Download presentation

Presentation is loading. Please wait.

Published byRonaldo Coopman Modified about 1 year ago

1
PROPRIETARY AND CONFIDENTIAL Variation in Breaking Times for NTRU and Other Cryptosystems William Whyte, Joseph H. Silverman, NTRU Cryptosystems, March 2004

2
PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © What started all this? The following slide, presented at the August P1363 meeting…

3
PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © Lattice Strength The lower a and c, the faster reduction algorithms run. Run experiments at a and c much lower than those obtained for our parameter sets. –a = 0.535, c = 1.73; –Breaking time goes as N MIPS-years. N = 251 ==> 1.37*10 13 MIPS-years, taking “zero-forcing” into account. –80-bit security: ~10 12 MIPS-years Trend is concave upwards, and actual NTRU lattice is stronger than this: estimate is quite conservative. Paper available on X9 website

4
PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © A question about the graphs The points come from ten runs at each N value But if log is log 10, then there are cases where the weakest key is 100 times weaker than the average Can we really claim k-bit security in this case?

5
PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © The answer! In the graphs shown, log is ln, not log 10. Weakest keys break 7 times faster than average, not 100 Not clearly mad, but is it reasonable?

6
PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © What variation is reasonable for running times? Consider the following strategy for an attack on any cryptosystem where we know the average running time is T: –Set a cutoff time of C for some C

7
PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © Notation and Overview Denote by E(M K ) the expected minimum breaking time on K keys. Typically, we can approximate E(M K ) as K -s(A) s(A) is the stability exponent for the algorithm Running time of ‘cutoff algorithm’ is CK ~ K E(M K ) ~ K.K -s(A) ~ K 1-s(A) So if s(A) > 1, cutoff algorithm helps; otherwise, it doesn’t Formal definition of s:

8
PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © Stability Exponent for Symmetric Systems If we have N possible keys –the chance that we find a key after exactly t attempts is 1/N –the chance that we find a key in t or fewer attempts is t/N We show that E(M K ) ~ 2/K –So lim (log(E(M K ))/log(K)) = 1 –Cutoff algorithm neither helps nor hinders

9
PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © Stability Exponent for Collision Algorithms Collision Algorithms – algorithms like Pollard-rho Normalized running time is given by E(M K ) is given by And stability exponent = ½ –Cutoff strategy doesn’t help

10
PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © Stability Exponent for Lattice Reduction Here, have to obtain E(M K ) experimentally –100 runs at different lattice dimensions

11
PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © Stability Exponent for Lattice Reduction (2) Approximate stability exponent with For c = 1.73, a = 0.53, we find DimKMeanMinS

12
PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © Stability Exponent for Lattice Reduction: Conclusions At measurable dimensions, stability exponent is very low –Lower than for other cryptosystems It seems to be increasing as dimension increases –However, it would have to increase considerably for the cutoff strategy to be of any use Conclusion: standard measures of security, based on average running times, are appropriate measures for NTRU lattices. Questions?

Similar presentations

© 2016 SlidePlayer.com Inc.

All rights reserved.

Ads by Google