Presentation is loading. Please wait.

Presentation is loading. Please wait.

STRONG security that fits everywhere. P1363.1 D5 Overview William Whyte NTRU Cryptosystems December 2005.

Published byTerence O’Brien’ Modified over 8 years ago

Similar presentations

Presentation on theme: "STRONG security that fits everywhere. P1363.1 D5 Overview William Whyte NTRU Cryptosystems December 2005."— Presentation transcript:

1 STRONG security that fits everywhere. P1363.1 D5 Overview William Whyte NTRU Cryptosystems December 2005

2 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Agenda  Document walkthrough  Timetable

3 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Document Structure 1.Overview 2.References 3.Definitions 4.Types of Crytographic Technique 5.Mathematical Conventions

4 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Document Structure (2) 6.The SV Family  Algorithm specification conventions 7.Data types and conversions 8.Mathematical Foundation  Ring operations; fast multiplication techniques; inversion 9.Supporting Algorithms

5 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Document Structure (3) 10.Encryption Scheme  Components  Primitives  Encoding Methods  Scheme Overview  Scheme Operations 11.Signature Scheme  Components  Primitives  Encoding Methods  Scheme Overview  Scheme Operations 12.Security Considerations 13.Bibliography

6 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Document Structure: Annexes  Editorial: Annexes listed in ToC by accident and will be removed.

7 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Conversion Primitives  Integer to/from octet string, bit string  Ring element to/from octet string, bit string  Binary ring element to/from octet string, bit string  Octet string to/from bit string –BS2OSP in other standards pads on the left (designed for bit strings < 1 byte or integers). X9.98 converts to “right-padded octet string”.

8 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Review: NTRU parameters  N, dimension of polynomial ring –NTRU works on polynomials of degree N-1 –Polynomial multiplication is convolution multiplication: terms of degree > N are reduced mod N. –Increases roughly linearly with k for k-bit security  For 80-bit security, N = 251.  q, “big” modulus –All coefficients in polynomial are reduced mod q –For 80-bit security, q = 197.  Increases roughly linearly with k for k-bit security  p, “small” modulus (Used only in NTRUEncrypt) –Reduce mod p during decryption –p = 2 for all security levels.  Sizes: –Public key, ciphertext size = N  log 2 q  –message size (bits) = N  log 2 ||p||  

9 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Review: NTRUEncrypt Operations  Key Generation –Generate f, g, “small” polynomials in Z q [X]/(X N -1). –Public key h = p*f -1 *g mod q; private key = (f, f p = f -1 mod p).  Encrypt (Raw operation) –Encode message as “small” polynomial m. –Generate “small” random polynomial r –Ciphertext e = r*h + m mod q.  Decrypt (Raw operation) –Set a = f*e mod q.  “mod q” = in range [A, A+q-1]. –Set m = f p * a mod p.

10 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Review: Why Decryption Works  a= f * e(mod q) = f * (r*h + m)(mod q) = f * (r*p*g*F q + m)(mod q) = p*r*g + f*m(mod q) since f*F q = 1 (mod q)  All of the polynomials r, g, f, m are small, so coefficients of p*r*g + f*m will all lie within q of each other.  If its coefficients are reduced into the right range, the polynomial a(x) is exactly equal to p*r*g + f*m. Then f p * a = p*r*g*f p (mod p) + f p *f*m (mod p) = m (mod p).  For speed, we take f = 1+pF; then f -1 mod p = 1.

11 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 HashXOR r*h + m’ e Hash r Review: SVES-3 encryption mb m’ r*h mLen00… ID

12 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Parameter sets  N, q, p  Form of f, g  How to produce M: Length of b, means of encoding message length  How to produce r: ID, PRBG algorithm, means of converting output to polynomial (Blinding Value Generation Method)  How to produce m’: PRBG algorithm, minimum Hamming weight of m’  How to decrypt: lower bound on the mod q range, called A (always 0 in this standard)

13 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Subcategorization  Parameters – fixed inputs  Primitives – raw keygen, encrypt, decrypt –Included by analogy with 1363; since there is only one scheme in the document, should the primitives just be combined into the schemes?  Encoding methods – BVGM  Supporting algorithms – Hash, PRNG, MGF –Are these two categories logically distinct?

