TITLE DIGITAL SIGNATURE AND AUTHENTICATION METHOD AND APPARATUS
FIELD OF THE INVENTION
The present invention relates generally to secure communication and document identification over computer networks or other types of communication systems and, more particularly, to secure user identification and digital signature techniques based on rings and ideals. The invention also has application to communication between a card, such as a "smart card", or other media, and a user terminal.
BACKGROUND OF THE INVENTION
User identification techniques provide data security in a computer network or other communications system by allowing a given user to prove its identity to one or more other system users before communicating with those users. The other system users are thereby assured that they are in fact communicating with the given user. The users may represent individual computers or other types of terminals in the system. A typical user identification process of the challenge-response type is initiated when one system user, referred to as the Prover, receives certain information in the form of a challenge from another system user, referred to as the Verifier. The Prover uses the challenge and the Prover's private key to generate a response, which is sent to the Verifier. The
Verifier uses the β ≥nge, the response and a public key to
a legitimate Prover generated the response. The information passed between the Prover and the Verifier is generated in accordance with cryptographic techniques that insure that eavesdroppers or other attackers cannot interfere with the identification process.
It is well known that a challenge-response user identification technique can be converted to a digital signature technique by the Prover utilizing a one-way hash function to simulate a challenge from a Verifier. In such a digital signature technique, a Prover applies the one-way hash function to a message to generate the simulated challenge. The Prover then utilizes the simulated challenge and a private key to generate a digital signature, which is sent along with the message to the Verifier. The Verifier applies the same one-way hash function to the message to recover the simulated challenge and uses the challenge and a public key to validate the digital signature.
One type of user identification technique relies on the one-way property of the exponentiation function in the multiplicative group of a finite field or in the group of points on an elliptic curve defined over a finite field. This technique is described in U.S. Patent No. 4,995,082 and in C.P. Schnorr, "Efficient Identification and Signatures for Smart Cards," in G. Brassard, ed., Advances in Cryptology - Crypto '89, Lecture Notes in Computer Science 435, Springer- Verlag, 1990, pp. 239-252. This technique involves the Prover exponentiating a fixed base element g of the group to some randomly selected power k and sending it to the verifier. An instance of the Schnorr technique uses two prime numbers p and q chosen at random such that q divides p-1, and a number g of
order q modulo p
to all users. The private key of the Prover is x modulo q and the public key y of the Prover is g
x modulo p. The Prover initiates the identification process by selecting a random non-zero number z modulo q. The Prover computes the quantity g
z modulo p and sends it as a commitment to the Verifier. The Verifier selects a random number w from the set of integers {ϊ,2,...,2
1} where t is a security number which depends on the application and in the above-cited article is selected as 72. The Verifier sends w as a challenge to the Prover. The Prover computes a quantity u that is equal to the quantity z+xw modulo q as a response and sends it to the Verifier. The Verifier accepts the Prover as securely identified if g
z is found to be congruent modulo p to the quantity g"^.
Another type of user identification technique relies on the difficulty of factoring a product of two large prime numbers. A user identification technique of this type is described in L.C. Guillou and JJ. Quisquater, "A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory," in C.G. Gunther, Ed. Advances in Cryptology — Eurocrypt '88, Lecture Notes in Computer Science 330, Springer-Verlag, 1988, pp. 123-128. This technique involves a Prover raising a randomly selected argument g to a power b modulo n and sending it to a Verifier. An instance of the Guillou-Quisquater technique uses two prime numbers p and q selected at random, a number n generated as the product of p and q, and a large prime number b also selected at random. The numbers n and b are made available to all users. The private key of the Prover is x modulo n and the public key y of the Prover is x
"b modulo n. The Prover initiates the identification process by randomly selecting the
number g from the quantit
g modulo n and sends it as a commitment to the Verifier. The Verifier randomly selects a number c from the set of non-zero numbers modulo b and sends c as a challenge to the Prover. The Prover computes the number h that is equal to the quantity gx
c modulo n as a response and sends it to the Verifier. The Verifier accepts the Prover as securely identified if g
b is found to be congruent modulo n to h y
c.
Another type of user identification technique relies on the difficulty of finding a polynomial with small coefficients taking a specified set of values modulo q. A user identification technique of this type is described in Jeffrey Hoffstein, Daniel Lieman, Joseph H. Silverman, Polynomial Rings and Efficient Public Key Authentication, Proceeding of the International Workshop on Cryptographic Techniques and E- Commerce (CrypTEC '99), M. Blum and CH. Lee, eds., City University of Hong Kong Press. This technique involves a Prover choosing polynomials fι(X) and f2(X) with small coefficients and publishing the values of fj(b) and f2(b) modulo q for values of b in a set S. The Prover also selects commitment polynomials gι(X) and g2(X) with small coefficients and sends the values of g!(b) and g2(b) for b in S to the Verifier. The Verifier chooses small polynomials c1(X),c2(X),c3(X),c4(X) as the challenge and sends them to the Prover. The Prover computes and sends to the Verifier the polynomial
h(X)=c
1(X)f
1(X)g
1(X)+c
2(X)f
1(X)g
2(X)+c
3(X)f
2(X)g
1(X)+c
4(X)f
2(X)g
2(X)
as the response. if the polynomial
h(X) has small coefficients and if the formula
h(b)=cI(b)f1(b)g1(b)+c2(b)f1(b)g2(b)+c3(b)f2(b)g1(b)+c4(b)f2(b)g2(b) (mod q)
is true for every value of b in S.
Although the above-described Schnorr, Guillou-Quisquater, and Hoffstein- Lieman-Silverman techniques can provide acceptable performance in many applications, there is a need for an improved technique which can provide greater computational efficiency than these and other prior art techniques, and which relies for security on features other than discrete logarithms, integer factorization, and polynomial evaluation.
International Patent Publication WO98/08323 and US Patent No. 6,081,597 describe a public key encryption system, called "NTRU", that can be used to encode and decode a message. That system has short and easily created encryption keys, has encoding and decoding processes that can be performed rapidly, and has low memory requirements. The production of the keys and the encoding operation to encode a digital message m can include the following: selecting integers p and q; generating polynomials f and g; determining inverses Fq and Fp, where Fq * f = 1 (mod q)
Fp *Λl ( od p); producing a public key that includes p, q and h, where h = Fq * g (mod q); producing a private key that includes f and Fp; and producing an encoded message e by encoding the message m in the form of a polynomial using the public key and a random polynomial Φ. The owner of the private key using the encoded message and the private key can then decode the encoded message.
Although the NTRU public key encryption system has certain advantageous aspects, its advantages have not been realized heretofore in the form of a digital signature technique, nor in the form of a challenge/response authentication technique.
Both public key encryption schemes and digital signature schemes use a public key and a private key. However, even though those keys may have the same form, they are used in different ways and for different purposes in a public key encryption scheme and a digital signature scheme.
In public key encryption, the public key is used to encode a message and the private key is used to decode the encoded message. Generally, the way that a public key encryption scheme works is that the private key contains some secret information and only one possessing that secret information can decode messages that have been encoded using the public key, which is formulated in part based on that secret information.
In a digital signature technique, the private key is used to sign a digital document and, then, the public key is used to verify or to validate the digital signature. That is opposite to the manner in which the keys are used in an encryption technique.
It has been recognized that some public key encryption schemes, by their nature, can readily be turned into digital signature schemes. One example is the RSA encryption scheme. However, other types of public key encryption schemes, such as probabilistic encryption schemes, are not readily turned into digital signature schemes. The idea of a probabilistic encryption scheme is that the encryption process also uses some random data to encode the message. (See, S. Goldwasser and A. Micali, "Probabilistic Encryption," J. Computer and Systems Science, 28 (1984), 270-299.) That random data is an intrinsic part of the encryption process, so the encoded message depends on the original message and also on the random data. It is important to note that, if the same message is transmitted twice, the two encrypted messages will look very different because of the random data. That added randomness may make it more difficult for an attacker to break the code and read the encrypted messages. However, it also means that the encryption/decryption process cannot be performed in the reverse order.
SUMMARY OF THE INVENTION
The present invention provides a method, system and apparatus for performing user identification, digital signatures and other secure communication functions using a random data component. Keys are chosen essentially at random from a large set of
vectors and key si:^κ comparable to the key size in other comm<^ dentification and digital signature schemes at comparable security levels. The signing and verifying techniques hereof provide substantial improvements in computational efficiency, key size, and/or processing requirements over previous techniques.
In one embodiment, the present invention provides an identification/digital signature scheme wherein the signing technique uses a mixing system based on polynomial algebra and on two reduction numbers, p and q, and the verification technique uses special properties of small products whose validity depends on elementary probability theory. The security of the identification/digital signature scheme comes from the interaction of reduction modulo p and modulo q and the difficulty of forming small products with special properties. Security also relies on the experimentally observed fact that, for most lattices, it is very difficult to find a vector whose length is only a little bit longer than the shortest vector.
