WO2001001625A1 - Secure user identification based on ring homomorphisms - Google Patents

Abstract

A method and system is disclosed for performing user identification, digital signatures and other secure communication functions based on ring homomorphisms (220). In one embodiment, a secure user identification technique is disclosed in which one of the system users, referred to as a Prover, randomly selects an element g from the set Rg. The Prover (230) evaluates the homomorphism O(g) (220) to another user referred to as the Verifier. The Verifier randomly selects a challenge element c from the set Rc. The Verifier transmits c to the Prover (230). The Prover (230) generates a response element h using the private key f and the elements c and g. The element h may be generated in the form g*(f+c*g) using addition + and multiplication * in the ring R; or more generally by choosing a set of elements gi, receiving a set of challenge elements ci, creating modified challenge elements dj from the challenge elements ci, transmitting the modified challenge elements di to the Verifier, and generating the response element h as a polynomial function of the secret key f and the selected elements gi, ci, and dj. The Verifier checks that the element h is in the set Rh. The Verifier also evaluates the homomorphism O (220) at the element h and compares the result O(h) to a function of O(g), O(c), and the public key O(f) (240) of the power.

Description

SECURE USER IDENTIFICATION BASED ON RING HOMOMORPHISMS

FIELD OF THE INVENTION

The present invention relates generally to secure communication and document identification over computer networks or other types of communication systems and, more particularly, to secure user identification and digital signature techniques based on ring homomoφhisms. The invention also has application to communication between a card, such as a "smart card", or other media, and a user terminal.

BACKGROUND OF THE INVENTION

User identification techniques provide data security in a computer network or other communications system by allowing a given user to prove its identity to one or more other system users before communicating with those users. The other system users are thereby assured that they are in fact communicating with the given user. The users may represent individual computers or other types of terminals in the system. A typical user identification process of the challenge-response type is initiated when one system user, referred to as the Prover, sends certain information in the form of a commitment to another system user, referred to as the Verifier. Upon receipt of the commitment, the verifier sends a challenge to the Prover. The Prover uses the commitment, the challenge, and its private key to generate a response, which is sent to the Verifier. The Verifier uses the commitment, the response and a public key to verify that the response was generated by a legitimate prover. The information passed between the Prover and the Verifier is generated in accordance with cryptographic techniques which insure that eavesdroppers or other attackers cannot interfere with or forge the identification process.

It is well known that a challenge-response user identification technique can be converted to a digital signature technique by the Prover utilizing a one-way hash function to simulate a challenge from a Verifier. In such a digital signature technique, a Prover generates a commitment and applies the one-way hash function to it and a message to generate the simulated challenge. The Prover then utilizes the simulated challenge, the commitment and a private key to generate a digital signature, which is sent along with the message to the Verifier. The Verifier applies the same one-way hash function to the commitment and the message to recover the simulated challenge and uses the challenge, the commitment, and a public key to validate the digital signature.

One type of user identification technique relies on the one-way property of the exponentiation function in the multiplicative group of a finite field or in the group of points on an elliptic curve defined over a finite field. This technique is described in U.S. Patent No. 4,995,082 and in C.P. Schnorr, "Efficient Identification and Signatures for Smart Cards," in G. Brassard, ed., Advances in Cryptology - Crypto '89, Lecture Notes in Computer Science 435, Springer- Verlag, 1990, pp. 239-252. This technique involves the Prover exponentiating a fixed base element g of the group to some randomly selected power k and sending it to the verifier. An instance of the Schnorr technique uses two prime numbers p and q chosen at random such that q divides p-1, and a number g of order q modulo p is selected. The numbers p, q, and g are made available to all users. The private key of the Prover is x modulo q and the public key y of the Prover is g^~" modulo p. The Prover initiates the identification process by selecting a random nonzero number z modulo q. The Prover computes the quantity g^z modulo p and sends it as a commitment to the Verifier. The Verifies selects a random number w from the set of integers { 1,2,..., 2'} where t is a security number which depends on the application and in the above-cited article is selected as 72. The Verifier sends w as a challenge to the Prover. The Prover computes a quantity u that is equal to the quantity z-t-xw modulo q as a response and sends it to the Verifier. The Verifier accepts the Prover as securely identified if g^z is found to be congruent modulo p to the quantity g^uy^z-

Another type of user identification technique relies on the difficulty of factoring a product of two large prime numbers. A user identification technique of this type is described in L.C. Guillou and J.J. Quisquater, "A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory," in C.G. Gunther, Ed. Advances in Cryptology - Eurocrypt '88, Lecture Notes in Computer Science 330, Springer-Verlag, 1988, pp. 123-128. This technique involves a Prover raising a randomly selected argument g to a power b modulo n and sending it to a Verifier. An instance of the Guillou-Quisquater technique uses two prime numbers p and q selected at random, a number n generated as the product of p and q, and a large prime number b also selected at random. The numbers n and b are made available to all users. The private key of the Prover is x modulo n and the public key y of the Prover is x^"b modulo n. The Prover initiates the identification process by randomly selecting the number g from the set of non-zero numbers modulo n. The Prover computes the quantity g^b modulo n and sends it as a commitment to the Verifier. The Verifier randomly selects a number c from the set of non-zero numbers modulo b and sends c as a challenge to the Prover. The Prover computes the number h that is equal to the quantity gx^c modulo n as a response and sends it to the Verifier. The Verifier accepts the Prover as securely identified if g^b is found to be congruent modulo n to h^by^c. Although the above-described Schnorr and Guillou-Quisquater techniques can provide acceptable performance in many applications, there is a need for an improved technique which can provide greater computational efficiency than these and other prior art techniques, and which relies for security on features other than discrete logarithms and integer factorization.

SUMMARY OF THE INVENTION

The present invention provides a method, system and apparatus for performing user identification, digital signatures and other secure communication functions based on ring homomorphisms. The ring homomorphism in accordance with the invention may utilize two rings R and B, a ring homomoφhism ø:R-> B, and four subsets R_f, R_g, R_h. and R_c of R. One element f in the set R_f serves as a private key for a given user. The result ø(f) of evaluating the homomoφhism ø at the element f serves as the public key of the given user.

Copending U.S. Patent Application Serial No. 08/954,712, filed October 20, 1997, and assigned, in joint ownership, to the same assignee as the present Application, discloses a user identification technique and digital signature technique based on partial evaluation of constrained polynomials over a finite field, and describes use of a response signal (such as in a commitment/challenge/response type of technique) that is generated by computing a polynomial as the product of a commitment polynomial with the sum of a private key and a challenge polynomial. The techniques hereof provide substantial improvements in computational efficiencies and lowering of processing requirements at equivalent security levels.

In accordance with one aspect of the invention, a secure user identification technique is provided in which one of the system users, referred to as a Prover, randomly selects an element g from the set R_g. The Prover evaluates the homomoφhism ø at the element g and transmits the result ø(g) to another user referred to as the Verifier. The Verifier randomly selects a challenge element c from the set R,.. The Verifier transmits c to the Prover. The Prover generates a response element h using the private key f and the elements c and g. The element h may be generated in the form g*(f+c*g) using addition + and multiplication * in the ring R; or more generally by choosing a set of elements g„ receiving a set of challenge elements c„ creating modified challenge elements d₍ from the challenge elements c_j? transmitting the modified challenge elements d_f to the Verifier, and generating the response element h as a polynomial function of the secret key f and the selected elements g_j5 c„ and d_j. The Verifier checks that the element h is in the set R_h. The Verifier also evaluates the homomoφhism ø at the element h and compares the result ø(h) to a function of ø(g), ø(c), and the public key ø(f) of the Prover. For example, if the element h is generated in the form g*(f+c*g), then the verifier may check if the value ø(h) is equal to the value ø(g)*(ø(f)+ø(c)*ø(g)) using addition + and multiplication * in the ring B. If the element h is in the set R,, and if the comparison of ø(h) to the function of ø(g), ø(c), and the public key ø(f) is correct, then the Verifier accepts the identity of the Prover. The Verifier may use the above-noted comparison for secure identification of the Prover, for authentication of data transmitted by the Prover, or for other secure communication functions.

In accordance with another aspect of the invention, a secure user identification technique is provided in which one of the system users, referred to as a Verifier, randomly selects a challenge element c from the set R^. The Verifier transmits c to another user referred to as the Prover. The Prover randomly chooses an element g from the set R_g and generates a response element h using the private key f and the elements c and g. The element h may be generated in the form g*(f+c*g) using addition + and multiplication * in the ring R; or more generally by generating the response element h as a polynomial function P(f,c,g) of the secret key f and the selected elements g and c. The Verifier checks that the element h is in the set R_h. The Verifier also evaluates the homomoφhism ø at the element h and verifies that the polynomial equation P(ø(f),ø(c),X)-ø(h)=^:0 has a solution X in the ring B. For example, if the element h is generated in the form g*(f+c*g), then the verifier may check if the polynomial ø(c)X²+ø(f)X-ø(h)=0 has a solution in B by checking if the element ø(f) +4ø(c)ø(h) is the square of an element in B. If the element h is in the set R,, and if the polynomial equation P(ø(f),ø(c),X)-ø(h)=0 has a solution X in the ring B, then the Verifier accepts the identity of the Prover. The Verifier may use the above- noted comparison for secure identification of the Prover, for authentication of data transmitted by the Prover, or for other secure communication functions. In accordance with another aspect of the invention, a digital signature technique is provided. A Prover randomly selects an element g from the set R_g. The Prover then computes ø(g) and applies a hash function to the element ø(g) and a message m to generate a challenge element c=Hash(ø(g),m) in the set R_c. The Prover utilizes g, c, and the private key f to generate an element h. The element h may be generated in the form g*(f+c*g) using addition + and multiplication * in the ring R, or more generally by choosing a set of polynomials g„ generating a corresponding set of elements c, using the hash function, and generating the response element h as a polynomial function h=P(f,c„g,). The Prover than transmits m, ø(g) and h to the Verifier. The Verifier checks that the element h is in the set R_h. The Verifier computes c=Hash(ø(g),m), evaluates ø(c) and ø(h), and compares the values of ø(g), ø(c), and ø(h) with the public key ø(f) of the Prover. For example, if the element h is generated in the form g*(f+c*g), then the verifier may check if the value ø(h) is equal to the value ø(g)*(ø(f)+ø(c)*ø(g)) using addition + and multiplication * in the ring B. If the element h is in the set R_h and if the comparison of ø(h) to the function of ø(g), ø(c), and the public key ø(f) is correct, then the Verifier accepts the signature of the Prover on the message m.

In accordance with another aspect of the invention, a digital signature technique is provided. A Prover randomly selects an element g from the set R_g. The Prover then applies a hash function to a message m to generate a challenge element c=Hash(m) in the set R_c. The Prover utilizes g, c, and the private key f to generate an element h. The element h may be generated in the form g*(f+c*g) using addition + and multiplication * in the ring R; or more generally by generating the response element h as a polynomial function P(f,c,g) of the secret key f and the selected elements g and c. The Prover than transmits m and h to the Verifier. The Verifier checks that the element h is in the set R_h. The Verifier computes c=Hash(m), evaluates ø(c) and ø(h), and verifies that the polynomial equation ø(P)(ø(f),ø(c),X)-ø(h)=0 has a solution X in the ring B, where ø(P) is the polynomial P with the homomoφhism ø applied to its coefficients. For example, if the element h is generated in the form g*(f+c*g), then the verifier may check if the polynomial ø(c)X²+ø(f)X-ø(h)=0 has a solution in B by checking if the element ø(f)²+4ø(c)ø(h) is the square of an element in B. If the element h is in the set R_h and if the polynomial equation ø(P)(ø(f),ø(c),X)-ø(h)=0 has a solution X in the ring B, then the Verifier accepts the signature of the Prover on the message m.

The present invention provides a method, system and apparatus for performing user identification, digital signatures and other secure communication functions based more particularly on ring homomoφhisms given by partial evaluation of constrained polynomials over a finite field. The ring R in accordance with the invention may utilize polynomials of degree less than N with coefficients in the field F_q of q elements, where N divides q-1 and q is a power of a prime number. An exemplary predetermined condition on the subsets R_f, R_g and R_c of R may specify that the coefficients are chosen from a predetermined set of values such as, for example, the values 0, 1 , and -1 in the field F_q, and an exemplary predetermined condition on the subset R_h may specify that the coefficients are small, as for example the number q is a prime number, the coefficients of h are chosen between -q/2 and q/2, and the sum of the squares of the coefficients of h is smaller than q². A number of other conditions on the subsets R , R_g and R_c may be used in conjunction with or in place of these exemplary conditions. The partial evaluation ring homomoφhism in accordance with the invention may consist of a ring B=F_q ^s and a set of elements a,,...,a_s in a public subset S of F_q and a homomoφhism ø:R->B corresponding to evaluation of a polynomial at the values in S according to the formula ø(p(X))=(p(a,),p(a₂),...,p(a_s)). An exemplary condition on the ring R may specify that R is the ring of polynomials modulo the relation X^N-1 and an exemplary condition on the set of elements S may specify that each element a_j in the set S satisfies the formula

. A number of other conditions on the ring R and on the set S may be used in conjunction with or in place of these exemplary conditions.

The use of ring homomoφhisms, and more particularly ring homomoφhisms given by partial evaluation of constrained polynomials over a finite field, in accordance with the invention provides user identification and digital signature techniques which are computationally more efficient than prior art techniques. The security of the techniques of the present invention depend on the fact that recovering an element of a ring from its value by a homomoφhism, and more particularly recovering a polynomial from its partial evaluation, can, in certain circumstances, be a particularly difficult task.

Further features and advantages of the invention will become more readily apparent from the following detailed description when taken in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 is a block diagram of a type of system that can be used in practicing embodiments of the invention, for example when the processors thereof are suitably programmed in accordance with the flow diagrams hereof.

Figure 2 is a flow diagram which illustrates a key creation technique in accordance with an exemplary embodiment of the present invention.

Figure 3 is a flow diagram which illustrates a user identification technique in accordance with an exemplary embodiment of the present invention.

Figure 4 is a flow diagram which illustrates a further user identification technique in accordance with another exemplary embodiment of the present invention.

Figure 5 is a flow diagram which illustrates a digital signature technique in accordance with an exemplary embodiment of the present invention.

Figure 6 is a flow diagram which illustrates a further digital signature technique in accordance with another exemplary embodiment of the present invention.

DETAILED DESCRIPTION

Figure 1 is a block diagram of a system that can be used in practicing embodiments of the invention. A number of processor-based subsystems, represented at 105, 155, 185, and 195, are shown as being in communication over an insecure channel or network 50, which may be, for example, any wired, optical, and/or wireless communication channel such as a telephone or internet communication channel or network. The subsystem 105 includes processor 1 10 and the subsystem 155 includes processor 160. When programmed in the manner to be described, the processors 110 and 160 and their associated circuits can be used to practice embodiments of the invention. The processors 1 10 and 160 may each be any suitable processor, for example an electronic digital processor or microprocessor. It will be understood that any general puφose or special puφose processor, or other machine or circuitry that can perform the functions described herein, electronically, optically, or by other means, can be utilized. The processors may be, for example, Intel Pentium processors. The subsystem 105 may typically include memories 123, clock and timing circuitry 121, input/output functions 118, and monitor 125, which may all be of conventional types. Inputs can include a keyboard input as represented at 103 and any other suitable input. Communication is via transceiver 135, which may comprise a modem, high speed coupler, or any suitable device for communicating signals. The subsystem 155 in this illustrative system can have a similar configuration to that of subsystem 105. The processor 160 has associated input/output circuitry 164, memories 168, clock and timing circuitry 173, and a monitor 176. Inputs include a keyboard 163 and any other suitable input. Communication of subsystem 155 with the outside world is via transceiver 162 which, again, may comprise a modem, high speed coupler, or any suitable device for communicating signals. As represented in the subsystem 155, a terminal 181 can be provided for receiving a smart card 182 or other media. A "user" can also be a person's or entity's "smart card", the card and its owner typically communicating with a terminal in which the card is inserted. The terminal can be an intelligent terminal, or can communicate with an intelligent terminal. It will be understood that the processing and communications media that are described are exemplary, and that the invention can have application in many other settings. The blocks 185 and 195 represent further subsystems on the channel or network.

The present invention will be illustrated below in conjunction with exemplary user identification and digital signature techniques carried out by a Prover and a Verifier in a communication network such as that of Figure 1 in which, for example, for a particular communication or transaction, any of the subsystems can serve either role. It should be understood, however, that the present invention is not limited to any particular type of application. For example, the invention may be applied to a variety of other user and data authentication applications. The term "user" may refer to both a user terminal as well as an individual using that terminal, and, as indicated above, the terminal maybe any type of computer or other digital data processor suitable for directing data communication operations. The term "Prover" as used herein is intended to include any user which initiates an identification, digital signature or other secure communication process. The term "Verifier" is intended to include any user which makes a determination as to whether a particular communication is legitimate. The term "user identification" is intended to include identification techniques of the challenge- response type as well as other types of identification, authentication and verification techniques.

The user identification and digital signature techniques in accordance with the present invention are based on evaluation of ring homomoφhisms. An exemplary embodiment of the present invention is based on the partial evaluation homomoφhism of constrained polynomials over a finite field. An exemplary finite field F_q=Z/qZ is defined for a prime number q. An exemplary ring R=F_q[X]/(X^q_1-l) is a ring of polynomials with coefficients in the finite field F_q modulo the ideal generated by the polynomial X^q"'-1. An exemplary homomoφhism ø:R->F_q ^s is a homomoφhism ø(f(X))=(f(a, ),..., f(a,)) for an ordered set S={a,,...,a,} of non-zero integers modulo q. An additional exemplary condition is that if a is in S, then a^-1 is also in S. With suitable restrictions on f(X) and a suitable choice of set S, it is infeasible to recover f(X) when given only ø(f(X)). As will be described in greater detail below, this provides a one-way function which is particularly well-suited to use in implementing efficient user identification and digital signatures. The identification and digital signature techniques make use of the multiplication rule in the ring R. Given a polynomial A(X)=A₀+A,X+...+A_q_₂X^q"2 in R and a polynomial B(X)=B₀+B,X+...+B_q.₂X^q"2 in R, an exemplary product may be given by:

C(X)=A(X)B(X)=C₀+C,X+...+C_q.₂X^q-² where C₀,...,C_q.₂ are given by:

C ^AoB.+A.B,.^...+A,B₀+A₁₊₁B_q.₂+A,₊₂B_q.3+...+A_q_₂B,₊₁ (modulo q). All reference to multiplication of polynomials in the remaining description should be understood to refer to the above-described exemplary multiplication in R. It should also be noted that the above-described multiplication rule is not a requirement of the invention, and alternative embodiments may use other types of multiplication rules.

