MaTRU A New NTRU-Based Cryptosystem
The Sixth International Conference on Cryptology (INDOCRYPT 2005) Indian Institute of Science, Bangalore, India, December 10-12, 2005
Michael Coglianese, Macgregor, 321 Summer Street, Boston MA, USA
Bok-Min Goi, Centre for Cryptography and Information Security (CCIS), Multimedia University, Cyberjaya, Malaysia
Outline
– Introduction
– Notation
– Overview of the original NTRU PKC
– Our New NTRU-based PKC: MaTRU
  – Construction
  – How it works
– Security Analysis & Results
  – Brute force and lattice attacks
  – Parameter choices
  – NTRU vs. MaTRU
– Concluding Remarks
Introduction
Introduction…
The revolution in cryptography came in 1976, when Diffie and Hellman presented the idea of the public key cryptosystem,
which provides a non-repudiation service and solves the key distribution problem.
Introduction…
RSA PKC (1978) – based on the integer factorization problem
McEliece PKC (1978) – based on algebraic coding theory
ElGamal PKC (1984) – based on the discrete log problem (DLP)
ECC PKC (1987) – based on the intractability of the elliptic curve DLP
Variants of Matsumoto-Imai PKC (1988) – based on systems of multivariate polynomials
Introduction…
Problems: most of them are too slow and need a large memory footprint,
so they are not suitable for low-cost devices (RFID, smartcards, mobile devices, …).
NTRU…
NTRU, pronounced “ain’t-true”, by J. Hoffstein, J. Pipher and J. Silverman
– presented at the rump session of CRYPTO ’96, with the full paper in ANTS III (LNCS 1423, 1998)
Based on properties of short polynomials over polynomial rings
Needs fewer resources and operates fast, but has a larger message expansion
Has been studied comprehensively by the cryptographic community
So far, NTRU’s core technology is still SECURE!!
NTRU…
All operations are done in the ring R = Z[X]/(X^N − 1).
Polynomial multiplication (cyclic convolution product): computational complexity is O(N^2) (assuming no FFT).
NTRU…
The width or L∞ norm on R of an element g
The size or L2 norm on R of an element g
g is short if
g is said to be pretty / moderately short if
– Note that the constant value is experimentally determined
…NTRU
NTRU is defined by the parameters (N, p, q) and the sets (L_f, L_g, L_φ, L_m) in R.
Note that q >> p and gcd(p, q) = 1.
GEN (key generation algorithm)
Randomly choose 2 polynomials f ∈ L_f, g ∈ L_g
F_q * f ≡ 1 (mod q), F_p * f ≡ 1 (mod p)
h ≡ F_q * g (mod q)
(PK, SK) = (h, f)
ENC (encryption algorithm)
Select m ∈ L_m and randomly select φ ∈ L_φ.
e ≡ p φ * h + m (mod q)
DEC (decryption algorithm)
a ≡ f * e (mod q), then choose the coefficients of a in the interval from −q/2 to q/2
m ≡ F_p * a (mod p)
Security Analysis
– Meet-in-the-Middle attacks
– Multiple Transmission attacks
– Lattice attacks
h ≡ F_q * g (mod q)
f * h ≡ g (mod q) ⇒ (f, g) is short! Use the LLL lattice basis reduction
algorithm to find the shortest vector, r = (f, g)
Comparison: speed advantage of NTRU over RSA
Can we further improve the speed of NTRU while keeping its security at a comparable level?!!
MaTRU
MaTRU
We propose a new NTRU-based PKC, MaTRU, pronounced “may-true”.
All operations are done in the matrix ring M of k by k matrices with elements in Z[X]/(X^n − 1); fix nk^2 = N for the same message size as NTRU.
Matrix polynomial multiplication takes time O(n^2 k^3): a speed increase by a factor of O(k) over NTRU. However, the constant factor is ½, as the linear transformation in MaTRU is a two-sided matrix multiplication.
Notations…
…Notations
A permutation matrix A (and B) is a binary matrix that has exactly one 1 in each row and column, with all 0s elsewhere.
It generates a multiplicative group of order k (i.e., A^k = I = A^0), and the set {A^0, A^1, …, A^(k−1)} is linearly independent.
…Notations
E.g., if p = 3 and n = 5, L(2) means that on average each polynomial has 2 coefficients equal to 1, 2 coefficients equal to −1, and 1 coefficient equal to 0.
Or, if p = 2 and n = 5, L(2) means that on average each polynomial has 2 coefficients equal to 1 and the rest equal to 0.
MaTRU-GEN (key generation algorithm)
** h is not short.
MaTRU-ENC (encryption algorithm)
** Coefficients in e are spread over [0, q-1]
MaTRU-DEC (decryption algorithm)
How it works…
In decryption:
In order to simplify this, the factors
have to be commutative!!
BUT matrix multiplication is NOT generally COMMUTATIVE!!
…How it works
But here they do indeed commute:
…How it works
For appropriate parameter choices, it will be PRETTY SHORT!
Hence, we can treat the polynomials in a as having integer coefficients and reduce a modulo p, leaving
f * m * g (mod p)
The plaintext can then be obtained:
d ≡ F_p * a * G_p ≡ m (mod p)
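The decryption argument on these slides (a = f e g, then d ≡ F_p a G_p ≡ m (mod p), which needs f to commute with Φ and g with Ψ) and the original NTRU GEN/ENC/DEC summarised earlier, worked through as an added Python example that is not the authors' code. It implements the MaTRU structure as the slides describe it; the exact shape of the public key and ciphertext (h = F_q w G_q mod q and e = p Φ h Ψ + m mod q) is my reading of the slides by analogy with NTRU, since those formulas did not survive extraction, and every parameter (n = 7, k = 4, p = 3, q = 2053, the permutations A and B, the L(d) sets) is a constructed toy value. NTRU itself is the k = 1 instance of the same structure with g = Ψ = 1. The inverses F_p, F_q, G_p, G_q are obtained by Gaussian elimination over Z_q, which is why q is chosen prime here; the almost-inverse routine NTRU uses for q = 2^m is not shown.

```python
import random

# Added toy model of the MaTRU construction on these slides (not the authors' code).
# R = Z[X]/(X^n - 1); polynomials are lists of n ints.  Private keys f = sum_i alpha_i A^i
# and g = sum_i beta_i B^i live in the commutative subrings R[A], R[B]; messages are
# arbitrary k x k matrices over R.  Assumed from the NTRU analogy (the slide formulas did
# not survive extraction): h = F_q w G_q (mod q) and e = p Phi h Psi + m (mod q).
# Constructed toy parameters (far too small to be secure); q is prime so inverses can be
# found by Gaussian elimination over Z_q.
N_POLY, K, P, Q = 7, 4, 3, 2053
A_PERM, B_PERM = [1, 2, 3, 0], [2, 3, 1, 0]   # A[r][A_PERM[r]] = 1; both are 4-cycles, A^4 = I

def poly_mul(a, b):                   # cyclic convolution in Z[X]/(X^n - 1), the NTRU '*'
    c = [0] * N_POLY
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N_POLY] += ai * bj
    return c

def center(x, mod):                   # representative of x modulo `mod` in (-mod/2, mod/2]
    x %= mod
    return x - mod if x > mod // 2 else x

def mat_mul(X, Y, mod):               # k x k matrix product over R, coefficients mod `mod`
    Z = [[[0] * N_POLY for _ in range(K)] for _ in range(K)]
    for r in range(K):
        for c in range(K):
            for t in range(K):
                Z[r][c] = [(u + v) % mod for u, v in zip(Z[r][c], poly_mul(X[r][t], Y[t][c]))]
    return Z

def mat_map(X, fn):                   # apply fn to every coefficient of a k x k matrix
    return [[[fn(v) for v in X[r][c]] for c in range(K)] for r in range(K)]

def ring_to_matrix(alphas, perm):
    """Expand sum_i alpha_i A^i into a k x k matrix, A being the permutation matrix of perm."""
    M = [[[0] * N_POLY for _ in range(K)] for _ in range(K)]
    cols = list(range(K))             # row r of A^i has its single 1 in column cols[r]
    for alpha in alphas:
        for r in range(K):
            M[r][cols[r]] = list(alpha)
        cols = [perm[c] for c in cols]   # advance from A^i to A^(i+1)
    return M

def ring_inverse(alphas, mod):
    """Inverse of u = sum_i alpha_i A^i in R[A] modulo the prime `mod`, or None.  R[A] is
    commutative, so 'multiply by u' is linear on Z_mod^(nk): invert it, apply it to 1."""
    n, dim = N_POLY, N_POLY * K
    M = [[0] * dim for _ in range(dim)]
    for i1 in range(K):
        for j1 in range(n):
            for i2 in range(K):
                for j2 in range(n):   # u * A^i2 X^j2 sends alpha_i1[j1] to A^(i1+i2) X^(j1+j2)
                    M[((i1 + i2) % K) * n + (j1 + j2) % n][i2 * n + j2] += alphas[i1][j1]
    aug = [[v % mod for v in M[r]] + [1 if r == 0 else 0] for r in range(dim)]  # solve M x = 1
    for col in range(dim):
        piv = next((r for r in range(col, dim) if aug[r][col]), None)
        if piv is None:
            return None               # u is a zero divisor modulo `mod`
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, mod)
        aug[col] = [(v * inv) % mod for v in aug[col]]
        for r in range(dim):
            if r != col and aug[r][col]:
                aug[r] = [(a - aug[r][col] * b) % mod for a, b in zip(aug[r], aug[col])]
    return [[aug[r][dim] for r in range(i * n, (i + 1) * n)] for i in range(K)]

def rand_poly(rng, ones, negs):       # constructed L(d)-style ternary polynomial
    c = [1] * ones + [-1] * negs + [0] * (N_POLY - ones - negs)
    rng.shuffle(c)
    return c

def rand_ring_element(rng):           # alpha_0 in L(2,1), rest in L(2,2): u(X=1, Y) = 1 for all Y
    return [rand_poly(rng, 2, 1)] + [rand_poly(rng, 2, 2) for _ in range(K - 1)]

def keygen(rng):
    """Public key h and private (f, g, F_p, G_p), all expanded to k x k matrices."""
    while True:                       # resample until f and g are invertible mod p and mod q
        f, g = rand_ring_element(rng), rand_ring_element(rng)
        inv = [ring_inverse(x, md) for x in (f, g) for md in (P, Q)]
        if None not in inv:
            break
    Fp, Fq, Gp, Gq = inv
    w = [[rand_poly(rng, 2, 2) for _ in range(K)] for _ in range(K)]   # short generic matrix
    h = mat_mul(mat_mul(ring_to_matrix(Fq, A_PERM), w, Q), ring_to_matrix(Gq, B_PERM), Q)
    return h, tuple(ring_to_matrix(x, pm) for x, pm in zip((f, g, Fp, Gp), (A_PERM, B_PERM) * 2))

def encrypt(rng, h, m):
    phi = ring_to_matrix(rand_ring_element(rng), A_PERM)   # Phi in R[A]: commutes with f
    psi = ring_to_matrix(rand_ring_element(rng), B_PERM)   # Psi in R[B]: commutes with g
    blind = mat_mul(mat_mul(phi, h, Q), psi, Q)
    return [[[(P * b + x) % Q for b, x in zip(blind[r][c], m[r][c])] for c in range(K)] for r in range(K)]

def decrypt(priv, e):
    f, g, Fp, Gp = priv
    # a = f e g = p Phi w Psi + f m g (mod q); centring recovers the exact integer matrix, so
    # reducing mod p removes the p Phi w Psi term and F_p (f m g) G_p = m (mod p).
    a = mat_map(mat_mul(mat_mul(f, e, Q), g, Q), lambda v: center(v, Q))
    return mat_map(mat_mul(mat_mul(Fp, a, P), Gp, P), lambda v: center(v, P))

def demo(seed=1):
    """(round trip ok, f commutes with Phi, f commutes with a generic ternary matrix)."""
    rng = random.Random(seed)
    h, priv = keygen(rng)
    m = [[rand_poly(rng, 2, 2) for _ in range(K)] for _ in range(K)]   # constructed message
    commutes = lambda X, Y: mat_mul(X, Y, Q) == mat_mul(Y, X, Q)
    phi = ring_to_matrix(rand_ring_element(rng), A_PERM)
    return decrypt(priv, encrypt(rng, h, m)) == m, commutes(priv[0], phi), commutes(priv[0], m)
```

demo(seed) returns (round trip succeeded, f commutes with Φ, f commutes with a generic matrix); the last entry is False, which is exactly why the two-sided transformation J ↦ f J g needs both F_p and G_p to undo it. With these sizes every coefficient of p Φ w Ψ + f m g is bounded by 675 + 225 = 900 < q/2, so the centred lift is exact and decryption never fails; that margin is the "appropriate parameter choices" condition the slide refers to.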
Security Analysis & Results
Security Analysis…
The key (or message) space depends on the 2k polynomials.
…Security Analysis
For p = 2 or 3, the total number of possible key pairs:
Using brute force attacks ⇒ (key security)/2
Using meet-in-the-middle attacks ⇒ (key security)^(1/2)
Lattice Attacks…
To discover the private key (f, g) or (α_i, β_i), the attacker has to find the linear transformation
T_{f,g}: J ↦ f J g
Note that T_{f,g}(h) = w
Can form a 2nk^2 by 2nk^2 lattice matrix L, where
I = nk^2 by nk^2 identity matrix
O = nk^2 by nk^2 zero matrix
Q = n by n diagonal matrix whose non-zero elements have value q
H_{i,j} = n by n matrix computed from (h, A, B), for i, j = 0, 1, …, k−1
…Lattice Attacks
Since α_i and β_j are short, α_i β_j will be pretty short.
(α_i β_j, w) is in the lattice L = {(T, T(h))}
…Lattice Attacks
The size of the target vector (α_i β_j, w)
By the Gaussian heuristic, the expected shortest vector in a random L
Note that as c_h approaches 1, the LLL algorithm will take longer to find the shortest vector!
Parameter choices
Comparison
** note that nk^2 = N
Concluding Remarks
Results
We have introduced the MaTRU cryptosystem: its construction,
security analysis & parameter choices, and
a comparison with the original NTRU.
Due to its non-commutative property, MaTRU
won’t face the multiple transmission attacks that
apply to NTRU.
However, the security analysis is heuristic: are there any other, better attacks??
Future Work
Construct experiments to further refine the suggested parameters for MaTRU
Optimization, improvement and cryptanalysis of MaTRU
– new lattice attack (subdividing L)
– impact of imperfect decryption