Presentation is loading. Please wait.

Presentation is loading. Please wait.

PROPRIETARY AND CONFIDENTIAL Variation in Breaking Times for NTRU and Other Cryptosystems William Whyte, Joseph H. Silverman, NTRU Cryptosystems, March.

Published byRonaldo Coopman Modified over 9 years ago

Similar presentations

Presentation on theme: "PROPRIETARY AND CONFIDENTIAL Variation in Breaking Times for NTRU and Other Cryptosystems William Whyte, Joseph H. Silverman, NTRU Cryptosystems, March."— Presentation transcript:

1 PROPRIETARY AND CONFIDENTIAL Variation in Breaking Times for NTRU and Other Cryptosystems William Whyte, Joseph H. Silverman, NTRU Cryptosystems, March 2004

2 PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2004 2 What started all this?  The following slide, presented at the August P1363 meeting…

3 PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2004 3 Lattice Strength  The lower a and c, the faster reduction algorithms run.  Run experiments at a and c much lower than those obtained for our parameter sets. –a = 0.535, c = 1.73; –Breaking time goes as 10.1095N - 12.6 MIPS-years.  N = 251 ==> 1.37*10 13 MIPS-years, taking “zero-forcing” into account. –80-bit security: ~10 12 MIPS-years  Trend is concave upwards, and actual NTRU lattice is stronger than this: estimate is quite conservative.  Paper available on X9 website

4 PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2004 4 A question about the graphs  The points come from ten runs at each N value  But if log is log 10, then there are cases where the weakest key is 100 times weaker than the average  Can we really claim k-bit security in this case?

5 PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2004 5 The answer!  In the graphs shown, log is ln, not log 10.  Weakest keys break 7 times faster than average, not 100  Not clearly mad, but is it reasonable?

6 PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2004 6 What variation is reasonable for running times?  Consider the following strategy for an attack on any cryptosystem where we know the average running time is T: –Set a cutoff time of C for some C<T –For keys 1…k, try to break each key. –If a given key is not broken by the cutoff time, abort that breaking run  If the variation is such that one key in T/C has breaking time less than C, this will break a single key in time less than T.  In the rest of this presentation, we apply this strategy to different cryptographic problems and observe how it works.

7 PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2004 7 Notation and Overview  Denote by E(M K ) the expected minimum breaking time on K keys.  Typically, we can approximate E(M K ) as K -s(A)  s(A) is the stability exponent for the algorithm  Running time of ‘cutoff algorithm’ is CK ~ K E(M K ) ~ K.K -s(A) ~ K 1-s(A)  So if s(A) > 1, cutoff algorithm helps; otherwise, it doesn’t  Formal definition of s:

8 PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2004 8 Stability Exponent for Symmetric Systems  If we have N possible keys –the chance that we find a key after exactly t attempts is 1/N –the chance that we find a key in t or fewer attempts is t/N  We show that E(M K ) ~ 2/K –So lim (log(E(M K ))/log(K)) = 1 –Cutoff algorithm neither helps nor hinders

9 PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2004 9 Stability Exponent for Collision Algorithms  Collision Algorithms – algorithms like Pollard-rho  Normalized running time is given by  E(M K ) is given by  And stability exponent = ½ –Cutoff strategy doesn’t help

10 PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2004 10 Stability Exponent for Lattice Reduction  Here, have to obtain E(M K ) experimentally –100 runs at different lattice dimensions

11 PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2004 11 Stability Exponent for Lattice Reduction (2)  Approximate stability exponent with  For c = 1.73, a = 0.53, we find DimKMeanMinS 1801004492050.17 2001001012.52980.266 2201002302.55840.298 250100899420590.32

12 PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2004 12 Stability Exponent for Lattice Reduction: Conclusions  At measurable dimensions, stability exponent is very low –Lower than for other cryptosystems  It seems to be increasing as dimension increases –However, it would have to increase considerably for the cutoff strategy to be of any use  Conclusion: standard measures of security, based on average running times, are appropriate measures for NTRU lattices.  Questions?

Download ppt "PROPRIETARY AND CONFIDENTIAL Variation in Breaking Times for NTRU and Other Cryptosystems William Whyte, Joseph H. Silverman, NTRU Cryptosystems, March."