An exemplary set of constrained polynomials R_f is the set of polynomials in R with bounded coefficients. Given the prime number q and the polynomial f(X), it is relatively easy to generate ø(f)=(f(a,),...,f(a_t)). However, appropriately selected restrictions on the polynomials in R_f can make it extremely difficult to invert this function to determine a polynomial F(X) in R_f such that ø(F)=ø(f). The difficulty of the inversion is generally dependent on the type of restrictions placed on the polynomials in R_f. For example, if easily satisfied restrictions are placed on the polynomials, basic inteφolation techniques could be used to find some polynomial F(X) in R_f such that ø(F)=ø(f). It will be shown in greater detail below that establishing appropriate restrictions on the polynomials in R_f can provide adequate levels of security.

An exemplary identification technique in accordance with the invention uses a number of system parameters which are established by a central authority and made public to all users. These system parameters include the above-noted prime number q and set S={a,,...,a,} oft nonzero elements of the finite field F_q and appropriate sets of bounded coefficient polynomials R_f,R_g,R_c. Figure. 2 illustrates the creation of a public/private key pair. After establishment of parameters (block 220) a Prover randomly chooses a secret polynomial f(X) in R_f as its private key (block 230). The public key of the Prover is then generated as ø(f)=(f(a, ),..., f(a,)) which represents the ordered evaluation of the secret polynomial f(X) at the t elements of S, and the public key can be published (block 240). Figure 3 illustrates an exemplary identification process. The identification process is initiated in the Commitment Phase (block 310) by the Prover generating a polynomial g(X) with bounded coefficients. The polynomial g(X) may be selected at random from a set R_g that is restricted in a manner to be described below. The Prover uses the polynomial g(X) and the public set of values

to compute a commitment ø(g)=(g(a, ),..., g(a,)) and sends the commitment to the Verifier.

The Verifier initiates the Challenge Phase (block 330) by generating a challenge polynomial c(X) with bounded coefficients and sending it to the Prover. The polynomial c(X) may be generated by random selection from a set of polynomials R_c that is restricted in a manner to be described below. The Prover initiates the Response Phase (block 350) by verifying that the challenge polynomial c(X) is in the restricted set of polynomials R_c and then using the polynomials c(X),g(X) and the secret polynomial f(X) to generate the response polynomial h(X) given by h(X) = g(X)(f(X)+c(X)g(X)) and sending the response polynomial h(X) to the Verifier. The Verifier initiates the Verification Phase (block 360) by using its knowledge of ø(g), c(X), and the public key ø(f) to check that the response polynomial h(X) was generated using the private key f(X) of the Prover by comparing: h(a.) to g(a,)(f(a,)+c(a₁)g(a₁)) for i=l,2,...,t. This check may be expressed as comparing whether ø(h) is equal to ø(g)(ø(f)+ø(c)ø(g)). The Verifier in the Verification Phase also checks whether or not the coefficients of h(X) are appropriately bounded, given that a legitimate h(X) will have bounded coefficients and will belong to a restricted set R,, of polynomials. The restrictions on the set R_h depend on the choice of the above noted sets R_f,R_g and R,.. The Verifier accepts the Prover as legitimate if the response polynomial h(X) transmitted by the Prover passes the checks of steps (A) and (B) of the Verification Phase. The Verifier may perform a number of other checks as part of the identification process. For example, prior to performing steps (A) and (B) of the Verification Phase, the Verifier may check that g(l), provided by the Prover as an element of the commitment ø(g), has a particular expected value. A first exemplary set of system parameters suitable for use with the above-described identification technique will now be described. It should be emphasized that these and other exemplary parameters described herein are illustrative only and that numerous alternative sets of parameters could also be used. In the first exemplary set of parameters, the prime number q is selected as 769, and the set S includes t=384 non- zero integers modulo q. The set S is constructed such that if a is an element of S, then a^"1 is also an element of S. It should be noted that a given implementation may utilize only a subset of the t elements of S. The set R_f is the set of all polynomials f(X) of degree less than 768 constructed with 51 coefficients of value 1, with 51 coefficients of value -1, and all other coefficients set to zero. The set R_g is the set of all polynomials g(X) of degree less than 768 constructed with 51 coefficients of value 1 , with 51 coefficients of value -1, and all other coefficients set to zero. The set R_c is the set of all polynomials c(X) of degree less than 768 constructed with 5 coefficients of value 1, with 5 coefficients of value -1, and all other coefficients set to zero. Finally, the set R_h is the set of polynomials h(X)=h₀+h,X+...+h₇₆₇X⁷⁶⁷ of degree less than 768 whose coefficients are between -384 and 384 and which satisfy the inequality h₀ ²+h,²+...+h₇₆₇ ²<769²= 591361. The user identification technique described in conjunction with Figure 3 above is then implemented using polynomials selected from the sets R_f,R_g,R_c and R_h.

Alternative embodiments of the invention may utilize several private key polynomials f,,...,f_n, several commitment polynomials g,,...,g_r and several challenge polynomials c,,...,c_s and may further utilize other functions of the key polynomials, commitment polynomials, and challenge polynomials to generate several response polynomials h,,...,h_u. For example, h„ could be generated as the value h, = P_i(f„...,f_n, g,,...,g_r> c„...,c.) for polynomials P_j(U,,...,U_n,V₁,...,V_r,W₁,...,W_s) with coefficients in R. The Verification Phase then consists of the two verification steps: (A) verify that h is in the set R_h; and (B) verify that the value ø(h,) is equal to the value ø(P,)(ø(f,),...,ø(f_n),ø(g,),- ..,ø(g_r),ø(c,),. • .,0(c_s)) for i=l,2,...,u, where ø(P,) is the polynomial P, with the homomoφhism ø applied to its coefficients. A second exemplary identification technique in accordance with the invention uses the same systems parameters and public/private key pairs as described above. Figure 4 illustrates the second exemplary identification process. The identification process is initiated in the Challenge Phase (block 430) by the Verifier generating a challenge polynomial c(X) with bounded coefficients and sending it to the Prover. The polynomial c(X) may be generated by random selection from a set of polynomials R_c as described above. The Prover initiates the Response Phase (block 450) by verifying that the challenge polynomial c(X) is in the restricted set of polynomials R_c and then generating a polynomial g(X) with bounded coefficients, where the polynomial g(X) may be selected at random from a set R_g as described above. The Prover uses the polynomials c(X),g(X) and the secret polynomial f(X) to generate the response polynomial h(X) given by h(X) = g(X)(f(X)+c(X)g(X)) and sending the response polynomial h(X) to the Verifier. The Verifier initiates the Verification Phase (block 460) by using its knowledge of c(X), and the public key ø(f) to check that the response polynomial h(X) was generated using the private key f(X) of the Prover by verifying that: f(a,)²+4c(a,)h(a,) equals a square modulo q for i=l,2,...,t. This check my be expressed as verifying that ø(f)²+4ø(c)ø(h) is equal to a square in the ring B. The Verifier in the Verification Phase also checks whether or not the coefficients of h(X) are appropriately bounded, given that a legitimate h(X) will have bounded coefficients and will belong to a restricted set R_h of polynomials. The restrictions on the set R_h depend on the choice of the above noted sets R_f,R_g and R_c. The Verifier accepts the Prover as legitimate if the response polynomial h(X) transmitted by the Prover passes the checks of steps (A) and (B) of the Verification Phase.

A second exemplary set of system parameters suitable for use with the above-described identification technique will now be described. In the second exemplary set of parameters, the prime number q is selected as 641, and the set S includes t=320 non-zero integers modulo q. The set S is constructed such that if a is an element of S, then a^"1 is also an element of S. It should be noted that a given implementation may utilize only a subset of the t elements of S. The set R_f is the set of all polynomials f(X) of degree less than 640 constructed with 214 coefficients of value 1, with 214 coefficients of value -1, and all other coefficients set to zero. The set R_g is the set of all polynomials g(X) of degree less than 640 constructed with 43 coefficients of value 1 , with 43 coefficients of value -1, and all other coefficients set to zero. The set R_c is the set of all polynomials c(X) of degree less than 640 constructed with 5 coefficients of value 1, with 5 coefficients of value -1, and all other coefficients set to zero. Finally, the set R_h is the set of polynomials h(X)=h₀+h,X+...+h₇₆₇X⁷⁶⁷ of degree less than 640 whose coefficients are between -320 and 320 and which satisfy the inequality ho²+h,²+...+h₇₆₇ ²<641²= 410881. The user identification technique described in conjunction with Figure 4 above is then implemented using polynomials selected from the sets R_f,R_g,R_c and R_h.

Figure 5 illustrates the operation of an exemplary digital signature technique implemented using the above-described ring homomoφhism method. In a digital signature technique, the Prover generates a simulated challenge polynomial by applying a one-way hash function to a message m and a commitment ø(g). The one-way hash function is also available to the Verifier and will be used to validate the digital signature. As shown in Figure 5, in the Message and Commitment Phase (block 505), the Prover generates a polynomial g(X) in the set R_g as previously described and uses g(X) to generate the commitment ø(g). The Prover also selects a message m to be signed. In the Challenge Phase (block 530) the Prover computes a challenge polynomial c(X) by applying a hash function Hash(o,o) such that c(X) is generated as Hash(m,ø(g)). The message m and commitment ø(g) are suitably formatted as an input to the function Hash(o,o) and the output c(X) of Hash(o,o) maps uniformly onto the set R_c. In the Digital Signature Phase (block 545) the Prover computes a response polynomial as in the above- described user identification embodiments. For example, h(X) may be computed as g(X)(f(X)+c(X)g(X)). The Prover then sends the message m to the Verifier, along with the pair (ø(g),h(X)) as a digital signature on the message m. In the Verification Phase of (block 560), the Verifier uses the one-way hash function to compute c(X)=Hash(m,ø(g)). The Verifier accepts the signature as valid if h(X) is within in the set R_h and if ø(h) is equal to ø(g)(ø(f)+ø(c)ø(g)). As in the identification embodiments, alternative embodiments may use several private keys, several commitments, several challenges, and different functions to generate the response.

Figure 6 illustrates the operation of a second exemplary digital signature technique implemented using the above-described ring homomoφhism method. In a digital signature technique, the Prover generates a simulated challenge polynomial by applying a one-way hash function to a message m. The one-way hash function is also available to the Verifier and will be used to validate the digital signature. As shown in the Message Phase (block 610), the Prover selects a message m to be signed. In the Challenge Phase (block 630), the Prover computes a challenge polynomial c(X) by applying a hash function Hash(o) such that c(X) is generated as Hash(m). The message m is suitably formatted as an input to the function Hash(o) and the output c(X) of Hash(o) maps uniformly onto the set R_c. In the Digital Signature Phase (block 654), the Prover randomly selects a polynomial g(X) from the set R_g and computes a response polynomial as in the above-described user identification embodiments. For example, h(X) may be computed as g(X)(f(X)+c(X)g(X)). The Prover then sends the message m to the Verifier, along with the polynomial h(X) as a digital signature on the message m. In the Verification Phase (block 660), the Verifier uses the one-way hash function to compute c(X)=Hash(m). The Verifier accepts the signature as valid if h(X) is within in the set R_h and if the quantity ø(f)²+4ø(c)ø(h) is a square in B. As in the identification embodiments, alternative embodiments may use several private keys, several commitments, several challenges, and different functions to generate the response.

Examples of operation of embodiments hereof will be provided below using very small numbers. These examples are not cryptographically secure and are meant only to illustrate the process. For further detail, see Appendix I (published as J. Hofffstein, D. Lieman, J.H. Silverman, Polynomial Rings and Effect Public Key Authentication, in Proceeding of the International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99),Hong Kong, (M. Blum and CH. Lee, eds.), City University of Hong Kong Press) and Appendix II (J. Hoffstein, J.H. Slverman, Polynomial Rings and Efficient Public Key Authentication II, CCNT '99 Proceedings, to appear.) The technique is called "PASS" (for Polynomial Authentication And Signature Scheme), and has a variation called PASS2.

The numbers used by PASS are integers modulo q. This means that each integer is divided by q and replaced by its remainder. For example, if q=7, then the number 39 would be replaced by 4, since

39 divided by 7 equals 5 with a remainder of 4.

The objects used by PASS are polynomials of degree N-l

a^ + a,x + a₂x² + ... + a_N.,x^N"',

where the coefficients a_o,...,a_N., are integers modulo q. (It is sometimes more convenient to represent a polynomial by an N-tuple of numbers [a^a,,...^.,]. In this situation the star product becomes a convolution product. Convolution products can be computed very efficiently using Fast Fourier Transforms.) PASS uses a special kind of multiplication where x^N is replaced by 1, and x^N+1 is replaced by x, and x^N+2 is replaced by x\ and so on (In mathematical terms, this version of PASS uses the ring of polynomials with mod q coefficients modulo the ideal consisting of all multiples of the polynomial x^N-l . More generally, one could use polynomials modulo a different ideal; and even more generally, one could use some other ring. The basic definitions and properties of rings and ideals can be found, for example, in Topics in Algebra, I.N. Herstein, Xerox College Publishing, Lexington, MA, 2^nd edition, 1975.) A* will be used to indicate this special polynomial multiplication.

Here is a sample multiplication using N=6:

(5+x+2x³+x⁴+3x⁵)*(3+x +2x³+4x⁴+x⁵)

= 15+3x+5x²+17x³+25x +20x⁵+6x⁶+13x⁷+12x⁸+13x⁹+3x¹⁰

(use the rule x⁶=l, x⁷=x, x⁸=x², x⁹=x\ x¹⁰=x⁴) = 21+16x+17x²+30x³+28x⁴+20x⁵

(reduce the coefficients modulo 7) = 2x+3x²+2x³+6x⁵ Polynomials whose coefficients consist entirely of 0's and l 's play a special role in PASS. (In some versions, one also allows coefficients to equal -1.) These polynomials with only 0's and l 's as coefficients are called binary polynomials. For example,

1 + x² + χ³ + χ⁵ is a binary polynomial. In practice one may also want to specify how many l 's are allowed.

The PASS2 authentication scheme is next described, using a small numerical example. PASS2 Parameters The first step is to choose a prime number q and to take N=q-1. For this example, take q=7 and N=6. One also needs to choose a set S consisting of half of the numbers between 1 and q-1, so for our example, half of the numbers between 1 and 6. Take the set

S = { 2, 4, 6 }.

(There is one other condition on the set S. This condition says that if b is in S, then S must also contain the number c that satisfies the equation be = 1 (modulo q). In our example, 2*4 = 1 (modulo 7) and 6*6 = 1 (modulo 7), so the set S={2,4,6} has the required property.) Finally, one needs to specify two numbers A_h and B_h that will be used in the verification process. For this example, take

A_h = 5 and B_h = 22. PASS2 Key Creation

The key creator Bob chooses a binary polynomial f(x) of degree less than N. This means that f(x) has only 0's and l's as its coefficients. For example, Bob might choose the polynomial f(x) = 1 + x² + x³ + x⁵. The polynomial f(x) is his private key, so he must keep it secret.

Next Bob computes the values of f(x) modulo q for the numbers in S. In this example the set S is S = { 2, 4, 6 } , so Bob computes f(2) = 1+4+8+32 = 45 = 3 (modulo 7) f(4) = 1+16+64+1024 = 1105 = 6 (modulo 7) f(6) = 1+36+216+7776 = 8029 = 0 (modulo 7). This set of values f(S) = { 3, 6, 0 } is Bob's public key. He publishes it so that people can use it to verify his identity.

PASS2 Commitment Step

The first step in the PASS2 authentication process is for Bob to make a Commitment and send it to Alice. He does this by choosing a binary polynomial g,(x) and computing the set of values g,(S), in much the same way that he chose f(x) and computed the values of f(x). He keeps the polynomial g,(x) secret, but he sends the set of values g,(S) to Alice as his Commitment.

For our example we will suppose that Bob chooses the polynomial g,(x) = x + x³ + x⁴ + x⁵. He computes the values g,(2) = 58 = 2 (modulo 7) g,(4) = 1348 = 4 (modulo 7) g,(6) = 9294 = 5 (modulo 7) and sends the set of values g,(S) = { g,(2), g,(4), g,(6) } = { 2, 4, 5 } to Alice as his Commitment.

PASS2 Challenge Step

The second step in the PASS2 authentication process is for Alice to send a Challenge to Bob. Alice's challenge consists of two binary polynomials c,(x) and c₂(x), possibly satisfying some additional conditions. (The principal extra condition is that the polynomials c,(x) should not vanish modulo q for all nonzero values of x not in the set S. In this example, we have c,(x) = x⁵+x³, and the values of c,(x) at nonzero numbers not in S are c,(l)=2 (modulo 7), c,(3)=4 (modulo 7), and c,(5)=2 (modulo 7).) For our example we suppose that Alice chooses the polynomials c,(x) = x³ + x⁵ and c₂(x) = x + x².

Alice sends the two challenge polynomials c, and c₂ to Bob.

PASS2 Response Step

The third step in the PASS2 authentication process is for Bob to use his private key f(x), his commitment polynomial g](x). and Alice's challenge polynomials c,(x) and c₂(x) to create his Response. He does this by choosing another binary polynomial g₂(x) and computing the polynomial h(x) = ( f(x) + c,(x)*g,(x) + c₂(x)*g₂(x) ) * g₂(x). Note that this computation is done using star multiplication (i.e., with x^N=l) and that the coefficients are always computed modulo q. Bob sends the polynomial h(x) to Alice as his Response. He does not reveal the polynomial g₂(x), and indeed he may discard it as soon as he has computed h(x).

Suppose that in our example Bob chooses the polynomial g₂(x) = 1 + x + x⁵. Then h(x) = ( (l+x²+x³+x⁵) + (x +x⁵)*( x+x³+x⁴+x⁵) + (x+x²)*(l+x+x⁵) ) * (1+x+x⁵) = 1 + 5x + 4x² + 3x³ + 6x⁴ (modulo 7, with the rule x⁶=l).