In accord with one preferred embodiment of the invention, a secure user identification technique is provided in which one of the system users, referred to as the Prover, creates a private key f, which is an element of the ring R, and creates and publishes an associated public key h, which also is an element of the ring R. Another user of the system, referred to as the Verifier, randomly selects a challenge element m from a subset R
m of the ring R and transmits m to the Prover. The Prover generates a response element s using the private key f and the element m. The element s is generated in the form f*w modulo q using multiplication (
*) in the ring R, where w is formed using
the private key
element s to the Verifier. The Verifier checks that the element s differs modulo p from the element e
f*m in an acceptable number of places and that the element t=h
*s modulo q differs modulo p from the product e
g*m in an acceptable number of places, where βf and e
g are fixed elements of the ring R. If these conditions are satisfied, then, the Verifier accepts the identity of the Prover. The Verifier uses the above-noted comparison for secure identification of the Prover, for authentication of data transmitted by the Prover, or for other secure communication functions.
In accord with another preferred embodiment of the invention, a digital signature technique is provided. In this embodiment, a Prover applies a hash function to a message M to generate a challenge element m = Hash(M) in the set R
m. The Prover uses m and f to generate a signature element s. The element s can be generated in the form f
*w modulo q using multiplication (
*) in the ring R, where w is formed using the private key f and the challenge element m. The Prover publishes the message M and the signature s. The Verifier checks that the element s differs modulo p from the element e
f*m (where m is generated by the Verifier as the hash of M, i.e., m=Hash(M)) in an acceptable number of places and that the element t=h
*s modulo q differs modulo p from the product e
g*m in an acceptable number of places, where h is the public key and each of e
g and β
f is a fixed predetermined element of the ring R. If these conditions are satisfied, then the Verifier accepts the signature of the Prover on the message M.
The containing
instructions for performing the above-described methods of the invention.
A system for signing and verifying a digital message m, in accord with one embodiment of the present invention, comprises: means for selecting ideals p and q of a ring R; means for generating elements f and g of the ring R; means for generating an element F, which is an inverse of f, in the ring R; means for producing a public key h, where h is equal to a product that can be calculated using g and F; means for producing a private key that includes f; means for producing a digital signature s by digitally "signing" the message m using the private key; and means for verifying the digital signature by confirming one or more specified conditions using the message m and the public key h.
In accord with another embodiment of the invention, a system for signing and verifying a digital message m comprises: means for selecting integers p and q; means for generating polynomials f and g; means for determining the inverse F, where F
* f = 1 (mod q); means for producing a public key h, where h = F
* g (mod q); means for producing a private key that includes f; means for producing a digital signature s by digitally signing the message m using the private key; and means for verifying the digital signature by confirming one or more specified conditions using the message m, the public key h, the digital signature s, and the integers p and q.
In accord for authenticating
the identity of a first user by a second user including a challenge communication from the second user to the first user, a response communication from the first user to the second user, and a verification by the second user, comprises: means for selecting ideals p and q of a ring R; means for generating elements f and g of the ring R; means for generating an element F, which is an inverse off, in the ring R means for producing a public key h, where h is a product that can be produced using g and F; means for producing a private key including f and F; means for generating a challenge communication by the second user that includes selection of a challenge m in the ring R; means for generating a response communication by the first user that includes computation of a response s in the ring R, where s is a function of m and f; and means for performing a verification by the second user that includes confirming one or more specified conditions using the response s, the challenge m and the public key h.
Another embodiment of the present invention provides a system for authenticating the identity of a first user by a second user including a challenge communication from the second user to the first user, a response communication from the first user to the second user, and a verification by the second user, comprising: means for selecting integers p and q; means for generating polynomials f and g; means for determining the inverse F, where F
* f — 1 (mod q); means for producing a public key h, where h - F * g (mod q); means for producing a private key that includes f; means for generating a challenge communication by the second user that includes selection of a challenge m; means for generating a response communication by the first user that includes computation of a
response s, a verification
by the second user that includes confirming one or more specined conditions using the response s, the challenge m, the public key h, and the integers p and q.
Further features and advantages of the invention will become more readily apparent from the following detailed description when taken in conjunction with the accompanying drawings.
DEFINITIONS The following definition is used for purposes of describing the present inventions. A computer readable medium shall be understood to mean any article of manufacture that contains data that can be read by a computer or a carrier wave signal carrying data that can be read by a computer. Such computer readable media includes but is not limited to magnetic media, such as a floppy disk, a flexible disk, a hard disk, reel-to-reel tape, cartridge tape, cassette tape or cards; optical media such as CD-ROM and writeable compact disc; magneto-optical media in disc, tape or card form; paper media, such as punched cards and paper tape; or on carrier wave signal received through a network, wireless network or modem, including radio-frequency signals and infrared signals.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a flow diagram that illustrates a key creation technique in accordance with an exemplary embodiment of the present invention.
Figure 2 is
diagram that illustrates a user
technique in accordance with an exemplary embodiment of the present invention.
Figure 3 is a flow diagram that illustrates a digital signature technique in accordance with an exemplary embodiment of the present invention.
Figure 4 is a block diagram of a system that can be used in practicing the methods of the present invention.
DETAILED DESCRIPTION OF THE INVENTION INCLUDING PREFERRED EMBODIMENTS
In accord with the present invention, user identification and digital signature techniques are based on multiplication and reduction modulo ideals in a ring. An exemplary embodiment of the present invention is based on multiplication of constrained polynomials over a finite ring. An exemplary finite ring Z/qZ is defined for an integer q. An exemplary ring R = (Z/qZ)[X]/(X
N-l) is a ring of polynomials with coefficients in the finite ring Z/qZ modulo the ideal generated by the polynomial X
N-1 for a suitable chosen integer N. An exemplary product in the ring R is the product h(X) = F(X)
*g(X), where g(X) is a polynomial with small coefficients and where f(X), the inverse of F(X), in R is a polynomial with small coefficients. With suitable choices of q and N and suitable bounds on the coefficients of f(X) and g(X), it is infeasible to recover f(X) and g(X) when given only h(X). As will be described in greater detail below, this provides a oneway function that is particularly well-suited to use in implementing efficient user identification and digital signatures.
The
invention make use of the multiplication rule in the ring R. Given a polynomial A(X)=Ao+A
!X+... +AN-
2X
N"' in R and a polynomial B(X)=B
0+B]X+...+B
N_
2X
N_1 in R, an exemplary product is given by:
C(X)=A(X)B(X)=C0+C1X+...+CN-]XN"1 where Co,- - -,CN-I are given by:
Cj=AoBi+AιBj-ι+...+A1-BO+A,-+IBN-I+A1-+2BN_2+...+AN_ιB,+ι (modulo q). All reference to multiplication of polynomials in the remaining description should be understood to refer to the above-described exemplary multiplication in R. It should also be noted that the above-described multiplication rule is not a requirement of the invention, and alternative embodiments can use other types of multiplication rules.
An exemplary set of constrained polynomials R
f is the set of polynomials in R with bounded coefficients or, more specifically, the set of polynomials of the form f(X)=eι(X)+pf](X), where fι(X) has very small coefficients, p is a specified integer, and eι(X) is a specified polynomial, for example,
An exemplary set of constrained polynomials R
g is the set of polynomials in R with bounded coefficients or, more specifically, the set of polynomials of the form g(X)=e
g(X)+pg
1(X), where g^X) has very small coefficients, p is a specified integer, and e
g(X) is a fixed specified polynomial, for example e
g(X)=l-2X.
Given two constrained polynomials f(X) in Rf and g(X) in Rg, it is relatively easy to find the inverse of f(X), i.e., F(X)=f(X)"1, in the ring R and to compute the product
h(X)=F(X)*g(X). i inverse will exist for most choices of f(X). the inverse does not exist for a particular choice of f(X), then one chooses another f(X). However, appropriately selected restrictions on the set of constrained polynomials can make it extremely difficult to invert this process and determine polynomials f(X) in Rf and g(X) in Rg such that f(X)"1 *g(X) is equal to h(X). Establishing appropriate restrictions on the polynomials in Rf and Rg can provide adequate levels of security.
An exemplary identification technique, in accord with the invention, uses a number of system parameters that are established by a central authority and made public to all users. These published system parameters include the above-noted numbers N, p and q, and the above-noted polynomials er(X) and eg(X). The system parameters also include appropriate sets of bounded coefficient polynomials Rf, Rg, Rw, Rs, Rt and Rm.
Figure 1 illustrates the creation of a public/private key pair. After establishment of parameters, a Prover randomly chooses secret polynomials f(X) in Rf and g(X) in Rg. The Prover computes the inverse of f(X) in the ring R, i.e., F(X)=f(X)_1. The private key of the Prover is the polynomial f(X) and the public key of the Prover is the polynomial h(X)=F(X)*g(X). The Prover publishes the public key.