14 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Different parameter sets  F, r are binary polynomials, or “product-form” (p1*p2 + p3), with p1, p2, p3 binary –One set of each type at each security level –Product-form polynomial multiplications are faster: if p is product- form, p*a can be calculated as p1*(p2*a) + p3*a.  Parameter sets give number of 1s in each component polynomial – dF and dr or df1, df2, df3, dr1, dr2, dr3 –Fixed, optimal number of 1s: more would make operations slower, fewer would be insecure.

15 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Key Pair Validation  Key pair: check F (or f1, f2, f3) and g = fh/p have right form according to parameter set.  Public key plausibility test: check that a significant amount of reduction mod q is likely to occur in calculating r*h.  No full public key validation.

16 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 NTRUSign  Lattice-based signature scheme  Pick two short polynomials (f, g) in ring R = Z[X]/(X N -1)  Find (F, G) s. t. f*G – g*F = q, q an integer (power of 2)  Then is an R-module / lattice with det q and a basis vectors of length N 1/2, N: private key  And, h = g/f mod q, is an R-module / lattice with a basis of vectors of length N 3/2 : public key  Signing: message is point, solve CVP for this point using good basis.  Verification: check signature is in lattice (using bad basis) and close to message point.

17 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005  Use full basis B =, inverse B -1 =  message (0, m) –more efficient than (m 1, m 2 ), no security risk  Sign with a single public basis: (s, t) = B * Round (B -1 * (0, m))  Transmit s.  Verifying: –calculate t = s*h mod q. –make sure ||s||, ||m-t|| are small ( < N ) hash Signing & Verification

18 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Supporting Techniques  Message Representative Generation  1 – Hash message into [0, q-1]^N  2 – Form message representative as product of small polynomials –Has efficiency advantages, but only in case with no perturbations  1363.1 parameter sets only use method 1.

19 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Security Considerations!  Lattice  All other

20 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Check Lattice Strength  We characterize the lattice by two variables: –c =  (2N).  (2)||f||/ . = 2||f||  (  e / q)  Length of shortest vector [  (2)||f|| ]…  Divided by expected length of shortest vector for lattice of the same determinant [ =  (N q/  e) ]…  Scaled by  (2N). –a = N/q.  Experimentally, breaking time is very sensitive to c, somewhat sensitive to a.  Experimentally, for fixed c, a, breaking time is exponential in N.  For all the parameter sets given in the previous slide, we have a >= 1.25, c >= 2.58.

21 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Lattice Strength  The lower a and c, the faster reduction algorithms run.  Run experiments at a and c much lower than those obtained for our parameter sets. –a = 0.535, c = 1.73; –Breaking time goes as 10.1095N - 12.6 MIPS-years.  N = 251 ==> 1.37*10 13 MIPS-years, taking “zero-forcing” into account. –80-bit security: ~10 12 MIPS-years  Trend is concave upwards, and actual NTRU lattice is stronger than this: estimate is quite conservative.  Paper available on X9 website

22 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005  F, g, r have df, dg, dr 1s respectively  Brute force-like search on F, g, r can be speeded up by meet-in-the- middle techniques.  Using these techniques, number of binary convolution multiplications needed to break f is –Each multiplication requires df.N additions  … perhaps divided by 2-8 if we use wordsize cleverly  In general, use number of multiplications as security measure  Attacker will go for easiest of (f, g), (r, m); pick df = dr.  Take g = N/2: larger = greater security Binary F, g, r: Combinatorial Security

23 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Pick q, p  Our choice: –Pick p = 2, q to be the first prime greater than p.min(dr, dg) + 1 + p.min(df, N/2) with large order mod N.  This gives zero chance of decryption failures  Minimum q to do so consistent with choice of p, df. –Best lattice security

24 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Other considerations  Keys (and random component b) must be generated with sufficient entropy –Added section B.3.1 stating that RNG should be seeded with k+64 bits  R*h must result in a reasonable amount of reduction mod q –Otherwise an attacker can recover r by linear algebra  N must be prime; if it is divisible by l, can form lattice of dimension 2N/l.  E(1) = r(1)h(1) +m’(1), and r(1) and h(1) are known; therefore, the ciphertext leaks m’(1) –Require m’ to be blinded.  q must have large order mod N: similar attack to above might otherwise leak value of m’(X) in larger fields. The chance of this happening is q order(q mod N).