PASS2 Verification Step

The fourth and final step in the PASS2 authentication process is for Alice to use Bob's public key f(S), Bob's commitment g(S), and her challenge polynomials c,(x) and c₂(x) to verify that Bob's response is a valid response. This Verification consists of two parts. [A] Recall that the PASS2 parameters included two numbers A_h and B_h. Alice writes the polynomial h(x) as h₀+h,x+h₂x²+...+h_N.₁x^N"1 with coefficients ho,hι,...h_N., taken modulo q and lying as close as possible to the number A_h. She then computes the quantity

C = (ho-A_h)² + (h,-A_h)² + (h₂-A_h)² + ... + (h_N.,-A„)². She compares the number C to the number B_h. If C is smaller than B_h, then Bob's response passes the first test. If C is larger than B_h, then Bob's response fails the first test.

[B] For each number b in the set S, Alice computes the number

( f(b) + c,(b)g,(b) )² + 4c₂(b)h(b) modulo q. (Note that Alice possesses enough information to compute this number, since she knows the polynomials c,(x), c₂(x), and h(x) and she knows the values of f(b) and g,(b) for every number b in the set S.) Alice checks if this number is equal to the square of a number modulo q. If it is equal to a square modulo q for every number b in the set S, then Bob's response passes the second test. If it fails to be a square for even a single number in the set S, then Bob's response fails the second test.

In the present example, this works as follows. The example quantities are A_h = 5 and B_h = 22, and the response polynomial is h(x)=l+5x+4x²+3x³+6x\ For the first verification test, which is test [A], Alice writes h(x) using coefficients modulo 7 that are as close as possible to 5; in other words, she uses the numbers 2,3,4,5,6,7,8 as coefficients of h(x), which means she writes h(x) as h(x) = 8 + 5x + 4x² + 3x³ + 6x⁴ + 7x⁵. Alice then computes

(8-5)² + (5-5)² + (4-5)² + (3-5)² + (6-5)² + (7-5)² = 19. This value is smaller than 22 (i.e., it is smaller than B_h), so Bob's response passes the first verification test.

For the second verification test, which is test [B], Alice uses the known quantities { f(2), f(4), f(6) } = { 4, 3, 0 }

{ g,(2), g,(4), _gl(6) } = { 4, 2, 4 } c,(x) = x³+x⁵, so { c,(2), c,(4), c,(6) } = { 2, 5, 4 } c₂(x) = x+x², so { c₂(2), c₂(4), c₂(6) } = {2, 6, 5 } h(x) = l+5x+4x²+3x³+6x⁴, so { h(2), h(4), h(6) } = {5, 0, 3 } These values let her compute

( f(2) + c,(2)g,(2) )² + 4c₂(2)h(2) = 2 (modulo 7)

( f(4) + c,(4)g,(4) )² + 4c₂(4)h(4) = 1 (modulo 7)

( f(6) + c,(6)g,(6) )² + 4c₂(6)h(6) = 1 (modulo 7) Each of these numbers is a square modulo 7, since

1 = 1² and 2 = 3² (modulo 7). (The numbers 0, 1, 2, and 4 are squares modulo 7, and the numbers 3, 5, and 6 are not squares modulo 7.) Bob's response passes the second verification test. Since it has now passed both tests [A] and [B], Alice accepts that Bob has proven his identity.

Any authentication scheme involving the steps of

Commitment/Challenge/Response/Verification

can be turned into a digital signature scheme. The basic idea is to use a hash function (see below) to create the challenge from the commitment and the digital document to be signed. The steps that go into a PASS2 Digital Signature are as follows. o PASS2 Key Creation (Digital Signature)

Same as for PASS2 Authentication: Bob creates his private key f(x) and his public key consisting of the partial set of values f(S). o PASS2 Commitment Step (Digital Signature)

Same as for PASS2 Authentication: Bob chooses a polynomial g,(x) and computes the partial set of values g,(S) to serve as his commitment. o PASS2 Challenge Step (Digital Signature)

Bob takes his commitment g,(S) and the digital document D that he wants to sign and runs them through a hash function H (see below) to produce challenge polynomials c,(x) and c₂(x). o PASS2 Response Step (Digital Signature)

Same as for PASS2 Authentication: Bob uses his private key f(x), the polynomial g,(x),another polynomial g₂(x), and the challenge polynomials c,(x) and c₂(x) to compute the response polynomial h(x)=(f(x)+c₁(x)*g,(x)+c₂(x)*g₂(x))*g₂(x). Bob publishes the D, g,(S), and h(x). The quantities g,(S) and h(x) are his digital signature for the digital document D. o PASS2 Verification Step (Digital Signature)

When Alice wants to check Bob's digital signature on the digital document D, she begins by running g,(S) and D through the hash function H to reproduce the challenge polynomials c,(x) and c₂(x). She now has all of the information needed to verify that h(x) is a valid response for the public key f(S), the commitment g,(S), and the challenge c,(x) and c₂(x). If h(x) is a valid response, she accepts Bob's signature on the document D.

Notice how Bob's signature is inextricably tied to the digital document D. If even one bit of D is changed or if one bit of the commitment g,(S) is changed, then the hash function will produce different challenge polynomials c,(x) and c₂(x), so the verification step will fail and the signature will be rejected.

Hash functions, which are well known in the art, are used herein. The puφose of a hash function is to take an arbitrary amount of data as input and produce as output a small amount of data (typically between 80 and 160 bits) in such a way that it is very hard to predict from the input exactly what the output will be. For example, it should be extremely difficult to find two different sets of inputs that produce the exact same output. Hash functions are used for a variety of puφoses in cryptography and other areas of computer science.

It is a nontrivial problem to construct good hash functions. Typical hash function such as SHAl and RD5 proceed by taking a chunk of the input, breaking it into pieces, and doing various simple logical operations (e.g., and, or, shift) with the pieces. This is generally done many times. For example, SHAl takes as input 512 bits of data, it does 80 rounds of breaking apart and recombining, and it returns 160 bits to the user. This process can be repeated for longer messages.

The PASS2 scheme described above is a variation of an earlier version of PASS. Both schemes have the same level of security, but the operating characteristics (key sizes, communication requirements, etc.) of PASS are not as good as those of PASS2. Next, PASS is demonstrated with a small numerical example, to illustrate the similarities and differences between the two systems. The fundamental similarity is that the security depends on the difficulty of reproducing a binary polynomial from a partial set of its values, o PASS Parameters

PASS and PASS2 use the same parameters q, N (with N=q-1), a set of numbers S, and two quantities A_h and B_h, although the actual values of these parameters may differ. Example: q = 7, N = 6, S = {2, 4, 6}, A_h = 5, B_h = 9. o PASS Key Creation

Bob chooses two binary polynomials f,(x) and f₂(x) as his private key. The partial sets of values f,(S) and f₂(S) form his public key. Example: f,(x) = x⁴ + 1 f,(S) = {f,(2),f,(4),f,(6)} = {3,5,2} f₂(x) = x⁵ + x f₂(S) = {f₂(2),f₂(4),f₂(6)} = {6,6,5} o PASS Commitment Step

Bob chooses two binary polynomials g,(x) and g₂(x). He computes and sends to Alice the partial sets of values g,(S) and g₂(S) as his commitment. Example: g,(x) = x⁵ + x⁴ g,(S) = {_gl(2),g,(4),g,(6)} = {6,6,0} g₂(x) = x + 1 g₂(S) = {g₂(2),g₂(4),g₂(6)} = {3,5,0} o PASS Challenge Step

Alice choose four binary polynomials c,(x), c₂(x), c₃(x), and c₄(x) (possibly satisfying some other constraints) and sends them to Bob as her challenge. Example: c,(x) = x³ + x c,(S) = {c,(2),c₁(4),c₁(6)} = {3,5,5} c₂(x) = x⁵ + x⁴ c₂(S) = {c₂(2),c₂(4),c₂(6)} = {6,6,0} c₃(x) = x⁵ + x² c₃(S) = {c₃(2),c₃(4),C₃(6)} = { 1,4,0} c₄(x) = x⁵ + x c₄(S) = {c₄(2),c₄(4),c₄(6)} = {6,6,5} o PASS Response Step Bob computes the polynomial h(x) - f,(x)g,(x)c,(x) + f,(x)g₂(x)c₂(x) + f₂(x)g,(x)c₃(x) + f₂(x)g₂(x)c₄(x). and sends h(x) to Alice as his response. (Remember that h(x) is computed using the rule x^N=l and that the coefficients are computed modulo q.) Example: h(x) = (x⁴ + 1)( x⁵ + x )(x³ + x) + (x⁴ + 1)( x + l)(x⁵ + x⁴)

+ (x⁵ + x)( x⁵ + x⁴)(x⁵ + x²) + (x⁵ + x)( x + l)(x⁵ + x) = 5x⁴ + 5x³ + 5x² +4x + 6 o PASS Verification Step

Verification consists of two steps. First Alice writes the polynomial h(x) as h₀+h,x+h₂x²+... +h_N.,x^N~1 with coefficients ho,h,,...h_N.| modulo q taken as close as possible to A_h and she computes the quantity

C = ( A_h)² + (h,-A_h)² + (h₂-A_h)² + ... + (h_N,-A_H)². She compares the number C to the number B_h. If C is smaller than B_h, then Bob's response passes the first test. If C is larger than B_h, then Bob's response fails the first test. Second, for each number b in the set S, Alice computes the two numbers h(b) (modulo q) and f,(b)g₁(b)c₁(b) + f,(b)g₂(b)c₂(b) + f₂(b)g,(b)c₃(b) + f₂(b)g₂(b)c₄(b) (modulo q). If they are the same for every number b in the set S, then Bob's response passes the second test; otherwise his response fails the second test. Note that Alice has enough information to compute these quantities, because she knows the polynomials h(x), c,(x), c₂(x), c₃(x) and c₄(x) and she knows the values of f,(b), f₂(b), g,(b), and g₂(b) for every number b in the set S. Example:

For the example, the polynomial h(x) is 5x⁴ + 5x³ + 5x² +4x + 6 and the number A_h is equal to 5. This means that Alice should write h(x) as h(x) = 7x⁵ + 5x⁴ + 5x³ + 5x² +4x + 6 since she wants the coefficients, which are numbers modulo 7, to be as close to 5 as possible. Then she computes

C = (7-5)²+(5-5)²+(5-5)²+(5-5)²+(4-5)²+(6-5)² = 6. This is smaller than the bound B_h = 9, so Bob's response passes the first test. Next Alice computes the values h(2) = 0 (modulo 7), h(4) = 1 (modulo 7), h(6) = 0 (modulo 7). and f,(2)_gl(2)c,(2) + f,(2)g₂(2)c₂(2) + f₂(2)g,(2)c₃(2) + f₂(2)g₂(2)c₄(2) = 0 (modulo 7), f.(4)g,(4)c,(4) + f,(4)g₂(4)c₂(4) + f₂(4)g,(4)c₃(4) + f₂(4)g₂(4)c₄(4) = 1 (modulo 7), f,(6)g₁(6)c₁(6) + f,(6)g₂(6)c₂(6) + f₂(6)g,(6)c₃(6) + f₂(6)g₂(6)c₄(6) = 0 (modulo 7).

Since these values match the values of h, Bob's response passes the second test, so Alice accepts that Bob is really who he says he is.

The user identification and digital signature techniques of the present invention provide significantly improved computational efficiency relative to prior art techniques at equivalent security levels, while also reducing the amount of information which must be stored by the Prover and Verifier and communicated between the Prover and Verifier. It should be emphasized that the techniques described above are exemplary and should not be construed as limiting the present invention to a particular group of illustrative embodiments. Alternative embodiments within the scope of the appended claims will be readily apparent to those skilled in the art. Appendix I

Polynomial Rings and Efficient Public Key Authentication

Jeffrey Hoffstein, Daniel Lieman and Joseph H. Silverman NTRU Cryptos stems, Inc. (www.ntru.com)

Abstract and N = q - 1. The "hard problem" involves the difficulty of recovering a polynomial in R whose coefficients

A new "hard problem " xn number theory, based on parsatisfy certain constraints, if one is given the value of the tial evaluation of certain classes of constrained polynopolynomial at a certain subset of the points of Z/ςZ. mials, was proposed in [5). In this paper we present a In both papers the fundamental hard problems are highly efficient public key authentication scheme based based on properties of short polynomials, i.e., polynomion a combination of this problem and a more traditional als whose coefficients are small (in absolute value) relfactonzalion problem. We. call this scheme PASS for ative to q. The surprising thing is that this concept Polynomial Authentication and Signature Scheme. In can be meaningful and useful even in the context of R, addition to quantifying the. lime, required to solve, tlie where coefficients are reduced modulo q and exponents "hard problem" of [5J, we qive a detailed security analysis are reduced modulo N. at certain speetfie. parameters. The scheme we propose In this paper we present a new authentication scheme, M not zero-knowledge. In return for computational effiPASS, based partly on the hard problem of [5] and partly ciency and low processing requirements far beyond any on a more traditional factorization problem. The scheme competing schemes, we. accept a quantifiable leakage of features extremely light computational requirements for information from a sufficiently long transcript of authenboth the prover and the verifier. To illustrate the speed tications. Conservative estimates suggest that the paand efficiency of PASS we wrote a straightforward non- rameters proposed provide high levels of security for tranoptimized test program in C. We ran this on a 330 MHz scripts of 500 auϋientications with a single key pair. We Macintosh G3, compiled using Metroworks Codewarrior briefly discuss a generalization using non-commutative compiler. At a security level far greater than that prorings and Fourier transforms. As with other interactive vided by an RSA 1024 bit key, our program required authentication scheme i, our scheme may be combined 2.060 milliseconds to generate a public/private key pair with a hash function to give, a non-mteractive signature and 6.438 milliseconds to complete a Commit, Chalscheme. lenge, Respond, Verify sequence. Further details on the test are given in Appendix 4. Details on key lengths and

1 Introduction bit transmissions are given in Table 3.

With public key encryption systems there is a private

In a recent paper [6], some new ideas were introduced key and a public key. The only piece of information into public key cryptography. These involve the use of a revealed by the holder of the private key is the public combination of algebraic and analytic techniques in the key. Consequently the creator of a public key encryption context of a commutative ring. The ring of truncated system must insure that the task of determining inforpolynomials mation about the private key, or of reading a message without the private key, is extremely difficult. n = {z./qz)[τ)/(_r" - i) (i) The situation with public key authentication and digital signatures is more challenging. There is again a pubis used, where q and N are moderately sized relatively lic key and a private key, but every authentication or prime integers. Λ public key cryptosystem called NTRU digital signature performed with a public key risks reis described, with a typical parameter choice being q = vealing some information about the private key. Some 256 and N = 5U3. The "hard problem" that, NTRU is schemes, for example the identification schemes due to based upon is related to the difficulty of finding particuSchnorr and to Guillou-Quisquater , can be shown to be larly small vectors in certain lattices of high dimension. sound. (See, for example, [22, chapter 9].) The security In a recent patent application, [5], a new "hard probof such schemes is comforting, but the computational lem" in nu b^pr theory is proposed, also involving the requirements are considerable. ring R. Here q is taken to be a small prime, such as 503, In this paper we propose an approach to authentica-

1- 1 tion and digital signatures which is different from the square of the dimension of the lattice. (The same is traditional approach, but. is perhaps better suited for true of the lattice-based cryptosystcms proposed in [1] applications involving low powered processors such as and [3].) In contrast, the keys used by NTRU and by smart cards and the authentication or certification of PASS, the authentication scheme in this paper, grow millions of micro transactions. The public keys we proonly linearly with the dimension of the lattice, so they pose will be at least as secure from attack as RSA 1024 remain very practical even for lattices of dimension bebit keys. To keep the transcripts at a similar security tween 500 and 1000. level, we will require that the transcript lengths be reMore generally, the reason for re-examining the use of stricted to about 500. (This is a very conservative estilattice based cryptosystems has to do with some of the mate.) However the ease and speed of key pair generaapparently fundamental limitations of lattice reduction tion will make it easy to leverage this, by a short tree of attacks and the nature of the cryptosystcms that were validations, to millions of transactions descended from a successfully attacked in the past. In the most general single key. terms, the LLL method, or its various improvements,

As mentioned above, the hard problem underlying the will find a relatively short vector in a lattice L of dimensecurity of the public key in our scheme is related to sion n in a surprisingly small amount of time. But one properties of short polynomials. Since short polynocan ask just how short that vector is, and how its length mials can be made to correspond to short vectors in compares to that of either the actual shortest vector in L a lattice, it is vital that any security analysis of these or the probabilistic expected length of the shortest vecschemes carefully consider the possibility of attack by tor if L were a random lattice. What seems to happen is lattice reduction methods. Lattice reduction attacks are that a first approximation by LLL or its improvements the general name for techniques for finding short vectors will find a reasonably short vector in a lattice of dimenin lattices. The use of lattice attacks in cryptography sion n in time which grows polynomially in n. Further was pioneered by Shamir,[17], who used it to break the refinements of LLL will find successively shorter vectors original knapsack based public key cryptosystem prowith lengths that are still greater than the actual or exposed by [12]. In the mid 80's Lcnstra, Lenstra and Lo- pected shortest length. Ultimately, LLL will always find vasz [9] introduced what has since been called the LLL a vector either with the actual shortest length, or at lattice reduction method. This, and further improveany rate with length very close to the expected smallments on LLL by Schnorr, Euclmer and others [14, 15] est. However, the time required to find this vector seems led eventually to the breaking of all known cryptosys- to grow exponentially, or even super exponentially, with tems based on the difficulty of finding small vectors in the dimension n. We can summarize this in the following lattices. This includes the recent system proposed by very rough conjecture: Ajtai and Dwork [1] and by Goldreich, Goldwasser, and Conjecture 1 (Hard Problem 1) Let L be a "reasonably Halcvy [3]. random" lattice of dimension n and discriminant d. Let

The success of LLL and later improvements in attacka be the length of the actual shortest non-zero vector of ing lattice based cryptosystcms has led to a general beL and suppose that lief among cryptographers that any cryptosystem based upon the difficulty r finding small vectors in a lattice Cιd^l'ⁿ < 8 < C₂d^{1 n}vtn. must inevitably ho doomed. Why then, do we seem to be doing just that in NTRU, and in the PASS authentiwhere Cι, C_\ > 0 are fixed constants. (The gaussian cation scheme being proposed in thus paper? The short heuristic says that an inequality of this sort will be true.) answer is that the lattices underlying NTRU and PASS Suppose further that d^l,n lies within a factor of ri ofn. have dimensions several times greater than the lattices Then the time required to find a vector of length less than needed to break cryptosystcms based on knapsack probCΛS, for a fixed positive constant CΛ, grows exponentially lems. And just as going from a 512 bit RSA modulus to a with n. 1024 bit RSA modulus changes a solvable problem into In previous cryptosystems the above observations were an intractable problem, going from a lattice of dimennot of much use. This is because until now in lattice sion 300 to a lattice of dimension 700 is the difference based systems, as mentioned above, key size has been between an attackable problem and a problem that is proportional to the square of the dimension. As a relikely to remain iiusolvablc for the forsceable future. sult, it has not been practical to propose systems re¬

