Download presentation

Presentation is loading. Please wait.

Published byJason Rooney Modified over 3 years ago

1
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIAL Analysis of NTRUEncrypt Paddings

2
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2002 NTRUEncrypt Basics NTRUEncrypt works using polynomials in the ring Z[X]/X N -1. Three important parameters: N (prime); q (usually power of 2); p (small, coprime to q) Encryption: e = p*h*r + m mod q h the public key, m the message, r random and drawn from a specific distribution Decryption: –Use the fact that h = g/f mod q, f, g, small: –a = f*e mod q = p*g*r + f*m mod q –For appropriate choice of the reduction interval, this is almost always an exact equality –m = a/f mod p The fact that f, g are small motivates lattice attacks; not dealt with here.

3
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2002 Raw NTRUEncrypt: Information Leakage and Malleability In encryption, r is chosen s.t. r(1) is known; h(1) is also known –Therefore, e(1) leaks m(1) Additive malleability: –If i th coefficient of m is 0, then e + X i is an encryption of m + X i. Rotational malleability: –X i *e is an encryption of X i *m. Different encryptions of same message –If the recipient doesnt check the form of r, then h+e is almost certainly an encryption of m.

4
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2002 Making NTRUEncrypt IND-CPA Combine m with randomness R reversibly to obtain m –AONT: OAEP-like hashing and masking Calculate r as H(m||R) –Fujisaki-Okamoto technique for converting IND-CPA system to IND-CCA2 e = r*h + m On decryption, recipient –Recovers m –Recovers m, R –Recalculates r and e –Rejects if calculated e != received e If AONT gives IND-CPA, then this is IND-CCA2.

5
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2002 m1m1 r1r1 m2m2 r2r2 mrcheckData NTRU-OAEP OAEP-BR: OAEP-NTRU

6
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2002 Effects of this choice Say r is of length k bits in total Then maximum provable IND-CPA strength is k/2 bits

7
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2002 Possible reactions Leave current NTRUEncrypt padding –Compatible with EESS#1 and deployed systems Replace –OAEP? NTRU to suggest new padding scheme shortly –REACT? –Issues with interactions between old and new? Efficiency?

Similar presentations

OK

STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIAL NTRUSIGN TECHNICAL OVERVIEW NTRUSign: Digital Signatures in the NTRU Lattice Jeff Hoffstein,

STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIAL NTRUSIGN TECHNICAL OVERVIEW NTRUSign: Digital Signatures in the NTRU Lattice Jeff Hoffstein,

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google