Figure 2 illustrates an exemplary identification process. The Verifier initiates the Challenge Phase by generating a challenge C and sending it to the Prover. The Prover initiates the Response Phase by applying a hash function to the challenge C to form a polynomial m(X) in Rm. The Prover also forms a polynomial w(X) in Rw having the
form w(X)=m(X)-^ (X)+pw2(X), where WΪ(X) and w2(X) are pc^omials in Rw that are chosen to prevent security attacks based on accumulation of large numbers of identifiers from the Provider (see example in Appendix 1, attached hereto, which is hereby incorporated by reference). The Prover computes the response polynomial s(X)=f(X)*w(X) modulo q and sends s(X) to the Verifier. The Verifier initiates the Verification Phase by applying the hash function to C to form the polynomial m(X).
The Verifier conducts the following two tests:
(1) Does s(X) modulo p differ from ef(X)*m(X) modulo p in at least Ds>min coefficients and in at most Ds,max coefficients?
(2) Compute t(X)=h(X)*s(X) modulo q. Does t(X) modulo p differ from eg(X)*m(X) modulo p in at least Dt,m,-n coefficients and in at most Dt>maχ coefficients?
Ds>mir„ DStmax, Dt;m,n and Dt,max are predetermined numbers. The Verifier accepts the Prover as legitimate if the response polynomial s(X) transmitted by the Prover passes the two tests.
The following is an example of an embodiment of an identification scheme in accord with an embodiment of the present invention. Very small numbers are used in the example for ease of illustration. Thus, this example would not be cryptographically secure. However, in conjunction with the example there are described operating parameters that will provide a practical cryptographically secure cryptosystem under current conditions. Further discussion of the operating parameters to achieve a particular
level of security is ^^forth in Appendix 1, which also describes t^Iegree of immunity of an embodiment of the identification scheme to various types of attack.
The numbers used by the identification scheme are integers modulo an integer such as q. This means that each integer is divided by q and replaced by its remainder. For example, if q=7, then the number 39 would be replaced by 4, because 39 divided by 7 equals 5 with a remainder of 4. The objects used by the identification scheme are polynomials of degree N-l : ao + a,X +a2X2 + ... + a^X '1 where the coefficients ao,..'.,aN-ι are integers modulo q. Polynomial multiplication in a ring uses the extra rule that XN is replaced by 1, and XN+1 is replaced by X, and XN+2 is replaced by X2, and so on. In mathematical terms, this version of the identification scheme uses the ring of polynomials with mod q coefficients modulo the ideal consisting of all multiples of the polynomial XN-1. More generally, one can use polynomials modulo a different ideal or, even more generally, one could use some other ring. The basic definitions and properties of rings and ideals can be found, for example, in Topics in Algebra, I.N. Herstein, Xerox College Publishing, Lexington, Massachusetts, 2nd edition, 1975.
It is sometimes convenient to represent a polynomial by an N-tuple of numbers {ao,a!,...,aN-ι } . In this situation, the product in the ring R becomes a convolution product. Convolution products can be computed very efficiently using Fast Fourier Transforms.
A sample multiplication using N=6 and q=7 is illustrated below. (5+X+2X3+X4+3X5) * (3+X2+2X3+4X4+X5)
= 15+3X+5X2+17X3+25X4+20X5+6X6+13X7+12X8+13X9+3X10
(use the rule X6=l," X7=X, X8=X2, X9=X3, X10=X4) = 21+16X+17X2+30X3+28X4+20X5
(reduce the coefficients modulo 7) = 2X+3X2+2X3+6X5 For a cryptographically secure system, it is preferred to use, for example, N=251 and q=128. Larger values for N and q will provide more security, but will require more computational power and/or more time for computations.
Polynomials whose coefficients consist entirely of O's, l's and— l's play a special role in the identification scheme. (In some embodiments of the invention, one might prefer a different range of coefficients.) The polynomials with only O's, 1 's and —l's as coefficients are called trinary polynomials. For example,
1 + X
2 - X
3 + X
5 -X
1 ] is a trinary polynomial. In practice, one preferably can also specify how many 1 's and — l's are allowed in the polynomial. Let T(d) be the set of trinary polynomials of degree at most N-1 that have exactly d coefficients equal to 1 and exactly d coefficients equal to —1 and the remaining N-2d coefficients equal to 0.
In an
the present invention (using for illustration only the previously indicated small numbers), the first step is to choose integer parameters N, p and q. An illustrative set of such integer parameters is
N=17, p=3, q=32. For a cryptographically secure system, it is preferred to use, for example, N=251, p=3 and q=128.
The first step also includes choosing deviation bounds DS)mιn, DS;max, Dt,min, and Dtlmaχ. An illustrative set of deviation bounds is
-Us,ιrιirι ■£, l^max- O, lJt,mm~ ->ι t- ,max— ' •
For a cryptographically secure system, it is preferred to use, for example, D^mm^S, Ds,max r=87, Dt,min=55 and D,,max=87.
The first step further includes choosing sets of bounded coefficient polynomials Rf, Rg, Rw. The set Rf typically will consist of polynomials of the form f(X)=e1(X)+ρf1(X), the set Rg typically will consist of polynomials of the form g(X)= eg(X)+pg1(X) and the set Rw typically will consist of polynomials of the form w(X)=m(X)+w1(X)+pw2(X) where, preferably, ef(X) and eg(X) are small polynomials such as, e.g., 1 and 1-2X, f (X) is chosen from the set T(df), g\(X) is chosen from the set T(dg), W](X) is chosen from the set T(dW]), and w2(X) is chosen from the set T(dw2). The polynomial m(X) is chosen using the hash of the challenge and, preferably, is chosen from the set T(dm). An illustrative set of values is
df=4, dg=3, dwι=l, dw2=2, dπr=2. For a cryptographically secure system, it is preferred to use, for example, df=35, dg=20, dwι=12, dw2=20 and dm=32.
The Prover chooses random polynomials f(X) and g(X) in the sets Rf and Rg. Illustrative polynomials are
ef=l fι(X) = X16+X10-X8+X7-X6-X5-X2+l
f(X) = l+3fι (X) = 3X16+3X,0-3X8+3X7-3X6-3X5-3X2+4 and eg=l-2X g5(X) = X,5+X,3-Xn+X10-X2-1 g(X) = l-2X+3g,(X) = 3X15+3X13-3Xn+3X,0-3X2-2X-2 The Prover computes the inverse of f(X), i.e., F(X) = f(X)"'.
F(X)- -14X
16-7X
15-3X
14-9X
13+15X
12-9X
υ-10X
10+4X
9-9X
8 +2X
7+1 lX
6-2X
5-2X
4-14X
3-8X
2-2X-6 This inverse is easy to compute using the Euclidean algorithm and Newton iteration. See Appendix 1 for further details. The private key is the pair (f, F) and the public key is the polynomial h(X) = F(X g(X) = 10X
16+5X
15-X
,4-10X
,3+13X
,2-10X
n+3X
10-7X
9 +16X
8+15X
7-13X
6+12X
5+X
4+8X
3+8X
2+9X+4
The a hash
function to C to form a polynomial m(X), for example m(X) = -X
6+X
5-X
2+l
The Prover forms a random polynomial w(X) in the set Rw. (See Appendix 1 for additional details.) An illustrative formation of w(X) is
w
2(X) = -X
6+X
4+X
3-X w = m(X)+wι(X)+3w
2(X) = X
9-4X
6+X
5+3X
4+2X
3-X
2-3X+1 Next, the Prover computes the response s(X) = f(X)*w(X) (mod q), s(X) = -6X
16-14X
14-9X
13+3X
12-5X
9+12X
7+13X
6+15X
5-14X
4-6X
3+2X
2-15X-8
and sends it to the Verifier.
The Verifier first compares s(X) (mod 3) = X14+X9+X6+X4-X2+l and
ef(X m(X) = -X6+X5-X2+l where ef(X)=land checks that at least DSrmjn and no more than Ds,ma of the coefficients are different. The illustrative polynomial has 5 differences, so it passes test (1).
Next the Verifier uses the public key h(X) to compute t(X) = h(X>s(X) = 14X16-6X,5-6X14+12X,3+6X12-15X1,+X,0-2X9+12X8+8X7-3X6-
11X
5+13X
4+7X
3+5X
2+13X+16 (mod q) The Verifier then compares
and e
g(X m(X) (mod 3) = -X
7+X
5-X
3-X
2+X+l where e„(X)=l-2X and checks that at least D
t,
min and no more than D
tjma of the coefficients are different. The illustrative polynomial has 5 differences, so it passes test
(2)-
Because the exemplary response s(X) passes tests (1) and (2), the Verifier accepts the identity of the Prover.
Any authentication scheme involving the steps of
Challenge/Response/Verification can be turned into a digital signature scheme. The basic idea is to use a hash function to create the challenge from the digital document to be signed. Figure 3 illustrates an exemplary digital signature process in accord with the present invention. The steps that go into a digital signature are as follows:
Key Creation (Digital Signature)
The Signer creates the private signing key (f(X),F(X)) and the public verification key h(X) exactly as in the identification scheme.
