
STRONG security that fits everywhere. NTRUSign and P1363.1 William Whyte, 2006-04-11.


1 STRONG security that fits everywhere. NTRUSign and P1363.1 William Whyte, 2006-04-11

2 STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2006
Summary
• There’s a paper at Eurocrypt that presents an attack on one flavor of NTRUSign
  – http://www.di.ens.fr/~pnguyen/pub.html#NgRe06
• 1363.1 recommends a different flavor and it’s not clear whether this attack applies to the 1363.1 flavor
• It seems appropriate to take some time to investigate this attack properly
• In order not to slow down NTRUEncrypt standardization, suggest separating NTRUSign into a 1363.1a standard and moving ahead with NTRUEncrypt in 1363.1

3 NTRUSign
• Sign a message by applying the private key to it
  – This gradually leaks information about the private key
  – Important to quantify information leakage
• Signing produces a lattice point that is close to the message
• Verification:
  – Check that the signature is a lattice point
  – Check that it is sufficiently close to the message
• Private key is a good lattice basis
• Public key is a bad lattice basis
  – lets you check that points are in the lattice…
  – … but if you “sign” with it, error is much bigger than with private key

4 Two flavors of signing
• Unperturbed:
  – Hash the message to a point using a public hash function
  – Apply the private key
• Perturbed:
  – Hash the message to a point using a public hash function
  – Apply a private perturbation function to move the message point slightly
    • “perturbed message point”
  – Apply the private key to the perturbed message point

5 In pictures (note: animation)
[Figure: unperturbed and perturbed signing; panel labels: Unperturbed, Perturbed, Apply perturbation, Sign perturbed point]

6 Differences between perturbed and unperturbed signatures
• Perturbed signatures are bigger
  – Advantage of private key over public key is smaller
  – Requires larger keys for same security against forgery
• Perturbed signatures are drawn from a more complicated distribution
  – Unperturbed signatures lie within a parallelepiped
  – Distribution can be transformed to a hypercube and symmetries exploited
  – Eurocrypt attack consists of transforming to a hypercube and finding a diagonal of the hypercube
  – No such transformation possible for perturbed case
    • Distribution much more like a sphere
  – Need to perform higher-moment averages and eliminate perturbations using linear algebra
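The signing, verification and leakage ideas from slides 3, 4 and 6, as an added toy example in a 2-dimensional lattice (not part of the original presentation and not NTRUSign itself). The bases, distance bounds and function names are constructed for illustration, and using a second secret basis as the perturbation function is an assumption of this sketch.

```python
from fractions import Fraction

PRIVATE = ((7, 1), (-1, 8))     # good basis: short, nearly orthogonal (constructed)
PUBLIC = ((19, 19), (25, 28))   # bad basis of the SAME lattice: U*PRIVATE, U=((3,2),(4,3))
PERTURB = ((5, -3), (2, 6))     # second secret basis used as the toy perturbation (assumption)
MAX_D2, MAX_D2_PERTURBED = 30, 104  # squared-distance bounds for the two flavors

def coords(basis, p):
    """Exact coordinates of point p with respect to a 2x2 basis (rows = vectors)."""
    (a, b), (c, d) = basis
    det = a * d - b * c
    return (Fraction(p[0] * d - p[1] * c, det), Fraction(p[1] * a - p[0] * b, det))

def sign(basis, m):
    """'Apply the key': round m's coordinates, giving a lattice point near m."""
    x, y = (round(t) for t in coords(basis, m))
    (a, b), (c, d) = basis
    return (x * a + y * c, x * b + y * d)

def sign_perturbed(m):
    """Move m with the secret perturbation, then sign the perturbed point."""
    return sign(PRIVATE, sign(PERTURB, m))

def dist2(p, q):
    return (p[0] - q[0]) ** 2 + (p[1] - q[1]) ** 2

def verify(m, s, max_d2=MAX_D2):
    """Verifier holds only PUBLIC: s must be a lattice point and close to m."""
    in_lattice = all(t.denominator == 1 for t in coords(PUBLIC, s))
    return in_lattice and dist2(m, s) <= max_d2

def leak(m, s):
    """Error m - s in PRIVATE coordinates. Unperturbed signing always lands in
    the cube [-1/2, 1/2]^2 (the 'hypercube' of slide 6); perturbed does not."""
    return coords(PRIVATE, (m[0] - s[0], m[1] - s[1]))

if __name__ == "__main__":
    m = (100, 200)  # constructed message point (stands in for the hash output)
    for name, s in [("private", sign(PRIVATE, m)), ("public", sign(PUBLIC, m)),
                    ("perturbed", sign_perturbed(m))]:
        print(name, s, "dist^2 =", dist2(m, s), "leak =", leak(m, s))
```

For the point (3, 4) the perturbed signature is farther from the message than any unperturbed one can be, so the verifier needs the looser bound; that is the smaller private-key advantage the slide refers to.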

7 Security estimates
• NTRU recommendation:
  – Only use unperturbed signing to generate 10,000 signatures or less
  – Use perturbed signing (with one perturbation) to generate up to a billion signatures
  – After this number of signatures, generate a new private key and throw the old one away
  – Recommendations based on theoretical analysis of information leakage from transcript
    • Very conservative! This number of signatures is considered to be almost certainly safe: dangerous to go much beyond it.
• Eurocrypt paper:
  – With unperturbed signing, can recover private key after 90,000+ signatures
    • No application yet known to perturbed signing
  – Best attack yet demonstrated
    • Users who follow NTRU guidance would nevertheless be safe

8 Implications of attack
• As it stands, attack does not affect estimated security of parameter sets
  – Requires bigger transcript than allowed by NTRU guidelines for unperturbed case
  – Not known to apply to perturbed case
• However, attack is quite new.
  – Unknown if it can be extended to perturbed case (although perturbed transcript is in a way fundamentally different from unperturbed)
  – Seems appropriate to allow some months to see if there’s an obvious extension

9 Implications of attack for 1363.1
• 1363.1 PAR expires this year
  – Would like to get something completed
  – Including NTRUSign could jeopardize this
• Suggest:
  – Keep NTRUEncrypt in 1363.1
  – Move PAR for 1363.1a, “Standard specifications for public key cryptography over lattices: additional techniques”
  – Move NTRUSign to this.

10 Proposed timeline
• Next week:
  – Circulate proposed 1363.1a PAR
  – E-Motion to accept PAR and move NTRUSign to 1363.1a
• Next teleconference (2006/06?): Final talk through 1363.1
• Late 2006/06: First E-Motion to move 1363.1 to sponsor ballot
• 2006/08 meeting: Resolve comments arising from this first E-motion
• 2006/08: E-Motion to accept comment resolution and move to sponsor ballot
• 2006/10: Sponsor ballot opens
• 2006/11: Resolve sponsor ballot comments
• 2006/12: Recirculation ballot
• 2007/01: Submit 1363.1 to RevCom; switch focus back to 1363.1a

