340 likes | 429 Vues
Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Performance and Security of NTRU Security Suite] Date Submitted: [February 22, 2002]
E N D
Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Performance and Security of NTRU Security Suite] Date Submitted: [February 22, 2002] Source: [Daniel V. Bailey, Product Manager for Wireless Networks and Ari Singer, Principal Engineer] Company [NTRU] Address [5 Burlington Woods, Burlington, MA 01803] Voice:[(781) 418-2500], FAX: [(781) 418-2507], E-Mail:[dbailey@ntru.com] Re: [Draft P802.15.3/D09, P802.15-02-074r1 802.15.3 Call For Proposals for a Security Suite] Abstract: [This presentation gives an overview of the performance and security of NTRU’s proposal for security suite for the 802.15.3 draft standard.] Purpose: [To familiarize the working group with the NTRU proposed security suite.] Notice: This document has been prepared to assist the IEEE P802.15. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. Release: The contributor acknowledges and accepts that this contribution becomes the property of IEEE and may be made publicly available by P802.15.
Agenda • NTRU Background • NTRU Security • Why Triple-DES?
Why NTRU Public-Key Cryptography? • Public-Key Cryptography was invented in the 1970s: • RSA • Elliptic Curve Cryptography • Uses complicated mathematics and large numbers • RSA: 1024 bit numbers (1 with 300 zeroes!) • ECC: 160 bit numbers and complex operations • Ratios of polynomials • Not suitable for devices with low processing power, memory, battery life… • NTRU: • Uses smaller numbers (<128) • Can be implemented efficiently on any processor • Fundamental breakthrough in cryptography
NTRU Advantages Why so fast? Why so small? Why so secure?
NTRU Buzzwords • NTRU uses convolution multiplication • RSA uses modular multiplication • Convolutions used in digital signal processing (voice, streaming multimedia, etc) • NTRU is based on the short lattice vector problem • RSA is based on the integer factorization problem • ECC is based on the elliptic curve discrete log problem • Short lattice vector problem has been proved very hard; other two are merely conjectured to be very hard.
NTRU Fundamentals • NTRU is a lattice-based public-key cryptosystem • Lattice operations are extremely fast • Lattice operations are easy to implement using 7- or 8-bit numbers • Lattice problems have been well studied and are hard in high dimension • Every NTRU key has its own random lattice • Each key is a concatenation of polynomial coefficients • NTRU keys are always completely independent • Two algorithms • NTRUEncrypt for encryption and decryption • NTRUSign for signature and verification • Only NTRUEncrypt needed for 802.15.3
History of NTRUEncrypt • Developed by team of cryptographer/mathematicians • J. Hoffstein, J. Pipher, J. Silverman (1994-1996) • Presented by J. Hoffstein at CRYPTO ’96 • Immediate feedback from top cryptographers (Coppersmith, Hastad, Odlyzko, Shamir,…) used to set appropriate security parameters • Ongoing research by experts in lattices and cryptography (Nguyen, Stern, Schnorr, May, Gentry, Szydlo, Jaulmes, Joux…) reaffirms NTRU’s security • New IEEE P1363.1 standard based on NTRU • New CEES Efficient Embedded Security Standard based on NTRU
NTRUEncrypt Public Parameters The NTRUEncrypt Public Key Cryptosystem depends on three public parameters: N, p, q Typical values for these parameters, with approximate equivalent RSA security levels, are: Key size = ciphertext size = N * log2(q) bits Plaintext size = N bits
Convolution Multiplications NTRU’s basic operation is convolution product of two vectors of small numbers: [a0,…,aN-1] * [b0,…,bN-1] = [c0,…,cN-1] With ck = a0bk + a1bk-1 + a2bk-2 + … + aN-2bk+2 + aN-1bk+1 . Convolution products can be computed very rapidly using Karatsuba multiplication or Fast Fourier Transforms. Example with N=4 (Extra Rule: x4 = 1) (x3+2x-1)*(3x3-x2+x+2) = 3x6-x5+7x4-3x3+3x2+3x-2 = 3x2-x + 7 - 3x3+3x2+3x-2 = -3x3+6x2+2x+5
Small Polynomials and Polynomials Mod q The coefficients of NTRU polynomials may be reduced modulo the parameter q. That means that the coefficients are replaced with their remainders after being divided by q. Example. 5x3 - 11x2 + 4x + 6 = -x3 + x2 + x (mod 3) (Note: usual reduction mod q reduces into the range [0, q-1]. In NTRU, sometimes we reduce into the range [-q/2, q/2) or some other range). Many polynomials used in NTRU are described as “small”. This means their coefficients are, by, and large, small relative to q.