This leads to an obvious question: Why don't peolated to lattices of dimension greater than the range 200 ple use knapsack based systems whose underlying latto 300. Also, in these systems, the discovery of even a tices have dimension 700. The answer is that the key moderately short vector would stand a reasonable chance size for a knapsack based cryptosystem grows like the of compromising security. The ever improving work on

1-2 LLL algorithms has made the discovery of moderately to Don Coppersmith for both pointing out weaknesses short vectors of dimension up to about 300 within reach. in earlier versions of this scheme and for formulating the Beyond this bound, however, experiments with current fourth power moment attack on transcripts which is deLLL algorithms seem to indicate that the exponential scribed in Section 3.3. Any remaining weaknesses in the aspect comes into play very significantly. In NTRU and proposed scheme are entirely the responsibility of the in the PASS system proposed in this paper, key size is authors. proportial to n, as opposed to n². As a result we believe it is possible to obtain very substantial security with moderate key sizes. In Section 3 we will provide exper2 Introduction to PASS imental evidence for this along with a precise version of the above conjecture for certain classes of lattices. 2.1 Properties of R

In the following sections we present the PASS public Let R be as defined above in (1), with q a prime and N key authentication scheme. Section 2 gives an overview a divisor of q — 1. Note that R is then isomorphic to a of our scheme. In this section a definition of short polydirect sum of N copies of Z/qZ. This is equivalent to nomials is given, along with a description of some of the fact that by Fermat's Little Theorem, for any a φ 0 their properties. We also explain where the lattice based mod q, the homomorphism from R to Z/gZ given by hard problem fits in, and introduce another hard probg{x) → g(a ^,>-^l)<^N) is well defined. lem more directly related to a traditional factoring probA typical element g of R will have a representative of lem. We then describe how the TASS scheme works, disthe form cuss soundness and completeness of the scheme, and give some specific parameter suggestions. Section 3 contains g = oo + oiz + α₂x² H _- o/v-ii"^-1, a complete security analysis of the PASS scheme, concentrating on a specific parameter choice. In this section with coefficients α< € Z/qZ. we also quantify the above conjecture more precisely and We will have reason later to refer to an automorcalculate some extrapolated breaking times. For examphism σ defined by ple, we estimate that the breaking time for N = 768 is approximately 4.73 • IO¹⁸ MTPS-years. Section 4 gives σ . R — + Λ, σ(.9(x)) = .9(ι^_1), key lengths and communication requirements for some specific parameter values, and in the final section we or more explicitly, discuss the use of FFT's to make computatioas faster and to decrease the number of bits transmitted. In four σ(g) = αo + a.N-ιx + o.N-2 ² H - UιX^N~l. appendices we: (1) show how to apply PASS to digital signatures; (2) describe a hash function based on If g satisfies σ(g) = g, we say g is cυcn. If σ(g) = —g, constrained polynomial evaluation; (3) explain why the we say o is odd. PASS scheme is related to the uncertainty principle for We will also find it useful to define two norms on R. (discrete) Fourier transforms and how this leads to possiSuppose that g is a polynomial whose coefficients satisfy ble non-commutative extensions of the PASS ideas; and |OJ | < q/2 and ∑, o₄ = 0. We then define (4) give results of our timing experiments.

There is a large literature devoted to both theoretical lsl = /αg + O_ΛΓ__D Iflloo = maxθj - minα<. and practical aspects of digital identification, authentication, and signatures [2, 4, 11 , 13, 16, 18, 20, 21, 22]. (These are the only sorts of polynomials we will need The widespread need for such applications makes the to consider, but in general we would define \g\ to be introduction of new schemes of interest to both the l i(^ai — t¹)²) where μ = (1/N) ∑< °i >^{s tne} mean of academic and financial community, especially schemes the coefficients.) which are based on new hard mathematical problems A very useful concept for us will be the notion of a and which offer significant practical advantages in terms short polynomial. Formally, we will define: of speed and key size over existing methods. Acknowledgements. We would like to thank Hcndryk Definition 1 A polynomial h will be called "short" if Lenstra and Bjorn Poonen for a number of helpful disits norm \h\ is smaller than a constant times /q. cussions on lattices, Burl KalLski for many discussions on potential attacks, and Jill Piphcr and Phil Hirschhorn Very roughly, polynomials are called short if their cofor much help in all stages of the preparation of this paefficients are sufficiently small with respect to q that no per. We also would like to extend a very warm thanks reduction mod q occurs when two of them are multiplied

1-3 together. When polynomials are short, the two norms short implies that they will be irreducible in K, and above arc related by the rough inequality the problem of factorizing h translates into a traditional factorization problem, with difficulties compounded by

(2) the exponentially large class number of K. In fact, if h could be factored, then the norm of h down to Q could where * denotes multiplication in R and c_? is a constant be factored. But this norm is on the order of q^N , and that varies between 0.3 and 0.5 for parameters in the factorization of rational integers of this size is beyond ranges discussed here. Also wc have the approximate the range of current technology. relation (for random choices of short polynomials) There is, however, a special case of this problem that can be solved in polynomial time. If / = g, then h

\9 * 9'\ * \9\\9'\ (3) corresponds to a square of an algebraic integer. One can

Notice that by the relations (2) and (3) with approprichoose a rational prime p with the property that over ate cilices of constants, the product of two short polynoZ/nZ, the polynomial x - 1 has very few (say 4 or 5) mials will have small | ■ | and | • |_∞ norms with respect factors. Then after reduction mod p, the polynomial h to q. can be viewed as a square in a product of 4 or 5 finite fields. The square root can be taken quickly in each of

2.2 Another hard problem these fields and the resulting 16 or 32 possibilities can be searched for a solution with small coefficients. For

One hard problem that our scheme is based on has althis reason, wc will always take / and g to be distinct ready been discussed in the introduction. Wc will return randomly chosen polynomials. to this in the next section. The other hard problem that the our scheme is based on is more directly related to a traditional factoring problem. In particular we have the 2.3 An outline of PASS following: We begin by choosing a set S of t distinct non-zero elements α € Z/gZ as a system-wide parameter. For rea¬

Conjecture 2 (Hard Problem 2) Let f, g € R be chosen sons to be explained shortly, we assume that if α € S, to be short. Let h = f+g. (Notice, that by (2) above, \h\_∞ then α^_l € S. In other words, 5 is closed under takand \h\ will also be small.) With appropriate choices of ing inverses. Also public are four subsets of R, which parameters, it is very difficult to either recover f and g we denote by £/, £_β, £_r and £j,. It will be convefrom h, or to find two other polynomials f and g' such nient to define these as follows. Fix a positive integer Uiat f and g' arc short and /» = /' * g'. df < N/2. Define £/ to be the set of all polynomials / in TZ such that / has d_j coefficients equal to each of 1

As this is, at least on the face of it, a new type of and -1, with all other coefficients equal to 0. Notice hard problem, let us discuss some of the reasons why that l l = 2d_j. Let C„ and £_P be defined similarly uswe claim that it is hard. One reason is that any polying d_β and d_c. Finally, we will define * as the set of Λ's nomial r e R with no roots in Z/g will be invcrtible satisfying \h\ < η/_hq, with /, to be chosen later. and hence divide h. As the number of such invertible r

An authentication session proceeds as follows. Pearl, is on the order of q^N , a direct approach to the problem the prover, has a private key /, /', known only to her. reduces to searching among exponentially many possible This private key consists of two polynomials / and /' factorizations of h, looking for a very small number of chosen by Pearl at random from £/. Her public, key short solutions. Parameters ran be chosen so that this is the associated ordered collection of values mod q: is impractical.

If several different products, f*gι , f*g₂, — are given, it (f(ct), f'(a))_a£s- We claim that the following scenario allows Pearl to prove to Vinnie, the verifier, that she posis possible to construct an attack by lattice methods, as sesses the secret key /, /' associated to her public key, will be mentioned later, but if a single product is given, the non-hnear nat ure r the problem seems to make it without revealing /, /' or information that could help Vinnie, or a third party Irving, observing the transachard to apply lattice reduction methods. tion, to discover /, /'.

An alternative approach is to view Z[ι]/(x^JV — 1) as (essentially) the ring of integers of the cyclotomic field K • Pearl chooses g, g' € £, and computes and reveals obtained by adjoining the N'^h roots of unity to Q. As the collection of values (g{ct),g'{ά))aes- This is the coefficients of /, q and h are small, no reduction mod Pearl's commitment. q will occur when the product h = f * g is computed, and consequently h may be viewed as an algebraic in• Vinnie chooses a challenge Co 6 £_c at random and teger. With high probability, the fact that / and g are sends Co to Pearl. This is hashed with the co mit-

1-4 ment to produce polynomials: c_t, c₂,c ,C₄ e £_e. 2.4 A Specific example

In this section we will give concrete details for the general

• Pearl computes and reveals the polynomial scheme described above using the parameters h = afg + cifg' + c₃f'g + c 'g _q = 769, N = 768, t = N/2 = 384.

• Vinnie verifies that Let. r be a primitive root mod q, and let J be a collection of t distinct indices j, chosen at random from the collec¬

(A) /. € C_h (i.e., |/ι| < f_hq). tion of integers less than JV, with the condition that if j € J, then q — 1 — j € J. Define 5 by

(B) Λ(α) = eι(ft)/(a)fl(rt) + c₂(n)f(a)g'{ct) + r₃{n)f'(n)g{n) + c_Λ(a)f'(a)g(,a) for all a e S. 5 = {r* mod q : j € J}. (4)

Then S consists of t distinct elements a mod q. As they

To assess the security and usefulness of this scheme are nonzero, each has the property that α" = 1 mod q. one must verify, or at least make strong arguments in Also, by its definition, S is closed under the taking of favor of, several things. multiplicative inverses mod q.

First, it must be shown that if Pearl possesses the We fix a set |S| as in (4) above, and we set the paprivate, key /, /', the probability that she will pass the rameters d/, dg,d_c,fh as follows: test and be accepted by Vinnie as legitimate can be d = 256, d, = 256, ά_e = 1 7_h = 2.2. (5) made arbitrarily high. This property of an authentication scheme is called completeness. It is simple to check then that

Then it must be shown that a potential impostor without knowledge of /, /' or some ot her false key F, F' would |£/| > 2^lβ0, |£_ff| > 2^lβ0, |£_c| > 2^7β, q^l > 2^lβ0. have a very low probability of passing the test. A particIn the first section below we discuss completeness. We ularly satisfactory way of establishing this is by proving will show that Pearl, knowing the secret key /, /', can that the scheme has the property of being sound. This pass Vinnie's test with very high probability. In the means demonstrating that any procedure that fools Vinnext section we will give probabilistic arguments demonnie a single time into thinking that an impostor is really strating that an imposter, Irving, using only a random Pearl can be leveraged into a method of fooling Vinnie search strategy will have a probability of less than 2^_7β on future transactions with significant probability. This of passing Vinnie's test without knowledge of /,/'. We is often shown by demonstrating that an opponent who will then discuss soundness, showing that for values of can answer several distinct challenges to the same comt slightly larger than the suggested N/2, and large valmitment can recover the secret key or at any rate fool ues of N the scheme is likely to be sound. Our argument Vinnie consistantly. here will depend on the gaussian heuristic and hence not

Finally, it must be shown that for a given B, large be completely airtight, but will hopefully be convincing. enough to be useful, if an impostor knows the public key Finally we will analyze the information that can be oband has access to a transcript of no more than B genuine tained from a study of long transcripts. authentication transactions using /, /', he would have a close to zero chance of recovering either the original private key /, /' or an equally useful false key F, F'. 2.5 On completeness

Remark. It is also possible to use the problem of parRecall how the scenario works: Pearl chooses g, g' 6 tial evaluation of short |>olynomials as the basis for a £_g and computes and reveals the collection of values public key cryptosystem. This public key cryptosystem (<7(α)_> <7'(α))αes- Then Vinnie chooses a challenge Co € is described in [7]. A useful feature of combining this £_c at random and sends Co to Pearl. Pearl then uses her public key system with the PASS authentication scheme knowledge of /, /' to compute and reveal h. The test described in this paper is that a single key can be used (B) h(a) = _Cl(α)/(α)ff(α) + c₃(a)f(a)g'{a) + for both encryption and authentication. This is analoC₃(α)/'(α)_fl(α) + C₄(α)/'(α)_fl(α) for all Q € S. gous to the way in which an RSA key can be used for both encryption and signature/authentication, although will be passed for every α ζ. S because the fact that the analogy is not perfect, because the PASS key is used a^N ≡ 1 mod q for every α € S ensures that the evaluain somewhat different ways for encryption and for aution mapping thentication purposes. e . R → (Z/«Z)«, e(h) = (ft(α_), ... , h(o,)),

1-5 is a homomorphism. 2.7 Soundness

On the other hand, consider the requirement that One can make a reasonable argument for soundness, alh € _h- From (2) and (3), wc sec that the fact that though as is often the case with such schemes, with an l/l, |ø|, and |c| arc small implies that \h\ and \h\_∞ must efficient choice of parameters it does not seem to be posbe small. The probability that \h\ falls into a given range sible to construct a rigorous proof of soundness. In parcan be computed theoretically, but it is far easier to ticular, if a value of t is chosen that is slightly larger do an empirical computation. For the sample paramthan recommended above, then a strong probabilistic eters (5), we randomly selected IO⁵ sets of polynomials argument can be made that the scheme is sound. (/, /', ø, ø', cι , ...,c₄) from Cf, C_g, C_c and computed the The main problem that a proof of soundness faces is associated h. Every h in the experiment satisfied that it is not possible for Vinnie to test that h actually has the desired form. It is only possible for him to

I.67 < |/*| < 2.2q. apply a norm test to h. Let us suppose that an impostor, Irving, could produce valid responses h and h! to

Thus the probability that Pearl, knowing the secret /, /', the same commitment g, g¹ and four distinct 4-tuples of will fail the test |Λ| < 2.2q is less than 10 ^"5. Further challenges c. Assume for the moment that the responses details of our experiments are given in appendix 4. do actually have the correct form. Then the resulting system of four equations would probably be solvable for the products fg, fg', f'g, f'g'. With these four products,

2.6 Initial security discussion Irving could keep the same commitment and fool Vinnie

We will now consider the chances that an imposter, Irvfor any future challenges. ing, can pretend to be Pearl without knowledge of the The problem with this argument is the assumption secret PASS key /, /'. It is easy to verify that with the that the h supplied by Irving actually has the correct choices of parameters given in (5), the chance of Irving form. In fact, all that can be ascertained is that h is locating /, /', or an cquivalently useful /' by an exhaussmall and has the correct values at a € 5. Similarly, Vinnie can not be sure that a valid g, g' with small coeftive search or meet in the middle attack, is less than 2^_β0. As |£_f I > 2^7β, the chance that a repeat of a preficients created the commitment, although there must exist many polynomials G 6 R with the given valviously observed genuine session will help Irving is less ues g(a). However, by choosing t to be larger than sugthan 2-⁷⁰. gested above, but still considerably smaller than would

Also, by using Sterling's formula to approximate the allow an attack by lattice methods, as described below, volume of an JV-spherc, one can check that with 7_Λ = we can achieve some guarantees. An argument can be 2.2, made, using the gaussian heuristic, that with high probability any h supplied by Irving satisfying the necessary

|£_Λ| a (2πe)^Nfl(2.2q)^NN-^N/2. (6) requirements must have the correct form and must thus reveal the four products in the same way, given four

It follows from this that for our parameters, \C_h\q~^N < responses to the same commitment and different chal2~ι^βo ^«p_nj_{8 mcans} that _{a ra}ndom attempt by Irving lenges. to pass Vinnie's test will have a less than 2~⁸⁰ chance More specifically, let us first suppose that there reof success, even including possible mcet-in-the-middle ally does exist a pair of short polynomials g,g' with offline attacks. (ff(Q)ι - («)) _oe5 equal to Irving's commitment. Sup¬

Another potential attack for Irving is to cheat on his pose Irving somehow produces a short polynomial H commitment g, g' and pick a polynomial far shorter than with the property that (//(a)) _ satisfies the correct it should be. In the most extreme case, Irving could evaluations. As (/, /') is known to exist and we are aschoose g, g' to each be simply x^k for some k. If Irving suming that (g,g') exists, there certainly exists another could find a false key F, F' with |F|, |F'| < 2.2 and short polynomial h of the correct form satisfying the correct evaluations. But then h — H must also be relatively

F(α) = /(o) (mod e ) and F'(a) ≡ f'(a) (mod q) short, meaning that \h — H\ < Kq for K some absolute constant K, and also h — H vanishes mod q at all α € S. for all α ε 5, then this attack would succeed. The chance The expected number of such polynomials is on the order of Irving finding such an F, F' through a random search of is covered by (0) above and is less than 2~⁸⁰. The genuine key and false keys can also be searched for via lattice (2πe)^N^N-^N^K^Nq^Nq-^t. reduction methods, as will be discussed below. If t = N/2 + eN for some small e > 0, then this quantity

1-6 approaches zero for large N, meaning that with high It is easy to check that is indeed a lattice, and that probability rl must have the required form. the determinant of L is equal to q^l.

