Home  |  Contact  |  Resource Center  |  Search  
Ntru
ServicesProductsMarketsCryptoLabAbout Us

Overview

Crypto Corner

NTRU Algorithms

Scrutiny

Peer Review

Tutorials

Articles

Technical Notes

FAQs

R&D Team

Standards

Archive Center

CryptoLab
Tutorials

PASS - The Polynomial Authentication and Signature Scheme

This tutorial describes PASS, the Polynomial Authentication and Signature Scheme.

  1. PASS Parameters
  2. Key Creation
  3. The PASS Authentication Sequence
  4. Why It Works
  5. An Example Using Small Numbers
  6. Using PASS as a Digital Signature
  7. Further Reading

1. PASS Parameters

The basic collection of objects used by PASS (Polynomial Authentication and Signature Scheme) is the ring R that consists of all truncated polynomials of degree N-1 having coefficients modulo q:

a = a0 + a1X + a2X2 + a3X3 + . . . + aN-2XN-2 + aN-1XN-1 (modulo q).

Polynomials are added in the usual way. They are also multiplied more-or-less as usual, except that XN is replaced by 1, XN+1 is replaced by X, XN+2 is replaced by X2, and so on. For more details about the ring R, see the Section 2 of the Algebra Tutorial.

In addition to the numbers N and q, PASS requires that the user specify a number of other parameters. Here is the complete list of PASS parameters:

N the polynomials in the truncated polynomial ring have degree N-1
q the polynomials have coefficients modulo q
(the number q must be prime, and the number N must equal N=q-1)
df the private key f=(f1,f2) consists of two polynomials, each of which has df coefficients equal to each of 1 and -1
dg the commitment g=(g1,g2) consists of two polynomials, each of which has dg coefficients equal to each of 1 and -1
dc the challenge c=(c1,c2,c3,c4) consists of four polynomials, each of which has dc coefficients equal to each of 1 and -1
S a set of values {a1,a2,...,aN/2} modulo q, so that if a is in S, then a-1 (mod q) is also in S.
Bh a bound for the norm of the polynomial h

The following table gives a set of high security PASS parameters.

  N q df dg dc Bh
High Security 768 769 256 256 1 2.2

These values are provided to give you some idea of the quantities used in commercial applications. For the examples in this tutorial we will use much smaller parameter values:

  N q df dg dc Bh
Small Illustration Parameters 16 17 5 5 1 2.2

Also for our examples, we will use the set

S = {3, 5, 6, 7, 8, 10, 12, 15}

Keep in mind that these small parameters are for illustrative purposes only and are much too small to provide security.

back to top

2. Key Creation

Pearl, the "Prover", randomly selects two polynomials f1,f2 in the ring of truncated polynomials R according to the following rule:

  • f1 and f2 have df of their coefficients equal to 1, f1 and f2 have df of their coefficients equal to -1, and f1 and f2 have all of the rest of their coefficients equal to 0.

There are obviously many different possible choices. Pearl must keep the value of the polynomials f1 and f2 secret, since anyone who knows their values will be able to pretend that she is Pearl.

Pearl's next step is to evaluate the polynomials f1 and f2 at each of the elements of the set S. We will write f(S) for this set, that is,

f(S) = (f1(S),f2(S)) = {f1(a1), f1(a2), ..., f1(aN/2),f2(a1), f2(a2), ..., f2(aN/2)} (modulo q).

The set of values f(S) is Pearl's public authentication key, and the small polynomials f1 and f2 are her private key.

back to top

3. The PASS Authentication Sequence

Suppose that Pearl wants to use PASS to prove her identity to Vinnie, the "Verifier". A PASS Authentication Sequence consists of four steps: Commitment, Challenge, Response, and Verification. Here is how they work.

Commitment
Pearl randomly selects two polynomial g1 and g2 having dg of their coefficients equal to each of 1 and -1, and all of their other coefficients equal to 0. She also computes the values of g1 and g2 at each of the elements of the set S,

g(S) = (g1(S),g2(S)) = {g1(a1), g1(a2), ..., g1(aN/2),g2(a1), g2(a2), ..., g2(aN/2)} (modulo q).

Pearl keeps the polynomials g1 and g2 secret, and she sends the set of values g(S) to Vinnie. The set g(S) is Pearl's commitment.

Challenge
Vinnie randomly selects four polynomials c11,c12,c21,c22 having dc of their coefficients equal to each of 1 and -1, and all of its other coefficients equal to 0. Vinnie sends the four polynomials c11,c12,c21,c22 to Pearl. These four polynomials are Vinnie's challenge. (See below for a note about the challenge.)

Response
Pearl computes and sends to Vinnie the polynomial

h = c11*f1*g1 + c12*f1*g2 + c21*f2*g1 + c22*f2*g2 (modulo q).

