PROPRIETARY AND CONFIDENTIAL
Lattice Breaking Times
William Whyte, NTRU Cryptosystems, March 2004
Slide 2: Purpose of this presentation
Review lattice reduction techniques.
Investigate the question: is there any better thing to do than a straight-line extrapolation of log(breaking times)?
Slide 3: Review of lattice results
LLL – considers pairs of vectors, reduces them to give the smallest equivalent basis, and swaps depending on the orthogonal projection of one onto the other.
–Polynomial time to get a vector that's exponentially bigger than the smallest vector.
–In practice, does better.
BKZ – like LLL, but works on blocks of size b to find the smallest vector in the block. Finds a better approximation to the shortest vector than LLL does.
–Running time ~ b^b.
–In practice, for small b, block reduction time is better than this.
–Proposed enhancement has running time 2^(kb), but Schnorr reckons k ~ 30.
Lattice reduction algorithms run much faster in practice than in theory.
–To get timing estimates, need to run many, many experiments.
Slide 4: Other Algorithms
Schnorr's random sampling reduction algorithm
–Better asymptotics than BKZ, but it's not clear that BKZ's running time ever approaches its asymptotics.
–In low dimensions seems much slower (though Schnorr would disagree).
–Also, BKZ running time depends on blocksize. Not clear what the equivalent measure for RSR is that would give equally good lattice reductions.
Would be good to have a theory of how blocksize scales with N for NTRU…
–See later graphs!
Seysen's algorithm
–Used only rarely.
Slide 5: NTRU and Lattices
(f, g) has the property that f*h mod q = g.
–(Neglect the factor of p; it can be divided out.)
All (u, v) such that u*h mod q = v are contained in the lattice [basis matrix not recovered from the slide], where the entries are considered to be either polynomials of degree N-1 or N-dimensional circulant matrices with entries taken from the coefficients of the corresponding polynomials.
(f, g) will be a short vector in this lattice: standard lattice reduction algorithms should retrieve it or a rotation.
Slide 6: NTRU and Lattices (2)
The shorter the shortest vector is (relative to the determinant), the easier, experimentally, it is to break the lattice.
If f = 1+pF, then the short vector is (1+pF, g).
–Longer than (f, g) for binary f by a factor of (p+1)/2.
However, we can say (1 + pF)h = g, so F·ph = g − h.
(0, h) is (F, g) away from a lattice vector in the lattice given by ph.
Can solve CVP for (0, h) in the above lattice.
–Same as SVP in a (2N+1)-dimensional lattice, but lose rotational symmetry.
–"inhomogeneous" vs "homogeneous".
Slide 7: Lattice Strength
We characterize the lattice by two variables:
–$c = \sqrt{2N}\cdot\sqrt{2}\,\|f\| \big/ \sqrt{Nq/(\pi e)} = 2\|f\|\sqrt{\pi e/q}$: the length of the shortest vector [$\sqrt{2}\,\|f\|$], divided by the expected length of the shortest vector for a lattice of the same determinant [$\sqrt{Nq/(\pi e)}$], scaled by $\sqrt{2N}$.
–a = N/q.
Experimentally, breaking time is very sensitive to c, somewhat sensitive to a.
Experimentally, for fixed c, a, breaking time is at least exponential in N.
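The lattice of slide 5 and the (c, a) measure of slide 7, as an added example that is not code from the presentation or from NTRU Cryptosystems. It assumes the standard NTRU basis shape [[I, H], [0, qI]] (the slide's own matrix did not survive extraction), builds it for constructed toy parameters N = 7, q = 29 with hypothetical trinary f and g (chosen so that f is invertible mod (x^7 − 1, 29); far too small to be secure), checks that (f, g) really is an integer combination of the basis rows, and computes c both from the closed form 2||f||√(πe/q) and from the three-step definition so the two can be seen to agree.

```python
import math
from typing import List, Optional, Tuple

# Constructed toy parameters, not from the slides.
N, Q = 7, 29
F_POLY = [1, 1, 0, -1, 0, 0, 0]    # hypothetical f = 1 + x - x^3,  ||f||^2 = 3
G_POLY = [1, 0, -1, 0, 1, -1, 0]   # hypothetical g,                ||g||^2 = 4


def cyclic_convolve(u: List[int], v: List[int]) -> List[int]:
    """u * v in Z[x]/(x^N - 1); coefficients are NOT reduced mod q."""
    n = len(u)
    out = [0] * n
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            out[(i + j) % n] += ui * vj
    return out


def solve_mod_prime(a: List[List[int]], b: List[int], q: int) -> List[int]:
    """Solve a.x = b over GF(q) by Gauss-Jordan elimination (q prime)."""
    n = len(a)
    m = [[x % q for x in row] + [b[i] % q] for i, row in enumerate(a)]
    for col in range(n):
        piv = next((r for r in range(col, n) if m[r][col]), None)
        if piv is None:
            raise ValueError("system singular mod q (f not invertible)")
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], q - 2, q)
        m[col] = [(x * inv) % q for x in m[col]]
        for r in range(n):
            if r != col and m[r][col]:
                factor = m[r][col]
                m[r] = [(x - factor * y) % q for x, y in zip(m[r], m[col])]
    return [row[n] for row in m]


def public_key(f: List[int], g: List[int], q: int) -> List[int]:
    """h with f*h = g mod q, found by solving the circulant system F.h = g."""
    n = len(f)
    circulant = [[f[(k - j) % n] for j in range(n)] for k in range(n)]
    return solve_mod_prime(circulant, g, q)


def ntru_basis(h: List[int], q: int) -> List[List[int]]:
    """Rows (e_i | x^i h) and (0 | q e_i): the assumed [[I, H], [0, qI]] basis.
    Every (u, u*h mod q) is an integer combination of these rows."""
    n = len(h)
    rows = [[int(i == j) for j in range(n)] + [h[(k - i) % n] for k in range(n)] for i in range(n)]
    rows += [[0] * n + [q * int(i == j) for j in range(n)] for i in range(n)]
    return rows


def lattice_coordinates(basis: List[List[int]], target: List[int], q: int) -> Optional[List[int]]:
    """Integer coefficients expressing target in the basis above, or None if it
    is not a lattice vector.  The basis is block-triangular, so the first N
    coefficients are just the left half of target and the rest must make the
    right half match up to multiples of q."""
    n = len(basis) // 2
    u, v = target[:n], target[n:]
    right = [sum(u[i] * basis[i][n + k] for i in range(n)) for k in range(n)]
    diff = [v[k] - right[k] for k in range(n)]
    if any(d % q for d in diff):
        return None
    return list(u) + [d // q for d in diff]


def gaussian_heuristic(n: int, q: int) -> float:
    """Expected shortest length in a 2N-dimensional lattice of determinant q^N."""
    return math.sqrt(n * q / (math.pi * math.e))


def lattice_strength(f: List[int], n: int, q: int) -> Tuple[float, float]:
    """(c, a) as defined on slide 7, via the closed form c = 2||f|| sqrt(pi e/q).
    The slide takes ||g|| ~ ||f||, so the short vector has length ~ sqrt(2)||f||."""
    norm_f = math.sqrt(sum(x * x for x in f))
    return 2 * norm_f * math.sqrt(math.pi * math.e / q), n / q


def c_from_definition(f: List[int], n: int, q: int) -> float:
    """c built step by step: sqrt(2)||f|| over the Gaussian heuristic, scaled by sqrt(2N)."""
    norm_f = math.sqrt(sum(x * x for x in f))
    return math.sqrt(2 * n) * math.sqrt(2) * norm_f / gaussian_heuristic(n, q)


def demo():
    h = public_key(F_POLY, G_POLY, Q)
    coords = lattice_coordinates(ntru_basis(h, Q), F_POLY + G_POLY, Q)
    c, a = lattice_strength(F_POLY, N, Q)
    return h, coords, c, a


if __name__ == "__main__":
    print(demo())
```

With these toy values c is about 1.88 and a = 7/29, which is the low-c, low-a corner where the slides say reduction runs fastest; the point of the block is the bookkeeping (which vectors are in the lattice and why (f, g) is one of them), not the parameters.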
Slide 8: Previous Statements About Lattice Strength
The lower a and c, the faster reduction algorithms run.
–See later…
Run experiments at a and c much lower than those obtained for our parameter sets.
–a = 0.535, c = 1.73;
–Breaking time goes as 10^(0.1095N − 12.6) MIPS-years.
N = 251 ==> 1.37×10^13 MIPS-years, taking "zero-forcing" into account.
–80-bit security: ~10^12 MIPS-years.
Trend is concave upwards, and the actual NTRU lattice is stronger than this: the estimate is quite conservative.
Slide 9: Notes about the experiments to follow
Most run on CVP with f = 1+pF.
–"non-homogeneous"
–This results in increased running time compared to a straightforward search for f, perhaps because rotational symmetry is broken and so there are fewer really short vectors in the system.
Most run on trinary f.
–To ensure the center is 0 and avoid centering issues.
–Could run on binary f by multiplying all values by N and solving CVP for (df, df, df, …, df, dg, dg, dg, …, dg).
–This would *not* break symmetry … but might increase running times because the quantities are bigger.
Note – NTRUSign is homogeneous!
–Also, don't want to rely on strength gain from inhomogeneity – seems like the kind of thing that could be worked around.
–Recommend that experiments in future are run on the homogeneous case.
Slide 10: Time v N for different c and a (graph)
Note the difference between the homogeneous (1st set) and inhomogeneous (2nd set) c=1.73, a=0.53 results.
Slide 11: Extrapolated Time v N (graph)
Extrapolated from the last 10 complete points.
Slide 12: Observations
Even on a log scale (bit security), lines are concave upwards.
–See blocksize experiments later.
As a increases, breaking time for constant c decreases!
–Because for constant N, c, increasing a means decreasing df?
Wide variation in slope of line:
–N = 163 only gives 80-bit security for c=5.3.
–N = 251 gives 80-bit security for all c except the homogeneous c=1.73 case.
–N = 769 gives 256-bit security for c=5.3, c=3.7, and one of the c=2.6 lines but none of the c=3.1 lines!
–Probably due to choice of extrapolation point.
Extrapolating breaking times leaves us vulnerable to speedups in implementations.
–Is there something more reliable?
Slide 13: Blocksize v N (graph)
Slide 14: Extrapolated blocksize v N (graph)
Slide 15: Observations
These slopes are much nicer!
Blocksize is basically 0.45N – some constant that depends on c.
Assume that any block-reduction based algorithm takes time at least 2^b.
–Then requiring blocksize k guarantees us k bits of lattice security, and probably much more.
But is this a reasonable assumption?
–Look at blocksize v bitstrength.
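The extrapolation procedure of slides 8, 11 and 12 and the blocksize line of slide 15, as an added example that is not code from the presentation: a least-squares fit of log10(breaking time) against N over the last 10 points, solved for the N at which the fitted line reaches 10^12 MIPS-years (the slide's 80-bit mark), and the same fit applied to blocksize-vs-N data with the slide-15 slope of 0.45. The data points are constructed, not measurements: the time curve is concave upward on the log scale like the slides' trend, so fitting the last 10 points and fitting all points give different required N, which is the "choice of extrapolation point" effect noted on slide 12, and both linear estimates sit below the curve at N = 251, which is the sense in which the slide 8 estimate is conservative.

```python
import math
from typing import List, Sequence, Tuple

Point = Tuple[float, float]

LOG10_80BIT = 12.0            # slide 8: 80-bit security ~ 10^12 MIPS-years


def linear_fit(xs: Sequence[float], ys: Sequence[float]) -> Tuple[float, float]:
    """Ordinary least-squares line y = slope*x + intercept."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, my - slope * mx


def required_n(points: Sequence[Point], target: float, last: int = 10) -> Tuple[float, float, float]:
    """Fit y against N over the last `last` points (sorted by N) and return
    (N at which the fitted line reaches `target`, slope, intercept).
    Used for log10(time) vs N (slide 11) and for blocksize vs N (slide 14)."""
    pts = sorted(points)[-last:]
    slope, icpt = linear_fit([p[0] for p in pts], [p[1] for p in pts])
    return (target - icpt) / slope, slope, icpt


def slide8_log10_mips_years(n: float) -> float:
    """The fit quoted on slide 8: breaking time = 10^(0.1095 N - 12.6) MIPS-years."""
    return 0.1095 * n - 12.6


def true_log10_time(n: float) -> float:
    """Constructed 'true' curve (a parabola in N), NOT measured data; it is
    concave upward on the log scale, like the observed trend on slide 12."""
    return 0.0002 * n * n + 0.01 * n - 5.0


def constructed_time_points() -> List[Point]:
    """Constructed (N, log10 time) samples at N = 50, 60, ..., 190."""
    return [(n, true_log10_time(n)) for n in range(50, 200, 10)]


def constructed_blocksize_points() -> List[Point]:
    """Constructed (N, blocksize) samples following the slide-15 shape b ~ 0.45 N - const."""
    return [(n, 0.45 * n - 20.0) for n in range(100, 300, 20)]


def compare_extrapolations(points: Sequence[Point], target: float):
    """Required N from a fit over all points versus over the last 10 only.
    On concave-upward data the last-10 fit is steeper and reaches the target
    at a smaller N; which points are fitted changes the parameter choice."""
    n_all, slope_all, icpt_all = required_n(points, target, last=len(points))
    n_last, slope_last, icpt_last = required_n(points, target, last=10)
    return {
        "n_all": n_all, "slope_all": slope_all, "intercept_all": icpt_all,
        "n_last": n_last, "slope_last": slope_last, "intercept_last": icpt_last,
    }


if __name__ == "__main__":
    print(compare_extrapolations(constructed_time_points(), LOG10_80BIT))
    print(required_n(constructed_blocksize_points(), 80))   # N giving blocksize 80
```

Because every quantity is a fitted line, the same `required_n` answers both "what N do we need for 10^12 MIPS-years?" and "what N forces blocksize 80?"; the slide's caveat is that the first answer moves with the fit window and with implementation speedups, while the second only becomes a security statement if block reduction really costs at least 2^b.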
Slide 16: Time v Blocksize (graph)
Slide 17: Observations and conclusions
Time is more than exponential in blocksize.
Lower c ⇒ greater time for the same blocksize.
–Because lower c, same blocksize ⇒ larger N ⇒ more block reductions necessary.
However, not clear that it's anything more than a guess to say that block reduction time is at least 2^b.
Conclusion: best to stick with extrapolation of breaking times for the time being.
–Simply making a statement about best current known technology.