
Lattice Breaking Times. William Whyte, NTRU Cryptosystems, March 2004. (Slides marked PROPRIETARY AND CONFIDENTIAL; NTRU Cryptosystems, Inc., copyright 2004.)




Slide 1 (title slide): Lattice Breaking Times. William Whyte, NTRU Cryptosystems, March 2004.

Slide 2: Purpose of this presentation
- Review lattice reduction techniques.
- Investigate the question: is there anything better to do than a straight-line extrapolation of log(breaking times)?

Slide 3: Review of lattice results
- LLL considers pairs of vectors, reduces them to give the smallest equivalent basis, and swaps depending on the orthogonal projection of one onto the other.
  - Polynomial time to get a vector that is exponentially bigger than the smallest vector.
  - In practice, does better.
- BKZ is like LLL, but works on blocks of size b to find the smallest vector in the block. Finds a better approximation to the shortest vector than LLL does.
  - Running time ~ b^b.
  - In practice, for small b, block reduction time is better than this.
  - A proposed enhancement has running time 2^(kb), but Schnorr reckons k ~ 30.
- Lattice reduction algorithms run much faster in practice than in theory.
  - To get timing estimates, need to run many, many experiments.

Slide 4: Other algorithms
- Schnorr's random sampling reduction (RSR) algorithm
  - Better asymptotics than BKZ, but it is not clear that BKZ's running time ever approaches its asymptotics.
  - In low dimensions seems much slower
    - though Schnorr would disagree.
  - Also, BKZ running time depends on blocksize.
    - Not clear what the equivalent measure for RSR is that would give equally good lattice reductions.
    - Would be good to have a theory of how blocksize scales with N for NTRU...
  - See later graphs!
- Seysen's algorithm
  - Used only rarely.

Slide 5: NTRU and lattices
- (f, g) has the property that f*h mod q = g.
  - (Neglect the factor of p; it can be divided out.)
- All (u, v) such that u*h mod q = v are contained in the lattice (basis matrix shown on the slide; not reproduced in the transcript), where the entries are considered to be either polynomials of degree N-1 or N-dimensional circulant matrices with entries taken from the coefficients of the corresponding polynomials.
- (f, g) will be a short vector in this lattice: standard lattice reduction algorithms should retrieve it or a rotation of it.

Slide 6: NTRU and lattices (2)
- The shorter the shortest vector is (relative to the determinant), the easier, experimentally, it is to break the lattice.
- If f = 1+pF, then the short vector is (1+pF, g).
  - Longer than (f, g) for binary f by a factor of (p+1)/2.
- However, we can say (1 + pF)h = g ⇒ F.ph = g-h ⇒ (0, h) is (F, g) away from a lattice vector in the lattice given by ph.
- Can solve CVP for (0, h) in the above lattice.
  - Same as SVP in a (2N+1)-dimensional lattice.
- But lose rotational symmetry.
  - "inhomogeneous" v "homogeneous"

Slide 7: Lattice strength
- We characterize the lattice by two variables:
  - $c = \sqrt{2N} \cdot \sqrt{2}\,\|f\| / \sigma = 2\|f\|\sqrt{\pi e / q}$:
    - the length of the shortest vector [$\sqrt{2}\,\|f\|$]...
    - divided by the expected length of the shortest vector for a lattice of the same determinant [$\sigma = \sqrt{Nq/(\pi e)}$]...
    - scaled by $\sqrt{2N}$.
  - $a = N/q$.
- Experimentally, breaking time is very sensitive to c, somewhat sensitive to a.
- Experimentally, for fixed c and a, breaking time is at least exponential in N.
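The following added example (not code from the presentation or from NTRU Cryptosystems) ties slides 5 and 7 together: it builds a toy NTRU instance, constructs the standard NTRU lattice basis [[I, H], [0, qI]] with H the circulant matrix of h, verifies that (f, g) is a lattice point by exhibiting its integer coordinates, and evaluates the strength parameters c and a as defined on slide 7. The parameters N = 7, q = 17 and the polynomials f and g are constructed for illustration only; a prime q is assumed so that the key-generation step can use plain Gauss-Jordan elimination mod q (real NTRU parameters use a much larger N and a power-of-two q).

```python
import math

# Toy parameters, an assumption for illustration only.
N, Q = 7, 17

def poly_mul(a, b, n=N):
    """Convolution product in Z[x]/(x^n - 1)."""
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % n] += ai * bj
    return c

def centered_mod(v, q=Q):
    """Reduce every coefficient into the centered range around 0."""
    return [((x + q // 2) % q) - q // 2 for x in v]

def circulant(p, n=N):
    """Row i holds the coefficients of x^i * p(x), so the row vector u times
    circulant(p) equals the polynomial product u * p."""
    return [[p[(j - i) % n] for j in range(n)] for i in range(n)]

def solve_mod_prime(A, b, p):
    """Solve A x = b over GF(p) by Gauss-Jordan elimination (raises if singular)."""
    n = len(A)
    M = [[x % p for x in A[i]] + [b[i] % p] for i in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col]), None)
        if piv is None:
            raise ValueError("matrix not invertible mod p")
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, p)
        M[col] = [(x * inv) % p for x in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                factor = M[r][col]
                M[r] = [(x - factor * y) % p for x, y in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]

def public_key(f, g, q=Q, n=N):
    """h with f * h = g (mod q): solve h . circulant(f) = g, i.e. circulant(f)^T h = g."""
    F_t = [list(col) for col in zip(*circulant(f, n))]
    return centered_mod(solve_mod_prime(F_t, g, q), q)

def ntru_lattice_basis(h, q=Q, n=N):
    """Rows of the 2N x 2N matrix [[I, H], [0, qI]] with H = circulant(h)."""
    H = circulant(h, n)
    top = [[int(i == j) for j in range(n)] + H[i] for i in range(n)]
    bottom = [[0] * n + [q * int(i == j) for j in range(n)] for i in range(n)]
    return top + bottom

def coordinates(u, v, h, q=Q, n=N):
    """Integer coordinates of (u, v) in that basis, or None if it is not a lattice point.
    u . [I H] = (u, u*h) and u*h = v + q*k, so (u, v) = u . [I H] - k . [0 qI]."""
    diff = [x - y for x, y in zip(poly_mul(u, h, n), v)]
    if any(d % q for d in diff):
        return None
    k = [d // q for d in diff]
    return list(u) + [-ki for ki in k]

def apply_basis(coords, basis):
    """Integer combination of the basis rows."""
    m = len(basis[0])
    return [sum(c * row[j] for c, row in zip(coords, basis)) for j in range(m)]

def strength_parameters(f, q=Q, n=N):
    """(c, a) as defined on slide 7: c = 2||f|| sqrt(pi e / q), a = N/q."""
    norm_f = math.sqrt(sum(x * x for x in f))
    return 2 * norm_f * math.sqrt(math.pi * math.e / q), n / q

if __name__ == "__main__":
    f = [1, 1, -1, 0, 1, 0, 0]   # constructed trinary private polynomials
    g = [0, 1, 0, -1, 1, 0, 1]
    h = public_key(f, g)
    basis = ntru_lattice_basis(h)
    co = coordinates(f, g, h)
    print("h =", h)
    print("(f, g) recovered from its coordinates:", apply_basis(co, basis) == f + g)
    print("c = %.3f, a = %.3f" % strength_parameters(f))
```

With these toy values the membership test succeeds for (f, g) and fails as soon as a single coefficient of g is perturbed, which is exactly the "u*h mod q = v" criterion of slide 5; the computed c (about 2.84) and a (7/17) are far outside the regime of the slides, as expected for a 7-dimensional toy.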

Slide 8: Previous statements about lattice strength
- The lower a and c, the faster reduction algorithms run.
  - See later...
- Run experiments at a and c much lower than those obtained for our parameter sets.
  - a = 0.535, c = 1.73;
  - breaking time goes as $10^{0.1095N - 12.6}$ MIPS-years.
    - N = 251 ==> $1.37 \times 10^{13}$ MIPS-years, taking "zero-forcing" into account.
  - 80-bit security: ~$10^{12}$ MIPS-years.
- Trend is concave upwards, and the actual NTRU lattice is stronger than this: the estimate is quite conservative.

Slide 9: Notes about the experiments to follow
- Most run on CVP with f = 1+pF
  - "non-homogeneous"
  - This results in increased running time compared to a straightforward search for f
    - perhaps because rotational symmetry is broken and so there are fewer really short vectors in the system.
- Most run on trinary f
  - to ensure the center is 0 and avoid centering issues.
  - Could run on binary f by multiplying all values by N and solving CVP for (df, df, df, ..., df, dg, dg, dg, ..., dg).
  - This would *not* break symmetry
    - ... but might increase running times because the quantities are bigger.
- Note: NTRUSign is homogeneous!
  - Also, don't want to rely on the strength gain from inhomogeneity; it seems like the kind of thing that could be worked around.
  - Recommend that experiments in future are run on the homogeneous case.

Slide 10: Time v N for different c and a (graph)
- Note the difference between the homogeneous (1st set) and inhomogeneous (2nd set) c=1.73, a=0.53 results.

Slide 11: Extrapolated time v N (graph)
- Extrapolated from the last 10 complete points.
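The straight-line extrapolation that slides 8 and 11 rely on (a least-squares line through log10 of the measured breaking times, fitted to the last 10 complete points and read off at the 10^12 MIPS-years mark for 80-bit security) is small enough to write out in full. This is an added example, not the presentation's own analysis code; the data points are constructed by evaluating the slide-8 formula 10^(0.1095N - 12.6) at a few N, not measured timings, and the scaling of the work-factor target by 2^(bits - 80) for levels other than 80 bits is an assumption of this example.

```python
import math

def fit_log_line(points):
    """Least-squares straight line through (N, log10 time); returns (slope, intercept)."""
    xs = [float(n) for n, _ in points]
    ys = [math.log10(t) for _, t in points]
    k = len(points)
    mx, my = sum(xs) / k, sum(ys) / k
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, my - slope * mx

def extrapolate_from_last(points, how_many=10):
    """Slide 11's rule: fit only the last `how_many` complete points (largest N)."""
    tail = sorted(points)[-how_many:]
    return fit_log_line(tail)

def predicted_time(n, slope, intercept):
    """Extrapolated breaking time in MIPS-years at dimension n."""
    return 10 ** (slope * n + intercept)

def min_n_for_bits(bits, slope, intercept, mips_years_at_80_bits=1e12):
    """Smallest N whose extrapolated breaking time reaches the work factor for `bits`.
    Slide 8 equates 80-bit security with ~10^12 MIPS-years; other levels are
    scaled by 2^(bits - 80), which is an assumption of this example."""
    target = mips_years_at_80_bits * 2 ** (bits - 80)
    return math.ceil((math.log10(target) - intercept) / slope)

# Constructed data: breaking times generated from the slide-8 formula
# 10^(0.1095 N - 12.6) at N = 60, 65, ..., 115 (not measured values).
SAMPLE_POINTS = [(n, 10 ** (0.1095 * n - 12.6)) for n in range(60, 120, 5)]

if __name__ == "__main__":
    m, b = extrapolate_from_last(SAMPLE_POINTS)
    print(f"log10(time) ~ {m:.4f} N + ({b:.2f})")
    print("smallest N reaching 80-bit security:", min_n_for_bits(80, m, b))
    print("extrapolated time at N = 251: %.2e MIPS-years" % predicted_time(251, m, b))
```

Because the constructed points lie exactly on the slide-8 line, the fit recovers slope 0.1095 and intercept -12.6; on real measurements the residuals of the last 10 points are what tell you whether the concave-upward trend noted on slide 12 is present, and a fit over a different window will move the N threshold, which is the "choice of extrapolation point" caveat on that slide.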

Slide 12: Observations
- Even on a log scale (bit security), the lines are concave upwards.
  - See blocksize experiments later.
- As a increases, breaking time for constant c decreases!
  - Because for constant N and c, increasing a means decreasing df?
- Wide variation in the slope of the lines:
  - N = 163 only gives 80-bit security for c=5.3.
  - N = 251 gives 80-bit security for all c except the homogeneous c=1.73 case.
  - N = 769 gives 256-bit security for c=5.3, c=3.7, and one of the c=2.6 lines, but none of the c=3.1 lines!
  - Probably due to the choice of extrapolation point.
- Extrapolating breaking times leaves us vulnerable to speedups in implementations.
  - Is there something more reliable?

Slide 13: Blocksize v N (graph)

Slide 14: Extrapolated blocksize v N (graph)

Slide 15: Observations
- These slopes are much nicer!
- Blocksize is basically 0.45N minus some constant that depends on c.
- Assume that any block-reduction based algorithm takes time at least 2^b.
  - Then requiring blocksize k guarantees us k bits of lattice security, and probably much more.
- But is this a reasonable assumption?
  - Look at blocksize v bit strength.

Slide 16: Time v blocksize (graph)

Slide 17: Observations and conclusions
- Time is more than exponential in blocksize.
- Lower c ⇒ greater time for the same blocksize.
  - Because lower c with the same blocksize ⇒ larger N ⇒ more block reductions necessary.
- However, it is not clear that it is anything more than a guess to say that block reduction time is at least 2^b.
- Conclusion: best to stick with extrapolation of breaking times for the time being.
  - This simply makes a statement about the best currently known technology.