The polynomial h is Pearl's response.

Verification
Vinnie checks that Pearl's response satisfies the following two conditions:
(A) Vinnie writes h as h=h0+h1X+h2X2+...+hN-1XN-1 with each hi between -q/2 and q/2, and then he checks that (recall that Bh is a preset parameter):

h02 + h12 + h22 + ... + hN-12 < (Bh*q)2.

(B) For every number a in the set S, Vinnie checks that

h(a) = c11(a)*f1(a)*g1(a) + c12(a)*f1(a)*g2(a) + c21(a)*f2(a)*g1(a) + c22(a)*f2(a)*g2(a) (modulo q).

Note that Vinnie can check condition (B) because he knows the sets of values f(S) and g(S), and of course he knows the c polynomials, although he does not know the actual f and g polynomials.

If Pearl's response h passes tests (A) and (B), then Vinnie accepts that Pearl has proven her identity.

NOTE: In order to prevent Vinnie from gaining information about Pearl's key, it is better to create the challenge as follows: Vinnie chooses a random bit string b of a specified length, for example 80 bits. Vinnie sends b to Pearl. Then Vinnie and Pearl feed the bit string b into a hash function to create the four polynomials c11,c12,c21,c22. This prevents Vinnie from chooses challenge polynomials with some special property, since he can have no way of predicting the output of the hash function. Note the similarity to the way in which an authentication scheme such as PASS is turned into a digital signature scheme. To do this, one feeds a message m (and a commitment) into a hash function to produce a challenge, which is then used to create the response.

back to top

4. Why It Works

Pearl's response h will pass test (A) because the polynomials f, g, and c all have very small coefficients. Thus the polynomial h = c11*f1*g1+c12*f1*g2+c21*f2*g1+c22*f2*g2 will also have small coefficients, so with an appropriate choice of parameters (such as the norm bound Bh), h will almost certainly pass test (A). On the other hand, since h is actually equal to c11*f1*g1+c12*f1*g2+c21*f2*g1+c22*f2*g2 , the equality

h(a) = c11(a)*f1(a)*g1(a) + c12(a)*f1(a)*g2(a) + c21(a)*f2(a)*g1(a) + c22(a)*f2(a)*g2(a) (modulo q).

will be true for all values of a modulo q. In particular, it will be true for all a's in S, so Pearl's response will also pass test (B).

back to top

5. An Example Using Small Numbers

We suppose that Pearl and Vinnie (or a standards setting committee) have selected the following PASS parameters:

q=17, N=16, df=5, dg=5, dc=1.

We further suppose that they have chosen the following set of 8 values modulo 17:

S = {3,5,6,7,8,10,12,15}.

Note that every element of S has a multiplicative inverse in S, since

3*6 = 5*7 = 8*15 = 10*12 = 1 (modulo 17).

Although PASS will work even if S does not have this property, the security of the system may be compromised. We also reiterate that the numbers being used in this example do not lead to a secure system. See Section 1 for a list of secure parameter sets.

Key Creation
Pearl creates her key by randomly choosing two polynomial f1 and f2 having 5 coefficients equal to each of 1 and -1, and the other coefficients equal to 0. Say Pearl chooses the polynomials

f1 = 1-X+X2-X3+X6-X7+X8-X12+X14-X15
f2 = -X2-X5-X6-X7+X9+X10+X11+X13+X14-X15

She computes the value of f1 and f2 at each of the elements of S,

f1(S) = {f1(3),f1(5),f1(6),f1(7),f1(8),f1(10),f1(12),f1(15)} = {9,10,5,9,1,12,15,10} (modulo 17),

f2(S) = {f2(3),f2(5),f2(6),f2(7),f2(8),f2(10),f2(12),f2(15)} = {14,9,16,5,14,1,2,8} (modulo 17).

The set f(S)=(f1(S),f2(S)) is Pearl's public authentication key.

Commitment
Now suppose that Pearl wants to prove her identity to Vinnie. She randomly selects two polynomials g1 and g2 having 5 coefficients equal to each of 1 and -1, and the other coefficients equal to 0. Say Pearl chooses the polynomials

g1 = X2+X3-X4+X5-X7+X8-X9-X10-X12+X13
g2 = X+X4+X5-X6+X7-X8-X9-X11-X13+X15

She keeps g1 and g2 itself secret, but she evaluates g1 and g2 at the elements of S and sends these values to Vinnie:

g1(S) = {g1(3),g1(5),g1(6),g1(7),g1(8),g1(10),g1(12),g1(15)} = {2,16,7,10,0,14,14,10} (modulo 17),

g2(S) = {g2(3),g2(5),g2(6),g2(7),g2(8),g2(10),g2(12),g2(15)} = {8,5,1,1,5,8,2,9} (modulo 17).