25 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Other considerations (2)  p and q must be relatively prime  Need to prevent adaptive chosen ciphertext attacks with appropriate scheme –For k-bit security, length of random component b = k bits –Consistent with standard security proofs.  If q is too small relative to f, r, g, m, decryption failures can occur –This will not happen for any of the given parameter sets  ID is included to ensure that sender and receiver are using same parameter set  The blinding value r is generated as a series of indices < N –Mechanisms in standard guarantee that these are uniformly distributed.

26 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Security Levels: Encryption  Provided parameter sets for each security level k={80, 112, 128, 160, 192, 256}. –Do we need 160?  2 parameter sets at each level –“Binary”: lower bandwidth, less RAM –“Product-form”: faster  Standard table of strengths –Note that SHA-160 is suitable as core of RNG up to 128-bit security; 80-bit limit in table is for direct use as a hash function –Captured in text, not in table.

27 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Binary Parameter Sets Parameter setkNddm 0 qO(q)c (F, g)c (r, m)T(L)rT zf (L)addssize (bits) ees251ep68025148701971252.932.77103.12997.98120482008 ees347ep2112347661082691732.942.83143.931138.26229023033 ees397ep1128397741283071982.932.84165.133159.17293783501 ees491ep1160491911673674902.982.90205.035198.75446814383 ees587ep11925871082084392932.972.91245.737239.21633965193 ees787ep12567871402945873932.952.91330.641323.451101807690

28 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Product-form Parameter Sets Parameter setkNddm 0 qO(q)c (F, g)c (r, m)T(L)rT zf (L)addssize (bits) ees251ep7802518702932502.572.4387.22080.160242259 ees347ep3112347111085411732.312.22117.816118.7114513370 ees397ep2128397121286593962.242.17138.317136.6142923890 ees491ep2160491141679674902.082.02171.316170.1220954870 ees587ep21925871720812292932.021.97203.314204.6299376347 ees787ep22567872129420273931.781.73278.114276.7519428459

29 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Signing Security Considerations  To be filled in.  Four main attacks –Brute force search on keyspace (square-rooted by combinatorial methods) –Lattice reduction attack on public key to recover private key (SVP) –Brute force search on possible signature space to find signature (also square-rootable) –Lattice reduction attack on public key and message to generate signature (CVP)

30 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Improved Lattice Security Allows Smaller N than for NTRUEncrypt  In standard lattice ((f g) (F G)), (f g) is short vector of length O(√N).  In transpose lattice, (f F) is short vector of length O(N). –Improved c by factor of √N?  Attacker can “balance” lattice so f & F are of same length, but changes determinant –Improves c transpose by factor of N 1/4 compared to c standard.  Increase N, hold d/N constant  –combinatorial security increases exponentially –lattice security increases superexponentially  Note: LHS of signature is smaller than RHS; balance with balancing factor β.

31 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 CVP  Difficulty of solving signature by lattice reduction linked to constant γ. –γ = N /(σ * √(2N)).  Norm bound …  Divided by expected length of shortest vector…  Scaled by 1/(√2N).  In this case, smaller γ = required to solve CVP “better” = harder lattice problem

32 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Signature Parameter Generation  Want to pick (N, d, q, beta, NB) s. t. –strength against all attacks is greater than k bits –performance is optimized  smallest public keys/bandwith  fastest operations  Paper presents iterative process: –Loop through N, d, q –Calculate expected size of signature –Set NB = ρ * size of signature (ρ typically 1.1 – 1.25 – affects chance of having to re-sign, essentially negligible for specified parameter sets) –Check strength against specified attacks –Store all acceptable parameter sets: output one with best performance using chosen metric.

33 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Transcript Analysis  If message was random within ball of radius NormBound, transcript could not leak information  Transcript is s = d * f + D * F –d, D are {-1/2, 1/2} N –d, D slightly constrained: s must have integer coefficients.  Leaks information about geometry of lattice

34 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Signing with Perturbations  Message is (0, m); public basis is B 0 ; b private bases B 1 … B b. –Set (s b+1, t b+1 ) = (0, m).  For each private basis i in turn, i = b, b-1, … 1: –Input point is (s b+1, t b+1 ) –(s i, t i ) = result of solving appr-CVP in basis B i on point (s i+1, t i+1 ).  Signature is appr-CVP on (s 1, t 1 ) in B 0.  Can implement this such that each private basis operation requires: –2 multiplies by (f i, F i ) (or (f i, g i ) in transpose lattice) –One multiply by h i.

