MaTRU: A New NTRU-Based Cryptosystem
Presentation slides (transcript)
The Sixth International Conference on Cryptology (INDOCRYPT 2005), Indian Institute of Science, Bangalore, India, December 10-12, 2005
Michael Coglianese, Macgregor, 321 Summer Street, Boston MA, USA
Bok-Min Goi, Centre for Cryptography and Information Security (CCIS), Multimedia University, Cyberjaya, Malaysia
Outline
  Introduction
  Notation
  Overview of the original NTRU PKC
  Our New NTRU-based PKC, MaTRU
    Construction
    How it works
  Security Analysis & Results
    Brute force and lattice attacks
    Parameter choices
    NTRU vs. MaTRU
  Concluding Remarks
Introduction
Revolution in cryptography in 1976: Diffie and Hellman presented the idea of the public key cryptosystem, to provide a non-repudiation service and solve key distribution problems.
Introduction…
  RSA PKC (1978) – based on the integer factorization problem
  McEliece PKC (1978) – based on algebraic coding theory
  ElGamal PKC (1984) – based on the discrete log problem (DLP)
  ECC PKC (1987) – based on the intractability of the elliptic curve DLP
  Variants of the Matsumoto-Imai PKC (1988) – based on systems of multivariable polynomials
Introduction…
Problems
  Most of them are too slow and need a large memory footprint
  Not suitable for low-cost devices: RFID, smartcards, mobile devices …
NTRU…
  NTRU, pronounced “ain’t-true”, by J. Hoffstein, J. Pipher and J. Silverman
  – At the rump session of CRYPTO ’96 and then as a full paper in ANTS III (LNCS 1423, 1998)
  Based on properties of short polynomials over polynomial rings
  Fewer resources + fast operation, but larger message expansion
  Has been studied comprehensively in the cryptography community
  So far, NTRU’s core technology is still SECURE!!
NTRU…
All operations are done in the ring R
Polynomial multiplication (cyclic convolution product)
** computational complexity is O(N^2) (assuming no FFT)
NTRU…
The width or L∞ norm on R of an element g
The size or L2 norm on R of an element g
g is short if
g is said to be pretty / moderately short if
- Note that the constant value is experimentally determined
…NTRU
Defined by parameters (N, p, q) and sets (Lf, Lg, Lφ, Lm) in R. Note that q >> p and gcd(p, q) = 1.
GEN (key generation algorithm)
  Randomly choose 2 polynomials f, g
  Fq * f ≡ 1 (mod q), Fp * f ≡ 1 (mod p)
  h ≡ Fq * g (mod q)
  (PK, SK) = (h, f)
ENC (encryption algorithm)
  Select m ∈ Lm and randomly select a blinding polynomial φ ∈ Lφ
  e ≡ p * φ * h + m (mod q)
DEC (decryption algorithm)
  a ≡ f * e (mod q), then choose the coefficients of a in the interval from –q/2 to q/2
  m ≡ Fp * a (mod p)
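The GEN/ENC/DEC chain above as an added Python example (not the NTRU authors' code): a toy instance with N = 7, p = 3, q = 32 (constructed parameters, far too small for security), brute-force inverses mod 2 and mod 3, and Hensel lifting for the inverse mod q, so that the centring step and the q >> p requirement can be seen at work. The blinding polynomial is called phi here and the decryption bound holds because the chosen weights keep every coefficient of p*phi*g + f*m inside [-15, 15].

```python
import random
from itertools import product
N, P, Q = 7, 3, 32   # constructed toy parameters: far too small for security
def conv(a, b, mod=None):   # cyclic convolution a * b in Z[X]/(X^N - 1), reduced mod `mod` if given
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] += ai * bj
    return [x % mod for x in c] if mod else c
def center(a, mod):   # DEC step: choose each coefficient in the interval [-mod/2, mod/2)
    return [((x + mod // 2) % mod) - mod // 2 for x in a]
def inverse_mod_prime(f, r):   # brute-force F with F * f = 1 in Z_r[X]/(X^N - 1); fine for N = 7, r in {2, 3}
    one = [1] + [0] * (N - 1)
    return next((list(c) for c in product(range(r), repeat=N) if conv(f, c, r) == one), None)

def inverse_mod_q(f):   # inverse mod q = 2^k: inverse mod 2, then Hensel lifting F <- F * (2 - f * F)
    F, mod = inverse_mod_prime(f, 2), 2
    while F is not None and mod < Q:
        mod = min(mod * mod, Q)
        t = [(-x) % mod for x in conv(f, F, mod)]   # t = -f * F
        t[0] = (t[0] + 2) % mod                      # t = 2 - f * F
        F = conv(F, t, mod)
    return F

def ternary(d1, d2, rng):   # random polynomial with d1 coefficients +1, d2 coefficients -1, the rest 0
    poly = [0] * N
    for idx, pos in enumerate(rng.sample(range(N), d1 + d2)):
        poly[pos] = 1 if idx < d1 else -1
    return poly

def keygen(rng):   # GEN: retry until f has inverses Fp, Fq; h = Fq * g (mod q); (PK, SK) = (h, (f, Fp))
    while True:
        f = ternary(2, 1, rng)
        Fp, Fq = inverse_mod_prime(f, P), inverse_mod_q(f)
        if Fp and Fq:
            return conv(Fq, ternary(1, 1, rng), Q), (f, Fp)

def encrypt(h, m, rng):   # ENC: e = p * phi * h + m (mod q) with a fresh blinding polynomial phi
    phi = ternary(1, 1, rng)
    return [(x + y) % Q for x, y in zip(conv([P * c for c in phi], h, Q), m)]

def decrypt(sk, e):   # DEC: a = f * e (mod q) centred, then m = Fp * a (mod p) centred into {-1, 0, 1}
    f, Fp = sk
    return center(conv(Fp, center(conv(f, e, Q), Q), P), P)

def roundtrip(seed=1):   # GEN, ENC of a random ternary message, DEC; True when m is recovered exactly
    rng = random.Random(seed)
    h, sk = keygen(rng)
    m = [rng.choice((-1, 0, 1)) for _ in range(N)]
    return decrypt(sk, encrypt(h, m, rng)) == m
```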
Security Analysis
  Meet-in-the-middle attacks
  Multiple transmission attacks
  Lattice attacks
    h ≡ Fq * g (mod q)
    f * h ≡ g (mod q) => short!
    Use the LLL lattice basis reduction algorithm to find the shortest vector, r = (f, g)
Comparison
Speed advantage of NTRU over RSA
Can we further improve the speed of NTRU while keeping its security at a comparable level?!!
MaTRU
We propose a new NTRU-based PKC – MaTRU, pronounced “may-true”
  All operations are done in the matrix ring M of k by k matrices with elements in Z[X]/(X^n - 1)
  Fix nk^2 = N, for the same message size as NTRU
  Matrix polynomial multiplication takes time O(n^2 k^3): a speed increase by a factor of O(k) over NTRU
  However, the constant factor is ½, as the linear transformation in MaTRU is a two-sided matrix multiplication
Notations…
…Notations
Permutation matrix, A (and B)
  is a binary matrix that has exactly one 1 in each row and column, with all 0s elsewhere
  forms a multiplicative group of order k (i.e., A^k = I = A^0)
  the set {A^0, A^1, …, A^(k-1)} is linearly independent
…Notations
E.g., if p = 3 & n = 5, L(2) means on average each polynomial has 2 coefficients equal to 1, 2 coefficients equal to -1, and 1 coefficient equal to 0.
Or, if p = 2 & n = 5, L(2) means on average each polynomial has 2 coefficients equal to 1 and the rest equal to 0.
MaTRU-GEN (key generation algorithm)
** h is not short.
MaTRU-ENC (encryption algorithm)
** Coefficients in e are spread over [0, q-1]
MaTRU-DEC (decryption algorithm)
How it works…
In decryption:
In order to simplify this, the matrices involved have to commute!!
BUT, matrix multiplication is NOT generally COMMUTATIVE!!
…How it works
But here they do indeed commute:
…How it works
For appropriate parameter choices, a will be PRETTY SHORT!
Hence we can treat the polynomials in a as having integer coefficients, and reducing a modulo p leaves
f * m * g (mod p)
The plaintext can then be obtained:
d ≡ Fp * a * Gp ≡ m (mod p)
Security Analysis & Results
Security Analysis…
The key (or message) space depends on the 2k polynomials.
…Security Analysis
For p = 2 or 3, the total number of possible key pairs:
Using brute force attacks => (key security)/2
Using meet-in-the-middle attacks => (key security)^(1/2)
Lattice Attacks…
To discover the private key (f, g), or equivalently its 2k coefficient polynomials, the attacker has to find the linear transformation
Tf,g(J): J ↦ f J g
Note that Tf,g(h) = w
Can form a 2nk^2 by 2nk^2 lattice matrix L:
  I = nk^2 by nk^2 identity matrix
  O = nk^2 by nk^2 zero matrix
  Q = n by n diagonal matrix with non-zero element value q
  Hi,j = n by n matrix computed based on (h, A, B), for i, j = 0, 1, …, k-1
…Lattice Attacks
Since the coefficient polynomials of f (index i) and of g (index j) are short, their products will be pretty short.
(the products, w) is in the lattice L = {(T, T(h))}
…Lattice Attacks
The size of the target vector (the products, w):
By the Gaussian heuristic, the expected shortest vector in a random L:
Note that as c_h approaches 1, the LLL algorithm will take a longer time to find the shortest vector!
Parameter choices
Comparison
** note that nk^2 = N
Concluding Remarks
We have introduced the MaTRU cryptosystem:
  its construction
  security analysis & parameter choices
  comparison with the original NTRU
Due to its non-commutative property, MaTRU won’t face the multiple transmission attacks as in NTRU
However, the security analysis is heuristic: any other better attacks??
Results
Future Work
  Construct experiments to further refine the suggested parameters for MaTRU
  Optimization, improvement and cryptanalysis of MaTRU
    – new lattice attack (subdividing L)
    – impact of imperfect decryption