NTRUEncrypt Key Creation Bob chooses two polynomials f(x) and g(x). f(x) has the form 1 + pF(x), where F(x) is small g(x) is small Bob computes the inverse of f(x) modulo q: Fq(x)*f(x) = 1 (mod q). Finding these inverses is very fast using the Euclidean algorithm. Bob computes the product h(x) = p*Fq(x)*g(x) (mod q). Bob’s Private Key: the polynomial f(x) Bob’s Public Key: the polynomial h(x)
NTRUEncrypt Encryption • Alice processes the message before encryption • pads the message with random data • blinds it, OAEP-style, to get the blinded message • converts the blinded message to a polynomial m(X). • Alice encrypts the message • generates a small random polynomial r(X) (using the blinded message as the seed for the random number generator) • calculatese(X) = r(X) * h(X) + m(X) • e(X) is the ciphertext.
NTRUEncrypt Decryption • Bob decrypts the message • calculatesa(X) = f(X) . e(X) mod q. • places the coefficients of a(X) into the range [A, A+q-1] • reduces mod p. This recovers the polynomial m’(X). • Bob checks that the ciphertext was valid • converts the polynomial m’(X) to the blinded message • generates a small random polynomial r’(X) (using the blinded message as the seed for the random number generator) • calculatese’(X) = r’(X) . h(X) + m’(X) • If this is identical to e(X), accepts the message.
Why Does NTRUEncrypt Work? a = f * e (mod q) = f * (r*h + m) (mod q) = f * (r*p*g*Fq + m) (mod q) = p*r*g + (1 + pF)*m (mod q) since f*Fq = 1 (mod q). All of the polynomials r, g, f, m are small, so coefficients of p*r*g + (1 + pF)*m will all lie within q of each other. If its coefficients are reduced into the right range, the polynomial a(x) is exactly equal to p*r*g + f*m. Then a = p*r*g + m + pF*m = m (mod p)
In answer to those questions: • Why so fast? • NTRUEncrypt uses only adds on 7-bit numbers • For security of order N, needs only N ln N operations • other algorithms require N2 or N3 operations • Why so small? • NTRUEncrypt uses only adds on 7-bit numbers • No need for big integer arithmetic library • Fits in small amount of RAM • Why secure? • To be discussed…
How Fast is NTRUEncrypt?(RSA 1024 Level Security) NTRU vs. RSA on ARM9 NTRU vs. ECC on ARM9 NTRU vs. RSA on PDAs NTRU vs. ECC on PDAs ARM9 Comparisons: NTRU’s NERI toolkit vs. Mike Scott’s MIRACL library, using a NIST curve PDA Comparisons: NTRU’s NERI portable toolkit vs. published results (for ECC, RSA) specialized for the Palm device, (RSA encryption exponent e=65537)
Performance on a Microcontroller • Speakers will have an 8051 if they’re lucky • Microcontrollers vary widely, so here’s three implementations of NTRUEncrypt:
Comparison on a Microcontroller • For comparison, the top microcontroller has a 50,000 gate RSA/ECC coprocessor • 028r3-TG3-Coding-Criteria.ppt gives the following cost/power guidance: • In 0.18 micron technology, 100,000 gates cost 20 cents • Power is dissipated at a rate of 0.018 mW/(MHz*kgates)
Comparison in Hardware • What if you need NTRUEncrypt in hardware? • This is a complete implementation, including SHA-1
Agenda • NTRU Background • NTRU Security • Why Triple-DES?
