Presentation is loading. Please wait.

Presentation is loading. Please wait.

NTRUSign Parameters Challenge

Published byやすもり さどひら Modified over 5 years ago

Similar presentations

Presentation on theme: "NTRUSign Parameters Challenge"— Presentation transcript:

1 NTRUSign Parameters Challenge
William Whyte NTRU Cryptosystems, Inc.

2 Ground Rules What’s a break? Cash prizes for break:
We’re going to say things have a certain security level. Anything below that IS A BREAK. If we say 80 bits and it’s 79 bits, that’s a break. Cash prizes for break: There are no cash prizes for a break.

3 NTRUSign Pick two short polynomials (f, g) in ring R = Z[X]/(XN-1)
Find (F, G) s. t. f*G – g*F = q, q an integer (power of 2) Then is an R-module / lattice with det q and a basis vectors of length N1/2, N: private key And , h = g/f mod q, is an R-module / lattice with a basis of vectors of length N3/2: public key Signing: message is point, solve CVP for this point using good basis. Verification: check signature is in lattice (using bad basis) and close to message point.

4 Lattice Reduction Speed of lattice reduction depends on size of good basis v expected size of short vector in lattice with given determinant. For ((f g) (F G)) lattice, N = 251 gives 80-bit security. But if we swap g and F: Determinant is still fG-gF = q, but (f F) is much bigger than (f g) Get greater lattice security at lower dimensions! For free! (remember: no cash prizes)

5 Improved Parameter Sets
Up now at k: security level; d: f consists of d+1 +1s, d -1s, and (N-2d-1) 0s; \beta: signature normalization factor; Norm: how close you have to be for a signature to pass \tau: attacker requires >> 2\tau signatures to recover private key. Have at them! k N d q \beta Norm \tau

Download ppt "NTRUSign Parameters Challenge"

Similar presentations

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIAL Analysis of NTRUEncrypt Paddings.

STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIAL Analysis of NTRUEncrypt Paddings.
Fearful Symmetry: Can We Solve Ideal Lattice Problems Efficiently?

Fearful Symmetry: Can We Solve Ideal Lattice Problems Efficiently?
Lecture 8: Lattices and Elliptic Curves

Lecture 8: Lattices and Elliptic Curves
NSS Cryptanalysis II The Return of The Keys Michael Szydlo RSA Laboratories Join work with Jakob Jonsson(RSA) Jaques Stern (ENS) Craig Gentry(DoCoMo)

NSS Cryptanalysis II The Return of The Keys Michael Szydlo RSA Laboratories Join work with Jakob Jonsson(RSA) Jaques Stern (ENS) Craig Gentry(DoCoMo)
PROPRIETARY AND CONFIDENTIAL Variation in Breaking Times for NTRU and Other Cryptosystems William Whyte, Joseph H. Silverman, NTRU Cryptosystems, March.

PROPRIETARY AND CONFIDENTIAL Variation in Breaking Times for NTRU and Other Cryptosystems William Whyte, Joseph H. Silverman, NTRU Cryptosystems, March.
Public Key Cryptosystems - RSA Receiver Sender Eavesdroppe r 175753411947 p q p q p q p and q prime.

Public Key Cryptosystems - RSA Receiver Sender Eavesdroppe r p q p q p q p and q prime.
Abdullah Sheneamer CS591-F2010 Project of semester Presentation University of Colorado, Colorado Springs Dr. Edward RSA Problem and Inside PK Cryptography.

Abdullah Sheneamer CS591-F2010 Project of semester Presentation University of Colorado, Colorado Springs Dr. Edward RSA Problem and Inside PK Cryptography.
阮風光 Phong Q. Nguyên (École normale supérieure) עודד רגב Oded Regev עודד רגב Oded Regev (Tel Aviv University) Learning a Parallelepiped: Cryptanalysis of.

阮風光 Phong Q. Nguyên (École normale supérieure) עודד רגב Oded Regev עודד רגב Oded Regev (Tel Aviv University) Learning a Parallelepiped: Cryptanalysis of.
RSA ( Rivest, Shamir, Adleman) Public Key Cryptosystem

RSA ( Rivest, Shamir, Adleman) Public Key Cryptosystem
Lattice Based Attacks on RSA. 2004/9/22Lattice Based Attacks on RSA2 Outline Lattices and Lattice reduction Lattice Based Attacks on RSA Hastad ’ s Attack.

Lattice Based Attacks on RSA. 2004/9/22Lattice Based Attacks on RSA2 Outline Lattices and Lattice reduction Lattice Based Attacks on RSA Hastad ’ s Attack.
Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.

Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.
1 NTRU: A Ring-Based Public Key Cryptosystem Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman LNCS 1423, 1998.

1 NTRU: A Ring-Based Public Key Cryptosystem Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman LNCS 1423, 1998.
Adding Integers. Adding Integers with the Same Sign Add the absolute values. The sum will have the same sign as the addends. Example 1 Find –2 + (-3)

Adding Integers. Adding Integers with the Same Sign Add the absolute values. The sum will have the same sign as the addends. Example 1 Find –2 + (-3)
Public Key Model 8. Cryptography part 2.

Public Key Model 8. Cryptography part 2.
Cryptanalysis of the Revised NTRU Signature Scheme (NSS) Craig Gentry (DoCoMo) Mike Szydlo (RSA)

Cryptanalysis of the Revised NTRU Signature Scheme (NSS) Craig Gentry (DoCoMo) Mike Szydlo (RSA)
The RSA Algorithm Rocky K. C. Chang, March 2014 1.

The RSA Algorithm Rocky K. C. Chang, March
Diophantine Approximation and Basis Reduction

Diophantine Approximation and Basis Reduction
Public-key cryptanalysis: lattice attacks Nguyen Dinh Thuc University of Science, HCMC

Public-key cryptanalysis: lattice attacks Nguyen Dinh Thuc University of Science, HCMC
Domain Range definition: T is a linear transformation, EIGENVECTOR EIGENVALUE.

Domain Range definition: T is a linear transformation, EIGENVECTOR EIGENVALUE.

Similar presentations

Ads by Google