Optimizing polynomial convolution for NTRUEncrypt

NTRUEncrypt is one of the most promising candidates for quantum-safe cryptography. In this paper, we focus on the NTRU743 paramter set. We give a report on all known attacks against this parameter set and show that it delivers 256 bits of security against classical attackers and 128 bits of security against quantum attackers. We then present a parameter-dependent optimization using a tailored hierarchy of multipli- cation algorithms as well as the Intel AVX2 instructions, and show that this optimization is constant-time. Our implementation is two to three times faster than the reference implementation of NTRUEncrypt

A Lightweight Implementation of NTRUEncrypt for 8-bit AVR Microcontrollers

Introduced in 1996, NTRUEncrypt is not only one of the earliest but also one of the most scrutinized lattice-based cryptosystems and a serious contender in NIST’s ongoing Post-Quantum Cryptography (PQC) standardization project. An important criterion for the assessment of candidates is their computational cost in various hardware and software environments. This paper contributes to the evaluation of NTRUEncrypt on the ATmega class of AVR microcontrollers, which belongs to the most popular 8-bit platforms in the embedded domain. More concretely, we present AvrNtru, a carefully-optimized implementation of NTRUEncrypt that we developed from scratch with the goal of achieving high performance and resistance to timing attacks. AvrNtru complies with version 3.3 of the EESS#1 specification and supports recent product-form parameter sets like ees443ep1, ees587ep1, and ees743ep1. A full encryption operation (including mask generation and blinding- polynomial generation) using the ees443ep1 parameters takes 834,272 clock cycles on an ATmega1281 microcontroller; the decryption is slightly more costly and has an execution time of 1,061,683 cycles. When choosing the ees743ep1 parameters to achieve a 256-bit security level, 1,539,829 clock cycles are cost for encryption and 2,103,228 clock cycles for decryption. We achieved these results thanks to a novel hybrid technique for multiplication in truncated polynomial rings where one of the operands is a sparse ternary polynomial in product form. Our hybrid technique is inspired by Gura et al’s hybrid method for multiple-precision integer multiplication (CHES 2004) and takes advantage of the large register file of the AVR architecture to minimize the number of load instructions. A constant-time multiplication in the ring specified by the ees443ep1 parameters requires only 210,827 cycles, which sets a new speed record for the arithmetic component of a lattice-based cryptosystem on an 8-bit microcontroller

NTRU software implementation for constrained devices

The NTRUEncrypt is a public-key cryptosystem based on the shortest vector problem. Its main characteristics are the low memory and computational requirements while providing a high security level. This document presents an implementation and optimization of the NTRU public-key cryptosys- tem for constrained devices. Speci cally the NTRU cryptosystem has been implemented on the ATMega128 and the ATMega163 microcontrollers. This has turned in a major e ort in order to reduce the consumption of memory and op- timize the computational resources. The di erent resulting optimizations have been compared and evaluated throught the AVR Studio 4 [1]. The nal outcome has also been compared with other published public-key cryptosystems as RSA or ECC showing the great performance NTRUEncrypt is able to deliver at a surprising very low cost

A Lightweight Implementation of NTRU Prime for the Post-Quantum Internet of Things

The dawning era of quantum computing has initiated various initiatives for the standardization of post-quantum cryptosystems with the goal of (eventually) replacing RSA and ECC. NTRU Prime is a variant of the classical NTRU cryptosystem that comes with a couple of tweaks to minimize the attack surface; most notably, it avoids rings with "worrisome" structure. This paper presents, to our knowledge, the first assembler-optimized implementation of Streamlined NTRU Prime for an 8-bit AVR microcontroller and shows that high-security lattice-based cryptography is feasible for small IoT devices. An encapsulation operation using parameters for 128-bit post-quantum security requires 8.2 million clock cycles when executed on an 8-bit ATmega1284 microcontroller. The decapsulation is approximately twice as costly and has an execution time of 15.6 million cycles. We achieved this performance through (i) new low-level software optimization techniques to accelerate Karatsuba-based polynomial multiplication on the 8-bit AVR platform and (ii) an efficient implementation of the coefficient modular reduction written in assembly language. The execution time of encapsulation and decapsulation is independent of secret data, which makes our software resistant against timing attacks. Finally, we assess the performance one could theoretically gain by using a so-called product-form polynomial as part of the secret key and discuss potential security implications

