IEEE P1363.1 / D2
Annex D
March 23, 2001
IEEE P1363.1 / D2 (Draft Version 2). Standard
Specification for Public-Key Cryptographic
Techniques Based on Hard Problems over
Lattices
Annex D (Informative).
Security Considerations.
Copyright © 2001 by the Institute of Electrical and Electronics Engineers, Inc.
345 East 47th Street
New York, NY 10017, USA
All rights reserved.
This is an unapproved draft of a proposed IEEE Standard, subject to change. Permission is hereby granted
for IEEE Standards Committee participants to reproduce this document for purposes of IEEE
standardization activities. If this document is to be submitted to ISO or IEC, notification shall be given to
IEEE Copyright Administrator. Permission is also granted for member bodies and technical committees of
ISO and IEC to reproduce this document for purposes of developing a national position. Other entities
seeking permission to reproduce portions of this document for these or other uses must contact the IEEE
Standards Department for the appropriate license. Use of information contained in the unapproved draft is
at your own risk.
IEEE Standards Department
Copyright and Permissions
445 Hoes Lane, P. O. Box 1331
Piscataway, NJ 08855-1331, USA
Comments and suggestions are welcome. Please contact the editor, Daniel Lieman, at dlieman@ntru.com.
1
Copyright © 2001 IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
ANNEX D (informative). Security Considerations
D.1 INTRODUCTION ..................................................................................................................................... 3
D.2 FAMILY-SPECIFIC CONSIDERATIONS .................................................................................................... 3
D.2.1 ML Family .................................................................................................................................... 3
D.2.1.1 Security Parameters.....................................................................................................................................3
D.2.1.2 Generation Method......................................................................................................................................4
D.2.1.3 Other Considerations...................................................................................................................................4
D.2.1.4 Notes............................................................................................................................................................4
D.1 Introduction
This annex addresses security considerations for the cryptographic techniques that are defined in this
standard. It is not the intent of this annex to teach everything about security or cover all aspects of security
for public-key cryptography. Rather, the goal of this annex is to provide guidelines for implementing the
techniques specified in the standard. Moreover, since cryptography is a rapidly changing field, the
information provided here is necessarily limited to the published state of the art as of the time the standard
was drafted, February 2001. Implementers should therefore review the information against more recent
results at the time of implementation; the working group Web page may contain additional relevant
information (see http://grouper.ieee.org/groups/1363/index.html).
Security recommendations (in the form of “should”) are given throughout this annex. It should be
understood, however, that there may be choices other than the ones recommended here that achieve a given
level of security. Furthermore, as discussed in D.2, the definition of security depends on the types of attack
that are relevant to an implementation. If an attack is not relevant, then some recommendations may not
apply. Thus, while the recommendations given here enable security, they should not necessarily be taken
as requirements. Nevertheless, it is expected that other standards based on this standard may upgrade some
of the recommendations to requirements.
Implementers are also referred to IEEE P1363 Annex D for security topics that are applicable to general
families and schemes, including general security principles (IEEE P1363 D.2), key management
considerations (IEEE P1363 D.3), and generation of random numbers (IEEE P1363 D.6). We will not
repeat this material in this annex.
For readers who are interested in extensive and in-depth discussions on security and cryptography, some
reference books include [MOV96], [Sch95], [Sta98] and [Sti95].
D.2 Family-Specific Considerations
This section gives information on security parameters for the Modular Lattice (ML) family, as well as
generation of domain parameters (if any) and key pairs.
D.2.1 ML Family
D.2.1.1 Security Parameters
The primary security parameters for the ML family are the lattice dimension n, the modulus q, and the
balanced norm bound. The lattice dimension n is always even and we set N = n/2. Alternatives to the
norm bound parameter are a pair of integers (d1,d2) specifying binary Hamming weights (Note 5) or a 4-tuple of integers (d1+,d1–,d2+,d2–) specifying trinary Hamming weights (Note 5). See Sections A.Y.6 and
A.Y.7 for formulas expressing the norm bound in terms of the d values.
A common minimum lattice dimension is n = 502 (so N = 251). Typical parameters associated to the lattice
dimension n = 502 are q = 128 and a balanced norm bound of 0.896, corresponding to the Hamming parameters d1 = d2 = 72.
The NTRU public key cryptosystem uses a second modulus p. To distinguish the two moduli, the modulus
q is called the large modulus and the modulus p is called the small modulus. The large modulus q and the
small modulus p must be relatively prime (i.e., generate the unit ideal) in the convolution ring Z[X]/(X^N – 1).
The small modulus p need not be an integer. (Note 4.)
The NTRU signature scheme (NSS) uses additional security parameters L2NormBound1, L2NormBound2,
LinfBoundjMin (j = 0,1,2,3), LinfBoundjMax (j = 0,1,2,3), DevBoundj (j = 0,1,2,3), and DevBoundTotj (j =
0,1,2,3) for signature verification (SVVP-NTRU, Section 7.4.4). The NTRU signature scheme (NSS) also
uses additional security parameters that specify the form of the signature blinding element w. In the
EMSA6 encoding method (Section 8.1.2.1) for construction of w, these additional security parameters are
momentequalizationlevel and dw2. The selection of NSS security parameters must address the issues of
lattice reduction (Note 10), random forgery attempts (Note 11), lattice lifting (Note 12), and transcript
analysis (Note 13).
D.2.1.2 Generation Method
Considerations for generating domain parameters in the ML family include the following:
— The dimension n is an even number that may be predetermined as long as it is chosen sufficiently
large. It is recommended that N = n/2 be a prime number. (Note 2.)
— The modulus q and norm bound may be predetermined to provide an appropriate level of security.
(As the value of q increases and as the value of the norm bound decreases, it becomes easier to find the
target closest vector in a modular lattice. Note 1.)
— The modulus q and norm bound may be predetermined to provide an appropriate level of
decryption reliability. (As the value of q increases and as the value of the norm bound decreases, the
level of decryption reliability increases.)
Considerations for generating key pairs in the ML family include the following:
— The private key f and auxiliary private key g should be generated at random from the set of vectors of
dimension N and specified centered norm (or a sufficiently large subset of this set of vectors).
(Note 6.)
— The encryption blinding element r and the message element m should be selected from the set of
vectors of dimension N and specified centered norm (or a sufficiently large subset of this set of
vectors). They may be chosen at random or generated using a predetermined method. (Note 7.)
— The signature message representative i should be selected from a sufficiently large subset of the set of
vectors of dimension N. It should be chosen using a recommended encoding scheme (Note 10).
— The signature blinding element w should be selected from the set of vectors of dimension N and
specified centered norm (or a sufficiently large subset of this set of vectors). It should be chosen
using a recommended encoding scheme (Notes 12 and 13).
The domain parameters N, q, p, and the norm bound may be shared among key pairs. The norm bound may be
specified by describing the sample spaces for the private keys f and g, for example as sets of binary or
trinary polynomials. (Note 5.) The private key f should not be shared. The auxiliary private key g also
should not be shared; it may be discarded after being used to generate the public key h. The encryption
blinding element r should not be revealed and should not be reused. (Note 8.) The message element m
should not be encrypted using two different blinding elements. (Note 8.)
D.2.1.3 Other Considerations
The private-key representation does not affect security in general, although the effectiveness of physical
attacks may vary according to the representation. The private key should be stored securely, and the
encryption blinding value should be erased after use. The domain parameters should be protected from
unauthorized modification. See P1363 Annex D.7 for additional information on implementation attacks.
D.2.1.4 Notes
1. Security parameters: The security of schemes in the ML family against attacks whose goal is to
solve the closest vector problem depends on the difficulties of general-purpose lattice reduction
methods. The security also depends on the difficulty of exhaustive and collision-search methods. In
turn, the difficulty of general-purpose lattice reduction methods depends on the dimension 2N of the
lattice, on the modulus q, and on the norm ratio that measures the distance of the target vector
from a known vector (in a balanced ML CVP). The difficulty of exhaustive and collision-search
methods depends on the size of the space from which the target vector is chosen.
An exhaustive search algorithm tries all allowable values for v1, computes the value of v2 = v1*h, and
checks if v2 is an allowable value. Let S1 denote the sample space for v1. The exhaustive search
method has average running time ½|S1| for general modular lattices and average running time
(1/2N)|S1| for convolution modular lattices (since a convolution modular lattice will generally have
N target vectors). An exhaustive search algorithm has no storage requirements.
A collision search algorithm of Odlyzko is described in [Si97]. If S1 = BN(d) is the space of binary
vectors of dimension N with d ones, then the running time of the collision search method is
approximately d^(1/2)·C(N/2,d/2) operations. (Here C(n,k) = n!/(k!(n–k)!) is the usual combinatorial
symbol.) The storage requirement is approximately 2·C(N/2,d/2). It is not known if there is a
collision search method that does not require substantial storage, but it is recommended that security
be computed under the assumption that storage requirements are not an issue. The following table
lists the time and storage requirements for collision searches for various choices of security
parameters.
N     d     Time (operations)   Storage
167   48    2^71.9              2^70.1
251   72    2^108.2             2^106.1
347   100   2^150.0             2^147.7
503   145   2^218.2             2^215.6
Table D.1. Collision Search Time and Storage Requirements in BN(d)
For modular lattices of large dimension, the fastest general purpose lattice reduction methods known
are variants of the BKZ-LLL algorithm (see [LLL82], [LLS90], [Sch87], [Sch88], [SE94], [SH95]).
The average running time for BKZ-LLL on a lattice L of dimension n and block size is bounded
by O( O( n^3) and BKZ-LLL is guaranteed to return a vector of length at most 2^O(n/ ) 1(L). In practice
the returned vector and running time are somewhat better than predicted by theory. However,
experiments suggest that for lattices in the ML family with fixed norm ratio and fixed dimension/modulus ratio N/q, the running time for BKZ-LLL to solve the CVP or to find any other
very close vector is fully exponential in the dimension N.
The security parameters should be selected so that both the general-purpose methods and the
collision-search methods have sufficient running time. Often, the parameters are selected so that the
difficulty of both types of method is about the same. It does not have to be the same, however. For a
variety of reasons, such as availability of hardware, for example, an implementation may choose a
larger search space.
As noted above, a common minimum set of security parameters is (N,q,d1,d2) = (251,128,72,72) with
a norm bound of 0.896. Experiments support the view that the average time to find the target vector
in a convolution modular lattice CVP with fixed norm ratio and N/q = 1.96 is given by the
formula
T ≈ 0.083N – 7.50 MIPS-Years.
(For d1 = d2 = d, the norm ratio is obtained by setting d = 0.2874N.) The following table
provides an extrapolated estimate for the running time of BKZ-LLL on convolution modular lattices
with this norm ratio and using d1 = d2 ≈ 0.2874N. The estimate is given in MIPS-Years, where
a MIPS-Year is the approximate amount of computation that a machine capable of performing one
million arithmetic instructions per second would perform in one year (about 3 × 10^13 arithmetic
instructions).
N = ½ dim(L)   Processing Time (MIPS-Years)
167            2.3 × 10^6
251            2.1 × 10^13
347            2.0 × 10^21
503            1.8 × 10^34
Table D.2. Estimated Cryptographic Strength for Convolution Modular Lattices (d1 = d2 ≈ 0.2874N)
There is some variation among published estimates of running time due to the particular definition
of a MIPS-Year and to the difficulty of estimating actual processor utilization. (How many
arithmetic instructions a modern processor performs in a second when running an actual piece of
code depends heavily not only on the clock rate, but also on the processor architecture, the amount
and speeds of caches and RAM, and the particular piece of code.) Thus, the estimates given here
may differ from others in the literature, although the relative order of growth remains the same. The
sample space for the target vector should be selected so that the collision-search methods have
sufficient difficulty.
2. Selection of dimension security parameter N: It is required that the security parameter N be prime
(i.e., the dimension n of the lattice be twice a prime). If N is highly composite (e.g., if N is a power
of 2), then Gentry [Ge01] has shown that a folding method allows the private key and plaintext to be
recovered from a lattice of dimension much smaller than N.
3. Selection of large modulus security parameter q: It is recommended that for each prime divisor q0 of
q, the polynomial X^N – 1 modulo q0 should have no factors of small degree (aside from the obvious
factor X – 1). If N is prime (Note 2), then X^N – 1 modulo q0 factors as (X – 1)A1(X)…Ae(X), where
each Ai(X) has degree equal to the multiplicative order of q0 modulo N. The following table lists
some security parameters satisfying this recommendation.
N     q     q0    Order(q0 mod N)
167   64    2     83
251   128   2     50
263   128   2     131
347   128   2     346
503   256   2     251
Table D.3. Factorization of X^N – 1 modulo q0
This condition on the security parameters is only a recommendation because at present there are no
known significant improvements in finding target vectors in modular lattices if the condition is not
satisfied.
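The Note 2 requirement and the Note 3 recommendation can be checked mechanically. The following Python is an added example, not part of the draft: it computes the multiplicative order of q0 modulo N (from which the degrees of the non-trivial factors of X^N – 1 modulo q0 follow for prime N) and reproduces the Order column of Table D.3. The numeric threshold for what counts as a "small" degree is an assumed parameter chosen by the implementer; the draft gives none.

```python
from math import gcd


def is_prime(n: int) -> bool:
    """Trial-division primality test; adequate for the sizes of N used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def prime_divisors(q: int) -> list[int]:
    """Distinct prime divisors of q (q is a small integer such as 128)."""
    out, m, f = [], q, 2
    while f * f <= m:
        if m % f == 0:
            out.append(f)
            while m % f == 0:
                m //= f
        f += 1
    if m > 1:
        out.append(m)
    return out


def multiplicative_order(a: int, N: int) -> int:
    """Smallest e > 0 with a^e = 1 (mod N); requires gcd(a, N) == 1."""
    if gcd(a, N) != 1:
        raise ValueError("a and N must be coprime")
    e, x = 1, a % N
    while x != 1:
        x = (x * a) % N
        e += 1
    return e


def factor_degrees(N: int, q0: int) -> tuple[int, int]:
    """For prime N and q0 not dividing N, X^N - 1 = (X - 1) A_1(X) ... A_e(X)
    modulo q0 with every deg A_i = ord_N(q0).  Returns (deg A_i, e)."""
    if not is_prime(N):
        raise ValueError("Note 2: N must be prime")
    d = multiplicative_order(q0, N)
    return d, (N - 1) // d


def check_parameters(N: int, q: int, min_degree: int) -> dict:
    """Apply Note 2 (requirement) and Note 3 (recommendation) to (N, q).

    min_degree is the implementer's threshold for 'small degree' (an assumed
    parameter; the draft gives no numeric value).
    """
    result = {"N_prime": is_prime(N), "q0_orders": {}, "note3_ok": True}
    if not result["N_prime"]:
        result["note3_ok"] = False      # the prime-N factorisation does not apply
        return result
    for q0 in prime_divisors(q):
        if N % q0 == 0:                 # X^N - 1 is inseparable mod q0; reject
            result["note3_ok"] = False
            continue
        degree, _ = factor_degrees(N, q0)
        result["q0_orders"][q0] = degree
        if degree < min_degree:
            result["note3_ok"] = False
    return result


if __name__ == "__main__":
    # Rows of Table D.3, plus a highly composite N that Note 2 rules out.
    for N, q in [(167, 64), (251, 128), (263, 128), (347, 128), (503, 256), (256, 128)]:
        print(N, q, check_parameters(N, q, min_degree=32))
```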
4. Selection of small modulus security parameter p: If the small modulus p divides the large modulus
q, then reduction modulo p of an expression p*r*h + m modulo q will immediately recover m. More
generally, if p and q are not relatively prime in the ring Z[X]/(X^N – 1), then reduction modulo a
common factor will reveal information about m. For this reason it is required that the large modulus
q and the small modulus p be relatively prime in the ring Z[X]/(X^N – 1). This is equivalent to the
condition that the three quantities q, p, and X^N – 1 must generate the unit ideal in the ring Z[X].
The large modulus q is required to be in Z, but the small modulus p need not be in Z. For example,
if N is odd and if q is a power of 2, then p could equal X + 2 or X – 2, since the three quantities X^N –
1, 2^k, and X ± 2 generate the unit ideal in the ring Z[X].
5. Selection of target vectors: A standard sample space for target vectors v = [v1,v2] is to choose
binary vectors v1 in BN(d1) and v2 in BN(d2). The vectors should be selected randomly or pseudorandomly from these spaces. (See P1363 Annex D.6 for more on random number generation.) The
values of d1 and d2 are chosen to provide an appropriate value of the norm security parameter. See
Section A.Y.6 for the formula expressing it in terms of d1 and d2, and see Note 1 for its selection. For a
given choice of d1 and d2, there are no classes of vectors v1 and v2 that are known to affect the
average running time of lattice reduction algorithms.
If d1 or d2 is very small, then the zero-forcing algorithms of May [Ma99] and Silverman [Si99] for
modular convolution lattices may allow reduction of the lattice dimension. In the case that
d1 = d2 = d, the speedup in performing an r-fold zero-force is approximately (1 – (1 – e^(–dr/N))^N)
multiplied by e raised to the power r times the coefficient of N in the running-time formula for the
given class of lattices (see Section A.Y.4). The optimal value of r may be determined using this
formula. For the common security parameters N/q = 1.96 and d ≈ 0.2874N (corresponding to a norm
bound of 0.896), that coefficient is 0.083 and the speedup from an r-fold zero-force is approximately
(1 – (1 – e^(–0.2874r))^N) e^(0.083r). The optimal choice for r and the expected speedups are listed in
the following table. The gain in speed is negligible for the listed parameter choices.
N = ½ dim(L)   Optimal r   Speedup
167            15          3.11
251            17          3.49
347            18          3.83
503            19          4.27
Table D.4: Estimated Speedup for r-Fold Zero-Forcing in Convolution Modular Lattices (d1 = d2 ≈ 0.2874N)
Another standard sample space for target vectors v = [v1,v2] is to choose trinary vectors v1 in TN(d1+,d1–)
and v2 in TN(d2+,d2–). The vectors should be selected randomly or pseudorandomly from these
spaces. (See P1363 Annex D.6 for more on random number generation.) The values of d1+, d1–, d2+,
and d2– are chosen to provide an appropriate value of the norm security parameter. See Section A.Y.7
for the formula expressing it in terms of d1+, d1–, d2+, d2–, and see Note 1 for its selection. If d1+ + d1– or d2+ + d2– is
very small, then as above the zero-forcing algorithms of May [Ma99] and Silverman [Si99] may allow
reduction of the lattice dimension. For a given choice of d1+, d1–, d2+, d2–, there are no classes of vectors
v1 and v2 that are known to affect the average running time of lattice reduction algorithms.
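The work-factor estimates of Note 1 (Tables D.1 and D.2) and the zero-forcing speedup of Note 5 (Table D.4) share the coefficient 0.083, so one added Python example reproduces all three tables. It is not the draft's own code; it assumes that N/2 and d/2 are rounded up in the collision-search binomial and that the running-time formula of Note 1 is read as log10 of the MIPS-year count, both assumptions being what reproduce the tabulated values.

```python
import math

LAMBDA = 0.083   # coefficient of N in the draft's extrapolated BKZ-LLL running time
MU = -7.50       # constant term of that formula


def collision_search_cost(N: int, d: int) -> tuple[float, float]:
    """Odlyzko collision search in B_N(d): returns (log2 time, log2 storage).

    Time ~ d^(1/2) * C(N/2, d/2) operations, storage ~ 2 * C(N/2, d/2).
    Assumption: N/2 and d/2 are rounded up, which reproduces Table D.1.
    """
    half_n = -(-N // 2)
    half_d = -(-d // 2)
    log2_binom = math.log2(math.comb(half_n, half_d))   # exact big-int log2
    return 0.5 * math.log2(d) + log2_binom, 1.0 + log2_binom


def exhaustive_search_log2(N: int, d: int) -> float:
    """log2 of the (1/2N)|S1| average exhaustive-search time in B_N(d)."""
    return math.log2(math.comb(N, d)) - math.log2(2 * N)


def bkz_mips_years(N: int) -> float:
    """Extrapolated BKZ-LLL time for fixed norm ratio and N/q = 1.96.

    Assumption: 'T ~ 0.083N - 7.50 MIPS-years' is read as log10(T), which
    reproduces Table D.2 (e.g. N = 251 gives about 2.1e13).
    """
    return 10.0 ** (LAMBDA * N + MU)


def zero_forcing_speedup(N: int, r: int, d_ratio: float = 0.2874) -> float:
    """Speedup of an r-fold zero-force (Note 5) with d1 = d2 = d ~ d_ratio * N:
    (1 - (1 - e^(-dr/N))^N) * e^(LAMBDA * r)."""
    p_any_zero = 1.0 - (1.0 - math.exp(-d_ratio * r)) ** N
    return p_any_zero * math.exp(LAMBDA * r)


def optimal_zero_forcing(N: int, max_r: int = 60) -> tuple[int, float]:
    """(r, speedup) maximising the zero-forcing speedup over r = 1..max_r."""
    best_r = max(range(1, max_r + 1), key=lambda r: zero_forcing_speedup(N, r))
    return best_r, zero_forcing_speedup(N, best_r)


if __name__ == "__main__":
    print("Table D.1: collision search in B_N(d)")
    for N, d in [(167, 48), (251, 72), (347, 100), (503, 145)]:
        t, s = collision_search_cost(N, d)
        print(f"  N={N:3d} d={d:3d}  time 2^{t:.1f}  storage 2^{s:.1f}"
              f"  (exhaustive 2^{exhaustive_search_log2(N, d):.1f})")
    print("Table D.2: extrapolated BKZ-LLL time (MIPS-years)")
    for N in (167, 251, 347, 503):
        print(f"  N={N:3d}  {bkz_mips_years(N):.1e}")
    print("Table D.4: optimal r-fold zero-forcing")
    for N in (167, 251, 347, 503):
        r, sp = optimal_zero_forcing(N)
        print(f"  N={N:3d}  r={r:2d}  speedup {sp:.2f}")
```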
6. Selection of private keys: A private key consists of a pair (f(X),g(X)). The associated public key
h(X) is formed via the relation
f(X) * h(X) ≡ g(X) (mod q).
The associated CML CVP formed from the coefficients of h(X) has target vector v = [v1,v2] formed
from the coefficients of [f(X),g(X)]. The selection of f(X) and g(X) should follow the guidelines
described in this Annex for the selection of target vectors for ML CVPs.
In the case that f(X) has the form f0(X) + p*F(X) for a known polynomial f0(X) (e.g., f0(X) = 1), then
the CML CVP target vector is the vector [F(X),g(X)]. Similarly if g(X) has the form g0(X) + p*G(X)
for a known polynomial g0(X). In these situations the security must be computed using the smaller
norm bound associated to [F(X),g(X)] or [F(X),G(X)].
7. Selection of encryption blinding elements and message elements: The blinding element r(X) and the
message element m(X) should be selected from sample spaces with characteristics similar to those
for the two parts of the private key f(X) and g(X). The ciphertext e(X) is formed from the public key
h(X), the message element m(X), and the blinding element r(X) via the formula
e(X) ≡ p * r(X) * h(X) + m(X) (mod q).
The CML formed using the coefficients of the public key h(X) may be used to formulate a CVP in
which the target vector v = [v1,v2] is formed from the coefficients of [r(X),m(X)]. The selection of
r(X) and m(X) should follow the guidelines described in this Annex for the selection of target
vectors for ML CVPs.
In order to prevent chosen ciphertext attacks ([HS99],[JJ00]), it is recommended that the message
element m(X) be generated in an invertible fashion from the plaintext M and an appropriate amount
of random blinding material R and that the element r(X) be generated deterministically as a hash
function of M and R. It is further recommended that the decrypter regenerate the element r(X) and
verify that the ciphertext e(X) is the encryption of m(X) by the element r(X) and that the decrypter
reject the message as invalid if it is not.
8. Reuse of blinding or message elements: A blinding element r(X) should not be reused, since if r(X)
is used to send two messages m1(X) and m2(X), then the difference of the two ciphertexts e1(X) – e2(X)
≡ m1(X) – m2(X) (mod q) will reveal a large portion of m1(X) and m2(X).
A single message element m(X) should not be encrypted using two different blinding elements. If
m(X) is encrypted using r1(X) and r2(X), then the quantity
(p*h(X))^–1 (e1(X) – e2(X)) ≡ r1(X) – r2(X) (mod q)
will reveal a large portion of r1(X) and r2(X). (Even if h(X)^–1 mod q does not exist, one may still gain
considerable information using a partial inverse.) Recommended message encoding methods
(Section 8.2) include inclusion of random bits in the message element.
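The decrypter-side consistency check recommended in Note 7, and the leak from blinding-element reuse described in Note 8, worked in a toy convolution ring as an added example (not the draft's or any NTRU implementation's code). The domain parameters, the constructed public key H_PUBLIC, the base-3 message encoding and the SHA-256-based derivation of r are illustrative assumptions, not the standard's EME/EMSA methods.

```python
import hashlib

# Toy domain parameters (assumed): far too small for real use, chosen so the
# ring arithmetic stays readable.  M_LEN + R_LEN bytes must fit in 3^N values.
N, p, q = 23, 3, 64
D_R = 5                  # Hamming weight of the binary blinding element r (assumed)
M_LEN, R_LEN = 2, 2      # bytes of plaintext M and random blinding material R (assumed)
assert 256 ** (M_LEN + R_LEN) <= 3 ** N

# Constructed public key h: an arbitrary polynomial mod q, not derived from any
# private key (the Note 7 check never needs one).
H_PUBLIC = [(7 * i * i + 3) % q for i in range(N)]


def conv_mul(a, b):
    """Product in the convolution ring Z[X]/(X^N - 1), coefficients unreduced."""
    out = [0] * N
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                out[(i + j) % N] += ai * bj
    return out


def centered_mod_q(a):
    """Reduce each coefficient into the range (-q/2, q/2]."""
    return [((c + q // 2 - 1) % q) - (q // 2 - 1) for c in a]


def encode_m(M, R):
    """Invertible encoding of (M, R) as a trinary polynomial: the base-3 digits
    of the integer M||R, each shifted to {-1, 0, 1} (illustrative, not EME)."""
    v = int.from_bytes(M + R, "big")
    m = []
    for _ in range(N):
        v, digit = divmod(v, 3)
        m.append(digit - 1)
    return m


def decode_m(m):
    """Inverse of encode_m; raises OverflowError if m is not a valid encoding."""
    v = 0
    for c in reversed(m):
        v = 3 * v + (c + 1)
    raw = v.to_bytes(M_LEN + R_LEN, "big")
    return raw[:M_LEN], raw[M_LEN:]


def derive_r(M, R):
    """Deterministic blinding element r = H(M, R): a binary polynomial with D_R
    ones at positions read from a SHA-256 stream (illustrative assumption)."""
    stream = hashlib.sha256(b"r-derivation" + M + R).digest()
    positions = []
    while len(positions) < D_R:
        for byte in stream:
            pos = byte % N          # small bias is acceptable for a demonstration
            if pos not in positions:
                positions.append(pos)
            if len(positions) == D_R:
                break
        stream = hashlib.sha256(stream).digest()
    r = [0] * N
    for pos in positions:
        r[pos] = 1
    return r


def encrypt_with_r(h, m, r):
    """e = p*r*h + m (mod q), as in Note 7."""
    prh = conv_mul([p * c for c in r], h)
    return centered_mod_q([x + y for x, y in zip(prh, m)])


def encrypt(h, M, R):
    return encrypt_with_r(h, encode_m(M, R), derive_r(M, R))


def decrypter_check(h, e, m_recovered):
    """Note 7: from the recovered m rebuild (M, R) and r, re-encrypt, and accept
    only if the result equals the received ciphertext; otherwise reject."""
    try:
        M, R = decode_m(m_recovered)
    except OverflowError:
        return False
    return encrypt_with_r(h, m_recovered, derive_r(M, R)) == e


def reuse_leak(e1, e2):
    """Note 8: one r for two messages gives e1 - e2 = m1 - m2 (mod q), and since
    |m1 - m2| <= 2 < q/2 the centered difference is m1 - m2 exactly."""
    return centered_mod_q([a - b for a, b in zip(e1, e2)])
```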
9. Generation of private keys and blinding elements using small Hamming weight products: It may be
computationally advantageous to choose the private key f(X) and/or the blinding element r(X) to be
a product, or a sum of products, of elements of low Hamming weight (i.e., with few nonzero
coefficients). (See Annex A.5.6.) In the case that f(X) has the form f0(X) + p*F(X), the same remark
applies to F(X). The size of the search space and the possibility of square-root-type searches must be
analyzed if this method is used. (See Annex A.5.6 and [HS01] for details.) Tables D.5–D.8 give
effective search space sizes for typical forms of cryptographic interest.
N     d1    d2    d3    Search
251   8     8     8     2^97
347   11    11    11    2^135
503   20    20    20    2^236
Table D.5. Effective search space for f = f0 + p*(f1*f2 + f3) with f0 known and fi in B(di) for i = 1,2,3
N     d1    d2    d3    Search
251   8     8     8     2^97
347   11    11    11    2^135
503   12    13    14    2^165
Table D.6. Effective search space for r = r1*r2 + r3 with ri in B(di) for i = 1,2,3
N     d1+   d1–   d2+   d2–   Search
251   5     5     7     7     2^109
347   7     7     10    10    2^155
503   11    11    11    11    2^219
Table D.7. Effective search space for f = f0 + p*f1*f2 with f0 known and fi in T(di+,di–) for i = 1,2
N     d1+   d1–   d2+   d2–   Search
251   4     4     5     5     2^87
347   6     6     7     7     2^129
503   10    10    10    10    2^203
Table D.8. Effective search space for g = g0 + p*g1*g2 with g0 known and gi in T(di+,di–) for i = 1,2
There are no known lattice reduction methods that take advantage of a product structure in the target
vector(s) to improve their performance.
10. Selection of message representatives and signature blinding elements: The message representative i
should be selected using a hash function encoding process on the message m. An example encoding
process is EMSA5 (Section 8.1.1). The message representative should be selected from a
sufficiently large sample space to make it infeasible to find two messages with the same message
representative.
The signature blinding element w should be selected using an approved encoding process. An
example encoding process is EMSA6 (Section 8.1.2). See also Notes 12 and 13.
The signature blinding element w should be selected so that if w and w' are blinding elements on
two signatures s = f*w (mod q) and s' = f*w' (mod q), then the convolution modular lattice formed
from s'*s^–1 (mod q) with target short vector [w,w'] has the desired extrapolated search time. (See
Note 1.)
11. Selection of signature verification parameters: The signature verification parameters
L2NormBound1, L2NormBound2, LinfBoundjMin (j = 0,1,2,3), LinfBoundjMax (j = 0,1,2,3),
DevBoundj (j = 0,1,2,3), and DevBoundTotj (j = 0,1,2,3) must be selected to prevent creation of
forged signatures.
The norm bounds tie the signature directly to a hard lattice problem. In particular, given a message
representative i for a public key h, there is a target vector a_i in the convolution modular lattice L_h
attached to h so that a valid signature s for i determines a vector in L_h that is (heuristically) no more
than
$$\frac{\text{L2NormBound2}}{\sqrt{Nq/\pi e}}$$
times as far away from a_i as the closest vector in L_h is to a_i. L2NormBound2 should be selected to
make this approximate closest vector problem hard. The other norm bounds (L2NormBound1 and
LinfBoundjMin) should be selected to provide additional constraints that are satisfied by signatures
created using the private key.
The deviation bounds tie the signature to the message via mod p conditions. They should be selected
to provide constraints that are satisfied by signatures created using the private key. In particular, if
polynomials s and t are formed by first selecting half of their coefficients to match i modulo p and
then solving t = h*s (mod q) for the remaining coefficients, then there should be a very small
probability that sdata[j][0] + sdata[j][1] + tdata[j][0] + tdata[j][1] ≤ DevBoundTotj for j = 0, 1, 2, 3. For an
s that is half preselected in this way, the probability that s satisfies this deviation bound condition for
j = 0 and j = 1 is given approximately by the formula (with p = 3)
$$\text{Probability} \approx \left(\frac{2}{3}\right)^{N} \sum_{b \le \text{DevBoundTot1}} \;\sum_{c \le \text{DevBoundTot2}} T(N;b,c)\left(\frac{1}{4}\right)^{b+c}.$$
The quantity T(N;b,c) is the trinomial coefficient N!/(b!c!(N–b–c)!). Table D.9 gives the probability of
half preselected (s,t) satisfying the deviation test for j=1 and j=2 and various values of
DevBoundTot1 and DevBoundTot2.
N     DevBoundTot1   DevBoundTot2   Probability
251   8              20             2^–57
251   6              17             2^–68
251   4              14             2^–81
Table D.9. Probability that a half preselected (s,t) passes deviation tests
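Evaluating the Note 11 probability exactly, so that Table D.9 can be regenerated for other bounds, as an added example that is not part of the draft. It uses Python's Fraction to avoid floating-point underflow in the (2/3)^N factor and reports log2 of the result.

```python
from fractions import Fraction
from math import comb, log2


def trinomial(N: int, b: int, c: int) -> int:
    """T(N;b,c) = N!/(b! c! (N-b-c)!) = C(N,b) * C(N-b,c)."""
    if b < 0 or c < 0 or b + c > N:
        return 0
    return comb(N, b) * comb(N - b, c)


def deviation_pass_probability(N: int, bound1: int, bound2: int) -> Fraction:
    """Exact value of (2/3)^N * sum_{b<=bound1} sum_{c<=bound2} T(N;b,c) (1/4)^(b+c)."""
    total = Fraction(0)
    for b in range(bound1 + 1):
        for c in range(bound2 + 1):
            total += Fraction(trinomial(N, b, c), 4 ** (b + c))
    return Fraction(2, 3) ** N * total


def log2_probability(N: int, bound1: int, bound2: int) -> float:
    """log2 of the probability, computed from the exact fraction (no underflow)."""
    pr = deviation_pass_probability(N, bound1, bound2)
    return log2(pr.numerator) - log2(pr.denominator)


if __name__ == "__main__":
    # The three rows of Table D.9.
    for bound1, bound2 in [(8, 20), (6, 17), (4, 14)]:
        print(f"N=251  DevBoundTot1={bound1:2d}  DevBoundTot2={bound2:2d}"
              f"  probability ~ 2^{log2_probability(251, bound1, bound2):.1f}")
```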
12. Selection of signature blinding elements to prevent lattice lifting: A signature s has the form s = f*w
(mod q). The signature blinding element w is naturally written in the form
w = (u^–1*i mod p) + (u^–1*w1 mod p) + p*w2,
where i is the message representative and w1 and w2 are blinding element pieces.
The product f*w must have sufficiently many coefficients outside the range (–q/2,q/2] so that
knowledge of s does not allow reconstruction of f*w exactly, and similarly for t = h*s = g*w (mod
q), since exact knowledge of f*w and g*w (or of f*w and f*w' for two different values w and w')
may allow recovery of f or g from a lattice of dimension N. Coefficients with nontrivial reduction
modulo q tend to cluster near –q/2 and near q/2 and their presence may be detected by a mod p
comparison of s and/or t with m, so the blinding element piece w1 should be chosen to hide a
significant number of the common nontrivial mod q reductions in f*w and g*w. (See EMSA6
encoding, Section 8.1.2.1, for details of a method to choose w1 to achieve this effect.) After s and t
have been generated, the number of indices j for which the coefficients sj and tj agree modulo p
with mj, yet for which (f*w)j and (g*w)j both lie outside the range (–q/2,q/2], should be counted. The
number of such hidden reductions should be at least equal to a security parameter hiddenwrapbound
that is chosen to make it infeasible to do an exhaustive search for the hidden reductions. It should be
noted that in order to generate a useful lattice, it is necessary to recover either two values f*w and
f*w' exactly or to recover two values f*w and g*w exactly.
The polynomial phi = (F – G)*w must also have sufficiently many coefficients outside of the range
(–q/2,q/2] so that knowledge of
phi (mod q) = (F – G)*w (mod q) = p^–1*(s – t) (mod q)
does not allow reconstruction of (F – G)*w exactly, since exact knowledge of (F – G)*w for two
different values of w may allow recovery of F – G from a lattice of dimension N. After w is
selected, the polynomial phi should be computed and the number of indices j for which phi_j is
outside the range (–q/2,q/2] should be at least equal to a security parameter phiwrapbound that is
chosen to make it infeasible to do an exhaustive search for phi. It should be noted that in order to
generate a useful lattice, it is necessary to recover the value of phi for two different values of w.
Specific sample sets for w2 and i satisfying these criteria may be determined by experiment. It is
recommended that the security parameters be chosen so that it be infeasible to do an exhaustive
search for the exact values of f*w or g*w. Sample values for the following security parameters can
be found in [CEES].
N                         polynomial degree
q                         large modulus
p                         small modulus
du                        private key size (u has du 1's and –1's)
df                        private key size (F has df 1's and –1's, f = u + p*F)
dg                        private key size (G has dg 1's and –1's, g = u + p*G)
di                        message representative size (number of 1's and –1's in i)
dw2                       blinding element size (number of 1's and –1's in w2)
momentequalizationlevel   moment equalization level for blinding element w2
phiwrapbound              signature reduction parameter (number of reductions required in phi)
hiddenwrapbound           signature reduction parameter (number of simultaneous hidden reductions required in f*w and g*w)
L2NormBound1              individual L2 norm bound for p^–1(s – m) and p^–1(t – m)
L2NormBound2              simultaneous L2 norm bound for p^–1(s – m) and p^–1(t – m)
LinfBound0Min             L∞ norm frequency lower bound for p^–1(s – m) and p^–1(t – m)
LinfBound1Min             L∞ norm frequency lower bound for p^–1(s – m) and p^–1(t – m)
LinfBound2Min             L∞ norm frequency lower bound for p^–1(s – m) and p^–1(t – m)
LinfBound3Min             L∞ norm frequency lower bound for p^–1(s – m) and p^–1(t – m)
LinfBound0Max             L∞ norm frequency upper bound for p^–1(s – m) and p^–1(t – m)
LinfBound1Max             L∞ norm frequency upper bound for p^–1(s – m) and p^–1(t – m)
LinfBound2Max             L∞ norm frequency upper bound for p^–1(s – m) and p^–1(t – m)
LinfBound3Max             L∞ norm frequency upper bound for p^–1(s – m) and p^–1(t – m)
DevBound0                 individual quartile deviation bound for s – m and t – m modulo p
DevBound1                 individual quartile deviation bound for s – m and t – m modulo p
DevBound2                 individual quartile deviation bound for s – m and t – m modulo p
DevBound3                 individual quartile deviation bound for s – m and t – m modulo p
DevBoundTot0              simultaneous quartile deviation bound for s – m and t – m modulo p
DevBoundTot1              simultaneous quartile deviation bound for s – m and t – m modulo p
DevBoundTot2              simultaneous quartile deviation bound for s – m and t – m modulo p
DevBoundTot3              simultaneous quartile deviation bound for s – m and t – m modulo p
13. Selection of signature blinding elements to prevent transcript averaging and transcript frequency
analysis: It is recommended that the signature blinding element w be chosen to prevent transcript
frequency analysis methods. (See Annex A, Section A.5.7.) It is recommended that this be done
using a recommended encoding method. (See for example EMSA6, Section 8.1.2.) This method
requires that w2 be selected partially at random and partially to mask the frequency differences that
occur in u^–1*i mod p when i is chosen from a subtranscript (e.g., when i is chosen to have one or
more coefficients equal to particular values modulo p). This masking is accomplished by selecting
coefficients of w2 so that the frequency distribution of the jth coefficient of the quantity
(u^–1*i mod p) + p*w2
has its initial momentequalizationlevel moments the same regardless of the value of the jth coefficient
of u^–1*i mod p. For example, equalization of first moments means that the averages are the same
(and should equal zero). Equalization of first and second moments means that the averages and
standard deviations are the same. Methods for doing moment equalization at levels 1, 2, 4, and 7 are
given in Section 8.1.2. Moment equalization at other levels is also possible.