Hi Peter,
Thanks for such a nice overview of current discussions. Just want to give a quick update on the NTRU.
- NTRU is around for the longest time and has, even with high-security parameters, fairly short messages. However, existing software implementations (at least the ones in SUPERCOP) are highly vulnerable to timing attacks. Key generation (with protection to against timing attacks) is, as far as I can tell, fairly expensive.
We are working on a constant-time implementation of NTRU. We expect to release the source code this summer. However, as far as I know, timing attacks are much more powerful against encryption algorithm (that uses long-lived key for multiple times), rather than KEMs (use ephemeral keys). Our proposal treats NTRU as a KEM so I think the timing attack is not so useful.
What I'm missing in the discussion are benchmarks of NTRU and NTRUprime
(in
the context of key exchange).
Please see the attached for some benchmark results. We are working on the camera-ready version of the paper. The final version should be out soon. Also note that we are using an IND-CCA-2 secure version of NTRU. The performance can be further improved by switching to the IND-CPA secure version. IND-CPA is enough to provide channel security, provide that the ciphertext is accepted for only once for a given key. (This may open doors to some DoS attack.) As far as I can tell, the NewHope and NTRU-prime all uses CPA secure encryption algorithms.
Would it help the discussion at this point to fix NTRU parameters, produce an optimized implementation of NTRU (not production-quality code for Tor,
but
something to obtain benchmarks) and compare performance of NewHope, NTRU,
and
NTRUprime in an ephemeral key exchange? This would be a nice project for a Ph.D. student.
It would be very interesting indeed. We need to fix the parameter sets for NTRU. Currently we have 1. ntru-443 with product form, providing 128 pre-quantum/post-quantum security 2. ntru-743 with product form, providing 256 pre-quantum and >128 post-quantum security 3. ntru-887 with non-product form, providing 256 pre-quantum security And all of those parameter sets uses SHA256 rather than SHA-3 as suggested by the community.
It would be nice to have a final decision on a. shall we use non-production form b. shall we remove the IND-CCA-2 feature c. shall we use ntru-743/887 to build a sufficiently large margin just like NTRUprime
Cheers, Zhenfei
On Tue, May 24, 2016 at 6:32 PM, Peter Schwabe peter@cryptojedi.org wrote:
bancfc@openmailbox.org wrote:
Hi all,
Some great developments in lattice-based crypto. DJB just released a
paper
on NTRU Prime:
Let me just also throw in my 2 cents:
As far as I can tell, there are now 5 approaches to post-quantum key exchange that are discussed (or at least have surfaced) in this thread:
- NTRU
- NewHope
- NTRUprime
- McEliece
- SIDH
In some of the posts I got the impression that there are considerations for some sort of "algorithm agility" in the key exchange. This can mean two things:
- runtime algorithm agility, such that a client can choose what algorithm to use according to some strategy; or
- upgrading algorithm agility, which means that for each version number of a client, it is very clear which algorithm it will use, but the key exchange supports (easy) upgrading to better algorithms with increasing version numbers.
In my opinion, the second approach is extremely important, in particular because at the moment we certainly want some sort of PQ key exchange, but are quite uncertain about what approach will prove best in the long run. I'm not really sure whether anybody really suggested the first approach, but just in case, I think it's a terrible idea. If the decision of what algorithms to use is left to users, they will certainly end up making worse choices than experts; if it's left to randomness, users inevitably get the worst out of the set from time to time. I simply cannot think of any strategy that lets the user win here.
Now, out of the 5 proposals, my impression is that McEliece with binary Goppa codes has been killed as an idea for key exchange in Tor and that whenever somebody mentions it again, Isis will just shout "KEYSIZE" to make sure that it remains dead.
I can see good reasons for each of the first three (lattice-based) proposals:
NTRU is around for the longest time and has, even with high-security parameters, fairly short messages. However, existing software implementations (at least the ones in SUPERCOP) are highly vulnerable to timing attacks. Key generation (with protection to against timing attacks) is, as far as I can tell, fairly expensive.
NewHope is explicitely designed for ephemeral key exchange (not public-key encryption), i.e, for the operation that is required. It offers best performance and, as Isis pointed out, the paramters we propose have the largest security margin against all known attacks. Disadvantage (price to pay for the security margin): somewhat longer messages.
NTRUprime is much less conservative than NewHope in its parameter choices against known attacks but offers "defenses" against attacks that may or may not work against NewHope and NTRU. The advertisement of those defenses is a pretty good job of the marketing department: the wording suggests that NTRUprime is, at the same bit-security level, at least as secure as NTRU or NewHope, but then has those defenses as additional safeguards. This is not quite true: NTRUprime operates in a different mathematical structure, which may in the long run prove more secure, it may also prove less secure and it could turn out that the "defenses" against hypothetical attacks turn out to be weaknesses against other attacks. Having said that, I really like the ideas of the NTRUprime paper and much more often than not have Dan and Tanja been right with their intuition for cryptographic design.