We have seen that we may assume soundness if the As remarked above, it is not difficult to find a polycommitment comes from a genuine short pair (g, g'). Let nomial F' € R such that F'(a) = /(α) mod q for all us finally suppose that Irving can somehow cleverly proa € 5. However the chances of such an F' having small duce a commitment (q(a), < g' (α)) ₉ suth that no short coefficients has been noted to be quite small. Suppose, (ø, q') exists with these values. If Irving can answer the though, that we find an F' with non-small coefficients challenges (cι ,f₂,t>»,r₄) and (1 + cι,r₂, C₃, c,|) for any and then search for a point F 6 L close to F'. If such single 4-tuple c, then he can recover a moderately short an F is found, set / = F' - F. Then / will still have polynomial G_\ such that G_\ (n) ≡ f(n)g(a) mod q for the correct valuations at α mod q and if F is very close all Q € 5. By moderately short we mean, as before, to F', then |/| will be small. that |Gι | < C\q for C\ some absolute constant. SimiThe problem of finding an / which will give a good larly, Irving can recover a moderately short polynomial impersonation of / is thus reduced to that of finding a G such that G₂( ) ≡ /'(α)ø(u) mod q for all α € S. point in a lattice which is as close as possible to a given Then assuming G₂ is invertible, (while not quite true, point outside the lattice This is a non-homogeneous this is a safe assumption) the pair of short polynomiversion of the problem of finding a short vector in a als {G_\ ,G₂) have the property that their ratio G₂/Gι lattice. It can also be translated into a homogeneous has the prescribed values (/'(n:)//(α)) for a € S. The problem in a similar lattice of one higher dimension. expected number of siuh pairs with small norm and preRoughly speaking, an attacker's chance of success in a scribed values is seen by the same argument as above fixed amount of time improves as the distance of the to be vani hingly small for large N and t shghtlygreater given point to the lattice decreases The attacker's than N/2. Thus we may assume that the chances of Irvchances also deteriorate as the dimension of the lattice ing constructing such a pair G_\ , G₂ without taking small increases. multiples of /, /' are vanishingly small This possibility Consider a sequence of primes q and N = q — 1 with too is therefore ruled out and we have established soundness (for large N and t slightly larger than N/2) under the assumption of the gaussian heuristic.

it took a somewhat shorter time to find an / wit correct evaluations mod q and |/| < 2.2<j, but for large

3 Lattice reduction techniques N the difference was not significant. Table 1 gives the tune required for several expenments for each q be¬

Lattice reduction methods can be used by Irving to attween 101 and 197, together with the average time retempt a recovery of the private key (/, /'), or an equally quired for each q. The experiments were performed useful falsp key, from the public key. These methods can using version 3.1b of Victor Shoup's implementation also be used in an off line attempt to construct a valid of the Schnorr, Euchner and Hoerner improvements of response h to a given commitment and challenge. This the LLL algorithm, distributed in his ΝTL package at aspect of serurity us relevant for both authentication and http : //www . cs . vise . edu/ ~ shoup/ntl/. digital signatures. In this section we will discuss and The regression line for the average time (in seconds), quantify the difficulty of recovering a short / (respecas a function of N, is tively /') from the collection of values (/(a)) _nes, or a short response h from the collection of values (/ι(α)) „. log(T) « 0.0750N - 2.661.

The correlation coefficient is 0.979. We have used the re¬

3.1 Formulation of a lattice attack on gression line to extrapolate the breaking time for larger the public key values of N. The results are listed in Table 2. Note

We begin by constructing a lattice as follows. For any that the running time to find a useful h, given a collecpolynomial F e R, associate to F the vector of coeffition (/ι(α))_βes, will be greater than the time required to find / or /'. We. also mention that the conversion cients (OO, OI , . . . , OΛΓ- I ). Similarly for any such vector or point in Z^N one can take the polynomial built from factor from seconds to MlPS-years is 400/31557600, bethese coefficients, reduce mod q, and obtain an F . β cause our expenments were nm on 400 MHz Celeron

Let L he the lattice of all points in Z^N such the corcomputers. responding polynomial F satisfies Remark. For comparison purposes, wc note that the estimated time to break RSA 1024 is 3 • 10^u MlPS-

F{n) = 0 (mod q) for each α 6 S. years, and the estimated time to break RSA 2048

1-7 We now consider the information revealed in a large collection of distinct examples of h = c fg + c₂fg' + c₃/'ø + Cif'g for fixed /, /' and varying c and g, g'. It is important to note that since /, f',g,g'c are small, an attacker may assume that no reduction mod q has occurred in the construction of », and thus that the coefficients of h are given over Z.

If the g,g' varied over a space of polynomials whose expected value was an invertible element G € Rq, and if each c, had expected value another invertible element C, then by taking an average of sufficiently many h, one

would approach 2C(/ + f')G. If one had a long enough

Table 1. Time (sees) To Find Target Vector transcript to pick out subcollections of challenges with different expected values, one could obtain two independent equations: CιGf+C₂Gf', C₃Gf + C₄Gf' and solve for /, /'. This is not a feasable option, however, as the expected value of g equals the expected values of ø' which equals 0.

The collection of all h in a transcript will generate a

Table 2. Estimated Breaking Times for PASS lattice over Z. However, because of the presence of the non-zero c_t, the full (and thus useless) lattice is generated by this collection.

An attacker might also consider the product hσ(h). is 3 • 10²⁰ MlPS-years. So according to Table 3, This is potentially a very powerful attack, due to Burt PASS 640 and 768 should be considerably more secure Kaliski, as after averaging a long transcript, an attacker than RSA 1024, and PASS 1152 should be considerably can hope to obtain the polynomial more secure than RSA 2048.

2a_ca_caf + 2a_ca_σa_r + Kfσ(J') + Kf'σ(f),

3.2 Zero-forced lattices where for any polynomial F, OF denotes the even polynomial OF = F * σ(F). Also ac, a denote the expected

Alexander May [10] has given an improved method for value of a_e,a„. These will, in fact, be invertible consearching for small vectors which have a comparatively stants. large number of coordinates equal to 0. These ideas lead

The average of hσ(h) will approach this limit as the to the notion of zero-forced lattices, in which one guesses cross terms of the product will have expected value that r particular coordinates of the target are 0, forces zero. The values oσ and ac may be assumed to be them to be zero, and thereby reduces the dimension of known, and hence it must be assumed that an atthe lattice. Of course, if r is large, it may take many tacker can obtain knowledge of this linear combination tries before one makes a correct guess. Full details of of o.f, ap , fσ(f'), f'σ(f). In fact, by picking out suh- how zero-forced lattices work and how to estimate their βts of a transcript where products of challenges have effectiveness is explained in [19]. For the values of N in different expected values, it must be assumed that Table 2 and choice of df « d₉ w r//3, the effect of using an attacker has knowledge of the individual quantities zero-forced lattices is negligible. ^α/»^α/'ι /^σ(/')ι /'^(/). This means, in effect, that if /(α) is known, one must assume that an attacker can deter¬

3.3 Attacks on a transcript of authentimine /(α^{- 1}), /'(α) and /'(α^{_ l} ). This is the reason that cation sessions we made the original assumption that 5 is closed under the taking of inverses. We remark, though, that to

First let us note that exactly the same exhaustive obtain this information requires a considerably longer searches and lattice attacks apply to {g,g') as apply transcript. ^to (/> /')• I" particular, if an attacker could discover Assuming that an attacker can determine the above ø, from the commitment or some other information refour products, one is left with the question of whether vealed in the transcripts, then he could recover /. It is he can use it to determine /. This seems to be an infor this reason that we have made the size of the search stance of the hard problem mentioned above, as it boils spaces the same. down to a factorization question in an algebraic number

1-8 field of high degree and large class number. Note that in the case of fcr(f), this factorization question is not completely general. It appears, though, to be as difficult to solve as the general factorization problem. In particular, solving an equation /*σ(/) = a is far more difficult than solving an equation of the rυrm f² — a. As previously indicated, the equation /² = a may be solved by reducing modulo a prime p such that X^N — 1 has a small number of factors modulo p, and then finding square roots in the associated finite fields. One could try to

proceed similarly for the equation / * σ{f) = a, but the Table 3. Communication requirements (bits) situation is entirely different. To explain why, suppose that X^N — \ mod p factors as a product of irreducible polynomials F, (λ ) • • • F„(Λ'), and let k, = deg(F,). mean values were chosen by an attacker from a long tran¬

For any F = Ft of elegreπ; k = fcj, we consider the asscript, it was noted that an average of cross terms of an sociated finite field K = (Z/pZ)[λ^']/(F( )) of order p*. could reveal information about the secret key /. This There are homomorphisms possibility was avoided by making / even and c odd,

K* K* and K'. eliminating cross terms. However, a_j remained potentially accessable, and if / is even, this is a square. As

/ f² / mentioned earlier, by reducing modulo an appropriate

The first homomorphism has kernel ±1, so for any smaller prime p it would then be possible to view a_j as given α, there arc at most 2 solutions to the equation sufficiently close to a square in a finite field to make the f² = o. The second homomorphism is quite different. extraction of a short square root feaβable. This is why in The image consists of the non-zero elements in the sub- the present scheme we avoid introducing any symmetry field of K of order p^{k, i} , so the kernel has p^k'² + 1 elinto either /, /' or c. ements. Thus the equation / * σ(f) = a has p^t/2 + 1 We will close this section by remarking briefly on an solutions in the finite field K. important observation of Coppersmith. By selecting any

Considering each of the factors j in turn, we see that fixed 4-tuple of indices i,j, k,l and computing an averif we can find all of the solutions lo f² = a in each finite age of the product of the i,j, k, l individual coefficients field, then we can solve f^'1 = a in Z[X]/(X^N - 1) by i, hj, hk, hι, information can be obtained about a comchecking only 2ⁿ possibilities. However, even if wc can bination of second and fourth power moments of / (resolve / * σ{f) = a in each finite field, then in order to spectively /'). (In this terminology, α/ is the second solve / * σ(f) = a in Z[X]/(X^N - 1), we need to check power moment of /.) It is then possible to recover / (p*^ι/² + 1) ■ • • (p^k"'² + 1) possibilities. This quantity is by a process which, while computationally intensive, is greater than p^N'², which is large enough to preclude an still feasable for the parameter choice N = 768. Copexhaustive search. persmith's initial calculations indicate that ignoring the

Another way of extracting information from the prodneed for differentiating the c's via subcollections, the ucts might be lo consider the ratio o/- /(/σ(/')) = transcscript needs to be on the order of several thouf'f^~ . This leads to lattices, similar to those studied sand. As we have not yet completed a precise analysis in [6], which have considerably higher breaking times of the necessary length, we will make the conservative because their dimensions arc doubled. One can also try estimate that a transcript of length 500 is far too short to locale the small target (σ(/), σ(/')) that solves the to leak much information about /. linear equation xfσ(f') - ya_f = 0. This too appears to take a longer time to solve than the lattice problem of recovering / from the public key. Finally, one could add 3.4 Cheating verifiers the valuation information to any of the above lattice attacks. As this increases the lattice' dimension while leavA cheating verifier is in a potentially powerful position. ing the structure of the Lattice very similar, it appears He can pass specially constructed challenges with given that^, the chances of finding a solution arc not improved. expected values to Pearl and extract information from

This is an appropriate point lo explain why an early the responses as outlined above. In this scheme, howversion or this scheme, described in [5], docs not provide ever, a challenge o is hashed with the commitment. secure authentication. In [5], the polyneimial h — (f+c)g This seems to eliminate any chance of a cheating verwas proposed. If a selcctiein of special c's with non-zero ifier obtaining an advantage.

1-9 4 Key length and communication [2] E.F. Brickell and K.S. McCurlcy. Interactive Idenrequirements tification and Digital Signatures. AT&T Technical Journal, November/December, 1991, 73-86.

The key lengths and number of bits transmitted for [3] 0. Goldrcich, S. Goldwasser, S. Halevy, Public-key N — 768 are given in Table 3. It is worth noting that cryptography from lattice reduction problems. In if desired, in the PASS scheme the private key can be Proc. CRYPTO'97, Lect. Notes in Computer Scistored as, and then generated from, any random string ence 1294, Springer- Verlag, 1997, 112-131. of 80 bits, as long as a non-line'ar uniform mapping is [4] L.C. Guillou and J.-J. Quisquater. A practical zero- provided into the pace £/. knowledge protocol fitted to security microprocessor minimising both transmission and memory. In

5 Final remarks C.G. Gύnther, eeϋtor, Advances in Cryptology — Eurocrypt '88, Lecture Notes in Computer Science

It is possible lo cut the number of bits transmitted in the 330, Springer- Verlag (1988) 123-128. following way. Currently Pearl computes and sends to [5] J. Hoffstein, B.S. Kaliski, D. Lieman, M.J.B. Rob- Vinnie the polynomial h = c_x fg + c fg' + Ca/'ø + c_\f'g, shaw, Y.L. Yin, "A New Identification Scheme which Vinnie then uses lo complete the verification. It Based on Polynomial Evaluation," patent applicaactually sufr es for Pearl to send to Vinnie the set of tion. values (h(rt))„es' , where S' is the complement of the [6] J. Hoffstein, J. Pipher, J. Silverman, NTRU: A ring- set S me>d q. Using the^s ' v luta and the information based public key system, Proceedings of ANTS III, he already possesses, Vinnie can reconstruct the value Portland (1998), Springer- Verlag. of Λ(α) for every a 6 Z/qZ, and this allows him to reconstruct Λ(.V). He then performs step (A) of the verifi[7] J. Hoffstein, J.H. Silverman. A new public key crypcation, that is, he verifies that, this h(X) is in the set £_/,. tosystem based on partial evaluation of polynomiIf it is, he accepts Pearl's identity. Note that Vinnie does als, preprint, March 1999. not need to perform step (B), because the construction [8] K. Ireland, M. Rosen. A classical introduction to assures that h(X) has the correct values for α € S. modern number theory, GTM 84, Springer- Verlag,

The procedure described in the last step may seem New York, 1982 impractical, because Vinnie neeels to reconstruct h(X) [9] A.K. Lenstra, H.W. Lenstra Jr., L. Lovsz, Factoring from its complete set r values. However, this is simply polynomials with rational coefficients, Mathematis- the association between a vector over Z/qZ and its dische Ann. 261 (1982), 513-634. crete Fourier transform, where a polynomial is identified with the vector of its coefficients. Naive computation [10] A. May, Cryptanalysis of NTRU, preprint, Februof discrete Fourier transfeirnis of vectors of dimension N ary 1999 only takes N² steps. Furthe'r, if N is divisible by a large [11] A.J. Menez.cs and P.C. van Oorschot and S.A. Van- value of 2, then one can use Fast Fourier Transforms stone. Handbook of Applied Cryptography. CRC (FFT) to speed the process. Note lhat one can do these Press, 1996. FFT's in Z/qZ working entirely with integers, because [12] R. Merkle, M. Hellman, Hiding information and Z/qZ contains a primitive N^lh root of unity. There is signatures in trapdoor knapsacks, IEEE Trans. Inno need to use real or complex numbers. The timing esform. Theory, IT-24:525-530, September 1978. timates described in Appendix 4 use FFT's in this way. We also neite that when Pearl e-emiputcs and reveals the [13] T. Okamoto, Provably secure and practical idencollection of values (ø(α))_oe.s, it will often be more effitification schemes and corresponding signature cient for her to compute the complete set of values of g schemes. In E.F. Brickell, editor, Advances in Crypusing FFT's, and then just reveal some of them to Vintology — Crypto '92, Lecture Notes in Computer nie. Science 740, Springer- Verlag (1993) 31-53.

[14] C.-P. Schnorr, A hierarchy of polynomial time lattice basis reduction algorithms, Theoretical Com¬

References puter Science 53 (1987), 201-224.

[1] M. Λjtai, C. Dweirk, A public-key cryptosystem [15] C.-P. Schnorr, A more efficient algorithm for lattice with worst case/average case equivalence. In Proc. basis reduction, J. Algorithms 9 (1988), 47-62. 29th ACM Symposium on Theory of Computing, [16] C.-P. Schnorr. Efficient identification and signatures 1997, 284-293. for smart cards. In G. Brassard, editor, Advances in

I- 10 Cryplology — Crypto '89, Lecture Notes in Comcommitment and the message and mapping the reputer Science 435, Springer- Verlag (1990) 239-251. sult to the space of challenges.

[17] A. Shamir, A polynomial-time algorithm for break• Pearl computes the response h to the commitment ing the basic Merkel-Hellman cryptosystem. In Proø, ø' and the challenge c using her private key /, /'. ceedings of Uic 23rd IEEE Symposium on Foundations of Computer Science., IEEE, 1982, 145-152. • Pearl's signed message is then the message M fol¬

[18] A. Shamir. An efficient ielenlilicatioii scheme based lowed by the signature (<?(S), ø'(S), Λ). on permuted kernels. In G. Brassarel, editor, Ad• To verify that Pearl signed the message M, Vinnie vances m Cryplology Crypto '89, Lecture Notes computes c from g(S),g'(S) and , and then uses in Computer Science 435, Springer- Verlag (1990) Pearl's public key /(S) to verify that the response 606-609. h was generated by someone with knowledge of the

[19] J.H. Silverman, Dimension-Reduced Lattices, Zero- private key /, /', i.e., by Pearl. Feιre:ed Lattices, anel the NTRU Public Key Cryptosystem, NTRU Technical Note 013, March 2, The fundamental difference between the use of the 1999, (wwH.ntru . com) scheme for authentication and for digital signatures is

[20] J. Stern. A new identification scheme based on synthat an attacker is allowed to have an arbitrarily long drome decoding. In D. Stinson, editor, Advances m time off line to try to compute a forged response. This Cryplology — Crypto '9.1, Lecture Notes in Comhas already been taken into account in the PASS auputer Science 773, Springer- Verlag (1994) 13-21. thentication scheme.

[21] J. Ste^«rn. Designing identification schemes with keys of short siz.e. In Y.G. Desmedt, editor, Advances m Appendix 2. A hash function Cryptology — Crypto '< , lecture Notes in Computer Science 839, Springer- Verlag (1994) 164-173. based on constrained polynomial

[22] D. Stinson. Cryptography, theory and practice. evaluation CRC Press, 1995.

Although any efficient and secure hash function can be used in the application to digital signatures, in some

Appendix 1. Application to digital circumstances it may be dcsireable to have a simple hash function available using only routines already prosignatures grammed into an implementation of the authentication scheme. For this reason, and for its own intrinsic inter¬

It is well known that any authentication scheme of the est, we present the following function. commitment, challenge, response type can be trans¬

We will construct a hash function Η in the context formed, with the addition of a hash function, into a digital signature scheme. This can also be. done here in the of the case N = 768 above. The input of will be a message of length N bits. The output of Η. will be a bit usual way. Specifically one would proceed as follows.

Let us suppose we have a hash function Η( ) which string of length T = t log₂ q.

