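NTRU (Number Theory Research Unit / Nth Degree Truncated Polynomial Ring) is a public-key cryptosystem defined over a polynomial ring. It is built on polynomial algebra, and its security rests on the hardness of finding a shortest vector in a lattice (SVP).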
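Basic concepts revisited
SVP: find a shortest nonzero vector $v \in L$ in a lattice $L$, that is, one whose Euclidean norm $\|v\|$ is minimal.
P-norm: $\|x\|_p = (|x_1|^p + |x_2|^p + \dots + |x_n|^p)^{1/p}$
In mathematics, the Euclidean distance (Euclidean metric) is the "ordinary" (straight-line) distance between two points in Euclidean space. With this distance, Euclidean space becomes a metric space. The associated norm is called the Euclidean norm. Older literature calls it the Pythagorean metric.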
Euclidean norm == Euclidean length (distance) == L2 norm == L2 distance == $\ell^2$ norm
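Greatest common divisor: written $(a, b)$
Least common multiple: written $[a, b]$
The least common multiple of several pairwise coprime numbers is the absolute value of their product.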
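How the common norms are computed:
Given a vector $x = (x_1, x_2, \dots, x_n)$
L1 norm = $\|x\|_1$ = the sum of the absolute values of the elements = the Manhattan distance between $x$ and 0
L2 norm = $\|x\|_2$ = the square root of the sum of the squares of the elements = the Euclidean distance between $x$ and 0
Lp norm = $\|x\|_p$ = the sum of the $p$-th powers of the absolute values of the elements, raised to the power $1/p$
L∞ norm = $\|x\|_\infty$ = the largest absolute value among the elements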
I. NTRU
1. Features
2.Scheme — Key Generation
- Randomly choose 2 polynomials $f, g \in L_g$.
- $f$ must satisfy the additional requirement that it has inverses modulo $q$ and modulo $p$. Denote these inverses by $F_q$ and $F_p$, that is, $F_q * f = 1 \bmod q$ and $F_p * f = 1 \bmod p$.
- Public key: $h = F_q * g \bmod q$
- Secret key: $f$
- Store $F_p$
3.Scheme — Encryption
- A message $m$ from the set of plaintexts $L_m$
- Randomly choose a polynomial $\varphi \in L_\varphi$
- Compute $e = p\varphi * h + m \bmod q$
4.Scheme — Decryption
- First compute $a = f * e \bmod q$, with the coefficients of $a$ chosen in $[-q/2, q/2]$.
- Recover the message by computing $F_p * a \bmod p$.
- Here $a = f * e = p\varphi * g + f * m \bmod q$.
II.
2.1. Recommended parameters
Security levels
Parameters | Highest | High | Standard | Moderate |
---|---|---|---|---|
p | 3 | 3 | 3 | 3 |
q | 256 | 128 | 128 | 128 |
N | 503 | 347 | 251 | 167 |
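```mathematica
(* Compute f_p and f_q: the inverses of f modulo 3 and modulo 41 in Z[y]/(y^7 - 1) *)
PolynomialMod[
 PolynomialRemainder[(-1 + y^2 + y^3 - y^4 + y^6)^-1, y^7 - 1, y],
 3]
(* f_p = 1 + y + y^2 + y^3 + 2 y^5 + y^6 *)
PolynomialMod[
 PolynomialRemainder[(-1 + y^2 + y^3 - y^4 + y^6)^-1, y^7 - 1, y],
 41]
(* f_q = 37 + 2 y + 40 y^2 + 21 y^3 + 31 y^4 + 26 y^5 + 8 y^6 *)

fp = 1 + y + y^2 + y^3 + 2 y^5 + y^6  (* f_p from above, used in the last step *)
Msg = 1 - y + y^2 + y^3 - y^5  (* message *)
ry = -1 + y - y^5 + y^6  (* random polynomial *)
Pk = 8 + 37 y + 24 y^2 + 32 y^3 + 6 y^4 + 38 y^5 + 19 y^6  (* public key, multiplied by ry directly below *)
fy = -1 + y^2 + y^3 - y^4 + y^6  (* private key f *)
Me = 25 + 3 y + 40 y^2 + 2 y^3 + 4 y^4 + 19 y^5 + 31 y^6  (* ciphertext *)
Md1 = 40 + y + 40 y^2 + 40 y^3 + 33 y^4 + 10 y^5 + y^6  (* fy*Me mod 41 *)
Md2 = -1 + y - y^2 - y^3 - 8 y^4 + 10 y^5 + y^6  (* Md1 with coefficients moved into [-q/2, q/2] *)

(* Encrypted message *)
PolynomialMod[
 PolynomialRemainder[Expand[ry*Pk + Msg], y^7 - 1, y], 41]
(* Me = 25 + 3 y + 40 y^2 + 2 y^3 + 4 y^4 + 19 y^5 + 31 y^6 *)

(* Decryption, step 1: fy*Me mod 41, first without reduction modulo y^7 - 1 *)
PolynomialMod[Expand[fy*Me], 41]
(* 16 + 38 y + 26 y^2 + 26 y^3 + 14 y^4 + 20 y^5 + y^6 + 24 y^7 + 4 y^8 + 14 y^9 + 14 y^10 + 19 y^11 + 31 y^12 *)
PolynomialMod[
 PolynomialRemainder[PolynomialMod[Expand[fy*Me], 41], y^7 - 1,
  y], 41]
(* Md1 = 40 + y + 40 y^2 + 40 y^3 + 33 y^4 + 10 y^5 + y^6 *)

PolynomialMod[Md1, 3]
(* Applied to the unreduced degree-12 product above, this gives
   1 + 2 y + 2 y^2 + 2 y^3 + 2 y^4 + 2 y^5 + y^6 + y^8 + 2 y^9 + 2 y^10 + y^11 + y^12 *)

(* Decryption, step 2: multiply the centered Md2 by f_p and reduce modulo 3 *)
PolynomialMod[PolynomialRemainder[Expand[fp*Md2], y^7 - 1, y], 3]
(* 1 + 2 y + y^2 + y^3 + 2 y^5, which is Msg with -1 written as 2 *)
```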
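The worked example above (N = 7, p = 3, q = 41) replayed in Python as an added example, not code from the original post. It takes the coefficient lists from the page, checks both inverses, and shows that skipping the step that moves the coefficients of a into [-q/2, q/2] returns a wrong message; the helper names `conv`, `center`, `encrypt` and `decrypt` are assumptions of this example.

```python
# Added example: toy NTRU in Z[y]/(y^N - 1) with the page's N = 7, p = 3, q = 41.
N, P, Q = 7, 3, 41

# Coefficient lists (lowest degree first) copied from the page's worked example.
F = [-1, 0, 1, 1, -1, 0, 1]          # fy, the private key f
F_P = [1, 1, 1, 1, 0, 2, 1]          # f_p, inverse of f mod p
F_Q = [37, 2, 40, 21, 31, 26, 8]     # f_q, inverse of f mod q
PK = [8, 37, 24, 32, 6, 38, 19]      # Pk (the page multiplies it by ry directly)
MSG = [1, -1, 1, 1, 0, -1, 0]        # Msg
R = [-1, 1, 0, 0, 0, -1, 1]          # ry, the random polynomial
ONE = [1] + [0] * (N - 1)


def conv(a, b, mod):
    """Product a*b in Z[y]/(y^N - 1), coefficients reduced into [0, mod)."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % N] = (out[(i + j) % N] + ai * bj) % mod
    return out


def center(a, mod):
    """Center lift for an odd modulus: coefficients end up in [-mod//2, mod//2]."""
    return [(c + mod // 2) % mod - mod // 2 for c in a]


def encrypt(msg, r, pk):
    """e = r*pk + m mod q, the same expression as the page's ry*Pk + Msg."""
    return [(x + m) % Q for x, m in zip(conv(r, pk, Q), msg)]


def decrypt(e, f, f_p, lift=True):
    """a = f*e mod q, center lift of a, then f_p*a mod p (lift=False skips the lift)."""
    a = conv(f, e, Q)
    if lift:
        a = center(a, Q)
    return center(conv(f_p, a, P), P)


if __name__ == "__main__":
    assert conv(F, F_P, P) == ONE and conv(F, F_Q, Q) == ONE  # both inverses hold
    e = encrypt(MSG, R, PK)
    print("Me           :", e)
    print("a (centered) :", center(conv(F, e, Q), Q))
    print("decrypt      :", decrypt(e, F, F_P), "== Msg:", decrypt(e, F, F_P) == MSG)
    print("without lift :", decrypt(e, F, F_P, lift=False))
```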
2.2.Complexity
Complexity
Property | Value |
---|---|
Block of original message in bits | $N \log_2 p$ |
Message expansion | $\log_p q$-to-1 |
Public key size in bits | $N \log_2 q$ |
Block of encrypted message in bits | $N \log_2 q$ |
Encryption speed | $O(N^2)$ |
Private key size | $2N \log_2 p$ |
Decryption speed | $O(N^2)$ |