Cryptography for Ultra-Low Power Devices

Ubiquitous computing describes the notion that computing devices will be everywhere: clothing, walls and floors of buildings, cars, forests, deserts, etc. Ubiquitous computing is becoming a reality: RFIDs are currently being introduced into the supply chain. Wireless distributed sensor networks (WSN) are already being used to monitor wildlife and to track military targets. Many more applications are being envisioned. For most of these applications some level of security is of utmost importance. Common to WSN and RFIDs are their severely limited power resources, which classify them as ultra-low power devices. Early sensor nodes used simple 8-bit microprocessors to implement basic communication, sensing and computing services. Security was an afterthought. The main power consumer is the RF-transceiver, or radio for short. In the past years specialized hardware for low-data rate and low-power radios has been developed. The new bottleneck are security services which employ computationally intensive cryptographic operations. Customized hardware implementations hold the promise of enabling security for severely power constrained devices. Most research groups are concerned with developing secure wireless communication protocols, others with designing efficient software implementations of cryptographic algorithms. There has not been a comprehensive study on hardware implementations of cryptographic algorithms tailored for ultra-low power applications. The goal of this dissertation is to develop a suite of cryptographic functions for authentication, encryption and integrity that is specifically fashioned to the needs of ultra-low power devices. This dissertation gives an introduction to the specific problems that security engineers face when they try to solve the seemingly contradictory challenge of providing lightweight cryptographic services that can perform on ultra-low power devices and shows an overview of our current work and its future direction

Cryptanalysis and Secure Implementation of Modern Cryptographic Algorithms

Cryptanalytic attacks can be divided into two classes: pure mathematical attacks and Side Channel Attacks (SCAs). Pure mathematical attacks are traditional cryptanalytic techniques that rely on known or chosen input-output pairs of the cryptographic function and exploit the inner structure of the cipher to reveal the secret key information. On the other hand, in SCAs, it is assumed that attackers have some access to the cryptographic device and can gain some information from its physical implementation. Cold-boot attack is a SCA which exploits the data remanence property of Random Access Memory (RAM) to retrieve its content which remains readable shortly after its power has been removed. Fault analysis is another example of SCAs in which the attacker is assumed to be able to induce faults in the cryptographic device and observe the faulty output. Then, by careful inspection of faulty outputs, the attacker recovers the secret information, such as secret inner state or secret key. Scan-based Design-For-Test (DFT) is a widely deployed technique for testing hardware chips. Scan-based SCAs exploit the information obtained by analyzing the scanned data in order to retrieve secret information from cryptographic hardware devices that are designed with this testability feature. In the first part of this work, we investigate the use of an off-the-shelf SAT solver, CryptoMinSat, to improve the key recovery of the Advance Encryption Standard (AES-128) key schedules from its corresponding decayed memory images which can be obtained using cold-boot attacks. We also present a fault analysis on both NTRUEncrypt and NTRUSign cryptosystems. For this specific original instantiation of the NTRU encryption system with parameters $(N,p,q)$, our attack succeeds with probability $\approx 1-\frac{1}{p}$ and when the number of faulted coefficients is upper bounded by $t$, it requires $O((pN)^t)$ polynomial inversions in $\mathbb Z/p\mathbb Z[x]/(x^{N}-1)$. We also investigate several techniques to strengthen hardware implementations of NTRUEncrypt against this class of attacks. For NTRUSign with parameters ($N$, $q=p^l$, $\mathcal{B}$, \emph{standard}, $\mathcal{N}$), when the attacker is able to skip the norm-bound signature checking step, our attack needs one fault to succeed with probability $\approx 1-\frac{1}{p}$ and requires $O((qN)^t)$ steps when the number of faulted polynomial coefficients is upper bounded by $t$. The attack is also applicable to NTRUSign utilizing the \emph{transpose} NTRU lattice but it requires double the number of fault injections. Different countermeasures against the proposed attack are also investigated. Furthermore, we present a scan-based SCA on NTRUEncrypt hardware implementations that employ scan-based DFT techniques. Our attack determines the scan chain structure of the polynomial multiplication circuits used in the decryption algorithm which allows the cryptanalyst to efficiently retrieve the secret key. Several key agreement schemes based on matrices were recently proposed. For example, \'{A}lvarez \emph{et al.} proposed a scheme in which the secret key is obtained by multiplying powers of block upper triangular matrices whose elements are defined over $\mathbb{Z}_p$. Climent \emph{et al.} identified the elements of the endomorphisms ring $End(\mathbb{Z}_p \times \mathbb{Z}_{p^2})$ with elements in a set, $E_p$, of matrices of size $2\times 2$, whose elements in the first row belong to $\mathbb{Z}_{p}$ and the elements in the second row belong to $\mathbb{Z}_{p^2}$. Keith Salvin presented a key exchange protocol using matrices in the general linear group, $GL(r,\mathbb{Z}_n)$, where $n$ is the product of two distinct large primes. The system is fully specified in the US patent number 7346162 issued in 2008. In the second part of this work, we present mathematical cryptanalytic attacks against these three schemes and show that they can be easily broken for all practical choices of their security parameters