Signing Step 1. Challenge Step (Digital Signature)
The Signer applies a hash function H to the digital document D that is to be signed to produce the challenge polynomial m(X).
Signing Step 2. Response Step (Digital Signature)
This is the
w(X), computes s(X)=f(X)
*w(X) (mod q), and publishes the pair (D, s(X)) consisting of the digital document and the signature.
Verification Step (Digital Signature)
The Verifier applies the hash function H to the digital document D to produce the polynomial m(X). The verification procedure is now the same as in the identification scheme. The Verifier tests that (1) s(X) mod p differs from ej(X)*m(X) mod p in an appropriate number of places and that (2) t(X) mod p differs from eg(X)*m(X) mod p in an appropriate number of places. If s(X) passes both tests, then the Verifier accepts the digital signature on the document D.
Hash functions are well known to those skilled in the art. The purpose of a hash function is to take an arbitrary amount of data as input and produce as output a small amount of data (typically between 80 and 160 bits) in such a way that it is very difficult to predict from the input exactly what the output will be. For example, it should be extremely difficult to find two different sets of inputs that produce the exact same output. Hash functions are used for a variety of purposes in cryptography and other areas of computer science.
It is a nontrivial problem to construct good hash functions. Typical hash functions such as SHAl and MD5 proceed by taking a chunk of input, breaking it into pieces, and doing various simple logical operations (e.g., and, or, shift) with the pieces. This is generally done many times. For example, SHAl takes as input 512 bits of data, it
does 80 rounds of leaking apart and recombining, and it returns ^^ bits to the user. The process can be repeated for longer messages. For example, Federal Information Processing Standards Publication 180-1 (FJJPS PUB 180-1), 1995 April 17, issued by the National Institute of Standards and Technology describes the standard for a Secure Hash Algorithm, SHA-1, that is useful in the practice of the present invention. This disclosure of this publication is hereby incorporated by reference.
Figure 4 is a block diagram "illustrating a system that can be used to practice the methods of the present invention. A number of processor-based subsystems, represented at 105, 155, 185 and 195, are shown in communication over an insecure channel or network 50, which can be, for example, any wired, optical and/or wireless communication channel such as a telephone or internet communication channel or network. The subsystem 105 includes processor 110 and the subsystem 155 includes processor 160. When suitably programmed as described above, the processors 110 and 160 and their associated circuits and memory can be used to implement and practice the methods of the present invention. The processors 110 and 160 each can be any suitable processor such as, for example, a digital processor or microprocessor, or the like. It will be understood that any general purpose or special purpose processor, or other machine or circuitry that can perform the functions described herein, electronically, optically, or by other means, can be utilized to practice the methods of this invention. The processors can be, for example, Intel Pentium processors.
The subsysΛj 105 typically includes memories 123, clocj^id timing circuitry 121, input/output devices 118, and monitor 125, all of which are conventional devices. Input devices can include a keyboard 103 or any other suitable input device. Communication is via transceiver 135, which can include a modem, high speed coupler, or any suitable device for communicating signals. The subsystem 155 in this illustrative system can have a similar configuration to that of subsystem 105. Thus, the processor 160 also has associated input/output devices and circuitry 164, memories 168, clock and timing circuitry 173, and a monitor 176. Input devices include a keyboard 163 and any other suitable input device. Communication of subsystem 155 with outside devices is via transceiver 162, which can include a modem, high speed coupler, or any suitable device for communicating signals.
As represented in the subsystem 155, a terminal 181 can be provided for receiving a smart card 182 or other media. A "user" also can be a person's or entity's "smart card", the card and its owner typically communicating with a terminal in which the card has been inserted. The terminal can be an intelligent terminal or a terminal communicating with an intelligent terminal. It will be understood that the processing and communication media described herein are merely illustrative and that the invention can have application in many other settings. The blocks 185 and 195 represent further subsystems on the channel or network.
The present invention has been described in conjunction with exemplary user identification and digital signature techniques carried out by a Prover and a Verifier in a
communication ne(Λ>rk such as that illustrated in Figure 4 wher ^^for a particular communication or transaction, either subsystem can serve either role. It should be understood that the present invention is not limited to any particular type of application. For example, the invention can be applied to a variety of other user and data authentication applications. The term "user" can refer to both a user terminal as well as an individual using that terminal and, as indicated, the terminal can be any type of computer or digital processor suitable for directing data communication operations. The term "Prover" as used herein is intended to include any user that initiates an identification, digital signature or other secure communication process. The term "Verifier" as used herein is intended to include any user that makes a determination regarding the legitimacy or authenticity of a particular communication. The term "user identification" is intended to include identification techniques of the challenge/response type as well as other types of identification, authentication and verification techniques.
The user identification and digital signature techniques of the present invention provide significantly improved computational efficiency relative to the prior art techniques at equivalent security levels, while also reducing the amount of information which must be stored by the Prover and Verifier. It should be emphasized that the techniques described above are exemplary and should not be construed as limiting the present invention to a particular group of illustrative embodiments. Alternative embodiments within the scope of the appended claims will be readily apparent to those skilled in the art.
NSS: An NTRU Lattice-Based Signature Scheme
Jeffrey HofFstein, Jill Pipher, Joseph H. Silverman
NTRU Cryptosystems, Inc., 5 Burlington Woods, Burlington, MA 01803 USA, jhoffΘntru. com, jpipherΘntru. com, jhs@ntru. com
Abstract. A new authentication and digital signature scheme called the NTRU Signature Scheme (NSS) is introduced. NSS provides an authentication/signature method complementary to the NTRU public key cryp- tosystem. The hard lattice problem underlying NSS is similar to the hard problem underlying NTRU: and NSS similarly features high speed, low footprint, and easy key creation.
Key-words: digital signature, public key authentication, lattice-based cryptography, NTRU, NSS
Introduction
Secure public key authentication and digital signatures are increasingly important for electronic communications and commerce, and they are required not only on high powered desktop computers, but also on SmartCards and wireless devices with severely constrained memory and processing capabilities. The importance of public key authentication and digital signatures is amply demonstrated by the large literature devoted to both theoretical and practical aspects of the problem, see for example [1, 2, 6, 7, 9, 11, 12, 15-17].
At CRYPTO '96 the authors introduced a highly efficient new public key cryptosystem called NTRU. (See [4] for details.) Underlying NTRU is a hard mathematical problem of finding short vectors in certain lattices. In this note we introduce a complementary fast authentication and digital signature scheme that uses public and private keys of the same form as those used by the NTRU public key cryptosystem. We call this new algorithm NSS for NTRU Signature Scheme.
In the original version of this paper for Eurocrypt 2001, we both introduced NSS and optimized it for maximum efficiency and minimum signature length. As a result the underlying ideas and security analysis were less transparent than they might have been. To alleviate this problem and attempt to address some of the concerns of the referees, the present paper takes the following form. We first present a complete version of NSS and a set of parameters optimized to provide security comparable to RSA 1024 along with high efficiency. We then describe the properties of an implementation of this system at these parameters. The version of this paper originally submitted to Eurocrypt then provided a security analysis tailored specifically to these parameters. In the current version we eliminate some details of the security analysis of the optimized version in order to include a discussion of the less efficient version. In this way we hope to
elucidate the main ideas underlying NSS and thereby make this paper easier to read. Complete details of the analysis of the optimized version are available on our website at <vww.ntnι. com/technology/tech. echnical. htm>.
We also note that the signature scheme described in this paper differs in some respects from the scheme described by Jeff Hoffstein at the CRYPTO 2000 rump session. In order to optimize NSS, the rump session version used disparate sized coefficients whose existence was concealed by allowing p to divide q, which led to a statistical weakness. (This weakness was independently noted by Mironov [10].) The use of uniform coefficients and relatively prime values for p and q makes NSS more closely resemble the original NTRU public key cryptosystem, a system that has withstood intense scrunity since its introduction at CRYPTO '96.
The authors would like to thank Phil Hirschhorn for much computational' assistance and Don Coppersmith for substantial help in analyzing the security of NSS. Any remaining weaknesses or errors in the signature scheme described below are, of course, entirely the responsibility of the authors.
1 A Brief Description of NSS
In this section we briefly describe NSS, the NTRU Signature Scheme. In order to avoid excessive duplication of exposition, we assume some familiarity with [4], but we repeat definitions and concepts when it appears useful. Thus this paper should be readable without reference to [4].
The basic operations occur in the ring of polynomials
R = [X)/(XN - l) of degree JV — 1, where multiplication is performed using the rule XN = 1. The coefficients of these polynomials are then reduced modulo p or modulo q, where p and q are fixed integers.
There are five integer parameters associated to NSS,
(N,p, q, nin, -Dmax).