Challenge
Vinnie then challenges Pearl by sending her four challenge polynomials c11, c12, c21, c22 randomly selected with 1 coefficient equal to each of 1 and -1, and the other coefficients equal to 0, say

c11=1-X13, c12=-X2+X4, c21=-X2+X15, c22=-X7+X13.

Response
Pearl uses Vinnie's challenge polynomials cij and the polynomials fi and gj that she alone knows to compute the quantity

h = c11*f1*g1 + c12*f1*g2 + c21*f2*g1 + c22*f2*g2
= -2-4X-10X2-9X3-15X4-X5 -2X6-5X7+X8+X9 +9X10+15X11+2X12+16X13 +X14+3X15 (modulo 17).

Note that in computing this quantity, Pearl always sets X16=1, X17=X, and so on.

Verification
Vinnie sums the squares of the coefficients of h and finds that

h02 + h12 + h22 + ... + hN-12 =1034.

Since this is less than (Bh*q)2=1398.6, Pearl's response passes test (A). Next Vinnie computes the values

h(a) (modulo q)

and

c11(a)*f1(a)*g1(a) + c12(a)*f1(a)*g2(a) + c21(a)*f2(a)*g1(a)+ c22(a)*f2(a)*g2(a) (modulo q)

for each number a in S and checks if they are equal. For example, taking a=7 gives

h(7) = 9 (modulo 17)

and

c11(7)*f1(7)*g1(7) + c12(7)*f1(7)*g2(7) + c21(7)*f2(7)*g1(7)+ c22(7)*f2(7)*g2(7) = 9 (modulo 17).

Note that in computing this last quantity, it was not necessary to know the fi and gj as polynomials; it was only necessary to know their values at a=7.A similar computation for the other a's in S reveals that Pearl's response passes test (B), so Vinnie accepts that Pearl has proven her identity.

back to top

6. Using PASS as a Digital Signature

Any authentication scheme of the commitment, challenge, response type can be transformed, with the addition of a hash function, into a digital signature scheme. A hash function H is a function that takes as input a bit string B of arbitrary length and gives as output a bit string H(B) of some specified length (e.g., 80 bits) in such a way that it is very difficult to predict ahead of time what the output string will be. Another way to say this is that although it is very easy to compute H(B), it is very difficult to find a B such that H(B) has a specified value.

In order to use PASS to create a digital signature, we assume that a hash function H has been specified that takes an arbitrary bit string as input and produces as output an 80 bit string. We also use a formatting function F that takes an 80 bit string and turns it into a valid set of challenge polynomials c=(c11, c12, c21, c22). Further, if B and C are bit strings, we write B | C to denote the concatenation of B and C.

Now suppose that Pearl wants to sign a message M using her authentication key f=(f1,f2).

  • Pearl picks commitment polynomials g=(g1,g2) at random and computes her commitment g(S).
  • Pearl constructs the four challenge polynomials c=(c11, c12, c21, c22) by computing c = F(H(g(S) | M)). In other words, Pearl simulates a challenge by hashing together the commitment and the message and using the result to create a challenge polynomial.
  • Pearl computes the response h to the commitment g and the challenge c, using her private key f, in the usual way: h = c11*f1*g1+c12*f1*g2+c21*f2*g1+c22*f2*g2 .
  • Pearl's signed message is then the message M followed by the signature (g(S),h).
  • To verify that Pearl signed the message m, Vinnie computes c from g(S) and M by using the publicly available hash function H and formatting function F. He then uses Pearl's public key f(S) to verify that the response h was generated by Pearl, i.e., by someone with knowledge of the private key f. This verifies Pearl's signature on the message M.

back to top

7. Further Reading

A complete description of the PASS authentication scheme with full technical details is given in the paper

Polynomial Rings and Efficient Public Key Authentication, Jeffrey Hoffstein, Daniel Lieman, Joseph H. Silverman, in Proceeding of the International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99), M. Blum and C.H. Lee, eds., City University of Hong Kong Press, to appear.

This paper may be downloaded in a variety of formats from the NTRU Technical Center.

The following are some additional sources to learn about algebra, number theory, algorithms, and cryptography.

  • A Course in Computational Algebraic Number Theory, H. Cohen, GTM 138, Springer-Verlag, Berlin, 1993.
  • A Friendly Introduction to Number Theory, J.H. Silverman, Prentice-Hall, New Jersey, 1997.
  • Cryptography: Theory and Practice, D. Stinson, CRC Press, Boca Raton, 1995.
  • Handbook of Cryptography, S. Vanstone, P. Van Oorschot, A. Menezes, CRC Press, Boca Raton, 1996.

 

Email Us
Copyright © NTRU Cryptosystems, Inc. 1998-2008 35 Nagog Park, Acton, MA 01720, USA Tel. 978-844-5200 Created by PixelMEDIA