Cryptography Terminology & NTRU Public Key Cryptosystem
Arunesh Ramalingam (M.S. CpE)

Encryption and Decryption:
Encryption is the process of converting unsecured information ("plaintext") into coded information ("ciphertext"). The transformation is controlled by an algorithm and a key. The process must be reversible so that the intended recipient can decode the ciphertext back to the original plaintext, but decryption must be infeasible without the appropriate key information.

Symmetric Key Cryptography:
In symmetric key cryptography a single key is used to perform both the encryption and decryption of data. Since the algorithms are open to the public, the security of the communication is determined by the level of protection given to the key (i.e., ensuring that the key is known only to the parties involved in the communication). Secrecy is provided because, if the message is intercepted, the intruder cannot transform the ciphertext into its plaintext form without knowledge of the key. Assuming that only two users know the key, authentication is also provided, because only a user with the key can generate ciphertext that the recipient can decrypt. The single key therefore has to be exchanged between the two users, which makes key exchange a very critical issue.

The main disadvantage of symmetric key cryptography is the difficulty of distributing the secret keys. A key cannot be transmitted securely over a data channel without encrypting it, and encrypting the key calls for another key. So, at some point, a plaintext key needs to be exchanged between the communicating partners. One solution is to distribute the secret key manually (e.g., by registered mail). However, manual distribution is costly, time consuming, and prone to errors.

The main idea of keeping the algorithms "open to the public" is that many people can perform cryptanalysis, so the security of the algorithm is challenged by many.
A good cryptographic algorithm is one which is not broken (or at least is extremely hard or expensive to break) even though its working is well known and understood. A secret encryption algorithm, on the other hand, undergoes a much lesser degree of cryptanalysis, so its security cannot be fully trusted and could be a mere illusion.

Many cryptosystems use a one-time key, that is, there is a key generation unit which produces a different key for the encryption of each block of plaintext into its corresponding ciphertext. The entropy H of the key generator of the cryptosystem gives a measure of the data security. Each key can be considered to be a binary string. The probability that a particular key, the string w, is produced is P_w; that is, in a long series of keys generated by the key generator, the frequency with which the key w appears is P_w. Then

    $H = \sum_w P_w \log_2(1/P_w)$

and the key can be guessed by an attacker with about $2^H$ guesses. This gives a measure of the level of message security.

Key Exchange:
When two users wish to communicate, they establish a logical (virtual circuit) connection. For the duration of the connection, all user data are encrypted with a one-time session key, and at the end of the session the keys are destroyed. These session keys must be known to both users for encryption and the subsequent decryption of messages to succeed. The exchange of these session keys is referred to as key exchange. An example is the Diffie-Hellman key exchange algorithm.

Asymmetric Key Cryptography:
Asymmetric or public-key cryptography differs from conventional cryptography in that it involves two components:
(1) A private key, which is private to the user (only the user has access to it).
(2) A public key, which may be published or distributed on request.
The relationship between the keys is such that, given the public key, the private key cannot be derived easily.
The advantage of a public-key system is that two users can communicate securely without exchanging secret keys. It provides both secrecy and authentication. The sender encrypts the message using the recipient's public key, and the recipient uses the corresponding private key to decrypt it. This ensures secrecy, as the message can only be decrypted using the private key corresponding to the public key used for encryption. The private key can also be used to encrypt messages, which can then be decrypted by anyone with knowledge of the public key. The purpose of this is to provide authentication (a digital signature), that is, verification of the origin of the message, since the message can be decrypted only with the corresponding public key. For example, the RSA algorithm is a public key cryptographic algorithm.

Disadvantages of a public-key system:
(1) The mathematical computations used to encrypt data are time consuming, and depending on the algorithm, the ciphertext may be much larger than the plaintext. Thus it is not suitable for encrypting large messages.
(2) An encrypted message can only be sent to a single recipient. Since the recipient's public key must be used to encrypt the message, sending to a list of recipients is not possible.

Message Authentication:
The authentication of messages using a symmetric key works on the assumption that the sender and the receiver share a secret key. If an attacker stumbles upon a few correct decryptions, he can spoil the authentication. In this case a sequence number or an error detection code might help to ensure authenticity. A timestamp included in the message could indicate whether there has been some abnormal delay beyond the expected delay through the network. Other methods which can be used to ensure authenticity are:
(1) Message Authentication Code (MAC) – This method assumes that the two parties share a common secret key.
The MAC of a message is calculated by feeding the secret key and the message into a MAC function, which takes a variable-sized input and produces a fixed-size output; the MAC is transmitted along with the message. On reception, the receiver recalculates the MAC and checks whether it matches the MAC received. If both MACs match, the message is considered authentic. This method is good as long as the secret key remains secret, because the attacker can alter the message but cannot produce the matching MAC without knowing the secret key.
(2) One-Way Hash Function – These are special functions used as a checksum for a block of text. They accept a variable-sized input and produce a fixed-size output called the message digest. Their important characteristic is that, given a text, its hash value can be computed, but the reverse is not possible: calculating the inverse of the hash function is mathematically very difficult. Hence they are said to be one-way. They are especially useful for digital signatures. The sender encrypts the message digest with his private key. The receiver recalculates the message digest of the message, and also decrypts the received message digest with the public key of the sender. If both message digests match, the message is authentic. Therefore, if someone signs a document by using public-key methods to sign its hash value, an attacker cannot generate a false document with the same hash and claim that it was this document which was signed instead. The Secure Hash Algorithm (SHA) is used to produce one-way hash functions.

The NTRU Public Key Cryptosystem (NTRU PKCS):
This cryptosystem is based on ring theory. Its security depends on the fact that for most lattices it is very difficult to find extremely short vectors (as compared to moderately short ones). The basic collection of objects used by the NTRU PKCS is the ring R consisting of truncated polynomials of degree N-1 with integer coefficients:
    $a = a_0 + a_1 x + a_2 x^2 + a_3 x^3 + \dots + a_{N-2} x^{N-2} + a_{N-1} x^{N-1}$

The polynomials are added and multiplied in the usual way, except that $x^N$ is replaced by 1, $x^{N+1}$ by $x$, $x^{N+2}$ by $x^2$, and so on. The multiplication involved is the cyclic convolution product.

NTRU PKCS depends on 3 integer parameters and 4 sets of data:
N – The polynomials in the truncated polynomial ring have degree N-1.
q – Large modulus; the coefficients of the truncated polynomials are reduced mod q.
p – Small modulus; the coefficients of the message are reduced mod p in the final step of decryption. p and q are relatively prime, that is, gcd(p, q) = 1.
Rf, Rg, Rr, Rm – Sets of polynomials of degree N-1 with integer coefficients.

Implementation of the NTRU PKCS:
1. Private Key: Choose "small" polynomials f ∈ Rf and g ∈ Rg (for a "small" polynomial the coefficients are much smaller than q). f must have inverses modulo q and modulo p, that is, there must be fp and fq such that f * fp = 1 (mod p) and f * fq = 1 (mod q). The private keys to be kept are f and fp.
2. Public Key: It is calculated as h = p * fq * g (mod q).
3. Encryption: The message is put in the form of a polynomial m whose coefficients are chosen between -q/2 and q/2, that is, m is a "small" polynomial mod q [m ∈ Rm]. A small polynomial r ∈ Rr is chosen at random. This is the "blinding value" used to obscure the message. The ciphertext is e = r * h + m (mod q).
4. Decryption: Compute the polynomial a = f * e (mod q), choosing the coefficients of a between -q/2 and q/2. Compute b = a (mod p), that is, each coefficient is reduced modulo p. Then d = fp * b (mod p).

Working of the NTRU PKCS:
    a = f * e (mod q)
      = f * (r * h + m) (mod q)
      = [f * (r * (p * fq * g) + m)] (mod q)
      = [(r * p * g) + (f * m)] (mod q).
The coefficients of r, g, f, m and of (r * g), (f * m) are small compared to q. Assuming properly chosen parameters, since p is also small compared to q, the coefficients of the polynomial p*r*g + f*m lie between -q/2 and q/2. Hence reduction mod q has no effect.
Therefore a = (r * p * g) + (f * m). When b is calculated as b = [(r * p * g) + (f * m)] (mod p), we get b = f * m (mod p). In the last step of decryption, when we multiply b by the inverse of f modulo p (fp), we get d = fp * f * m (mod p). Thus the message m is recovered, since fp * f = 1 (mod p).

Parameter choices to optimize performance:
1. The private key f is chosen as f = 1 + pF, where F is a small polynomial. This means fp = 1, so it is not required to compute fp, and the second multiplication in decryption is also removed. Only f needs to be stored as the private key.
2. The success of decryption depends on the coefficients of a being unchanged when they are reduced modulo q. The coefficients of a depend on f, g, m and r, so if the size of p is reduced, all the coefficients can be comfortably small. Since p and q have to be relatively prime, p ≠ 2, but p need not be an integer. So p is chosen as p = 2 + x. Normally the value chosen for p is 3, so trinary coefficients (+1, 0, -1) are used for the polynomials; now (with p = 2 + x) binary polynomials can be used.

Some Facts about NTRU PKCS:
The NTRU Public-Key Cryptosystem features super fast key generation:
– NTRU key generation is 30-1000+ times faster than RSA and ECC.
– All NTRU keys are fully independent.
– NTRU sign/verify is up to 100 times faster than RSA or ECC.
– Key generation is 1-3 orders of magnitude faster than RSA and ECC.
– NTRU encrypt/decrypt runs up to 475 times faster than RSA/ECC on servers.
– Encrypts 40-50 times faster than hand-optimized (for speed) RSA and ECC.
– Decrypts 333 times faster than hand-optimized (for speed) RSA.
– Up to 2000 times faster than RSA on DSPs.

Reasons for the High Speed of NTRU PKCS:

    System   Basic operation            Number of operations required
                                        Encrypt    Decrypt
    NTRU     Convolution product        1          2
    RSA      Modular multiplication     17         ~1000
    ECC      Elliptic curve addition    ~160       ~160

NTRU and ECC basic operations take approximately the same time (the basic operations for RSA are a little faster).
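The following is an added worked example, not code from the document or from NTRU's own implementation, showing the key generation, encryption and decryption steps described above in a toy version of the cryptosystem over R = Z[x]/(x^N - 1). It goes a little beyond the text by also computing the inverses fp and fq that step 1 only requires to exist (extended Euclid in Z_p[x] for the prime modulus p, then Newton/Hensel lifting from mod 2 to mod q = 2^k). The parameters N = 11, p = 3, q = 64, the numbers of +1/-1 coefficients in f, g, r and m, and all function names are assumptions for illustration; N = 11 is far too small to be secure.

```python
import random

N, P, Q = 11, 3, 64   # assumed toy parameters (not secure); gcd(P, Q) = 1, Q a power of two


def conv(a, b, mod=None):
    """Cyclic convolution product in R = Z[x]/(x^N - 1): x^N is replaced by 1."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] += ai * bj
    return [x % mod for x in c] if mod else c


def center(a, mod):
    """Reduce each coefficient mod `mod` into the range (-mod/2, mod/2]."""
    return [x % mod - (mod if x % mod > mod // 2 else 0) for x in a]


def poly_inv_prime(f, p):
    """Inverse of f in Z_p[x]/(x^N - 1), p prime, by extended Euclid; None if none exists."""
    def trim(a):                      # drop leading zero coefficients (in place)
        while a and a[-1] % p == 0:
            a.pop()
        return a

    def sub_mul(s0, quot, s1):        # s0 - quot * s1 (mod p), plain polynomial arithmetic
        out = s0 + [0] * max(0, len(quot) + len(s1) - 1 - len(s0))
        for i, qi in enumerate(quot):
            for j, sj in enumerate(s1):
                out[i + j] = (out[i + j] - qi * sj) % p
        return out

    def divmod_p(a, b):               # polynomial long division mod p
        a, b = trim([x % p for x in a]), trim([x % p for x in b])
        quot, inv_lead = [0] * max(len(a) - len(b) + 1, 1), pow(b[-1], -1, p)
        while a and len(a) >= len(b):
            d, coef = len(a) - len(b), a[-1] * inv_lead % p
            quot[d] = coef
            for i, bi in enumerate(b):
                a[d + i] = (a[d + i] - coef * bi) % p
            trim(a)
        return quot, a

    r0, s0 = [(-1) % p] + [0] * (N - 1) + [1], []   # r0 = x^N - 1, s0 = 0
    r1, s1 = trim([x % p for x in f]), [1]           # invariant: s_i * f = r_i (mod x^N - 1)
    while len(r1) > 1:
        quot, rem = divmod_p(r0, r1)
        r0, r1, s0, s1 = r1, rem, s1, sub_mul(s0, quot, s1)
    if not r1:
        return None                                   # gcd is not a constant: no inverse
    inv, c_inv = [0] * N, pow(r1[0], -1, p)          # s1 * f = r1, a nonzero constant
    for i, si in enumerate(s1):                       # fold into degree < N using x^N = 1
        inv[i % N] = (inv[i % N] + si * c_inv) % p
    return inv


def poly_inv_power2(f, q):
    """Inverse of f mod q = 2^k: take the inverse mod 2 and Newton-lift it (Hensel)."""
    a, e = poly_inv_prime(f, 2), 2
    if a is None:
        return None
    while e < q:
        e = min(e * e, q)
        t = [(-x) % e for x in conv(f, a, e)]   # t = 2 - f*a (mod e)
        t[0] = (t[0] + 2) % e
        a = conv(a, t, e)                       # a <- a * (2 - f*a), now correct mod e
    return a


def random_ternary(rng, ones, neg):
    """Random 'small' polynomial with `ones` coefficients +1 and `neg` coefficients -1."""
    c = [1] * ones + [-1] * neg + [0] * (N - ones - neg)
    rng.shuffle(c)
    return c


def keygen(rng):
    """Step 1 and 2: private key (f, fp), public key h = p * fq * g (mod q)."""
    while True:
        f = random_ternary(rng, 4, 3)   # assumed weights; retry until f is invertible
        fp, fq = poly_inv_prime(f, P), poly_inv_power2(f, Q)
        if fp is not None and fq is not None:
            break
    g = random_ternary(rng, 3, 3)
    return (f, fp), conv([P * x for x in fq], g, Q)


def encrypt(h, m, rng):
    """Step 3: e = r * h + m (mod q) with a fresh random blinding polynomial r."""
    r = random_ternary(rng, 3, 3)
    return [(x + y) % Q for x, y in zip(conv(r, h, Q), m)]


def decrypt(priv, e):
    """Step 4: a = f*e (mod q) centred, b = a (mod p), d = fp * b (mod p)."""
    f, fp = priv
    a = center(conv(f, e), Q)   # equals p*r*g + f*m exactly: |coeff| <= 3*6 + 7 = 25 < q/2
    b = center(a, P)
    return center(conv(fp, b), P)


def roundtrip(seed):
    """Seeded keygen/encrypt/decrypt; returns (m, recovered m, f*fp mod p)."""
    rng = random.Random(seed)
    priv, h = keygen(rng)
    m = random_ternary(rng, 4, 3)    # ternary message polynomial, m in Rm
    return m, decrypt(priv, encrypt(h, m, rng)), conv(priv[0], priv[1], P)
```

The comment in `decrypt` is the "reduction mod q has no effect" condition from the text made concrete: with these weights every coefficient of p*r*g + f*m has absolute value at most 25, so centring mod 64 returns the true integer value and decryption never fails. Shrinking q (for example to 32) with the same weights would make decryption failures possible, which is exactly the trade-off the parameter discussion above is about.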
Advantages of the NTRU PKCS:
NTRU's fast key creation enables new public key paradigms:
– Message integrity: encrypt audio and video with a different key for every few seconds of content.
– Use independent keys for every transaction.
– E-mail: a Master Key/Disposable Key protocol saves storage and increases security.
NTRU is:
– Easy to program
– Easy to build into hardware
– Ideal for Digital Signal Processors (DSPs)
NTRU requires:
– Less memory (RAM) in software
– Less storage in software
– Fewer gates in hardware
NTRU easily fits into low-power smart cards, handheld devices and cellular telephones.