NSS Cryptanalysis II: The Return of The Keys. Michael Szydlo, RSA Laboratories. Joint work with Jakob Jonsson (RSA), Jacques Stern (ENS), Craig Gentry (DoCoMo)


1 NSS Cryptanalysis II: The Return of The Keys. Michael Szydlo, RSA Laboratories. Joint work with Jakob Jonsson (RSA), Jacques Stern (ENS), Craig Gentry (DoCoMo)

2 NSS Scheme (HPS 2000) Ring: (Use N=251, q=128). |f|=140, |g|=80, |m|=64. Study Scheme in EUROCRYPT 2001. Private f, g. Public: For message m, choose masks: Sign with: Verify: s-m and t-m’ small (mod 3).

3 Efficient Forgery for m. RSA Labs attacks the NTRU signature scheme using linear algebra and statistical analysis. Fix ~N/2 coefficients s_k and ~N/2 coefficients t_r so that s_k mod 3 = m_k and t_r mod 3 = m’_r. Solve the N x N matrix equation t = hs mod q. s-m and t-m’ mod 3 = 0 often => Valid Sign! (Diagram: Message + Public Key, Linear Algebra, O(N^3) later… Valid!)

4 Transcript Exposes Keys Measure s given m reveals f. Look at the distribution of To get info about By Affecting Term How? Set: Recall the convolution formula: Unique m+w Distrib. Multiplied by !

5 Comparing Distributions Avg. s same. Same Distrib. NO A high s freq (2,4,7) in our sample suggests f = -3. Pre-computed S Frequency Distribution, for f=-3,0,3. Which does our sample distribution resemble? (Without Fix#1 ~200 signs give key) (Not to scale)

6 Convergence Rates Compare sample to 3 background (e.g. L2 norm). For a key bit, use all 32 s coefs with m=1. 100,000 Signatures to recover key. Number of mistakes in [1-4]. Direct Search! Conjecture: 50,000 with Hybrid Attack. –Same Technique for g. –Take The Confident Half Indices, g=fh.

7 ‘Fast Keys’ Used in Practice. Product of Very Small Polynomials (8-14 1’s) Some 6 and –6 Coefficients in Appear in f & g. Convergence Faster! Need Only 30,000 Signatures. Conjecture: Maybe 20,000 with f,g hybrid!

8 The State of NSS NSS00 Published + prelim. Standard Is Broken. Forging Easy & Private Key Pops Out. Fundamental Problem: NSS Related to, not Based on, Lattice Problem. New Version: ‘NSS3’, May 9, 2001. New Private Key u. (Thwart Transcript Attack) Different Sign Proc: Uses u^-1 mod 3, s=f(new mes). New Verify Procedure: (|43(s-m)|, |43(t-m)| must be small) Thwarts fast Matrix Attack. (NSS3 is open Research)

9 Do More Research Are New Statistical/Forgery Attempts Possible? Time will Tell.

10 New Scheme Summary New Secret small key: u. f=u+pf1, g=u+pf2. As before w1 and w2 are small masking polys. Let v=u^-1 mod 3, so uv=1+3d, for a small d. Sign m, define w0=v(m+w1). Let s=f(w0+pw2) mod q, t=hs mod q. Verify: Check 43(s-m), 43(t-m) have small norm. –Some secondary checks on mod 3 distribution

11 New Statistical Attacks
We are given many s=f(w0+pw2) mod q, t=hs.
s-m = (u+pf1)(v(m+w1)+pw2) - m
    = uvm - m + uvw1 + upw2 + pf1vm + pf1vw1 + p^2f1w2 (mod q)
43(s-m) = 43(uv-1)m + 43w1 + dw1 + f1v(m+w1) + w2(u+pf1)
        = (d+f1v)(m+w1) + 43w1 + w2(u+pf1)
        = useful + random
Notice Distrib of 43(s-m) heavily depends on f (when m=1). Get d+f1v! Quickly (500 sigs?) Gives => fv. Similarly get gv. Same Idea in previous scheme might crack faster?? (5,000 sigs) What to do with fv and gv?
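
The algebra on slide 11 can be checked numerically. The Python below is an added example, not part of the original slides: it uses a toy ring size N=7 and constructed small polynomials (both assumptions), keeps p=3 and q=128 from the slides, and finds v=u^-1 mod 3 by brute force. It confirms that 43(s-m) equals (d+f1v)(m+w1)+43w1+w2(u+pf1) mod q, and that d+f1v determines fv through fv=1+3(d+f1v).

```python
import itertools

N, P, Q = 7, 3, 128        # toy ring size N is an assumption; p=3, q=128 as on the slides
INV3 = 43                  # 43 * 3 = 129 = 1 (mod 128), hence the factor 43
ONE = [1] + [0] * (N - 1)

def conv(a, b):
    """Product in Z[x]/(x^N - 1) (cyclic convolution), no coefficient reduction."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] += ai * bj
    return c

def add(*polys):
    return [sum(col) for col in zip(*polys)]

def scale(k, a):
    return [k * x for x in a]

def modq(a):
    return [x % Q for x in a]

def inverse_mod3(u):
    """Brute-force the v with coefficients in {-1,0,1} such that u*v = 1 (mod 3)."""
    for v in itertools.product((-1, 0, 1), repeat=N):
        if [x % 3 for x in conv(u, v)] == ONE:
            return list(v)
    raise ValueError("u is not invertible mod 3")

def check_slide11(u, f1, m, w1, w2):
    v = inverse_mod3(u)
    d = [x // 3 for x in add(conv(u, v), scale(-1, ONE))]   # uv = 1 + 3d, exact
    f = add(u, scale(P, f1))                                # f = u + p*f1
    w0 = conv(v, add(m, w1))                                # w0 = v(m + w1)
    s = modq(conv(f, add(w0, scale(P, w2))))                # s = f(w0 + p*w2) mod q
    lhs = modq(scale(INV3, add(s, scale(-1, m))))           # 43(s - m) mod q
    leak = add(d, conv(f1, v))                              # d + f1*v
    rhs = modq(add(conv(leak, add(m, w1)), scale(INV3, w1), conv(w2, f)))
    fv_ok = conv(f, v) == add(ONE, scale(3, leak))          # fv = 1 + 3(d + f1*v)
    return lhs == rhs, fv_ok

# Constructed small polynomials (illustrative values, not real NSS parameters).
U  = [1, 1, 0, -1, 0, 0, 0]
F1 = [0, 1, 0, 0, -1, 0, 1]
M  = [1, 0, -1, 1, 0, 0, 1]
W1 = [0, 1, 0, 0, 0, -1, 0]
W2 = [1, 0, 0, -1, 0, 1, 0]

if __name__ == "__main__":
    print(check_slide11(U, F1, M, W1, W2))
```
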

12 Using the Extracted Info Potential Lattice Attack: Dim N lattice. Lattice: A(fv)=B(gv) for all polys A,B (No wraps!). Has short Vector (g,f). So Try LLL variant. Is N=251 too big? Open Question for this Special Lattice. Direct Forgery for m, given extracted vf. –Try s=fv(m+w1)+43w1+3fv x^a, for some w1 & a in Z. –Set t=hs. (we try to replace the 3fw2 term by fvx^a). –We Likely pass the main norm & Deviation Tests. (Other tests?). Disclaimer: ALL of the Above Attacks On May 8 NSS are Preliminary.