There are also several sets of polynomials Tf,Tg, w, m having small coefficients that serve as sample spaces. For concreteness, we mention the choice of integer parameters
{N,p, q, Dmin, Dmax) = (251, 3, 128, 55, 87), (1) which appears to yield a secure and practical signature scheme. See Section 2 for father details.
Remark 1. For ease of exposition we often assume that p = 3. We further assume that polynomials with mod q coefficients are chosen with coefficients in the range -q/2 to q/2.
The public and private keys for NSS are formed as follows. Bob begins by choosing two polynomials / and g having the form
/ = /o + p/ι and 9 = 9o -r P9ι. (2)
Here f0 and g0 are fixed universal polynomials (e.g., /u = 1 and go = 1 — 2X) and i and gι are polynomials with small coefficients chosen from the sets j and Tg, respectively. Bob next computes the inverse f~l of / modulo q, that is, /-1 satisfies
/-1 * / ≡ 1 (mod q).
Bob's public verification key is the polynomial h = /_1 * g (mod q).
Bob's private signing key is the polynomial /.
Before describing exactly how NSS works, we would like to explain the underlying idea. The coefficients of the polynomial h have the appearance of being random numbers modulo q, but Bob knows a small polynomial / (i.e., / has coefficients that have small absolute value compared to q) with the property that the product g ≡ f * h (mod q) also has small coefficients. Equivalently (see Section 4.2), Bob knows a short vector in the NTRU lattice generated by h. It is a difficult mathematical problem, starting from h, to find / or to find some other small polynomial F with the property that G = F * h (mod q) is small. Bob's signature s on a digital document D will be linked to D and will demonstrate to Alice that he knows a decomposition h ≡ /_1 * g (mod q) without giving Alice information that helps her to find /. The mechanism by which Bob shows that he knows / without actually revealing its value lies at the heart of NSS and is described in the next section.
1.1 NSS Key Generation, Signing, and Verifying
We now describe in more detail the steps used by Bob to sign a document and by Alice to verify Bob's signature. The key computation involves the following quantity.
Definition 1. Let a(X) and b(X) be two polynomials in R. First reduce their coefficients modulo q to lie between —q/2 to q/2, then reduce their coefficients modulo p to lie in the range between —p/2 and p/2. If a{X) = α
0 + • •
• +
b
0 + - - - +
are the reductions of a and b, respectively, then the deviation of α and b is
Intuitively7 Dev(α, b) is the number of coefficients of a mod q and b mod g that differ modulo p.
Key Generation: This was described above, but we briefly repeat it for convenience. Bob chooses two polynomials / and g having the appropriate form (2). He computes the inverse /_1 of / modulo q. Bob's public verification key is the polynomial h = f~1 * g mod q and his private signing key is the pair (/, g).
Signing: Bob's document is a polynomial modulo p. (In practice, must be the hash of a document, see Section 4.9.) Bob chooses a polynomial w 6 Fw of the form w — m + wι + pu>2, where u ι and wi are small polynomials whose precise form we describe later, see Section 2.1. He then computes
•s ≡ f * w (mod q).
Bob's signed message is the pair (m, s). Verification: In order to verify Bob's signature s on the message τn, Alice checks that s φ 0 and then verifies the following two conditions:
(A) Alice compares s to /o * rn by checking if their deviation satisfies nin < Dev(s, /o * ) < -Dmax.
(B) Alice uses Bob's public verification key h to compute the polynomial t = h * s (mod q). She then checks if the deviation of t from g0 * m satisfies
Dmin ≤ Dev(i, p0 * m) < Dmax.
If Bob's signature passes tests (A) and (B), then Alice accepts it as valid.
The check by Alice that s Φ 0 is done to eliminate the small possibility of a forgery via the trivial signature. This is described in more detail in [5] We defer until Section 3 below a detailed explanation of why NSS works. However, we want to mention here the reason for allowing s and t to deviate from /o * m and go *τn, respectively. This permits us to take w to be nonzero and to allow a significant amount of reduction modulo q to occur in the products f*w and g*w. This makes it difficult for an attacker to find the exact values of / * w or g * w over , which in turn means that potential attacks via lattice reduction require lattices of dimension 2N rather than N.
This is the key difference between the optimized version of NSS presented in the next section and a somewhat less efficient version. If we take £>min = Dmax = 0, i.e., if we allow no deviations, then a transcript will reveal f * w and g * w exactly. Lattices of dimension N can be reduced faster than lattices of dimension 2N. Consequently, for a secure version of NSS assuming no deviations we require a larger value of TV. We will show that if N is chosen greater than about 700 this still gives a fast and equally secure signature scheme, albeit with somewhat larger key and signature sizes than the optimized version of NSS described in this note.
This concludes our overview of how NSS works. In the next section we suggest a parameter set and explain why we believe that it provides a level of security comparable to RSA 1024. Table 1 compares the efficiency of NSS to other systems. In the following sections we provide a security analysis, although due to space constraints, we refer the reader to [5] for some details, especially for the optimized version with Dm\n, Dmax > 0.
2 A Practical Implementation of NSS
The following parameter selection for NSS appears to create a scheme with a breaking time of at least 1012 MIPS years:
(N,p, q,Dmiτl, Dmax = (251, 3, 128, 55, 87). (3)
This leads to the following key and signature sizes for NSS:
Public Key: 1757 bits Private Key: 502 bits Signature: 1757 bits
We take /0 = 1 and go = 1 — 2X, where recall that f — fo + P ar>d 9 — 9o + V9 - I" order to describe the sample spaces, we let
T{d) = {F{X ) e R : F as d coefs = 1 and = -1, with the rest 0}.
Then the sample spaces corresponding to the parameter set (3) are
Jγ = T(70), Fg = T(40), ^m = T(32).
Note that m is a hash of the digital document D being signed. Thus the users must agree on a method (e.g., using SHAl) to transform D into a list of 64 distinct integers 0 < e,- < 251, and then m = ∑Si X e - ∑^33 Xe .
The polynomial w has the form w — m + w\ +pw2, so we also must explain how to choose the polynomials v) and u>2- This must be done carefully so as to prevent an attacker from either lifting to a lattice over (see Section 4.4) or gaining information via a reversal averaging attack (see Section 4.6). Roughly, the idea is to choose random u>2, compute s' ≡ f * (m + ρυi2) (mod q) and t' == g * (m + PW2) (mod q), choose viy to cancel all of the common deviations of (sf, fo*m) and (t go*m) and to exchange some of the noncommon deviations, and finally to alter ui2 to move approximately 1/p of the nonzero coefficients of m + wι. For the parameter set (3) given above, the polynomial wi has up to 25 nonzero coefficients and W2 is initially chosen at random from the set (32). The precise prescription for creating w is described in Section 2.1.
We have implemented NSS in C and run it on various platforms. Table 1 describes the performance of NSS on a desktop machine and on a constrained device and gives comparable figures for RSA and ECDSA signatures.
Table 1. Speed Comparison of NSS, RSA, and ECDSA
Notes for Table 1.
1. NSS speeds from the NERI implementation of NSS by NTRU Cryptosystems.
2. RSA and ECDSA speeds presented by Alfred Menezes [8] at CHES 2000.
3. RSA 1024 bit verily uses a small vcrificatiou exponent for increased speed.
4. ECDSA 163 bit uses a Koblitz curve for increased speed. Time is approximately doubled if a random curve over 2ιε3 is used.
2.1 Selection of the Masking Polynomial w
The polynomial w = m-Hui+ wa has two purposes. First, it includes the message digest m and is thus the means by which m is attached to the signature s. Second, it contains polynomials Wi and W2 that introduce variability into the signature and prevent an attacker from gaining useful information that might be used to find the private key / or to directly forge a signature.
There are two principle areas that must be addressed when selecting w. First, in the optimized version we must ensure that an attacker cannot lift the values of s ≡ / * w (mod q) and t ≡ g * w (mod g) to the exact values of / * w or g * w in [X]. Second, we must ensure that the attacker cannot use averages formed from long transcripts of signatures to deduce information about / or g.
The first item is addressed by selecting wι so as to alter many of the coefficients of / * (m + PW2) and g * (m + p >2) that lie outside the range from — q/2 to q/2. This has the effect of masking the coefficients that have suffered nontriv- ial reduction modulo q and prevents the attacker from undoing the reduction. The second item is handled by changing 1/p of the coefficients of w2; this has the effect of forcing all second moment transcript averages to converge to 0. We now describe exactly how w\ and w2 are created. For ease of exposition, we assume that p = 3. For further details of why this procedure protects against lifting and averaging attacks, see [5].
The first step is to choose a random polynomial W2 6 T(dW2). That is, W2 has a specified number of l's and —l's. For example, the parameter set (3) takes u>2 £ (32). The next step is to compute preliminary signature polynomials s' ≡ f * (m + pw2) (mod 5) and t' = g * (m + pωa) (mod q). (4)
Next we choose wj . We start with wi = 0. We let i = 0, 1, 2, .. . , N — 1 and run through the coefficients s'± and t of s' and t', performing the following steps. [The
quantity i-Limit used below is a prespecified parameter. For the parameter set (3), its value is 25.]
