Efficient Identity-Based Encryption using NTRU Lattices

Léo Ducas, Vadim Lyubashevsky and Thomas Prest

December 10, 2014

Identity-based encryption (IBE)

Figure: a "regular" PKI next to an identity-based encryption scheme. Left (regular PKI): Alice publishes $\mathrm{PK}_A$, the authority Carol certifies it as $\mathrm{Sign}_{\mathrm{SK}_C}(\mathrm{PK}_A)$, Alice passes $\mathrm{PK}_A$ and the certificate on to Bob, and Bob sends $E_{\mathrm{PK}_A}(m)$. Right (IBE): Carol derives $\mathrm{SK}_{\mathrm{Alice}}$ from the identity string "Alice" and gives it to Alice; Bob encrypts directly to the identity, $E_{\mathrm{Alice}}(m)$.

[GPV]: Signature scheme ⇒ IBE

Figure: (1) a signature scheme: Carol holds the signing key and produces $\mathrm{Sign}(m)$ for Alice. (2) The IBE built from it: Alice's user secret key is $\mathrm{SK}_A \approx \mathrm{Sign}(\mathrm{Alice})$, Carol's signature on the identity string "Alice", and Bob encrypts to the identity as $E_{\mathrm{Alice}}(m)$.


1. Gaussian Sampling and KL-Divergence
2. An IBE scheme over NTRU lattices

A signature scheme: GGH/NTRUSign [GGH, HHP+]

Figure: the hash $H(m)$ and the lattice point $\mathrm{Sign}(m)$ next to it; only one possible signature.

How to sign $m$ with a short basis $B$ of a lattice $\Lambda \supset q\mathbb{Z}^n$:
1. $H(m) \leftarrow \mathbb{Z}_q^n$ (uniformly at random)
2. $\mathrm{Sign}(m) \leftarrow$ a point $v \in \Lambda$ such that $v - H(m)$ is small

What GGH/NTRUSign does

Figure: only one possible signature, the unique lattice point in the parallelepiped around $H(m)$.

1. $H(m) \leftarrow \mathbb{Z}_q^n$ (uniformly at random)
2. Take the fundamental parallelepiped of $B$ centered over $H(m)$
3. $\mathrm{Sign}(m) \leftarrow$ the (unique) point of $\Lambda$ inside that parallelepiped

Information leakage in GGH/NTRUSign

Figure: the distribution of the differences $H(m_i) - \mathrm{Sign}(m_i)$ fills the fundamental parallelepiped of the secret basis.

One can recover the short basis [NR].
Countermeasures are ineffective [DNb].

Solution: randomize the signature [GPV]

Figure: Gaussian sampling, several possible signatures around $H(m)$.

No more information leakage [GPV].
The larger the standard deviation $\sigma$, the looser the security (longer signatures make the underlying short-vector problem easier).
If $\sigma$ is too small, the simulated Gaussian leaks the basis again.


Distinguishing two distributions

Figure: an algorithm sends $q$ queries to an oracle for $P$ (resp. $Q$), receives $q$ answers and outputs 0 or 1. Are $P$ and $Q$ indistinguishable? In our case $P$ = perfect Gaussian, $Q$ = simulated Gaussian from [GPV].

Let the algorithm $\mathcal{A}^P$ make at most $q$ queries to $P$ and output a bit. Let $x$ (resp. $y$) be the probability that $\mathcal{A}^P$ (resp. $\mathcal{A}^Q$) outputs 1.

If $\mathrm{SD}(P, Q) \le \delta$ then $|x - y| \le q\delta$.

If $D_{\mathrm{KL}}(P, Q) \le \delta$ then $|x - y| \le \sqrt{q\delta/2}$ [PDG].

⇒ We can replace Statistical Distance with KL-Divergence.


Statistical Distance or KL-Divergence?

Figure: the "best" measure depends on the distributions.

Let $P$ be the perfect Gaussian of standard deviation $\sigma$ and $Q$ the output of the Gaussian sampler.

[GPV, DNa] → If $\sigma > \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde{B}\|$ then $\mathrm{SD}(P, Q) \le 2^{-\lambda}$.

Our results → If $\sigma > \frac{1}{\sqrt{2}} \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde{B}\|$ then $D_{\mathrm{KL}}(P, Q) \le 2^{-\lambda}$.
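Added example (my code, not code from the paper or its implementation) checking the two facts behind the distinguishing lemma above on a toy pair of distributions. $P$ is an ideal discrete Gaussian on $\mathbb{Z}$ (support cut at $20\sigma$ only to make it finite); $Q$ is a tail-cut version that stops at $\tau\sigma$ and renormalizes, my stand-in for an imperfect sampler (an assumption: the slide's $Q$ is the output of the [GPV] sampler, whose distribution is not this simple). Over $q$ independent samples, SD grows at most like $q\delta$ while KL is exactly additive, and Pinsker's inequality $\mathrm{SD} \le \sqrt{D_{\mathrm{KL}}/2}$ turns the latter into the $\sqrt{q\delta/2}$ bound. It also shows a caveat the slide does not mention: KL is asymmetric and is infinite as soon as the first argument puts mass where the second does not, so for a tail-cut sampler only $D_{\mathrm{KL}}(Q \,\|\, P)$ is finite. `sigma_sd` and `sigma_kl` encode the two $\sigma$ thresholds just above with $\|\tilde{B}\|$ as an input.

```python
"""Statistical distance vs. KL divergence over q independent samples.

Added example, not code from the paper.  P = ideal discrete Gaussian on Z
(support |z| <= 20 sigma, which is finite only for the computation);
Q = tail-cut P restricted to |z| <= tau*sigma (assumption: our stand-in
for an imperfect sampler).
"""
import math
from itertools import product


def discrete_gaussian(sigma, half_width):
    """P(z) proportional to exp(-z^2 / (2 sigma^2)) for integers |z| <= half_width."""
    w = {z: math.exp(-z * z / (2 * sigma * sigma))
         for z in range(-half_width, half_width + 1)}
    total = sum(w.values())
    return {z: p / total for z, p in w.items()}


def tail_cut(dist, bound):
    """Restrict dist to |z| <= bound and renormalise (the imperfect sampler)."""
    w = {z: p for z, p in dist.items() if abs(z) <= bound}
    total = sum(w.values())
    return {z: p / total for z, p in w.items()}


def sd(p, q):
    """Statistical distance (1/2) * sum |p - q| over the union of supports."""
    return 0.5 * sum(abs(p.get(z, 0.0) - q.get(z, 0.0)) for z in set(p) | set(q))


def kl(p, q):
    """D_KL(p || q) = sum p ln(p/q) in nats; +inf if supp(p) is not inside supp(q)."""
    total = 0.0
    for z, pz in p.items():
        if pz == 0.0:
            continue
        qz = q.get(z, 0.0)
        if qz == 0.0:
            return math.inf
        total += pz * math.log(pz / qz)
    return total


def power(dist, k):
    """Distribution of k independent samples, keyed by k-tuples."""
    return {zs: math.prod(dist[z] for z in zs) for zs in product(dist, repeat=k)}


def sigma_sd(lam, gs_norm):
    """Width needed for SD(P, Q) <= 2^-lam, the [GPV, DNa] condition."""
    return math.sqrt(lam * math.log(2) / (2 * math.pi ** 2)) * gs_norm


def sigma_kl(lam, gs_norm):
    """Width needed for D_KL(P, Q) <= 2^-lam: a factor sqrt(2) smaller."""
    return sigma_sd(lam, gs_norm) / math.sqrt(2)


def compare(sigma=1.5, tau=3.0, queries=3):
    """One-sample and q-sample distances, plus the bounds each one implies."""
    ideal = discrete_gaussian(sigma, int(20 * sigma))
    cut = tail_cut(ideal, int(tau * sigma))
    out = {"kl_ideal_vs_cut": kl(ideal, cut)}     # infinite: support mismatch
    sd1, kl1 = sd(ideal, cut), kl(cut, ideal)      # finite direction only
    ideal_q, cut_q = power(ideal, queries), power(cut, queries)
    sd_q, kl_q = sd(ideal_q, cut_q), kl(cut_q, ideal_q)
    out.update(sd1=sd1, kl1=kl1, sd_q=sd_q, kl_q=kl_q,
               sd_bound=queries * sd1,                  # q * delta
               kl_bound=math.sqrt(queries * kl1 / 2))   # sqrt(q * delta / 2)
    return out
```

With the defaults, `compare()` reports a one-sample SD and KL both close to the cut tail mass (about $2 \cdot 10^{-3}$), a three-sample KL that is exactly three times the one-sample value, and a three-sample SD below both bounds; swapping the arguments of `kl` gives infinity, which is the reason the order of $P$ and $Q$ must be fixed before invoking the lemma.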


Practical impact of KL-Divergence

Figure: sizes of the signatures, with statistical distance versus with KL-divergence.

Smaller signatures. Gain for free.

1. Gaussian Sampling and KL-Divergence
2. An IBE scheme over NTRU lattices

From a signature scheme to an IBE scheme

Keygen:
$$\mathrm{SK} \leftarrow \begin{bmatrix} g & -f \\ G & -F \end{bmatrix}, \qquad \mathrm{PK} \leftarrow h,$$
where $f * G - g * F = q$ and $h = g * f^{-1} \bmod q$ (NTRU basis).

Sign:
$$t \leftarrow H(m), \qquad \mathrm{Sign}(m) = \begin{bmatrix} s_1 \\ s_2 \end{bmatrix} \text{ such that } s_1 + s_2 * h = t.$$
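Added example (my code, not the paper's or the Lattice-IBE implementation's) that builds the NTRU basis of the Keygen above and produces a preimage $(s_1, s_2)$ with $s_1 + s_2 * h = t$. Two deliberate simplifications, both assumptions of this example only: the parameters $n = 8$, $q = 257$ and coefficients in $[-6, 6]$ are toy values with no security, and the preimage is found by Babai round-off on the secret basis, i.e. the deterministic, leaky GGH/NTRUSign signing of the earlier slides, not the Gaussian sampler of [GPV] that the paper uses. $(F, G)$ are completed resultant-style ($f \cdot \rho_f = d_f$, $g \cdot \rho_g = d_g$, Bézout on $d_f, d_g$) and then size-reduced against $(f, g)$. `demo` checks $f * G - g * F = q$, that both basis rows lie in the lattice $\{(u, v) : u + h * v \equiv 0 \bmod q\}$, that the preimage verifies, and that its norm respects the bound $\frac{n}{2}(\|(f,g)\| + \|(F,G)\|)$ that round-off inside the fundamental parallelepiped guarantees.

```python
# Added toy example, not the paper's code.  R = Z[x]/(x^n+1), polys = lists of n ints.
from fractions import Fraction
import math, random

N, Q = 8, 257   # toy sizes (assumption): far too small to be secure

def mul(a, b):
    """a * b in Z[x]/(x^n + 1), i.e. with x^n = -1."""
    n, out = len(a), [0] * len(a)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                out[i + j] += ai * bj
            else:
                out[i + j - n] -= ai * bj
    return out

def add(a, b): return [x + y for x, y in zip(a, b)]
def sub(a, b): return [x - y for x, y in zip(a, b)]
def scal(k, a): return [k * x for x in a]
def adj(a): return [a[0]] + [-a[-i] for i in range(1, len(a))]   # a(x^-1)
def modq(a, q=Q): return [(x + q // 2) % q - q // 2 for x in a]  # centred mod q
def norm(*ps): return math.sqrt(sum(c * c for p in ps for c in p))

def inverse_over_q(f):
    """Integer rho, d > 0 with f * rho = d: solve M^T rho = e_0 over Q, M = anticirculant of f."""
    n = len(f)
    rows = [mul([int(j == i) for j in range(n)], f) for i in range(n)]   # row i = x^i * f
    m = [[Fraction(rows[j][i]) for j in range(n)] + [Fraction(int(i == 0))] for i in range(n)]
    for c in range(n):
        p = next(r for r in range(c, n) if m[r][c] != 0)
        m[c], m[p] = m[p], m[c]
        m[c] = [v / m[c][c] for v in m[c]]
        for r in range(n):
            if r != c and m[r][c] != 0:
                m[r] = [v - m[r][c] * w for v, w in zip(m[r], m[c])]
    sol = [m[i][n] for i in range(n)]
    d = math.lcm(*(s.denominator for s in sol))
    return [int(s * d) for s in sol], d

def bezout(a, b):
    """Extended Euclid: (u, v) with u*a + v*b = gcd(a, b)."""
    u0, v0, u1, v1 = 1, 0, 0, 1
    while b:
        t, a, b = a // b, b, a % b
        u0, u1, v0, v1 = u1, u0 - t * u1, v1, v0 - t * v1
    return u0, v0

def ntru_solve(f, g, q=Q):
    """F, G with f*G - g*F = q, size-reduced against (f, g); None if d_f, d_g are not coprime."""
    rho_f, d_f = inverse_over_q(f)      # f * rho_f = d_f
    rho_g, d_g = inverse_over_q(g)      # g * rho_g = d_g
    if math.gcd(d_f, d_g) != 1:
        return None
    u, v = bezout(d_f, d_g)             # u d_f + v d_g = 1
    F, G = scal(-q * v, rho_g), scal(q * u, rho_f)
    rho_d, d_d = inverse_over_q(add(mul(f, adj(f)), mul(g, adj(g))))
    while True:                         # k = round((F f* + G g*) / (f f* + g g*))
        num = add(mul(F, adj(f)), mul(G, adj(g)))
        k = [round(Fraction(c, d_d)) for c in mul(num, rho_d)]
        if not any(k):
            return F, G
        F, G = sub(F, mul(k, f)), sub(G, mul(k, g))

def keygen(seed=1, n=N, q=Q):
    """Secret basis rows (g, -f), (G, -F) and public h = g * f^-1 mod q."""
    rng = random.Random(seed)
    while True:
        f = [rng.randint(-6, 6) for _ in range(n)]
        g = [rng.randint(-6, 6) for _ in range(n)]
        if not (any(f) and any(g)):
            continue
        rho_f, d_f = inverse_over_q(f)
        fg = ntru_solve(f, g, q) if d_f % q else None    # need f invertible mod q
        if fg is not None:
            h = modq(scal(pow(d_f, -1, q), mul(g, rho_f)), q)
            return f, g, fg[0], fg[1], h

def sign_roundoff(t, f, g, F, G, q=Q):
    """Leaky GGH round-off: (t,0) = a(g,-f) + b(G,-F) with a = -tF/q, b = tf/q; s = (t,0) - round(a,b)B."""
    a = [round(Fraction(-c, q)) for c in mul(t, F)]
    b = [round(Fraction(c, q)) for c in mul(t, f)]
    return sub(t, add(mul(a, g), mul(b, G))), add(mul(a, f), mul(b, F))

def demo(seed=1, n=N, q=Q):
    f, g, F, G, h = keygen(seed, n, q)
    rng = random.Random(seed + 99)
    t = [rng.randrange(q) for _ in range(n)]          # stands in for H(m)
    s1, s2 = sign_roundoff(t, f, g, F, G, q)
    in_lattice = lambda u, v: modq(add(u, mul(h, v)), q) == [0] * n   # u + h v = 0 mod q
    return {
        "det_ok": sub(mul(f, G), mul(g, F)) == [q] + [0] * (n - 1),
        "basis_in_lattice": in_lattice(g, scal(-1, f)) and in_lattice(G, scal(-1, F)),
        "valid": modq(sub(add(s1, mul(s2, h)), t), q) == [0] * n,     # s1 + s2 h = t
        "sig_norm": norm(s1, s2),
        "parallelepiped_bound": n * (norm(f, g) + norm(F, G)) / 2,  # |round error| <= 1/2 per basis vector
        "target_norm": norm(t),
    }
```

Because round-off always returns the same point for the same $t$, `sig_norm` is also a sample of exactly the distribution that [NR] learns the parallelepiped from; replacing `sign_roundoff` by a Gaussian sampler over the same basis is what the paper's Extract does.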

From a signature scheme to an IBE scheme

Setup:
$$\mathrm{MSK} \leftarrow \begin{bmatrix} g & -f \\ G & -F \end{bmatrix}, \qquad \mathrm{MPK} \leftarrow h,$$
where $f * G - g * F = q$ and $h = g * f^{-1} \bmod q$ (NTRU basis).

Extract:
$$t \leftarrow H(\mathrm{id}), \qquad \mathrm{SK}_{\mathrm{id}} = \begin{bmatrix} s_1 \\ s_2 \end{bmatrix} \text{ such that } s_1 + s_2 * h = t.$$

Encrypt [LPR] (message bits $b$; $r$, $e_1$, $e_2$ small and random):
$$u \leftarrow r * h + e_1, \qquad v \leftarrow r * t + e_2 + \lfloor q/2 \rfloor \cdot b.$$

Decrypt [LPR]: since $t = s_1 + s_2 * h$,
$$v - u * s_2 = r * (t - h * s_2) + e_2 - e_1 * s_2 + \lfloor q/2 \rfloor \cdot b = \lfloor q/2 \rfloor \cdot b + \underbrace{e_2 + r * s_1 - e_1 * s_2}_{\|\cdot\|_\infty \text{ small}},$$
so rounding each coefficient to the nearer of $0$ and $\lfloor q/2 \rfloor$ recovers $b$.
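Added example (my code, not the paper's or the Lattice-IBE implementation's) exercising the [LPR] Encrypt/Decrypt half of the scheme above and the decryption identity. Assumptions: toy sizes $n = 64$, $q = 12289$ in place of $2n = 2048$, $q \approx 2^{27}$; $h$ is drawn uniformly rather than as $g * f^{-1} \bmod q$, since the decryption identity holds for any $h$; and, because this block carries no trapdoor, Extract is replaced by choosing a short $(s_1, s_2)$ first and defining $t := s_1 + s_2 * h$, the reverse of the real Extract ($t = H(\mathrm{id})$ first, then a Gaussian-sampled short preimage). `fake_extract` shows what anyone can do without the trapdoor, a preimage whose $s_1$ is not short, and `demo` counts how many bits then decrypt wrongly: this is why Extract must return a short preimage and not merely some preimage.

```python
# Added toy example, not the paper's code.  R_q = Z_q[x]/(x^n+1) with n = 64, q = 12289
# (assumption: toy sizes).  h is uniform here (assumption: stands in for the MPK).
import random

N, Q = 64, 12289

def mulq(a, b, q=Q):
    """a * b mod (x^n + 1, q), coefficients centred in (-q/2, q/2]."""
    n, out = len(a), [0] * len(a)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                out[i + j] += ai * bj
            else:
                out[i + j - n] -= ai * bj
    return [(c + q // 2) % q - q // 2 for c in out]

def addq(*polys, q=Q):
    """Coefficient-wise sum mod q, centred."""
    return [(sum(cs) + q // 2) % q - q // 2 for cs in zip(*polys)]

def neg(a):
    return [-c for c in a]

def small(rng, n, bound):
    return [rng.randint(-bound, bound) for _ in range(n)]

def extract_backwards(rng, h, bound=8, q=Q):
    """Toy stand-in for Extract: choose short (s1, s2) FIRST, then t := s1 + s2*h."""
    s1, s2 = small(rng, len(h), bound), small(rng, len(h), bound)
    return addq(s1, mulq(s2, h, q), q=q), s1, s2

def fake_extract(rng, h, t, bound=8, q=Q):
    """Without the trapdoor: short s2, then s1 = t - s2*h, which is NOT short."""
    s2 = small(rng, len(h), bound)
    return addq(t, neg(mulq(s2, h, q)), q=q), s2

def encrypt(rng, h, t, bits, q=Q):
    """[LPR]: u = r*h + e1, v = r*t + e2 + floor(q/2)*b with ternary r, e1, e2."""
    n = len(h)
    r, e1, e2 = small(rng, n, 1), small(rng, n, 1), small(rng, n, 1)
    u = addq(mulq(r, h, q), e1, q=q)
    v = addq(mulq(r, t, q), e2, [(q // 2) * b for b in bits], q=q)
    return u, v, (r, e1, e2)

def decrypt(u, v, s2, q=Q):
    """w = v - u*s2 = floor(q/2)*b + small; decode each coefficient to the nearer of 0, q/2."""
    w = addq(v, neg(mulq(u, s2, q)), q=q)
    return [int(abs(c) > q // 4) for c in w]

def noise(u, v, s1, s2, bits, r, e1, e2, q=Q):
    """Check v - u*s2 - floor(q/2)*b == e2 + r*s1 - e1*s2 and return its infinity norm."""
    lhs = addq(v, neg(mulq(u, s2, q)), [-(q // 2) * b for b in bits], q=q)
    rhs = addq(e2, mulq(r, s1, q), neg(mulq(e1, s2, q)), q=q)
    assert lhs == rhs, "decryption identity violated"
    return max(abs(c) for c in rhs)

def demo(seed=1, n=N, q=Q):
    rng = random.Random(seed)
    h = [rng.randrange(q) for _ in range(n)]
    t, s1, s2 = extract_backwards(rng, h, q=q)
    bits = [rng.randint(0, 1) for _ in range(n)]
    u, v, (r, e1, e2) = encrypt(rng, h, t, bits, q)
    _, bad_s2 = fake_extract(rng, h, t, q=q)     # valid preimage, but its s1 is huge
    return {
        "ok": decrypt(u, v, s2, q) == bits,
        "noise_inf": noise(u, v, s1, s2, bits, r, e1, e2, q),
        "noise_limit": q // 4,                    # decryption is correct below this
        "bad_key_errors": sum(x != y for x, y in zip(decrypt(u, v, bad_s2, q), bits)),
    }
```

With coefficients of $s_1, s_2$ bounded by 8 and ternary $r, e_1, e_2$, the noise term is at most $2 \cdot 64 \cdot 8 + 1 = 1025 < q/4 = 3072$, so decryption never fails; with the trapdoor-less preimage, $r * s_1$ is essentially uniform mod $q$ and about half of the bits come out wrong.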


Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)?

Figure: $\|\tilde{B}\|$ as a function of $\|(f, g)\|$, together with the sampling width $\sigma > \frac{1}{\sqrt{2}} \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde{B}\|$ it imposes. Three regimes are marked: NTRUEncrypt, $\|(f, g)\|$ minimal; our paper, $\|(f, g)\| \approx 1.17\sqrt{q}$; [SS], $\|(f, g)\| > 2n\sqrt{q}$.

$\|\tilde{B}\| = \max_{\tilde{b}_i \in \tilde{B}} \|\tilde{b}_i\|$, where $\tilde{B}$ is the Gram-Schmidt orthogonalization of $B$.

For NTRU lattices, $\|\tilde{B}\| \approx \max\left(\|(f, g)\|,\ \frac{(1.17)^2\, q}{\|(f, g)\|}\right)$.

⇒ $\|\tilde{B}\|$ is minimal for $\|(f, g)\| \approx 1.17\sqrt{q}$.


KL-Divergence + optimal NTRU bases

Let $P$ be the perfect discrete Gaussian and $Q$ the output of the Gaussian sampler.

[GPV, DNa] → If $\sigma > \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde{B}\|$ then $\mathrm{SD}(P, Q) \le 2^{-\lambda}$.

Our results → If $\sigma > \frac{1}{\sqrt{2}} \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot 1.17\sqrt{q}$ then $D_{\mathrm{KL}}(P, Q) \le 2^{-\lambda}$.

Implementation and comparison with a pairing-based IBE

Scheme          This paper              BF-192                          BF-128
Parameters      2n = 2048, q ≈ 2^27     log p = 640, k log p = 7680     log p = 256, k log p = 3072
User key        27 kbits                0.62 kbits                      0.25 kbits
Ciphertexts     30 kbits                15 kbits                        3 kbits
Extract         3.27 ms                 0.33 ms                         0.052 ms
Encrypt         0.033 ms                38.7 ms                         7.21 ms
Decrypt         0.012 ms                32.7 ms                         4.78 ms

Implementation (1) in C++ with NFLlib (2) [ABFK]. Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192 (BF-192) and λ = 128 (BF-128); our parameters give 192 bits of security.

(1) Hardware: Intel Core i5-3210M 2.5 GHz with 6 GB RAM.
(2) NTT-based Fast Lattice library (used only for Encrypt and Decrypt).

For 192 bits of security on both sides (BF-192): Extract 10× slower, Encrypt 1200× faster, Decrypt 2700× faster.

Against BF-128 (192 bits of security for us, 128 for Boneh-Franklin): Extract 60× slower, Encrypt 200× faster, Decrypt 400× faster.

Thank you! Any questions?

ePrint: http://eprint.iacr.org/2014/794
Article and slides: http://www.di.ens.fr/~prest
Implementation: https://github.com/tprest/Lattice-IBE
Contact: lducas[at]eng.ucsd.edu, vadim.lyubashevsky[at]inria.fr, thomas.prest[at]ens.fr

References

[ABFK] C. Aguilar, J. Barrier, L. Fousse and M.-O. Killijian. Xpire: Private information retrieval for everyone. IACR ePrint XXX/2014.
[DNa] Léo Ducas and Phong Q. Nguyen. Faster Gaussian lattice sampling using lazy floating-point arithmetic. ASIACRYPT'12.
[DNb] Léo Ducas and Phong Q. Nguyen. Learning a zonotope and more: cryptanalysis of NTRUSign countermeasures. ASIACRYPT'12.
[GGH] Oded Goldreich, Shafi Goldwasser and Shai Halevi. Public-key cryptosystems from lattice reduction problems. CRYPTO'97.
[GPV] Craig Gentry, Chris Peikert and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. STOC'08.
[Gui] Aurore Guillevic. Étude de l'arithmétique des couplages sur les courbes algébriques pour la cryptographie (Study of pairing arithmetic on algebraic curves for cryptography). PhD thesis.
[HHP+] Jeffrey Hoffstein, Nick Howgrave-Graham, Jill Pipher, Joseph H. Silverman and William Whyte. NTRUSign: digital signatures using the NTRU lattice. CT-RSA'03.
[LPR] Vadim Lyubashevsky, Chris Peikert and Oded Regev. A toolkit for Ring-LWE cryptography. EUROCRYPT'13.
[NR] Phong Q. Nguyen and Oded Regev. Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures. EUROCRYPT'06.
[PDG] Thomas Pöppelmann, Léo Ducas and Tim Güneysu. Enhanced lattice-based signatures on reconfigurable hardware. CHES'14.
[SS] Damien Stehlé and Ron Steinfeld. Making NTRU as secure as worst-case problems over ideal lattices. EUROCRYPT'11.

  • Gaussian Sampling and KL-Divergence
  • An IBE scheme over NTRU lattices
Page 2: Efficient Identity-Based Encryption using NTRU Lattices Identity... · An Identity-based encryption scheme 2/21 [GPV]: Signature scheme =)IBE Alice Carol Sign (m) Sch ema de signature

Identity-based encryption (IBE)

Alice Bob

Carol

PKA SignSKC(PKA)

PKA SignSKC(PKA)

EPKA(m)

A ldquoregularrdquo PKI

Alice Bob

Carol

SKAlice

EAlice(m)

An Identity-based encryption scheme

2 21

[GPV] Signature scheme =rArr IBE

Alice

Carol

Sign(m)

Schema de signature

Alice

Carol

Bob

SKA asymp Sign(Alice)

EAlice(m)

IBE

1 2

3 21

[GPV] Signature scheme =rArr IBE

Alice

Carol

Sign(m)

Schema de signature

Alice

Carol

Bob

SKA asymp Sign(Alice)

EAlice(m)

IBE

1 2

3 21

1 Gaussian Sampling and KL-Divergence

2 An IBE scheme over NTRU lattices

4 21

A signature scheme GGHNTRUSign [GGH HHP+]

H(m)Sign(m)

Figure Only one possible signature

How to sign m with a short basis B of a lattice Λ sup qZn

1 H(m)larr$ Znq

2 Sign(m)larr a point v isin Λ st v minus H(m) is small

5 21

What GGHNTRUSign does

H(m)Sign(m)

Figure Only one possible signature

1 H(m)larr$ Znq

2 Let be the fundamental parallelepiped of B centered over H(m)

3 Sign(m)larr cap Λ6 21

Information leakage in GGHNTRUSign

Figure Distribution of the H(mi )minus sign(mi )

One can recover the short base [NR]

Countermeasures are ineffective [DNb]7 21

Solution randomize the signature [GPV]

Figure Gaussian Sampling several possible signatures

No more information leakage [GPV]

The larger the standard deviation σ the looser the security

If σ is too small the simulated gaussian leaks the basis again

8 21

Solution randomize the signature [GPV]

Figure Gaussian Sampling several possible signatures

No more information leakage [GPV]

The larger the standard deviation σ the looser the security

If σ is too small the simulated gaussian leaks the basis again8 21

Distinguishing two distributions

P Algorithm

q answers

q queries

0 or 1

Q Algorithm

q answers

q queries

0 or 1

Figure Are P and Q indistinguishableIn our case P = perfect Gaussian Q = simulated Gaussian from [GPV]

Let the algorithm AP do at most q queries to P and output a bit Let x (respy) be the probability that AP (resp AQ) outputs 1

If SD(PQ) 6 δ then |x minus y | 6 qδ

If DKL(PQ) 6 δ then |x minus y | 6 12

radicqδ [PDG]

rArr We can replace Statistical Distance with KL-Divergence

9 21

Distinguishing two distributions

P Algorithm

q answers

q queries

0 or 1

Q Algorithm

q answers

q queries

0 or 1

Figure Are P and Q indistinguishableIn our case P = perfect Gaussian Q = simulated Gaussian from [GPV]

Let the algorithm AP do at most q queries to P and output a bit Let x (respy) be the probability that AP (resp AQ) outputs 1

If SD(PQ) 6 δ then |x minus y | 6 qδ

If DKL(PQ) 6 δ then |x minus y | 6 12

radicqδ [PDG]

rArr We can replace Statistical Distance with KL-Divergence9 21

Statistical Distance or KL-Divergence

Figure The ldquobestrdquo measure depends on the distributions

Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ

10 21

Statistical Distance or KL-Divergence

Figure The ldquobestrdquo measure depends on the distributions

Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ

10 21

Practical impact of KL-Divergence

With statistical distance With KL-Divergence

Figure Sizes of the signatures

Smaller signatures

Gain for free

11 21

1 Gaussian Sampling and KL-Divergence

2 An IBE scheme over NTRU lattices

12 21

From a signature scheme to an IBE scheme

Keygen

SK larr[g Gminusf minusF

]PK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Sign

t larr H(m)

Sign(m) =

[s1

s2

]st s1 + s2 lowast h = t

13 21

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot BB

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

KL-Divergence + optimal NTRU bases

Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot 117

radicq then DKL(PQ) 6 2minusλ

16 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192

1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)

17 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

For 192 bits of security

Extract 10times slower

Encrypt 1200times faster

Decrypt 2700times faster

18 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-128

Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072

User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms

192 bits of security for us 128 for Boneh-Franklin

Extract 60times slower

Encrypt 200times faster

Decrypt 400times faster

19 21

Thank you Any questions

ePrint httpeprintiacrorg2014794

Article and slides httpwwwdiensfr~prest

Implementation httpsgithubcomtprestLattice-IBE

Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr

20 21

C Aguilar J Barrier L Fousse and MO Killijian

Xpire Private information retrieval for everyone IACR eprint XXX2014

Leo Ducas and Phong Q Nguyen

Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12

Leo Ducas and Phong Q Nguyen

Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12

Oded Goldreich Shafi Goldwasser and Shai Halevi

Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97

Craig Gentry Chris Peikert and Vinod Vaikuntanathan

Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08

Aurore Guillevic

Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis

Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte

Ntrusign digital signatures using the ntru lattice CT-RSArsquo03

Vadim Lyubashevsky Chris Peikert and Oded Regev

A toolkit for ring-lwe cryptography EUROCRYPTrsquo13

Phong Q Nguyen and Oded Regev

Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06

Thomas Poppelmann Leo Ducas and Tim Guneysu

Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14

Damien Stehle and Ron Steinfeld

Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21

  • Gaussian Sampling and KL-Divergence
  • An IBE scheme over NTRU lattices
Page 3: Efficient Identity-Based Encryption using NTRU Lattices Identity... · An Identity-based encryption scheme 2/21 [GPV]: Signature scheme =)IBE Alice Carol Sign (m) Sch ema de signature

[GPV] Signature scheme =rArr IBE

Alice

Carol

Sign(m)

Schema de signature

Alice

Carol

Bob

SKA asymp Sign(Alice)

EAlice(m)

IBE

1 2

3 21

[GPV] Signature scheme =rArr IBE

Alice

Carol

Sign(m)

Schema de signature

Alice

Carol

Bob

SKA asymp Sign(Alice)

EAlice(m)

IBE

1 2

3 21

1 Gaussian Sampling and KL-Divergence

2 An IBE scheme over NTRU lattices

4 21

A signature scheme GGHNTRUSign [GGH HHP+]

H(m)Sign(m)

Figure Only one possible signature

How to sign m with a short basis B of a lattice Λ sup qZn

1 H(m)larr$ Znq

2 Sign(m)larr a point v isin Λ st v minus H(m) is small

5 21

What GGHNTRUSign does

H(m)Sign(m)

Figure Only one possible signature

1 H(m)larr$ Znq

2 Let be the fundamental parallelepiped of B centered over H(m)

3 Sign(m)larr cap Λ6 21

Information leakage in GGHNTRUSign

Figure Distribution of the H(mi )minus sign(mi )

One can recover the short base [NR]

Countermeasures are ineffective [DNb]7 21

Solution randomize the signature [GPV]

Figure Gaussian Sampling several possible signatures

No more information leakage [GPV]

The larger the standard deviation σ the looser the security

If σ is too small the simulated gaussian leaks the basis again

8 21

Solution randomize the signature [GPV]

Figure Gaussian Sampling several possible signatures

No more information leakage [GPV]

The larger the standard deviation σ the looser the security

If σ is too small the simulated gaussian leaks the basis again8 21

Distinguishing two distributions

P Algorithm

q answers

q queries

0 or 1

Q Algorithm

q answers

q queries

0 or 1

Figure Are P and Q indistinguishableIn our case P = perfect Gaussian Q = simulated Gaussian from [GPV]

Let the algorithm AP do at most q queries to P and output a bit Let x (respy) be the probability that AP (resp AQ) outputs 1

If SD(PQ) 6 δ then |x minus y | 6 qδ

If DKL(PQ) 6 δ then |x minus y | 6 12

radicqδ [PDG]

rArr We can replace Statistical Distance with KL-Divergence

9 21

Distinguishing two distributions

P Algorithm

q answers

q queries

0 or 1

Q Algorithm

q answers

q queries

0 or 1

Figure Are P and Q indistinguishableIn our case P = perfect Gaussian Q = simulated Gaussian from [GPV]

Let the algorithm AP do at most q queries to P and output a bit Let x (respy) be the probability that AP (resp AQ) outputs 1

If SD(PQ) 6 δ then |x minus y | 6 qδ

If DKL(PQ) 6 δ then |x minus y | 6 12

radicqδ [PDG]

rArr We can replace Statistical Distance with KL-Divergence9 21

Statistical Distance or KL-Divergence

Figure The ldquobestrdquo measure depends on the distributions

Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ

10 21

Statistical Distance or KL-Divergence

Figure The ldquobestrdquo measure depends on the distributions

Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ

10 21

Practical impact of KL-Divergence

With statistical distance With KL-Divergence

Figure Sizes of the signatures

Smaller signatures

Gain for free

11 21

1 Gaussian Sampling and KL-Divergence

2 An IBE scheme over NTRU lattices

12 21

From a signature scheme to an IBE scheme

Keygen

SK larr[g Gminusf minusF

]PK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Sign

t larr H(m)

Sign(m) =

[s1

s2

]st s1 + s2 lowast h = t

13 21

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot BB

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

KL-Divergence + optimal NTRU bases

Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot 117

radicq then DKL(PQ) 6 2minusλ

16 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192

1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)

17 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

For 192 bits of security

Extract 10times slower

Encrypt 1200times faster

Decrypt 2700times faster

18 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-128

Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072

User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms

192 bits of security for us 128 for Boneh-Franklin

Extract 60times slower

Encrypt 200times faster

Decrypt 400times faster

19 21

Thank you Any questions

ePrint httpeprintiacrorg2014794

Article and slides httpwwwdiensfr~prest

Implementation httpsgithubcomtprestLattice-IBE

Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr

20 21

C Aguilar J Barrier L Fousse and MO Killijian

Xpire Private information retrieval for everyone IACR eprint XXX2014

Leo Ducas and Phong Q Nguyen

Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12

Leo Ducas and Phong Q Nguyen

Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12

Oded Goldreich Shafi Goldwasser and Shai Halevi

Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97

Craig Gentry Chris Peikert and Vinod Vaikuntanathan

Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08

Aurore Guillevic

Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis

Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte

Ntrusign digital signatures using the ntru lattice CT-RSArsquo03

Vadim Lyubashevsky Chris Peikert and Oded Regev

A toolkit for ring-lwe cryptography EUROCRYPTrsquo13

Phong Q Nguyen and Oded Regev

Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06

Thomas Poppelmann Leo Ducas and Tim Guneysu

Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14

Damien Stehle and Ron Steinfeld

Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21

  • Gaussian Sampling and KL-Divergence
  • An IBE scheme over NTRU lattices
Page 4: Efficient Identity-Based Encryption using NTRU Lattices Identity... · An Identity-based encryption scheme 2/21 [GPV]: Signature scheme =)IBE Alice Carol Sign (m) Sch ema de signature

[GPV] Signature scheme =rArr IBE

Alice

Carol

Sign(m)

Schema de signature

Alice

Carol

Bob

SKA asymp Sign(Alice)

EAlice(m)

IBE

1 2

3 21

1 Gaussian Sampling and KL-Divergence

2 An IBE scheme over NTRU lattices

4 21

A signature scheme GGHNTRUSign [GGH HHP+]

H(m)Sign(m)

Figure Only one possible signature

How to sign m with a short basis B of a lattice Λ sup qZn

1 H(m)larr$ Znq

2 Sign(m)larr a point v isin Λ st v minus H(m) is small

5 21

What GGHNTRUSign does

H(m)Sign(m)

Figure Only one possible signature

1 H(m)larr$ Znq

2 Let be the fundamental parallelepiped of B centered over H(m)

3 Sign(m)larr cap Λ6 21

Information leakage in GGH/NTRUSign

Figure: distribution of the differences H(m_i) − Sign(m_i) over many signatures.

One can recover the short basis [NR].
Countermeasures are ineffective [DNb].

7/21

Solution: randomize the signature [GPV]

Figure: Gaussian sampling gives several possible signatures around H(m).

No more information leakage [GPV].
The larger the standard deviation σ, the looser the security.
If σ is too small, the simulated Gaussian leaks the basis again.

8/21


Distinguishing two distributions

Figure: an algorithm sends q queries to an oracle, receives q answers drawn either from P (left) or from Q (right), and outputs 0 or 1. Are P and Q indistinguishable? In our case P = perfect Gaussian, Q = simulated Gaussian from [GPV].

Let the algorithm A^P make at most q queries to P and output a bit. Let x (resp. y) be the probability that A^P (resp. A^Q) outputs 1.

If SD(P, Q) ≤ δ then |x − y| ≤ q·δ.
If D_KL(P‖Q) ≤ δ then |x − y| ≤ ½ · √(q·δ) [PDG].

⇒ We can replace Statistical Distance with KL-Divergence.

9/21


Statistical Distance or KL-Divergence?

Figure: the "best" measure depends on the distributions.

Let P be the perfect Gaussian of standard deviation σ, and Q the output of the Gaussian sampler.

[GPV, DNa] → If σ > √(λ ln 2 / (2π²)) · ‖B̃‖ then SD(P, Q) ≤ 2^(−λ)
Our results → If σ > (1/√2) · √(λ ln 2 / (2π²)) · ‖B̃‖ then D_KL(P‖Q) ≤ 2^(−λ)

10/21

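As an added example (not from the slides or the authors' implementation), the Python below builds the perfect discrete Gaussian P and a constructed stand-in Q for a "simulated" sampler whose stored probabilities each carry a 2^(−k) relative error, computes SD(P, Q) and D_KL(P‖Q), and evaluates the two distinguishing bounds of slide 9 for q queries. The choices σ = 4, k = 20 and the alternating error sign are assumptions made for illustration.

```python
import math


def discrete_gaussian(sigma, tail=14):
    """Perfect discrete Gaussian P on Z, proportional to exp(-x^2 / (2 sigma^2)).

    Truncated at |x| <= tail*sigma, where the remaining mass is negligible
    (far below 2^-100 for tail = 14)."""
    t = int(math.ceil(tail * sigma))
    weights = {x: math.exp(-x * x / (2.0 * sigma * sigma)) for x in range(-t, t + 1)}
    total = sum(weights.values())
    return {x: w / total for x, w in weights.items()}


def noisy_sampler(P, bits):
    """Constructed stand-in for a 'simulated Gaussian' (assumption, not a real sampler):
    every stored probability is off by a relative error of 2^-bits, the worst case for a
    table with `bits` bits of precision.  The error sign alternates with the parity of x
    so the errors do not simply cancel when the table is renormalised."""
    eps = 2.0 ** (-bits)
    raw = {x: p * (1.0 + (eps if x % 2 == 0 else -eps)) for x, p in P.items()}
    total = sum(raw.values())
    return {x: w / total for x, w in raw.items()}


def statistical_distance(P, Q):
    """SD(P, Q) = 1/2 * sum_x |P(x) - Q(x)|."""
    support = set(P) | set(Q)
    return 0.5 * sum(abs(P.get(x, 0.0) - Q.get(x, 0.0)) for x in support)


def kl_divergence(P, Q):
    """D_KL(P || Q) = sum_x P(x) ln(P(x) / Q(x)); infinite if Q misses part of P's support."""
    total = 0.0
    for x, p in P.items():
        if p == 0.0:
            continue
        q = Q.get(x, 0.0)
        if q == 0.0:
            return math.inf
        total += p * math.log(p / q)
    return total


def distinguishing_bounds(P, Q, queries):
    """Upper bounds on |x - y| for a distinguisher making `queries` queries, as stated on
    slide 9: q*delta from the statistical distance, (1/2)*sqrt(q*delta) from the
    KL-divergence [PDG]."""
    sd = statistical_distance(P, Q)
    kl = kl_divergence(P, Q)
    return {"sd": sd, "kl": kl,
            "sd_bound": queries * sd,
            "kl_bound": 0.5 * math.sqrt(queries * kl)}


if __name__ == "__main__":
    P = discrete_gaussian(sigma=4.0)
    Q = noisy_sampler(P, bits=20)
    for q in (1, 2 ** 10, 2 ** 20, 2 ** 30):
        b = distinguishing_bounds(P, Q, q)
        print(f"q = 2^{int(math.log2(q)):2d}: SD bound {b['sd_bound']:.3e}, "
              f"KL bound {b['kl_bound']:.3e}")
```

With these settings, at q = 2^30 queries the SD bound exceeds 1 (it no longer says anything) while the KL bound is still about 1%: the relative error per table entry enters SD linearly but KL quadratically, so the KL analysis tolerates roughly half the precision.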

Practical impact of KL-Divergence

Figure: sizes of the signatures, with statistical distance vs. with KL-divergence.

Smaller signatures. Gain for free.

11/21

1. Gaussian Sampling and KL-Divergence
2. An IBE scheme over NTRU lattices

12/21

From a signature scheme to an IBE scheme

Keygen:
  SK ← [ g   −f ]
       [ G   −F ]
  PK ← h
  where f∗G − g∗F = q and h = g∗f^(−1) mod q (NTRU basis)

Sign:
  t ← H(m)
  Sign(m) = (s1, s2) such that s1 + s2∗h = t

13/21

From a signature scheme to an IBE scheme

Setup:
  MSK ← [ g   −f ]
        [ G   −F ]
  MPK ← h
  where f∗G − g∗F = q and h = g∗f^(−1) mod q (NTRU basis)

Extract:
  t ← H(id)
  SK_id = (s1, s2) such that s1 + s2∗h = t

[LPR] Encrypt:
  u ← r∗h + e1
  v ← r∗t + e2 + ⌊q/2⌋·b

[LPR] Decrypt:
  v − u∗s2 = ⌊q/2⌋·b + (e2 + r∗s1 − e1∗s2), with ‖e2 + r∗s1 − e1∗s2‖_∞ small

14/21

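As an added example (not the authors' NFLlib implementation), the toy Python below runs the Encrypt/Decrypt half of the scheme above over R_q = Z_q[x]/(x^n + 1) with assumed toy parameters n = 16, q = 2^13, and checks the decryption identity and the size of the error term. It does not implement Extract: there is no NTRU trapdoor or Gaussian sampler here, so the user key (s1, s2) is chosen small first and t is defined as s1 + s2∗h, whereas the real scheme fixes t = H(id) and samples (s1, s2) with the master key.

```python
import random

N = 16       # toy ring degree (the slides use n = 1024)
Q = 2 ** 13  # toy modulus (the slides use q ~ 2^27)


def poly_mul(a, b, n=N, q=Q):
    """Product in R_q = Z_q[x]/(x^n + 1): a term x^k with k >= n wraps to -x^(k-n)."""
    res = [0] * n
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                res[k] += ai * bj
            else:
                res[k - n] -= ai * bj
    return [c % q for c in res]


def poly_add(a, b, q=Q):
    return [(x + y) % q for x, y in zip(a, b)]


def poly_sub(a, b, q=Q):
    return [(x - y) % q for x, y in zip(a, b)]


def centred(a, q=Q):
    """Representatives in (-q/2, q/2], so that small coefficients look small."""
    return [c - q if c > q // 2 else c for c in a]


def small_poly(bound, rng, n=N):
    """Uniform coefficients in [-bound, bound]; stands in for the Gaussian noise of the slides."""
    return [rng.randint(-bound, bound) for _ in range(n)]


def toy_setup(rng):
    """MPK = h.  In the scheme h = g * f^-1 mod q comes from the NTRU basis (the MSK); this demo
    never uses the trapdoor, so a uniformly random h (assumption) is enough for Encrypt/Decrypt."""
    return [rng.randrange(Q) for _ in range(N)]


def toy_extract(h, rng, bound=3):
    """Stand-in for Extract (assumption, not the paper's algorithm): pick the short key (s1, s2)
    first and define t = s1 + s2 * h.  The real Extract is given t = H(id) and must *find* such a
    short pair, which is exactly what the NTRU trapdoor and the Gaussian sampler provide."""
    s1, s2 = small_poly(bound, rng), small_poly(bound, rng)
    t = poly_add(s1, poly_mul(s2, h))
    return t, (s1, s2)


def encrypt(h, t, bits, rng, bound=1):
    """[LPR] Encrypt: u = r*h + e1, v = r*t + e2 + floor(q/2)*b.  Also returns the randomness
    so that the error term can be inspected."""
    r, e1, e2 = (small_poly(bound, rng) for _ in range(3))
    u = poly_add(poly_mul(r, h), e1)
    scaled = [(Q // 2) * b % Q for b in bits]
    v = poly_add(poly_add(poly_mul(r, t), e2), scaled)
    return u, v, (r, e1, e2)


def decrypt(sk, u, v):
    """[LPR] Decrypt: v - u*s2 = floor(q/2)*b + (e2 + r*s1 - e1*s2).  A centred coefficient
    closer to +-q/2 than to 0 decodes to a 1 bit."""
    s1, s2 = sk
    w = centred(poly_sub(v, poly_mul(u, s2)))
    return [1 if abs(c) > Q // 4 else 0 for c in w]


def noise_term(sk, r, e1, e2):
    """The part of v - u*s2 that is not the message: e2 + r*s1 - e1*s2, in centred form.
    Decryption is correct as long as every coefficient stays below q/4 in absolute value."""
    s1, s2 = sk
    return centred(poly_sub(poly_add(e2, poly_mul(r, s1)), poly_mul(e1, s2)))


def roundtrip(seed=0, nbits=N):
    """Encrypt a random nbits-bit message and decrypt it; returns (message, decrypted, max noise)."""
    rng = random.Random(seed)
    h = toy_setup(rng)
    t, sk = toy_extract(h, rng)
    bits = [rng.randint(0, 1) for _ in range(nbits)]
    u, v, (r, e1, e2) = encrypt(h, t, bits, rng)
    return bits, decrypt(sk, u, v), max(abs(c) for c in noise_term(sk, r, e1, e2))


if __name__ == "__main__":
    bits, recovered, noise = roundtrip()
    print("message  :", bits)
    print("decrypted:", recovered)
    print(f"max |e2 + r*s1 - e1*s2| = {noise} < q/4 = {Q // 4}")
```

With these toy bounds the error term is at most 16·3 + 16·3 + 1 = 97 per coefficient, far below q/4 = 2048, which is why every decryption succeeds; the real parameters balance the same inequality against the Gaussian width σ of slide 16.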

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)?

Figure: ‖B̃‖ as a function of ‖(f, g)‖, showing the two halves (f, g) and (F, G) of the basis for three choices:
  NTRUEncrypt: ‖(f, g)‖ minimal
  Our paper: ‖(f, g)‖ ≈ 1.17·√q
  [SS]: ‖(f, g)‖ > 2n·√q
The sampling width is σ > (1/√2) · √(λ ln 2 / (2π²)) · ‖B̃‖.

‖B̃‖ = max_{b̃_i ∈ B̃} ‖b̃_i‖, where B̃ is the Gram-Schmidt orthogonalization of B.

For NTRU lattices, ‖B̃‖ ≈ max(‖(f, g)‖, (1.17)²·q / ‖(f, g)‖).

⇒ ‖B̃‖ is minimal for ‖(f, g)‖ ≈ 1.17·√q.

15/21


KL-Divergence + optimal NTRU bases

Let P be the perfect discrete Gaussian, and Q the output of the Gaussian sampler.

[GPV, DNa] → If σ > √(λ ln 2 / (2π²)) · ‖B̃‖ then SD(P, Q) ≤ 2^(−λ)
Our results → If σ > (1/√2) · √(λ ln 2 / (2π²)) · 1.17·√q then D_KL(P‖Q) ≤ 2^(−λ)

16/21
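The following added example (not the authors' code) carries the estimates of slides 15 and 16 through numerically: the ‖B̃‖ approximation for NTRU bases, a grid search confirming its minimum near 1.17·√q, the two σ thresholds, and a side-by-side of the three basis choices from the figure. The NTRUEncrypt-like norm √n and the search range [√q, 2√q] are assumptions made for illustration.

```python
import math


def gso_norm_ntru(fg_norm, q):
    """Slide 15's estimate for NTRU bases: ||B~|| ~ max(||(f,g)||, 1.17^2 * q / ||(f,g)||)."""
    return max(fg_norm, 1.17 ** 2 * q / fg_norm)


def optimal_fg_norm(q, samples=4000):
    """Grid search of ||(f,g)|| over [sqrt(q), 2 sqrt(q)] (assumed range) for the minimiser of
    gso_norm_ntru; the two branches of the max cross at 1.17 * sqrt(q)."""
    lo, hi = math.sqrt(q), 2.0 * math.sqrt(q)
    grid = [lo + (hi - lo) * i / samples for i in range(samples + 1)]
    return min(grid, key=lambda x: gso_norm_ntru(x, q))


def smoothing_factor(lam):
    """sqrt(lambda ln 2 / (2 pi^2)), the factor common to both bounds on slide 16."""
    return math.sqrt(lam * math.log(2) / (2.0 * math.pi ** 2))


def sigma_sd(lam, gso_norm):
    """[GPV, DNa]: sigma > smoothing_factor * ||B~|| gives SD(P, Q) <= 2^-lambda."""
    return smoothing_factor(lam) * gso_norm


def sigma_kl(lam, gso_norm):
    """Slide 16: the KL analysis needs 1/sqrt(2) of that width for D_KL(P||Q) <= 2^-lambda."""
    return sigma_sd(lam, gso_norm) / math.sqrt(2)


def compare_bases(n, q, lam):
    """(||B~||, sigma_kl) for the three basis choices drawn on slide 15.
    The NTRUEncrypt-like value sqrt(n) is an illustrative small norm (assumption)."""
    choices = {
        "NTRUEncrypt-like": math.sqrt(n),
        "this paper": 1.17 * math.sqrt(q),
        "[SS]": 2.0 * n * math.sqrt(q),
    }
    out = {}
    for name, fg in choices.items():
        gso = gso_norm_ntru(fg, q)
        out[name] = (gso, sigma_kl(lam, gso))
    return out


if __name__ == "__main__":
    n, q, lam = 1024, 2 ** 27, 192          # the slides' parameters
    print(f"optimal ||(f,g)|| ~ {optimal_fg_norm(q):.0f}  (1.17 sqrt(q) = {1.17 * math.sqrt(q):.0f})")
    for name, (gso, sig) in compare_bases(n, q, lam).items():
        print(f"{name:17s} ||B~|| = {gso:12.1f}   sigma_kl = {sig:12.1f}")
    best = gso_norm_ntru(1.17 * math.sqrt(q), q)
    print(f"sigma_sd / sigma_kl = {sigma_sd(lam, best) / sigma_kl(lam, best):.4f}")
```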

Implementation and comparison with a pairing-based IBE

Scheme      | This paper          | BF-192
Parameters  | 2n = 2048, q ≈ 2^27 | log p = 640, k·log p = 7680
User key    | 27 kbits            | 0.62 kbits
Ciphertexts | 30 kbits            | 15 kbits
Extract     | 32.7 ms             | 3.3 ms
Encrypt     | 0.033 ms            | 38.7 ms
Decrypt     | 0.012 ms            | 32.7 ms

Implementation¹ in C++ with NFLlib² [ABFK]. Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192.

¹ Material: Intel Core i5-3210M 2.5 GHz and 6 GB RAM.
² NTT-based Fast Lattice library (only for Encrypt, Decrypt).

17/21

Implementation and comparison with a pairing-based IBE

Scheme      | This paper          | BF-192
Parameters  | 2n = 2048, q ≈ 2^27 | log p = 640, k·log p = 7680
User key    | 27 kbits            | 0.62 kbits
Ciphertexts | 30 kbits            | 15 kbits
Extract     | 32.7 ms             | 3.3 ms
Encrypt     | 0.033 ms            | 38.7 ms
Decrypt     | 0.012 ms            | 32.7 ms

For 192 bits of security:
  Extract 10× slower
  Encrypt 1200× faster
  Decrypt 2700× faster

18/21

Implementation and comparison with a pairing-based IBE

Scheme      | This paper          | BF-128
Parameters  | 2n = 2048, q ≈ 2^27 | log p = 256, k·log p = 3072
User key    | 27 kbits            | 0.25 kbits
Ciphertexts | 30 kbits            | 3 kbits
Extract     | 32.7 ms             | 0.52 ms
Encrypt     | 0.033 ms            | 7.21 ms
Decrypt     | 0.012 ms            | 4.78 ms

192 bits of security for us, 128 for Boneh-Franklin:
  Extract 60× slower
  Encrypt 200× faster
  Decrypt 400× faster

19/21

Thank you! Any questions?

ePrint: http://eprint.iacr.org/2014/794
Article and slides: http://www.di.ens.fr/~prest
Implementation: https://github.com/tprest/Lattice-IBE
Contact: lducas[at]eng.ucsd.edu, vadim.lyubashevsky[at]inria.fr, thomas.prest[at]ens.fr

20/21

[ABFK] C. Aguilar, J. Barrier, L. Fousse and M.-O. Killijian. Xpire: Private information retrieval for everyone. IACR ePrint XXX/2014.

[DNa] Léo Ducas and Phong Q. Nguyen. Faster Gaussian lattice sampling using lazy floating-point arithmetic. ASIACRYPT'12.

[DNb] Léo Ducas and Phong Q. Nguyen. Learning a zonotope and more: cryptanalysis of NTRUSign countermeasures. ASIACRYPT'12.

[GGH] Oded Goldreich, Shafi Goldwasser and Shai Halevi. Public-key cryptosystems from lattice reduction problems. CRYPTO'97.

[GPV] Craig Gentry, Chris Peikert and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. STOC'08.

[Gui] Aurore Guillevic. Étude de l'arithmétique des couplages sur les courbes algébriques pour la cryptographie (Study of pairing arithmetic on algebraic curves for cryptography). PhD thesis.

[HHP+] Jeffrey Hoffstein, Nick Howgrave-Graham, Jill Pipher, Joseph H. Silverman and William Whyte. NTRUSign: digital signatures using the NTRU lattice. CT-RSA'03.

[LPR] Vadim Lyubashevsky, Chris Peikert and Oded Regev. A toolkit for ring-LWE cryptography. EUROCRYPT'13.

[NR] Phong Q. Nguyen and Oded Regev. Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures. EUROCRYPT'06.

[PDG] Thomas Pöppelmann, Léo Ducas and Tim Güneysu. Enhanced lattice-based signatures on reconfigurable hardware. CHES'14.

[SS] Damien Stehlé and Ron Steinfeld. Making NTRU as secure as worst-case problems over ideal lattices. EUROCRYPT'11.

21/21

  • Gaussian Sampling and KL-Divergence
  • An IBE scheme over NTRU lattices
Page 5: Efficient Identity-Based Encryption using NTRU Lattices Identity... · An Identity-based encryption scheme 2/21 [GPV]: Signature scheme =)IBE Alice Carol Sign (m) Sch ema de signature

1 Gaussian Sampling and KL-Divergence

2 An IBE scheme over NTRU lattices

4 21

A signature scheme GGHNTRUSign [GGH HHP+]

H(m)Sign(m)

Figure Only one possible signature

How to sign m with a short basis B of a lattice Λ sup qZn

1 H(m)larr$ Znq

2 Sign(m)larr a point v isin Λ st v minus H(m) is small

5 21

What GGHNTRUSign does

H(m)Sign(m)

Figure Only one possible signature

1 H(m)larr$ Znq

2 Let be the fundamental parallelepiped of B centered over H(m)

3 Sign(m)larr cap Λ6 21

Information leakage in GGHNTRUSign

Figure Distribution of the H(mi )minus sign(mi )

One can recover the short base [NR]

Countermeasures are ineffective [DNb]7 21

Solution randomize the signature [GPV]

Figure Gaussian Sampling several possible signatures

No more information leakage [GPV]

The larger the standard deviation σ the looser the security

If σ is too small the simulated gaussian leaks the basis again

8 21

Solution randomize the signature [GPV]

Figure Gaussian Sampling several possible signatures

No more information leakage [GPV]

The larger the standard deviation σ the looser the security

If σ is too small the simulated gaussian leaks the basis again8 21

Distinguishing two distributions

P Algorithm

q answers

q queries

0 or 1

Q Algorithm

q answers

q queries

0 or 1

Figure Are P and Q indistinguishableIn our case P = perfect Gaussian Q = simulated Gaussian from [GPV]

Let the algorithm AP do at most q queries to P and output a bit Let x (respy) be the probability that AP (resp AQ) outputs 1

If SD(PQ) 6 δ then |x minus y | 6 qδ

If DKL(PQ) 6 δ then |x minus y | 6 12

radicqδ [PDG]

rArr We can replace Statistical Distance with KL-Divergence

9 21

Distinguishing two distributions

P Algorithm

q answers

q queries

0 or 1

Q Algorithm

q answers

q queries

0 or 1

Figure Are P and Q indistinguishableIn our case P = perfect Gaussian Q = simulated Gaussian from [GPV]

Let the algorithm AP do at most q queries to P and output a bit Let x (respy) be the probability that AP (resp AQ) outputs 1

If SD(PQ) 6 δ then |x minus y | 6 qδ

If DKL(PQ) 6 δ then |x minus y | 6 12

radicqδ [PDG]

rArr We can replace Statistical Distance with KL-Divergence9 21

Statistical Distance or KL-Divergence

Figure The ldquobestrdquo measure depends on the distributions

Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ

10 21

Statistical Distance or KL-Divergence

Figure The ldquobestrdquo measure depends on the distributions

Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ

10 21

Practical impact of KL-Divergence

With statistical distance With KL-Divergence

Figure Sizes of the signatures

Smaller signatures

Gain for free

11 21

1 Gaussian Sampling and KL-Divergence

2 An IBE scheme over NTRU lattices

12 21

From a signature scheme to an IBE scheme

Keygen

SK larr[g Gminusf minusF

]PK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Sign

t larr H(m)

Sign(m) =

[s1

s2

]st s1 + s2 lowast h = t

13 21

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot BB

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

KL-Divergence + optimal NTRU bases

Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot 117

radicq then DKL(PQ) 6 2minusλ

16 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192

1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)

17 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

For 192 bits of security

Extract 10times slower

Encrypt 1200times faster

Decrypt 2700times faster

18 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-128

Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072

User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms

192 bits of security for us 128 for Boneh-Franklin

Extract 60times slower

Encrypt 200times faster

Decrypt 400times faster

19 21

Thank you Any questions

ePrint httpeprintiacrorg2014794

Article and slides httpwwwdiensfr~prest

Implementation httpsgithubcomtprestLattice-IBE

Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr

20 21

C Aguilar J Barrier L Fousse and MO Killijian

Xpire Private information retrieval for everyone IACR eprint XXX2014

Leo Ducas and Phong Q Nguyen

Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12

Leo Ducas and Phong Q Nguyen

Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12

Oded Goldreich Shafi Goldwasser and Shai Halevi

Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97

Craig Gentry Chris Peikert and Vinod Vaikuntanathan

Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08

Aurore Guillevic

Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis

Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte

Ntrusign digital signatures using the ntru lattice CT-RSArsquo03

Vadim Lyubashevsky Chris Peikert and Oded Regev

A toolkit for ring-lwe cryptography EUROCRYPTrsquo13

Phong Q Nguyen and Oded Regev

Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06

Thomas Poppelmann Leo Ducas and Tim Guneysu

Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14

Damien Stehle and Ron Steinfeld

Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21

  • Gaussian Sampling and KL-Divergence
  • An IBE scheme over NTRU lattices
Page 6: Efficient Identity-Based Encryption using NTRU Lattices Identity... · An Identity-based encryption scheme 2/21 [GPV]: Signature scheme =)IBE Alice Carol Sign (m) Sch ema de signature

A signature scheme GGHNTRUSign [GGH HHP+]

H(m)Sign(m)

Figure Only one possible signature

How to sign m with a short basis B of a lattice Λ sup qZn

1 H(m)larr$ Znq

2 Sign(m)larr a point v isin Λ st v minus H(m) is small

5 21

What GGHNTRUSign does

H(m)Sign(m)

Figure Only one possible signature

1 H(m)larr$ Znq

2 Let be the fundamental parallelepiped of B centered over H(m)

3 Sign(m)larr cap Λ6 21

Information leakage in GGHNTRUSign

Figure Distribution of the H(mi )minus sign(mi )

One can recover the short base [NR]

Countermeasures are ineffective [DNb]7 21

Solution randomize the signature [GPV]

Figure Gaussian Sampling several possible signatures

No more information leakage [GPV]

The larger the standard deviation σ the looser the security

If σ is too small the simulated gaussian leaks the basis again

8 21

Solution randomize the signature [GPV]

Figure Gaussian Sampling several possible signatures

No more information leakage [GPV]

The larger the standard deviation σ the looser the security

If σ is too small the simulated gaussian leaks the basis again8 21

Distinguishing two distributions

P Algorithm

q answers

q queries

0 or 1

Q Algorithm

q answers

q queries

0 or 1

Figure Are P and Q indistinguishableIn our case P = perfect Gaussian Q = simulated Gaussian from [GPV]

Let the algorithm AP do at most q queries to P and output a bit Let x (respy) be the probability that AP (resp AQ) outputs 1

If SD(PQ) 6 δ then |x minus y | 6 qδ

If DKL(PQ) 6 δ then |x minus y | 6 12

radicqδ [PDG]

rArr We can replace Statistical Distance with KL-Divergence

9 21

Distinguishing two distributions

P Algorithm

q answers

q queries

0 or 1

Q Algorithm

q answers

q queries

0 or 1

Figure Are P and Q indistinguishableIn our case P = perfect Gaussian Q = simulated Gaussian from [GPV]

Let the algorithm AP do at most q queries to P and output a bit Let x (respy) be the probability that AP (resp AQ) outputs 1

If SD(PQ) 6 δ then |x minus y | 6 qδ

If DKL(PQ) 6 δ then |x minus y | 6 12

radicqδ [PDG]

rArr We can replace Statistical Distance with KL-Divergence9 21

Statistical Distance or KL-Divergence

Figure The ldquobestrdquo measure depends on the distributions

Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ

10 21

Statistical Distance or KL-Divergence

Figure The ldquobestrdquo measure depends on the distributions

Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ

10 21

Practical impact of KL-Divergence

With statistical distance With KL-Divergence

Figure Sizes of the signatures

Smaller signatures

Gain for free

11 21

1 Gaussian Sampling and KL-Divergence

2 An IBE scheme over NTRU lattices

12 21

From a signature scheme to an IBE scheme

Keygen

SK larr[g Gminusf minusF

]PK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Sign

t larr H(m)

Sign(m) =

[s1

s2

]st s1 + s2 lowast h = t

13 21

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot BB

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

KL-Divergence + optimal NTRU bases

Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot 117

radicq then DKL(PQ) 6 2minusλ

16 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192

1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)

17 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

For 192 bits of security

Extract 10times slower

Encrypt 1200times faster

Decrypt 2700times faster

18 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-128

Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072

User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms

192 bits of security for us 128 for Boneh-Franklin

Extract 60times slower

Encrypt 200times faster

Decrypt 400times faster

19 21

Thank you Any questions

ePrint httpeprintiacrorg2014794

Article and slides httpwwwdiensfr~prest

Implementation httpsgithubcomtprestLattice-IBE

Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr

20 21

C Aguilar J Barrier L Fousse and MO Killijian

Xpire Private information retrieval for everyone IACR eprint XXX2014

Leo Ducas and Phong Q Nguyen

Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12

Leo Ducas and Phong Q Nguyen

Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12

Oded Goldreich Shafi Goldwasser and Shai Halevi

Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97

Craig Gentry Chris Peikert and Vinod Vaikuntanathan

Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08

Aurore Guillevic

Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis

Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte

Ntrusign digital signatures using the ntru lattice CT-RSArsquo03

Vadim Lyubashevsky Chris Peikert and Oded Regev

A toolkit for ring-lwe cryptography EUROCRYPTrsquo13

Phong Q Nguyen and Oded Regev

Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06

Thomas Poppelmann Leo Ducas and Tim Guneysu

Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14

Damien Stehle and Ron Steinfeld

Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21

  • Gaussian Sampling and KL-Divergence
  • An IBE scheme over NTRU lattices
Page 7: Efficient Identity-Based Encryption using NTRU Lattices Identity... · An Identity-based encryption scheme 2/21 [GPV]: Signature scheme =)IBE Alice Carol Sign (m) Sch ema de signature

What GGHNTRUSign does

H(m)Sign(m)

Figure Only one possible signature

1 H(m)larr$ Znq

2 Let be the fundamental parallelepiped of B centered over H(m)

3 Sign(m)larr cap Λ6 21

Information leakage in GGHNTRUSign

Figure Distribution of the H(mi )minus sign(mi )

One can recover the short base [NR]

Countermeasures are ineffective [DNb]7 21

Solution randomize the signature [GPV]

Figure Gaussian Sampling several possible signatures

No more information leakage [GPV]

The larger the standard deviation σ the looser the security

If σ is too small the simulated gaussian leaks the basis again

8 21

Solution randomize the signature [GPV]

Figure Gaussian Sampling several possible signatures

No more information leakage [GPV]

The larger the standard deviation σ the looser the security

If σ is too small the simulated gaussian leaks the basis again8 21

Distinguishing two distributions

P Algorithm

q answers

q queries

0 or 1

Q Algorithm

q answers

q queries

0 or 1

Figure Are P and Q indistinguishableIn our case P = perfect Gaussian Q = simulated Gaussian from [GPV]

Let the algorithm AP do at most q queries to P and output a bit Let x (respy) be the probability that AP (resp AQ) outputs 1

If SD(PQ) 6 δ then |x minus y | 6 qδ

If DKL(PQ) 6 δ then |x minus y | 6 12

radicqδ [PDG]

rArr We can replace Statistical Distance with KL-Divergence

9 21

Distinguishing two distributions

P Algorithm

q answers

q queries

0 or 1

Q Algorithm

q answers

q queries

0 or 1

Figure Are P and Q indistinguishableIn our case P = perfect Gaussian Q = simulated Gaussian from [GPV]

Let the algorithm AP do at most q queries to P and output a bit Let x (respy) be the probability that AP (resp AQ) outputs 1

If SD(PQ) 6 δ then |x minus y | 6 qδ

If DKL(PQ) 6 δ then |x minus y | 6 12

radicqδ [PDG]

rArr We can replace Statistical Distance with KL-Divergence9 21

Statistical Distance or KL-Divergence

Figure The ldquobestrdquo measure depends on the distributions

Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ

10 21

Statistical Distance or KL-Divergence

Figure The ldquobestrdquo measure depends on the distributions

Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ

10 21

Practical impact of KL-Divergence

With statistical distance With KL-Divergence

Figure Sizes of the signatures

Smaller signatures

Gain for free

11 21

1 Gaussian Sampling and KL-Divergence

2 An IBE scheme over NTRU lattices

12 21

From a signature scheme to an IBE scheme

Keygen

SK larr[g Gminusf minusF

]PK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Sign

t larr H(m)

Sign(m) =

[s1

s2

]st s1 + s2 lowast h = t

13 21

From a signature scheme to an IBE scheme

Setup:

$\mathrm{MSK} \leftarrow \begin{bmatrix} g & G \\ -f & -F \end{bmatrix}$, $\mathrm{MPK} \leftarrow h$, where $f * G - g * F = q$ and $h = g * f^{-1} \bmod q$ (NTRU basis).

Extract:

$t \leftarrow H(\mathrm{id})$

$\mathrm{SK}_{\mathrm{id}} = \begin{bmatrix} s_1 \\ s_2 \end{bmatrix}$ s.t. $s_1 + s_2 * h = t$.

[LPR] Encrypt:

$u \leftarrow r * h + e_1$

$v \leftarrow r * t + e_2 + \lfloor q/2 \rfloor \cdot b$

[LPR] Decrypt:

$v - u * s_2 = \lfloor q/2 \rfloor \cdot b + \underbrace{e_2 + r * s_1 - e_1 * s_2}_{\|\cdot\|_\infty \text{ small}}$

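An added worked example of the Encrypt/Decrypt identity on the slide above (this is not code from the paper or from the authors' Lattice-IBE implementation). It uses toy ring arithmetic in $\mathbb{Z}_q[x]/(x^n+1)$ with constructed parameters $n = 64$, $q = 12289$. The master public key $h$ is a uniform stand-in for $g * f^{-1} \bmod q$, and `demo_extract` is a hypothetical stand-in for Extract that chooses the short user key first and derives $t$ from it, because the trapdoor Gaussian sampler is not implemented here. What the block does show is the slide's algebra: $v - u * s_2 - \lfloor q/2 \rfloor \cdot b$ is exactly $e_2 + r * s_1 - e_1 * s_2$, and decryption succeeds as long as that term stays below $q/4$ in $\|\cdot\|_\infty$.

```python
import random

# Toy parameters, constructed for this demo (the slides use 2n = 2048, q ~ 2^27).
N = 64
Q = 12289


def ring_mul(a, b):
    """Product in Z_Q[x]/(x^N + 1), the '*' of the slides (negacyclic convolution)."""
    res = [0] * N
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                res[k] = (res[k] + ai * bj) % Q
            else:                          # x^N = -1 in this ring
                res[k - N] = (res[k - N] - ai * bj) % Q
    return res


def ring_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def ring_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]


def centered(a):
    """Representatives in (-Q/2, Q/2], so that 'small' means small absolute value."""
    return [x - Q if x > Q // 2 else x for x in a]


def inf_norm(a):
    return max(abs(x) for x in centered(a))


def small_poly(rng, bound):
    return [rng.randint(-bound, bound) % Q for _ in range(N)]


def demo_extract(rng, h):
    """Hypothetical stand-in for Extract, demo only: a short (s1, s2) is chosen first and
    the identity digest t = s1 + s2*h is derived from it. The real scheme starts from
    t = H(id) and Gaussian-samples a short (s1, s2) with the NTRU trapdoor, which this
    block does not implement."""
    s1, s2 = small_poly(rng, 3), small_poly(rng, 3)
    t = ring_add(s1, ring_mul(s2, h))
    return (s1, s2), t


def encrypt(rng, h, t, bits):
    """Slide 14, [LPR] Encrypt: u = r*h + e1, v = r*t + e2 + floor(Q/2)*b (one bit per coefficient).
    The randomness is returned as well so the demo can check the decryption identity."""
    r, e1, e2 = (small_poly(rng, 1) for _ in range(3))
    u = ring_add(ring_mul(r, h), e1)
    v = ring_add(ring_add(ring_mul(r, t), e2), [(Q // 2) * b for b in bits])
    return (u, v), (r, e1, e2)


def decrypt(sk, u, v):
    """Slide 14, [LPR] Decrypt: v - u*s2 = floor(Q/2)*b + (e2 + r*s1 - e1*s2), then round each coefficient."""
    _, s2 = sk
    w = centered(ring_sub(v, ring_mul(u, s2)))
    return [1 if abs(x) > Q // 4 else 0 for x in w]


def noise_bound():
    """Worst-case infinity norm of e2 + r*s1 - e1*s2 for the constructed parameters
    (|e|, |r| <= 1 and |s| <= 3): decryption is always correct when this is below Q/4."""
    return 1 + N * 3 + N * 3


def run_demo(seed=1):
    """Returns (decrypted == plaintext, infinity norm of the noise term, noise == e2 + r*s1 - e1*s2)."""
    rng = random.Random(seed)
    h = [rng.randrange(Q) for _ in range(N)]        # MPK; uniform stand-in for g*f^-1 mod Q
    (s1, s2), t = demo_extract(rng, h)
    bits = [rng.randint(0, 1) for _ in range(N)]
    (u, v), (r, e1, e2) = encrypt(rng, h, t, bits)
    # Slide 14: v - u*s2 - floor(Q/2)*b is the term that must stay small.
    small = ring_sub(ring_sub(v, ring_mul(u, s2)), [(Q // 2) * b for b in bits])
    expected = ring_sub(ring_add(e2, ring_mul(r, s1)), ring_mul(e1, s2))
    return decrypt((s1, s2), u, v) == bits, inf_norm(small), small == expected


if __name__ == "__main__":
    ok, noise, identity = run_demo()
    print("decrypted correctly:", ok, "| identity holds:", identity)
    print("noise infinity norm:", noise, "| worst case:", noise_bound(), "| Q/4 =", Q // 4)
```

With these toy parameters the worst-case noise is 385 against a decryption margin of $q/4 = 3072$; at the paper's parameters the same margin argument is what fixes how large $\sigma$ (hence $\|(s_1, s_2)\|$) may be relative to $q$.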

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)?

Figure: $\|(f, g)\|$, $\|(F, G)\|$ and $\|\tilde{B}\|$ for three choices of NTRU basis: NTRUEncrypt ($\|(f, g)\|$ minimal), our paper ($\|(f, g)\| \approx 1.17\sqrt{q}$) and [SS] ($\|(f, g)\| > 2n\sqrt{q}$); the sampler requires $\sigma > \frac{1}{\sqrt{2}} \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde{B}\|$.

$\|\tilde{B}\| = \max_{\tilde{b}_i \in \tilde{B}} \|\tilde{b}_i\|$, where $\tilde{B}$ is the Gram-Schmidt orthogonalization of $B$.

For NTRU lattices, $\|\tilde{B}\| \approx \max\left( \|(f, g)\|, \frac{(1.17)^2 q}{\|(f, g)\|} \right)$.

$\Rightarrow$ $\|\tilde{B}\|$ is minimal for $\|(f, g)\| \approx 1.17\sqrt{q}$.


KL-Divergence + optimal NTRU bases

Let $P$ be the perfect Discrete Gaussian and $Q$ the output of the Gaussian Sampler.

[GPV, DNa] $\rightarrow$ If $\sigma > \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde{B}\|$ then $\mathrm{SD}(P, Q) \le 2^{-\lambda}$.

Our results $\rightarrow$ If $\sigma > \frac{1}{\sqrt{2}} \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot 1.17\sqrt{q}$ then $D_{KL}(P \| Q) \le 2^{-\lambda}$.
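An added example, not from the slides or the paper, that makes the SD-versus-KL comparison of the "Statistical Distance or KL-Divergence" slide and the $\sigma$ requirements of the slide above concrete. The mechanism it illustrates: when an imperfect sampler $Q$ is within relative error $\varepsilon$ of the perfect Gaussian $P$, $\mathrm{SD}(P, Q)$ is of order $\varepsilon$ while $D_{KL}(P \| Q)$ is of order $\varepsilon^2$, so reaching $2^{-\lambda}$ needs $\varepsilon \approx 2^{-\lambda/2}$ under KL instead of $\varepsilon \approx 2^{-\lambda}$ under SD, which is where a factor $1/\sqrt{2}$ on $\sigma$ comes from. The relative-error sampler model, its deterministic error pattern, $\sigma = 4$ and $\lambda = 40$ are all constructed for the demo; `sigma_thresholds` only evaluates the two slide formulas, here at the paper's $\lambda = 192$, $q \approx 2^{27}$ and $\|\tilde{B}\| \approx 1.17\sqrt{q}$.

```python
import math


def discrete_gaussian(sigma, tail=12.0):
    """Perfect discrete Gaussian D_{Z,sigma}, the P of the slides, tabulated on
    [-tail*sigma, tail*sigma]; the mass beyond that is far below double precision."""
    bound = int(math.ceil(tail * sigma))
    w = {x: math.exp(-x * x / (2.0 * sigma * sigma)) for x in range(-bound, bound + 1)}
    z = sum(w.values())
    return {x: v / z for x, v in w.items()}


def relative_error_sampler(P, eps):
    """Hypothetical model of an imperfect sampler Q: every probability is off from P by
    a relative error of magnitude at most eps, then renormalised. The error pattern is
    constructed and deterministic so that runs are reproducible."""
    Q = {x: p * (1.0 + eps * (((x * 7919) % 13) / 6.0 - 1.0)) for x, p in P.items()}
    z = sum(Q.values())
    return {x: v / z for x, v in Q.items()}


def statistical_distance(P, Q):
    """SD(P, Q) = 1/2 * sum_x |P(x) - Q(x)|."""
    return 0.5 * sum(abs(p - Q[x]) for x, p in P.items())


def kl_divergence(P, Q):
    """D_KL(P || Q) = sum_x P(x) ln(P(x)/Q(x)); log1p keeps precision when P and Q are close."""
    return sum(p * math.log1p((p - Q[x]) / Q[x]) for x, p in P.items() if p > 0)


def precision_bits_needed(P, lam, measure):
    """Smallest k such that a sampler with relative error 2^-k is within 2^-lam of P under `measure`."""
    for k in range(1, 4 * lam):
        if measure(P, relative_error_sampler(P, 2.0 ** -k)) <= 2.0 ** -lam:
            return k
    return None


def sigma_thresholds(lam, gs_norm):
    """The two slide requirements on sigma, (SD bound of [GPV, DNa], KL bound of this paper),
    for security parameter lam and Gram-Schmidt norm gs_norm of the trapdoor basis."""
    base = math.sqrt(lam * math.log(2) / (2.0 * math.pi ** 2)) * gs_norm
    return base, base / math.sqrt(2.0)


def compare_measures(sigma=4.0, eps=2.0 ** -20):
    """(SD, KL) between the perfect Gaussian and a sampler with relative error eps."""
    P = discrete_gaussian(sigma)
    Q = relative_error_sampler(P, eps)
    return statistical_distance(P, Q), kl_divergence(P, Q)


if __name__ == "__main__":
    sd, kl = compare_measures()
    print(f"relative error 2^-20: SD = 2^{math.log2(sd):.1f}, KL = 2^{math.log2(kl):.1f}")
    P = discrete_gaussian(4.0)
    print("precision bits for 2^-40 under SD:", precision_bits_needed(P, 40, statistical_distance))
    print("precision bits for 2^-40 under KL:", precision_bits_needed(P, 40, kl_divergence))
    sd_sigma, kl_sigma = sigma_thresholds(192, 1.17 * math.sqrt(2 ** 27))
    print(f"sigma for lambda=192, q=2^27: SD bound {sd_sigma:.0f}, KL bound {kl_sigma:.0f}")
```

Running it shows the KL divergence sitting near the square of the statistical distance for the same sampler, so the precision budget under KL is roughly half the one under SD; the last two lines are simply the slide formulas evaluated at the paper's parameters, with the KL threshold $1/\sqrt{2}$ times the SD one.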

Implementation and comparison with a pairing-based IBE

Scheme        This paper                 BF-192
Parameters    2n = 2048, q ≈ 2^27        log p = 640, k log p = 7680
User Key      27 kbits                   0.62 kbits
Ciphertexts   30 kbits                   15 kbits
Extract       32.7 ms                    3.3 ms
Encrypt       0.033 ms                   38.7 ms
Decrypt       0.012 ms                   32.7 ms

Implementation (1) in C++ with NFLlib (2) [ABFK]. Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192.

(1) Material: Intel Core i5-3210M 2.5 GHz and 6 GB RAM.
(2) NTT-based Fast Lattice library (only for Encrypt, Decrypt).

Implementation and comparison with a pairing-based IBE

For 192 bits of security (same table as above, BF-192):

Extract: 10× slower

Encrypt: 1200× faster

Decrypt: 2700× faster

Implementation and comparison with a pairing-based IBE

Scheme        This paper                 BF-128
Parameters    2n = 2048, q ≈ 2^27        log p = 256, k log p = 3072
User Key      27 kbits                   0.25 kbits
Ciphertexts   30 kbits                   3 kbits
Extract       32.7 ms                    0.52 ms
Encrypt       0.033 ms                   7.21 ms
Decrypt       0.012 ms                   4.78 ms

192 bits of security for us, 128 for Boneh-Franklin:

Extract: 60× slower

Encrypt: 200× faster

Decrypt: 400× faster

Thank you! Any questions?

ePrint: http://eprint.iacr.org/2014/794

Article and slides: http://www.di.ens.fr/~prest

Implementation: https://github.com/tprest/Lattice-IBE

Contact: lducas[at]eng.ucsd.edu, vadim.lyubashevsky[at]inria.fr, thomas.prest[at]ens.fr

[ABFK] C. Aguilar, J. Barrier, L. Fousse and M.-O. Killijian. XPIRe: Private information retrieval for everyone. IACR ePrint XXX/2014.

[DNa] Léo Ducas and Phong Q. Nguyen. Faster Gaussian lattice sampling using lazy floating-point arithmetic. ASIACRYPT'12.

[DNb] Léo Ducas and Phong Q. Nguyen. Learning a zonotope and more: cryptanalysis of NTRUSign countermeasures. ASIACRYPT'12.

[GGH] Oded Goldreich, Shafi Goldwasser and Shai Halevi. Public-key cryptosystems from lattice reduction problems. CRYPTO'97.

[GPV] Craig Gentry, Chris Peikert and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. STOC'08.

[Gui] Aurore Guillevic. Étude de l'arithmétique des couplages sur les courbes algébriques pour la cryptographie. PhD thesis.

[HHP+] Jeffrey Hoffstein, Nick Howgrave-Graham, Jill Pipher, Joseph H. Silverman and William Whyte. NTRUSign: digital signatures using the NTRU lattice. CT-RSA'03.

[LPR] Vadim Lyubashevsky, Chris Peikert and Oded Regev. A toolkit for ring-LWE cryptography. EUROCRYPT'13.

[NR] Phong Q. Nguyen and Oded Regev. Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures. EUROCRYPT'06.

[PDG] Thomas Pöppelmann, Léo Ducas and Tim Güneysu. Enhanced lattice-based signatures on reconfigurable hardware. CHES'14.

[SS] Damien Stehlé and Ron Steinfeld. Making NTRU as secure as worst-case problems over ideal lattices. EUROCRYPT'11.

  • Gaussian Sampling and KL-Divergence
  • An IBE scheme over NTRU lattices
Page 8: Efficient Identity-Based Encryption using NTRU Lattices Identity... · An Identity-based encryption scheme 2/21 [GPV]: Signature scheme =)IBE Alice Carol Sign (m) Sch ema de signature

Information leakage in GGHNTRUSign

Figure Distribution of the H(mi )minus sign(mi )

One can recover the short base [NR]

Countermeasures are ineffective [DNb]7 21

Solution randomize the signature [GPV]

Figure Gaussian Sampling several possible signatures

No more information leakage [GPV]

The larger the standard deviation σ the looser the security

If σ is too small the simulated gaussian leaks the basis again

8 21

Solution randomize the signature [GPV]

Figure Gaussian Sampling several possible signatures

No more information leakage [GPV]

The larger the standard deviation σ the looser the security

If σ is too small the simulated gaussian leaks the basis again8 21

Distinguishing two distributions

P Algorithm

q answers

q queries

0 or 1

Q Algorithm

q answers

q queries

0 or 1

Figure Are P and Q indistinguishableIn our case P = perfect Gaussian Q = simulated Gaussian from [GPV]

Let the algorithm AP do at most q queries to P and output a bit Let x (respy) be the probability that AP (resp AQ) outputs 1

If SD(PQ) 6 δ then |x minus y | 6 qδ

If DKL(PQ) 6 δ then |x minus y | 6 12

radicqδ [PDG]

rArr We can replace Statistical Distance with KL-Divergence

9 21

Distinguishing two distributions

P Algorithm

q answers

q queries

0 or 1

Q Algorithm

q answers

q queries

0 or 1

Figure Are P and Q indistinguishableIn our case P = perfect Gaussian Q = simulated Gaussian from [GPV]

Let the algorithm AP do at most q queries to P and output a bit Let x (respy) be the probability that AP (resp AQ) outputs 1

If SD(PQ) 6 δ then |x minus y | 6 qδ

If DKL(PQ) 6 δ then |x minus y | 6 12

radicqδ [PDG]

rArr We can replace Statistical Distance with KL-Divergence9 21

Statistical Distance or KL-Divergence

Figure The ldquobestrdquo measure depends on the distributions

Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ

10 21

Statistical Distance or KL-Divergence

Figure The ldquobestrdquo measure depends on the distributions

Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ

10 21

Practical impact of KL-Divergence

With statistical distance With KL-Divergence

Figure Sizes of the signatures

Smaller signatures

Gain for free

11 21

1 Gaussian Sampling and KL-Divergence

2 An IBE scheme over NTRU lattices

12 21

From a signature scheme to an IBE scheme

Keygen

SK larr[g Gminusf minusF

]PK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Sign

t larr H(m)

Sign(m) =

[s1

s2

]st s1 + s2 lowast h = t

13 21

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot BB

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

KL-Divergence + optimal NTRU bases

Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot 117

radicq then DKL(PQ) 6 2minusλ

16 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192

1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)

17 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

For 192 bits of security

Extract 10times slower

Encrypt 1200times faster

Decrypt 2700times faster

18 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-128

Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072

User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms

192 bits of security for us 128 for Boneh-Franklin

Extract 60times slower

Encrypt 200times faster

Decrypt 400times faster

19 21

Thank you Any questions

ePrint httpeprintiacrorg2014794

Article and slides httpwwwdiensfr~prest

Implementation httpsgithubcomtprestLattice-IBE

Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr

20 21

C Aguilar J Barrier L Fousse and MO Killijian

Xpire Private information retrieval for everyone IACR eprint XXX2014

Leo Ducas and Phong Q Nguyen

Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12

Leo Ducas and Phong Q Nguyen

Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12

Oded Goldreich Shafi Goldwasser and Shai Halevi

Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97

Craig Gentry Chris Peikert and Vinod Vaikuntanathan

Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08

Aurore Guillevic

Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis

Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte

Ntrusign digital signatures using the ntru lattice CT-RSArsquo03

Vadim Lyubashevsky Chris Peikert and Oded Regev

A toolkit for ring-lwe cryptography EUROCRYPTrsquo13

Phong Q Nguyen and Oded Regev

Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06

Thomas Poppelmann Leo Ducas and Tim Guneysu

Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14

Damien Stehle and Ron Steinfeld

Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21

  • Gaussian Sampling and KL-Divergence
  • An IBE scheme over NTRU lattices
Page 9: Efficient Identity-Based Encryption using NTRU Lattices Identity... · An Identity-based encryption scheme 2/21 [GPV]: Signature scheme =)IBE Alice Carol Sign (m) Sch ema de signature

Solution randomize the signature [GPV]

Figure Gaussian Sampling several possible signatures

No more information leakage [GPV]

The larger the standard deviation σ the looser the security

If σ is too small the simulated gaussian leaks the basis again

8 21

Solution randomize the signature [GPV]

Figure Gaussian Sampling several possible signatures

No more information leakage [GPV]

The larger the standard deviation σ the looser the security

If σ is too small the simulated gaussian leaks the basis again8 21

Distinguishing two distributions

P Algorithm

q answers

q queries

0 or 1

Q Algorithm

q answers

q queries

0 or 1

Figure Are P and Q indistinguishableIn our case P = perfect Gaussian Q = simulated Gaussian from [GPV]

Let the algorithm AP do at most q queries to P and output a bit Let x (respy) be the probability that AP (resp AQ) outputs 1

If SD(PQ) 6 δ then |x minus y | 6 qδ

If DKL(PQ) 6 δ then |x minus y | 6 12

radicqδ [PDG]

rArr We can replace Statistical Distance with KL-Divergence

9 21

Distinguishing two distributions

P Algorithm

q answers

q queries

0 or 1

Q Algorithm

q answers

q queries

0 or 1

Figure Are P and Q indistinguishableIn our case P = perfect Gaussian Q = simulated Gaussian from [GPV]

Let the algorithm AP do at most q queries to P and output a bit Let x (respy) be the probability that AP (resp AQ) outputs 1

If SD(PQ) 6 δ then |x minus y | 6 qδ

If DKL(PQ) 6 δ then |x minus y | 6 12

radicqδ [PDG]

rArr We can replace Statistical Distance with KL-Divergence9 21

Statistical Distance or KL-Divergence

Figure The ldquobestrdquo measure depends on the distributions

Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ

10 21

Statistical Distance or KL-Divergence

Figure The ldquobestrdquo measure depends on the distributions

Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ

10 21

Practical impact of KL-Divergence

With statistical distance With KL-Divergence

Figure Sizes of the signatures

Smaller signatures

Gain for free

11 21

1 Gaussian Sampling and KL-Divergence

2 An IBE scheme over NTRU lattices

12 21

From a signature scheme to an IBE scheme

Keygen

SK larr[g Gminusf minusF

]PK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Sign

t larr H(m)

Sign(m) =

[s1

s2

]st s1 + s2 lowast h = t

13 21

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot BB

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

KL-Divergence + optimal NTRU bases

Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot 117

radicq then DKL(PQ) 6 2minusλ

16 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192

1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)

17 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

For 192 bits of security

Extract 10times slower

Encrypt 1200times faster

Decrypt 2700times faster

18 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-128

Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072

User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms

192 bits of security for us 128 for Boneh-Franklin

Extract 60times slower

Encrypt 200times faster

Decrypt 400times faster

19 21

Thank you Any questions

ePrint httpeprintiacrorg2014794

Article and slides httpwwwdiensfr~prest

Implementation httpsgithubcomtprestLattice-IBE

Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr

20 21

C Aguilar J Barrier L Fousse and MO Killijian

Xpire Private information retrieval for everyone IACR eprint XXX2014

Leo Ducas and Phong Q Nguyen

Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12

Leo Ducas and Phong Q Nguyen

Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12

Oded Goldreich Shafi Goldwasser and Shai Halevi

Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97

Craig Gentry Chris Peikert and Vinod Vaikuntanathan

Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08

Aurore Guillevic

Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis

Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte

Ntrusign digital signatures using the ntru lattice CT-RSArsquo03

Vadim Lyubashevsky Chris Peikert and Oded Regev

A toolkit for ring-lwe cryptography EUROCRYPTrsquo13

Phong Q Nguyen and Oded Regev

Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06

Thomas Poppelmann Leo Ducas and Tim Guneysu

Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14

Damien Stehle and Ron Steinfeld

Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21

  • Gaussian Sampling and KL-Divergence
  • An IBE scheme over NTRU lattices
Page 10: Efficient Identity-Based Encryption using NTRU Lattices Identity... · An Identity-based encryption scheme 2/21 [GPV]: Signature scheme =)IBE Alice Carol Sign (m) Sch ema de signature

Solution randomize the signature [GPV]

Figure Gaussian Sampling several possible signatures

No more information leakage [GPV]

The larger the standard deviation σ the looser the security

If σ is too small the simulated gaussian leaks the basis again8 21

Distinguishing two distributions

P Algorithm

q answers

q queries

0 or 1

Q Algorithm

q answers

q queries

0 or 1

Figure Are P and Q indistinguishableIn our case P = perfect Gaussian Q = simulated Gaussian from [GPV]

Let the algorithm AP do at most q queries to P and output a bit Let x (respy) be the probability that AP (resp AQ) outputs 1

If SD(PQ) 6 δ then |x minus y | 6 qδ

If DKL(PQ) 6 δ then |x minus y | 6 12

radicqδ [PDG]

rArr We can replace Statistical Distance with KL-Divergence

9 21

Distinguishing two distributions

P Algorithm

q answers

q queries

0 or 1

Q Algorithm

q answers

q queries

0 or 1

Figure Are P and Q indistinguishableIn our case P = perfect Gaussian Q = simulated Gaussian from [GPV]

Let the algorithm AP do at most q queries to P and output a bit Let x (respy) be the probability that AP (resp AQ) outputs 1

If SD(PQ) 6 δ then |x minus y | 6 qδ

If DKL(PQ) 6 δ then |x minus y | 6 12

radicqδ [PDG]

rArr We can replace Statistical Distance with KL-Divergence9 21

Statistical Distance or KL-Divergence

Figure The ldquobestrdquo measure depends on the distributions

Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ

10 21

Statistical Distance or KL-Divergence

Figure The ldquobestrdquo measure depends on the distributions

Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ

10 21

Practical impact of KL-Divergence

With statistical distance With KL-Divergence

Figure Sizes of the signatures

Smaller signatures

Gain for free

11 21

1 Gaussian Sampling and KL-Divergence

2 An IBE scheme over NTRU lattices

12 21

From a signature scheme to an IBE scheme

Keygen

SK larr[g Gminusf minusF

]PK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Sign

t larr H(m)

Sign(m) =

[s1

s2

]st s1 + s2 lowast h = t

13 21

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot BB

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

KL-Divergence + optimal NTRU bases

Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot 117

radicq then DKL(PQ) 6 2minusλ

16 21


Distinguishing two distributions

Figure: two experiments, one algorithm making $q$ queries to $P$ and the same algorithm making $q$ queries to $Q$, each ending with an output bit 0 or 1. Are $P$ and $Q$ indistinguishable? In our case $P$ = perfect Gaussian, $Q$ = simulated Gaussian from [GPV].

Let the algorithm $\mathcal{A}^P$ make at most $q$ queries to $P$ and output a bit. Let $x$ (resp. $y$) be the probability that $\mathcal{A}^P$ (resp. $\mathcal{A}^Q$) outputs 1.

If $\mathrm{SD}(P, Q) \le \delta$ then $|x - y| \le q\delta$.

If $D_{\mathrm{KL}}(P \,\|\, Q) \le \delta$ then $|x - y| \le \frac{1}{\sqrt{2}}\sqrt{q\delta}$ [PDG].

⇒ We can replace Statistical Distance with KL-Divergence.

9 / 21


Statistical Distance or KL-Divergence?

Figure: the "best" measure depends on the distributions.

Let $P$ be the perfect Gaussian of standard deviation $\sigma$ and $Q$ the output of the Gaussian sampler.

[GPV, DNa] → If $\sigma > \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde{B}\|$ then $\mathrm{SD}(P, Q) \le 2^{-\lambda}$.

Our results → If $\sigma > \frac{1}{\sqrt{2}}\sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde{B}\|$ then $D_{\mathrm{KL}}(P \,\|\, Q) \le 2^{-\lambda}$.

10 / 21


Practical impact of KL-Divergence

Figure: sizes of the signatures, with statistical distance (left) versus with KL-Divergence (right).

Smaller signatures.

Gain for free!

11 / 21

1. Gaussian Sampling and KL-Divergence
2. An IBE scheme over NTRU lattices

12 / 21

From a signature scheme to an IBE scheme

Keygen:
$$\mathrm{SK} \leftarrow \begin{bmatrix} g & -f \\ G & -F \end{bmatrix}, \qquad \mathrm{PK} \leftarrow h,$$
where $f * G - g * F = q$ and $h = g * f^{-1} \bmod q$ (NTRU basis).

Sign:
$t \leftarrow H(m)$
$\mathrm{Sign}(m) = [s_1, s_2]$ s.t. $s_1 + s_2 * h = t$.

13 / 21

From a signature scheme to an IBE scheme

Setup:
$$\mathrm{MSK} \leftarrow \begin{bmatrix} g & -f \\ G & -F \end{bmatrix}, \qquad \mathrm{MPK} \leftarrow h,$$
where $f * G - g * F = q$ and $h = g * f^{-1} \bmod q$ (NTRU basis).

Extract:
$t \leftarrow H(\mathrm{id})$
$\mathrm{SK}_{\mathrm{id}} = [s_1, s_2]$ s.t. $s_1 + s_2 * h = t$.

[LPR] Encrypt:
$u \leftarrow r * h + e_1$
$v \leftarrow r * t + e_2 + \lfloor q/2 \rfloor \cdot b$

[LPR] Decrypt:
$$v - u * s_2 = \lfloor q/2 \rfloor \cdot b + \underbrace{e_2 + r * s_1 - e_1 * s_2}_{\|\cdot\|_\infty \text{ small}}$$

14 / 21


Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)?

Figure: $\|\tilde{B}\|$ as a function of $\|(f,g)\|$ and $\|(F,G)\|$, together with the required $\sigma > \frac{1}{\sqrt{2}}\sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde{B}\|$; three regimes are marked: NTRUEncrypt ($\|(f,g)\|$ minimal), our paper ($\|(f,g)\| \approx 1.17\sqrt{q}$) and [SS] ($\|(f,g)\| > 2n\sqrt{q}$).

$\|\tilde{B}\| = \max_{b_i \in B} \|\tilde{b}_i\|$, where $\tilde{B}$ is the Gram-Schmidt orthogonalization of $B$.

For NTRU lattices, $\|\tilde{B}\| \approx \max\left(\|(f,g)\|,\ \frac{(1.17)^2\, q}{\|(f,g)\|}\right)$.

⇒ $\|\tilde{B}\|$ is minimal for $\|(f,g)\| \approx 1.17\sqrt{q}$.

15 / 21


KL-Divergence + optimal NTRU bases

Let $P$ be the perfect discrete Gaussian and $Q$ the output of the Gaussian sampler.

[GPV, DNa] → If $\sigma > \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde{B}\|$ then $\mathrm{SD}(P, Q) \le 2^{-\lambda}$.

Our results → If $\sigma > \frac{1}{\sqrt{2}}\sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot 1.17\sqrt{q}$ then $D_{\mathrm{KL}}(P \,\|\, Q) \le 2^{-\lambda}$.

16 / 21
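The SD-versus-KL lemma of slide 9, the σ thresholds of slides 10 and 16 and the Gram-Schmidt norm of slide 15, worked numerically as an added example in Python (not code from the paper or its implementation). P is the perfect discrete Gaussian over Z with the tail cut at 10σ; Q models a sampler whose probability table carries a relative error of 2^-k per entry, with a constructed alternating-sign error pattern as a stand-in for floating-point rounding (an assumption, not a measurement of any real sampler). σ, the tail, k and the 1.17 constant are inputs, and ‖B̃‖ is taken as 1.17√q as on slide 16.

```python
"""Statistical distance vs KL-divergence for a finite-precision Gaussian sampler.
Added example, not code from the paper or its Lattice-IBE implementation.
P = perfect discrete Gaussian D_{Z,sigma} (tail cut far out); Q = the same table
with a relative error of 2^-k per entry, alternating in sign (constructed pattern)."""
from decimal import Decimal, getcontext
import math

getcontext().prec = 60  # KL is ~ (relative error)^2: keep enough digits to see it

def perfect_gaussian(sigma, tail):
    """P(z) proportional to exp(-z^2 / (2 sigma^2)) on [-tail, tail], normalised."""
    s2 = Decimal(2) * Decimal(sigma) ** 2
    w = {z: (Decimal(-z * z) / s2).exp() for z in range(-tail, tail + 1)}
    total = sum(w.values())
    return {z: p / total for z, p in w.items()}

def perturbed_sampler(p, err_bits):
    """Q(z) = P(z) * (1 +/- 2^-err_bits), renormalised (constructed error pattern)."""
    eps = Decimal(2) ** -err_bits
    w = {z: pr * (1 + eps if z % 2 == 0 else 1 - eps) for z, pr in p.items()}
    total = sum(w.values())
    return {z: pr / total for z, pr in w.items()}

def statistical_distance(p, q):
    return sum(abs(p[z] - q[z]) for z in p) / 2

def kl_divergence(p, q):
    """D_KL(P || Q) = sum_z P(z) ln(P(z)/Q(z)); needs Q(z) > 0 wherever P(z) > 0."""
    return sum(p[z] * (p[z] / q[z]).ln() for z in p)

def advantage_bounds(p, q, queries):
    """Bounds on |x - y| for a distinguisher making `queries` oracle calls:
    queries*SD (hybrid argument) versus sqrt(queries*KL/2) (slide 9, [PDG])."""
    sd, kl = statistical_distance(p, q), kl_divergence(p, q)
    return {"sd": sd, "kl": kl,
            "from_sd": Decimal(queries) * sd,
            "from_kl": (Decimal(queries) * kl / 2).sqrt()}

def max_queries(p, q, lam):
    """Queries each bound tolerates before the advantage may exceed 2^-lam."""
    target = Decimal(2) ** -lam
    return {"sd": int(target / statistical_distance(p, q)),
            "kl": int(2 * target ** 2 / kl_divergence(p, q))}

def sigma_threshold(lam, gs_norm, measure):
    """Slide 10: sigma > sqrt(lam ln2 / (2 pi^2)) * ||B~|| gives SD <= 2^-lam;
    1/sqrt(2) of that already gives KL <= 2^-lam."""
    base = math.sqrt(lam * math.log(2) / (2 * math.pi ** 2)) * gs_norm
    return base if measure == "sd" else base / math.sqrt(2)

def ntru_gs_norm(fg_norm, q):
    """Slide 15: ||B~|| ~ max(||(f,g)||, 1.17^2 q / ||(f,g)||), minimal at 1.17 sqrt(q)."""
    return max(fg_norm, 1.17 ** 2 * q / fg_norm)

if __name__ == "__main__":
    P = perfect_gaussian(4, 40)
    Qs = perturbed_sampler(P, 20)
    print(advantage_bounds(P, Qs, 2 ** 20))
    print(max_queries(P, Qs, 10))
    q = 2 ** 27  # the paper's modulus; ||B~|| = 1.17 sqrt(q) per slide 16
    gs = ntru_gs_norm(1.17 * math.sqrt(q), q)
    print(sigma_threshold(192, gs, "sd"), sigma_threshold(192, gs, "kl"))
```

With a relative error of 2^-20 per table entry, SD is about 2^-21 while KL is about 2^-41, i.e. KL ≈ 2·SD²; after 2^20 queries the SD-based bound q·SD is already 1/2, whereas the KL-based bound √(q·KL/2) is 2^-11, and for a 2^-10 advantage target the KL route tolerates 2^11 times more queries. That quadratic relation is why the KL condition on σ is only 1/√2 of the SD one.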

Implementation and comparison with a pairing-based IBE

Scheme        This paper               BF-192
Parameters    2n = 2048, q ≈ 2^27      log p = 640, k·log p = 7680
User Key      27 kbits                 0.62 kbits
Ciphertexts   30 kbits                 15 kbits
Extract       32.7 ms                  3.3 ms
Encrypt       0.033 ms                 38.7 ms
Decrypt       0.012 ms                 32.7 ms

Implementation¹ in C++ with NFLlib² [ABFK]. Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192.

¹ Material: Intel Core i5-3210M 2.5GHz and 6GB RAM.
² NTT-based Fast Lattice library (only for Encrypt/Decrypt).

17 / 21

For 192 bits of security (same table as above):

- Extract: 10× slower
- Encrypt: 1200× faster
- Decrypt: 2700× faster

18 / 21

Implementation and comparison with a pairing-based IBE

Scheme        This paper               BF-128
Parameters    2n = 2048, q ≈ 2^27      log p = 256, k·log p = 3072
User Key      27 kbits                 0.25 kbits
Ciphertexts   30 kbits                 3 kbits
Extract       32.7 ms                  0.52 ms
Encrypt       0.033 ms                 7.21 ms
Decrypt       0.012 ms                 4.78 ms

192 bits of security for us, 128 for Boneh-Franklin:

- Extract: 60× slower
- Encrypt: 200× faster
- Decrypt: 400× faster

19 / 21

Thank you! Any questions?

ePrint: http://eprint.iacr.org/2014/794
Article and slides: http://www.di.ens.fr/~prest
Implementation: https://github.com/tprest/Lattice-IBE
Contact: lducas[at]eng.ucsd.edu, vadim.lyubashevsky[at]inria.fr, thomas.prest[at]ens.fr

20 / 21

References

[ABFK] C. Aguilar, J. Barrier, L. Fousse, and M.-O. Killijian. Xpire: Private information retrieval for everyone. IACR ePrint XXX/2014.

[DNa] Léo Ducas and Phong Q. Nguyen. Faster Gaussian lattice sampling using lazy floating-point arithmetic. ASIACRYPT '12.

[DNb] Léo Ducas and Phong Q. Nguyen. Learning a zonotope and more: cryptanalysis of NTRUSign countermeasures. ASIACRYPT '12.

[GGH] Oded Goldreich, Shafi Goldwasser, and Shai Halevi. Public-key cryptosystems from lattice reduction problems. CRYPTO '97.

[GPV] Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. STOC '08.

[Gui] Aurore Guillevic. Étude de l'arithmétique des couplages sur les courbes algébriques pour la cryptographie (Study of pairing arithmetic on algebraic curves for cryptography). PhD thesis.

[HHP+] Jeffrey Hoffstein, Nick Howgrave-Graham, Jill Pipher, Joseph H. Silverman, and William Whyte. NTRUSign: digital signatures using the NTRU lattice. CT-RSA '03.

[LPR] Vadim Lyubashevsky, Chris Peikert, and Oded Regev. A toolkit for Ring-LWE cryptography. EUROCRYPT '13.

[NR] Phong Q. Nguyen and Oded Regev. Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures. EUROCRYPT '06.

[PDG] Thomas Pöppelmann, Léo Ducas, and Tim Güneysu. Enhanced lattice-based signatures on reconfigurable hardware. CHES '14.

[SS] Damien Stehlé and Ron Steinfeld. Making NTRU as secure as worst-case problems over ideal lattices. EUROCRYPT '11.

21 / 21

  • Gaussian Sampling and KL-Divergence
  • An IBE scheme over NTRU lattices
Page 12: Efficient Identity-Based Encryption using NTRU Lattices Identity... · An Identity-based encryption scheme 2/21 [GPV]: Signature scheme =)IBE Alice Carol Sign (m) Sch ema de signature

Distinguishing two distributions

P Algorithm

q answers

q queries

0 or 1

Q Algorithm

q answers

q queries

0 or 1

Figure Are P and Q indistinguishableIn our case P = perfect Gaussian Q = simulated Gaussian from [GPV]

Let the algorithm AP do at most q queries to P and output a bit Let x (respy) be the probability that AP (resp AQ) outputs 1

If SD(PQ) 6 δ then |x minus y | 6 qδ

If DKL(PQ) 6 δ then |x minus y | 6 12

radicqδ [PDG]

rArr We can replace Statistical Distance with KL-Divergence9 21

Statistical Distance or KL-Divergence

Figure The ldquobestrdquo measure depends on the distributions

Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ

10 21

Statistical Distance or KL-Divergence

Figure The ldquobestrdquo measure depends on the distributions

Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ

10 21

Practical impact of KL-Divergence

With statistical distance With KL-Divergence

Figure Sizes of the signatures

Smaller signatures

Gain for free

11 21

1 Gaussian Sampling and KL-Divergence

2 An IBE scheme over NTRU lattices

12 21

From a signature scheme to an IBE scheme

Keygen

SK larr[g Gminusf minusF

]PK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Sign

t larr H(m)

Sign(m) =

[s1

s2

]st s1 + s2 lowast h = t

13 21

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot BB

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

KL-Divergence + optimal NTRU bases

Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot 117

radicq then DKL(PQ) 6 2minusλ

16 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192

1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)

17 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

For 192 bits of security

Extract 10times slower

Encrypt 1200times faster

Decrypt 2700times faster

18 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-128

Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072

User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms

192 bits of security for us 128 for Boneh-Franklin

Extract 60times slower

Encrypt 200times faster

Decrypt 400times faster

19 21

Thank you Any questions

ePrint httpeprintiacrorg2014794

Article and slides httpwwwdiensfr~prest

Implementation httpsgithubcomtprestLattice-IBE

Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr

20 21

C Aguilar J Barrier L Fousse and MO Killijian

Xpire Private information retrieval for everyone IACR eprint XXX2014

Leo Ducas and Phong Q Nguyen

Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12

Leo Ducas and Phong Q Nguyen

Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12

Oded Goldreich Shafi Goldwasser and Shai Halevi

Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97

Craig Gentry Chris Peikert and Vinod Vaikuntanathan

Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08

Aurore Guillevic

Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis

Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte

Ntrusign digital signatures using the ntru lattice CT-RSArsquo03

Vadim Lyubashevsky Chris Peikert and Oded Regev

A toolkit for ring-lwe cryptography EUROCRYPTrsquo13

Phong Q Nguyen and Oded Regev

Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06

Thomas Poppelmann Leo Ducas and Tim Guneysu

Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14

Damien Stehle and Ron Steinfeld

Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21

  • Gaussian Sampling and KL-Divergence
  • An IBE scheme over NTRU lattices
Page 13: Efficient Identity-Based Encryption using NTRU Lattices Identity... · An Identity-based encryption scheme 2/21 [GPV]: Signature scheme =)IBE Alice Carol Sign (m) Sch ema de signature

Statistical Distance or KL-Divergence

Figure The ldquobestrdquo measure depends on the distributions

Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ

10 21

Statistical Distance or KL-Divergence

Figure The ldquobestrdquo measure depends on the distributions

Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ

10 21

Practical impact of KL-Divergence

With statistical distance With KL-Divergence

Figure Sizes of the signatures

Smaller signatures

Gain for free

11 21

1 Gaussian Sampling and KL-Divergence

2 An IBE scheme over NTRU lattices

12 21

From a signature scheme to an IBE scheme

Keygen

SK larr[g Gminusf minusF

]PK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Sign

t larr H(m)

Sign(m) =

[s1

s2

]st s1 + s2 lowast h = t

13 21

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot BB

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

KL-Divergence + optimal NTRU bases

Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot 117

radicq then DKL(PQ) 6 2minusλ

16 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192

1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)

17 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

For 192 bits of security

Extract 10times slower

Encrypt 1200times faster

Decrypt 2700times faster

18 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-128

Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072

User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms

192 bits of security for us 128 for Boneh-Franklin

Extract 60times slower

Encrypt 200times faster

Decrypt 400times faster

19 21

Thank you Any questions

ePrint httpeprintiacrorg2014794

Article and slides httpwwwdiensfr~prest

Implementation httpsgithubcomtprestLattice-IBE

Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr

20 21

C Aguilar J Barrier L Fousse and MO Killijian

Xpire Private information retrieval for everyone IACR eprint XXX2014

Leo Ducas and Phong Q Nguyen

Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12

Leo Ducas and Phong Q Nguyen

Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12

Oded Goldreich Shafi Goldwasser and Shai Halevi

Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97

Craig Gentry Chris Peikert and Vinod Vaikuntanathan

Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08

Aurore Guillevic

Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis

Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte

Ntrusign digital signatures using the ntru lattice CT-RSArsquo03

Vadim Lyubashevsky Chris Peikert and Oded Regev

A toolkit for ring-lwe cryptography EUROCRYPTrsquo13

Phong Q Nguyen and Oded Regev

Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06

Thomas Poppelmann Leo Ducas and Tim Guneysu

Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14

Damien Stehle and Ron Steinfeld

Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21

  • Gaussian Sampling and KL-Divergence
  • An IBE scheme over NTRU lattices
Page 14: Efficient Identity-Based Encryption using NTRU Lattices Identity... · An Identity-based encryption scheme 2/21 [GPV]: Signature scheme =)IBE Alice Carol Sign (m) Sch ema de signature

Statistical Distance or KL-Divergence

Figure The ldquobestrdquo measure depends on the distributions

Let P the perfect Gaussian of st dev σ Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot B then DKL(PQ) 6 2minusλ

10 21

Practical impact of KL-Divergence

With statistical distance With KL-Divergence

Figure Sizes of the signatures

Smaller signatures

Gain for free

11 21

1 Gaussian Sampling and KL-Divergence

2 An IBE scheme over NTRU lattices

12 21

From a signature scheme to an IBE scheme

Keygen

SK larr[g Gminusf minusF

]PK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Sign

t larr H(m)

Sign(m) =

[s1

s2

]st s1 + s2 lowast h = t

13 21

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot BB

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

KL-Divergence + optimal NTRU bases

Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot 117

radicq then DKL(PQ) 6 2minusλ

16 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192

1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)

17 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680


Practical impact of KL-Divergence

[Figure: sizes of the signatures, with statistical distance vs. with KL-Divergence]

Smaller signatures. Gain for free.

11 / 21

Outline

1. Gaussian Sampling and KL-Divergence
2. An IBE scheme over NTRU lattices

12 / 21

From a signature scheme to an IBE scheme

Keygen:
  $\mathrm{SK} \leftarrow B = \begin{pmatrix} g & -f \\ G & -F \end{pmatrix}$,  $\mathrm{PK} \leftarrow h$
  where $f * G - g * F = q$ and $h = g * f^{-1} \bmod q$ (NTRU basis).

Sign:
  $t \leftarrow H(m)$
  $\mathrm{Sign}(m) = (s_1, s_2)$ such that $s_1 + s_2 * h = t$ (a short solution, obtained by Gaussian sampling with the short basis $B$).

13 / 21

From a signature scheme to an IBE scheme

Setup:
  $\mathrm{MSK} \leftarrow B = \begin{pmatrix} g & -f \\ G & -F \end{pmatrix}$,  $\mathrm{MPK} \leftarrow h$
  where $f * G - g * F = q$ and $h = g * f^{-1} \bmod q$ (NTRU basis).

Extract:
  $t \leftarrow H(\mathrm{id})$
  $\mathrm{SK}_{\mathrm{id}} = (s_1, s_2)$ such that $s_1 + s_2 * h = t$

Encrypt [LPR] (message bits $b$, short random $r, e_1, e_2$):
  $u \leftarrow r * h + e_1$
  $v \leftarrow r * t + e_2 + \lfloor q/2 \rfloor \cdot b$

Decrypt [LPR]:
  $v - u * s_2 = \lfloor q/2 \rfloor \cdot b + (e_2 + r * s_1 - e_1 * s_2)$
  The term in parentheses is small in the $\infty$-norm, so $b$ is recovered by rounding each coefficient to $0$ or $\lfloor q/2 \rfloor$.

14 / 21
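The Extract / Encrypt / Decrypt equations above, worked through in code as an added example (not part of the slides or of the authors' Lattice-IBE implementation). It uses toy parameters, a uniformly random h in place of g * f^{-1} mod q, and a stand-in for Extract that samples the short key first and derives t from it; all three are assumptions made for illustration only, while the decryption identity and the noise term it checks are exactly those on the slide. The last function shows why a solution of s1 + s2 * h = t that is not short is useless as a user key.

```python
import random

# Toy parameters, constructed for this example: the slides use 2n = 2048 and q ~ 2^27.
N = 64            # ring degree; arithmetic is in R_q = Z_q[x] / (x^N + 1)
Q = 2 ** 27       # modulus q


def ring_mul(a, b):
    """Multiply two polynomials in Z[x]/(x^N + 1) (negacyclic convolution, no reduction mod q)."""
    res = [0] * N
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                res[k] += ai * bj
            else:
                res[k - N] -= ai * bj   # x^N = -1
    return res


def ring_add(a, b):
    return [x + y for x, y in zip(a, b)]


def ring_sub(a, b):
    return [x - y for x, y in zip(a, b)]


def mod_q(a):
    return [x % Q for x in a]


def centered(a):
    """Representatives of a mod q in the range [-q/2, q/2)."""
    return [((x + Q // 2) % Q) - Q // 2 for x in a]


def small_poly(rng, bound=1):
    """Polynomial with coefficients uniform in [-bound, bound] (stand-in for a discrete Gaussian)."""
    return [rng.randint(-bound, bound) for _ in range(N)]


def toy_extract(rng, h):
    """ASSUMPTION, stand-in for Extract: pick a short (s1, s2) first and *define* t = s1 + s2*h.
    The real scheme fixes t = H(id) and Gaussian-samples a short (s1, s2) with the trapdoor basis."""
    s1, s2 = small_poly(rng), small_poly(rng)
    t = mod_q(ring_add(s1, ring_mul(s2, h)))
    return (s1, s2), t


def encrypt(rng, h, t, bits):
    """[LPR] Encrypt: u = r*h + e1,  v = r*t + e2 + floor(q/2)*b   (all mod q)."""
    r, e1, e2 = small_poly(rng), small_poly(rng), small_poly(rng)
    u = mod_q(ring_add(ring_mul(r, h), e1))
    scaled = [(Q // 2) * b for b in bits]
    v = mod_q(ring_add(ring_add(ring_mul(r, t), e2), scaled))
    return u, v


def decrypt(sk, u, v):
    """[LPR] Decrypt: v - u*s2 = floor(q/2)*b + (e2 + r*s1 - e1*s2); round each coefficient."""
    s1, s2 = sk
    w = centered(ring_sub(v, ring_mul(u, s2)))
    return [1 if abs(x) > Q // 4 else 0 for x in w]


def noise_inf_norm(sk, u, v, bits):
    """Infinity norm of the error term e2 + r*s1 - e1*s2 hidden in v - u*s2."""
    s1, s2 = sk
    w = ring_sub(ring_sub(v, ring_mul(u, s2)), [(Q // 2) * b for b in bits])
    return max(abs(x) for x in centered(w))


def run_demo(seed=1):
    """Returns (plaintext bits, decrypted bits, noise inf-norm) for one honest key."""
    rng = random.Random(seed)
    # ASSUMPTION: a uniformly random MPK h instead of h = g * f^-1 mod q; correctness of
    # Decrypt only uses s1 + s2*h = t, not how h was built.
    h = [rng.randrange(Q) for _ in range(N)]
    sk, t = toy_extract(rng, h)
    bits = [rng.randint(0, 1) for _ in range(N)]
    u, v = encrypt(rng, h, t, bits)
    return bits, decrypt(sk, u, v), noise_inf_norm(sk, u, v, bits)


def naive_key_failures(seed=1):
    """Why Extract must return a *short* solution: (s1, s2) = (t, 0) also satisfies
    s1 + s2*h = t, but s1 is not small, so r*s1 swamps the signal and decryption fails.
    Returns the number of wrongly decrypted bits."""
    rng = random.Random(seed)
    h = [rng.randrange(Q) for _ in range(N)]
    t = [rng.randrange(Q) for _ in range(N)]
    bits = [rng.randint(0, 1) for _ in range(N)]
    u, v = encrypt(rng, h, t, bits)
    recovered = decrypt((t, [0] * N), u, v)
    return sum(x != y for x, y in zip(bits, recovered))


if __name__ == "__main__":
    bits, rec, noise = run_demo()
    print("decrypt ok:", bits == rec, "| noise inf-norm:", noise, "| q/4 =", Q // 4)
    print("wrong bits with the non-short key:", naive_key_failures(), "of", N)
```

With ternary r, e_1, e_2, s_1, s_2 the error term is bounded by 1 + 2N = 129 in the infinity norm, far below q/4, which is what makes the rounding in decrypt exact; the non-short key drives roughly half the bits wrong.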

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)?

  NTRUEncrypt:  $\|(f, g)\|$ minimal
  [SS]:         $\|(f, g)\| > 2n\sqrt{q}$
  Our paper:    $\|(f, g)\| \approx 1.17\sqrt{q}$

[Figure: the basis vectors $(f, g)$ and $(F, G)$ for each of the three choices]

The Gaussian sampler needs $\sigma > \frac{1}{\sqrt{2}} \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde{B}\|$,
where $\|\tilde{B}\| = \max_{\tilde{b}_i \in \tilde{B}} \|\tilde{b}_i\|$ and $\tilde{B}$ is the Gram-Schmidt orthogonalization of $B$.

For NTRU lattices, $\|\tilde{B}\| \approx \max\left(\|(f, g)\|,\ \frac{(1.17)^2 q}{\|(f, g)\|}\right)$

$\Rightarrow$ $\|\tilde{B}\|$ is minimal for $\|(f, g)\| \approx 1.17\sqrt{q}$.

15 / 21

KL-Divergence + optimal NTRU bases

Let $P$ be the perfect discrete Gaussian and $Q$ the output of the Gaussian sampler.

[GPV, DNa] $\rightarrow$ If $\sigma > \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde{B}\|$ then $\mathrm{SD}(P, Q) \le 2^{-\lambda}$.

Our results $\rightarrow$ If $\sigma > \frac{1}{\sqrt{2}} \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot 1.17\sqrt{q}$ then $D_{\mathrm{KL}}(P \,\|\, Q) \le 2^{-\lambda}$.

16 / 21
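The bounds of the two slides above evaluated in code, as an added example that is not from the slides. It assumes only the paper's parameters (λ = 192, q ≈ 2^27, n = 1024) and checks numerically that the Gram-Schmidt bound is minimised at 1.17·√q, that the KL bound buys a factor 1/√2 on σ for the same λ, and how much larger ‖B̃‖ (hence σ) would be under the [SS] requirement ‖(f, g)‖ > 2n√q.

```python
import math


def gso_norm_bound(fg_norm, q):
    """Slide-15 estimate for an NTRU basis: ||B~|| ~ max(||(f,g)||, 1.17^2 * q / ||(f,g)||)."""
    return max(fg_norm, 1.17 ** 2 * q / fg_norm)


def optimal_fg_norm(q):
    """The choice that balances the two branches of the max: ||(f,g)|| ~ 1.17 * sqrt(q)."""
    return 1.17 * math.sqrt(q)


def sigma_statistical_distance(lam, gso_norm):
    """[GPV, DNa]: sigma > sqrt(lam ln2 / (2 pi^2)) * ||B~||  =>  SD(P, Q) <= 2^-lam."""
    return math.sqrt(lam * math.log(2) / (2 * math.pi ** 2)) * gso_norm


def sigma_kl_divergence(lam, gso_norm):
    """This paper: sigma > (1/sqrt 2) * sqrt(lam ln2 / (2 pi^2)) * ||B~||  =>  D_KL(P||Q) <= 2^-lam."""
    return sigma_statistical_distance(lam, gso_norm) / math.sqrt(2)


def best_scaling_factor(q, candidates):
    """Numerically confirm where ||B~|| is minimised: try ||(f,g)|| = c * sqrt(q) for each c."""
    return min(candidates, key=lambda c: gso_norm_bound(c * math.sqrt(q), q))


def ss_penalty(n, q=2 ** 27):
    """Ratio of ||B~|| under the [SS] requirement ||(f,g)|| > 2n sqrt(q) to ||B~|| at the
    1.17 sqrt(q) choice, for ring dimension n (the ratio does not depend on q)."""
    return gso_norm_bound(2 * n * math.sqrt(q), q) / gso_norm_bound(optimal_fg_norm(q), q)


def parameter_report(lam=192, q=2 ** 27, n=1024):
    """Parameters of the slides: lambda = 192, q ~ 2^27, 2n = 2048."""
    fg = optimal_fg_norm(q)
    gso = gso_norm_bound(fg, q)
    return {
        "fg_norm": fg,
        "gso_norm": gso,
        "sigma_sd": sigma_statistical_distance(lam, gso),
        "sigma_kl": sigma_kl_divergence(lam, gso),
        "ss_penalty": ss_penalty(n, q),
    }


if __name__ == "__main__":
    for k, v in parameter_report().items():
        print(f"{k:>10}: {v:.2f}")
    print("best c:", best_scaling_factor(2 ** 27, [0.5, 0.8, 1.0, 1.17, 1.3, 1.5, 2.0]))
```

For the slide's parameters the 1.17·√q choice gives ‖B̃‖ ≈ 1.36·10^4, the statistical-distance bound asks for σ ≈ 3.5·10^4 and the KL bound for σ ≈ 2.5·10^4; the [SS] choice would multiply ‖B̃‖, and so σ, by 2n/1.17 ≈ 1750.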

Implementation and comparison with a pairing-based IBE

Scheme        This paper               BF-192                        BF-128
Parameters    2n = 2048, q ≈ 2^27      log p = 640, k·log p = 7680   log p = 256, k·log p = 3072
User key      2.7 kbits                0.62 kbits                    0.25 kbits
Ciphertext    30 kbits                 15 kbits                      3 kbits
Extract       3.27 ms                  0.33 ms                       0.052 ms
Encrypt       0.033 ms                 38.7 ms                       7.21 ms
Decrypt       0.012 ms                 32.7 ms                       4.78 ms

Implementation¹ in C++ with NFLlib² [ABFK]. Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192.

¹ Hardware: Intel Core i5-3210M 2.5 GHz, 6 GB RAM.
² NTT-based Fast Lattice library (used only for Encrypt / Decrypt).

17 / 21

For 192 bits of security (this paper vs. BF-192):
  Extract 10× slower
  Encrypt 1200× faster
  Decrypt 2700× faster

18 / 21

192 bits of security for this paper vs. 128 for Boneh-Franklin (BF-128):
  Extract 60× slower
  Encrypt 200× faster
  Decrypt 400× faster

19 / 21

Thank you! Any questions?

ePrint: http://eprint.iacr.org/2014/794
Article and slides: http://www.di.ens.fr/~prest
Implementation: https://github.com/tprest/Lattice-IBE
Contact: lducas[at]eng.ucsd.edu, vadim.lyubashevsky[at]inria.fr, thomas.prest[at]ens.fr

20 / 21

References

[ABFK] C. Aguilar, J. Barrier, L. Fousse and M.-O. Killijian. Xpire: Private information retrieval for everyone. IACR ePrint XXX/2014.

[DNa] Léo Ducas and Phong Q. Nguyen. Faster Gaussian lattice sampling using lazy floating-point arithmetic. ASIACRYPT '12.

[DNb] Léo Ducas and Phong Q. Nguyen. Learning a zonotope and more: cryptanalysis of NTRUSign countermeasures. ASIACRYPT '12.

[GGH] Oded Goldreich, Shafi Goldwasser and Shai Halevi. Public-key cryptosystems from lattice reduction problems. CRYPTO '97.

[GPV] Craig Gentry, Chris Peikert and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. STOC '08.

[Gui] Aurore Guillevic. Étude de l'arithmétique des couplages sur les courbes algébriques pour la cryptographie (Study of the arithmetic of pairings on algebraic curves for cryptography). PhD thesis.

[HHP+] Jeffrey Hoffstein, Nick Howgrave-Graham, Jill Pipher, Joseph H. Silverman and William Whyte. NTRUSign: digital signatures using the NTRU lattice. CT-RSA '03.

[LPR] Vadim Lyubashevsky, Chris Peikert and Oded Regev. A toolkit for Ring-LWE cryptography. EUROCRYPT '13.

[NR] Phong Q. Nguyen and Oded Regev. Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures. EUROCRYPT '06.

[PDG] Thomas Pöppelmann, Léo Ducas and Tim Güneysu. Enhanced lattice-based signatures on reconfigurable hardware. CHES '14.

[SS] Damien Stehlé and Ron Steinfeld. Making NTRU as secure as worst-case problems over ideal lattices. EUROCRYPT '11.

21 / 21

1 Gaussian Sampling and KL-Divergence

2 An IBE scheme over NTRU lattices

12 21

From a signature scheme to an IBE scheme

Keygen

SK larr[g Gminusf minusF

]PK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Sign

t larr H(m)

Sign(m) =

[s1

s2

]st s1 + s2 lowast h = t

13 21

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot BB

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

KL-Divergence + optimal NTRU bases

Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot 117

radicq then DKL(PQ) 6 2minusλ

16 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192

1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)

17 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

For 192 bits of security

Extract 10times slower

Encrypt 1200times faster

Decrypt 2700times faster

18 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-128

Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072

User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms

192 bits of security for us 128 for Boneh-Franklin

Extract 60times slower

Encrypt 200times faster

Decrypt 400times faster

19 21

Thank you Any questions

ePrint httpeprintiacrorg2014794

Article and slides httpwwwdiensfr~prest

Implementation httpsgithubcomtprestLattice-IBE

Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr

20 21

C Aguilar J Barrier L Fousse and MO Killijian

Xpire Private information retrieval for everyone IACR eprint XXX2014

Leo Ducas and Phong Q Nguyen

Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12

Leo Ducas and Phong Q Nguyen

Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12

Oded Goldreich Shafi Goldwasser and Shai Halevi

Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97

Craig Gentry Chris Peikert and Vinod Vaikuntanathan

Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08

Aurore Guillevic

Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis

Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte

Ntrusign digital signatures using the ntru lattice CT-RSArsquo03

Vadim Lyubashevsky Chris Peikert and Oded Regev

A toolkit for ring-lwe cryptography EUROCRYPTrsquo13

Phong Q Nguyen and Oded Regev

Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06

Thomas Poppelmann Leo Ducas and Tim Guneysu

Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14

Damien Stehle and Ron Steinfeld

Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21

  • Gaussian Sampling and KL-Divergence
  • An IBE scheme over NTRU lattices
Page 17: Efficient Identity-Based Encryption using NTRU Lattices Identity... · An Identity-based encryption scheme 2/21 [GPV]: Signature scheme =)IBE Alice Carol Sign (m) Sch ema de signature

From a signature scheme to an IBE scheme

Keygen

SK larr[g Gminusf minusF

]PK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Sign

t larr H(m)

Sign(m) =

[s1

s2

]st s1 + s2 lowast h = t

13 21

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot BB

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

KL-Divergence + optimal NTRU bases

Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot 117

radicq then DKL(PQ) 6 2minusλ

16 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192

1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)

17 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

For 192 bits of security

Extract 10times slower

Encrypt 1200times faster

Decrypt 2700times faster

18 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-128

Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072

User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms

192 bits of security for us 128 for Boneh-Franklin

Extract 60times slower

Encrypt 200times faster

Decrypt 400times faster

19 21

Thank you Any questions

ePrint httpeprintiacrorg2014794

Article and slides httpwwwdiensfr~prest

Implementation httpsgithubcomtprestLattice-IBE

Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr

20 21

C Aguilar J Barrier L Fousse and MO Killijian

Xpire Private information retrieval for everyone IACR eprint XXX2014

Leo Ducas and Phong Q Nguyen

Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12

Leo Ducas and Phong Q Nguyen

Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12

Oded Goldreich Shafi Goldwasser and Shai Halevi

Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97

Craig Gentry Chris Peikert and Vinod Vaikuntanathan

Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08

Aurore Guillevic

Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis

Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte

Ntrusign digital signatures using the ntru lattice CT-RSArsquo03

Vadim Lyubashevsky Chris Peikert and Oded Regev

A toolkit for ring-lwe cryptography EUROCRYPTrsquo13

Phong Q Nguyen and Oded Regev

Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06

Thomas Poppelmann Leo Ducas and Tim Guneysu

Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14

Damien Stehle and Ron Steinfeld

Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21

  • Gaussian Sampling and KL-Divergence
  • An IBE scheme over NTRU lattices
Page 18: Efficient Identity-Based Encryption using NTRU Lattices Identity... · An Identity-based encryption scheme 2/21 [GPV]: Signature scheme =)IBE Alice Carol Sign (m) Sch ema de signature

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot BB

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

KL-Divergence + optimal NTRU bases

Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot 117

radicq then DKL(PQ) 6 2minusλ

16 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192

1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)

17 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

For 192 bits of security

Extract 10times slower

Encrypt 1200times faster

Decrypt 2700times faster

18 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-128

Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072

User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms

192 bits of security for us 128 for Boneh-Franklin

Extract 60times slower

Encrypt 200times faster

Decrypt 400times faster

19 21

Thank you Any questions

ePrint httpeprintiacrorg2014794

Article and slides httpwwwdiensfr~prest

Implementation httpsgithubcomtprestLattice-IBE

Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr

20 21

C Aguilar J Barrier L Fousse and MO Killijian

Xpire Private information retrieval for everyone IACR eprint XXX2014

Leo Ducas and Phong Q Nguyen

Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12

Leo Ducas and Phong Q Nguyen

Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12

Oded Goldreich Shafi Goldwasser and Shai Halevi

Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97

Craig Gentry Chris Peikert and Vinod Vaikuntanathan

Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08

Aurore Guillevic

Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis

Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte

Ntrusign digital signatures using the ntru lattice CT-RSArsquo03

Vadim Lyubashevsky Chris Peikert and Oded Regev

A toolkit for ring-lwe cryptography EUROCRYPTrsquo13

Phong Q Nguyen and Oded Regev

Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06

Thomas Poppelmann Leo Ducas and Tim Guneysu

Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14

Damien Stehle and Ron Steinfeld

Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21

  • Gaussian Sampling and KL-Divergence
  • An IBE scheme over NTRU lattices
Page 19: Efficient Identity-Based Encryption using NTRU Lattices Identity... · An Identity-based encryption scheme 2/21 [GPV]: Signature scheme =)IBE Alice Carol Sign (m) Sch ema de signature

From a signature scheme to an IBE scheme

Setup

MSK larr[g Gminusf minusF

]MPK larr h

Where f lowast G minus g lowast F = q and h = g lowast f minus1 mod q (NTRU basis)Extract

t larr H(id)

SKid =

[s1

s2

]st s1 + s2 lowast h = t

[LPR] Encryptu larr r lowast h + e1

v larr r lowast t + e2 +lfloor

q2

rfloormiddot b

[LPR] Decrypt

v minus u lowast s2 =lfloor

q2

rfloormiddot b + e2 + r lowast s1 minus e1 lowast s2︸ ︷︷ ︸

infin small

14 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot BB

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

KL-Divergence + optimal NTRU bases

Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot 117

radicq then DKL(PQ) 6 2minusλ

16 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192

1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)

17 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

For 192 bits of security

Extract 10times slower

Encrypt 1200times faster

Decrypt 2700times faster

18 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-128

Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072

User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms

192 bits of security for us 128 for Boneh-Franklin

Extract 60times slower

Encrypt 200times faster

Decrypt 400times faster

19 21

Thank you Any questions

ePrint httpeprintiacrorg2014794

Article and slides httpwwwdiensfr~prest

Implementation httpsgithubcomtprestLattice-IBE

Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr

20 21

[ABFK] C. Aguilar, J. Barrier, L. Fousse and M.-O. Killijian. XPIRe: Private information retrieval for everyone. IACR ePrint XXX, 2014.

[DNa] Léo Ducas and Phong Q. Nguyen. Faster Gaussian lattice sampling using lazy floating-point arithmetic. ASIACRYPT'12.

[DNb] Léo Ducas and Phong Q. Nguyen. Learning a zonotope and more: cryptanalysis of NTRUSign countermeasures. ASIACRYPT'12.

[GGH] Oded Goldreich, Shafi Goldwasser and Shai Halevi. Public-key cryptosystems from lattice reduction problems. CRYPTO'97.

[GPV] Craig Gentry, Chris Peikert and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. STOC'08.

[Gui] Aurore Guillevic. Étude de l'arithmétique des couplages sur les courbes algébriques pour la cryptographie [Study of pairing arithmetic on algebraic curves for cryptography]. PhD thesis.

[HHP+] Jeffrey Hoffstein, Nick Howgrave-Graham, Jill Pipher, Joseph H. Silverman and William Whyte. NTRUSign: digital signatures using the NTRU lattice. CT-RSA'03.

[LPR] Vadim Lyubashevsky, Chris Peikert and Oded Regev. A toolkit for ring-LWE cryptography. EUROCRYPT'13.

[NR] Phong Q. Nguyen and Oded Regev. Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures. EUROCRYPT'06.

[PDG] Thomas Pöppelmann, Léo Ducas and Tim Güneysu. Enhanced lattice-based signatures on reconfigurable hardware. CHES'14.

[SS] Damien Stehlé and Ron Steinfeld. Making NTRU as secure as worst-case problems over ideal lattices. EUROCRYPT'11.

21 / 21


Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)?

[Figure: $\|\tilde{B}\|$ plotted against $\|(f,g)\|$ (with $\|(F,G)\|$ on the other axis), marking three choices of $(f,g)$: NTRUEncrypt ($\|(f,g)\|$ minimal), our paper ($\|(f,g)\| \approx 1.17\sqrt{q}$) and [SS] ($\|(f,g)\| > 2n\sqrt{q}$); the Gaussian parameter $\sigma > \frac{1}{\sqrt{2}}\sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde{B}\|$ is marked alongside $\|\tilde{B}\|$.]

$\|\tilde{B}\| = \max_{\tilde{b}_i \in \tilde{B}} \|\tilde{b}_i\|$, where $\tilde{B}$ is the Gram-Schmidt orthogonalization of $B$.

For NTRU lattices, $\|\tilde{B}\| \approx \max\left(\|(f,g)\|,\ \frac{(1.17)^2\, q}{\|(f,g)\|}\right)$

$\Rightarrow \|\tilde{B}\|$ is minimal for $\|(f,g)\| \approx 1.17\sqrt{q}$

15 / 21


KL-Divergence + optimal NTRU bases

Let $P$ be the perfect discrete Gaussian and $Q$ the output of the Gaussian sampler.

[GPV, DNa] → If $\sigma > \sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot \|\tilde{B}\|$ then $\mathrm{SD}(P, Q) \le 2^{-\lambda}$

Our results → If $\sigma > \frac{1}{\sqrt{2}}\sqrt{\frac{\lambda \ln 2}{2\pi^2}} \cdot 1.17\sqrt{q}$ then $D_{KL}(P \| Q) \le 2^{-\lambda}$

16 / 21
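As an added worked example for slides 15 and 16 (this is not code from the slides or from the authors' Lattice-IBE implementation), the Python below computes $\|\tilde{B}\|$ of an NTRU basis from $(f, g)$ alone. It uses the exact expression for the second Gram-Schmidt norm that the full paper gives, $q \cdot \|(\bar{f}, \bar{g})/(f\bar{f} + g\bar{g})\|$, evaluated pointwise at the roots of $x^n + 1$ via Parseval; the slide's $(1.17)^2 q / \|(f,g)\|$ is the heuristic approximation of that quantity. It then applies a key-generation rejection test $\|\tilde{B}\| \le 1.17\sqrt{q}$ (my formulation of the slide's conclusion), checks the closed form against a brute-force Gram-Schmidt of the full $2n \times 2n$ basis on a toy $(f, g, F, G)$ with $fG - gF = q$, and evaluates the two σ bounds of slide 16. The coefficient standard deviation $1.17\sqrt{q/2n}$ in `sample_fg`, the toy parameters ($n = 64$, $q = 2^{27}$) and all function names are my choices for this demo.

```python
import cmath
import math
import random

# Added example (not from the slides or the authors' Lattice-IBE code).
# Polynomials live in Q[x]/(x^n + 1), n a power of two, stored as
# coefficient lists of length n, lowest degree first.


def eval_at_roots(poly):
    """Evaluate poly at the n complex roots zeta_k = exp(i*pi*(2k+1)/n) of x^n + 1."""
    n = len(poly)
    vals = []
    for k in range(n):
        z = cmath.exp(1j * math.pi * (2 * k + 1) / n)
        acc = 0j
        for c in reversed(poly):          # Horner's rule
            acc = acc * z + c
        vals.append(acc)
    return vals


def gs_norms_from_fg(f, g, q):
    """Return (|(f,g)|, |b~_{n+1}|), the two candidate Gram-Schmidt norms of the NTRU basis.

    Parseval for x^n + 1: |h|^2 = (1/n) * sum_k |h(zeta_k)|^2, and the adjoint f* satisfies
    f*(zeta_k) = conj(f(zeta_k)), so with e_k = |f(zeta_k)|^2 + |g(zeta_k)|^2:
      |(f,g)|^2    = (1/n) sum_k e_k
      |b~_{n+1}|^2 = q^2 * (1/n) sum_k 1/e_k      (= q^2 |(f*, g*)/(f f* + g g*)|^2)
    """
    n = len(f)
    energy = [abs(a) ** 2 + abs(b) ** 2 for a, b in zip(eval_at_roots(f), eval_at_roots(g))]
    if min(energy) == 0.0:                 # f and g share a root: (f, g) spans no basis
        return math.sqrt(sum(energy) / n), math.inf
    norm_fg = math.sqrt(sum(energy) / n)
    norm_second = q * math.sqrt(sum(1.0 / e for e in energy) / n)
    return norm_fg, norm_second


def gs_norm_from_fg(f, g, q):
    """|B~| = max of the two candidate norms (the 'For NTRU lattices' line of slide 15)."""
    return max(gs_norms_from_fg(f, g, q))


def accept_fg(f, g, q):
    """KeyGen-style rejection test (assumed): keep (f, g) only if |B~| <= 1.17 * sqrt(q)."""
    return gs_norm_from_fg(f, g, q) <= 1.17 * math.sqrt(q)


def sample_fg(n, q, rng):
    """Rounded-Gaussian coefficients with std 1.17*sqrt(q/(2n)) (assumed choice),
    so E[|(f,g)|^2] = (1.17)^2 q, i.e. |(f,g)| is about 1.17*sqrt(q)."""
    std = 1.17 * math.sqrt(q / (2 * n))
    f = [round(rng.gauss(0, std)) for _ in range(n)]
    g = [round(rng.gauss(0, std)) for _ in range(n)]
    return f, g


def anticirculant(poly):
    """Rows are poly, x*poly, ..., x^(n-1)*poly reduced mod x^n + 1."""
    rows, cur = [], list(poly)
    for _ in range(len(poly)):
        rows.append(cur)
        cur = [-cur[-1]] + cur[:-1]       # multiply by x: top coefficient wraps with a sign flip
    return rows


def ntru_basis(f, g, F, G):
    """B = [[A(g), -A(f)], [A(G), -A(F)]] for f*G - g*F = q (the NTRUSign/DLP basis shape)."""
    Ag, Af, AG, AF = map(anticirculant, (g, f, G, F))
    n = len(f)
    return [Ag[i] + [-c for c in Af[i]] for i in range(n)] + \
           [AG[i] + [-c for c in AF[i]] for i in range(n)]


def gram_schmidt_max_norm(rows):
    """|B~| computed directly: the largest norm among the Gram-Schmidt vectors."""
    ortho, worst = [], 0.0
    for b in rows:
        v = [float(c) for c in b]
        for u in ortho:
            mu = sum(a * c for a, c in zip(v, u)) / sum(c * c for c in u)
            v = [a - mu * c for a, c in zip(v, u)]
        ortho.append(v)
        worst = max(worst, math.sqrt(sum(c * c for c in v)))
    return worst


def gaussian_parameter(lam, gs_norm, kl=True):
    """Slide 16: sigma > sqrt(lam ln2 / (2 pi^2)) * |B~| for the SD bound; 1/sqrt(2) of that with KL."""
    base = math.sqrt(lam * math.log(2) / (2 * math.pi ** 2)) * gs_norm
    return base / math.sqrt(2) if kl else base


def demo(n, q, seed):
    """Sample one (f, g), return (|(f,g)|, |b~_{n+1}|, accepted)."""
    f, g = sample_fg(n, q, random.Random(seed))
    a, b = gs_norms_from_fg(f, g, q)
    return a, b, accept_fg(f, g, q)


if __name__ == "__main__":
    a, b, ok = demo(64, 2 ** 27, 2014)
    print(f"|(f,g)| = {a:.1f}, |b~_(n+1)| = {b:.1f}, 1.17*sqrt(q) = {1.17 * math.sqrt(2 ** 27):.1f}, accepted = {ok}")
    print("sigma, SD bound:", gaussian_parameter(192, max(a, b), kl=False))
    print("sigma, KL bound:", gaussian_parameter(192, max(a, b), kl=True))
```

The product of the two candidate norms is always at least $q$ (AM-HM inequality on the $e_k$), which is why the two curves on slide 15 cross and $\|\tilde{B}\|$ cannot go below $\sqrt{q}$; the $1.17$ is the empirical constant for Gaussian $(f, g)$. Rejecting a candidate before solving for $(F, G)$ costs only two evaluations at the roots, so the expensive NTRU-equation step only runs on bases that will pass.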

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192

1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)

17 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

For 192 bits of security

Extract 10times slower

Encrypt 1200times faster

Decrypt 2700times faster

18 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-128

Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072

User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms

192 bits of security for us 128 for Boneh-Franklin

Extract 60times slower

Encrypt 200times faster

Decrypt 400times faster

19 21

Thank you Any questions

ePrint httpeprintiacrorg2014794

Article and slides httpwwwdiensfr~prest

Implementation httpsgithubcomtprestLattice-IBE

Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr

20 21

C Aguilar J Barrier L Fousse and MO Killijian

Xpire Private information retrieval for everyone IACR eprint XXX2014

Leo Ducas and Phong Q Nguyen

Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12

Leo Ducas and Phong Q Nguyen

Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12

Oded Goldreich Shafi Goldwasser and Shai Halevi

Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97

Craig Gentry Chris Peikert and Vinod Vaikuntanathan

Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08

Aurore Guillevic

Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis

Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte

Ntrusign digital signatures using the ntru lattice CT-RSArsquo03

Vadim Lyubashevsky Chris Peikert and Oded Regev

A toolkit for ring-lwe cryptography EUROCRYPTrsquo13

Phong Q Nguyen and Oded Regev

Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06

Thomas Poppelmann Leo Ducas and Tim Guneysu

Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14

Damien Stehle and Ron Steinfeld

Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21

  • Gaussian Sampling and KL-Divergence
  • An IBE scheme over NTRU lattices
Page 21: Efficient Identity-Based Encryption using NTRU Lattices Identity... · An Identity-based encryption scheme 2/21 [GPV]: Signature scheme =)IBE Alice Carol Sign (m) Sch ema de signature

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot BB

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

KL-Divergence + optimal NTRU bases

Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot 117

radicq then DKL(PQ) 6 2minusλ

16 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192

1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)

17 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

For 192 bits of security

Extract 10times slower

Encrypt 1200times faster

Decrypt 2700times faster

18 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-128

Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072

User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms

192 bits of security for us 128 for Boneh-Franklin

Extract 60times slower

Encrypt 200times faster

Decrypt 400times faster

19 21

Thank you Any questions

ePrint httpeprintiacrorg2014794

Article and slides httpwwwdiensfr~prest

Implementation httpsgithubcomtprestLattice-IBE

Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr

20 21

C Aguilar J Barrier L Fousse and MO Killijian

Xpire Private information retrieval for everyone IACR eprint XXX2014

Leo Ducas and Phong Q Nguyen

Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12

Leo Ducas and Phong Q Nguyen

Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12

Oded Goldreich Shafi Goldwasser and Shai Halevi

Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97

Craig Gentry Chris Peikert and Vinod Vaikuntanathan

Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08

Aurore Guillevic

Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis

Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte

Ntrusign digital signatures using the ntru lattice CT-RSArsquo03

Vadim Lyubashevsky Chris Peikert and Oded Regev

A toolkit for ring-lwe cryptography EUROCRYPTrsquo13

Phong Q Nguyen and Oded Regev

Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06

Thomas Poppelmann Leo Ducas and Tim Guneysu

Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14

Damien Stehle and Ron Steinfeld

Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21

  • Gaussian Sampling and KL-Divergence
  • An IBE scheme over NTRU lattices
Page 22: Efficient Identity-Based Encryption using NTRU Lattices Identity... · An Identity-based encryption scheme 2/21 [GPV]: Signature scheme =)IBE Alice Carol Sign (m) Sch ema de signature

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot BB

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

KL-Divergence + optimal NTRU bases

Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot 117

radicq then DKL(PQ) 6 2minusλ

16 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192

1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)

17 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

For 192 bits of security

Extract 10times slower

Encrypt 1200times faster

Decrypt 2700times faster

18 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-128

Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072

User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms

192 bits of security for us 128 for Boneh-Franklin

Extract 60times slower

Encrypt 200times faster

Decrypt 400times faster

19 21

Thank you Any questions

ePrint httpeprintiacrorg2014794

Article and slides httpwwwdiensfr~prest

Implementation httpsgithubcomtprestLattice-IBE

Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr

20 21

C Aguilar J Barrier L Fousse and MO Killijian

Xpire Private information retrieval for everyone IACR eprint XXX2014

Leo Ducas and Phong Q Nguyen

Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12

Leo Ducas and Phong Q Nguyen

Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12

Oded Goldreich Shafi Goldwasser and Shai Halevi

Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97

Craig Gentry Chris Peikert and Vinod Vaikuntanathan

Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08

Aurore Guillevic

Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis

Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte

Ntrusign digital signatures using the ntru lattice CT-RSArsquo03

Vadim Lyubashevsky Chris Peikert and Oded Regev

A toolkit for ring-lwe cryptography EUROCRYPTrsquo13

Phong Q Nguyen and Oded Regev

Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06

Thomas Poppelmann Leo Ducas and Tim Guneysu

Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14

Damien Stehle and Ron Steinfeld

Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21

  • Gaussian Sampling and KL-Divergence
  • An IBE scheme over NTRU lattices
Page 23: Efficient Identity-Based Encryption using NTRU Lattices Identity... · An Identity-based encryption scheme 2/21 [GPV]: Signature scheme =)IBE Alice Carol Sign (m) Sch ema de signature

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot B

B

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot BB

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

KL-Divergence + optimal NTRU bases

Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot 117

radicq then DKL(PQ) 6 2minusλ

16 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192

1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)

17 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

For 192 bits of security

Extract 10times slower

Encrypt 1200times faster

Decrypt 2700times faster

18 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-128

Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072

User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms

192 bits of security for us 128 for Boneh-Franklin

Extract 60times slower

Encrypt 200times faster

Decrypt 400times faster

19 21

Thank you Any questions

ePrint httpeprintiacrorg2014794

Article and slides httpwwwdiensfr~prest

Implementation httpsgithubcomtprestLattice-IBE

Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr

20 21

C Aguilar J Barrier L Fousse and MO Killijian

Xpire Private information retrieval for everyone IACR eprint XXX2014

Leo Ducas and Phong Q Nguyen

Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12

Leo Ducas and Phong Q Nguyen

Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12

Oded Goldreich Shafi Goldwasser and Shai Halevi

Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97

Craig Gentry Chris Peikert and Vinod Vaikuntanathan

Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08

Aurore Guillevic

Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis

Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte

Ntrusign digital signatures using the ntru lattice CT-RSArsquo03

Vadim Lyubashevsky Chris Peikert and Oded Regev

A toolkit for ring-lwe cryptography EUROCRYPTrsquo13

Phong Q Nguyen and Oded Regev

Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06

Thomas Poppelmann Leo Ducas and Tim Guneysu

Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14

Damien Stehle and Ron Steinfeld

Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21

  • Gaussian Sampling and KL-Divergence
  • An IBE scheme over NTRU lattices
Page 24: Efficient Identity-Based Encryption using NTRU Lattices Identity... · An Identity-based encryption scheme 2/21 [GPV]: Signature scheme =)IBE Alice Carol Sign (m) Sch ema de signature

Optimal NTRU bases

Which NTRU lattices should we use for signature (or IBE)

NTRUEncrypt

(f g) minimal

(f g)

(F G )

(f g)

(F G )

Our paper

(f g) asymp 117radicq

B

B

σ gt 1radic2

radicλ ln 22π2 middot BB

[SS]

(f g) gt 2nradicq

B = maxbiisinB bi where B is the Gram-Schmidt orthogonalization of B

For NTRU lattices B asymp max((f g) (117)2q(f g) )

rArr B is minimal for (f g) asymp 117radicq

15 21

KL-Divergence + optimal NTRU bases

Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot 117

radicq then DKL(PQ) 6 2minusλ

16 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192

1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)

17 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

For 192 bits of security

Extract 10times slower

Encrypt 1200times faster

Decrypt 2700times faster

18 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-128

Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072

User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms

192 bits of security for us 128 for Boneh-Franklin

Extract 60times slower

Encrypt 200times faster

Decrypt 400times faster

19 21

Thank you Any questions

ePrint httpeprintiacrorg2014794

Article and slides httpwwwdiensfr~prest

Implementation httpsgithubcomtprestLattice-IBE

Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr

20 21

C Aguilar J Barrier L Fousse and MO Killijian

Xpire Private information retrieval for everyone IACR eprint XXX2014

Leo Ducas and Phong Q Nguyen

Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12

Leo Ducas and Phong Q Nguyen

Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12

Oded Goldreich Shafi Goldwasser and Shai Halevi

Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97

Craig Gentry Chris Peikert and Vinod Vaikuntanathan

Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08

Aurore Guillevic

Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis

Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte

Ntrusign digital signatures using the ntru lattice CT-RSArsquo03

Vadim Lyubashevsky Chris Peikert and Oded Regev

A toolkit for ring-lwe cryptography EUROCRYPTrsquo13

Phong Q Nguyen and Oded Regev

Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06

Thomas Poppelmann Leo Ducas and Tim Guneysu

Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14

Damien Stehle and Ron Steinfeld

Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21

  • Gaussian Sampling and KL-Divergence
  • An IBE scheme over NTRU lattices
Page 25: Efficient Identity-Based Encryption using NTRU Lattices Identity... · An Identity-based encryption scheme 2/21 [GPV]: Signature scheme =)IBE Alice Carol Sign (m) Sch ema de signature

KL-Divergence + optimal NTRU bases

Let P the perfect Discrete Gaussian Q the output of the Gaussian Sampler

[GPV DNa] rarr If σ gtradic

λ ln 22π2 middot B then SD(PQ) 6 2minusλ

Our results rarr If σ gt 1radic2

radicλ ln 22π2 middot 117

radicq then DKL(PQ) 6 2minusλ

16 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192

1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)

17 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

For 192 bits of security

Extract 10times slower

Encrypt 1200times faster

Decrypt 2700times faster

18 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-128

Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072

User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms

192 bits of security for us 128 for Boneh-Franklin

Extract 60times slower

Encrypt 200times faster

Decrypt 400times faster

19 21

Thank you Any questions

ePrint httpeprintiacrorg2014794

Article and slides httpwwwdiensfr~prest

Implementation httpsgithubcomtprestLattice-IBE

Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr

20 21

C Aguilar J Barrier L Fousse and MO Killijian

Xpire Private information retrieval for everyone IACR eprint XXX2014

Leo Ducas and Phong Q Nguyen

Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12

Leo Ducas and Phong Q Nguyen

Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12

Oded Goldreich Shafi Goldwasser and Shai Halevi

Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97

Craig Gentry Chris Peikert and Vinod Vaikuntanathan

Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08

Aurore Guillevic

Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis

Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte

Ntrusign digital signatures using the ntru lattice CT-RSArsquo03

Vadim Lyubashevsky Chris Peikert and Oded Regev

A toolkit for ring-lwe cryptography EUROCRYPTrsquo13

Phong Q Nguyen and Oded Regev

Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06

Thomas Poppelmann Leo Ducas and Tim Guneysu

Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14

Damien Stehle and Ron Steinfeld

Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21

  • Gaussian Sampling and KL-Divergence
  • An IBE scheme over NTRU lattices
Page 26: Efficient Identity-Based Encryption using NTRU Lattices Identity... · An Identity-based encryption scheme 2/21 [GPV]: Signature scheme =)IBE Alice Carol Sign (m) Sch ema de signature

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

Implementation1 in C++ with NFLlib2 [ABFK]Comparison with Boneh-Franklin (implementation by [Gui]) for λ = 192

1Material Intel Core i5-3210M 25GHz and 6GB RAM2NTT-based Fast Lattice library (only for Encrypt Decrypt)

17 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

For 192 bits of security

Extract 10times slower

Encrypt 1200times faster

Decrypt 2700times faster

18 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-128

Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072

User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms

192 bits of security for us 128 for Boneh-Franklin

Extract 60times slower

Encrypt 200times faster

Decrypt 400times faster

19 21

Thank you Any questions

ePrint httpeprintiacrorg2014794

Article and slides httpwwwdiensfr~prest

Implementation httpsgithubcomtprestLattice-IBE

Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr

20 21

C Aguilar J Barrier L Fousse and MO Killijian

Xpire Private information retrieval for everyone IACR eprint XXX2014

Leo Ducas and Phong Q Nguyen

Faster gaussian lattice sampling using lazy floating-point arithmetic ASIACRYPTrsquo12

Leo Ducas and Phong Q Nguyen

Learning a zonotope and more cryptanalysis of ntrusign countermeasures ASIACRYPTrsquo12

Oded Goldreich Shafi Goldwasser and Shai Halevi

Public-key cryptosystems from lattice reduction problems CRYPTOrsquo97

Craig Gentry Chris Peikert and Vinod Vaikuntanathan

Trapdoors for hard lattices and new cryptographic constructions STOCrsquo08

Aurore Guillevic

Etude de lrsquoarithmetique des couplages sur les courbes algebriques pour la cryptographiePhD thesis

Jeffrey Hoffstein Nick Howgrave-Graham Jill Pipher Joseph H Silverman and William Whyte

Ntrusign digital signatures using the ntru lattice CT-RSArsquo03

Vadim Lyubashevsky Chris Peikert and Oded Regev

A toolkit for ring-lwe cryptography EUROCRYPTrsquo13

Phong Q Nguyen and Oded Regev

Learning a parallelepiped cryptanalysis of ggh and ntru signatures EUROCRYPTrsquo06

Thomas Poppelmann Leo Ducas and Tim Guneysu

Enhanced lattice-based signatures on reconfigurable hardware CHESrsquo14

Damien Stehle and Ron Steinfeld

Making ntru as secure as worst-case problems over ideal lattices EUROCRYPTrsquo11 21 21

  • Gaussian Sampling and KL-Divergence
  • An IBE scheme over NTRU lattices
Page 27: Efficient Identity-Based Encryption using NTRU Lattices Identity... · An Identity-based encryption scheme 2/21 [GPV]: Signature scheme =)IBE Alice Carol Sign (m) Sch ema de signature

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-192

Parameters 2n = 2048 log p = 640q asymp 227 k log p = 7680

User Key 27 kbits 062 kbitsCiphertexts 30 kbits 15 kbitsExtract 327 ms 33 msEncrypt 0033 ms 387 msDecrypt 0012 ms 327 ms

For 192 bits of security

Extract 10times slower

Encrypt 1200times faster

Decrypt 2700times faster

18 21

Implementation and comparison with a pairing-based IBE

Scheme This paper BF-128

Parameters 2n = 2048 log p = 256q asymp 227 k log p = 3072

User Key 27 kbits 025 kbitsCiphertexts 30 kbits 3 kbitsExtract 327 ms 052 msEncrypt 0033 ms 721 msDecrypt 0012 ms 478 ms

192 bits of security for us 128 for Boneh-Franklin

Extract 60times slower

Encrypt 200times faster

Decrypt 400times faster

19 21

Thank you Any questions

ePrint httpeprintiacrorg2014794

Article and slides httpwwwdiensfr~prest

Implementation httpsgithubcomtprestLattice-IBE

Contact lducas[at]engucsdeduvadimlyubashevsky[at]inriafr thomasprest[at]ensfr

20 21

C. Aguilar, J. Barrier, L. Fousse and M.-O. Killijian. XPIRe: Private information retrieval for everyone. IACR ePrint XXX, 2014.

Léo Ducas and Phong Q. Nguyen. Faster Gaussian lattice sampling using lazy floating-point arithmetic. ASIACRYPT'12.

Léo Ducas and Phong Q. Nguyen. Learning a zonotope and more: cryptanalysis of NTRUSign countermeasures. ASIACRYPT'12.

Oded Goldreich, Shafi Goldwasser and Shai Halevi. Public-key cryptosystems from lattice reduction problems. CRYPTO'97.

Craig Gentry, Chris Peikert and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. STOC'08.

Aurore Guillevic. Étude de l'arithmétique des couplages sur les courbes algébriques pour la cryptographie [Study of pairing arithmetic on algebraic curves for cryptography]. PhD thesis.

Jeffrey Hoffstein, Nick Howgrave-Graham, Jill Pipher, Joseph H. Silverman and William Whyte. NTRUSign: digital signatures using the NTRU lattice. CT-RSA'03.

Vadim Lyubashevsky, Chris Peikert and Oded Regev. A toolkit for ring-LWE cryptography. EUROCRYPT'13.

Phong Q. Nguyen and Oded Regev. Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures. EUROCRYPT'06.

Thomas Pöppelmann, Léo Ducas and Tim Güneysu. Enhanced lattice-based signatures on reconfigurable hardware. CHES'14.

Damien Stehlé and Ron Steinfeld. Making NTRU as secure as worst-case problems over ideal lattices. EUROCRYPT'11.

21 / 21
