# Analysis of NTRUEncrypt Paddings

STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIAL


NTRU Cryptosystems, Inc. Copyright © 2002

## NTRUEncrypt Basics

- NTRUEncrypt works with polynomials in the ring Z[X]/(X^N - 1).
- Three important parameters: N (prime); q (usually a power of 2); p (small, coprime to q).
- Encryption: e = p*h*r + m mod q
  - h is the public key, m the message, and r is random, drawn from a specific distribution.
- Decryption:
  - Uses the fact that h = g/f mod q, with f and g small.
  - a = f*e mod q = p*g*r + f*m mod q
  - For an appropriate choice of the reduction interval, this is almost always an exact equality.
  - m = a/f mod p
- The fact that f and g are small motivates lattice attacks; those are not dealt with here.

## Raw NTRUEncrypt: Information Leakage and Malleability

- In encryption, r is chosen such that r(1) is known; h(1) is also known.
  - Therefore, e(1) leaks m(1).
- Additive malleability:
  - If the i-th coefficient of m is 0, then e + X^i is an encryption of m + X^i.
- Rotational malleability:
  - X^i * e is an encryption of X^i * m.
- Different encryptions of the same message:
  - If the recipient doesn't check the form of r, then h + e is almost certainly an encryption of m.
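The raw scheme from the Basics slide, written out as a toy so that the leak and the malleabilities above can be checked by hand. This is an added example, not code from the NTRU presentation or from NTRU Cryptosystems: N = 11, p = 3 and q = 257 are constructed toy parameters (q is taken prime rather than a power of 2 so that polynomial inversion is plain Gauss-Jordan elimination), the key is derived from a seed, and all function names (`mul`, `inverse`, `center`, `keygen`, `encrypt`, `decrypt`, `leak_m1`, `rotate`) are assumptions of this example.

```python
import random

N, p, q = 11, 3, 257  # constructed toy parameters: q is prime here (not 2^k) so inversion is plain linear algebra

def mul(a, b, mod):  # product in Z_mod[X]/(X^N - 1): X^N wraps around to 1
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] = (c[(i + j) % N] + ai * bj) % mod
    return c

def inverse(f, mod):  # f^-1 mod a prime, by Gauss-Jordan on the circulant system f*x = 1; None if singular
    M = [[f[(k - j) % N] % mod for j in range(N)] + [int(k == 0)] for k in range(N)]
    for col in range(N):
        piv = next((r for r in range(col, N) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, mod)
        M[col] = [v * inv % mod for v in M[col]]
        for r in range(N):
            if r != col and M[r][col]:
                M[r] = [(x - M[r][col] * y) % mod for x, y in zip(M[r], M[col])]
    return [row[N] for row in M]

def center(a, mod):  # the reduction interval: coefficients brought into [-mod//2, mod//2]
    return [(v + mod // 2) % mod - mod // 2 for v in a]

def keygen(seed):  # f, g ternary; the public key is h = g/f mod q (the 'Basics' convention)
    rng = random.Random(seed)
    while True:
        f = [rng.choice((-1, 0, 1)) for _ in range(N)]
        f_q, f_p = inverse(f, q), inverse(f, p)
        if f_q and f_p:
            g = [rng.choice((-1, 0, 1)) for _ in range(N)]
            return (f, f_p), mul(g, f_q, q)

def encrypt(h, m, r):  # e = p*h*r + m mod q, with m and r ternary
    return [(p * hr + mi) % q for hr, mi in zip(mul(h, r, q), m)]

def decrypt(sk, e):
    f, f_p = sk
    a = center(mul(f, e, q), q)  # a = p*g*r + f*m exactly: at these sizes every coefficient is far below q/2
    return center(mul(a, f_p, p), p)  # m = a/f mod p

def leak_m1(h, e, r1):  # evaluation at 1 is a ring homomorphism: e(1) = p*h(1)*r(1) + m(1) mod q
    return center([(sum(e) - p * sum(h) * r1) % q], q)[0]  # so a known r(1) gives away m(1)
def rotate(a, i):  # multiply by X^i: a cyclic shift of the coefficient vector
    return [a[(k - i) % N] for k in range(N)]
```

With `e = encrypt(h, m, r)`, `leak_m1(h, e, sum(r))` returns m(1), `decrypt(sk, rotate(e, i))` returns X^i * m, and adding 1 to a coefficient of e where m is 0 flips that coefficient of the decrypted message; none of these are caught because nothing in the raw scheme ties r to m, which is exactly what the padding on the following slides adds.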

## Making NTRUEncrypt IND-CPA

- Combine m with randomness R reversibly to obtain m′.
  - AONT: OAEP-like hashing and masking.
- Calculate r as H(m||R).
  - Fujisaki-Okamoto technique for converting an IND-CPA system to IND-CCA2.
- e = r*h + m′
- On decryption, the recipient:
  - recovers m′;
  - recovers m and R;
  - recalculates r and e;
  - rejects if the calculated e != the received e.
- If the AONT gives IND-CPA, then this is IND-CCA2.

## NTRU-OAEP

[Diagram, not recoverable from the transcript: block diagrams labelled OAEP-BR and OAEP-NTRU, with inputs m1, r1 and m2, r2 feeding the m, r, check and Data fields.]

## Effects of this choice

- Say r is k bits in length in total.
- Then the maximum provable IND-CPA strength is k/2 bits.

## Possible reactions

- Leave the current NTRUEncrypt padding
  - Compatible with EESS#1 and deployed systems
- Replace it
  - OAEP? NTRU to suggest a new padding scheme shortly
  - REACT?
  - Issues with interactions between old and new? Efficiency?