
MaTRU: A New NTRU-Based Cryptosystem

MaTRU: A New NTRU-Based Cryptosystem. Bok-Min Goi, Centre for Cryptography and Information Security (CCIS), Multimedia University, Cyberjaya, Malaysia. Michael Coglianese, Macgregor, 321 Summer Street, Boston MA, USA. The Sixth International Conference on Cryptology (INDOCRYPT 2005).


Presentation Transcript


  1. MaTRU: A New NTRU-Based Cryptosystem. Bok-Min Goi, Centre for Cryptography and Information Security (CCIS), Multimedia University, Cyberjaya, Malaysia. Michael Coglianese, Macgregor, 321 Summer Street, Boston MA, USA. The Sixth International Conference on Cryptology (INDOCRYPT 2005), Indian Institute of Science, Bangalore, India, December 10-12, 2005.

  2. Outline: Introduction; Notation; Overview of the original NTRU PKC; Our new NTRU-based PKC, MaTRU (construction, how it works); Security analysis and results (brute force and lattice attacks, parameter choices, NTRU vs. MaTRU); Concluding remarks.

  3. Introduction

  4. Introduction: Revolution in cryptography in 1976: Diffie and Hellman present the idea of the public key cryptosystem, to provide a non-repudiation service and solve key distribution problems.

  5. Introduction: RSA PKC (1978), based on the integer factorization problem; McEliece PKC (1978), based on algebraic coding theory; ElGamal PKC (1984), based on the discrete log problem (DLP); ECC PKC (1987), based on the intractability of the elliptic curve DLP; variants of the Matsumoto-Imai PKC (1988), based on systems of multivariable polynomials.

  6. Introduction: Problems: most of them are too slow and need a large memory footprint, so they are not suitable for low-cost devices (RFID, smartcards, mobile devices, …).

  7. NTRU: pronounced "ain't-true", by J. Hoffstein, J. Pipher and J. Silverman. Presented at the rump session of CRYPTO '96, with the full paper in ANTS III (LNCS 1423, 1998). Based on properties of short polynomials over polynomial rings. Needs fewer resources and operates fast, but has a larger message expansion. Has been studied comprehensively by the cryptographic community. So far, NTRU's core technology is still SECURE!!

  8. NTRU: All operations are done in the ring R = Z[X]/(X^N - 1). Polynomial multiplication is the cyclic convolution product; its computational complexity is O(N²) (assuming no FFT).

  9. NTRU: The width, or L∞ norm, on R of an element g, and the size, or L2 norm, on R of an element g. g is short, or pretty / moderately short, when its norm is below the corresponding bound; note that the constant in the bound is experimentally determined.

  10. NTRU: Defined by parameters (N, p, q) and sets (Lf, Lg, Lφ, Lm) in R. Note that q >> p and gcd(p, q) = 1.
      GEN (key generation algorithm): randomly choose two polynomials f, g; compute Fq with Fq * f ≡ 1 (mod q) and Fp with Fp * f ≡ 1 (mod p); h ≡ Fq * g (mod q); (PK, SK) = (h, f).
      ENC (encryption algorithm): select m ∈ Lm and randomly select φ ∈ Lφ; e ≡ p φ * h + m (mod q).
      DEC (decryption algorithm): a ≡ f * e (mod q); then choose the coefficients of a in the interval from -q/2 to q/2; m ≡ Fp * a (mod p).
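The GEN/ENC/DEC steps of slide 10 and the cyclic convolution of slide 8, carried through on toy parameters as an added example (this is not code from the paper or its authors): N = 7, p = 3, q = 32 and the polynomials f, g, φ, m are constructed here; the inverses mod 2 and mod 3 are found by exhaustive search, which only works at toy N, and the mod-2 inverse is lifted to mod q with Hensel's lemma.

```python
import itertools

# Toy NTRU following slide 10, over R = Z[X]/(X^N - 1): a polynomial is a list of N
# integer coefficients, index = power of X.  Constructed toy parameters, NOT secure.
N, p, q = 7, 3, 32

def conv(a, b):  # cyclic convolution a * b in R: the O(N^2) product of slide 8
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] += ai * bj
    return c

def center(a, mod):  # reduce coefficients into [-mod/2, mod/2): DEC's interval step
    return [((x + mod // 2) % mod) - mod // 2 for x in a]

def invert(f, m):  # inverse of f in Z_m[X]/(X^N - 1), m prime, by exhaustive search
    one = [1] + [0] * (N - 1)  # (fine at toy N; real code uses the almost-inverse algorithm)
    for cand in itertools.product(range(m), repeat=N):
        if [x % m for x in conv(f, cand)] == one:
            return list(cand)
    raise ValueError("f has no inverse mod %d" % m)

def lift_inverse(f, f_inv2):  # Hensel-lift an inverse mod 2 to mod q = 2^k: F <- F(2 - fF)
    F, mod = f_inv2, 2
    while mod < q:
        mod *= mod
        fF = conv(f, F)
        F = [x % mod for x in conv(F, [(2 if i == 0 else 0) - fF[i] for i in range(N)])]
    return [x % q for x in F]

def keygen(f, g):  # GEN: Fq*f = 1 (mod q), Fp*f = 1 (mod p), h = Fq*g (mod q)
    Fp, Fq = invert(f, p), lift_inverse(f, invert(f, 2))
    return [x % q for x in conv(Fq, g)], f, Fp  # (PK, SK) = (h, f), plus Fp kept for DEC

def encrypt(h, m, phi):  # ENC: e = p*phi*h + m (mod q), phi a random short blinding polynomial
    return [(p * x + y) % q for x, y in zip(conv(phi, h), m)]

def decrypt(f, Fp, e):  # DEC: a = f*e (mod q) centred, then m = Fp*a (mod p)
    a = center(conv(f, e), q)  # equals p*phi*g + f*m exactly when that sum is short enough
    return center(conv(Fp, a), p)  # back to coefficients in {-1, 0, 1}

def roundtrip():  # constructed short polynomials; f chosen invertible mod 2 and mod 3
    f, g = [1, 1, -1, 0, 0, 0, 0], [0, 1, 0, 0, -1, 0, 0]
    phi, m = [-1, 0, 0, 1, 0, 0, 0], [1, 0, -1, 1, 0, 0, -1]
    h, f, Fp = keygen(f, g)
    return decrypt(f, Fp, encrypt(h, m, phi)) == m
```

With these sizes every coefficient of p*phi*g + f*m stays below q/2 in absolute value, which is exactly the condition the centring step in DEC relies on.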

  11. Security Analysis: meet-in-the-middle attacks; multiple transmission attacks; lattice attacks: since h ≡ Fq * g (mod q), f * h ≡ g (mod q), which is short! Use the LLL lattice basis reduction algorithm to find the shortest vector, r = (f, g).

  12. Comparison: speed advantage of NTRU over RSA.

  13. Can we further improve the speed of NTRU while keeping its security at a comparable level?!!

  14. MaTRU

  15. MaTRU: We propose a new NTRU-based PKC, MaTRU, pronounced "may-true". All operations are done in the matrix ring M of k by k matrices with elements in Z[X]/(X^n - 1). Fix nk² = N for the same message size as NTRU. Matrix polynomial multiplication takes time O(n²k³), a speed increase by a factor of O(k) over NTRU; however, the constant factor is ½, as the linear transformation in MaTRU is a two-sided matrix multiplication.

  16. Notations…

  17. Notations: A permutation matrix A (and B) is a binary matrix that has exactly one 1 in each row and column, with all 0s elsewhere; it forms a multiplicative group of order k (i.e., A^k = I = A^0); the set {A^0, A^1, …, A^(k-1)} is linearly independent.

  18. Notations: E.g., if p = 3 and n = 5, L(2) means that on average each polynomial has 2 coefficients equal to 1, 2 coefficients equal to -1, and 1 coefficient equal to 0. Or, if p = 2 and n = 5, L(2) means that on average a polynomial has 2 coefficients equal to 1 and the rest equal to 0.

  19. MaTRU-GEN (key generation algorithm). ** Note that h is not short.

  20. MaTRU-ENC (encryption algorithm). ** The coefficients of e are spread over [0, q-1].

  21. MaTRU-DEC (decryption algorithm).

  22. How it works: In decryption, in order to simplify the expression, the factors involved have to be commutative!! BUT matrix multiplication is NOT generally COMMUTATIVE!!

  23. How it works: But here they do indeed commute:

  24. How it works: For appropriate parameter choices, the decrypted matrix a will be PRETTY SHORT! Hence we can treat the polynomials in a as having integer coefficients, and a modulo p leaves f*m*g (mod p). The plaintext can then be obtained as d ≡ Fp * a * Gp ≡ m (mod p).
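The commutation point of slides 22-23, as an added example that is not code from the paper: it assumes, as in the MaTRU construction, that the private-key matrix f and the blinding matrix are sums of R-multiples of the powers A^0, …, A^(k-1) of one permutation matrix A (the linearly independent set of slide 17). Two such matrices commute, while a permutation matrix P that is not a power of A does not commute with them. Toy sizes n = 5, k = 3 and the coefficient polynomials alpha and phi are constructed.

```python
# Slides 22-23: MaTRU decryption needs the private-key matrix f and the blinding
# matrix to commute.  General k x k matrices over R = Z[X]/(X^n - 1) do not, but
# polynomials in one permutation matrix A do.  Added example with constructed values.
n, k = 5, 3  # toy sizes: coefficients per polynomial, matrix dimension

def conv(a, b):  # cyclic product of two polynomials in R
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % n] += ai * bj
    return c

ZERO, ONE = [0] * n, [1] + [0] * (n - 1)

def matmul(M1, M2):  # product of k x k matrices with entries in R
    out = [[list(ZERO) for _ in range(k)] for _ in range(k)]
    for i in range(k):
        for j in range(k):
            for l in range(k):
                out[i][j] = [x + y for x, y in zip(out[i][j], conv(M1[i][l], M2[l][j]))]
    return out

def matadd(M1, M2):
    return [[[x + y for x, y in zip(M1[i][j], M2[i][j])] for j in range(k)] for i in range(k)]

def scalar(c):  # c * I for a polynomial c (scalar matrices commute with everything)
    return [[list(c) if i == j else list(ZERO) for j in range(k)] for i in range(k)]

# A: cyclic-shift permutation matrix, exactly one 1 per row and column, A^k = I (slide 17).
A = [[ONE if j == (i + 1) % k else ZERO for j in range(k)] for i in range(k)]
# P: a permutation matrix that is not a power of A (it swaps rows 0 and 1).
P = [[ONE if j == (1, 0, 2)[i] else ZERO for j in range(k)] for i in range(k)]

def poly_in_A(coeffs):  # sum_i coeffs[i] * A^i with coeffs[i] in R, the shape of MaTRU's key matrices
    result, power = scalar(ZERO), scalar(ONE)
    for c in coeffs:
        result, power = matadd(result, matmul(scalar(c), power)), matmul(power, A)
    return result

def commutes(M1, M2):
    return matmul(M1, M2) == matmul(M2, M1)

# constructed short polynomials: coefficients of f and of the blinding matrix, respectively
alpha = [[1, 0, -1, 0, 1], [0, 1, 1, 0, 0], [-1, 0, 0, 1, 0]]
phi = [[1, 1, 0, 0, 0], [0, 0, -1, 0, 1], [1, 0, 0, 0, -1]]
f, blind = poly_in_A(alpha), poly_in_A(phi)

def check():  # (does f commute with blind?, does f commute with the unrelated permutation P?)
    return commutes(f, blind), commutes(f, P)
```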

  25. Security Analysis & Results

  26. Security Analysis: The key (or message) space depends on the 2k polynomials.

  27. Security Analysis: For p = 2 or 3, the total number of possible key pairs gives the key security. Using brute force attacks => (key security)/2; using meet-in-the-middle attacks => (key security)^(1/2).

  28. Lattice Attacks: To discover the private key (f, g), or its 2k component polynomials, the attacker has to find the linear transformation Tf,g(J): J ↦ f J g. Note that Tf,g(h) = w. One can form a 2nk² by 2nk² lattice matrix L from the blocks: I = nk² by nk² identity matrix; O = nk² by nk² zero matrix; Q = n by n diagonal matrix with non-zero element value q; Hi,j = n by n matrix computed from (h, A, B), for i, j = 0, 1, …, k-1.

  29. Lattice Attacks: Since the component polynomials (indexed by i and j) are short, their pairwise products (indexed by i, j) will be pretty short. The vector formed by these products together with w is in the lattice L = {(T, T(h))}.

  30. Lattice Attacks: The size of the target vector (the products together with w), compared with the expected shortest vector in a random L given by the Gaussian heuristic. Note that as ch approaches 1, the LLL algorithm will take a longer time to find the shortest vector!

  31. Parameter

  32. Comparison. ** Note that nk² = N.

  33. Concluding Remarks

  34. Results: We have introduced the MaTRU cryptosystem: its construction, security analysis and parameter choices, and a comparison with the original NTRU. Due to its non-commutative property, MaTRU won't face the multiple transmission attacks as in NTRU. However, the security analysis is heuristic: are there any other, better attacks??

  35. Future Work: Construct experiments to further refine the suggested parameters for MaTRU; optimization, improvement and cryptanalysis of MaTRU: a new lattice attack (subdividing L), and the impact of imperfect decryption.

  36. Thank you for your attention!!
