Add to collection(s) Add to saved
  1. Math
  2. Statistics And Probability

TAKA_23_NTRU

advertisement 
NTRU: A Ring-Based Public Key
Cryptosystem
Jeffrey Hoffstein, Jill Pipher,
Joseph H. Silverman
LNCS 1423, 1998
1
Outline






Introduction
Scheme
Parameter selection
Security analysis
Practical implementations of NTRU
Conclusion
2
Introduction
 The encryption produce uses a mixing system
based on polynomial algebra and reduction
modulo two numbers p and q.
 The decryption produce uses an unmixing
system whose validity depends on elementary
probability theory.
3
Introduction
 The security of NTRU
 The interaction of the polynomial mixing system
with the independence of reduction modulo p and q.
 Fact that for most lattices, it is very difficult to find
extremely short vectors.
4
Outline






Introduction
Scheme
Parameter selection
Security analysis
Practical implementations of NTRU
Conclusion
5
Notation
 An NTRU cryptosystem depends on
 3 integer parameters (N, p, q)
 p and q need not be prime
 gcd(p, q) = 1
 q will always be considerably larger then p
 4 sets Lf, Lg, Lφ, Lm of polynomial of degree N-1
integer coefficients.
6
Notation
 An NTRU cryptosystem depends on
 Work in the ring R = Z[X] / (XN - 1)
N 1
 F ∈ R will be written as a poly or a vector F   Fi xi   F0 , F1,..., FN 1 
i 0
 * to denote multiplication in R as a cyclic convolution
product F * G  H with
k
H k   FG
i k i 
i 0
N 1
 FG
i  k 1
i
N  k i


i  j  k (mod N )
FG
i i
 Do a multiplication modulo q, mean to reduce the coefficiens
modulo q.
7
Scheme – Key Generation
 Random chooses 2 polynomials f, g ∈ Lg
 f must satisfy the additional requirement that it have
inverses modulo q and modulo p.
 Denote these inverses by Fq and Fp, that is
 Fq * f ≡ 1 mod q and Fp * f ≡1 mod p
 Public key h ≡ Fq * g mod q
 Secret key f
 Store Fp
8
Scheme – Encryption
 A message m from the set of plaintext Lm
 Random choose a polynomial φ∈Lφ
 Compute e ≡ pφ * h + m mod q
9
Scheme – Decryption
 First compute a ≡ f * e mod q
 The coefficients of a in [-q/2 , q/2]
 Recovers the message by computing
Fp * a mod p
 a  f * e  p * g  f * m mod q
10
Outline






Introduction
Scheme
Parameter selection
Security analysis
Practical implementations of NTRU
Conclusion
11
Notation and a norm estimate
 The width of an element F ∈ R to be
 |F|∞ = max{Fi} – min{Fi}
 2 norm on R by


F 2    Fi  F
 i 1
 Proposition
N


1
2
 2
1 N
 , where F  N  Fi
i 1

 For any ε> 0 there are constants γ1, γ2 > 0, depending on ε
and N, s.t. for randomly chosen polynomials F, G ∈ R, the
probability is greater then 1 – ε that they satisfy γ1|F|2|G|2 <
|F * G|∞ < γ2|F|2|G|2
 If the ratioγ2 / γ1 were very large for smallε’s.
12
Sample space
 The space of message Lm consists of all
polynomials modulo p. Assuming p is odd,

 p  1 and  p  1 
Lm  m  R | m has coefficients lying between 

2
2


 To describe the other sample spaces, use the
sets of the form


F has d1 coefficients equal 1,


L  d1 , d 2    F  R

d
coefficients
equal

1,
the
rest
0


2


13
Sample space
 Choose 3 positive integers df, dg, d and set
Lf = (df, df - 1), Lg = (dg, dg), Lφ=(d, d)
 Don’t set Lf = (df, df) is because we want f to be
invertible.
 |f|2 = (2df – 1 – N-1)½ , |g|2 = (2dg)½, |φ|2 = (2d)½
14
A decryption criterion

f * m  p * g   q
q
q
 f * m   and p * g  
4
4
q
q
 f 2 m2 
and  2 g 2 
4 2
4 p 2
 For a γ2 corresponding to a small value for ε
15
Outline






Introduction
Scheme
Parameter selection
Security analysis
Practical implementations of NTRU
Conclusion
16
Attacks




