NTRUSign Parameters Challenge STRONG security that fits everywhere

  • Slides: 5
Download presentation
NTRUSign Parameters Challenge STRONG security that fits everywhere. William Whyte NTRU Cryptosystems, Inc. PROPRIETARY

NTRUSign Parameters Challenge STRONG security that fits everywhere. William Whyte NTRU Cryptosystems, Inc. PROPRIETARY AND CONFIDENTIAL

Ground Rules STRONG security that fits everywhere. § What’s a break? – We’re going

Ground Rules STRONG security that fits everywhere. § What’s a break? – We’re going to say things have a certain security level. – Anything below that IS A BREAK. – If we say 80 bits and it’s 79 bits, that’s a break. § Cash prizes for break: – There are no cash prizes for a break. PROPRIETARY AND CONFIDENTIAL NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005

NTRUSign STRONG security that fits everywhere. § Pick two short polynomials (f, g) in

NTRUSign STRONG security that fits everywhere. § Pick two short polynomials (f, g) in ring R = Z[X]/(XN-1) § Find (F, G) s. t. f*G – g*F = q, q an integer (power of 2) § Then is an R-module / lattice with det q and a basis vectors of length N 1/2, N: private key § And , h = g/f mod q, is an R-module / lattice with a basis of vectors of length N 3/2: public key § Signing: message is point, solve CVP for this point using good basis. § Verification: check signature is in lattice (using bad basis) and close to message point. PROPRIETARY AND CONFIDENTIAL NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005

Lattice Reduction STRONG security that fits everywhere. § Speed of lattice reduction depends on

Lattice Reduction STRONG security that fits everywhere. § Speed of lattice reduction depends on size of good basis v expected size of short vector in lattice with given determinant. § For ((f g) (F G)) lattice, N = 251 gives 80 -bit security. § But if we swap g and F: – Determinant is still f. G-g. F = q, but (f F) is much bigger than (f g) – Get greater lattice security at lower dimensions! – For free! § (remember: no cash prizes) PROPRIETARY AND CONFIDENTIAL NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005

Improved Parameter Sets STRONG security that fits everywhere. § Up now at http: //www.

Improved Parameter Sets STRONG security that fits everywhere. § Up now at http: //www. ntru. com. . . § k: security level; d: f consists of d+1 +1 s, d -1 s, and (N-2 d-1) 0 s; beta: signature normalization factor; Norm: how close you have to be for a signature to pass § tau: attacker requires >> 2tau signatures to recover private key. § Have at them! k 80 112 128 160 192 256 N 157 197 223 263 313 349 PROPRIETARY AND CONFIDENTIAL d 29 28 32 45 50 75 q 256 256 512 512 beta 0. 384 0. 514 0. 655 0. 315 0. 406 0. 185 Norm 150. 02 206. 91 277. 52 276. 53 384. 41 368. 62 tau 31. 9 32. 2 31. 2 34. 9 35. 6 38. 9 NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005

NTRUSign Parameters Challenge STRONG security that fits everywhereNTRUSign Parameters Challenge STRONG security that fits everywhere
Challenge Challenge Challenge Challenge Challenge Challenge Challenge ChallengeChallenge Challenge Challenge Challenge Challenge Challenge Challenge Challenge
LIMITS FITS AND TOLERANCES NEED OF LIMITS FITSLIMITS FITS AND TOLERANCES NEED OF LIMITS FITS
EML 2023 Clearance Fits Lecture 2 Clearance FitsEML 2023 Clearance Fits Lecture 2 Clearance Fits