We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byJason Rooney
Modified over 3 years ago
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIAL Analysis of NTRUEncrypt Paddings
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2002 NTRUEncrypt Basics NTRUEncrypt works using polynomials in the ring Z[X]/X N -1. Three important parameters: N (prime); q (usually power of 2); p (small, coprime to q) Encryption: e = p*h*r + m mod q h the public key, m the message, r random and drawn from a specific distribution Decryption: –Use the fact that h = g/f mod q, f, g, small: –a = f*e mod q = p*g*r + f*m mod q –For appropriate choice of the reduction interval, this is almost always an exact equality –m = a/f mod p The fact that f, g are small motivates lattice attacks; not dealt with here.
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2002 Raw NTRUEncrypt: Information Leakage and Malleability In encryption, r is chosen s.t. r(1) is known; h(1) is also known –Therefore, e(1) leaks m(1) Additive malleability: –If i th coefficient of m is 0, then e + X i is an encryption of m + X i. Rotational malleability: –X i *e is an encryption of X i *m. Different encryptions of same message –If the recipient doesnt check the form of r, then h+e is almost certainly an encryption of m.
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2002 Making NTRUEncrypt IND-CPA Combine m with randomness R reversibly to obtain m –AONT: OAEP-like hashing and masking Calculate r as H(m||R) –Fujisaki-Okamoto technique for converting IND-CPA system to IND-CCA2 e = r*h + m On decryption, recipient –Recovers m –Recovers m, R –Recalculates r and e –Rejects if calculated e != received e If AONT gives IND-CPA, then this is IND-CCA2.
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2002 m1m1 r1r1 m2m2 r2r2 mrcheckData NTRU-OAEP OAEP-BR: OAEP-NTRU
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2002 Effects of this choice Say r is of length k bits in total Then maximum provable IND-CPA strength is k/2 bits
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2002 Possible reactions Leave current NTRUEncrypt padding –Compatible with EESS#1 and deployed systems Replace –OAEP? NTRU to suggest new padding scheme shortly –REACT? –Issues with interactions between old and new? Efficiency?
STRONG security that fits everywhere. NTRUSign and P William Whyte,
1 NTRU: A Ring-Based Public Key Cryptosystem Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman LNCS 1423, 1998.
PROPRIETARY AND CONFIDENTIAL Lattice Breaking Times William Whyte NTRU Cryptosystems March 2004.
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIAL NTRUSIGN TECHNICAL OVERVIEW NTRUSign: Digital Signatures in the NTRU Lattice Jeff Hoffstein,
STRONG security that fits everywhere. P D5 Overview William Whyte NTRU Cryptosystems December 2005.
หัวข้อบรรยาย Stream cipher RC4 WEP (in)security LFSR CSS (in)security.
Cryptanalysis of the Revised NTRU Signature Scheme (NSS) Craig Gentry (DoCoMo) Mike Szydlo (RSA)
OAEP Reconsidered Tae-Joon Kim Jong yun Jun
PROPRIETARY AND CONFIDENTIAL Variation in Breaking Times for NTRU and Other Cryptosystems William Whyte, Joseph H. Silverman, NTRU Cryptosystems, March.
1 Lect. 13 : Public Key Encryption RSA ElGamal. 2 Shamir Rivest Adleman RSA Public Key Systems RSA is the first public key cryptosystem Proposed in.
Tallinn University of Technology Quantum computer impact on public key cryptography Roman Stepanenko.
1 Number Theory and Advanced Cryptography 5. Cryptanalysis of RSA Chih-Hung Wang Sept Part I: Introduction to Number Theory Part II: Advanced Cryptography.
Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
Cryptography Lecture 8 Stefan Dziembowski
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
A Designer’s Guide to KEMs Alex Dent
Computer Security Set of slides 4 Dr Alexei Vernitski.
13.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 13 Digital Signature.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
RSA ( Rivest, Shamir, Adleman) Public Key Cryptosystem
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Lecture 11 Chosen-Ciphertext Security Stefan Dziembowski MIM UW ver 1.0.
1 September, 2002 doc:.: /386r0 Daniel V. Bailey, William Whyte, Ari Singer, NTRU 1 Project: IEEE P Working Group for Wireless Personal.
Intro To Encryption Exercise 1. Monoalphabetic Ciphers Examples: Caesar Cipher At Bash PigPen (Will be demonstrated) …
1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure E.g., a standard and a proprietary, a.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
1 AN EFFICIENT METHOD FOR FACTORING RABIN SCHEME SATTAR J ABOUD 1, 2 MAMOUN S. AL RABABAA and MOHAMMAD A AL-FAYOUMI 1 1 Middle East University for Graduate.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.
Códigos y Criptografía Francisco Rodríguez Henríquez Some Number Theory Modulo Operation: Question: What is 12 mod 9? Answer: 12 mod 9 3 or 12 3 mod.
Cryptography By: Nick Belhumeur. Overview What is Cryptography? What is Cryptography? 2 types of cryptosystems 2 types of cryptosystems Example of Encryption.
NTRU Key Exchange based on a posting of Lars Luthman on the Cryptography mailinglist on 05/17/2014 The search for a Post-Quantum Diffie-Hellman replacement.
Introduction to Signcryption November 22, /11/2004 Signcryption Public Key (PK) Cryptography Discovering Public Key (PK) cryptography has made.
Performance Evaluation of Public Key Cryptosystems Advisor: Dr.Jens Peter Kaps Project Team: Rakesh Malireddy Rohan Malewar Vasunandan Peddi Vijay Koneru.
Section 4.4: The RSA Cryptosystem Practice HW Handwritten and Maple Exercises p at end of class notes.
1/16 Seeing through M IST given a Small Fraction of an RSA Private Key Colin D. Walter Comodo Research Lab (Bradford, UK)
Lattice-Based Cryptography. Lattice Problems Small Integer Solution Problem (SIS) Learning With Errors Problem (LWE) One-Way Functions Collision-Resistant.
One-Time Pad Or Vernam Cipher Sayed Mahdi Mohammad Hasanzadeh Spring 2004.
1 Introduction to Information Security , Spring 2016 Lecture 4: Applied cryptography: asymmetric Zvi Ostfeld Slides credit: Eran Tromer.
Data Security 1 El_Gamal Cryptography. Data Security2 Introduction El_Gamal is a public-key cryptosystem technique El_Gamal is a public-key cryptosystem.
Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.
On OAEP, PSS, and S/MIME John Linn RSA Laboratories S/MIME WG, San Diego IETF, 13 December 2000.
RSA and its Mathematics Behind July Topics Modular Arithmetic Greatest Common Divisor Euler’s Identity RSA algorithm Security in RSA.
Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz.
COMP 424 Lecture 04 Advanced Encryption Techniques (DES, AES, RSA)
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
The RSA Algorithm Rocky K. C. Chang, March
阮風光 Phong Q. Nguyên (École normale supérieure) עודד רגב Oded Regev עודד רגב Oded Regev (Tel Aviv University) Learning a Parallelepiped: Cryptanalysis of.
Tonga Institute of Higher Education Design and Analysis of Algorithms IT 254 Lecture 9: Cryptography.
© 2017 SlidePlayer.com Inc. All rights reserved.