The function H is defined as follows. Take a message takes as input a message M eif arbitrary length and outm of length N bits, and use it to define the coefficients puts a stamp of length 80 bits. Suppose also that we of a polynomial P of degree N - 1 with coefficients chohave a formatting function T, that takes the output of Η anel turns it into a 4- tuple! challenge peilynomial from sen from {0, 1}. Thus P(x) = no + o,_\x + a₂x² + ... + the space £_r. Le'l α||lι denote the concatenation of the α/v-i-t*^{- 1}, where α;_ι is 0 or 1 according to whether bit strings a and b. the i^th bit of m is 0 or 1. Thus the bits of m are strung

Suppose Pearl wants to sign a message , using her out as the coefficients of P. authentication key (/, /'). The polynomial P is then evaluated at the t values of α and reduced mod q. The output of H is then the

• Pearl picks a commitment polynomial pair (ø,ø') concatenation of the values P(a) mod q viewed as bit at random from C_s and computes her commitment strings, i.e., U = P(α₁)||P(α₂)||...||F(α_t). g{S),g'{S). Note, for implementation purposes, that in both this hash function computaton and in the authentication

• Pearl constructs the 4-tuplc challenge polynomial scheme, it will speed things considerably to have at least by ceimputing c - F{H(g(S)\\M)). In other words, a partial table of the values of α^ reduced mod q pre- Pearl simulates a challenge by hashing together the computed. Certainly, at least the values for j equal to

1-11 all powers of 2 less thnn log₂ q should be included in the table.

The Tact that this hash function is probabilistically collision free can be seen from the fact that two messages m,m' with eeμial output weiuld correspond to a polynomial Q = P - P' which vanishes at the t distinct α value* mod q, anel which has coefficients chosen from {1,0, -1}, with approximately half equal to 0. In the case N = 768 and I = N/2, a polynomial Q would have a norm about one tenth the length of the expected

smallest vector in the lattice of polynomials vanishing at Table 4. Distribution of \h\ for N = 768 (10* trials) the α's mod q. The chance of such a pair τn,m' existing is thus extremely low.

Appendix 4. Additional computational details

Appendix 3. Theoretical background and non-commutative genWe implemented the PASS authentication scheme on a 330 MHz Macintosh G3 using the Metroworks Codewar- eralizations rior compiler. We made no special attempts at optimization, but we did implement Fast Fourier Transform

The foundation of the TASS scheme is the evaluation routines over the finite field with q elements to speed homomorphism freim the peilyneimial ring R to the prodthe computation of the values of the polynomials. The uct (Z/øZ)'. This can be interpreted in another way program also precomputed a list of powers r' mod q for that clarifies the underpinnings of the schemes a bit and 0 < s < q — 1, where r is a primitive root modulo q, makes clear a elirection to loeik for possible generalizafor use by the FFT routines. The precomputation time tions. is not included in the elapsed times listed below. How¬

One can view Λ as a ring of functions on a cyclic group ever, we note that this precomputation only consists of taking values in Z/øZ. In other words, the function valq multiplications and reductions modulo q of numbers ues arc the coefficients o„ and the arguments are the between 0 and q — 1, so is in any case not very time indices i. The Fourier transform of this function (corconsuming. responding te» a polynomial /) can then be viewed as For our experiments we used the PASS parameters the ordered colloctiem eif values (/(α))„_6Z/,_z. The evaluation homomorphism the-n can be interpreted as the N = 768, ø = 769, d_t = d_s = 256, d_e = 1. well-known homomorphism from a ring of functions to the ring of Fourier transforms of the functions. The time needed to create a public/private key pair was 2.06 milliseconds. The time needed to perform a com¬

The key observation e>f TΛSS is that if one concentrates in a certain arι<a eif R and then leκiks at the image plete authentication sequence consisting of the four steps of this area in (Z/yZ)', the image is uniformly dispersed Commit, Challenge, Respond, and Verify was 6.438 milthroughout the space. When viewed from the point of liseconds. This equals approximately 155 authentications/signatures per second. view just described, one can sec that this is an exam¬

The first verification step (A) asks that \h\ < ^q. For ple of the uncertainty principle for Fourier transforms. This generally states that one can not simultaneously our sample parameter set, we chose 7_/, = 2.2. Table 4 concentrate the values eif a functiein and the values of its gives the distribution of \h\/q for 10^s trials. There were Fourier coefficients. no values greater than 2.2, indicating that the probability of Pearl's response failing the verification step (A) is

In addition to making one Tcel more comfortable about smaller than 10~^B. the theoretical basis of the schemes, this also allows one lo begin investigating generalizations in the form of Fourier analysis on nein-abelian groups. Alternatively, Contact Information such non-abclian Fourier analysis ran also be interpreted J. Hoffstein: (jhoffateinCntru.com) in a different but equivalent way: evaluations of / corD. Lie an: (dliefflanCntru.com) respond in general to higher degree representations of J.H. Silverman: (jailvermanCntru.com) non-abelian groups. We heipe to say more about this in ΝTRU Cryptosystems, Inc.: (www.ntru. com) future papers.

1-12 Appendix II

Polynomial Rings and Efficient Public Key Authentication II Jeffrey Hoffstein and Joseph H. Silverman

Abstivcl. In a recent paper [3] a highly efficient public key authentication scheme called PASS was introduced. In this paper we show how a small modification in the scheme cuts the size of the public key and the commitment in half while reducing an already minimal computational load.

Keywords. Authentication, Digital Signature, Public Key

Non-Technical Description of Work. A new public key authentication method was introduced in [3] featuring high speed, moderate key sizes, very low processing power required for both prover and verifier, and rapid generation of public-private key pairs. The efficiency and flexibility of the scheme is such that in addition to high security applications, it is also suitable for use on Smart Cards and in any other context, such as micropayments, where overhead considerations have maele more traditional authentication schemes impractical. In this paper wc show how the PASS scheme can be improved still further, reducing the already minimal computations of the prover substantially and decreasing communication requirements.

§1. Introduction

In a recent paper [3], a new highly efficient scheme for public key authentication and digital signatures called PASS was introduced. The ideas underlying PASS are related to the ideas originating in [1] and [2]. Each of these three papers used a combination of algebraic and analytic techniques in the context of a commutative ring

R = (Z/qZ)[x]/(x^N - l), (1) where q and N are moderately sized relatively prime integers.

In order to avoid excessive duplication of exposition, we will assume some familiarity with the previous paper [3|. We will, however, repeat some definitions and concepts when it appears that this would be useful. Thus this paper should be readable without reference to [3J.

The general idea in the earlier paper [3] is as follows. Pearl, the prover, wishes to prove her identity to Vinnie, the verifier. Pearl has a secret key (/, /') consisting of a pair of "short" polynomials in R, i.e., having coefficients 1, -1, and 0. Pearl's public key is the collection of values { ( ), '(α)}_α€5, where α varies over a set S consisting of half the numbers modulo q.

To identify herself, Pearl randomly picks a pair (g,g') of short polynomials in R. She keeps (g,g') secret, but as her commitment, Pearl reveals {g(a),g'( )}_QeS, the collection of values of g and g' a the points in 5. The verifier Vinnie sends Pearl a challenge en that Pearl hashes with the commitment to produce a 4-tuple of extremely short polynomials (cι » C2, C3, C4). Pearl computes and reveals the polynomial

/,. = ] * / * g + c₂ * f * g' + C₃ * ' * g + c_Λ * f * g'. π- 1 (Note all polynomial multiplications take place in the ring R.)

In order to verify Pearl's identity, Vinnie first checks that h is fairly short, and second he checks that, the identity h( ) = cι (α)/(α)flf(α) + c₂(a)f( )g'(a) + c₃( )f'(a)g(a) + c₄(α)/'(α)< (α) is true for all o € S. If /) passes both of these tests, then Vinnie accepts Peral's proof of identity, i.e., that she has knowledge of the secret short polynomial /.

In this paper we describe a modified version of the above scheme in which the public key and the commitment each consist of a single short polynomial, rather than a pair of short, polynomials. This will improve the operating characteristics of the scheme. We call this variation on the PASS scheme PASS2.

The polynomial response h in PASS2 will take a somewhat different form. It is constructed using a pair of challenge polynomials (ci , c₂), and the check by Vinnie changes to a verification that h is short, followed by a verification that a certain combination of the values f( ), c(a), </(α), /ι(α) are squares modulo q for all € S.

In the following sections we give a precise description of PASS2, propose some specific parameters, and provide security analyses in these cases.

§1.1. An outline of the PASS2 authentication scheme

We first review some of the PASS notation. Let q be a prime and let N = q — 1. A typical element g of R has a representative of the form

with coefficients ai G Z/qZ. It is useful to define two norms on R. Let g be a polynomial whose coefficients satisfy |u, | < q/2 and £ α; = 0. We then define

and = Maxαi - Minoi.

We recall the notion of a short polynomial:

Definition. A pnlyiwminl f will he called "short" if its norm \f\₂ is smaller than a specified cons int multiple ol q.

Very roughly, polynomials are called short if their coefficients are sufficiently small with respect to q that no reduction mod q occurs when two of them are multiplied together. We will occasionally find it useful to call a polynomial "moderately" short if its norm is less than a constant times q.

When polynomials arc short, the two norms above are related by the rough inequality l</- * <?'|oo < c₂|<7|₂h/|₂, (2) where c₂ is a constant that varies between 0.3 and 0.5 for parameters in the ranges discussed here. Also we have the approximate relation (for random choices of short polynomials)

\g * 9'h ∞ \g\ \g'\₂. (3) π-2 The estimate (3) with appropriate choices of constants shows that the product of two short polynomials will have small | • |₂ and | • |_∞ norms with respect to q.

For any integer d, we let C(d) denote the set of polynomials in R that have exactly d coefficients equal to each of 1 and -1, with all other coefficients equal to 0. We fix a set S consisting of t = N/2 randomly chosen distinct non-zero elements € Z/qZ. The set S is a system-wide parameter. For technical reasons, we assume that 5 is chosen so that if a € S, then α^{- 1} € 5, i.e., 5 is closed under taking inverses.

We further fix four system parameters df , d_g, d_{C )} η. These are used to define four sets of polynomials:

Cf = C(d_f), C_g = C(d_g), C_c = C(d_c), £_h = {h € R : \h\₂ < q}.

We now describe how an authentication session proceeds in PASS2. Pearl, the prover, has a private key /, known only to her. This private key is chosen by Pearl at random from £/. Her public key is the associated ordered collection of values mod q: {/(α }_Qes- We claim that the following scenario allows Pearl to prove to Vinnie, the verifier, that she possesses the secret key / associated to her public key, without revealing / or information that could help Vinnie, or a third party Irving observing the transaction, to discover /.

• Pearl randomly chooses a commitment g_\ € C_g and sends the set of values {<7ι ('>)}_{oe <;} to Vinnie.

• Vinnie chooses an 80 bit challenge en at random and sends Co to Pearl. Pearl hashes en with {#ι (α)}_αe ^to obtain Cι , c₂ € C_c. Pearl checks that ci (a) ≠ 0 (mod q) for all 2 < a < q - 2 with a S. If this is not the case Pearl rechooses ci in a predefined way until ci has this property.

• Pearl chooses g₂ € C_g and computes and reveals

ft = (/ + cι * g\ + c₂ * g₂) * g₂.

• Vinnie verifies that: (A) /» € £,,.

(D) The quantity (f(a) + cι(a)gι (a))² + 4c₂(α)/ι( ) is a quadratic residue modulo q for every € 5. If Pearl passes the two tests, then Vinnie accepts her claim of identity.

Remark 1. One can check that the probability that the Ci chosen through a hashing process as above will have the desired non-vanishing property is greater than 50%. Thus it will not take long for Pearl to locate a satisfactory ci.

As with PASS, or any public key authentication scheme, one must verify, or at least make strong arguments in favor of, several things. First, it must be shown that if Pearl possesses the private key , the probability that she will pass the test and be accepted by Vinnie as legitimate can be made arbitrarily high. Second, it must be shown that a potential impostor without knowledge of / or some other false key /' will have a very low probability of passing the test. Finally, it must be shown that even if an impostor knows the public key and has access to an arbitrarily long transcript of genuine authentication π-3 transactions using /, he will have a close to zero chance of recovering either the original private key or an equally useful false key /'.

In the following, we will generally suppress the * in the notation when multiplying polynomials in J .

§1.2. Specific parameter choices

In this section we give concrete eletails for the PASS2 scheme described above. Let g be a small prime, for example; q = 769 or q = 929, and let N = q - 1. We will establish below that the level of security for q = 769 is considerably greater than that of RSA 512, while that of q = 920 is greater than USA 1024.

Let r be a primitive root modulo q, let t — N/2, and let J be a collection of t distinct indices j, chosen at random from the collection of integers less than N, with the condition that, if j € J, then q — 1 — j G J. Define S by

S = {r^j mod q : j G J}. (4)

Then 5 consists of t distinct elements a mod q. As they are non-zero, each has the property that ^Ν ≡ 1 mod 7. Also, by its definition, S is closed under the taking of multiplicative inverses mod q.

Fix t anel a set .S with |5| = t as in (4) above. Set the parameters dj, d_g, d_c. ~i as follows: d_f = [1/2 + 7/3], d_g = [1/2 + 7/6], d_c = 2, = 1-8. (5)

It is simple to check then that for any 7 > 769

|£/| > 2^1C0, |£₉| > 2¹⁶⁰, |£_c| > 2³⁶, q* > 2¹⁶⁰. (6)

In fact these bounds arc far exceeded for all spaces except for £_c. Note that the space of challenges is the space of pairs of elements of £_c and thus has size 2⁷².

Let us first discuss completeness. We will show that Pearl, knowing the secret key /, can pass Vinnie's test with very high probability.

§1.3. On Completeness

Recall how the scenario works: Pearl chooses g_\ € C_g and reveals the commitment {-7ι (°')}_{o€ ,s'}- Λ challenge is sent to Pearl, which she uses to create the pair c_{1 (} C₂ G £_c. Pearl chooses g₂ € £,,, then uses her knowledge of / to compute and reveal

ft = (/ + ci * øi + c₂ * g₂) * g₂.

The test ft € £ , will be passed for the following reason. From (2) and (3), we see that the fact that. |/|₂, løfe, |cι |₂, and |c₂|₂ are small implies that | |₂ and |ft|_∞ must be small. As with PASS, the probability that |/t|₂ falls into a given range, or that individual coefficients of h fall into given ranges, can be computed theoretically, but it is far easier to do an

II-4 empirical computation. For example, in the case (5) above with 7 = 769, we found that in 5 • 10^R tests of randomly chosen triples (f, g_ Cι , c₂) from £/, £«,, £_c,

600250 < |ft|₂ ² < 1916009 for all but. one h, for whit-h the value was 1972192. From this we conclude that the probability that |ft|₂ < I.87 is roughly 2 • 10^-7 (and even for the exception this inequality held with 1.8 replaced by 1.83). Thus we claim that the probability of a false alarm, i.e., that Pearl will fail test (A) despite knowing the secret /, is less than 10^~6. If this occurs, the test can simply be repeated, and similarly with a digital signature. Remark 2. If desired the test can be strengthened by lowering 1.8 to, say, 1.6. Then the chances of a false alarm are? somewhat increased, but the security level at a given parameter setting increases dramatically. Next consider the test

(B) (f(a) + c_\ (a)g_\ (a))² + 4c₂(α)ft(α) is a quadratic residue mod 7 for every € S. This is will be true because (f( ) + _\ (a)gι (a))² + 4c₂(α)/ι(α) will be a square if and only if the quadratic equation e₂(u ) τ² + (/(cv) + c_\ (a)g_\ (ot))x - h(ά) ≡ 0 (mod 7) has a solution. But the construction of ft guarantees the existence of a solution, namely = g₂(a). Thus Pearl will pass this test also and her proof of identity will be accepted by Vinnie.

§1.4. Security discussion

We will now consider the chances that an imposter, Irving, can pretend to be Pearl without knowledge of the secret PΛSS2 key /. The first few arguments are identical to those in [3]. With the size eif the spaces given in (6), the chances of Irving locating /, or an equivalently useful /' by an exhaustive search or meet-in-the-middle attack are, as in PASS, less than 2~⁸⁰. Since |£_c| — 2'², the; chances that a repeat of a previously observed genuine session will help Irving are minimal.

In order to impersonate Pearl, Irving can either choose his ft at random satisfying the quadratic constraints and hope that |ft|₂ < I.87, or Irving can choose ft with \h\ < I.87 and hope that h satisfies the quadratic constraints. In the first case, as in PASS, by using Sterling's formula to approximate the volume of an N-sphere one can check that

|£,, | w (2ιre)^N/2(1.8q)^NN-^N'². (7)

An ft chosen to sat isfy the quadratic constraints will be uniformly distributed inside a space of volume 7^. Thus by (7) we see that for our parameters, \C_h\q^~N < 2^-160. This means that this approach will have a less than 2~⁸⁰ chance of success, even including possible meet-in-the-middle off line attacks.

On the other hand, an h picked at random from _h will have a 50% chance of satisfying each quadratic constraint, and thus a 2~ ^/2 probability of satisfying all of them. For N > 320 this is also less than 2^{~ xm}.

II-5 Another potential attack for Irving is to cheat on his choice of g\ , g and pick poly^¬ nomials far shorter than they should be. In the most extreme case, Irving could choose 0₁, 0₂ to c simply .τ*\ r' for some k, l. If Irving could find a false key /' with |/'|₂ < I.87 and f'(n) = f(n ) mod 7 for all S, then this attack would succeed. The chances of Irving finding such an /' through a random search are covered by (7) above and are less than 2~⁸⁰. Keys / and /' can also be searched for via lattice reduction methods, which will be discussed below.

§1.5. Soundness

We will give a probablistic argument here that for t a bit larger than N/2, if Irving can produce a sequence of responses to a single commitment {øι (α)}_α65 and a sequence of challenge pairs cι , c₂ then he must have knowledge of the secret key /. As in [3], our argument will not be airtight. But we hope it will be convincing.

Suppose that, given {øι ( )} ~, when confronted by a random challenge pair c\ , c Irving can produce a moderately snort polynomial ft with the property that

{f (a) + ci ( )øι (α))² + 4c₂(α)ft(α) is a quadratic resieluo mod 7 for every α € S. It may be the case that Irving does not really have short polynomials g_\ ,g on hand but has simply selected the collection of values {øι (o)} _ς by seimc method. If so, the multiplication by the random c_\ and the inclusion of the random r₂ in the constraint seem to reduce Irving's situation to the general one of finding a moderately short polynomial satisfying a collection of t quadratic constraints. This problem is analyzed below in the section on lattice reduction attacks. With high probability there will exist a large number of potential responses ft satisfying these constraints. However, the only method available for finding them seems to be lattice reduction methods, and the time estimates for Irving to find a response by this method are quite long.