• If s'i φ mi (mod p) and t' =z= ; (mod p) and s' = t (mod p), then set uii^ ≡ πii — ' (mod p).
• If s'i ψ. i (mod p) and t^ mt (mod p) and Sj φ t (mod p), then set u>ιtj = 1 or — 1 at random.
• If s[ φ mi (mod p) and t ≡ πii (mod p), then with probability 25%, set wι,j ≡ mj — s^ (mod p).
• If s' ≡ T i (mod p) and t φ mi (mod p), then with probability 25%, set w\ti ≡ πii — t^ (mod p).
• If i — N — 1 or if wi ø has more than wj -Limits nonzero coordinates, the construction of røi is complete.
Finally, we need to make some alterations to W
2 to prevent the averaging of long transcripts of signatures. This is done by taking each coefficient u>
2,i, 0 < i < N, and with probability 1/3, replacing it with with ui .i — —
This completes the description of how wι and wj are chosen.
3 Completeness of NSS
A signature scheme is deemed to be complete if Bob's signature, created with the private signing key /, will be accepted as valid. Thus we need to check that Bob's signed message (m, s) passes the two tests (A) and (B).
3.1 The Norm of a Polynomial
In order to analyze the two verification conditions we briefly digress to discuss norms of polynomials. Let a(X) = a0 + axX + a2X2 + ■ ■ ■ + aN-iX*'1 be a polynomial with integer coefficients and let μ be the average of the coefficients. We define the centered Euclidean Norm and the Sup Norm of a, denoted respectively ||α|| and ||α||∞, by the formulas
IMI - V(αo ~ μ)2 + 1- (OΛT-1 - μ)2 and ||α||∞ = max{|α0|, - .. , |αjv-ι|}-
In our examples, μ will be close to or equal to zero.
We require certain facts about polynomials with small coefficients. For random polynomials with small coefficients such as / and w, it is generally true that
||/* «,|| * ||/HM| and ||/ *H» * 711/11 - IMI, (5) where < 0.15 for N < 1000. The NTRU cryptosystem relies on these properties of small polynomials, which are discussed in [4]. (Note that the infinity norm defined in [4] is actually twice the infinity norm defined here.)
With this background we now easily check the completeness of NSS.
Test (A): The polynomial s that Alice tests is congruent to the product s ≡ / * w (mod q) ≡ (fa + Pfι)(™ + + w2) (mod q) ≡ /o * m + /o * v>ι + pfo * w2 + pfι * w (mod q).
We see that the ith coefficients of s and fo * m will agree modulo p unless one of the following situations occurs:
• The ith coefficient of /o * ιt ι is nonzero.
• The ith coefficient of / * w is outside the range (—q/2, q/2], so differs from the i h coefficient of s by some multiple of q.
The estimates in (5) tell us that before reduction modulo q, the absolute value of the coefficents of / * w is bounded above by 7||/|| • \\w\\ . As long as this quantity does not greatly exceed q/2, little reduction modulo q will take place. If the parameters and sample spaces are chosen properly (e.g., as in Section 2) then there will be at least Dm\n and at most Z?max deviations between 5 mod p and τn mod p. Alternatively, if j|/|j and |jw|j are sufficiently small, then no reduction modulo q will take place and one can set r>m — Dmax = 0. Thus Bob's signature will pass test (A). Test (B): The polynomial t is given by t ≡ h * s = (/_1 * g) * (f * w) ≡ g * w (mod q).
Since g has the same form as /, the same reasoning as for test (A) shows that t will pass test (B).
Remark 2. We have indicated why, for appropriate choices of parameters, Bob's signature will probably be accepted by Alice. Note that when Bob creates his signature, he should check to make sure that it is a valid signature. For the parameters (N,p, q, Dm\n, Dmax) = (251, 3, 128, 55, 87) from Section 2, we see from Table 2 that the probability that Dev(s, fo *rn) is valid is approximately 87.33% and the probability that Dev(t, go * m) is valid is approximately 90.92%. Thus Bob's signature will be valid about 79.40% of the time. Of course, if it is not valid, he simply chooses a new random polynomial u> and tries again. In practice it will not take very many tries to find a valid signature. The timings given in Table 1 take this factor into account.
4 Security Analysis of NSS
It was shown in Section 3 that given a message , Bob can produce a signature s satisfying the necessary requirements. In this section we discuss various ways in which an observer Oscar might try to break the system. There are many attacks that he might try. For example, he might attempt to discover the private key / or a useful imitation, either directly from the public key h or from a long transcript of valid signatures. He might also try to forge a signature on a message without
(N,p, q) = (251, 3, 128)— 106 Trials Table 2. Deviations Between fo * τn and s and Between go * m and t
first finding the private key. We describe the hard lattice problems that underlie some of these attacks and examine the success probabilities of other attacks that rely on random searches. In all cases we explain why the indicated attacks are infeasible for an appropriate choice of parameters such as those given in Section 2. Due to space constraints, we must refer the reader to [5] for many of the technical details related to the analysis of the optimized parameter set.
4.1 Random Search for a Valid Signature on a Given Message Given a message m, Oscar must produce a signature 5 satisfying:
(A) £>, mm < Dev(s, fo * m) < Dn
(B) £>, min < Dev(t, go * m) < Z?m κ, where t ≡ s * h (mod q).
If , nmjv = 0 these conditions become:
(A') s = fo * m (mod p).
(B') t ≡. h * s (mod q) satisfies t ≡ g0 * m (mod p).
The most straightforward approach for Oscar is to choose s at random satisfying condition (A), which is obviously easy to do, and then to hope that t satisfies condition (B). If it does, then Oscar has successfully forged Bob's signature, and if not, then Oscar can try again with a different s. Thus we must examine the probability that a randomly chosen s satisfying (A) will yield a t that satisfies (B).
The condition (A) on s has no real effect on the end result t, since t is formed by multiplying s * h and reducing the coefficients modulo g, and the coefficients of h are essentially uniformly distributed modulo q. Thus we are really asking for the probability that a randomly chosen polynomial t with coefficients between — q/2 and q/2 will satisfy condition (B). This is easily computed using elementary probability theory.
The coefficients of a randomly chosen t can be viewed as N independent random variables taking values uniformly modulo q. The coefficients of m are fixed target values modulo p. We need to compute the probability that a randomly chosen ΛT-tuple of integers modulo q has at least Dm\n and no more than Dmax of its coordinates equal modulo p to fixed target values. Assuming that q is significantly larger than p, this probability is approximately
1 -"max Λ/Λ
Prob(Dmin < Dev(i, ff0 * m) < Z?max) « ^ ∑ { d) ^ ' 1^'
**= Λnϊιι
(Notice that for condition (B'), the probability is p~N, since all N "random" coefficients of t (mod p) must match go * m.) Table 3 gives this probability for (N,p) = (251, 3) and seλ'eral values of Dmm and Dmax. For example, the table shows that for D = 87, the probability of a successful forgery using a randomly selected s is approximately 2-80'95.
Table 3. Probability Random t Satisfies Dm,-n < Dev(£, c?o * τή) < D„
4.2 NTRU Lattices and Lattice Attacks on the Public Key
Oscar can try to extract the private key / from the public key h with or without a long transcript of genuine signatures. Alternatively, he can try to forge a signature without knowledge of /, using only h and a transcript. In this section we discuss attempts by Oscar to obtain the private key from the public key by lattice reduction methods. As is the case with the NTRU cryptosystem, recovery of the private key by this means is equivalent to solving a certain class of shortest or closest vector problems.
We begin with a brief exposition of our approach to the analysis of lattice reduction problems. We have perfomed a large number of computer experiments to quantify the effectiveness of current lattice reduction techniques. This has given us a strong empirical foundation for analyzing and .quantifying the vulnerability of several general classes of lattices to lattice reduction attacks. The following analysis and heuristics applies to the lattices discussed in this paper. (See also the lattice material in the papers [3, 4, 6, 7].)
Let I be a lattice of determinant d and dimension n. Let VQ denote a given fixed vector, possibly the origin. Let r denote a given radius and consider the
problem of locating a vector v e L such that ||u — vn|| < r. The difficulty of solving this problem for large n is related to the quantity
Here the denominator is the length that the gaussian heuristic predicts for the shortest expected vector in L. See [4] for a similar analysis.
If K < 1, then the gaussian heuristic says that a solution, if one exists at all, will probably be unique (or unique up to obvious symmetries of the lattice). The closer that K is to 0, the easier it will be to find the unique solution using lattice reduction methods. As K gets close to 1, lattice reduction methods become less effective.