35 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005  s = d * f + D * F –d, D are {-1/2, 1/2} N  First moment: s averages to 0 –Subtranscripts don’t appear to help.  Second moment: Can find quantities that behave like norms (don’t average to 0) –Define p rev (X) = p(X -1 ) for any polynomial p  if p = [f 0, f 1, f 2, …], then p rev = [f 0, f N-1, f N-2, …] –Constant coordinate of p * p rev = p ¢ p = squared norm of p  0  Other coordinates are p dotted with its rotations –s * s rev will average to non-zero result.  Notation: –denote average of x by Transcript Analysis

36 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 (f 1,g 1 ) (F 1,G 1 ) NTRUSign with Perturbations (F,G) (f,g) (s, t-m) -- without perturbations (s, t-m) -- with perturbations (F,G) (f,g)

37 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Security Claim for Perturbations  Number of signatures required to recover private key = number required to converge on 6 th moment –= O(2 9 d 6 ) –Highly conservative  Could be that 8 th moment is actually required  Big-O constant is considerably more than 1.  In paper, take a single perturbation at each security level –Required transcript is > 10 9.

38 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Improved Parameter Sets  k: security level; d: f consists of d+1 +1s, d -1s, and (N-2d-1) 0s; \beta: signature normalization factor; Norm: how close you have to be for a signature to pass  \tau: attacker requires >> 2 \tau signatures to recover private key. kNdq\betaNorm\tau 80 157 29 256 0.384150.0231.9 112 197 28 256 0.514206.9132.2 128 223 32 256 0.655 277.5231.2 160 263 45 512 0.315 276.5334.9 192 313 50 512 0.406 384.4135.6 256 349 75 512 0.185 368.6238.9

39 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005 Timetable  End of December: Complete Editorial Review and NTRUSign Security Considerations  January: Present to working group and request written comments  March: First WG vote, hopefully with comments resolved.  May?: Go into Sponsor Ballot

Download ppt "STRONG security that fits everywhere. P1363.1 D5 Overview William Whyte NTRU Cryptosystems December 2005."

Similar presentations

STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIAL Analysis of NTRUEncrypt Paddings.

STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIAL Analysis of NTRUEncrypt Paddings.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Lecture 8: Lattices and Elliptic Curves

Lecture 8: Lattices and Elliptic Curves
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
PROPRIETARY AND CONFIDENTIAL Variation in Breaking Times for NTRU and Other Cryptosystems William Whyte, Joseph H. Silverman, NTRU Cryptosystems, March.

PROPRIETARY AND CONFIDENTIAL Variation in Breaking Times for NTRU and Other Cryptosystems William Whyte, Joseph H. Silverman, NTRU Cryptosystems, March.
CENG536 Computer Engineering Department Çankaya University.

CENG536 Computer Engineering Department Çankaya University.
1 Foundations of Software Design Fall 2002 Marti Hearst Lecture 18: Hash Tables.

1 Foundations of Software Design Fall 2002 Marti Hearst Lecture 18: Hash Tables.
Hashing Techniques.

Hashing Techniques.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.

Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.
Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea 34901784 443099

Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea
Tirgul 10 Rehearsal about Universal Hashing Solving two problems from theoretical exercises: –T2 q. 1 –T3 q. 2.

Tirgul 10 Rehearsal about Universal Hashing Solving two problems from theoretical exercises: –T2 q. 1 –T3 q. 2.
阮風光 Phong Q. Nguyên (École normale supérieure) עודד רגב Oded Regev עודד רגב Oded Regev (Tel Aviv University) Learning a Parallelepiped: Cryptanalysis of.

阮風光 Phong Q. Nguyên (École normale supérieure) עודד רגב Oded Regev עודד רגב Oded Regev (Tel Aviv University) Learning a Parallelepiped: Cryptanalysis of.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Tirgul 8 Universal Hashing Remarks on Programming Exercise 1 Solution to question 2 in theoretical homework 2.

Tirgul 8 Universal Hashing Remarks on Programming Exercise 1 Solution to question 2 in theoretical homework 2.
Tirgul 7. Find an efficient implementation of a dynamic collection of elements with unique keys Supported Operations: Insert, Search and Delete. The keys.

Tirgul 7. Find an efficient implementation of a dynamic collection of elements with unique keys Supported Operations: Insert, Search and Delete. The keys.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.

Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.
Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.

Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.

Similar presentations

Ads by Google