Let us assume therefore that Irving's response actually has the form ft = ( + ciøi + c₂g₂)g₂ for any challenges ci , c₂, with g_\ , g fixed, but not necessarily short. We also assume that F has the correct values at 5 but is not necessarily short. Then by taking the two responses H and H' challenge pairs eι , c₂ and Cι , l + c₂, Irving can obtain the the difference ' — H = Unless Irving has solved the problem previously mentioned, of finding general sho olynomials whose values are quadratic residues, it is highly probable that H' — H =

is a square of a short polynomial, i.e. that g really must be short. The square root can then be taken, as described in [3], recovering g . The short polynomial

π-6 The difference of the polynomials H = Fg₂ - fg₂ satisfies H(α) ≡ 0 mod q for all a S. H is also moderately short, meaning that |H|₂ < Kq for an absolute constant q. The probable existence of a non-zero H satisfying these constraints for large N can be calculated by aprroxitnaling the volume of an N-sphere using Sterlings formula, as in [3], and applying the gaussian heuristic to a lattice of determinant 7*, described in the next section. One sees that for N large the expected number of such polynomials is on the order 2 e /²N-^N/²K^Nq^Nq-^t.

If /, = N/2 -I- fN for some small t > 0, then this quantity approaches zero for large N, meaning that with high probability II = 0 and Fg = fg .

§2. Lattice reduction techniques

Lattice reduction methods can be used by Irving to search for the private key /, or an equally useful false ke;y /'. These methods can also be used in an off line attempt to construct a valid response ft. to a given challenge. Finally, they can be used in an attempt to recover _,7₁ from a given commitment and hence / from the corresponding response ft. (In fact about 15 different .7₁ recoveries would be necessary to recover /.) In this section we will discuss and quantify the difficulty of these questions. First we will discuss an attack on / using the public key {/(«)}_α€

§2.1. Formulation of a lattice attack on the public key.

This is approached exactly as in [3]. For convenience we will remind the reader of the outline. We begin by constructing a lattice as follows. For any polynomial F € R, associate to F the vector of coefficients (αn,αι , . . . .o^- - Similarly for any such vector or point in Z^N , one can take the polynomial built from these coefficients, reduce mod 7, and obtain an F € R.

Let L be the lattice of all points in Z^N such the corresponding polynomial F satisfies

F( ) = 0 (mod 7) for each S.

It is easy to check tha L is indeed a lattice, and that the determinant of L is equal to 7*.

It is not difficult to find a polynomial F' € R such that F'( ) ≡ /( ) mod 7 for all a € S. However it is ve;ry unlikely that such an F' will have small coefficients. Suppose, instead, that we find an F' with non-small coefficients and then search for a point F € L close to F'. If such an F is found, set /' = F' - F. Then ' will still have the correct valuations at o mod 7, anel if F is very close to F then |/'|₂ will be small.

The problem or finding an ' which will give a good impersonation of / is thus reduced to that of finding a point in a lattice which is as close as possible to a given point outside the lattice. This is a non-homogeneous version of the problem of finding a short vector in a lattice. It can also be translated into a homogeneous problem in a similar lattice of one higher dimension. Roughly speaking, an attacker's chance of success in a fixed amount of time improves as the distance of the given point to the lattice decreases. The attacker's chances also deteriorate as the dimension of the lattice increases.

π- 7 §2.2. Some lattice reduction experiments

Consider a list or primes q and N = - 1 with d_f = [1/2 + 7/3] as in (5). When 7 = 769, this gives d_j ----- 256. Our experiments used the lattice reduction package provided in version 3.1b or Victor Shoup's implementation of the Schnorr, Euchncr and Hoerner improvements of the LLL algorithm. This is distributed in his ΝTL package, located at http: //www. cs. wisc . edu/~ shoup/ntl/. Our approach was to obtain results for an increasing sequence of primes 7, and N = 7 - 1, and plot the log of the time it took to break a key or find an alternative key against N. We found in all cases that the log time increased linearly with N. We then extrapolated theline we obtained to obtain estimated breaking times for high N.

Table 1 gives the results of experiments to recover the private key / from {/{<*)} _a€S-

Table 1. Time (sees) To Find Original Key /

The; regression line; for the average time (in seconds), as a function of N, is log(7') w 0.0803N - 3.1923.

The correlation coefficient is 0.9866. We have used the regression line to extrapolate the breaking time for larger values of N. The results are listed in Table 2. Note that the conversion factor from seconds to MlPS-years is 400/31557600, because our experiments were run on 400 MHz Celeron computers.

Table 2. Estimated Breaking Times For Original / Key

π-8 Now consider a list of primes 7 and N = 7 - 1 with d_g = [1/2 + 7/6] as in (5). When 7 = 769, this gives d_g ^■= 128. Table 3 gives the results of experiments to recover øi from {5i(°)} ._<?• Ν°^{, c} that an attempt could be made to recover ø₂ from values given by the solution^*^ ^' the quadrat ic equation involving /, øι , Cι , c₂ that ø₂ satisfies. However, as the values of and g_\ are: only known in S and each g (σ) has two possible solutions, this procedure is far more difficult than the problem of recovering g\.

Table 3. Time (sees) To Recover øi

The regression line for the average time (in seconds), as a function of N, is log(7") w 0.0574N - 1.6850.

The conelat ion coe:fIicie;nt is 0.9978. We have used the regression line to extrapolate the breaking time for large;r values of N. The results are listed in Table 4.

Table 4. Estimated Breaking Times For øi Recovery

Table 5 gives the t ime required to produce an /' with the property that /' = / mod 7 for all a E ^,S and |/'|₂ < 1.87. Such an /' would not equal the original /, but would be sufficient, one-c discovered, for Irving to have a reasonably good chance of impersonating π- 9

Table 5. Time (sees) To Find False Key /'

Pearl. To do this he woulel cheat on his commitment by choosing øj , ø₂ to be simple powers of x. We give the results of several experiments for each q between 193 and 307, together with the average time required for each q.

The regression line for the average time (in seconds), as a function of N, is log(T) w 0.0487N - 3.9606.

The correlation coefficient is 0.9876. We have used the regression Une to extrapolate the breaking time for larger values of N. The results are listed in Table 6.

Table 6. Estimated Breaking Times for false PASS2 key /'

Remark 3. Table 6, the estimated time for recovery of a false key /', gives the smallest breaking times, hence should be regarded as providing a lower bound for the security of the PASS2 scheme. For comparison purposes, we note that the estimated time to break RSA 512 is 3 - 10'¹ MlPS-years, and the; estimated time to break RSA 1024 is 3 ^• 10¹¹ MlPS-years. So according to Table 6, the; the PΛSS2 scheme with N = 640 should be considerably more secure? than RSA 512, while for N = 928 security is greater than RSA 1024 and N = 728 lies in between.

§2.3. Zero-Forced Lattices

Alexander May |4] has given an improved method for searching for small vectors when the small vectors have a comparatively large number of coordinates equal to 0. These ideas lead to the notion of zero-feirccd lattices, in which one guesses that r particular coordinates of the target arc 0, forces them to be zero, and thereby reduces the dimension of the lattice. Of course, if r is large, it may take many tries before one makes a correct guess. Full details of how zcro-forccel lattices work and how to estimate their effectiveness are given in [5]. However, since the polynomials have only 1/3 of their coefficients equal to 0, in the case of /, and 2/3 equal to 0, in the? case of øiit is very difficult to correctly guess many zeros. As it would be necessary to guess considerably more than 100 zero locations correctly in order to reduce the ke;y breaking time for i or / down to even the time estimate for finding a false ', one; sees that the; use eif zero-forced lattices has a negligible effect on security estimates for PΛSS2.

§2.4. Lattice based creation of a response without the private key

Irving faces the following problem. Given a challenge c, he must find a polynomial ft with \h\ < I.87 such that (/(α) + cι ( )øι(α))² + 4c₂( )ft(α) is a quadratic residue mod 7 for every a € 5. There are several different approaches that Irving can take, but none seem to have any chance of success in time less than that estimated in Table 6 for recovery of a false key '.

For example, Irving could choose his collection of commitment values 0₁(0) at random. After receiving the: challenges Irving could choose t values for ft( ) at random that satisfy the quadratic constraints. I ie could then use LLL to search for ft with |ft|₂ < I.87 satisfying these constraints. For I — N/2 the expected size of a vector satisfying these constraints is (sec [3]) about q/ /'2πc. As this is less than I.87, there is a high probability that such an h exists. However the time required to find such an ft by lattice reduction methods is greater than or equal to the time required to find a false key /' as given in Table 6. Thus the security estimate for PΛSS2 remains unchanged after considering this potential attack.

Another possibility for Irving is to pick a random collection of commitment values øi (α). He can then e-hoeisc G^ very short, (even a power of x), and define g (σ.) by <-π(α) = ø₂(α)/(o ). Then he can search for a short G such that |G₂|₂ < I.87 and such that G₂(σ) = (ci (0 )01 (0-) + c₂(α)ø₂( ))ø₂(o;) for every a € S. This, however, reduces to the same search as just mentioned, and should be solvable in about the same time.

The last possibility we will consider is that Irving could find relatively short polynomials G'ι , G₂, G₃, i.e., polynomials satisfying |Gι |_{2 )} |G₂|₂, |G₃|₂ < I.87, and collections of values {gι{ot),g₂(a)}_aζ such that

Gι ( ) = /(α)ø₂(«), G₂(a) = øι ( )ø₂(α), G₃{ ) - g₂(a)².

II- 11 This problem seicms lei be just as hard as that mentioned in the first two possibilities, but the dimension is tripled, lcaeling to considerably greater breaking times.

§2.5. Attacks on a transcript of authentication sessions.

Consider the information revealed in a large collection of distinct examples of

for fixed / anel varying n , r anel _,7₁ , ø₂. It is important to note that since /, ø₁ ,ø₂, cι , c₂ are small, an attacker may assume that no reduction modulo 7 has occurred in the construction of /?., and thus that the coe:flicients of h are given over Z. Significant reduction, however, has occurred modulo x^N — 1.

First, fix some β not in S and let. us consider the information revealed from a collection of responses ft. for which ci vanishes at β, i.e., c_\(β) ≡ 0 (mod 7). Let QR denote the set of quadratic residues mod 7. Since g (β) is the solution of a quadratic equation, it must be true that

(f(fl) + n(/ ι( ?))² + 4c₂(β)h(β) e QR.

Since wc are assuming that c^ β) vanishes, it follows that f(β)² + 4c (β)h(β) G QR. This constrains f(β)² to lie in the translated set f(β)² € QR - Λc₂(β)h(β) = {u² - 4c₂(β)h(β) : u mod 7}.

Each response ft for which c_\ (β) = 0 will cut the possibilities for f(β)² by approximately 50%, so after little more than log₂ ø such responses, an attacker can determine f(β)²-

If this attack is carrieel out for every β not in 5, then the polynomial f(x)² can be determined, since the values f(a) for € 5 are already public knowledge. It is then easy to extract the; small square; root and recover f(x) itself, see [3] for details. The attack we have just described is the π?ason for the requirement in the protocol that c_\(β) 0 for all β $. S (other than β — 0, ±1 , which are not important). This requirement means that the above attack cannot eve:n get started. We are indebted to Don Coppersmith for informing us of this potential attack.

One might ask if the attacker could apply the same approach using an irreducible quadratic factor of r, and thus a root of ci in a quadratic extension of Z/7Z. This will not work, because the polynomial ft is only given modulo x^N — 1, and it is only elements of Z/7Z that have the property that a^N = 1; elements in extension fields do not have this property. In other words, the evaluation map at a element of an extension field is not a homomorphism from R to that extension field, so the attack using extension fields is not possible.

The collection of all h in a transcript will generate a lattice over Z. However, because of the presence of the non-zero c, , the full (and thus useless) lattice is generated by this collection.

One^; can consider t he: average of many different responses ft. As in [3] this does not provide useful information because the expected values of the coefficients of øι, ø₂ arc 0.

π- 12 The expected value, incidentally, of the polynomial ø² is (x^N - l)/(x² - 1)- This is not quite zero, but highly non-invertible.

An attacker might alsei consider the product ftσ(ft), the autocorrelation polynomial corresponding to ft. This is potentially a very powerful attack, due to Burt Kaliski, as after averaging a long transcript, an attacker can hope to obtain the polynomial

_/ ²⁾ + ^{,) 1,2)} + ^{2) 2}'²⁾-

Here for any peilynomial F, n_F denotes the even autocorrelation polynomial ap — F*σ(F). Also Λ^ denotes the expected value of a * σd for i = 1, 2 and Ag ³' denotes the expected value of ø,ø_j * <?{g_.g_j)- The average of ftσ(ft) will approach this limit as the cross terms of the product, will have expected value zero.

If øi . ₂. fi . <-₂ vary uniformly, the limiting autocorrelation polynomials are simple constants and hence j can be recovered. This means in effect that /(cr)/(α^-1) can be assumed to be known, anel thus that once f(a) is known mod 7 for any α, /(α^-1) can be found. This is the reason for the original assumption that S is closed under multiplicative inverses, as an attacker gets no additional knowledge from α/. We refer also to the analysis given in [3] for the conclusion that it is very difficult to factor α/ as a polynomial and obtain /.

We will close this section by remarking briefly on an important observation of Coppersmith. By selecting any fixed 4-tuple of indices i,j, k, l and computing an average of the product of the i,j, /.;, I individual coefficients hi, hj, hk, hi, information can be obtained about a combination of second and fourth power moments of /. (In this terminology, α is the second power moment of /.) It is then possible to recover / by a process which, while computationally intensive, is still subexponential in N and feasable for the parameter choice N — 768. We have conducted a number of computer experiments to determine lower bounds that the le;ngth of a transcript must exceed before an attacker has a chance of determining the limiting value of the products hi, h_j, h_k, hι. Some experimental evidence is given in the Appendix 2. The experiments show that the convergence to the limiting value is extremely slow. Eve;n after averaging 100 million responses, i.e., examining 100 million digital signatures proeluced by a single private key, the variation in each product is still wide enough to alleiw cemside;rably greater than 2¹⁶⁰ choices for a sufficiently large (greater than N) limiting collection of 4-tuple products. We thus feel that it is safe to use a single key for at least 100 million authentication sessions or digital signatures.

§2.6. Cheating Verifiers

A cheating verifier can pass specially constructed challenges with given expected values to Pearl anel extract information from the responses as outlined above. (For example, choosing challenges equal to 0, or those where ci has roots consistently in specific places.) In this scheme, Imwcveir, a. challenge c₀ is hashed with the commitment. This seems to eliminate any chance of a cheating verifier obtaining an advantage.

π- 13 §3. Key length and communication requirements

The key lengths anel number of bits transmitted for N = 768 and N = 928 are given in Table 7. (For N = 928, d_f = 62.) It is worth noting that if desired, as in the PASS scheme, the private; ke:y can be; sl ired as, or generated from, any random string of 80 bits, as long as a non-linear uniform mapping is provided into the space £/. The number of bits in the response is an upper bound, based on the fact that most coefficients of ft will have a rather small absolute value and hence can be recorded using 5,6 or 7 bits. On average, one finds that with these parameter choices, about 34% of the coefficients can be recorded with 5 bits, 29.14% with 6 bit s, 29.64% with 7 bits. Only about 0.03% will require 8 bits and one or two rare exceptions require 9. Note that the length of a digital signature attached to a message will be the tot l number of bits transmitted as recorded below, minus the 80 bits required for the challenge. This is because, as usual when constructing a digital signature, the message is hashed with the commitment to produce the challenge. The signature is then the commitment, followed by the response.

Table 7. Key Length and Communication Requirements in Bits

§4. Final Remarks

Recall that wc established above that the security level of PΛSS2 with q = 769 is considerably greater than t hat of RSA 512, while the security level of PASS2 with q = 929 is greater to RSA 1024.

When Vinnie checks that the quadratic condition is fulfilled, he need only do this for a randomly chosen subset of 80 values in S. It will probably be most efficient for Vinnie to use a precompute table or quadratic residues mod q, but if space is at a premium, then quadratic reciprocity could be used for this test.

Finally, we remark that the evaluation of polynomials by Pearl and Vinnie can be done most efficiently by means of the FFT. This is because the evaluation of a polynomial is simply the association between a vector over Z/7Z and its discrete Fourier transform, where a polynomial is identified with the vector of its coefficients. Naive computation of discrete Fourier transforms of vectors of dimension N only takes N² steps, so is not an onerous task. However, the suggested parameter values were selected so that N is divisible by a reasonably large; value of 2, which means that one can use Fast Fourier Transforms π-14 (FFT) to speed the process. Note that one can do these FFT's in Z/7Z working entirely with integers, because Z/7Z contains a primitive N^lh root of unity. There is no need to use real or complex numbers.

References

|1] J. Iloffslcin, B.S. Kaliski, D. Licman, M.J.B. Robshaw, Y.L. Yin, "A New Identifica^¬ tion Scheme Base?el on Polynomial Evaluation," patent application.

[2] J. Hoffstein, J. Piphcr, J. Silverman, "NTRU: A ring-based public key system," Proceedings or ANTS III, Portland (1998), Springer-Verlag.

|3] J. lloffsfein, D. Lie an, J. Silverman, "Polynomial Rings and Efficient Public Key Authentication," Procee ing of the International Workshop on Cryptographic Techniques and E-Commercc (CrypTEC '99), M. Blum and CH. Lee, eds., City University of Hong Kong Pre:ss, to appear.

[4] A. May, Cryptanalysis eif NTRU, preprint, February 1999

[5] J.H. Silverman, Dimension-Reduced Lattices, Zero-Forced Lattices, and the NTRU Public Key Cryptosystem, NTRU Technical Note 013, March 2, 1999, (www . ntru . com)

Appendix 1. Timing Comparisons

In this section we compare digital signature and verification times for various cryptosystcms. We note that the PΛSS2 times are based on a preliminary non-optimized implementation by Tao Group, Inc. Wc also note that the extremely fast RSA verification times are due to the use of the very small value k = 17 as decryption exponent.

