# Variation in Breaking Times for NTRU and Other Cryptosystems

William Whyte, Joseph H. Silverman, NTRU Cryptosystems, Inc., March 2004. Slide deck marked "Proprietary and Confidential", copyright © 2004 NTRU Cryptosystems, Inc.

## Slide 2: What started all this?

- The following slide, presented at the August P1363 meeting…

## Slide 3: Lattice Strength

- The lower a and c, the faster reduction algorithms run.
- Run experiments at a and c much lower than those obtained for our parameter sets:
  - a = 0.535, c = 1.73;
  - breaking time goes as $10^{0.1095N - 12.6}$ MIPS-years.
- N = 251 ==> $1.37 \times 10^{13}$ MIPS-years, taking "zero-forcing" into account.
  - 80-bit security: ~$10^{12}$ MIPS-years
- Trend is concave upwards, and the actual NTRU lattice is stronger than this: the estimate is quite conservative.
- Paper available on the X9 website

## Slide 4: A question about the graphs

- The points come from ten runs at each N value
- But if log is $\log_{10}$, then there are cases where the weakest key is 100 times weaker than the average
- Can we really claim k-bit security in this case?

## Slide 5: The answer!

- In the graphs shown, log is ln, not $\log_{10}$.
- Weakest keys break 7 times faster than average, not 100
- Not clearly mad, but is it reasonable?

## Slide 6: What variation is reasonable for running times?

- Consider the following strategy for an attack on any cryptosystem where we know the average running time is T:
  - Set a cutoff time of C for some C

## Slide 7: Notation and Overview

- Denote by $E(M_K)$ the expected minimum breaking time on K keys.
- Typically, we can approximate $E(M_K)$ as $K^{-s(A)}$
- $s(A)$ is the stability exponent for the algorithm
- Running time of the 'cutoff algorithm' is $CK \sim K \cdot E(M_K) \sim K \cdot K^{-s(A)} \sim K^{1-s(A)}$
- So if $s(A) > 1$, the cutoff algorithm helps; otherwise, it doesn't
- Formal definition of s:

## Slide 8: Stability Exponent for Symmetric Systems

- If we have N possible keys
  - the chance that we find the key after exactly t attempts is 1/N
  - the chance that we find the key in t or fewer attempts is t/N
- We show that $E(M_K) \sim 2/K$
  - So $\lim \log(E(M_K))/\log(K) = 1$, giving stability exponent s = 1
  - Cutoff algorithm neither helps nor hinders

## Slide 9: Stability Exponent for Collision Algorithms

- Collision algorithms: algorithms like Pollard-rho
- Normalized running time is given by
- $E(M_K)$ is given by
- And stability exponent = ½
  - Cutoff strategy doesn't help

## Slide 10: Stability Exponent for Lattice Reduction

- Here, we have to obtain $E(M_K)$ experimentally
  - 100 runs at different lattice dimensions

## Slide 11: Stability Exponent for Lattice Reduction (2)

- Approximate stability exponent with
- For c = 1.73, a = 0.53, we find:

| Dim | K | Mean | Min | S |
|-----|-----|--------|------|-------|
| 180 | 100 | 449 | 205 | 0.17 |
| 200 | 100 | 1012.5 | 298 | 0.266 |
| 220 | 100 | 2302.5 | 584 | 0.298 |
| 250 | 100 | 8994 | 2059 | 0.32 |
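As an added worked example (not part of the slide deck), the following Python reproduces the S column of the slide 11 table from its Mean and Min columns, evaluates the slide 7 cutoff cost $K^{1-s}$, and checks the slide 8 brute-force case by simulation. It assumes, since the slide's own formula is not in the transcript, that the normalized expected minimum $E(M_K)$ is estimated as Min/Mean, so $s \approx -\log(\mathrm{Min}/\mathrm{Mean})/\log K$; that assumption reproduces all four tabulated values.

```python
import math
import random

# Constructed from the slide 11 table (c = 1.73, a = 0.53, K = 100 runs per dimension):
# (lattice dimension, K, mean breaking time, minimum breaking time)
SLIDE_11_RUNS = [
    (180, 100, 449.0, 205.0),
    (200, 100, 1012.5, 298.0),
    (220, 100, 2302.5, 584.0),
    (250, 100, 8994.0, 2059.0),
]

def stability_exponent(mean, minimum, k):
    """Estimate s from E(M_K) ~ K^(-s).

    Assumption (the slide's formula is not in the transcript): the normalized
    expected minimum E(M_K) is taken as min/mean, so s = -log(min/mean)/log(K).
    """
    return -math.log(minimum / mean) / math.log(k)

def cutoff_cost_factor(s, k):
    """Slide 7: cost of the cutoff strategy over K keys relative to one average
    break, C*K ~ K * E(M_K) ~ K^(1 - s).  Below 1 the strategy helps; above 1
    it costs more than simply attacking a single key."""
    return k ** (1.0 - s)

def simulated_symmetric_exponent(k, trials, seed=1):
    """Slide 8 by Monte Carlo: brute-force key search with normalized time
    uniform on (0, 1], mean 1/2.  The expected minimum over K keys is 1/(K+1),
    i.e. 2/(K+1) ~ 2/K of the mean, so the estimate tends to s = 1 as K grows
    (for K = 100 it is about 0.85, since 2/(K+1) is not exactly K^-1)."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        total += min(rng.random() for _ in range(k))
    normalized_min = (total / trials) / 0.5
    return -math.log(normalized_min) / math.log(k)

def slide_11_exponents():
    """Return (dimension, s) pairs that should match the table's S column."""
    return [(dim, round(stability_exponent(mean, mn, k), 3))
            for dim, k, mean, mn in SLIDE_11_RUNS]

if __name__ == "__main__":
    for dim, s in slide_11_exponents():
        print(f"dim {dim}: s = {s:.3f}, cutoff cost x{cutoff_cost_factor(s, 100):.1f}")
    print("symmetric search, K=100:", round(simulated_symmetric_exponent(100, 2000), 3))
```

For the dimension-250 value s = 0.32, the cutoff strategy over 100 keys costs about 23 times one average break, which is the slide 12 point that the exponent would have to rise a great deal before the strategy paid off.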

## Slide 12: Stability Exponent for Lattice Reduction: Conclusions

- At measurable dimensions, the stability exponent is very low
  - lower than for other cryptosystems
- It seems to be increasing as dimension increases
  - however, it would have to increase considerably for the cutoff strategy to be of any use
- Conclusion: standard measures of security, based on average running times, are appropriate measures for NTRU lattices.
- Questions?