For example, let (Ln, rn, u0.„) be a sequence of lattices, radii, and target vectors of increasing dimension n that contain a target vector vn e Ln (i.e.. satisfying |un — t>o,nl < rn) and whose K values satisfy κn = κ(Ln, rn) = c/s/n (7) for a constant c. Then our experiments suggest that the time necessary for lattice reduction methods to find the target vector vn grows like ean for a value of a that is roughly proportional to c. Similarly, if K. > 1, then a solution will probably not be unique, but it becomes progressively harder to find a solution as K approaches 1.
We must stress here that the above statements are not intended to be a proof of security or to convey any assurance of security. They merely supply a conceptual framework that we have found useful for formulating working parameter sets. The lattices associated to these parameter sets are then subjected to extensive experimental testing.
Recall from (2) that the public key has the form h = /_1 * g (mod q), where / = /o + P an<i g — go + pgi ■ As this is very similar to the form of an NTRU public key, a 27V-dimensional lattice attack based on the shortest vector can be used to try to derive / and g from h. See [4, 13] for details on the NTRU lattice and the use of lattice reduction methods to compute the shortest expected vector.
If we identify polynomials with their vector of coefficients, then the 27V- dimensional NTRU lattice LNT consists of the linear combinations of the 2N vectors in the set
{(X Xl * h) : 0 < t < N] U { (O. gJT*) : 0 < i < N}.
Equϊvalently, LNT is the set of all vectors (F{X), F(X) * h(X)), where F(X) varies over all TV-dimensional vectors and the last N coordinates are allowed to be changed by arbitrary multiples of q. It is not hard to see that the vector (/, g) is contained in iNT and will be shorter than the expected shortest vector of LNT (i.e., K < 1). Thus in principle, {f, g) should be essentially unique and findable by lattice reduction methods.
A more effective attack is to use the knowledge of /o, <?o to set up a closest vector attack on fι, gι in the same 27V-dimensional lattice The object is to search for the vector in NT that is closest to the vector (0, (50 — /o * h)p'), where pp' ≡ 1 (mod q). If successful, this attack produces a small F such that G = F * h — (go — /o * h)p' (mod q) is also small. Then (/0 + pF, g + pG) is either the original key or a useful substitute. With this approach, after balancing the lattice as in [4], we obtain the following estimate for the constant c in equation (7): c > 2 /πe||/1||||ffl ||/ϊ. (8)
Experimental evidence shows that if L runs through a sequence of NTRU type lattices of dimension 27V with TV > 80 and q ~ 7V/2 and if the constant c of (7) satisfies c > 3.7, then the time T (in MlPS-years) necessary for the LLL reduction algorithm to find a useful solution to the closest vector problem satisfies logT > 0.17077V - 15.82. (9)
Thus if TV = 251 and c = 3.7, one has T > 5 • 10 MlPS-years.
For the optimized version of NSS presented in Section 2, we have N = 251 and c > 5.3. Since larger c values in (7) yield longer LLL running times, we see that the time to find the target vector should be at least 1012 MlPS-years, and is probably considerably higher. In general, we obtain this lower bound provided that N, Tj, g are chosen so that ||/ι j|, ||<7ι |j give a large enough value for c in (8).
4.3 Lattice Attacks on Transcripts
Another potential area of vulnerability is a transcript of signed messages. Oscar can examine a list of signatures s, s', s" . . ., which means that he has at his disposal the lists fw, fw', fui", .. . mod q and gw, gw', gw", ... mod q. (10)
section. As long as \\w\\, ||/||, and \\g\\ are about the same size, remain the same or increase, leading to no improvement in the breaking time.
Oscar can also set up a A V-dimensional NTRU type lattice using
There are several other variations on the lattice attacks described in this and the previous section, but none appears to be stronger then the closest vector attack on the public key given in Section 4.2.
4.4 Lifting a NSS Signature Lattice to
Recall that an attacker Oscar is presumed to have access to a transcript of signed messages such as given in (10). Various ways in which he might try to exploit this mod q information are described in Sections 4.3. In this section we are concerned with the possibility that Oscar might lift the transcript information (10) and recover the values of / * w, f * w', ... exactly over .
This is the primary area where the signature scheme with zero deviations differs from the optimized scheme. If the signatures can be recovered over , as they can be if Dm;n = Dmax = 0, then two additional lattice attacks are made possible. In the optimized scheme of Section 2, we ensure that a lift back to is impractical by making the number of possible liftings greater than 280. This leaves Oscar with only the lattice attacks described in Sections 4.2 and 4.3 and allows us to take TV -= 251 while maintaing a breaking time in excess of 1012 MIPS years.
We now investigate the attacks that are possible if such a lifting can be accomplished. This analysis, irrelevant for the optimized parameters, allows us to set parameters for a simpler variant of NSS with Dmm = Dm3X = 0.
Suppose that Oscar forms the lattice L' generated by Xz*f*w with 0 < i < TV and a few different values of w (or similarly for Xτ *g*w). It is highly likely that the shortest vectors in V are the rotations of /. Essentially, Oscar is searching for a greatest common divisor of the products / * w, though the exponentially large class number of the underlying cyclotomic field greatly obstructs the search. Although it is still not easy to find very short vectors in the lattice U using lattice reduction, the fact that dim( ') = TV, as compared to the NTRU lattice INT of dimension 2TV, means that L' is easier to reduce than LNT.
The difficulty of finding a solution to the shortest vector problem for the lattice V appears to be related, as one might expect, to the magnitude of the norm of /. For example, if one considers a sequence of lattices L' of dimension TV formed with / satisfying ||/|| « • 2TV/3, then our experiments have shown that the extrapolated time necessary for the LLL reduction algorithm to locate / is at least T MIPS years, where T is given by the formula lo r = 0.11517V - 7.9530. (11)
As the norm of / is reduced, the time goes down. For example, if we take H/ll ~ VO.0687V, then our experiments show that the breaking time is greater than the T given by the formula logT = 0.0785TV - 6.2305. (12)
One further lattice attack of dimension 2TV is enabled if a lifting to is possible. One can view it as an alternative attack on the gcd problem. Given
two products / * w and g * w, one can reduce these modulo any integer Q and then take the ratio, obtaining f~l * g modulo Q. This is very similar to the original problem of finding the private key from the public key, but there is an important difference. The integer Q can be chosen as large as desired, which has the effect of decreasing the value of K. AS a result, it becomes easier to reduce the lattice. The advantage of making Q larger does not continue indefinitely, and the ultimate result is to reduce the effective dimension of the lattice from 27V to TV. Experiments have shown that when / and g satisfying ||/|| = ||</|| = ^/27V/3 are used to generate these lattices and an optimal value of Q is chosen for each TV, the extrapolated time necessary for the LLL reduction algorithm to locate / is at least T MIPS years, where T is given by the formula logT = 0.05497V + 1.7693. (13)
This third approach seems to be the strongest attack, yielding a lower bound of 1012 MIPS years when TV > 680. As with the TV-dimensional lattice, decreasing the norms of / and g does not seem to lower the slope of the line very much, while increasing the norms increases the slope somewhat. A closest vector attack on (/ι, ι) might decrease this lower bound a bit, but should not alter it substantially.
4.5 Forgery Via Lattice Reduction
The opponent, Oscar, can try to forge a signature s on a given message m by means of lattice reduction. We show in this section that an ability to accomplish this implies an ability to consistently locate a very short vector in a large class of (27V + l)-dimensional lattices.
First consider the case that Dmm = Dmax = 0, so Oscar must find a polynomial s satisfying s ≡ /o * m (mod p) and such that t ≡ h * s (mod q) satisfies t ≡ go * m (mod p). Let ms and mt be the polynomials with coefficients between —p/2 and p/2 satisfying ms = /0 * m mod p and mt ≡ g * rn mod p, respectively. Consider the (27V + l)-dimensional lattice Lm generated by
{{Xi, Xi * h, 0) : 0 < i < TV} U {(0, qX 0) : 0 < i < TV} U {{ms,mt, l}}.
Then Lm contains the vector r = (s — ms, t — mt, — 1). The norm of r can be
of the public key ft, the lattice L
m,
p is the intersection of the lattices generated by the rows of the following matrices:
Then L
m,
p has determinant equal to (det L)p
2N . Referring to (6) we see that
For example. (N,p, q) = (719, 3, 359) gives n « 7.5. This means that the construction of a signed message is equivalent to finding a vector in LmtP that is about 7.5 times longer than the expected shortest vector. It follows that if Oscar is able to forge messages with a reasonable probability, then with reasonable probability he can also find vectors within a factor of 7.5 of the shortest vector. Experiments have indicated that for TV « 700, it requires far in excess of 1012 MlPS-years to find such a vector in the (27V + l)-dimensional lattice Im,p. We note also that the probability that such a vector would have all of its coefficients bounded in absolute value by q/2 is extremely low.
