We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byJason Rooney
Modified over 2 years ago
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIAL Analysis of NTRUEncrypt Paddings
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2002 NTRUEncrypt Basics NTRUEncrypt works using polynomials in the ring Z[X]/X N -1. Three important parameters: N (prime); q (usually power of 2); p (small, coprime to q) Encryption: e = p*h*r + m mod q h the public key, m the message, r random and drawn from a specific distribution Decryption: –Use the fact that h = g/f mod q, f, g, small: –a = f*e mod q = p*g*r + f*m mod q –For appropriate choice of the reduction interval, this is almost always an exact equality –m = a/f mod p The fact that f, g are small motivates lattice attacks; not dealt with here.
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2002 Raw NTRUEncrypt: Information Leakage and Malleability In encryption, r is chosen s.t. r(1) is known; h(1) is also known –Therefore, e(1) leaks m(1) Additive malleability: –If i th coefficient of m is 0, then e + X i is an encryption of m + X i. Rotational malleability: –X i *e is an encryption of X i *m. Different encryptions of same message –If the recipient doesnt check the form of r, then h+e is almost certainly an encryption of m.
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2002 Making NTRUEncrypt IND-CPA Combine m with randomness R reversibly to obtain m –AONT: OAEP-like hashing and masking Calculate r as H(m||R) –Fujisaki-Okamoto technique for converting IND-CPA system to IND-CCA2 e = r*h + m On decryption, recipient –Recovers m –Recovers m, R –Recalculates r and e –Rejects if calculated e != received e If AONT gives IND-CPA, then this is IND-CCA2.
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2002 m1m1 r1r1 m2m2 r2r2 mrcheckData NTRU-OAEP OAEP-BR: OAEP-NTRU
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2002 Effects of this choice Say r is of length k bits in total Then maximum provable IND-CPA strength is k/2 bits
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2002 Possible reactions Leave current NTRUEncrypt padding –Compatible with EESS#1 and deployed systems Replace –OAEP? NTRU to suggest new padding scheme shortly –REACT? –Issues with interactions between old and new? Efficiency?
Computer Security Set of slides 4 Dr Alexei Vernitski.
Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz.
Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.
CLASSICAL ENCRYPTION TECHNIQUES
1 Cryptography encryption authentication digital signatures one-way functions hash algorithms key generation, exchange and management.
Relations, Functions, and Matrices Mathematical Structures for Computer Science Chapter 4 Copyright © 2006 W.H. Freeman & Co.MSCS SlidesThe Mighty Mod.
Using Cryptography to Secure Information. Overview Introduction to Cryptography Using Symmetric Encryption Using Hash Functions Using Public Key Encryption.
Minimalism in Cryptography: The Even-Mansour Scheme Revisited Orr Dunkelman, Nathan Keller, and Adi Shamir Haifa University, Bar-Ilan University, and The.
1 Pretty Good Privacy (PGP) Security for Electronic .
1 RSA. 2 Prime Numbers An integer p is a prime number if it has no factors other than 1 and itself. An integer which is greater than 1 and not a prime.
Estimation of Means and Proportions. Concepts Estimator: a rule that tells us how to estimate a value for a population parameter using sample data Estimate:
Md. Kamrul Hasan Assistant Professor and Chairman Computer and Communication Engineering Dept. Network Security.
Slide 1 Introduction to Quantum Cryptography Nick Papanikolaou
Diffie-Hellman Diffie-Hellman is a public key distribution scheme First public-key type scheme, proposed in 1976.
Security and Privacy over the Internet Chan Hing Wing, Anthony Mphil Yr. 1, CSE, CUHK Oct 19, 1998.
On necessary and sufficient cryptographic assumptions: the case of memory checking Lecture 2 : Authentication and Communication Complexity Lecturer: Moni.
Public Key Cryptography Nick Feamster CS 6262 Spring 2009.
1 El Gamel Public Key Cryptosystem. 2 The Discrete Log Problem The El Gamel public key cryptosystem is based upon the difficulty of solving the discrete.
Security – Keys, Digital Signatures and Certificates I CS3517 Distributed Systems and Security Lecture 19.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
© 2007 Levente Buttyán and Jean-Pierre Hubaux Security and Cooperation in Wireless Networks Appendix A: Introduction to cryptographic.
A Simple BGN-Type Cryptosystem from LWE Craig Gentry Shai Halevi Vinod Vaikuntanathan IBM Research.
Home. Copyright © by The McGraw-Hill Companies, Inc. All rights reserved.Glencoe Accounting The general journal is a permanent record organized by account.
Statistical inference Ian Jolliffe University of Aberdeen CLIPS module 3.4b.
Fundamentals of Digital Communications and Data Transmission 29 th October 2008 Abdullah Al-Meshal.
Pseudo Random and Random Numbers Vivek Bhatnagar and Chaitanya Cheruvu.
Secret Key Cryptography Nick Feamster CS 6262 Spring 2009.
Cryptography And Secure Channels Kenny Paterson Information Security Group Royal Holloway, University of London 05/22/09 | Cryp-203.
© 2017 SlidePlayer.com Inc. All rights reserved.