Presentation is loading. Please wait.

Presentation is loading. Please wait.

PROPRIETARY AND CONFIDENTIAL Variation in Breaking Times for NTRU and Other Cryptosystems William Whyte, Joseph H. Silverman, NTRU Cryptosystems, March.

Similar presentations


Presentation on theme: "PROPRIETARY AND CONFIDENTIAL Variation in Breaking Times for NTRU and Other Cryptosystems William Whyte, Joseph H. Silverman, NTRU Cryptosystems, March."— Presentation transcript:

1 PROPRIETARY AND CONFIDENTIAL Variation in Breaking Times for NTRU and Other Cryptosystems William Whyte, Joseph H. Silverman, NTRU Cryptosystems, March 2004

2 PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © What started all this?  The following slide, presented at the August P1363 meeting…

3 PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © Lattice Strength  The lower a and c, the faster reduction algorithms run.  Run experiments at a and c much lower than those obtained for our parameter sets. –a = 0.535, c = 1.73; –Breaking time goes as N MIPS-years.  N = 251 ==> 1.37*10 13 MIPS-years, taking “zero-forcing” into account. –80-bit security: ~10 12 MIPS-years  Trend is concave upwards, and actual NTRU lattice is stronger than this: estimate is quite conservative.  Paper available on X9 website

4 PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © A question about the graphs  The points come from ten runs at each N value  But if log is log 10, then there are cases where the weakest key is 100 times weaker than the average  Can we really claim k-bit security in this case?

5 PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © The answer!  In the graphs shown, log is ln, not log 10.  Weakest keys break 7 times faster than average, not 100  Not clearly mad, but is it reasonable?

6 PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © What variation is reasonable for running times?  Consider the following strategy for an attack on any cryptosystem where we know the average running time is T: –Set a cutoff time of C for some C

7 PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © Notation and Overview  Denote by E(M K ) the expected minimum breaking time on K keys.  Typically, we can approximate E(M K ) as K -s(A)  s(A) is the stability exponent for the algorithm  Running time of ‘cutoff algorithm’ is CK ~ K E(M K ) ~ K.K -s(A) ~ K 1-s(A)  So if s(A) > 1, cutoff algorithm helps; otherwise, it doesn’t  Formal definition of s:

8 PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © Stability Exponent for Symmetric Systems  If we have N possible keys –the chance that we find a key after exactly t attempts is 1/N –the chance that we find a key in t or fewer attempts is t/N  We show that E(M K ) ~ 2/K –So lim (log(E(M K ))/log(K)) = 1 –Cutoff algorithm neither helps nor hinders

9 PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © Stability Exponent for Collision Algorithms  Collision Algorithms – algorithms like Pollard-rho  Normalized running time is given by  E(M K ) is given by  And stability exponent = ½ –Cutoff strategy doesn’t help

10 PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © Stability Exponent for Lattice Reduction  Here, have to obtain E(M K ) experimentally –100 runs at different lattice dimensions

11 PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © Stability Exponent for Lattice Reduction (2)  Approximate stability exponent with  For c = 1.73, a = 0.53, we find DimKMeanMinS

12 PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © Stability Exponent for Lattice Reduction: Conclusions  At measurable dimensions, stability exponent is very low –Lower than for other cryptosystems  It seems to be increasing as dimension increases –However, it would have to increase considerably for the cutoff strategy to be of any use  Conclusion: standard measures of security, based on average running times, are appropriate measures for NTRU lattices.  Questions?


Download ppt "PROPRIETARY AND CONFIDENTIAL Variation in Breaking Times for NTRU and Other Cryptosystems William Whyte, Joseph H. Silverman, NTRU Cryptosystems, March."

Similar presentations


Ads by Google