1 / 14

1363.1

1363.1. Parameter Changes and Standard Status William Whyte, NTRU Cryptosystems. Overview. Attack from Crypto 2007: details Isodual lattice reduction P1363.1 status and schedule. Attack. NTRU keys are defined by h = public key, N coefficients uniformly distributed mod q f = private key

kathy
Télécharger la présentation

1363.1

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 1363.1 Parameter Changes and Standard Status William Whyte, NTRU Cryptosystems

  2. Overview • Attack from Crypto 2007: details • Isodual lattice reduction • P1363.1 status and schedule

  3. Attack • NTRU keys are defined by h = public key, N coefficients uniformly distributed mod q f = private key f * h mod q = g, both f and g are small (binary / trinary) • We can brute-force f: try all possible values until we find an f s.t. f*h is small • Or, since f = f1 + f2, we can try all possible f1*h and f2*h and file the results • Then if f1*h is “close to” -f2*h, (f1+f2)*h will be small • This “combinatorial attack” allows us to trade off running time against memory • If memory is free the optimal result is to (roughly) square root the running time

  4. Add {-1, 0, 1} * each rotation of h = (5, 17, 22, 9, 11) Reduce mod q = 32 Stop when the result (= g) is small (trinary or binary) Brute force attack in linear algebra terms

  5. Add {-1, 0, 1} * each of the top 4 rows to get vector G. Reduce G mod (8, *, *, *, *, *) ie add/subtract row 5 until first coeff is < 8 Reduce G mod (0, 16, *, *, *, *) ie add/subtract row 6 until second coeff is < 16 Reduce all other coeffs of G mod 32 Stop when G is small (= g) Improving brute force attack with lattice reduction

  6. Improving brute force attack with lattice reduction: analysis • Why is this an improvement? • Brute force search is exponential in N • Reducing search space even by 1 dimension greatly reduces search time • Tradeoffs? • Attacker is assuming that reducing mod 4 will help find the shortest vector – ie that that coefficient of the shortest vector is shorter than 2 • This could be wrong: short vector could possibly be a rotation that has 2.1 in that position • The lower the diagonal coefficient is, the greater the risk that “weak reduction” will give the wrong answer • The attacker wants to (a) reduce the number of {-1, 0, 1}s in the right column and (b) only perform weak reduction with sufficiently large diagonal values. • This technique can also be used to speed up combinatorial attacks.

  7. Combined lattice and combinatorial attack • Consider N=251 key of form (f, g) where • f is binary, with df = 48 1s • g is binary with 125 1s • Combinatorial attack takes (N/2 pick df/2) time • Say we perform lattice reduction so that we can weakly reduce on 10% of the top N rows instead of having to binary-search them • Then we can perform a combinatorial search taking time ((90%*N/2) pick (90%*df/2)) time • For the figures above this reduces search operations from 284 to 274 • A net saving so long as lattice reduction time is < 274 operations • As lattice reduction time goes up, combinatorial search time goes down • Two lines cross at 260.4 operations • Weakly reduce against 65 rows, combinatorial search in the remaining 186.

  8. How to defend? • For k bits of security • Determine experimentally how many q-vectors can be consumed for a given value of q with k bits of lattice reduction effort • Call this N1 • For a given N and df, remaining combinatorial effort is approx ((N-N1) pick (df *(N-N1)/N)) • Actually slightly smaller as some rotations of f will leave fewer than (df*(N-N1)/N) coefficients to pick • Pick K, d s.t. (K pick d) gives required level of combinatorial security • Then N = N1+K, df = d *(N/(N-N1)) will give k bits of combinatorial security *after* k bits of lattice reduction

  9. New parameter sets • Change: take p = 3, q = power of 2. • Previous drafts had p = 2, q prime • p = 3, q = power of 2 were used in the first proposed NTRU parameter sets • Security considerations for (p = 3, q = power of 2) and (p = 2, q prime) not known to be different • Keys are now trinary, with df 1s, df -1s, (N-2df) 0s. • Product form: F = f1*f2+f3, each with df’ 1s and -1s, s.t. df’*df’+df’ = df • Combinatorial goes from (N/2 pick df/2) to (N pick df) • Running time goes from df*N to 2*df*N

  10. Calculating lattice security 2N • Lattice reduction algorithm: Blockwise Korkine-Zolotarev (BKZ) • No theoretical bound on running time; need to find running times experimentally • Fundamental parameter: blocksize b • BKZ uses exhaustive search to find the actual shortest vector in each sublattice of dimension b • The larger b is, the greater the chance that this is also the shortest vector in the entire lattice • For each value of q: • Generate an NTRU lattice of high dimension • Run BKZ on the central section of that lattice for blocksize b = 2, 3, 4, … • Plot q-vectors consumed v running time q h 1 Reduced with b = 2 Reduced with b = 3

  11. Results • Running time goes as bb for blocksize b • Number of q-vectors consumed is linear in b • As q increases, number of q-vectors consumed for a given b also increases • Graph plots q-vectors removed v bits of effort • upward curve – slightly more than exponential running time • Fit (b log b) line to the graph, then take the tangent at the last data point

  12. Isodual lattice reduction • Incremental improvement in lattice reduction techniques that appears to lower slope of extrapolated lattice reduction time line. • Results to be posted on ePrint before 10/30 • Requires additional small increase in lattice dimension to maintain security

  13. Anticipated parameter sets

  14. To do • Complete migration of supporting algorithms from binary to trinary • Complete update of security considerations • Complete specification of parameter generation algorithm • ETA: 10/31

More Related