Table 8. Timing Estimates (Milliseconds Per Operation)

The timing elata feir the: RSA, DSA, and ECC signature schemes in Table 8 are taken from the Crypto++ 3.1 Benchmarks page, which may be found at

<http: //www . eskimo . com/"weidai/benchmarks . html> . All were coded in C++ or ported to C++ from C implementations, compiled with Microsoft Visual C++ 6.0 SP2 (optimized for speed, Pentium Pro code generation), and run on

H- 15 a. Celeron 450MHz machine under Windows 2000 beta 3. No assembly language was used. The RSA computations were done using the small verification exponent 17. The DSA and ECC values can be improved somewhat (up to a factor of 2 in some cases) by storing procomputod values. The PΛSS2 times are for the preliminary implementation by Tao Group (run on a 30 i l/, machine and extrapolated to 450MHz). The reason that PΛSS2 1152 is faster t han PΛSS2 928 is because 1152 is more highly divisible by 2 than is 928, which allows greater efficiency in the FFT routines.

Appendix 2. Transcript Experiments

We fixed PΛSS2 parameters

N = 768, d_f = 256, d_g = 128, d_c = 2,

For each experiment we fixed a random polynomial /, and four random indices i,j, k, l. We randomly chose? 100 million 4-tuples of polynomials øι , ø₂, cι , c₂ according to these parameters. For each of these choices we computed

ft = (f + 9i * Cl + 02 * c₂) * ø₂.

We then took the four random indices and computed the product ih_jhkhi of the corresponding four coefficients of ft. We kept a running average of these quadruple products. Results from a typical experiment are given in Table 9. Other experiments gave similar behavior, so we have selected a few pieces of one run to give a feel for the rate of convergcne e. In this t able, the four indices fixed were 55, 105, 537, and 551 and we have recorded the running average, denoted Avg_h, rounded to the nearest integer, for various numbers of trials. As is clear from the table, even after IO⁸ trials, the value of the product has not fully settled eleiwn, so it would be difficult to guess the correct value. Note that even if the: value of each quadruple product is known to within 2 or 3, say, the number of possible: values for all e>f the products hih_jh_khi would be far greater than 2⁷⁶⁸, so it would not be possible to perform an exhaustive search.

π- 16

Table 9. Average Values of Products hih_jh_khi

π-17

Claims

CLAIMS:

1. A method of communicating information between users of a communication system, the method comprising the steps of: transmitting from a first user to a second user a result ø(g) of evaluating an element g in a ring R by a ring homomorphism ø:R->B, wherein the element g satisfies a first set of predetermined conditions; generating an element h in the ring R as a function of an element c in the ring R satisfying a second set of predetermined conditions, a private key element f of the first user in the ring R, wherein the element f satisfies a third set of predetermined conditions; and transmitting the element h from the first user to the second user, such that the second user can authenticate the communication from the first user by verifying that the element h satisfies a fourth set of predetermined conditions and by comparing the result ø(h) of evaluating the element h by the ring homomorphism ø to a function of ø(g), ø(c), and a public key ø(f) of the first user.

2. The method of claim 1 wherein the element c is generated by the second user as a challenge to the first user in response to receipt of the result ø(g).

3. The method of claim 2 wherein the second user authenticates the identity of the first user based on the result of the step of comparing ø(h) to a function of ø(g), ø(c) and ø(f).

4. The method of claim 1 wherein the element c is generated by the first user applying a hash function to the result ø(g) and a message m, and the method further includes the step of transmitting the message m from the first user to the second user.

5. The method of claim 4 wherein the second user authenticates a digital signature of the first user based on the result of the step of applying a hash function to the result ø(g) and the

27 message m to generate an element c, and the method further includes the step of comparing ø(h) to a function of ø(g), ø(c) and ø(f).

6. The method of claim 1 wherein the ring R is a ring of functions.

7. The method of claim 6 wherein the homomorphism ø is the evaluation homomorphism at a set of values a,,a₂,...,a_s.

8. The method of claim 1 wherein the element h generated as a function of the element c, a private key f, and the first element g, is generated as the value of a polynomial P(f,c,g), wherein P(X,Y,Z) is a polynomial with coefficients in R.

9. The method of claim 8 wherein the second user authenticates the communication from the first user by comparing the result ø(h) of evaluating the element h by the ring homomorphism ø to the result of evaluating ø(P)(ø(f),ø(c),ø(g)), wherein ø(P) is the polynomial obtained by evaluating the coefficients of the polynomial P by the ring homomorphism ø.

10. The method of claim 8 wherein the polynomial P(X,Y,Z) is the polynomial ZX+Z²Y.

1 1. The method of claim 8 wherein f is a n_rtuple, c is an n_c-tuple, and g is an n_g-tuple and P is a polynomial in ly n. n_j, variables.

12. The method of claim 11 wherein n_c is equal to n,n_g and the polynomial P is equal to the summation of X, Y_yZ, as i ranges from 1 to n_f and j ranges from 1 to n_g.

13. The method of claim 1 wherein the ring R is the ring F_q[X]/(X^N-l) of polynomials over the field F_q of q elements modulo the ideal generated by the polynomial X^N-1 and wherein N is a divisor of q-1.

28

14. The method of claim 13 wherein the first set of predetermined conditions on the element g are that the coefficients of g are small compared to q.

15. The method of claim 13 wherein the second set of predetermined conditions on the element c are that the coefficients of c are small compared to q.

16. The method of claim 13 wherein the third set of predetermined conditions on the element f are that the coefficients of f are small compared to q.

17. The method of claim 13 wherein the fourth set of predetermined conditions on the element h are that the coefficients of h are small compared to q.

18. A method of communicating information between users of a communication system, the method comprising the steps of: generating an element h in a ring R as a function of an element g in the ring R satisfying a first set of predetermined conditions, an element c in the ring R satisfying a second set of predetermined conditions, and a private key element f of the first user in the ring R satisfying a third set of predetermined conditions; transmitting the element h from the first user to the second user, such that the second user can authenticate the communication from the first user by verifying that the element h satisfies a fourth set of predetermined conditions and by using a ring homomorphism ø:R->B and verifying that the quantity ø(h), the quantity ø(c), and a public key ø(f) of the first user satisfy a fifth set of predetermined conditions.

19. The method of claim 16 wherein h is also a function of an element g, in the ring R, and wherein the element φ(g,) is transmitted from the first user to the second user and wherein the second user also uses φ(g_j) to authenticate the communication.

29

20. The method of claim 18 wherein the element c is generated by the second user as a challenge to the first user.

21. The method of claim 20 wherein the second user authenticates the identity of the first user based on the result of the step of verifying that the element h satisfies the fourth set of predetermined conditions and that the quantities ø(h), ø(c), and ø(f) satisfy the fifth set of predetermined conditions.

22. The method of claim 18 wherein the element c is generated by the first user applying a hash function to the message m, and the method further includes the step of transmitting the message m from the first user to the second user.

23. The method of claim 22 wherein the second user authenticates a digital signature of the first user based on the result of the step of applying a hash function to the message m to generate an element c, and the method further includes the step verifying that the element h satisfies the fourth set of predetermined conditions and that the quantities ø(h), ø(c), and ø(f) satisfy the fifth set of predetermined conditions.

24. The method of claim 18 wherein the ring R is a ring of functions.

25. The method of claim 24 wherein the homomorphism ø is the evaluation homomorphism at a set of values a„a₂,...,a_s.

26. The method of claim 18 wherein the element h generated as a function of the element c, a private key f, and the first element g, is generated as the value of a polynomial P(f,c,g), wherein P(X,Y,Z) is a polynomial with coefficients in R.

30

27. The method of claim 26 wherein the fifth set of predetermined conditions by which the second user authenticates the communication from the first user are that the equation ø(P)(ø(f),ø(c),Z)=0 has a solution Z in the ring R, wherein ø(P) is the polynomial obtained by evaluating the coefficients of the polynomial P by the ring homomorphism ø.

28. The method of claim 26 wherein the polynomial P(X,Y,Z) is the polynomial ZX+Z²Y.

29. The method of claim 26 wherein f is a n_rtuple, c is an n_c-tuple, and g is an n_g-tuple and P is a polynomial in n_f+n_c+n_g variables.

30. The method of claim 29 wherein the polynomial P is equal to XZ₂+Y|Z,Z₂+ Y₂Z 2 ^•

31. The method of claim 30 wherein the fifth set of predetermined conditions is that (φ(f)+φ(c,)φ(g,))²+4φ(c₂)φ(h) is the square of an element of the ring B.

32. The method of claim 28 wherein the fifth set of predetermined conditions by which the second user authenticates the communication from the first user are that the quantity ø(f)²+4ø(c)ø(h) is the square of an element of the ring B.

33. The method of claim 18 wherein the ring R is the ring F_q[X]/(X^N-l) of polynomials over the field F_q of q elements modulo the ideal generated by the polynomial X^N-1 and wherein N is a divisor of q-1.

34. The method of claim 33 wherein the first set of predetermined conditions on the element g are that the coefficients of g are small compared to q.

31

35. The method of claim 33 wherein the second set of predetermined conditions on the element c are that the coefficients of c are small compared to q.

36. The method of claim 33 wherein the third set of predetermined conditions on the element f are that the coefficients of f are small compared to q.

37. The method of claim 33 wherein the fourth set of predetermined conditions on the element h are that the coefficients of h are small compared to q.

38. A method for authenticating, by a second user, the identity of a first user, that includes a challenge communication from the second user to the first user, a response

communication from the first user to the second user, and a verification by the second user,

comprising the steps of:

selection by the first user of a private key f in a ring R and a public key that includes φ(f) in a ring B that is mapped from fusing the ring homomoφhism φ : R — >B , and publication by the first user of the public key; generation of the challenge communication by the second user that includes selection of a challenge c in the ring R; generation of the response communication by the first user that includes computation of a response comprising h in the ring R, where h is a function of c and f; and performing of a verification by the second user that includes determination of φ(c) from c, φ(h) from h, and an evaluation that depends on φ(h), φ(c) and φ(f).

39. The method as defined by claim 38, wherein said generation of the response communication by the first user includes selection by the first user of an element g in the ring R, and wherein h is also a function of g.

32

40. The method as defined by claim 39, wherein φ(g) is also communicated to the second user, and wherein said performing of a verification includes an evaluation that also depends on

Φ(g)-

41. The method as defined by claim 39, wherein said authentication includes an initial commitment communication from said first user to said second user, and wherein said commitment communication includes φ(g).

42. The method as defined by claim 39, wherein said first user further selects an element g, in the ring R and determines φ(g therefrom, and further comprising communicating φ(g,) to the second user.

43. The method as defined by claim 42, wherein said authentication includes an initial commitment communication from said first user to said second user, and wherein said commitment communication includes φ(g,).

44. The method as defined by claim 39, wherein f, c, and g are elements in respective subsets of the ring R.

45. The method as defined by claim 42, wherein f, c, g, and g, are elements in respective subsets of the ring R.

46. The method as defined by claim 39, wherein f, c, g, and h are polynomials, and wherein φ(f), φ(c), φ(g) and φ(h) each represent one or more values of the respective polynomials from which they are mapped.

33

47. The method as defined by claim 43, wherein f, c, g, g, and h are polynomials, and wherein φ(f), φ(c), φ(g), φ(gι) and φ(h) each represent one or more values of the respective polynomials from which they are mapped.

48. The method as defined by claim 39, wherein said step of generation of the response includes computation of h in the form h = (f+cg)g.

49. The method as defined by claim 39, wherein at least one of the elements f, c, and g is an n-tuple with n greater than 1, and φ evaluated at an n-tuple of elements (r,, r₂, r_n) of R is equal to the n-tuple of respective values (φ(r,),φ(r₂) φ(r_n)) of φ.

50. The method as defined by claim 40, wherein at least one of the elements f, c, and g is an n-tuple with n greater than 1 , and φ evaluated at an n-tuple of elements (r , , r₂, r_n) of R is equal to the n-tuple of respective values (φ(r,),φ(r₂) φ(r_n)) of φ.

51. The method as defined by claim 41 , wherein at least one of the elements f, c, and g is an n-tuple with n greater than 1, and φ evaluated at an n-tuple of elements (r„ r₂, r_n) of R is equal to the n-tuple of respective values (φ(r,),φ(r₂) φ(r_n)) of φ.

52. The method as defined by claim 42, wherein at least one of the elements f, c, and g is an n-tuple with n greater than 1, and φ evaluated at an n-tuple of elements (r,, r₂, r_n) of R is equal to the n-tuple of respective values (φ(r,),φ(r₂) φ(r_n)) of φ.

53. The method as defined by claim 43, wherein at least one of the elements f, c, and g is an n-tuple with n greater than 1, and φ evaluated at an n-tuple of elements (r,, r₂, r_n) of R is equal to the n-tuple of respective values (φ(r,),φ(r₂) φ(r_n)) of φ.

34

54. The method as defined by claim 52, wherein element c includes the pair c,, c₂ and elements g,, g correspond respectively to the pair g,, g₂, and wherein h is of the form h = (f+c,g,+c₂g₂) g₂.

55. The method as defined by claim 53, wherein element c includes the pair c,, c₂ and elements g,, g correspond respectively to the pair g„ g₂, and wherein h is of the form h = (f+c,g,+c₂g₂) g₂.

56. The method as defined by claim 50, wherein element f includes the pair f,, f₂, element g includes the pair g„ g₂, and element c includes the 4-tuple c_n, c₁₂, c₁₂, c₂₎, c₂₂, and wherein h is of the form h = fιgιC,,+f_Ig,c₁₂+f₂g₁c₂₁+f₂g₂c₂₂.

57. The method as defined by claim 51, wherein element f includes the pair f,, f₂, element g includes the pair g,, g₂, and element c includes the 4-tuple c,,, c₁₂, c₁₂, c_2I, c₂₂, and wherein h is of the form h = f₁g|C,,+fιg_Ic₁₂+f₂g₁c₂₁+f₂g₂c₂₂.

58. The method as defined by claim 42, wherein said verification includes a determination of whether certain values of functions of φ(f), φ(c), φ(g,), φ(h) are squares modulo q, where q is a certain integer modulus used in key creation by the first user.

59. The method as defined by claim 43, wherein said verification includes a determination of whether certain values of functions of φ(f), φ(c), φ(g,), φ(h) are squares modulo q, where q is a certain integer modulus used in key creation by the first user.

35

60. The method as defined by claim 53, wherein said verification includes a determination of whether certain values of functions of φ(f), φ(c), φ(g,), φ(h) are squares modulo q, where q is a certain integer modulus used in key creation by the first user.

61. The method as defined by claim 55, wherein said verification includes a determination of whether certain values of functions of φ(f), φ(c), φ(g,), φ(h) are squares modulo q, where q is a certain integer modulus used in key creation by the first user.

62. An authentication method that includes authenticating, by a second user, of a signed digital message of a first user communicated from said first user to said second user, comprising the steps of: selecting by the first user, of a private key f in a ring R and a public key that includes φ(f) in a ring B that is mapped from fusing the ring homomoφhism φ : R — >B , and publication by the first user of the public key; selecting, by the first user, of an element g, in the ring R, determining φ(g,), and applying a hash function to at least a message m to produce an element c; generating, by the first user, an element h which is a function of c and f; communicating, from the first user to the second user, the message m and a digital signature comprising φ(g,) and h; determining, by the second user, of the element c, by applying a hash function to at least the message m, and determining, by the second user of φ(c) from c and φ(h) from h ; and authenticating, by the second user, of the digital signature, said authenticating including an evaluation that depends on φ(h), φ(f) and φ(c).

63. The method as defined by claim 62, wherein said steps, by the first user and the second user, of applying a hash function to at least the message m, comprise applying a hash function to the message m.

36

64. The method as defined by claim 62, wherein said steps, by the first user and the second user, of applying a hash function to at least the message m, comprise applying a hash function to a combination of the message m and φ(g,)-

65. The method as defined by claim 62, wherein f, c, and g, are elements in respective subsets of the ring R.

66. The method as defined by claim 62, wherein f, c, g,, and h are polynomials, and wherein φ(f), φ(c), φ(g,) and φ(h) each represent one or more values of the respective polynomials from which they are mapped.

67. The method as defined by claim 54, wherein f, c, g,, and h are polynomials, and wherein φ(f), φ(c), φ(g,) and φ(h) each represent one or more values of the respective polynomials from which they are mapped.

68. The method as defined by claim 62, wherein h is of the form h = (f+cg,)g,.

69. The method as defined by claim 66, wherein at least one of the elements f, c, and g, is an n-tuple with n greater than 1.

70. The method as defined by claim 67, wherein at least one of the elements f, c, and g, is an n-tuple with n greater than 1.

71. The method as defined by claim 70, wherein element c includes the pair c,, c₂ and element g, is part of the pair g„ g₂, and wherein h is of the form h = (f+c,g,+c₂g₂) g₂.

37

72. The method as defined by claim 69, wherein element f includes the pair f,, f₂, element g, is part of the pair g„ g₂, and element c includes the 4-tuple c_π, c_I2, c₁₂, c₂₁, c₂₂, and wherein h is of the form h = ^fl l^Cπ⁺fl !^Cl2⁺f2gl^C ₂l+f2g2C22-

73. The method as defined by claim 58, wherein said verification includes a determination of whether certain values of functions of φ(f), φ(c), φ(g,), φ(h) are squares modulo q, where q is a certain integer modulus used in key creation by the first user.

74. A method for use by a first user to prove its identity to a second user who sends a challenge to the first user and wishes to authenticate the identity of the first user, comprising the steps of: selecting a private key f in a ring R and a public key that includes φ(f) in a ring B that is mapped from fusing the ring homomoφhism φ : R →B , and publication by the first user of the public key; receiving the challenge communication from the second user that includes selection of a challenge element c in the ring R ; and generation of the response communication that includes computation of a response comprising h in the ring R, where h is a function of c and f; whereby the second user can perform a verification that includes determination of φ(c) from c, φ(h) from h, and an evaluation that depends on φ(h), φ(c) and φ(f).

75. A method for producing and sending a signed digital message comprising the steps of: selecting a private key f in a ring R and a public key that includes φ(f) in a ring B that is mapped from fusing the ring homomoφhism φ : R →B , and publication by the first user of the public key;

38 selecting an element g, in the ring R, determining φ(g,), and applying a hash function to at least a message m to produce an element c; generating an element h which is a function of c and f; and communicating the message m and a digital signature comprising φ(g,) and h.

39