Similar presentations

STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIAL Analysis of NTRUEncrypt Paddings.

STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIAL Analysis of NTRUEncrypt Paddings.
Break-even ‘SPLAT!!!’. is all the money that comes into a business. Many businesses keep their money in a bank account that pays them a regular income..

Break-even ‘SPLAT!!!’. is all the money that comes into a business. Many businesses keep their money in a bank account that pays them a regular income..
Data Encryption Standard (DES)

Data Encryption Standard (DES)
Slide 5-2 Copyright © 2008 Pearson Education, Inc. Chapter 5 Probability and Random Variables.

Slide 5-2 Copyright © 2008 Pearson Education, Inc. Chapter 5 Probability and Random Variables.
Slide Slide 1 Copyright © 2007 Pearson Education, Inc Publishing as Pearson Addison-Wesley. Lecture Slides Elementary Statistics Tenth Edition and the.

Slide Slide 1 Copyright © 2007 Pearson Education, Inc Publishing as Pearson Addison-Wesley. Lecture Slides Elementary Statistics Tenth Edition and the.
Topic 6: Introduction to Hypothesis Testing

Topic 6: Introduction to Hypothesis Testing
Scenario  You have last week’s closing stock price for a particular company. You are trying to place a value to a European call option which expires a.

Scenario  You have last week’s closing stock price for a particular company. You are trying to place a value to a European call option which expires a.
Chapter 4 Probability Distributions

Chapter 4 Probability Distributions
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
Experimental Evaluation

Experimental Evaluation
Copyright © 2009 Pearson Education, Inc. CHAPTER 5: Exponential and Logarithmic Functions 5.1 Inverse Functions 5.2 Exponential Functions and Graphs 5.3.

Copyright © 2009 Pearson Education, Inc. CHAPTER 5: Exponential and Logarithmic Functions 5.1 Inverse Functions 5.2 Exponential Functions and Graphs 5.3.
1 NTRU: A Ring-Based Public Key Cryptosystem Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman LNCS 1423, 1998.

1 NTRU: A Ring-Based Public Key Cryptosystem Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman LNCS 1423, 1998.
1 Chapter 10 Correlation and Regression We deal with two variables, x and y. Main goal: Investigate how x and y are related, or correlated; how much they.

1 Chapter 10 Correlation and Regression We deal with two variables, x and y. Main goal: Investigate how x and y are related, or correlated; how much they.
Lecture 3: Cryptographic Tools modified from slides of Lawrie Brown.

Lecture 3: Cryptographic Tools modified from slides of Lawrie Brown.
Copyright © 2010, 2007, 2004 Pearson Education, Inc. All Rights Reserved. 10.1 - 1 Section 10-3 Regression.

Copyright © 2010, 2007, 2004 Pearson Education, Inc. All Rights Reserved Section 10-3 Regression.
Reading Strategies ‘Unlocking the Text’. Revenue is all the money that comes into a business. Interest: Many businesses keep their money in a bank account.

Reading Strategies ‘Unlocking the Text’. Revenue is all the money that comes into a business. Interest: Many businesses keep their money in a bank account.
Calculating Discrete Logarithms John Hawley Nicolette Nicolosi Ryan Rivard.

Calculating Discrete Logarithms John Hawley Nicolette Nicolosi Ryan Rivard.
Sociology 5811: Lecture 7: Samples, Populations, The Sampling Distribution Copyright © 2005 by Evan Schofer Do not copy or distribute without permission.

Sociology 5811: Lecture 7: Samples, Populations, The Sampling Distribution Copyright © 2005 by Evan Schofer Do not copy or distribute without permission.
Copyright © 2010, 2007, 2004 Pearson Education, Inc. All Rights Reserved. 10.1 - 1 Section 10-1 Review and Preview.

Copyright © 2010, 2007, 2004 Pearson Education, Inc. All Rights Reserved Section 10-1 Review and Preview.
Copyright © Cengage Learning. All rights reserved.

Copyright © Cengage Learning. All rights reserved.

Similar presentations

Ads by Google