The case of the optimized parameters of Section 2 is similar. Oscar's best strategy is probably to simply choose ms at random having the correct properties (i.e.. with Dev(ms, /0 * m) in the allowable range) and to choose τnt ≡ g0 * m mod p exactly. The optimized parameters (N, p, q) = (251, 3, 128) lead to a 503-dimen- sional lattice with K = 4.5. Oscar must first try to find a vector no more than 4.5 times longer than the shortest vector. He must then refine his search so that the first TV coordinates of his vector have absolute value less than q/2 and so that the second TV coordinates have at least 55 and no more than 87 coordinates with absolute value greater than q/2. The norm condition alone requires about 105 MIPS years for LLL to produce a candidate. Experiments indicate that if the necessary additional constraints are placed on the sup norms of the vectors, then the required time will significantly exceed 1012 MIPS years.
Another, less efficient, forgery attack requiring a 3TV-dimensional lattice is described in detail in [5j.
In conclusion, forgery solutions probably exist in both the general and the optimized versions of NSS, but the time required to find a forgery is sufficiently large so as to preclude a successful attack based on this approach.
4.6 Transcript Averaging Attacks
As mentioned previously, examination of a transcript (10) of genuine signatures gives the attacker a sequence of polynomials of the form s = f * w = (/o + pf )(m + wι + ρw2) (mod q) with varying wj and ui - A similar sequence is known for g. Because of the inherent linearity of these expressions, we must prevent Oscar from obtaining useful information via a clever averaging of long transcripts.
The primary tool for exploiting such averages is the reversal of a polynomial a(X) G R defined by p(a) = a(X~1). Then the average of a*p(a) over a sequence of polynomials with uncorrelated coefficients will approach the constant [|α||2,
while the average of a' * p(a) over uncorrelated polynomials will converge to 0. If m, u>ι , and w∑ were essentially uncorrelated, then Oscar could obtain useful information by averaging expressions like s * ρ(m) over many signatures. Indeed, this particular expression would converge to /||τn||2, and thus would reveal the private key /.
There is an easy way to prevent all second moment attacks of this sort. Briefly, after vn, w\, and a preliminary w2 are chosen, Bob goes through the coefficients of m + ∞i and, with probability 1/p, subtracts that value from the corresponding coefficient of u>2- This causes averages of the form a *p(b) created from signatures to equal 0. For further details on this attack and the defense that we have described, see [5]. We also mention that it might be possible to compute averages that yield the value of / * p(f) and averages that use fourth power moments, but the former does, not appear to be useful for breaking the scheme and the latter, experimentally, appeal's to converge much too slowly to be useful. Again we refer to [5] for details.
4.7 Forging Messages To Known Signatures
Another possible attack is to take a list of one or more valid signatures (s, t, rn), generate a large number of messages m', and try to find a signature in the list that validly signs one of the messages. It is important to rule out attacks of this sort, since for example, one might take a signature in which says "IOU $10" and try to find an m' that says "IOU $1000" . Note that this attack is different from the attack in Section 4.1 in which one chooses an m and an s with valid Dev(s, m) and hopes that t = h*s (mod ςr) has a valid Dev(f , g0 *m). The fact that (s, t, m) is already a valid signature implies some correlation between s and t , which may make it more likely that (s, t ) also signs some other rn! .
In the case of zero deviations, if signature encoding is used as suggested in Section 4.9 then it is quite clear that the probability of a successful attack by this method is negligable.
In the case of the optimized parameters the situation is somewhat harder to analyze, but a conservative probabilistic estimate shows that the possibility of a successful forgery is less than 2-67. For added security, one can reduce the value of Dmax to 81. This makes it only a little harder to produce a valid signature while reducing the above probability to less than 2-82. See [5] for details.
4.8 Soundness of NSS
A signature scheme is considered sound if it can be proved that the ability to produce several valid signatures on random messages implies an ability to recreate the secret key. We can not prove this for the parameters given in Section 2, which have been chosen to maximize efficiency. Instead, the preceding sections on security analysis make a strong argument that forgery is not feasible without the private key, and that it is not feasible to recover the private key from either a transcript of valid signatures or the public key.
We can, however, make a probabilistic argument for soundness under certain assumptions. For example, recall from Section 4.5 that the existence of a signed message (m, s) implies the existence of a vector in a lattice which is a factor of K = y/πeq/(6p2) times larger than the expected smallest vector. We have chosen p = 3 for efficiency, but if p is somewhat larger, for fixed TV, then K will be less than 1. This implies that the existence of such a vector by random chance is extremely unlikely, and that such a vector is probably related to a genuine product / * w. If we assume the ability of Oscar to produce such products on demand, given an input m, with a somewhat larger p it is not too hard to see that Oscar can probably recover f\.
4.9 Signature Encoding
In practice, it is important that the signature be encoded (i.e., padded and transformed) so as to prevent a forger from combining valid signatures to produce new valid signatures. For example, let si and s2 be valid signatures on messages mx and m∑, respectively. Then there is a nontrivial possibility that the sum Sj + S2 will serve as a valid signature for the message i 4- m∑. This and other similar sorts of attacks are easily thwarted by encoding the signature. For example, one might start with the message M (which is itself probably the hash of a digital document) and concatenate it with a time/date stamp D and a random string R. Then apply an all-or-nothing transformation to ||77||T? to produce the message m to be signed using NSS. This allows the verifier to check that m has the correct form and prevents a forger from combining or altering valid signatures to produce a new valid signature.
This is related to the more general question of whether or not Oscar can create any valid signature pairs (τn, s), even if he does not care what the value of m is. When encoding is used, the probabiUty that a random m will have a valid form can easily be made smaller than 2~80.
References
1. E.F. Brickell and K.S. McCurley. Interactive Identification and Digital Signatures, AT&T Technical Journal, November/December, 1991, 73-86.
2. L.C. Guillou and J.-J. Quisquater. A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. Advances in Cryptology — Eurocrypt '88, Lecture Notes in Computer Science 330 (C.G. Giinther, ed.), Springer-Verlag, 1988, 123-128.
3. J. Hoffstein, B.S. Kaliski, D. Lieman, M.J.B. Robshaw, Y.L. Yin, Secure user identification based on constrained polynomials, US Patent 6,076,163, June 13, 2000.
4. J. Hoffstein, J. Pipher, J.H. Silverman, NTRU: A new high speed public key cryptosystem, in Algorithmic Number Theory (ANTS III), Portland, OR, June 1998, Lecture Notes in Computer Science 1423 (J.P. Buhler, ed.), Springer-Verlag, Berlin, 1998, 267-288.
5. J. Hoffstein, J. Pipher, J.H. Silverman, NSS: A Detailed Analysis of the NTRU Lattice-Based Signature Scheme, <wvw. ntru. com>.
6. J. Hoffstein, D. Lϊeman, J.H. Silverman, Polynomial Rings and Efficient Public Key Authentication, in Proceeding of the International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99), Hong Kong, (M. Blum and CH. Lee, eds.), City University of Hong Kong Press.
7. J. Hoffstein, J.H. Silverman, Polynomial Rings and Efficient Public Key Authentication II, in Proceedings of a Conference on Cryptography and Number Theory (CCNT '99), (I. Shparlinski, ed.), Birkhauser.
8. A.J. Menezes, Software Implementation of Elliptic Curve Cryptosystems Over Binary Fields, presentation at CHES 2000, August 17, 2000.
9. A.J. Menezes and P.C. van Oorschot and S.A. Vanstone. Handbook of Applied Cryptography, CRC Press, 1996.
10. I. Mironov, A note on cτyptanalysis of the preliminary version of the NTRU signature scheme, IACR preprint server, <lrt'tp://epriιrt. iacr.org/2001/005/>
11. T. Okamoto. Provably secure and practical identification schemes and corresponding signature schemes, Advances in Cryptology — Crypto '92, Lecture Notes in Computer Science 740 (E.F. Brickell, ed.) Springer-Verlag, 1993, 31-53.
12. C.-P. Schnorr. Efficient identification and signatures for smart cards, Advances in Cryptology— Crypto '89, Lecture Notes in Computer Science 435 (G. Brassard, ed), Springer-Verlag, 1990, 239-251.
13. J.H. Silverman. Estimated Breaking Times for NTRU Lattices, NTRU Technical Note #012, March 1999, <VOT.ntru. coin>.
14. J.H. Silverman. Almost Inverses and Fast NTRU Key Creation, NTRU Technical Note #014, March 1999, <VOT.ntru. coa>.
15. J. Stern. A new identification scheme based on syndrome decoding, Advances in Cryptolog — Crypto '93, Lecture Notes in Computer Science 773 (D. Stinson, ed.), Springer-Verlag, 1994, 13-21.
16. J. Stern. Designing identification schemes with keys of short size, Advances in Cryptolog — Crypto '94, Lecture Notes in Computer Science 839 (Y.G. Desmedt, ed), Springer- Verlag,1994, 164-173.
17. D. Stinson, Cryptography: Theory and Practice. CRC Press, 1997.