What I'm missing in the discussion are benchmarks of NTRU and NTRUprime (in the context of key exchange). For NTRUprime there is not even a proposal for ephemeral key exchange as needed in Tor; however, I assume that it's not too hard to replace NTRU operations (from the NTRU proposal) by NTRUprime operations. Also (please correct me if I'm wrong), for NTRU it's not clear what parameters to use and there is no optimized and timing-attack protected implementation. Would it help the discussion at this point to fix NTRU parameters, produce an optimized implementation of NTRU (not production-quality code for Tor, but something to obtain benchmarks) and compare performance of NewHope, NTRU, and NTRUprime in an ephemeral key exchange? This would be a nice project for a Ph.D. student.
Now, then there is SIDH: I really like SIDH, not so much for the shorter public keys (that's nice, but it's not like a difference of an order of magnitude), but because of two other reasons: 1.) It is a completely different approach and even if all non-standard lattice crypto falls, SIDH may survive. 2.) It's offering the same functionality as (EC)DH right now; both parties can compute their public keys without having received the public key of the other party. This is a great feature for protocol design and for migrating existing DH-based protocols to a post-quantum setting. However, I don't think that SIDH is ready for use at the moment. The reason is not only that it's about 300x slower than ECC, the reason is that security is really not understood at all. While probably everybody in the crypto community expects some progress in lattice attacks over the next few decades, I don't think that anybody seriously expects a polynomial-time algorithm that breaks, for example, Ring-LWE with suitably chosen paramters. A polynomial-time algorithm to break SIDH would clearly be a major breakthrough with an immediate-accept at any of the big crypto venues, but I would not want to really bet anything important (like my life in freedom) against this happening. I talked to Michael Naehrig (co-author of the Crypto paper this year implementing SIDH) two days ago and mentioned that SIDH popped up in this discussion as a possible approach for Tor. His reaction was roughly along the lines of "We say in our paper that you shouldn't use this, and very certainly not in Tor".
So, I hope that SIDH will survive in the long run, after serious cryptanalytic effort trying to break it; I hope that it will become faster by, say, a factor of 100 (that's not totally inconceivable, pairings took minutes to compute at the beginning, now we're below a millisecond) and if this happens then Tor should migrate to SIDH. Not now.
As I said, just my 2 cents.
Cheers,
Peter
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Zhenfei Zhang zzhang@securityinnovation.com wrote:
Hi Peter,
Hi Zhenfei, hi all,
We are working on a constant-time implementation of NTRU. We expect to release the source code this summer.
That's great news! Any thoughts on the license? Can you place it into public domain?
However, as far as I know, timing attacks are much more powerful against encryption algorithm (that uses long-lived key for multiple times), rather than KEMs (use ephemeral keys). Our proposal treats NTRU as a KEM so I think the timing attack is not so useful.
It's tricky; I agree that if you get only a single timing trace with the same key, it will be much harder to get useful information about the key than in a public-key encryption (or signature) setting where the private key is used many times. Then again, I also think that it will be very hard to prove that it's impossible to extract useful information about keys from timing on any platform. Maybe more importantly, Tor does not only have to be concerned about leaking the key, but also leaking de-anonymizing information. That's why Isis and I sat down and wrote a constant-time version of the sampling of the public polynomial in NewHope. My general take on this is that it's much easier to write constant-time code than to deal with the fallout caused by software that is vulnerable to timing attacks.
Please see the attached for some benchmark results.
Did the attachment get lost?
We are working on the camera-ready version of the paper. The final version should be out soon. Also note that we are using an IND-CCA-2 secure version of NTRU. The performance can be further improved by switching to the IND-CPA secure version. IND-CPA is enough to provide channel security, provide that the ciphertext is accepted for only once for a given key. (This may open doors to some DoS attack.) As far as I can tell, the NewHope and NTRU-prime all uses CPA secure encryption algorithms.
Definitely true for NewHope.
Here's what my answers would be to your questions:
It would be nice to have a final decision on a. shall we use non-production form
Would be interesting to see benchmarks of both.
b. shall we remove the IND-CCA-2 feature
Again, it would be interesting in a larger context to have benchmarks of both; the Tor handshake should be fine with IND-CPA.
c. shall we use ntru-743/887 to build a sufficiently large margin just like NTRUprime
Definitely. As I wrote in my previous mail, in NewHope we went for a much larger margin than NTRUprime did; I would probably feel better with 887, but for long-term security (and this is what the whole thing is about), 743 is a must-have.
Cheers,
Peter
-
Peter Schwabe -
Zhenfei Zhang