Brute force attack
Meet-in-the-middle attack
Multiple transmission attack
Lattice based attack
17
Lattice based attacks
 This section is to give a brief analysis of the
known lattice attacks on both the public key h
and the message m.
 The goal of lattice reduction is to find one or
more “small” vectors in a given lattice.
 The LLL algorithm (Lenstra-Lenstra-Lovasz)
will find the smallest vector provided that the
smallest vector is not too much smaller than the
expected length of the smallest vector.
18
Lattice attack on an NTRU private key
L=
2N × 2N
Let L be the lattice generated by the rows of this matrix.
det(L) = qNαN
19
Lattice attack on an NTRU private key
 Public key h = g * f-1
 The lattice L will contain the vector τ=(αf, g)
 The 2N vector consisting of the N coefficients of f
multiplied by α, followed by the N coefficients of g.
 By the Gaussian heuristic
 The expected size of the smallest vector in a
random lattice of dimension n and determinant D
lies between
D
1
n
n
2 e
and D
1
n
n
e
20
Lattice attack on an NTRU private key
 In this case, n = 2N, D = qNαN
N q
e
 The expected smallest length is larger than s 
 If the attacker chooses α to maximize the ratio
s / |τ|2, the lattice reduction algorithm will have the
best chance of locating τ, or another vector whose
length is close to τ.
 An attacker should choose α so as to maximize

 f 2 g2
2
2
2

  f 2 
2
1

2 1
g2
 
g2
f
2
21
Lattice attack on an NTRU private key
 A constant ch by setting |τ|2 = chs
 ch is the ratio of the length of the target vector to the
length of the expected shortest vector.
 Smaller ch, the easier to find the target vector.
 If ch is close to 1, then L will resemble a random
lattice.
22
Lattice attack on an NTRU message
 A lattice attack may also be directed against an
individual message m.
 The target vector will have the form (αm, φ)
 α= |φ|2 / |m|2

2 e m 
cm 
2
2
Nq
 cm gives a measure of the vulnerability of an individual
message to a lattice attack.
 If cm is small, an encrypted message is most vulnerable.
23
Lattice attack on an NTRU message
 In order to make the attacks on h and m equal
difficult, we want to take cm ≒ ch.
 For p = 3, an average message m will consist of
N/3 each of 1, 0, and -1.
24
Outline






Introduction
Scheme
Parameter selection
Security analysis
Practical implementations of NTRU
Conclusion
25
Moderate Security







(N, p, q) = (107, 3, 64)
Lf = (15, 14), Lg = (12, 12), Lφ=(5, 5)
Secret key = 340-bit
Public key = 642-bit
Key security = 250
Message security = 226.5
ch = 0.257, cm = 0.258, s = 0.422q
26
High Security







(N, p, q) = (167, 3, 128)
Lf = (61, 60), Lg = (20, 20), Lφ=(18, 18)
Secret key = 530-bit
Public key = 1169-bit
Key security = 282.9
Message security = 277.5
ch = 0.236, cm = 0.225, s = 0.296q
27
Highest Security







(N, p, q) = (503, 3, 256)
Lf = (216, 215), Lg = (72, 72), Lφ=(55, 55)
Secret key = 1595-bit
Public key = 4024-bit
Key security = 2285
Message security = 2170
ch = 0.182, cm = 0.160, s = 0.365q
28
Outline






Introduction
Scheme
Parameter selection
Security analysis
Practical implementations of NTRU
Conclusion
29
Conclusion
30
Conclusion
31
Related documents
Encryption and Decryption:
Encryption and Decryption:
Document
Document
ntru3final
ntru3final
PPT - Site BU - Boston University
PPT - Site BU - Boston University
n1l1l2longmultiplication
n1l1l2longmultiplication
Fully Homomorphic Encryption: current State of the Art
Fully Homomorphic Encryption: current State of the Art
qcrypto
qcrypto
Lattice Energy - coolchemistrystuff
Lattice Energy - coolchemistrystuff
First-principles study of the metallic fcc/bcc interfaces
First-principles study of the metallic fcc/bcc interfaces
point lattices
point lattices
f*M (mod p)
f*M (mod p)
2.8 Multiplication of Whole Numbers and Decimals
2.8 Multiplication of Whole Numbers and Decimals
Download
advertisement