STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIAL Analysis of NTRUEncrypt Paddings.


NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2002

NTRUEncrypt Basics

NTRUEncrypt works using polynomials in the ring Z[X]/(X^N - 1).
Three important parameters: N (prime); q (usually a power of 2); p (small, coprime to q)
Encryption: e = p*h*r + m mod q
h the public key, m the message, r random and drawn from a specific distribution
Decryption:
– Use the fact that h = g/f mod q, with f, g small:
– a = f*e mod q = p*g*r + f*m mod q
– For appropriate choice of the reduction interval, this is almost always an exact equality
– m = a/f mod p
The fact that f, g are small motivates lattice attacks; not dealt with here.

Raw NTRUEncrypt: Information Leakage and Malleability

In encryption, r is chosen s.t. r(1) is known; h(1) is also known
– Therefore, e(1) leaks m(1)
Additive malleability:
– If the i-th coefficient of m is 0, then e + X^i is an encryption of m + X^i.
Rotational malleability:
– X^i * e is an encryption of X^i * m.
Different encryptions of same message
– If the recipient doesn't check the form of r, then h+e is almost certainly an encryption of m.
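The leakage and the additive and rotational malleability listed on this slide can be checked from the encryption equation alone, which is why padding is needed. The following is an added example, not part of the original slides: the toy parameters (N = 11, p = 3, q = 32), the random stand-in public key h, the ternary form of r and m, and all function names are assumptions made for illustration.

```python
import random

N, P, Q = 11, 3, 32  # toy parameters, assumed for illustration only

def conv(a, b):
    """a*b in Z[X]/(X^N - 1), coefficients mod Q."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % N] = (out[(i + j) % N] + ai * bj) % Q
    return out

def rot(a, j):
    """X^j * a: cyclic shift of the coefficient vector by j places."""
    j %= N
    return a[-j:] + a[:-j]

def small(rng, ones, minus_ones):
    """Random polynomial with fixed counts of +1/-1, so its value at X=1 is public."""
    c = [1] * ones + [-1] * minus_ones + [0] * (N - ones - minus_ones)
    rng.shuffle(c)
    return c

def encrypt(h, m, r):
    """Raw, unpadded encryption from the slide: e = p*h*r + m mod q."""
    return [(P * c + mi) % Q for c, mi in zip(conv(h, r), m)]

def demo(seed=1):
    rng = random.Random(seed)
    h = [rng.randrange(Q) for _ in range(N)]  # constructed stand-in public key
    r = small(rng, 3, 2)                      # r(1) = 1, known to any observer
    m = small(rng, 4, 1)                      # secret message with m(1) = 3
    e = encrypt(h, m, r)
    # Leakage: e(1) - p*h(1)*r(1) mod q uses public values only.
    leaked_m1 = (sum(e) - P * sum(h) * 1) % Q
    # Additive: pick i with m_i = 0 and add X^i to the ciphertext.
    i = m.index(0)
    x_i = [int(k == i) for k in range(N)]
    m_plus = [a + b for a, b in zip(m, x_i)]
    e_plus = [(a + b) % Q for a, b in zip(e, x_i)]
    additive = e_plus == encrypt(h, m_plus, r)
    # Rotational: X^j * e encrypts X^j * m under X^j * r, which has the same form as r.
    j = 4
    rotational = rot(e, j) == encrypt(h, rot(m, j), rot(r, j))
    return {"leaked_m1": leaked_m1, "true_m1": sum(m) % Q,
            "additive": additive, "rotational": rotational}

if __name__ == "__main__":
    print(demo())
```

No private key is involved: each property follows from e = p*h*r + m mod q for any h, so a recipient cannot tell the modified ciphertexts from honestly generated ones without the re-encryption check that the padding adds.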

Making NTRUEncrypt IND-CPA

Combine m with randomness R reversibly to obtain m'
– AONT: OAEP-like hashing and masking
Calculate r as H(m||R)
– Fujisaki-Okamoto technique for converting IND-CPA system to IND-CCA2
e = r*h + m'
On decryption, recipient
– Recovers m'
– Recovers m, R
– Recalculates r and e
– Rejects if calculated e != received e
If AONT gives IND-CPA, then this is IND-CCA2.

[Figure: padding layout diagrams. Block labels: m1, r1, m2, r2; m, r, checkData. Captions: NTRU-OAEP; OAEP-BR; OAEP-NTRU]

Effects of this choice

Say r is of length k bits in total
Then maximum provable IND-CPA strength is k/2 bits

Possible reactions

Leave current NTRUEncrypt padding
– Compatible with EESS#1 and deployed systems
Replace
– OAEP? NTRU to suggest new padding scheme shortly
– REACT?
– Issues with interactions between old and new? Efficiency?