Efficient Identity-Based Encryption using NTRU Lattices
Léo Ducas, Vadim Lyubashevsky and Thomas Prest
December 10, 2014
Slide 1/21

Slide 2/21: Identity-based encryption (IBE)

Figure, left, a "regular" PKI: Alice, Bob and the certification authority Carol. Alice's public key $PK_A$ is certified by Carol as $\mathrm{Sign}_{SK_C}(PK_A)$; Bob obtains $PK_A$ together with $\mathrm{Sign}_{SK_C}(PK_A)$ and sends $E_{PK_A}(m)$.

Figure, right, an identity-based encryption scheme: Carol hands Alice a secret key $SK_{\mathrm{Alice}}$ tied to her identity, and Bob encrypts directly to that identity: $E_{\mathrm{Alice}}(m)$.

Slide 3/21: [GPV] Signature scheme ⇒ IBE

Figure, step 1, a signature scheme: Carol signs for Alice, producing $\mathrm{Sign}(m)$.
Figure, step 2, the IBE obtained from it (Alice, Carol, Bob): Carol's signature on the identity becomes Alice's secret key, $SK_A \approx \mathrm{Sign}(\mathrm{Alice})$, and Bob sends $E_{\mathrm{Alice}}(m)$.

Slide 4/21 (outline)
1. Gaussian Sampling and KL-Divergence
2. An IBE scheme over NTRU lattices

Slide 5/21: A signature scheme: GGH/NTRUSign [GGH, HHP+]

Figure: $H(m)$ and $\mathrm{Sign}(m)$ in the lattice; only one possible signature.

How to sign $m$ with a short basis $B$ of a lattice $\Lambda \supset q\mathbb{Z}^n$:
1. $H(m) \leftarrow_\$ \mathbb{Z}_q^n$
2. $\mathrm{Sign}(m) \leftarrow$ a point $v \in \Lambda$ s.t. $v - H(m)$ is small

Slide 6/21: What GGH/NTRUSign does

Figure: $H(m)$ and $\mathrm{Sign}(m)$; only one possible signature.

1. $H(m) \leftarrow_\$ \mathbb{Z}_q^n$
2. Take the fundamental parallelepiped of $B$ centred on $H(m)$
3. $\mathrm{Sign}(m) \leftarrow$ the lattice point of $\Lambda$ lying inside that parallelepiped

Slide 7/21: Information leakage in GGH/NTRUSign

Figure: distribution of the differences $H(m_i) - \mathrm{Sign}(m_i)$.

One can recover the short basis [NR].
Countermeasures are ineffective [DNb].

Slide 8/21: Solution: randomize the signature [GPV]

Figure: Gaussian sampling, several possible signatures.

No more information leakage [GPV].
The larger the standard deviation $\sigma$, the looser the security.
If $\sigma$ is too small, the simulated Gaussian leaks the basis again.

Slide 9/21: Distinguishing two distributions

Figure: an algorithm sends $q$ queries to an oracle, receives $q$ answers and outputs 0 or 1; once with oracle $P$, once with oracle $Q$. Are $P$ and $Q$ indistinguishable? In our case $P$ = perfect Gaussian, $Q$ = simulated Gaussian from [GPV].

Let the algorithm $A^P$ do at most $q$ queries to $P$ and output a bit. Let $x$ (resp. $y$) be the probability that $A^P$ (resp. $A^Q$) outputs 1.
  If $SD(P,Q) \le \delta$ then $|x - y| \le q\delta$.
  If $D_{KL}(P\|Q) \le \delta$ then $|x - y| \le \frac{1}{2}\sqrt{q\delta}$ [PDG].
⇒ We can replace Statistical Distance with KL-Divergence.

Slide 10/21: Statistical Distance or KL-Divergence?

Figure: the "best" measure depends on the distributions.

Let $P$ be the perfect Gaussian of standard deviation $\sigma$ and $Q$ the output of the Gaussian sampler.
  [GPV, DNa] → If $\sigma > \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde B\|$ then $SD(P,Q) \le 2^{-\lambda}$.
  Our results → If $\sigma > \frac{1}{\sqrt 2}\sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde B\|$ then $D_{KL}(P\|Q) \le 2^{-\lambda}$.

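A numerical illustration of the two slides above, added here as an example; it is not code from the paper or from the authors' implementation. It builds a perfect discrete Gaussian $P$ over the integers and a constructed stand-in for a "simulated" sampler $Q$ whose probabilities each carry a small relative error $\pm\varepsilon$ (an assumption chosen to mimic the kind of error a finite-precision sampler makes), then computes $SD(P,Q)$, $D_{KL}(P\|Q)$, the two query bounds $q\delta$ and $\frac{1}{2}\sqrt{q\delta}$ of slide 9, and the two $\sigma$ thresholds of slide 10. Under this error model $SD \approx \varepsilon/2$ while $D_{KL} \approx \varepsilon^2/2$, which is why the KL bound stays meaningful after $2^{20}$ queries when the SD bound no longer is; the threshold functions use $\lambda = 192$ and $\|\tilde B\| = 1.17\sqrt{q}$ with $q = 2^{27}$ from later slides.

```python
import math

EPS = 2.0 ** -10    # constructed relative error of the "simulated" sampler's probabilities
SIGMA = 4.0         # standard deviation of the toy discrete Gaussian over Z
TAIL = 12           # support cut at +/- TAIL*SIGMA (mass beyond it is negligible)

def perfect_gaussian(sigma=SIGMA, tail=TAIL):
    """P: discrete Gaussian on Z, P(x) proportional to exp(-x^2 / (2 sigma^2))."""
    hi = int(math.ceil(tail * sigma))
    w = {x: math.exp(-x * x / (2 * sigma * sigma)) for x in range(-hi, hi + 1)}
    z = sum(w.values())
    return {x: p / z for x, p in w.items()}

def simulated_gaussian(P, eps=EPS):
    """Q: constructed model of a sampler whose probabilities each carry a
    relative error of +/-eps (sign alternating with x), renormalised to sum to 1."""
    w = {x: p * (1 + eps if x % 2 == 0 else 1 - eps) for x, p in P.items()}
    z = sum(w.values())
    return {x: p / z for x, p in w.items()}

def statistical_distance(P, Q):
    """SD(P, Q) = 1/2 * sum_x |P(x) - Q(x)|."""
    return 0.5 * sum(abs(P[x] - Q[x]) for x in P)

def kl_divergence(P, Q):
    """D_KL(P || Q) = sum_x P(x) ln(P(x) / Q(x))."""
    return sum(P[x] * math.log(P[x] / Q[x]) for x in P)

def distinguishing_bounds(sd, kl, queries):
    """Bounds on |x - y| for an algorithm making `queries` queries (slide 9):
    q*delta from the statistical distance, (1/2)*sqrt(q*delta) from the KL divergence."""
    return queries * sd, 0.5 * math.sqrt(queries * kl)

def sigma_thresholds(lam, gs_norm):
    """Standard deviation required for 2^-lambda closeness (slide 10):
    the SD-based bound of [GPV, DNa] and the KL-based one, which is 1/sqrt(2) smaller."""
    sd_sigma = math.sqrt(lam * math.log(2) / (2 * math.pi ** 2)) * gs_norm
    return sd_sigma, sd_sigma / math.sqrt(2)

if __name__ == "__main__":
    P = perfect_gaussian()
    Q = simulated_gaussian(P)
    sd, kl = statistical_distance(P, Q), kl_divergence(P, Q)
    print("SD = %.3g (about eps/2), KL = %.3g (about eps^2/2)" % (sd, kl))
    sd_b, kl_b = distinguishing_bounds(sd, kl, 2 ** 20)
    print("after 2^20 queries: SD bound %.3g (vacuous), KL bound %.3g" % (sd_b, kl_b))
    print("sigma thresholds for lambda = 192, ||B~|| = 1.17*sqrt(2^27): %.0f (SD) vs %.0f (KL)"
          % sigma_thresholds(192, 1.17 * math.sqrt(2 ** 27)))
```

The alternating-sign error is what makes the KL divergence quadratic in $\varepsilon$: a systematic bias in one direction would leave a first-order term. Replacing `simulated_gaussian` with the output histogram of a real sampler (e.g. a tail-cut or table-based one) turns the block into a direct check of which bound is tighter for that sampler.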
Slide 11/21: Practical impact of KL-Divergence

Figure: sizes of the signatures, with statistical distance vs. with KL-Divergence.

Smaller signatures.
Gain for free.

Slide 12/21 (outline)
1. Gaussian Sampling and KL-Divergence
2. An IBE scheme over NTRU lattices

Slide 13/21: From a signature scheme to an IBE scheme

Keygen:
$$SK \leftarrow \begin{bmatrix} g & -f \\ G & -F \end{bmatrix}, \qquad PK \leftarrow h,$$
where $f * G - g * F = q$ and $h = g * f^{-1} \bmod q$ (NTRU basis).

Sign:
$$t \leftarrow H(m), \qquad \mathrm{Sign}(m) = \begin{bmatrix} s_1 \\ s_2 \end{bmatrix} \text{ s.t. } s_1 + s_2 * h = t.$$

Slide 14/21: From a signature scheme to an IBE scheme

Setup:
$$MSK \leftarrow \begin{bmatrix} g & -f \\ G & -F \end{bmatrix}, \qquad MPK \leftarrow h,$$
where $f * G - g * F = q$ and $h = g * f^{-1} \bmod q$ (NTRU basis).

Extract:
$$t \leftarrow H(id), \qquad SK_{id} = \begin{bmatrix} s_1 \\ s_2 \end{bmatrix} \text{ s.t. } s_1 + s_2 * h = t.$$

[LPR] Encrypt:
$$u \leftarrow r * h + e_1, \qquad v \leftarrow r * t + e_2 + \lfloor q/2 \rfloor \cdot b.$$

[LPR] Decrypt:
$$v - u * s_2 = \lfloor q/2 \rfloor \cdot b + \underbrace{e_2 + r * s_1 - e_1 * s_2}_{\|\cdot\|_\infty \text{ small}}.$$

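A toy implementation of the Extract/Encrypt/Decrypt equations of this slide and of the signing relation $s_1 + s_2 * h = t$ of the previous one, added here as an example; it is not the authors' code (their C++ implementation is linked from the last slide). It works in $\mathbb{Z}_q[x]/(x^N+1)$ with $N = 64$ and $q = 2^{27}$ using schoolbook negacyclic multiplication. Two simplifications are assumptions: the public key $h$ is drawn uniformly instead of being computed as $g * f^{-1} \bmod q$, and Extract chooses the short pair $(s_1, s_2)$ first and sets $t = s_1 + s_2 * h$, because finding a short pair for a given $t = H(id)$ is exactly what needs the master secret key and a Gaussian sampler, which are not reproduced here. The decryption identity, the smallness requirement on $e_2 + r * s_1 - e_1 * s_2$ and the $\lfloor q/2 \rfloor$ encoding are the slide's. The demo also decrypts with another identity's key to show that the identity only cancels for the key matching $t$.

```python
import random

N = 64          # ring degree of R_q = Z_q[x]/(x^N + 1); the paper uses n = 1024
Q = 2 ** 27     # modulus, as on the parameter slide (q ~ 2^27)

def poly_mul(a, b, q=Q, n=N):
    """Negacyclic product a*b in Z_q[x]/(x^n + 1); schoolbook O(n^2) for clarity."""
    res = [0] * n
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                res[k] += ai * bj
            else:
                res[k - n] -= ai * bj      # reduce with x^n = -1
    return [c % q for c in res]

def poly_add(a, b, q=Q):
    return [(x + y) % q for x, y in zip(a, b)]

def poly_sub(a, b, q=Q):
    return [(x - y) % q for x, y in zip(a, b)]

def centered(c, q=Q):
    """Representative of c mod q in (-q/2, q/2]."""
    c %= q
    return c - q if c > q // 2 else c

def small_poly(rng, bound, n=N):
    """Polynomial with coefficients uniform in [-bound, bound] (constructed noise/key)."""
    return [rng.randint(-bound, bound) for _ in range(n)]

def extract(rng, h, key_bound=2 ** 10):
    """Simulated Extract (assumption): choose the short pair (s1, s2) first and
    define t = s1 + s2*h, so the slide's relation holds by construction.
    The real scheme fixes t = H(id) and needs the master secret key (the short
    NTRU basis plus a Gaussian sampler) to find such a pair."""
    s1, s2 = small_poly(rng, key_bound), small_poly(rng, key_bound)
    t = poly_add(s1, poly_mul(s2, h))
    return t, (s1, s2)

def encrypt(rng, h, t, bits):
    """[LPR] Encrypt: u = r*h + e1,  v = r*t + e2 + floor(q/2)*b, with r, e1, e2 in {-1,0,1}^N."""
    r, e1, e2 = (small_poly(rng, 1) for _ in range(3))
    u = poly_add(poly_mul(r, h), e1)
    v = poly_add(poly_add(poly_mul(r, t), e2), [(Q // 2) * b for b in bits])
    return u, v

def decrypt(sk, u, v):
    """[LPR] Decrypt: v - u*s2 = floor(q/2)*b + (e2 + r*s1 - e1*s2).
    With these sizes the bracket has infinity norm below 2^18 << q/4, so a
    coefficient closer to +/-q/2 than to 0 decodes to the bit 1."""
    s1, s2 = sk
    w = poly_sub(v, poly_mul(u, s2))
    return [1 if abs(centered(c)) > Q // 4 else 0 for c in w]

def demo(seed=1):
    """Encrypt to one identity; decrypt with its key and with another identity's key.
    Returns (plaintext bits, decryption with the right key, decryption with the wrong key)."""
    rng = random.Random(seed)
    h = [rng.randrange(Q) for _ in range(N)]   # assumption: uniform h stands in for g*f^-1 mod q
    t, sk = extract(rng, h)                    # t plays the role of H(id)
    _, other_sk = extract(rng, h)              # key of a different identity
    bits = [rng.randint(0, 1) for _ in range(N)]
    u, v = encrypt(rng, h, t, bits)
    return bits, decrypt(sk, u, v), decrypt(other_sk, u, v)

if __name__ == "__main__":
    bits, good, bad = demo()
    print("right key recovers the plaintext:", good == bits)
    print("wrong key, fraction of bits right: %.2f" % (sum(a == b for a, b in zip(bad, bits)) / N))
```

The correctness margin is the whole story of the parameter choice: the noise term is bounded by $N \cdot 2^{10}$ from each of $r * s_1$ and $e_1 * s_2$, so shrinking $q$ or growing the key bound eventually pushes $\|e_2 + r * s_1 - e_1 * s_2\|_\infty$ past $q/4$ and decryption starts failing.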
Slide 15/21: Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)?

Figure: three NTRU bases, each drawn with its vectors $(f,g)$, $(F,G)$ and the resulting $\|\tilde B\|$, under the sampling condition $\sigma > \frac{1}{\sqrt 2}\sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde B\|$:
  NTRUEncrypt: $\|(f,g)\|$ minimal
  Our paper: $\|(f,g)\| \approx 1.17\sqrt{q}$
  [SS]: $\|(f,g)\| > 2n\sqrt{q}$

$\|\tilde B\| = \max_{\tilde b_i \in \tilde B} \|\tilde b_i\|$, where $\tilde B$ is the Gram-Schmidt orthogonalization of $B$.
For NTRU lattices, $\|\tilde B\| \approx \max\Big(\|(f,g)\|,\ \frac{1.17^2\, q}{\|(f,g)\|}\Big)$.
⇒ $\|\tilde B\|$ is minimal for $\|(f,g)\| \approx 1.17\sqrt{q}$.

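The minimisation behind the last two lines, written out here as a worked derivation with the slide's own symbols (an addition, not part of the original slide):

Write $x = \|(f,g)\|$. The slide's estimate is
$$\|\tilde B\| \approx \max\Big(x,\ \frac{1.17^2\, q}{x}\Big).$$
The first argument grows with $x$ and the second shrinks, so the maximum is smallest where the two are equal:
$$x = \frac{1.17^2\, q}{x} \iff x^2 = 1.17^2\, q \iff x = 1.17\sqrt{q},$$
and at that point both arguments equal $1.17\sqrt{q}$, so $\|\tilde B\| \approx 1.17\sqrt{q}$. Substituting into the KL-based condition of slide 10 gives the condition of slide 16:
$$\sigma > \frac{1}{\sqrt 2}\sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot 1.17\sqrt{q}.$$
For the other two choices one argument dominates: with $\|(f,g)\|$ minimal (NTRUEncrypt) the term $1.17^2 q/\|(f,g)\|$ is large, and with $\|(f,g)\| > 2n\sqrt{q}$ [SS] the term $\|(f,g)\|$ is; either way $\|\tilde B\|$, and hence the required $\sigma$, is larger than at the balance point.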
Slide 16/21: KL-Divergence + optimal NTRU bases

Let $P$ be the perfect discrete Gaussian and $Q$ the output of the Gaussian sampler.
  [GPV, DNa] → If $\sigma > \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde B\|$ then $SD(P,Q) \le 2^{-\lambda}$.
  Our results → If $\sigma > \frac{1}{\sqrt 2}\sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot 1.17\sqrt{q}$ then $D_{KL}(P\|Q) \le 2^{-\lambda}$.

Slide 17/21: Implementation and comparison with a pairing-based IBE

Scheme       | This paper            | BF-192
Parameters   | 2n = 2048, q ≈ 2^27   | log p = 640, k log p = 7680
User key     | 27 kbits              | 0.62 kbits
Ciphertexts  | 30 kbits              | 15 kbits
Extract      | 32.7 ms               | 3.3 ms
Encrypt      | 0.033 ms              | 38.7 ms
Decrypt      | 0.012 ms              | 32.7 ms

Implementation (1) in C++ with NFLlib (2) [ABFK]. Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192.
(1) Hardware: Intel Core i5-3210M 2.5 GHz and 6 GB RAM.
(2) NTT-based Fast Lattice library (used only for Encrypt/Decrypt).

Slide 18/21: Implementation and comparison with a pairing-based IBE (same table as slide 17)

For 192 bits of security:
  Extract: 10× slower
  Encrypt: 1200× faster
  Decrypt: 2700× faster

Slide 19/21: Implementation and comparison with a pairing-based IBE

Scheme       | This paper            | BF-128
Parameters   | 2n = 2048, q ≈ 2^27   | log p = 256, k log p = 3072
User key     | 27 kbits              | 0.25 kbits
Ciphertexts  | 30 kbits              | 3 kbits
Extract      | 32.7 ms               | 0.52 ms
Encrypt      | 0.033 ms              | 7.21 ms
Decrypt      | 0.012 ms              | 4.78 ms

192 bits of security for us, 128 for Boneh-Franklin:
  Extract: 60× slower
  Encrypt: 200× faster
  Decrypt: 400× faster

Slide 20/21: Thank you! Any questions?

ePrint: http://eprint.iacr.org/2014/794
Article and slides: http://www.di.ens.fr/~prest
Implementation: https://github.com/tprest/Lattice-IBE
Contact: lducas[at]eng.ucsd.edu, vadim.lyubashevsky[at]inria.fr, thomas.prest[at]ens.fr

Slide 21/21: References

[ABFK] C. Aguilar, J. Barrier, L. Fousse and M.-O. Killijian. XPIRe: Private information retrieval for everyone. IACR ePrint XXX/2014.
[DNa] Léo Ducas and Phong Q. Nguyen. Faster Gaussian lattice sampling using lazy floating-point arithmetic. ASIACRYPT '12.
[DNb] Léo Ducas and Phong Q. Nguyen. Learning a zonotope and more: cryptanalysis of NTRUSign countermeasures. ASIACRYPT '12.
[GGH] Oded Goldreich, Shafi Goldwasser and Shai Halevi. Public-key cryptosystems from lattice reduction problems. CRYPTO '97.
[GPV] Craig Gentry, Chris Peikert and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. STOC '08.
[Gui] Aurore Guillevic. Étude de l'arithmétique des couplages sur les courbes algébriques pour la cryptographie. PhD thesis.
[HHP+] Jeffrey Hoffstein, Nick Howgrave-Graham, Jill Pipher, Joseph H. Silverman and William Whyte. NTRUSign: digital signatures using the NTRU lattice. CT-RSA '03.
[LPR] Vadim Lyubashevsky, Chris Peikert and Oded Regev. A toolkit for ring-LWE cryptography. EUROCRYPT '13.
[NR] Phong Q. Nguyen and Oded Regev. Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures. EUROCRYPT '06.
[PDG] Thomas Pöppelmann, Léo Ducas and Tim Güneysu. Enhanced lattice-based signatures on reconfigurable hardware. CHES '14.
[SS] Damien Stehlé and Ron Steinfeld. Making NTRU as secure as worst-case problems over ideal lattices. EUROCRYPT '11.
Identity-based encryption (IBE)
Alice Bob
Carol
PKA SignSKC(PKA)
PKA SignSKC(PKA)
EPKA(m)
A ldquoregularrdquo PKI
Alice Bob
Carol
SKAlice
EAlice(m)
An Identity-based encryption scheme
2 21
[GPV] Signature scheme =rArr IBE
Alice
Carol
Sign(m)
Schema de signature
Alice
Carol
Bob
SKA asymp Sign(Alice)
EAlice(m)
IBE
1 2
3 21
[GPV] Signature scheme =rArr IBE
Alice
Carol
Sign(m)
Schema de signature
Alice
Carol
Bob
SKA asymp Sign(Alice)
EAlice(m)
IBE
1 2
3 21
1 Gaussian Sampling and KL-Divergence
2 An IBE scheme over NTRU lattices
4 21
A signature scheme GGHNTRUSign [GGH HHP+]
H(m)Sign(m)
Figure Only one possible signature
How to sign m with a short basis B of a lattice Λ sup qZn
1 H(m)larr$ Znq
2 Sign(m)larr a point v isin Λ st v minus H(m) is small
5 21
What GGHNTRUSign does
H(m)Sign(m)
Figure Only one possible signature
1 H(m)larr$ Znq
2 Let be the fundamental parallelepiped of B centered over H(m)
3 Sign(m)larr cap Λ6 21
Information leakage in GGHNTRUSign
Figure Distribution of the H(mi )minus sign(mi )
One can recover the short base [NR]
Countermeasures are ineffective [DNb]7 21
Solution randomize the signature [GPV]
Figure Gaussian Sampling several possible signatures
No more information leakage [GPV]
The larger the standard deviation σ the looser the security
If σ is too small the simulated gaussian leaks the basis again
8 21
Solution randomize the signature [GPV]
Figure Gaussian Sampling several possible signatures
No more information leakage [GPV]
The larger the standard deviation σ the looser the security
If σ is too small the simulated gaussian leaks the basis again8 21
Distinguishing two distributions
P Algorithm
q answers
q queries
0 or 1
Q Algorithm
q answers
q queries
0 or 1
Figure Are P and Q indistinguishableIn our case P = perfect Gaussian Q = simulated Gaussian from [GPV]
Let the algorithm AP do at most q queries to P and output a bit Let x (respy) be the probability that AP (resp AQ) outputs 1
If SD(PQ) 6 δ then |x minus y | 6 qδ
If DKL(PQ) 6 δ then |x minus y | 6 12
radicqδ [PDG]
rArr We can replace Statistical Distance with KL-Divergence
9 21
Distinguishing two distributions
P Algorithm
q answers
q queries
0 or 1
Q Algorithm
q answers
q queries
0 or 1
Figure Are P and Q indistinguishableIn our case P = perfect Gaussian Q = simulated Gaussian from [GPV]
Let the algorithm AP do at most q queries to P and output a bit Let x (respy) be the probability that AP (resp AQ) outputs 1
If SD(PQ) 6 δ then |x minus y | 6 qδ
If DKL(PQ) 6 δ then |x minus y | 6 12
radicqδ [PDG]
rArr We can replace Statistical Distance with KL-Divergence9 21
Statistical Distance or KL-Divergence
Figure The ldquobestrdquo measure depends on the distributions
Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler
[GPV DNa] rarr If σ gtradic
λ ln 22π2 middot B then SD(PQ) 6 2minusλ
Our results rarr If σ gt 1radic2
radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ
10 21
Statistical Distance or KL-Divergence
Figure The ldquobestrdquo measure depends on the distributions
Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler
[GPV DNa] rarr If σ gtradic
λ ln 22π2 middot B then SD(PQ) 6 2minusλ
Our results rarr If σ gt 1radic2
radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ
10 21
Practical impact of KL-Divergence
With statistical distance With KL-Divergence
Figure Sizes of the signatures
Smaller signatures
Gain for free
11 21
1 Gaussian Sampling and KL-Divergence
2 An IBE scheme over NTRU lattices
12 21
From a signature scheme to an IBE scheme
Keygen
SK larr[g Gminusf minusF
]PK larr h
Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Sign
t larr H(m)
Sign(m) =
[s1
s2
]st s1 + s2 lowast h = t
13 21
From a signature scheme to an IBE scheme
Setup
MSK larr[g Gminusf minusF
]MPK larr h
Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract
t larr H(id)
SKid =
[s1
s2
]st s1 + s2 lowast h = t
[LPR] Encryptu larr r lowast h + e1
v larr r lowast t + e2 +lfloor
q2
rfloormiddot b
[LPR] Decrypt
v minus u lowast s2 =lfloor
q2
rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸
infin small
14 21
From a signature scheme to an IBE scheme
Setup
MSK larr[g Gminusf minusF
]MPK larr h
Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract
t larr H(id)
SKid =
[s1
s2
]st s1 + s2 lowast h = t
[LPR] Encryptu larr r lowast h + e1
v larr r lowast t + e2 +lfloor
q2
rfloormiddot b
[LPR] Decrypt
v minus u lowast s2 =lfloor
q2
rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸
infin small
14 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot BB
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
KL-Divergence + optimal NTRU bases
Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler
[GPV DNa] rarr If σ gtradic
λ ln 22π2 middot B then SD(PQ) 6 2minusλ
Our results rarr If σ gt 1radic2
radicλ ln 22π2 middot 117
radicq then DKL(PQ) 6 2minusλ
16 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-192
Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680
User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms
Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192
1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)
17 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-192
Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680
User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms
For 192 bits of security
Extract 10times slower
Encrypt 1200times faster
Decrypt 2700times faster
18 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-128
Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072
User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms
192 bits of security for us 128 for Boneh-Franklin
Extract 60times slower
Encrypt 200times faster
Decrypt 400times faster
19 21
Thank you Any questions
ePrint httpeprintiacrorg2014794
Article and slides httpwwwdiensfr~prest
Implementation httpsgithubcomtprestLattice-IBE
Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr
20 21
C Aguilar J Barrier L Fousse and MO Killijian
Xpire Private information retrieval for everyone IACR eprint XXX2014
Leo Ducas and Phong Q Nguyen
Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12
Leo Ducas and Phong Q Nguyen
Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12
Oded Goldreich Shafi Goldwasser and Shai Halevi
Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97
Craig Gentry Chris Peikert and Vinod Vaikuntanathan
Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08
Aurore Guillevic
Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis
Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte
Ntrusign digital signatures using the ntru lattice CT-RSArsquo03
Vadim Lyubashevsky Chris Peikert and Oded Regev
A toolkit for ring-lwe cryptography EUROCRYPTrsquo13
Phong Q Nguyen and Oded Regev
Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06
Thomas Poppelmann Leo Ducas and Tim Guneysu
Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14
Damien Stehle and Ron Steinfeld
Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21
[GPV] Signature scheme =rArr IBE
Alice
Carol
Sign(m)
Schema de signature
Alice
Carol
Bob
SKA asymp Sign(Alice)
EAlice(m)
IBE
1 2
3 21
[GPV] Signature scheme =rArr IBE
Alice
Carol
Sign(m)
Schema de signature
Alice
Carol
Bob
SKA asymp Sign(Alice)
EAlice(m)
IBE
1 2
3 21
1 Gaussian Sampling and KL-Divergence
2 An IBE scheme over NTRU lattices
4 21
A signature scheme GGHNTRUSign [GGH HHP+]
H(m)Sign(m)
Figure Only one possible signature
How to sign m with a short basis B of a lattice Λ sup qZn
1 H(m)larr$ Znq
2 Sign(m)larr a point v isin Λ st v minus H(m) is small
5 21
What GGHNTRUSign does
H(m)Sign(m)
Figure Only one possible signature
1 H(m)larr$ Znq
2 Let be the fundamental parallelepiped of B centered over H(m)
3 Sign(m)larr cap Λ6 21
Information leakage in GGHNTRUSign
Figure Distribution of the H(mi )minus sign(mi )
One can recover the short base [NR]
Countermeasures are ineffective [DNb]7 21
Solution randomize the signature [GPV]
Figure Gaussian Sampling several possible signatures
No more information leakage [GPV]
The larger the standard deviation σ the looser the security
If σ is too small the simulated gaussian leaks the basis again
8 21
Solution randomize the signature [GPV]
Figure Gaussian Sampling several possible signatures
No more information leakage [GPV]
The larger the standard deviation σ the looser the security
If σ is too small the simulated gaussian leaks the basis again8 21
Distinguishing two distributions
P Algorithm
q answers
q queries
0 or 1
Q Algorithm
q answers
q queries
0 or 1
Figure Are P and Q indistinguishableIn our case P = perfect Gaussian Q = simulated Gaussian from [GPV]
Let the algorithm AP do at most q queries to P and output a bit Let x (respy) be the probability that AP (resp AQ) outputs 1
If SD(PQ) 6 δ then |x minus y | 6 qδ
If DKL(PQ) 6 δ then |x minus y | 6 12
radicqδ [PDG]
rArr We can replace Statistical Distance with KL-Divergence
9 21
Distinguishing two distributions
P Algorithm
q answers
q queries
0 or 1
Q Algorithm
q answers
q queries
0 or 1
Figure Are P and Q indistinguishableIn our case P = perfect Gaussian Q = simulated Gaussian from [GPV]
Let the algorithm AP do at most q queries to P and output a bit Let x (respy) be the probability that AP (resp AQ) outputs 1
If SD(PQ) 6 δ then |x minus y | 6 qδ
If DKL(PQ) 6 δ then |x minus y | 6 12
radicqδ [PDG]
rArr We can replace Statistical Distance with KL-Divergence9 21
Statistical Distance or KL-Divergence
Figure The ldquobestrdquo measure depends on the distributions
Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler
[GPV DNa] rarr If σ gtradic
λ ln 22π2 middot B then SD(PQ) 6 2minusλ
Our results rarr If σ gt 1radic2
radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ
10 21
Statistical Distance or KL-Divergence
Figure The ldquobestrdquo measure depends on the distributions
Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler
[GPV DNa] rarr If σ gtradic
λ ln 22π2 middot B then SD(PQ) 6 2minusλ
Our results rarr If σ gt 1radic2
radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ
10 21
Practical impact of KL-Divergence
With statistical distance With KL-Divergence
Figure Sizes of the signatures
Smaller signatures
Gain for free
11 21
1 Gaussian Sampling and KL-Divergence
2 An IBE scheme over NTRU lattices
12 21
From a signature scheme to an IBE scheme
Keygen
SK larr[g Gminusf minusF
]PK larr h
Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Sign
t larr H(m)
Sign(m) =
[s1
s2
]st s1 + s2 lowast h = t
13 21
From a signature scheme to an IBE scheme
Setup
MSK larr[g Gminusf minusF
]MPK larr h
Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract
t larr H(id)
SKid =
[s1
s2
]st s1 + s2 lowast h = t
[LPR] Encryptu larr r lowast h + e1
v larr r lowast t + e2 +lfloor
q2
rfloormiddot b
[LPR] Decrypt
v minus u lowast s2 =lfloor
q2
rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸
infin small
14 21
From a signature scheme to an IBE scheme
Setup
MSK larr[g Gminusf minusF
]MPK larr h
Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract
t larr H(id)
SKid =
[s1
s2
]st s1 + s2 lowast h = t
[LPR] Encryptu larr r lowast h + e1
v larr r lowast t + e2 +lfloor
q2
rfloormiddot b
[LPR] Decrypt
v minus u lowast s2 =lfloor
q2
rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸
infin small
14 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot BB
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
KL-Divergence + optimal NTRU bases
Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler
[GPV DNa] rarr If σ gtradic
λ ln 22π2 middot B then SD(PQ) 6 2minusλ
Our results rarr If σ gt 1radic2
radicλ ln 22π2 middot 117
radicq then DKL(PQ) 6 2minusλ
16 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-192
Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680
User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms
Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192
1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)
17 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-192
Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680
User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms
For 192 bits of security
Extract 10times slower
Encrypt 1200times faster
Decrypt 2700times faster
18 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-128
Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072
User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms
192 bits of security for us 128 for Boneh-Franklin
Extract 60times slower
Encrypt 200times faster
Decrypt 400times faster
19 21
Thank you Any questions
ePrint httpeprintiacrorg2014794
Article and slides httpwwwdiensfr~prest
Implementation httpsgithubcomtprestLattice-IBE
Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr
20 21
C Aguilar J Barrier L Fousse and MO Killijian
Xpire Private information retrieval for everyone IACR eprint XXX2014
Leo Ducas and Phong Q Nguyen
Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12
Leo Ducas and Phong Q Nguyen
Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12
Oded Goldreich Shafi Goldwasser and Shai Halevi
Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97
Craig Gentry Chris Peikert and Vinod Vaikuntanathan
Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08
Aurore Guillevic
Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis
Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte
Ntrusign digital signatures using the ntru lattice CT-RSArsquo03
Vadim Lyubashevsky Chris Peikert and Oded Regev
A toolkit for ring-lwe cryptography EUROCRYPTrsquo13
Phong Q Nguyen and Oded Regev
Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06
Thomas Poppelmann Leo Ducas and Tim Guneysu
Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14
Damien Stehle and Ron Steinfeld
Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21
[GPV] Signature scheme =rArr IBE
Alice
Carol
Sign(m)
Schema de signature
Alice
Carol
Bob
SKA asymp Sign(Alice)
EAlice(m)
IBE
1 2
3 21
1 Gaussian Sampling and KL-Divergence
2 An IBE scheme over NTRU lattices
4 21
A signature scheme GGHNTRUSign [GGH HHP+]
H(m)Sign(m)
Figure Only one possible signature
How to sign m with a short basis B of a lattice Λ sup qZn
1 H(m)larr$ Znq
2 Sign(m)larr a point v isin Λ st v minus H(m) is small
5 21
What GGHNTRUSign does
H(m)Sign(m)
Figure Only one possible signature
1 H(m)larr$ Znq
2 Let be the fundamental parallelepiped of B centered over H(m)
3 Sign(m)larr cap Λ6 21
Information leakage in GGHNTRUSign
Figure Distribution of the H(mi )minus sign(mi )
One can recover the short base [NR]
Countermeasures are ineffective [DNb]7 21
Solution randomize the signature [GPV]
Figure Gaussian Sampling several possible signatures
No more information leakage [GPV]
The larger the standard deviation σ the looser the security
If σ is too small the simulated gaussian leaks the basis again
8 21
Solution randomize the signature [GPV]
Figure Gaussian Sampling several possible signatures
No more information leakage [GPV]
The larger the standard deviation σ the looser the security
If σ is too small the simulated gaussian leaks the basis again8 21
Distinguishing two distributions
P Algorithm
q answers
q queries
0 or 1
Q Algorithm
q answers
q queries
0 or 1
Figure Are P and Q indistinguishableIn our case P = perfect Gaussian Q = simulated Gaussian from [GPV]
Let the algorithm AP do at most q queries to P and output a bit Let x (respy) be the probability that AP (resp AQ) outputs 1
If SD(PQ) 6 δ then |x minus y | 6 qδ
If DKL(PQ) 6 δ then |x minus y | 6 12
radicqδ [PDG]
rArr We can replace Statistical Distance with KL-Divergence
9 21
Distinguishing two distributions
P Algorithm
q answers
q queries
0 or 1
Q Algorithm
q answers
q queries
0 or 1
Figure Are P and Q indistinguishableIn our case P = perfect Gaussian Q = simulated Gaussian from [GPV]
Let the algorithm AP do at most q queries to P and output a bit Let x (respy) be the probability that AP (resp AQ) outputs 1
If SD(PQ) 6 δ then |x minus y | 6 qδ
If DKL(PQ) 6 δ then |x minus y | 6 12
radicqδ [PDG]
rArr We can replace Statistical Distance with KL-Divergence9 21
Statistical Distance or KL-Divergence
Figure The ldquobestrdquo measure depends on the distributions
Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler
[GPV DNa] rarr If σ gtradic
λ ln 22π2 middot B then SD(PQ) 6 2minusλ
Our results rarr If σ gt 1radic2
radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ
10 21
Statistical Distance or KL-Divergence
Figure The ldquobestrdquo measure depends on the distributions
Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler
[GPV DNa] rarr If σ gtradic
λ ln 22π2 middot B then SD(PQ) 6 2minusλ
Our results rarr If σ gt 1radic2
radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ
10 21
Practical impact of KL-Divergence
With statistical distance With KL-Divergence
Figure Sizes of the signatures
Smaller signatures
Gain for free
11 21
1. Gaussian Sampling and KL-Divergence
2. An IBE scheme over NTRU lattices
12 / 21
From a signature scheme to an IBE scheme

Keygen:
SK ← $\begin{bmatrix} g & -f \\ G & -F \end{bmatrix}$, PK ← h,
where $f \ast G - g \ast F = q$ and $h = g \ast f^{-1} \bmod q$ (NTRU basis).
Sign:
t ← H(m)
Sign(m) = $\begin{bmatrix} s_1 \\ s_2 \end{bmatrix}$ s.t. $s_1 + s_2 \ast h = t$.
13 / 21
From a signature scheme to an IBE scheme

Setup:
MSK ← $\begin{bmatrix} g & -f \\ G & -F \end{bmatrix}$, MPK ← h,
where $f \ast G - g \ast F = q$ and $h = g \ast f^{-1} \bmod q$ (NTRU basis).
Extract:
t ← H(id)
$\mathrm{SK}_{id}$ = $\begin{bmatrix} s_1 \\ s_2 \end{bmatrix}$ s.t. $s_1 + s_2 \ast h = t$.
[LPR] Encrypt:
$u \leftarrow r \ast h + e_1$
$v \leftarrow r \ast t + e_2 + \lfloor q/2 \rfloor \cdot b$
[LPR] Decrypt:
$v - u \ast s_2 = \lfloor q/2 \rfloor \cdot b + \underbrace{e_2 + r \ast s_1 - e_1 \ast s_2}_{\|\cdot\|_\infty \text{ small}}$
14 / 21
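Added example (not the authors' code and not taken from the Lattice-IBE repository): the [LPR] Encrypt/Decrypt step above in Python over $R_q = \mathbb{Z}_q[x]/(x^N+1)$ with $q \approx 2^{27}$ as in the paper's parameters, and $N = 512$ chosen here only to keep schoolbook multiplication fast. The assumed helper `toy_keys` is a stand-in for Setup+Extract: it picks a short $(s_1, s_2)$ first and defines $t = s_1 + s_2 \ast h$ from it instead of running the trapdoor Gaussian sampler, so it exhibits the decryption identity and the noise bound, not the scheme's security.

```python
import random

# Constructed toy parameters: R_q = Z_q[x]/(x^N + 1). q ~ 2^27 matches the
# paper's table; N = 512 (not the paper's n) keeps pure-Python multiplication quick.
N = 512
Q = 1 << 27
S_BOUND = 1 << 14                        # |coefficient| bound of the constructed user key
NOISE_WORST_CASE = 2 * N * S_BOUND + 1   # worst case of |e2 + r*s1 - e1*s2|_inf (ternary r, e1, e2)


def poly_mul(a, b):
    """Negacyclic product a*b in Z_q[x]/(x^N + 1), i.e. x^N = -1."""
    res = [0] * N
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                res[k] += ai * bj
            else:
                res[k - N] -= ai * bj
    return [c % Q for c in res]


def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def poly_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]


def centered(c):
    """Representative of c mod q in (-q/2, q/2]."""
    c %= Q
    return c - Q if c > Q // 2 else c


def ternary(rng):
    return [rng.choice((-1, 0, 1)) for _ in range(N)]


def toy_keys(rng):
    """Constructed stand-in for Setup + Extract (NOT the scheme's trapdoor sampler).
    The real Extract fixes t = H(id) and Gaussian-samples a short (s1, s2) with
    s1 + s2*h = t using the NTRU basis; here a short (s1, s2) is chosen first and
    t is defined from it, which gives the same relation but no security."""
    h = [rng.randrange(Q) for _ in range(N)]                 # master public key h
    s1 = [rng.randint(-S_BOUND, S_BOUND) for _ in range(N)]
    s2 = [rng.randint(-S_BOUND, S_BOUND) for _ in range(N)]
    t = poly_add(s1, poly_mul(s2, h))                        # s1 + s2*h = t (mod q)
    return h, t, s1, s2


def encrypt(h, t, bits, rng):
    """[LPR] Encrypt: u = r*h + e1, v = r*t + e2 + floor(q/2)*b, r/e1/e2 ternary."""
    r, e1, e2 = ternary(rng), ternary(rng), ternary(rng)
    u = poly_add(poly_mul(r, h), e1)
    v = poly_add(poly_add(poly_mul(r, t), e2), [(Q // 2) * b for b in bits])
    return u, v


def decrypt_raw(u, v, s2):
    """v - u*s2 = floor(q/2)*b + (e2 + r*s1 - e1*s2), returned centered mod q."""
    return [centered(c) for c in poly_sub(v, poly_mul(u, s2))]


def decrypt(u, v, s2):
    """Recover b: a coefficient near +-q/2 decodes to 1, one near 0 to 0."""
    return [1 if abs(c) > Q // 4 else 0 for c in decrypt_raw(u, v, s2)]


def noise_inf_norm(w, bits):
    """Infinity norm of the noise left once floor(q/2)*b is removed from w."""
    return max(abs(centered(c - (Q // 2) * b)) for c, b in zip(w, bits))


def demo(seed=1):
    """Full round trip with constructed keys; decryption is correct whenever
    the noise stays below q/4, which NOISE_WORST_CASE guarantees here."""
    rng = random.Random(seed)
    h, t, s1, s2 = toy_keys(rng)
    bits = [rng.randrange(2) for _ in range(N)]
    u, v = encrypt(h, t, bits, rng)
    w = decrypt_raw(u, v, s2)
    return {
        "key_relation_ok": poly_add(s1, poly_mul(s2, h)) == t,
        "decrypt_ok": [1 if abs(c) > Q // 4 else 0 for c in w] == bits,
        "noise": noise_inf_norm(w, bits),
        "noise_worst_case": NOISE_WORST_CASE,
        "q_over_4": Q // 4,
    }


if __name__ == "__main__":
    print(demo())
```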
Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)?

Figure: the Gram-Schmidt norms of the (f, g) and (F, G) rows as a function of $\|(f, g)\|$, with three regimes marked: NTRUEncrypt ($\|(f, g)\|$ minimal), our paper ($\|(f, g)\| \approx 1.17\sqrt{q}$, where $\sigma > \frac{1}{\sqrt{2}}\sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde{B}\|$), and [SS] ($\|(f, g)\| > 2n\sqrt{q}$).

$\|\tilde{B}\| = \max_{\tilde{b}_i \in \tilde{B}} \|\tilde{b}_i\|$, where $\tilde{B}$ is the Gram-Schmidt orthogonalization of B.
For NTRU lattices, $\|\tilde{B}\| \approx \max\left(\|(f, g)\|,\ \frac{(1.17)^2 q}{\|(f, g)\|}\right)$.
⇒ $\|\tilde{B}\|$ is minimal for $\|(f, g)\| \approx 1.17\sqrt{q}$.
15 / 21
KL-Divergence + optimal NTRU bases

Let P be the perfect discrete Gaussian and Q the output of the Gaussian sampler.
[GPV, DNa] → If $\sigma > \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde{B}\|$ then $\mathrm{SD}(P, Q) \le 2^{-\lambda}$.
Our results → If $\sigma > \frac{1}{\sqrt{2}} \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot 1.17\sqrt{q}$ then $D_{\mathrm{KL}}(P \,\|\, Q) \le 2^{-\lambda}$.
16 / 21
Implementation and comparison with a pairing-based IBE

Scheme      | This paper           | BF-192
Parameters  | 2n = 2048, q ≈ 2^27  | log p = 640, k log p = 7680
User Key    | 27 kbits             | 0.62 kbits
Ciphertexts | 30 kbits             | 15 kbits
Extract     | 32.7 ms              | 3.3 ms
Encrypt     | 0.033 ms             | 38.7 ms
Decrypt     | 0.012 ms             | 32.7 ms

Implementation¹ in C++ with NFLlib² [ABFK]. Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192.
¹ Material: Intel Core i5-3210M 2.5 GHz and 6 GB RAM.
² NTT-based Fast Lattice library (only for Encrypt, Decrypt).
17 / 21
Implementation and comparison with a pairing-based IBE (continued)

(Same table as on the previous slide.) For 192 bits of security:
Extract: 10× slower
Encrypt: 1200× faster
Decrypt: 2700× faster
18 / 21
Implementation and comparison with a pairing-based IBE

Scheme      | This paper           | BF-128
Parameters  | 2n = 2048, q ≈ 2^27  | log p = 256, k log p = 3072
User Key    | 27 kbits             | 0.25 kbits
Ciphertexts | 30 kbits             | 3 kbits
Extract     | 32.7 ms              | 0.52 ms
Encrypt     | 0.033 ms             | 7.21 ms
Decrypt     | 0.012 ms             | 4.78 ms

192 bits of security for us, 128 for Boneh-Franklin:
Extract: 60× slower
Encrypt: 200× faster
Decrypt: 400× faster
19 / 21
Thank you! Any questions?

ePrint: http://eprint.iacr.org/2014/794
Article and slides: http://www.di.ens.fr/~prest
Implementation: https://github.com/tprest/Lattice-IBE
Contact: lducas[at]eng.ucsd.edu, vadim.lyubashevsky[at]inria.fr, thomas.prest[at]ens.fr
20 / 21
[ABFK] C. Aguilar, J. Barrier, L. Fousse and M.-O. Killijian. XPIRe: Private information retrieval for everyone. IACR ePrint XXX/2014.
[DNa] Léo Ducas and Phong Q. Nguyen. Faster Gaussian lattice sampling using lazy floating-point arithmetic. ASIACRYPT '12.
[DNb] Léo Ducas and Phong Q. Nguyen. Learning a zonotope and more: cryptanalysis of NTRUSign countermeasures. ASIACRYPT '12.
[GGH] Oded Goldreich, Shafi Goldwasser and Shai Halevi. Public-key cryptosystems from lattice reduction problems. CRYPTO '97.
[GPV] Craig Gentry, Chris Peikert and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. STOC '08.
[Gui] Aurore Guillevic. Étude de l'arithmétique des couplages sur les courbes algébriques pour la cryptographie. PhD thesis.
[HHP+] Jeffrey Hoffstein, Nick Howgrave-Graham, Jill Pipher, Joseph H. Silverman and William Whyte. NTRUSign: digital signatures using the NTRU lattice. CT-RSA '03.
[LPR] Vadim Lyubashevsky, Chris Peikert and Oded Regev. A toolkit for ring-LWE cryptography. EUROCRYPT '13.
[NR] Phong Q. Nguyen and Oded Regev. Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures. EUROCRYPT '06.
[PDG] Thomas Pöppelmann, Léo Ducas and Tim Güneysu. Enhanced lattice-based signatures on reconfigurable hardware. CHES '14.
[SS] Damien Stehlé and Ron Steinfeld. Making NTRU as secure as worst-case problems over ideal lattices. EUROCRYPT '11.
21 / 21
Distinguishing two distributions
[Figure: an algorithm makes q queries to an oracle for P (resp. Q), receives q answers and outputs 0 or 1. Are P and Q indistinguishable? In our case P = perfect Gaussian, Q = simulated Gaussian from [GPV].]
Let the algorithm $A^P$ make at most $q$ queries to $P$ and output a bit. Let $x$ (resp. $y$) be the probability that $A^P$ (resp. $A^Q$) outputs 1.
If $\mathrm{SD}(P, Q) \le \delta$, then $|x - y| \le q\delta$.
If $D_{KL}(P \,\|\, Q) \le \delta$, then $|x - y| \le \frac{1}{2}\sqrt{q\delta}$ [PDG].
$\Rightarrow$ We can replace statistical distance with KL-divergence.
Statistical distance or KL-divergence?
[Figure: the "best" measure depends on the distributions.]
Let $P$ be the perfect Gaussian of standard deviation $\sigma$ and $Q$ the output of the Gaussian sampler.
[GPV, DNa] → If $\sigma > \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde{B}\|$, then $\mathrm{SD}(P, Q) \le 2^{-\lambda}$.
Our results → If $\sigma > \frac{1}{\sqrt{2}} \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde{B}\|$, then $D_{KL}(P \,\|\, Q) \le 2^{-\lambda}$.
Practical impact of KL-divergence
[Figure: sizes of the signatures, with statistical distance vs. with KL-divergence.]
Smaller signatures.
Gain for free.

1. Gaussian Sampling and KL-Divergence
2. An IBE scheme over NTRU lattices
From a signature scheme to an IBE scheme
Keygen: $SK \leftarrow \begin{bmatrix} g & -f \\ G & -F \end{bmatrix}$, $PK \leftarrow h$, where $f * G - g * F = q$ and $h = g * f^{-1} \bmod q$ (NTRU basis).
Sign: $t \leftarrow H(m)$, $\mathrm{Sign}(m) = \begin{bmatrix} s_1 \\ s_2 \end{bmatrix}$ s.t. $s_1 + s_2 * h = t$.
From a signature scheme to an IBE scheme
Setup: $MSK \leftarrow \begin{bmatrix} g & -f \\ G & -F \end{bmatrix}$, $MPK \leftarrow h$, where $f * G - g * F = q$ and $h = g * f^{-1} \bmod q$ (NTRU basis).
Extract: $t \leftarrow H(id)$, $SK_{id} = \begin{bmatrix} s_1 \\ s_2 \end{bmatrix}$ s.t. $s_1 + s_2 * h = t$.
[LPR] Encrypt: $u \leftarrow r * h + e_1$, $v \leftarrow r * t + e_2 + \lfloor q/2 \rfloor \cdot b$.
[LPR] Decrypt: $v - u * s_2 = \lfloor q/2 \rfloor \cdot b + \underbrace{e_2 + r * s_1 - e_1 * s_2}_{\|\cdot\|_\infty\ \text{small}}$.
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)?
[Figure: three NTRU bases $B = ((f,g), (F,G))$ with their Gram-Schmidt orthogonalizations $\tilde{B}$, against the sampling bound $\sigma > \frac{1}{\sqrt{2}} \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde{B}\|$.]
NTRUEncrypt: $\|(f,g)\|$ minimal.
Our paper: $\|(f,g)\| \approx 1.17\sqrt{q}$.
[SS]: $\|(f,g)\| > 2n\sqrt{q}$.
$\|\tilde{B}\| = \max_{\tilde{b}_i \in \tilde{B}} \|\tilde{b}_i\|$, where $\tilde{B}$ is the Gram-Schmidt orthogonalization of $B$.
For NTRU lattices, $\|\tilde{B}\| \approx \max\left(\|(f,g)\|,\ \frac{(1.17)^2 q}{\|(f,g)\|}\right)$.
$\Rightarrow$ $\|\tilde{B}\|$ is minimal for $\|(f,g)\| \approx 1.17\sqrt{q}$.
Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte
Ntrusign digital signatures using the ntru lattice CT-RSArsquo03
Vadim Lyubashevsky Chris Peikert and Oded Regev
A toolkit for ring-lwe cryptography EUROCRYPTrsquo13
Phong Q Nguyen and Oded Regev
Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06
Thomas Poppelmann Leo Ducas and Tim Guneysu
Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14
Damien Stehle and Ron Steinfeld
Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21
Let the algorithm $\mathcal{A}^P$ make at most $q$ queries to $P$ and output a bit. Let $x$ (resp. $y$) be the probability that $\mathcal{A}^P$ (resp. $\mathcal{A}^Q$) outputs 1.
If $\mathrm{SD}(P,Q) \le \delta$ then $|x - y| \le q\delta$.
If $D_{\mathrm{KL}}(P\|Q) \le \delta$ then $|x - y| \le \sqrt{q\delta/2}$ [PDG].
$\Rightarrow$ We can replace Statistical Distance with KL-Divergence.
9/21
Statistical Distance or KL-Divergence?
Figure: The "best" measure depends on the distributions.
Let $P$ be the perfect Gaussian of standard deviation $\sigma$ and $Q$ the output of the Gaussian Sampler.
[GPV, DNa] $\rightarrow$ If $\sigma > \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde{B}\|$ then $\mathrm{SD}(P,Q) \le 2^{-\lambda}$.
Our results $\rightarrow$ If $\sigma > \frac{1}{\sqrt{2}} \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde{B}\|$ then $D_{\mathrm{KL}}(P\|Q) \le 2^{-\lambda}$.
10/21
Practical impact of KL-Divergence
Figure: Sizes of the signatures, with statistical distance (left) and with KL-Divergence (right).
Smaller signatures.
Gain for free.
11/21
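A numerical check of the two bounds of slide 9 and of the remark on slide 10 that the best measure depends on the distributions. This is an added illustration, not code from the paper or from the authors' implementation. It builds the perfect one-dimensional discrete Gaussian $P = D_{\mathbb{Z},\sigma}$ and two constructed imperfect samplers $Q$: one that cuts the tails at $\tau\sigma$, and one whose table entries each carry a relative error $\varepsilon$ (the kind of defect finite-precision arithmetic produces). For each it computes $\mathrm{SD}(P,Q)$, $D_{\mathrm{KL}}$ and the slide-9 advantage bounds $q \cdot \mathrm{SD}$ and $\sqrt{q D_{\mathrm{KL}}/2}$ for an adversary making $q$ queries. The values $\sigma = 4$, $\tau = 4$, $\varepsilon = 2^{-12}$ and $q = 2^{10}$ are chosen for the illustration and are not from the paper.

```python
"""Statistical distance vs KL-divergence for an imperfect discrete-Gaussian sampler (slides 9-11).
Added example, not from the paper: two toy sampler defects are modelled (tail-cut and per-entry
relative error) and the slide-9 query bounds q*SD and sqrt(q*KL/2) are compared for each."""
import math

def discrete_gaussian(sigma, center=0.0):
    """The perfect distribution P = D_{Z,sigma,center}: x -> probability (mass beyond 20 sigma is < 2^-280)."""
    bound = math.ceil(abs(center) + 20 * sigma)
    w = {x: math.exp(-((x - center) ** 2) / (2 * sigma * sigma)) for x in range(-bound, bound + 1)}
    total = sum(w.values())
    return {x: p / total for x, p in w.items()}

def tail_cut(P, tau, sigma):
    """Sampler defect 1 (constructed): never outputs |x| > tau*sigma, so the support shrinks; mass renormalised."""
    Q = {x: p for x, p in P.items() if abs(x) <= tau * sigma}
    total = sum(Q.values())
    return {x: p / total for x, p in Q.items()}

def relative_error(P, eps):
    """Sampler defect 2 (constructed): every table entry carries relative error eps, as from finite-precision
    exp/ln; modelled with alternating signs and renormalised. The support is unchanged."""
    Q = {x: p * (1 + eps * (1 if x % 2 == 0 else -1)) for x, p in P.items()}
    total = sum(Q.values())
    return {x: p / total for x, p in Q.items()}

def stat_dist(P, Q):
    """SD(P, Q) = 1/2 * sum |P(x) - Q(x)|."""
    return 0.5 * sum(abs(P.get(x, 0.0) - Q.get(x, 0.0)) for x in set(P) | set(Q))

def kl_div(P, Q):
    """D_KL(P || Q) = sum P(x) ln(P(x)/Q(x)); infinite when P has mass where Q has none."""
    total = 0.0
    for x, p in P.items():
        if p == 0.0:
            continue
        q = Q.get(x, 0.0)
        if q == 0.0:
            return math.inf
        total -= p * math.log1p((q - p) / p)      # equals p*ln(p/q); log1p keeps precision when q ~ p
    return total

def query_bounds(P, Q, queries):
    """Slide 9: an adversary making `queries` oracle calls distinguishes P from Q with advantage at most
    queries*SD (statistical-distance argument) or sqrt(queries*KL/2) (KL argument, via Pinsker).
    Pinsker bounds SD by either direction of the KL-divergence, so the finite direction is used."""
    sd = stat_dist(P, Q)
    kl = min(kl_div(P, Q), kl_div(Q, P))
    return {"sd": sd, "kl": kl, "adv_sd": queries * sd, "adv_kl": math.sqrt(queries * kl / 2)}

def compare(sigma=4.0, tau=4.0, eps=2.0 ** -12, queries=2 ** 10):
    """Which measure gives the tighter bound depends on the defect: SD for tail-cut, KL for relative error."""
    P = discrete_gaussian(sigma)
    return {"tail_cut": query_bounds(P, tail_cut(P, tau, sigma), queries),
            "relative_error": query_bounds(P, relative_error(P, eps), queries)}

if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:15s} SD={r['sd']:.3e} KL={r['kl']:.3e}  bound via SD={r['adv_sd']:.4f}  via KL={r['adv_kl']:.4f}")
```

For the tail-cut sampler, SD and KL both equal (up to second order) the mass that was cut off, so the square root in the KL bound only loosens it and the SD bound wins. For the relative-error sampler, SD is about $\varepsilon/2$ while $D_{\mathrm{KL}}$ is about $\varepsilon^2/2$: the first-order terms cancel because both distributions sum to one, and the KL bound is tighter by more than an order of magnitude at these parameters. The Gaussian sampler of the slides is of the second kind, since its output stays within a small relative factor of the perfect Gaussian, and that is what lets a KL argument accept a smaller $\sigma$.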
1. Gaussian Sampling and KL-Divergence
2. An IBE scheme over NTRU lattices
12/21
From a signature scheme to an IBE scheme
Keygen: $\mathrm{SK} \leftarrow \begin{bmatrix} g & -f \\ G & -F \end{bmatrix}$, $\mathrm{PK} \leftarrow h$, where $f * G - g * F = q$ and $h = g * f^{-1} \bmod q$ (NTRU basis).
Sign: $t \leftarrow H(m)$; $\mathrm{Sign}(m) = \begin{bmatrix} s_1 \\ s_2 \end{bmatrix}$ s.t. $s_1 + s_2 * h = t$.
13/21
From a signature scheme to an IBE scheme
Setup: $\mathrm{MSK} \leftarrow \begin{bmatrix} g & -f \\ G & -F \end{bmatrix}$, $\mathrm{MPK} \leftarrow h$, where $f * G - g * F = q$ and $h = g * f^{-1} \bmod q$ (NTRU basis).
Extract: $t \leftarrow H(\mathrm{id})$; $\mathrm{SK}_{\mathrm{id}} = \begin{bmatrix} s_1 \\ s_2 \end{bmatrix}$ s.t. $s_1 + s_2 * h = t$.
[LPR] Encrypt: $u \leftarrow r * h + e_1$, $v \leftarrow r * t + e_2 + \lfloor q/2 \rfloor \cdot b$.
[LPR] Decrypt: $v - u * s_2 = \lfloor q/2 \rfloor \cdot b + \underbrace{e_2 + r * s_1 - e_1 * s_2}_{\|\cdot\|_\infty \text{ small}}$.
14/21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)?
Figure: $\|(f,g)\|$ against the resulting $\|(F,G)\|$ and $\|\tilde{B}\|$ for three choices: NTRUEncrypt ($\|(f,g)\|$ minimal), our paper ($\|(f,g)\| \approx 1.17\sqrt{q}$) and [SS] ($\|(f,g)\| > 2n\sqrt{q}$); the sampler requires $\sigma > \frac{1}{\sqrt{2}} \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde{B}\|$.
$\|\tilde{B}\| = \max_{\tilde{b}_i \in \tilde{B}} \|\tilde{b}_i\|$, where $\tilde{B}$ is the Gram-Schmidt orthogonalization of $B$.
For NTRU lattices, $\|\tilde{B}\| \approx \max\left(\|(f,g)\|,\ \frac{(1.17)^2 q}{\|(f,g)\|}\right)$.
$\Rightarrow \|\tilde{B}\|$ is minimal for $\|(f,g)\| \approx 1.17\sqrt{q}$.
15/21
KL-Divergence + optimal NTRU bases
Let $P$ be the perfect Discrete Gaussian and $Q$ the output of the Gaussian Sampler.
[GPV, DNa] $\rightarrow$ If $\sigma > \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde{B}\|$ then $\mathrm{SD}(P,Q) \le 2^{-\lambda}$.
Our results $\rightarrow$ If $\sigma > \frac{1}{\sqrt{2}} \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot 1.17\sqrt{q}$ then $D_{\mathrm{KL}}(P\|Q) \le 2^{-\lambda}$.
16/21
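The four algorithms of slides 13 and 14, the $\|\tilde{B}\|$ choice of slide 15 and the $\sigma$ formula of slide 16, run end to end at toy size. This is an added example and not the authors' code (their C++ implementation is the Lattice-IBE repository linked on the last slide). It uses $N = 8$, $q = 2^{17} - 1$ and $\lambda = 64$ instead of the paper's $n = 1024$, $q \approx 2^{27}$, so it is correct but not secure. The NTRU-equation solver (resultants plus Babai reduction), the Klein/GPV sampler built on a rejection-sampled integer Gaussian, the SHAKE-256 hash $H$, the ternary $r, e_1, e_2$, the seeded `random.Random` and the identity `alice@example.org` are stand-ins chosen for the illustration; none of these details come from the slides.

```python
"""Toy run of the IBE on slides 13-16 (Setup, Extract, Encrypt, Decrypt) at N = 8, Q = 2^17-1
instead of n = 1024, q ~ 2^27.  Added example, not the authors' code: the NTRU-equation solver
(resultants + Babai reduction), the Klein/GPV sampler and the hash H are textbook stand-ins."""
from fractions import Fraction
import hashlib, math, random

N, Q, LAM = 8, 131071, 64        # toy ring Z[x]/(x^N+1), prime modulus, lambda in the slide-16 sigma formula
rng = random.Random(794)         # seeded for reproducibility; not a CSPRNG (toy only)

def mul(a, b):                   # product in Z[x]/(x^N+1); works for ints and Fractions
    r = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N: r[i + j] += ai * bj
            else:         r[i + j - N] -= ai * bj      # x^N = -1
    return r
def add(a, b): return [x + y for x, y in zip(a, b)]
def sub(a, b): return [x - y for x, y in zip(a, b)]
def adj(a):    return [a[0]] + [-x for x in a[:0:-1]]  # a(1/x): the conjugate used by Babai reduction
def anticirc(a):                                        # rows a, x*a, ..., x^(N-1)*a
    rows, v = [], list(a)
    for _ in range(N):
        rows.append(v); v = [-v[-1]] + v[:-1]
    return rows

def inverse(a):                  # exact a^-1 over Q and det of its multiplication matrix (resultant with x^N+1, up to sign)
    M = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(N)] for i, row in enumerate(anticirc(a))]
    det = Fraction(1)
    for c in range(N):
        p = next(r for r in range(c, N) if M[r][c] != 0)   # StopIteration: a is not invertible
        if p != c: M[c], M[p], det = M[p], M[c], -det
        piv = M[c][c]; det *= piv
        M[c] = [x / piv for x in M[c]]
        for r in range(N):
            if r != c and M[r][c] != 0:
                M[r] = [x - M[r][c] * y for x, y in zip(M[r], M[c])]
    return M[0][N:], int(det)    # row 0 of A(a)^-1 is the coefficient vector of a^-1

def gram_schmidt(B):             # float Gram-Schmidt of the rows of B
    Bt = []
    for b in B:
        v = [float(x) for x in b]
        for w in Bt:
            c = sum(x * y for x, y in zip(v, w)) / sum(y * y for y in w)
            v = [x - c * y for x, y in zip(v, w)]
        Bt.append(v)
    return Bt

def setup():                     # slide 13/14 Setup: MSK = short basis [[g,-f],[G,-F]], f*G - g*F = Q; MPK = h = g/f mod Q
    std = 1.17 * math.sqrt(Q) / math.sqrt(2 * N)       # slide 15: ||(f,g)|| ~ 1.17 sqrt(q) minimises ||B~||
    while True:
        f, g = ([round(rng.gauss(0, std)) for _ in range(N)] for _ in range(2))
        try:    (f_inv, Rf), (g_inv, Rg) = inverse(f), inverse(g)
        except StopIteration: continue
        if math.gcd(Rf, Rg) != 1 or Rf % Q == 0: continue       # need gcd(Rf,Rg) = 1 and f invertible mod Q
        u = pow(Rf, -1, abs(Rg)); v = (1 - u * Rf) // Rg        # u*Rf + v*Rg = 1
        rho_f, rho_g = [int(x * Rf) for x in f_inv], [int(x * Rg) for x in g_inv]   # f*rho_f = Rf, g*rho_g = Rg
        F, G = [-Q * v * x for x in rho_g], [Q * u * x for x in rho_f]   # f*G - g*F = Q*(u*Rf + v*Rg) = Q
        den_inv, _ = inverse(add(mul(f, adj(f)), mul(g, adj(g))))
        for _ in range(8):                                       # Babai-reduce (F,G) against (f,g): make them short
            k = [round(x) for x in mul(add(mul(F, adj(f)), mul(G, adj(g))), den_inv)]
            if not any(k): break
            F, G = sub(F, mul(k, f)), sub(G, mul(k, g))
        h = [x * pow(Rf, -1, Q) % Q for x in mul(g, rho_f)]
        B = [r1 + [-x for x in r2] for r1, r2 in zip(anticirc(g) + anticirc(G), anticirc(f) + anticirc(F))]
        Bt = gram_schmidt(B)
        gs_norm = max(math.sqrt(sum(x * x for x in bt)) for bt in Bt)            # ||B~|| of slide 15
        sigma = math.sqrt(LAM * math.log(2) / (2 * math.pi ** 2)) / math.sqrt(2) * gs_norm   # slide 16, KL version
        return dict(B=B, Bt=Bt, sigma=sigma, f=f, g=g, F=F, G=G, gs_norm=gs_norm), h

def sample_z(center, std):       # discrete Gaussian on Z around center, by rejection (toy: not constant-time)
    lo, hi = math.floor(center - 12 * std), math.ceil(center + 12 * std)
    while True:
        z = rng.randint(lo, hi)
        if rng.random() < math.exp(-((z - center) ** 2) / (2 * std * std)): return z

def klein_sample(B, Bt, sigma, target):   # Klein/GPV sampler (slide 8): lattice point near target, Gaussian width sigma
    c, v = [float(x) for x in target], [0] * len(target)
    for b, bt in zip(reversed(B), reversed(Bt)):
        nb2 = sum(x * x for x in bt)
        z = sample_z(sum(x * y for x, y in zip(c, bt)) / nb2, sigma / math.sqrt(nb2))
        c, v = [x - z * y for x, y in zip(c, b)], [x + z * y for x, y in zip(v, b)]
    return v

def hash_to_ring(identity):      # toy H(id) into Z_Q^N via SHAKE-256 (stand-in for the slides' H)
    d = hashlib.shake_256(identity.encode()).digest(4 * N)
    return [int.from_bytes(d[4 * i:4 * i + 4], "big") % Q for i in range(N)]

def extract(msk, identity):      # slide 14 Extract: short (s1, s2) with s1 + s2*h = H(id) mod Q, a GPV signature on id
    t = hash_to_ring(identity)
    v = klein_sample(msk["B"], msk["Bt"], msk["sigma"], t + [0] * N)   # lattice point close to (t, 0)
    return sub(t, v[:N]), [-x for x in v[N:]]                           # (t, 0) - v

def encrypt(h, identity, bits):  # slide 14 Encrypt (LPR): u = r*h + e1, v = r*t + e2 + floor(Q/2)*b, mod Q
    t = hash_to_ring(identity)
    r, e1, e2 = ([rng.choice((-1, 0, 1)) for _ in range(N)] for _ in range(3))   # small r, e1, e2
    u = [x % Q for x in add(mul(r, h), e1)]
    return u, [(x + (Q // 2) * b) % Q for x, b in zip(add(mul(r, t), e2), bits)]

def decrypt(sk, ct):             # slide 14 Decrypt: v - u*s2 = floor(Q/2)*b + (e2 + r*s1 - e1*s2), bracket small
    (s1, s2), (u, v) = sk, ct
    return [1 if Q // 4 < x % Q <= 3 * Q // 4 else 0 for x in sub(v, mul(u, s2))]

def demo(identity="alice@example.org", bits=(1, 0, 1, 1, 0, 0, 1, 0)):   # constructed identity and message
    msk, mpk = setup()
    sk = extract(msk, identity)
    return decrypt(sk, encrypt(mpk, identity, list(bits))) == list(bits)
```

`demo()` returns True when the constructed 8-bit message round-trips. Every row $(u, v)$ of the master basis satisfies $u + v * h \equiv 0 \pmod q$, `extract` returns $(s_1, s_2)$ with $s_1 + s_2 * h \equiv H(\mathrm{id})$, and `msk["gs_norm"]` is the $\|\tilde{B}\|$ that slide 15 estimates as $\max(\|(f,g)\|, 1.17^2 q / \|(f,g)\|)$; at $N = 8$ that estimate is only rough, but $\|\tilde{B}\| \ge \|(f,g)\|$ always holds because the first Gram-Schmidt vector is $(g, -f)$ itself.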
Implementation and comparison with a pairing-based IBE
Scheme       | This paper           | BF-192
Parameters   | 2n = 2048, q ≈ 2^27  | log p = 640, k log p = 7680
User Key     | 27 kbits             | 0.62 kbits
Ciphertexts  | 30 kbits             | 15 kbits
Extract      | 32.7 ms              | 3.3 ms
Encrypt      | 0.033 ms             | 38.7 ms
Decrypt      | 0.012 ms             | 32.7 ms
Implementation (1) in C++ with NFLlib (2) [ABFK]. Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192.
(1) Material: Intel Core i5-3210M 2.5 GHz and 6 GB RAM. (2) NTT-based Fast Lattice library (only for Encrypt, Decrypt).
17/21
Implementation and comparison with a pairing-based IBE
For 192 bits of security:
Extract: 10× slower
Encrypt: 1200× faster
Decrypt: 2700× faster
18/21
Implementation and comparison with a pairing-based IBE
Scheme       | This paper           | BF-128
Parameters   | 2n = 2048, q ≈ 2^27  | log p = 256, k log p = 3072
User Key     | 27 kbits             | 0.25 kbits
Ciphertexts  | 30 kbits             | 3 kbits
Extract      | 32.7 ms              | 0.52 ms
Encrypt      | 0.033 ms             | 7.21 ms
Decrypt      | 0.012 ms             | 4.78 ms
192 bits of security for us, 128 for Boneh-Franklin:
Extract: 60× slower
Encrypt: 200× faster
Decrypt: 400× faster
19/21
Thank you! Any questions?
ePrint: http://eprint.iacr.org/2014/794
Article and slides: http://www.di.ens.fr/~prest
Implementation: https://github.com/tprest/Lattice-IBE
Contact: lducas[at]eng.ucsd.edu, vadim.lyubashevsky[at]inria.fr, thomas.prest[at]ens.fr
20/21
[ABFK] C. Aguilar, J. Barrier, L. Fousse and M.-O. Killijian. Xpire: Private information retrieval for everyone. IACR ePrint XXX/2014.
[DNa] Léo Ducas and Phong Q. Nguyen. Faster Gaussian lattice sampling using lazy floating-point arithmetic. ASIACRYPT '12.
[DNb] Léo Ducas and Phong Q. Nguyen. Learning a zonotope and more: cryptanalysis of NTRUSign countermeasures. ASIACRYPT '12.
[GGH] Oded Goldreich, Shafi Goldwasser and Shai Halevi. Public-key cryptosystems from lattice reduction problems. CRYPTO '97.
[GPV] Craig Gentry, Chris Peikert and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. STOC '08.
[Gui] Aurore Guillevic. Étude de l'arithmétique des couplages sur les courbes algébriques pour la cryptographie (Study of the arithmetic of pairings on algebraic curves for cryptography). PhD thesis.
[HHP+] Jeffrey Hoffstein, Nick Howgrave-Graham, Jill Pipher, Joseph H. Silverman and William Whyte. NTRUSign: digital signatures using the NTRU lattice. CT-RSA '03.
[LPR] Vadim Lyubashevsky, Chris Peikert and Oded Regev. A toolkit for Ring-LWE cryptography. EUROCRYPT '13.
[NR] Phong Q. Nguyen and Oded Regev. Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures. EUROCRYPT '06.
[PDG] Thomas Pöppelmann, Léo Ducas and Tim Güneysu. Enhanced lattice-based signatures on reconfigurable hardware. CHES '14.
[SS] Damien Stehlé and Ron Steinfeld. Making NTRU as secure as worst-case problems over ideal lattices. EUROCRYPT '11.
21/21
Statistical Distance or KL-Divergence
Figure The ldquobestrdquo measure depends on the distributions
Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler
[GPV DNa] rarr If σ gtradic
λ ln 22π2 middot B then SD(PQ) 6 2minusλ
Our results rarr If σ gt 1radic2
radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ
10 21
Statistical Distance or KL-Divergence
Figure The ldquobestrdquo measure depends on the distributions
Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler
[GPV DNa] rarr If σ gtradic
λ ln 22π2 middot B then SD(PQ) 6 2minusλ
Our results rarr If σ gt 1radic2
radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ
10 21
Practical impact of KL-Divergence
With statistical distance With KL-Divergence
Figure Sizes of the signatures
Smaller signatures
Gain for free
11 21
1 Gaussian Sampling and KL-Divergence
2 An IBE scheme over NTRU lattices
12 21
From a signature scheme to an IBE scheme
Keygen
SK larr[g Gminusf minusF
]PK larr h
Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Sign
t larr H(m)
Sign(m) =
[s1
s2
]st s1 + s2 lowast h = t
13 21
From a signature scheme to an IBE scheme
Setup
MSK larr[g Gminusf minusF
]MPK larr h
Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract
t larr H(id)
SKid =
[s1
s2
]st s1 + s2 lowast h = t
[LPR] Encryptu larr r lowast h + e1
v larr r lowast t + e2 +lfloor
q2
rfloormiddot b
[LPR] Decrypt
v minus u lowast s2 =lfloor
q2
rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸
infin small
14 21
From a signature scheme to an IBE scheme
Setup
MSK larr[g Gminusf minusF
]MPK larr h
Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract
t larr H(id)
SKid =
[s1
s2
]st s1 + s2 lowast h = t
[LPR] Encryptu larr r lowast h + e1
v larr r lowast t + e2 +lfloor
q2
rfloormiddot b
[LPR] Decrypt
v minus u lowast s2 =lfloor
q2
rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸
infin small
14 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot BB
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
KL-Divergence + optimal NTRU bases
Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler
[GPV DNa] rarr If σ gtradic
λ ln 22π2 middot B then SD(PQ) 6 2minusλ
Our results rarr If σ gt 1radic2
radicλ ln 22π2 middot 117
radicq then DKL(PQ) 6 2minusλ
16 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-192
Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680
User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms
Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192
1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)
17 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-192
Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680
User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms
For 192 bits of security
Extract 10times slower
Encrypt 1200times faster
Decrypt 2700times faster
18 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-128
Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072
User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms
192 bits of security for us 128 for Boneh-Franklin
Extract 60times slower
Encrypt 200times faster
Decrypt 400times faster
19 21
Thank you Any questions
ePrint httpeprintiacrorg2014794
Article and slides httpwwwdiensfr~prest
Implementation httpsgithubcomtprestLattice-IBE
Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr
20 21
C Aguilar J Barrier L Fousse and MO Killijian
Xpire Private information retrieval for everyone IACR eprint XXX2014
Leo Ducas and Phong Q Nguyen
Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12
Leo Ducas and Phong Q Nguyen
Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12
Oded Goldreich Shafi Goldwasser and Shai Halevi
Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97
Craig Gentry Chris Peikert and Vinod Vaikuntanathan
Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08
Aurore Guillevic
Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis
Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte
Ntrusign digital signatures using the ntru lattice CT-RSArsquo03
Vadim Lyubashevsky Chris Peikert and Oded Regev
A toolkit for ring-lwe cryptography EUROCRYPTrsquo13
Phong Q Nguyen and Oded Regev
Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06
Thomas Poppelmann Leo Ducas and Tim Guneysu
Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14
Damien Stehle and Ron Steinfeld
Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21
Statistical Distance or KL-Divergence
Figure The ldquobestrdquo measure depends on the distributions
Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler
[GPV DNa] rarr If σ gtradic
λ ln 22π2 middot B then SD(PQ) 6 2minusλ
Our results rarr If σ gt 1radic2
radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ
10 21
Practical impact of KL-Divergence
With statistical distance With KL-Divergence
Figure Sizes of the signatures
Smaller signatures
Gain for free
11 21
1 Gaussian Sampling and KL-Divergence
2 An IBE scheme over NTRU lattices
12 21
From a signature scheme to an IBE scheme
Keygen
SK larr[g Gminusf minusF
]PK larr h
Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Sign
t larr H(m)
Sign(m) =
[s1
s2
]st s1 + s2 lowast h = t
13 21
From a signature scheme to an IBE scheme
Setup
MSK larr[g Gminusf minusF
]MPK larr h
Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract
t larr H(id)
SKid =
[s1
s2
]st s1 + s2 lowast h = t
[LPR] Encryptu larr r lowast h + e1
v larr r lowast t + e2 +lfloor
q2
rfloormiddot b
[LPR] Decrypt
v minus u lowast s2 =lfloor
q2
rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸
infin small
14 21
From a signature scheme to an IBE scheme
Setup
MSK larr[g Gminusf minusF
]MPK larr h
Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract
t larr H(id)
SKid =
[s1
s2
]st s1 + s2 lowast h = t
[LPR] Encryptu larr r lowast h + e1
v larr r lowast t + e2 +lfloor
q2
rfloormiddot b
[LPR] Decrypt
v minus u lowast s2 =lfloor
q2
rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸
infin small
14 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot BB
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
KL-Divergence + optimal NTRU bases
Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler
[GPV DNa] rarr If σ gtradic
λ ln 22π2 middot B then SD(PQ) 6 2minusλ
Our results rarr If σ gt 1radic2
radicλ ln 22π2 middot 117
radicq then DKL(PQ) 6 2minusλ
16 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-192
Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680
User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms
Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192
1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)
17 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-192
Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680
User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms
For 192 bits of security
Extract 10times slower
Encrypt 1200times faster
Decrypt 2700times faster
18 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-128
Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072
User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms
192 bits of security for us 128 for Boneh-Franklin
Extract 60times slower
Encrypt 200times faster
Decrypt 400times faster
19 21
Thank you Any questions
ePrint httpeprintiacrorg2014794
Article and slides httpwwwdiensfr~prest
Implementation httpsgithubcomtprestLattice-IBE
Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr
20 21
C Aguilar J Barrier L Fousse and MO Killijian
Xpire Private information retrieval for everyone IACR eprint XXX2014
Leo Ducas and Phong Q Nguyen
Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12
Leo Ducas and Phong Q Nguyen
Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12
Oded Goldreich Shafi Goldwasser and Shai Halevi
Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97
Craig Gentry Chris Peikert and Vinod Vaikuntanathan
Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08
Aurore Guillevic
Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis
Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte
Ntrusign digital signatures using the ntru lattice CT-RSArsquo03
Vadim Lyubashevsky Chris Peikert and Oded Regev
A toolkit for ring-lwe cryptography EUROCRYPTrsquo13
Phong Q Nguyen and Oded Regev
Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06
Thomas Poppelmann Leo Ducas and Tim Guneysu
Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14
Damien Stehle and Ron Steinfeld
Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21
Practical impact of KL-Divergence
With statistical distance With KL-Divergence
Figure Sizes of the signatures
Smaller signatures
Gain for free
11 21
1 Gaussian Sampling and KL-Divergence
2 An IBE scheme over NTRU lattices
12 21
From a signature scheme to an IBE scheme
Keygen
SK larr[g Gminusf minusF
]PK larr h
Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Sign
t larr H(m)
Sign(m) =
[s1
s2
]st s1 + s2 lowast h = t
13 21
From a signature scheme to an IBE scheme
Setup
MSK larr[g Gminusf minusF
]MPK larr h
Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract
t larr H(id)
SKid =
[s1
s2
]st s1 + s2 lowast h = t
[LPR] Encryptu larr r lowast h + e1
v larr r lowast t + e2 +lfloor
q2
rfloormiddot b
[LPR] Decrypt
v minus u lowast s2 =lfloor
q2
rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸
infin small
14 21
From a signature scheme to an IBE scheme
Setup
MSK larr[g Gminusf minusF
]MPK larr h
Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract
t larr H(id)
SKid =
[s1
s2
]st s1 + s2 lowast h = t
[LPR] Encryptu larr r lowast h + e1
v larr r lowast t + e2 +lfloor
q2
rfloormiddot b
[LPR] Decrypt
v minus u lowast s2 =lfloor
q2
rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸
infin small
14 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot BB
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
KL-Divergence + optimal NTRU bases
Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler
[GPV DNa] rarr If σ gtradic
λ ln 22π2 middot B then SD(PQ) 6 2minusλ
Our results rarr If σ gt 1radic2
radicλ ln 22π2 middot 117
radicq then DKL(PQ) 6 2minusλ
16 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-192
Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680
User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms
Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192
1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)
17 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-192
Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680
User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms
For 192 bits of security
Extract 10times slower
Encrypt 1200times faster
Decrypt 2700times faster
18 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-128
Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072
User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms
192 bits of security for us 128 for Boneh-Franklin
Extract 60times slower
Encrypt 200times faster
Decrypt 400times faster
19 21
Thank you Any questions
ePrint httpeprintiacrorg2014794
Article and slides httpwwwdiensfr~prest
Implementation httpsgithubcomtprestLattice-IBE
Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr
20 21
C Aguilar J Barrier L Fousse and MO Killijian
Xpire Private information retrieval for everyone IACR eprint XXX2014
Leo Ducas and Phong Q Nguyen
Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12
Leo Ducas and Phong Q Nguyen
Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12
Oded Goldreich Shafi Goldwasser and Shai Halevi
Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97
Craig Gentry Chris Peikert and Vinod Vaikuntanathan
Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08
Aurore Guillevic
Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis
Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte
Ntrusign digital signatures using the ntru lattice CT-RSArsquo03
Vadim Lyubashevsky Chris Peikert and Oded Regev
A toolkit for ring-lwe cryptography EUROCRYPTrsquo13
Phong Q Nguyen and Oded Regev
Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06
Thomas Poppelmann Leo Ducas and Tim Guneysu
Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14
Damien Stehle and Ron Steinfeld
Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21
1 Gaussian Sampling and KL-Divergence
2 An IBE scheme over NTRU lattices
12 21
From a signature scheme to an IBE scheme
Keygen
SK larr[g Gminusf minusF
]PK larr h
Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Sign
t larr H(m)
Sign(m) =
[s1
s2
]st s1 + s2 lowast h = t
13 21
From a signature scheme to an IBE scheme
Setup
MSK larr[g Gminusf minusF
]MPK larr h
Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract
t larr H(id)
SKid =
[s1
s2
]st s1 + s2 lowast h = t
[LPR] Encryptu larr r lowast h + e1
v larr r lowast t + e2 +lfloor
q2
rfloormiddot b
[LPR] Decrypt
v minus u lowast s2 =lfloor
q2
rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸
infin small
14 21
From a signature scheme to an IBE scheme
Setup
MSK larr[g Gminusf minusF
]MPK larr h
Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract
t larr H(id)
SKid =
[s1
s2
]st s1 + s2 lowast h = t
[LPR] Encryptu larr r lowast h + e1
v larr r lowast t + e2 +lfloor
q2
rfloormiddot b
[LPR] Decrypt
v minus u lowast s2 =lfloor
q2
rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸
infin small
14 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
KL-Divergence + optimal NTRU bases (slide 16/21)

Let $P$ be the perfect discrete Gaussian and $Q$ the output of the Gaussian sampler.

[GPV, DNa] $\rightarrow$ If $\sigma > \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde{B}\|$ then $\mathrm{SD}(P, Q) \le 2^{-\lambda}$.

Our results $\rightarrow$ If $\sigma > \frac{1}{\sqrt{2}}\sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot 1.17\sqrt{q}$ then $D_{KL}(P \| Q) \le 2^{-\lambda}$.
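The two previous slides hinge on one quantity, the Gram-Schmidt norm $\|\tilde{B}\|$ of the NTRU basis, and on the two $\sigma$ thresholds derived from it. The following is an added example in Python, not code from the slides or from the authors' implementation, that computes $\|\tilde{B}\|$ from $(f, g)$ alone and checks it against an explicit exact Gram-Schmidt on a tiny basis. The closed form it relies on is not stated on the slides: for the basis $\begin{bmatrix} g & -f \\ G & -F \end{bmatrix}$ the first $n$ Gram-Schmidt vectors all have norm $\|(f,g)\|$, and projecting $(G, -F)$ orthogonally to their span gives $\tilde{b}_{n+1} = \frac{q}{f\bar{f} + g\bar{g}}\,(\bar{f}, \bar{g})$, so by Parseval $\|\tilde{b}_{n+1}\|^2 = \frac{q^2}{n}\sum_k \frac{1}{|f(\zeta_k)|^2 + |g(\zeta_k)|^2}$ over the roots $\zeta_k$ of $x^n + 1$. The toy basis $f = 1 + x$, $g = 1$, $F = -7$, $G = 0$, $q = 7$ in $\mathbb{Z}[x]/(x^2+1)$ and the Gaussian $(f,g)$ in `demo` are constructed inputs; the factor $1.17$, the $\sigma$ formulas and $\lambda = 192$ are the slides' own.

```python
import cmath
import math
import random
from fractions import Fraction

def ring_roots(n):
    """The n complex roots of x^n + 1: zeta_k = exp(i*pi*(2k+1)/n)."""
    return [cmath.exp(1j * math.pi * (2 * k + 1) / n) for k in range(n)]

def evaluate(poly, z):
    """Horner evaluation of an integer polynomial at a complex point."""
    acc = 0j
    for c in reversed(poly):
        acc = acc * z + c
    return acc

def gs_norm_ntru(f, g, q):
    """||B~|| of the NTRU basis [[g, -f], [G, -F]] computed from (f, g) alone.
    The first n Gram-Schmidt vectors have norm ||(f,g)||; the (n+1)-th is
    q*(fbar, gbar)/(f*fbar + g*gbar), whose norm by Parseval is
    q*sqrt((1/n) sum_k 1/d_k) with d_k = |f(zeta_k)|^2 + |g(zeta_k)|^2.
    Returns (||(f,g)||, ||b~_{n+1}||, ||B~||)."""
    n = len(f)
    d = [abs(evaluate(f, z)) ** 2 + abs(evaluate(g, z)) ** 2 for z in ring_roots(n)]
    norm_fg = math.sqrt(sum(c * c for c in f) + sum(c * c for c in g))
    norm_last = q * math.sqrt(sum(1.0 / dk for dk in d) / n)
    return norm_fg, norm_last, max(norm_fg, norm_last)

def slide_approximation(f, g, q):
    """The slide's estimate ||B~|| ~ max(||(f,g)||, 1.17^2 q / ||(f,g)||)."""
    norm_fg = math.sqrt(sum(c * c for c in f) + sum(c * c for c in g))
    return max(norm_fg, 1.17 ** 2 * q / norm_fg)

def sigma_thresholds(gs_norm, lam):
    """Smallest sigma under the SD bound [GPV, DNa] and under the KL bound;
    the KL bound is exactly a factor sqrt(2) smaller."""
    sd = math.sqrt(lam * math.log(2) / (2 * math.pi ** 2)) * gs_norm
    return sd, sd / math.sqrt(2)

# --- cross-check on a tiny basis where F and G are known explicitly ---------
def negacyclic_rows(p, n):
    """Coefficient vectors of x^i * p in Z[x]/(x^n+1), i = 0..n-1."""
    rows, cur = [], list(p)
    for _ in range(n):
        rows.append(list(cur))
        cur = [-cur[-1]] + cur[:-1]        # multiply by x, x^n -> -1
    return rows

def ring_mul_z(a, b):
    """Product in Z[x]/(x^n+1) as a combination of the shifts of a."""
    n, rows = len(a), negacyclic_rows(a, len(a))
    return [sum(b[i] * rows[i][j] for i in range(n)) for j in range(n)]

def is_ntru_basis(f, g, F, G, q):
    """Check the NTRU equation f*G - g*F = q from the slide."""
    prod = [x - y for x, y in zip(ring_mul_z(f, G), ring_mul_z(g, F))]
    return prod == [q] + [0] * (len(f) - 1)

def ntru_basis(f, g, F, G):
    """Rows (x^i g, -x^i f) and (x^i G, -x^i F) of the 2n x 2n basis."""
    n = len(f)
    neg = lambda p: [-c for c in p]
    top = [r1 + r2 for r1, r2 in zip(negacyclic_rows(g, n), negacyclic_rows(neg(f), n))]
    bot = [r1 + r2 for r1, r2 in zip(negacyclic_rows(G, n), negacyclic_rows(neg(F), n))]
    return top + bot

def gs_norm_exact(basis):
    """Exact Gram-Schmidt with Fractions; returns max_i ||b~_i||."""
    rows = [[Fraction(c) for c in row] for row in basis]
    gs, best = [], Fraction(0)
    for b in rows:
        v = list(b)
        for u in gs:
            mu = sum(x * y for x, y in zip(b, u)) / sum(y * y for y in u)
            v = [x - mu * y for x, y in zip(v, u)]
        gs.append(v)
        best = max(best, sum(x * x for x in v))
    return math.sqrt(best)

def demo(n=128, q=1 << 27, lam=192, seed=1):
    """Constructed (f, g) with ||(f,g)|| near 1.17*sqrt(q); compare the exact
    Gram-Schmidt norm with the slide's approximation and derive both sigmas."""
    rng = random.Random(seed)
    std = 1.17 * math.sqrt(q) / math.sqrt(2 * n)
    f = [round(rng.gauss(0, std)) for _ in range(n)]
    g = [round(rng.gauss(0, std)) for _ in range(n)]
    norm_fg, _, gs = gs_norm_ntru(f, g, q)
    sd, kl = sigma_thresholds(gs, lam)
    return {"norm_fg": norm_fg, "gs_norm": gs,
            "slide_approx": slide_approximation(f, g, q),
            "sigma_sd": sd, "sigma_kl": kl}

if __name__ == "__main__":
    print(demo())
```

For the toy basis the exact Gram-Schmidt and the closed form both give $\|\tilde{B}\| = 7/\sqrt{3}$, and `sigma_thresholds` makes the gain of slide 16 concrete: for the same $\|\tilde{B}\|$ the KL bound allows a standard deviation $\sqrt{2}$ times smaller than the statistical-distance bound, which is what lets the scheme keep $q \approx 2^{27}$ at $\lambda = 192$.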
Implementation and comparison with a pairing-based IBE (slide 17/21)

  Scheme        This paper               BF-192
  Parameters    2n = 2048, q ≈ 2^27      log p = 640, k log p = 7680
  User Key      27 kbits                 0.62 kbits
  Ciphertexts   30 kbits                 15 kbits
  Extract       32.7 ms                  3.3 ms
  Encrypt       0.033 ms                 38.7 ms
  Decrypt       0.012 ms                 32.7 ms

Implementation (1) in C++ with NFLlib (2) [ABFK]. Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192.
(1) Material: Intel Core i5-3210M 2.5 GHz and 6 GB RAM. (2) NTT-based Fast Lattice library (only for Encrypt/Decrypt).

Implementation and comparison with a pairing-based IBE (slide 18/21)

Same table as above. For 192 bits of security:
  Extract: 10× slower
  Encrypt: 1200× faster
  Decrypt: 2700× faster
Implementation and comparison with a pairing-based IBE (slide 19/21)

  Scheme        This paper               BF-128
  Parameters    2n = 2048, q ≈ 2^27      log p = 256, k log p = 3072
  User Key      27 kbits                 0.25 kbits
  Ciphertexts   30 kbits                 3 kbits
  Extract       32.7 ms                  0.52 ms
  Encrypt       0.033 ms                 7.21 ms
  Decrypt       0.012 ms                 4.78 ms

192 bits of security for us, 128 for Boneh-Franklin:
  Extract: 60× slower
  Encrypt: 200× faster
  Decrypt: 400× faster
Thank you! Any questions? (slide 20/21)

ePrint: http://eprint.iacr.org/2014/794
Article and slides: http://www.di.ens.fr/~prest
Implementation: https://github.com/tprest/Lattice-IBE
Contact: lducas[at]eng.ucsd.edu, vadim.lyubashevsky[at]inria.fr, thomas.prest[at]ens.fr
[ABFK] C. Aguilar, J. Barrier, L. Fousse and M.-O. Killijian. Xpire: Private information retrieval for everyone. IACR ePrint XXX, 2014.
[DNa] Léo Ducas and Phong Q. Nguyen. Faster Gaussian lattice sampling using lazy floating-point arithmetic. ASIACRYPT'12.
[DNb] Léo Ducas and Phong Q. Nguyen. Learning a zonotope and more: cryptanalysis of NTRUSign countermeasures. ASIACRYPT'12.
[GGH] Oded Goldreich, Shafi Goldwasser and Shai Halevi. Public-key cryptosystems from lattice reduction problems. CRYPTO'97.
[GPV] Craig Gentry, Chris Peikert and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. STOC'08.
[Gui] Aurore Guillevic. Étude de l'arithmétique des couplages sur les courbes algébriques pour la cryptographie. PhD thesis.
[HHP+] Jeffrey Hoffstein, Nick Howgrave-Graham, Jill Pipher, Joseph H. Silverman and William Whyte. NTRUSign: digital signatures using the NTRU lattice. CT-RSA'03.
[LPR] Vadim Lyubashevsky, Chris Peikert and Oded Regev. A toolkit for ring-LWE cryptography. EUROCRYPT'13.
[NR] Phong Q. Nguyen and Oded Regev. Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures. EUROCRYPT'06.
Thomas Pöppelmann, Léo Ducas and Tim Güneysu. Enhanced lattice-based signatures on reconfigurable hardware. CHES'14.
[SS] Damien Stehlé and Ron Steinfeld. Making NTRU as secure as worst-case problems over ideal lattices. EUROCRYPT'11.
(slide 21/21)
From a signature scheme to an IBE scheme
Keygen
SK larr[g Gminusf minusF
]PK larr h
Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Sign
t larr H(m)
Sign(m) =
[s1
s2
]st s1 + s2 lowast h = t
13 21
From a signature scheme to an IBE scheme
Setup
MSK larr[g Gminusf minusF
]MPK larr h
Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract
t larr H(id)
SKid =
[s1
s2
]st s1 + s2 lowast h = t
[LPR] Encryptu larr r lowast h + e1
v larr r lowast t + e2 +lfloor
q2
rfloormiddot b
[LPR] Decrypt
v minus u lowast s2 =lfloor
q2
rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸
infin small
14 21
From a signature scheme to an IBE scheme
Setup
MSK larr[g Gminusf minusF
]MPK larr h
Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract
t larr H(id)
SKid =
[s1
s2
]st s1 + s2 lowast h = t
[LPR] Encryptu larr r lowast h + e1
v larr r lowast t + e2 +lfloor
q2
rfloormiddot b
[LPR] Decrypt
v minus u lowast s2 =lfloor
q2
rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸
infin small
14 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot BB
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
KL-Divergence + optimal NTRU bases
Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler
[GPV DNa] rarr If σ gtradic
λ ln 22π2 middot B then SD(PQ) 6 2minusλ
Our results rarr If σ gt 1radic2
radicλ ln 22π2 middot 117
radicq then DKL(PQ) 6 2minusλ
16 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-192
Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680
User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms
Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192
1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)
17 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-192
Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680
User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms
For 192 bits of security
Extract 10times slower
Encrypt 1200times faster
Decrypt 2700times faster
18 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-128
Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072
User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms
192 bits of security for us 128 for Boneh-Franklin
Extract 60times slower
Encrypt 200times faster
Decrypt 400times faster
19 21
Thank you Any questions
ePrint httpeprintiacrorg2014794
Article and slides httpwwwdiensfr~prest
Implementation httpsgithubcomtprestLattice-IBE
Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr
20 21
C Aguilar J Barrier L Fousse and MO Killijian
Xpire Private information retrieval for everyone IACR eprint XXX2014
Leo Ducas and Phong Q Nguyen
Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12
Leo Ducas and Phong Q Nguyen
Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12
Oded Goldreich Shafi Goldwasser and Shai Halevi
Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97
Craig Gentry Chris Peikert and Vinod Vaikuntanathan
Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08
Aurore Guillevic
Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis
Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte
Ntrusign digital signatures using the ntru lattice CT-RSArsquo03
Vadim Lyubashevsky Chris Peikert and Oded Regev
A toolkit for ring-lwe cryptography EUROCRYPTrsquo13
Phong Q Nguyen and Oded Regev
Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06
Thomas Poppelmann Leo Ducas and Tim Guneysu
Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14
Damien Stehle and Ron Steinfeld
Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21
From a signature scheme to an IBE scheme
Setup
MSK larr[g Gminusf minusF
]MPK larr h
Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract
t larr H(id)
SKid =
[s1
s2
]st s1 + s2 lowast h = t
[LPR] Encryptu larr r lowast h + e1
v larr r lowast t + e2 +lfloor
q2
rfloormiddot b
[LPR] Decrypt
v minus u lowast s2 =lfloor
q2
rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸
infin small
14 21
From a signature scheme to an IBE scheme
Setup
MSK larr[g Gminusf minusF
]MPK larr h
Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract
t larr H(id)
SKid =
[s1
s2
]st s1 + s2 lowast h = t
[LPR] Encryptu larr r lowast h + e1
v larr r lowast t + e2 +lfloor
q2
rfloormiddot b
[LPR] Decrypt
v minus u lowast s2 =lfloor
q2
rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸
infin small
14 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot BB
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
KL-Divergence + optimal NTRU bases
Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler
[GPV DNa] rarr If σ gtradic
λ ln 22π2 middot B then SD(PQ) 6 2minusλ
Our results rarr If σ gt 1radic2
radicλ ln 22π2 middot 117
radicq then DKL(PQ) 6 2minusλ
16 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-192
Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680
User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms
Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192
1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)
17 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-192
Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680
User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms
For 192 bits of security
Extract 10times slower
Encrypt 1200times faster
Decrypt 2700times faster
18 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-128
Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072
User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms
192 bits of security for us 128 for Boneh-Franklin
Extract 60times slower
Encrypt 200times faster
Decrypt 400times faster
19 21
Thank you Any questions
ePrint httpeprintiacrorg2014794
Article and slides httpwwwdiensfr~prest
Implementation httpsgithubcomtprestLattice-IBE
Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr
20 21
C Aguilar J Barrier L Fousse and MO Killijian
Xpire Private information retrieval for everyone IACR eprint XXX2014
Leo Ducas and Phong Q Nguyen
Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12
Leo Ducas and Phong Q Nguyen
Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12
Oded Goldreich Shafi Goldwasser and Shai Halevi
Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97
Craig Gentry Chris Peikert and Vinod Vaikuntanathan
Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08
Aurore Guillevic
Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis
Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte
Ntrusign digital signatures using the ntru lattice CT-RSArsquo03
Vadim Lyubashevsky Chris Peikert and Oded Regev
A toolkit for ring-lwe cryptography EUROCRYPTrsquo13
Phong Q Nguyen and Oded Regev
Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06
Thomas Poppelmann Leo Ducas and Tim Guneysu
Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14
Damien Stehle and Ron Steinfeld
Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21
From a signature scheme to an IBE scheme
Setup
MSK larr[g Gminusf minusF
]MPK larr h
Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract
t larr H(id)
SKid =
[s1
s2
]st s1 + s2 lowast h = t
[LPR] Encryptu larr r lowast h + e1
v larr r lowast t + e2 +lfloor
q2
rfloormiddot b
[LPR] Decrypt
v minus u lowast s2 =lfloor
q2
rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸
infin small
14 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot BB
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
KL-Divergence + optimal NTRU bases
Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler
[GPV DNa] rarr If σ gtradic
λ ln 22π2 middot B then SD(PQ) 6 2minusλ
Our results rarr If σ gt 1radic2
radicλ ln 22π2 middot 117
radicq then DKL(PQ) 6 2minusλ
16 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-192
Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680
User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms
Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192
1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)
17 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-192
Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680
User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms
For 192 bits of security
Extract 10times slower
Encrypt 1200times faster
Decrypt 2700times faster
18 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-128
Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072
User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms
192 bits of security for us 128 for Boneh-Franklin
Extract 60times slower
Encrypt 200times faster
Decrypt 400times faster
19 21
Thank you Any questions
ePrint httpeprintiacrorg2014794
Article and slides httpwwwdiensfr~prest
Implementation httpsgithubcomtprestLattice-IBE
Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr
20 21
C Aguilar J Barrier L Fousse and MO Killijian
Xpire Private information retrieval for everyone IACR eprint XXX2014
Leo Ducas and Phong Q Nguyen
Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12
Leo Ducas and Phong Q Nguyen
Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12
Oded Goldreich Shafi Goldwasser and Shai Halevi
Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97
Craig Gentry Chris Peikert and Vinod Vaikuntanathan
Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08
Aurore Guillevic
Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis
Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte
Ntrusign digital signatures using the ntru lattice CT-RSArsquo03
Vadim Lyubashevsky Chris Peikert and Oded Regev
A toolkit for ring-lwe cryptography EUROCRYPTrsquo13
Phong Q Nguyen and Oded Regev
Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06
Thomas Poppelmann Leo Ducas and Tim Guneysu
Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14
Damien Stehle and Ron Steinfeld
Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot BB
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
KL-Divergence + optimal NTRU bases
Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler
[GPV DNa] rarr If σ gtradic
λ ln 22π2 middot B then SD(PQ) 6 2minusλ
Our results rarr If σ gt 1radic2
radicλ ln 22π2 middot 117
radicq then DKL(PQ) 6 2minusλ
16 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-192
Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680
User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms
Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192
1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)
17 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-192
Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680
User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms
For 192 bits of security
Extract 10times slower
Encrypt 1200times faster
Decrypt 2700times faster
18 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-128
Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072
User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms
192 bits of security for us 128 for Boneh-Franklin
Extract 60times slower
Encrypt 200times faster
Decrypt 400times faster
19 21
Thank you Any questions
ePrint httpeprintiacrorg2014794
Article and slides httpwwwdiensfr~prest
Implementation httpsgithubcomtprestLattice-IBE
Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr
20 21
C Aguilar J Barrier L Fousse and MO Killijian
Xpire Private information retrieval for everyone IACR eprint XXX2014
Leo Ducas and Phong Q Nguyen
Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12
Leo Ducas and Phong Q Nguyen
Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12
Oded Goldreich Shafi Goldwasser and Shai Halevi
Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97
Craig Gentry Chris Peikert and Vinod Vaikuntanathan
Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08
Aurore Guillevic
Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis
Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte
Ntrusign digital signatures using the ntru lattice CT-RSArsquo03
Vadim Lyubashevsky Chris Peikert and Oded Regev
A toolkit for ring-lwe cryptography EUROCRYPTrsquo13
Phong Q Nguyen and Oded Regev
Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06
Thomas Poppelmann Leo Ducas and Tim Guneysu
Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14
Damien Stehle and Ron Steinfeld
Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot BB
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
KL-Divergence + optimal NTRU bases
Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler
[GPV DNa] rarr If σ gtradic
λ ln 22π2 middot B then SD(PQ) 6 2minusλ
Our results rarr If σ gt 1radic2
radicλ ln 22π2 middot 117
radicq then DKL(PQ) 6 2minusλ
16 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-192
Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680
User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms
Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192
1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)
17 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-192
Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680
User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms
For 192 bits of security
Extract 10times slower
Encrypt 1200times faster
Decrypt 2700times faster
18 21
Implementation and comparison with a pairing-based IBE
Scheme This paper BF-128
Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072
User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms
192 bits of security for us 128 for Boneh-Franklin
Extract 60times slower
Encrypt 200times faster
Decrypt 400times faster
19 21
Thank you Any questions
ePrint httpeprintiacrorg2014794
Article and slides httpwwwdiensfr~prest
Implementation httpsgithubcomtprestLattice-IBE
Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr
20 21
C Aguilar J Barrier L Fousse and MO Killijian
Xpire Private information retrieval for everyone IACR eprint XXX2014
Leo Ducas and Phong Q Nguyen
Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12
Leo Ducas and Phong Q Nguyen
Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12
Oded Goldreich Shafi Goldwasser and Shai Halevi
Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97
Craig Gentry Chris Peikert and Vinod Vaikuntanathan
Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08
Aurore Guillevic
Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis
Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte
Ntrusign digital signatures using the ntru lattice CT-RSArsquo03
Vadim Lyubashevsky Chris Peikert and Oded Regev
A toolkit for ring-lwe cryptography EUROCRYPTrsquo13
Phong Q Nguyen and Oded Regev
Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06
Thomas Poppelmann Leo Ducas and Tim Guneysu
Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14
Damien Stehle and Ron Steinfeld
Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21
Optimal NTRU bases
Which NTRU lattices should we use for signature (or IBE)
NTRUEncrypt
(f g) minimal
(f g)
(F G )
(f g)
(F G )
Our paper
(f g) asymp 117radicq
B
B
σ gt 1radic2
radicλ ln 22π2 middot B
B
[SS]
(f g) gt 2nradicq
B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B
For NTRU lattices B asymp max((f g) (117)2q(f g) )
rArr B is minimal for (f g) asymp 117radicq
15 21
KL-Divergence + optimal NTRU bases
Let $P$ be the perfect discrete Gaussian and $Q$ the output of the Gaussian sampler.
[GPV, DNa] → If $\sigma > \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde{B}\|$ then $\mathrm{SD}(P,Q) \le 2^{-\lambda}$.
Our results → If $\sigma > \frac{1}{\sqrt{2}} \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot 1.17\sqrt{q}$ then $D_{\mathrm{KL}}(P \| Q) \le 2^{-\lambda}$.
16 / 21
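Why the KL argument buys the 1/√2 on σ, shown numerically with added example code (not from the paper or its implementation): a sampler whose output probabilities each carry a relative error δ sits about δ away from the perfect discrete Gaussian in statistical distance but only about δ² away in KL divergence, so the same sampler earns roughly twice the λ under KL, and halving λ inside the square root of the [GPV, DNa] bound is exactly the 1/√2 factor. The alternating-sign error model and σ = 3 are constructed for the demonstration; sigma_bound assumes ‖B̃‖ = 1.17√q as on the slide.

```python
import math

LN2 = math.log(2.0)


def discrete_gaussian(sigma, tail=12):
    """Perfect discrete Gaussian D_{Z,sigma} (the distribution P on the slide),
    tabulated on |x| <= tail*sigma; the mass cut off beyond that is negligible."""
    t = int(math.ceil(tail * sigma))
    w = {x: math.exp(-x * x / (2.0 * sigma * sigma)) for x in range(-t, t + 1)}
    z = sum(w.values())
    return {x: v / z for x, v in w.items()}


def perturbed_sampler(P, delta):
    """Constructed model of an imperfect sampler Q: every probability of P is
    off by a relative error of exactly delta (sign alternating with x), then
    renormalised, as a finite-precision table-based sampler would be."""
    Q = {x: p * (1.0 + delta * (1 if x % 2 == 0 else -1)) for x, p in P.items()}
    z = sum(Q.values())
    return {x: q / z for x, q in Q.items()}


def statistical_distance(P, Q):
    """SD(P,Q) = 1/2 * sum |P(x) - Q(x)|."""
    return 0.5 * sum(abs(P[x] - Q[x]) for x in P)


def kl_divergence(P, Q):
    """D_KL(P||Q) = sum P(x) ln(P(x)/Q(x)); infinite if Q misses part of supp(P)."""
    total = 0.0
    for x, p in P.items():
        if p == 0.0:
            continue
        q = Q.get(x, 0.0)
        if q == 0.0:
            return math.inf
        total += p * math.log(p / q)
    return total


def security_bits(distance):
    """Largest lambda such that distance <= 2^-lambda."""
    return -math.log2(distance)


def compare(sigma, precision_bits):
    """Bits of security the same sampler gets under the SD and the KL argument.
    With relative error delta = 2^-precision_bits: SD ~ delta/2, KL ~ delta^2/2,
    so the SD argument yields precision_bits+1 and the KL argument 2*precision_bits+1."""
    P = discrete_gaussian(sigma)
    Q = perturbed_sampler(P, 2.0 ** -precision_bits)
    return security_bits(statistical_distance(P, Q)), security_bits(kl_divergence(P, Q))


def sigma_bound(lam, q, kl=True):
    """Sigma thresholds from the slide for an NTRU basis with ||B~|| = 1.17 sqrt(q):
    SD argument: sqrt(lambda ln 2 / (2 pi^2)) * 1.17 sqrt(q);
    KL argument: the same divided by sqrt(2) (lambda inside the root is halved)."""
    base = math.sqrt(lam * LN2 / (2.0 * math.pi ** 2)) * 1.17 * math.sqrt(q)
    return base / math.sqrt(2.0) if kl else base


if __name__ == "__main__":
    for bits in (8, 12, 16):
        sd_bits, kl_bits = compare(3.0, bits)
        print(f"{bits}-bit sampler error: SD gives {sd_bits:.1f} bits, KL gives {kl_bits:.1f} bits")
    print(f"sigma for lambda=192, q=2^27: SD bound {sigma_bound(192, 2**27, kl=False):.0f}, "
          f"KL bound {sigma_bound(192, 2**27):.0f}")
```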
Implementation and comparison with a pairing-based IBE
Scheme      | This paper                 | BF-192
Parameters  | 2n = 2048, q ≈ 2^27        | log p = 640, k log p = 7680
User key    | 27 kbits                   | 0.62 kbits
Ciphertexts | 30 kbits                   | 15 kbits
Extract     | 32.7 ms                    | 3.3 ms
Encrypt     | 0.033 ms                   | 38.7 ms
Decrypt     | 0.012 ms                   | 32.7 ms
Implementation¹ in C++ with NFLlib² [ABFK]. Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192.
¹ Material: Intel Core i5-3210M 2.5 GHz and 6 GB RAM.
² NTT-based Fast Lattice library (only for Encrypt, Decrypt).
17 / 21
Implementation and comparison with a pairing-based IBE
(Same comparison table as on slide 17: this paper vs BF-192.)
For 192 bits of security:
Extract: 10× slower
Encrypt: 1200× faster
Decrypt: 2700× faster
18 / 21
Implementation and comparison with a pairing-based IBE
Scheme      | This paper                 | BF-128
Parameters  | 2n = 2048, q ≈ 2^27        | log p = 256, k log p = 3072
User key    | 27 kbits                   | 0.25 kbits
Ciphertexts | 30 kbits                   | 3 kbits
Extract     | 32.7 ms                    | 0.52 ms
Encrypt     | 0.033 ms                   | 7.21 ms
Decrypt     | 0.012 ms                   | 4.78 ms
192 bits of security for us, 128 for Boneh-Franklin:
Extract: 60× slower
Encrypt: 200× faster
Decrypt: 400× faster
19 / 21
Thank you! Any questions?
ePrint: http://eprint.iacr.org/2014/794
Article and slides: http://www.di.ens.fr/~prest
Implementation: https://github.com/tprest/Lattice-IBE
Contact: lducas[at]eng.ucsd.edu, vadim.lyubashevsky[at]inria.fr, thomas.prest[at]ens.fr
20 / 21
References
[ABFK] C. Aguilar, J. Barrier, L. Fousse, and M.-O. Killijian. Xpire: Private information retrieval for everyone. IACR ePrint XXX/2014.
[DNa] Léo Ducas and Phong Q. Nguyen. Faster Gaussian lattice sampling using lazy floating-point arithmetic. ASIACRYPT '12.
[DNb] Léo Ducas and Phong Q. Nguyen. Learning a zonotope and more: cryptanalysis of NTRUSign countermeasures. ASIACRYPT '12.
[GGH] Oded Goldreich, Shafi Goldwasser, and Shai Halevi. Public-key cryptosystems from lattice reduction problems. CRYPTO '97.
[GPV] Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. STOC '08.
[Gui] Aurore Guillevic. Étude de l'arithmétique des couplages sur les courbes algébriques pour la cryptographie [Study of the arithmetic of pairings on algebraic curves for cryptography]. PhD thesis.
[HHP+] Jeffrey Hoffstein, Nick Howgrave-Graham, Jill Pipher, Joseph H. Silverman, and William Whyte. NTRUSign: digital signatures using the NTRU lattice. CT-RSA '03.
Vadim Lyubashevsky, Chris Peikert, and Oded Regev. A toolkit for ring-LWE cryptography. EUROCRYPT '13.
[NR] Phong Q. Nguyen and Oded Regev. Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures. EUROCRYPT '06.
Thomas Pöppelmann, Léo Ducas, and Tim Güneysu. Enhanced lattice-based signatures on reconfigurable hardware. CHES '14.
[SS] Damien Stehlé and Ron Steinfeld. Making NTRU as secure as worst-case problems over ideal lattices. EUROCRYPT '11.
21 / 21