NTRUCipher-Lattice Based Secret Key Encryption


Maheswara Rao Valluri
School of Mathematical and Computing Sciences, Fiji National University

IEEE, World Congress on Internet Security 2017, University of Cambridge, UK. December 11-14, 2017


Secret Key Encryption

A secret key encryption $SE = (KeyGen, Enc, Dec)$ consists of the following three algorithms:

Key Generation
Key generation ($KeyGen$) is a randomized algorithm that outputs a random key. When the algorithm is run, a different key is generated every time.
1: Input: null
2: $k \xleftarrow{\$} KeyGen(1^{\lambda})$


Encryption
Encryption ($Enc$) is a randomized algorithm.
1: Input: $\mu \in D_\mu$, $k \in D_k$, where $D_\mu$ is the plaintext space, $D_k$ is the secret key space and $k$ is the secret key.
2: $c \xleftarrow{\$} Enc(\mu, k)$, otherwise $F$ if $\mu \notin D_\mu$ $\Rightarrow \forall c \in D_c$, where $D_c$ is the ciphertext space.


Decryption
Decryption ($Dec$) is a deterministic algorithm.
1: Input: $c \in D_c$, $k \in D_k$.
2: $\mu \leftarrow Dec(c, k)$ $\forall c \in D_c$.


Experiment: IND-CPA

Let $A$ be an adversary. Let $SE = (KeyGen, Enc, Dec)$ be the secret key encryption.

Experiment: $\mathrm{IND\text{-}CPA}^{b}_{SE}(A)$
1: The challenger runs $k \xleftarrow{\$} KeyGen(1^{\lambda})$.
2: $A$ outputs a pair of plaintexts $(\mu_0, \mu_1)$ of the same length and sends $(\mu_0, \mu_1)$ to the challenger.
3: The challenger computes $c^* \xleftarrow{\$} Enc(\mu_b, k)$ and then sends $c^*$ to the adversary.
4: $A$ continues its computation and outputs $b'$.
Output 1 if $b' = b$, and 0 otherwise.


Definition of the IND-CPA

IND-CPA: A secret key encryption $SE = (KeyGen, Enc, Dec)$ is indistinguishable under chosen plaintext attack if it holds for every probabilistic polynomial time adversary $A$ that

$$\mathrm{Adv}^{\mathrm{IND\text{-}CPA}}_{SE}(A) = \left|\Pr\left[\mathrm{Exp}^{\mathrm{IND\text{-}CPA}}_{SE}(A) = 1\right] - \frac{1}{2}\right| \le \mathrm{negl}(\lambda).$$


Brief History of the Secret Key Encryption (SKE) and NTRUEncrypt

SKE, Advanced Encryption Standard (AES) - 1978, 2002.
SKE, Rivest Cipher (RC)-5, 1995.
SKE, Blowfish, 1993.
SKE, Data Encryption Standards (DES) - 1981.
SKE, International Data Encryption Algorithm - 1990.
PKE, NTRUEncrypt - 1998.
PKE, Provable Security version of the NTRUEncrypt - 2011, 2013.
PKE, NTRU Prime - Encrypt - 2017.


Truncated Polynomial Rings

Let $q \in \mathbb{N}$ be a prime. We write $\mathbb{Z}_q$ for the integers modulo $q$ and represent this set by integers in the range $(-q/2, q/2)$. The truncated polynomial ring $R_{n,q} = \mathbb{Z}_q[x]/(x^n + 1)$ consists of all polynomials with coefficients in $\mathbb{Z}_q$ and degree less than $n$. An element $f \in R_q$ is represented as a polynomial,

$$f = \sum_{i=0}^{n-1} f_i x^i = [f_0, f_1, \ldots, f_{n-1}].$$

Two polynomials $f, g \in R_q$ are multiplied by the ordinary convolution,

$$(f * g)_k = \sum_{i+j \equiv k \pmod n} (f_i . g_j), \quad k = 0, 1, \ldots, n-1,$$

which is commutative and associative.


Define a center $l_2$ norm of an element $f \in R_q$ by

$$\|f\|_2 = \Big(\sum_{i=0}^{N-1} (f_i - \bar{f})^2\Big)^{1/2}, \quad \text{where } \bar{f} = \frac{1}{N}\sum_{i=0}^{N-1} f_i.$$

Define the infinity norm of $f$ by $\|f\|_\infty = \max_{0 \le i \le n-1} |f_i|$.


Lemma

For any $f, g \in R_{n,q} = \mathbb{Z}_q[x]/(x^n + 1)$, $\|f.g\| \le \sqrt{n}.\|f\|.\|g\|$ and $\|f.g\|_\infty \le n.\|f\|_\infty.\|g\|_\infty$.


NTRUCipher

Security Parameters
$n$ - Degree parameter
$q$ - Large modulus
Ring parameters, $R_{n,q} = \mathbb{Z}_q[x]/(x^n + 1)$
$p$ - Plaintext space modulus
$a_1, a_2, a_3$ - Non-zero coefficient counts for product form polynomial terms
$\mu$ - Plaintext
$c$ - Ciphertext


$k$ - Secret key
$r$ - Ephemeral key
$D_\mu$ - Plaintext space
$D_c$ - Ciphertext space
$D_k$ - Secret key space
$D_r$ - Ephemeral key space


$B_n$ = {Binary polynomials}
$T_n$ = {Ternary polynomials}
$T_n(a, e)$ = {Ternary polynomials with exactly $a$ ones and $e$ minus ones}
$P_n(a_1, a_2, a_3)$ = {Product form of polynomials $A_1 * A_2 + A_3 : A_i \in T_n(a_i, a_i)$}


Cryptographic Assumptions

Search NTRUCipher Ciphertext Cracking Problem
Given $c = r * k^{-1} + \mu \pmod q \in R_{n,q}$, with $r \xleftarrow{\$} P_n(a_1, a_2, a_3)$, $k \xleftarrow{\$} P_n(a_1, a_2, a_3)$, compute $(r, k, \mu)$.

Decision NTRUCipher Ciphertext Cracking Problem
Given $c = r * k^{-1} \pmod q \in R_{n,q}$, distinguish whether $c$ is sampled from the distribution $D_0 = \{c = r * k^{-1} \pmod q : r \xleftarrow{\$} P_n(a_1, a_2, a_3),\ k \xleftarrow{\$} P_n(a_1, a_2, a_3)\}$ or from the uniform distribution $D_1 = U(R_{n,q})$.


NTRUCipher-Key generation
Input: A set of system parameters
1: repeat
2:   $k' \xleftarrow{\$} P_n(a_1, a_2, a_3)$
3:   $k = 1 + p.k' \in R_{n,q}$
4: until $k$ is invertible in $R_{n,q}$


NTRUCipher-Encryption
Input: Secret key $k$, message $\mu \in \{-(p-1)/2, \ldots, +(p-1)/2\}^n$, and set a parameter, $p = 3$.
1: repeat
2:   $r \xleftarrow{\$} P_n(a_1, a_2, a_3)$
3:   $c = (p.r * k^{-1} + \mu) \pmod q \in R_{n,q}$
Output: Ciphertext $c$


NTRUCipher-Decryption
Input: Secret key $k$, ciphertext $c \in R_{n,q}$, and set a parameter, $p = 3$.
1: $c' = c * k \pmod q \in R_{n,q}$
2: Center the coefficients of $c'$ in $(-q/2, q/2)$
3: $\mu' = c' \pmod p$
4: Center the coefficients of $\mu'$ in $(-p/2, p/2)$
5: Result = $\mu$
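A toy-sized run of the key generation, encryption and decryption steps above, as an added example (not code from the slides). The sizes n = 16, q = 257, a_i = 2 and all function names are assumptions, chosen so that every coefficient of p.(r + µ * k') + µ is at most 76 < q/2 and decryption cannot fail; products are reduced modulo x^n + 1.

```python
import secrets

N, Q, P, A = 16, 257, 3, (2, 2, 2)   # toy n, q, p, (a1, a2, a3): assumptions

def ring_mul(f, g):
    """f * g in Z_Q[x]/(x^N + 1): x^N = -1, so wrapped terms change sign."""
    out = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            out[(i + j) % N] += (-fi if i + j >= N else fi) * gj
    return [v % Q for v in out]

def ring_inverse(f):
    """Inverse of f in R_{N,Q} by Gauss-Jordan elimination mod Q, or None."""
    cols = [ring_mul(f, [int(i == j) for i in range(N)]) for j in range(N)]
    rows = [[cols[j][i] for j in range(N)] + [int(i == 0)] for i in range(N)]
    for c in range(N):
        piv = next((r for r in range(c, N) if rows[r][c]), None)
        if piv is None:
            return None                       # singular: f is not invertible
        rows[c], rows[piv] = rows[piv], rows[c]
        inv = pow(rows[c][c], Q - 2, Q)       # Fermat inverse, Q is prime
        rows[c] = [v * inv % Q for v in rows[c]]
        for r in range(N):
            m = rows[r][c] if r != c else 0
            rows[r] = [(x - m * y) % Q for x, y in zip(rows[r], rows[c])]
    return [rows[i][N] for i in range(N)]

def product_form(rng):
    """Sample A1*A2 + A3 with Ai in T_N(ai, ai)."""
    t = [[1] * a + [-1] * a + [0] * (N - 2 * a) for a in A]
    for ti in t:
        rng.shuffle(ti)
    return [(x + y) % Q for x, y in zip(ring_mul(t[0], t[1]), t[2])]

def keygen(rng):
    while True:                               # repeat ... until k is invertible
        k = [(P * c) % Q for c in product_form(rng)]
        k[0] = (k[0] + 1) % Q                 # k = 1 + p.k'
        k_inv = ring_inverse(k)
        if k_inv is not None:
            return k, k_inv

def encrypt(mu, k_inv, rng):
    pr = [(P * c) % Q for c in product_form(rng)]   # p.r, fresh ephemeral r
    return [(x + m) % Q for x, m in zip(ring_mul(pr, k_inv), mu)]

def center(v, m):
    v %= m
    return v - m if v > m // 2 else v

def decrypt(c, k):
    c1 = [center(v, Q) for v in ring_mul(c, k)]     # c' = c*k in (-q/2, q/2)
    return [center(v, P) for v in c1]               # c' mod p in (-p/2, p/2)

def roundtrip(mu, rng=None):
    rng = rng or secrets.SystemRandom()             # OS CSPRNG by default
    k, k_inv = keygen(rng)
    return decrypt(encrypt(mu, k_inv, rng), k)
```

Calling `roundtrip(mu)` on any list of 16 coefficients from {-1, 0, 1} returns the same list.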


NTRUCipher-Decryption Failure

For a successful decryption of the ciphertext $c$ for the plaintext $\mu$ using the given secret key $k$, the coefficients of $c' = [p.(r + \mu * k') + \mu]$ must be in the range of less than $q/2$. Prob(a given coefficient of $r + \mu * k'$ has absolute value $\ge B$), where $B$ is a bound.

The probability that any of the $n$ coefficients of $r + \mu * k'$ is greater than $B$ is bounded by $n.\mathrm{erfc}(B/(\sqrt{2}\sigma))$, where $\sigma = \sqrt{(4a_1a_2 + 2a_3)(2 - a_\mu/n)}$. With respect to security parameter $\lambda$ this imposes the constraint $n.\mathrm{erfc}((q-2)/(2\sqrt{2}p\sigma)) < 2^{-\lambda}$. Note that the parameters $n, a_1, a_2, a_3, a_\mu$ are chosen as recommended.


Security Analysis

Brute-force attack
In this NTRUCipher, one should try $(2\|k\|_\infty + 1)^n$ bit permutations to find the secret key, which is large enough for brute force attack. Currently complexity order $2^{80}$ is considered as the lower bound of security for brute force attack. The plaintext $\mu$ is of length 256 in the NTRUCipher; one should try $3^{256}$ bit permutations to find the plaintext $\mu$ on the brute force attack.


Multiple transmission attack
Send a single plaintext $\mu$ multiple times using the same secret key $k$ and different ephemeral keys $r$. In this scenario, one would transmit $t$ ciphertexts such that $c_i = p.r_i * k^{-1} + \mu \pmod q$ for $i = 1, 2, 3, \ldots, t$.

$A$ can compute $(c_i - c_1) = (r_i - r_1) * k^{-1} \pmod q$. Then, $\exists u \in R_{n,q}$ with $u = k * c + r$, where $c = c_i - c_1$ and $r = r_i - r_1$, such that $[k, u].L_c = [k, r]$, where

$$L_c = \begin{pmatrix} I & c \\ 0 & qI \end{pmatrix}.$$

One can find the secret key $k$ by solving SVP (approximate SVP) in $L_c$.


Chosen Plaintext attack
In a chosen plaintext attack, the adversary can randomly choose plaintexts to be encrypted and gets the corresponding ciphertexts. The goal of the attack is to get access to information that reduces the security of the secret key encryption.

Theorem
The NTRUCipher-Lattice based secret key encryption is IND-CPA secure if the decision NTRUCipher ciphertext cracking problem is hard.


Performance Analysis

Space complexity
The space complexity of the secret key is $O((2\|k\|_\infty + 1)^n)$. The size of the secret key is $n\lfloor \log_2(2\|k\|_\infty + 1) \rceil$.
The space complexity of the plaintext space is $O(p^n)$. The size of the plaintext is $n\lfloor \log_2 p \rceil$.
The complexity of the ciphertext space is $O(q^n)$. The size of the ciphertext is $n\lfloor \log_2 q \rceil$.


Time-complexity
The cost of encryption and decryption in both cases is $O(n^2 \lfloor \log_2 q \rceil)$ bit operations.


Concrete Parameters

Concrete Parameters Set
Our recommendation for the parameters of the NTRUCipher is to take $n = 256$, $p = 3$, $q = 863$, $a_1 = 5$, $a_2 = 5$, $a_3 = 5$, and $a_\mu = 102$, which ensures, at this security parameter, that our decryption failure probability is less than $2^{-80}$.
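The decryption-failure constraint n.erfc((q - 2)/(2√2.p.σ)) < 2^-λ evaluated on the recommended parameter set, as an added example that is not part of the slides. It assumes σ is read as sqrt((4.a1.a2 + 2.a3)(2 - aµ/n)); the function names are hypothetical.

```python
import math

def sigma(n, a1, a2, a3, a_mu):
    # Assumption: the slide's sigma read as sqrt((4*a1*a2 + 2*a3) * (2 - a_mu/n)).
    return math.sqrt((4 * a1 * a2 + 2 * a3) * (2 - a_mu / n))

def log2_failure_bound(n, p, q, a1, a2, a3, a_mu):
    """log2 of n * erfc((q - 2) / (2 * sqrt(2) * p * sigma))."""
    x = (q - 2) / (2 * math.sqrt(2) * p * sigma(n, a1, a2, a3, a_mu))
    return math.log2(n) + math.log2(math.erfc(x))

def is_prime(m):
    return m > 1 and all(m % d for d in range(2, math.isqrt(m) + 1))

def smallest_prime_modulus(lam, n, p, a1, a2, a3, a_mu):
    """Smallest odd prime q whose failure bound is below 2^-lam."""
    q = 3
    while not (is_prime(q)
               and log2_failure_bound(n, p, q, a1, a2, a3, a_mu) < -lam):
        q += 2
    return q

# Parameter values as recommended on the slide (q is checked separately).
RECOMMENDED = dict(n=256, p=3, a1=5, a2=5, a3=5, a_mu=102)

if __name__ == "__main__":
    for q in (859, 863):                      # neighbouring primes
        print(q, round(log2_failure_bound(q=q, **RECOMMENDED), 2))
    print(smallest_prime_modulus(80, **RECOMMENDED))
```

Under that reading of σ, q = 863 is the smallest prime modulus that pushes the bound below 2^-80; the previous prime, 859, falls just short.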


Conclusion

The proposed secret key encryption is based on truncated polynomials over NTRU lattices. The proposed NTRUCipher is examined against attacks such as the brute force attack, the multiple transmission attack and IND-CPA. A set of parameters for the cipher is recommended, and the cipher is also analyzed with respect to security and efficiency. A disadvantage is that the ciphertext of the NTRUCipher is much larger than that of other existing secret key block ciphers. Further work is required for designing NTRUCipher-based homomorphic secret key encryption and MAC.