The NTRU Hard Problem The hard problem underlying NTRU is the Shortest Vector Problem in lattices of high dimension • Best Known Methods to Break: • NTRU and ECC are exponential (very slow) • RSA and DH are subexponential (faster)
(1,5) B (7,1) LB’ = (13,-3) B’ (6,-4) Lattices • Lattice: Set of all vectors that are integer linear • combinations of the basis vectors B = {b1, …, bn}. • Lattice Bases are not unique. • Lattice Basis Reduction: Finding a “good” basis, usually • one with short, nearly orthogonal vectors. LB = (Slide due to Craig Gentry)
LB = (1,5) B (7,1) × 1 × -2 LB’ = (13,-3) B’ (6,-4) Shortest Vector Problem • Shortest Vector Problem (SVP): Given a lattice basis, find • the shortest (nonzero) vector in the lattice. • Example: Given LB’ below, find (1,5). • The SVP is NP-Hard (no algorithm with running time • polynomial in lattice dimension that always find the SV). (Slide due to Craig Gentry)
Brief History of Lattice Problems • Lattices, the SVP, and the CVP have been extensively studied for more than 100 years (Hermite 1870s, Minkowski 1890s,…). • Best computational tool was developed by Lenstra, Lenstra, and Lovasz (LLL algorithm) in early 1980s. • Improvements to LLL are due to Schnorr, Euchner, Horner, Koy, and others. • Algorithms to find small vectors in lattices have been extensively studied because they have applications to many areas outside of cryptography, including physics, combinatorics, number theory, computer algebra,…. • Contrast this with integer factorization (RSA) and elliptic curve discrete logarithms (ECC), where the only applications are to cryptography.
NTRU Security NOTE: 4 x 103 MIPS-Years = c. 1 year on a 450 MHz Pentium
Scrutiny • NTRUEncrypt has been widely studied since it was first announced in 1996 • Papers on NTRU techniques appear at every major cryptography conference • Nguyen and Stern (CaLC-2001): “this makes NTRU the leading candidate among knapsack-based and lattice-based cryptosystems, and allows high dimension lattices.” • Miccancio (IMAP 2002) observed that NTRU lattices are in Hermite Normal Form, the most secure form for a general lattice • NTRU encourages peer review • Challenge problems • Support to Crypto community (CaLC conference, etc)
NTRU Standardization work • IEEE P1363 • Draft of P1363.1 available on IEEE P1363 WG web site with NTRUEncrypt included • Vote on permanently including NTRUEncrypt passed at May 2001 meeting • Consortium for Efficient Embedded Security (CEES) • Draft of EESS #1 standardizing NTRUEncrypt currently available from http://www.ceesstandards.org • Drafts include complete specification, encodings, certificate formats, etc. • VHN (Versatile Home Networking) • NTRU included in EIA/CEA-851
NTRU Standardization work • IETF • TLS: NTRU ciphersuites proposed May 2001. • Expected to proceed to Informational RFC. • PKIX: “Supplemental Algorithms for PKI” Internet Draft • Edited by NTRU, includes NTRUEncrypt • Also includes new US Government algorithms: DSA2, SHA-256… • WAP • NTRU active participants in WSG
Implications of High Data Rate • Symmetric components must meet the data rate • Public key costs on a per-session basis, not per-bit • For enough gates (612,834 actually), 2 Gbps is practical with AES • Smallest implementation with local subkey storage is 43,000 gates • 17,000 gates if you hit external memory every cycle • The challenge: minimize footprint to meet a target data rate at a target cost (area, clock rate,…) • You’ll need a custom hardware implementation for encryption and integrity • We’ve been evaluating algorithms and…
Triple-DES • Hits the data rate at lowest gate count • DES has a 64-bit block size. • DES encryption has 16 rounds. Triple-DES encryption has 48. • Using DES for integrity takes another 16 rounds, except for the last block, which takes 48. • So we need 64 rounds per 64 bits. • Instantiating two rounds of DES gives a throughput of 2 bits/cycle. • So you’ll need at least a 23 MHz clock for 55 Mbps. • Synthesized with LeonardoSpectrum, that’s 9196 gates • With 802.15.3’s assumptions, that’s $0.02, 5.4 mW
Triple-DES Security • Encryption standardized in ANSI X9.52, FIPS 46-3, … • Well-studied since the late 1970s. • 112-bit key makes brute force attacks infeasible • MAC standardized in ISO 9797, … • We MAC the ciphertext, not the plaintext • 64-bit block size means we’d expect a MAC collision after 232 blocks • Sequence numbers in MAC calculation prevent the attacker from substituting one message for another! • The attacker isn’t looking for two messages that give the same MAC… • She needs two messages with the same sequence number that give the same MAC
Conclusions • NTRUEncrypt and Triple-DES are the most cost-effective solutions for 802.15.3. • Both have received intense scrutiny • Both are believed to be secure