Aspects of hardware methodologies for the NTRU public-key cryptosystem

Cryptographic algorithms which take into account requirements for varying levels of security and reduced power consumption in embedded devices are now receiving additional attention. The NTRUEncrypt algorithm has been shown to provide certain advantages when designing low power and resource constrained systems, while still providing comparable security levels to higher complexity algorithms. The research presented in this thesis starts with an examination of the general NTRUEncrypt system, followed by a more practical examination with respect to the IEEE 1363.1 draft standard. In contrast to previous research, the focus is shifted away from specific optimizations but rather provides a study of many of the recommended practices and suggested optimizations with particular emphasis on polynomial arithmetic and parameter selection. Various methods are examined for storing, inverting and multiplying polynomials used in the system. Recommendations for algorithm and parameter selection are made regarding implementation in software and hardware with respect to the resources available. Although the underlying mathematical principles have not been significantly questioned, stable recommended practices are still being developed for the NTRUEncrypt system. As a further complication, recommended optimizations have come from various researchers and have been split between hardware and software implementations. In this thesis, a generic VHDL model is presented, based on the IEEE 1363.1 draft standard, which is designed for adaptation to software or hardware implementation while providing flexibility for changes in recommended practices

NTRU software implementation for constrained devices

The NTRUEncrypt is a public-key cryptosystem based on the shortest vector problem. Its main characteristics are the low memory and computational requirements while providing a high security level. This document presents an implementation and optimization of the NTRU public-key cryptosys- tem for constrained devices. Speci cally the NTRU cryptosystem has been implemented on the ATMega128 and the ATMega163 microcontrollers. This has turned in a major e ort in order to reduce the consumption of memory and op- timize the computational resources. The di erent resulting optimizations have been compared and evaluated throught the AVR Studio 4 [1]. The nal outcome has also been compared with other published public-key cryptosystems as RSA or ECC showing the great performance NTRUEncrypt is able to deliver at a surprising very low cost

Enhancement of Nth degree truncated polynomial ring for improving decryption failure

Nth Degree Truncated Polynomial (NTRU) is a public key cryptosystem constructed in a polynomial ring with integer coefficients that is based on three main key integer parameters N; p and q. However, decryption failure of validly created ciphertexts may occur, at which point the encrypted message is discarded and the sender re-encrypts the messages using different parameters. This may leak information about the private key of the recipient thereby making it vulnerable to attacks. Due to this, the study focused on reduction or elimination of decryption failure through several solutions. The study began with an experimental evaluation of NTRU parameters and existing selection criteria by uniform quartile random sampling without replacement in order to identify the most influential parameter(s) for decryption failure, and thus developed a predictive parameter selection model with the aid of machine learning. Subsequently, an improved NTRU modular inverse algorithm was developed following an exploratory evaluation of alternative modular inverse algorithms in terms of probability of invertibility, speed of inversion and computational complexity. Finally, several alternative algebraic ring structures were evaluated in terms of simplification of multiplication, modular inversion, one-way function properties and security analysis for NTRU variant formulation. The study showed that the private key f and large prime q were the most influential parameters in decryption failure. Firstly, an extended parameter selection criteria specifying that the private polynomial f should be selected such that f(1) = 1, number of 1 coefficients should be one more or one less than -1 coefficients, which doubles the range of invertible polynomials thereby doubling the presented key space. Furthermore, selecting q 2:5754 f(1)+83:9038 gave an appropriate size q with the least size required for successful message decryption, resulting in a 33.05% reduction of the public key size. Secondly, an improved modular inverse algorithm was developed using the least squares method of finding a generalized inverse applying homomorphism of ring R and an (N x N) circulant matrix with integer coefficients. This ensured inversion for selected polynomial f except for binary polynomial having all 1 coefficients. This resulted in an increase of 48% to 51% whereby the number of invertible polynomials enlarged the key space and consequently improved security. Finally, an NTRU variant based on the ring of integers, Integer TRUncated ring (ITRU) was developed to address the invertiblity problem of key generation which causes decryption failure. Based on this analysis, inversion is guaranteed, and less pre-computation is required. Besides, a lower key generation computational complexity of O(N2) compared to O(N2(log2p+log2q)) for NTRU as well as a public key size that is 38% to 53% smaller, and a message expansion factor that is 2 to15 times larger than that of NTRU enhanced message security were obtained

Practical Lattice Cryptosystems: NTRUEncrypt and NTRUMLS

Public key cryptography, as deployed on the internet today, stands on shaky ground. For over twenty years now it has been known that the systems in widespread use are insecure against adversaries equipped with quantum computers -- a fact that has largely been discounted due to the enormous challenge of building such devices. However, research into the development of quantum computers is accelerating and is producing an abundance of positive results that indicate quantum computers could be built in the near future. As a result, individuals, corporations and government entities are calling for the deployment of new cryptography to replace systems that are vulnerable to quantum cryptanalysis. Few satisfying schemes are to be found. This work examines the design, parameter selection, and cryptanalysis of a post-quantum public key encryption scheme, NTRUEncrypt, and a related signature scheme, NTRUMLS. It is hoped that this analysis will prove useful in comparing these schemes against other candidates that have been proposed to replace existing infrastructure