MaTRU A New NTRU-Based Cryptosystem - PowerPoint PPT Presentation

About This Presentation
Title:

MaTRU A New NTRU-Based Cryptosystem

Description:

MaTRU A New NTRU-Based Cryptosystem Bok Min Goi Centre for Cryptography and Information Security (CCIS) Multimedia University, Cyberjaya, Malaysia – PowerPoint PPT presentation

Number of Views:258
Avg rating:3.0/5.0
Slides: 37
Provided by: coglianes
Category:

less

Transcript and Presenter's Notes

Title: MaTRU A New NTRU-Based Cryptosystem


1
MaTRUA New NTRU-Based Cryptosystem
BokMin Goi Centre for Cryptography and
Information Security (CCIS) Multimedia
University, Cyberjaya, Malaysia
Michael Coglianese Macgregor, 321 Summer Street,
Boston MA, USA
The Sixth International Conference on Cryptology
(INDOCRYPT 2005) Indian Institute of Science,
Bangalore, India, December 10-12, 2005
2
Outline
  • Introduction
  • Notation
  • Overview of the original NTRU PKC
  • Our New NTRU-based PKC ? MaTRU
  • Construction
  • How it works
  • Security Analysis Results
  • Brute force and lattice attacks
  • Parameter choices
  • NTRU vs. MaTRU
  • Concluding Remarks

3
Introduction
4
Introduction
  • Revolution in cryptography in 1976, Diffie and
    Hellman present the idea of public key
    cryptosystem
  • To provide non-repudiation service and solve key
    distribution problems

5
Introduction
  • RSA PKC (1978)
  • based on integer factorization problem
  • McEliece PKC (1978)
  • based on algebraic coding theory
  • ElGamal PKC (1984)
  • based on discrete log problem (DLP)
  • ECC PKC (1987)
  • based on the intractability of elliptic curve DLP
  • Variants of Matsumoto-Imai PKC (1988)
  • based on the systems of multivariable polynomials

6
Introduction...
  • Problems
  • Most of them are too slow and need large memory
    footprint
  • Not suitable for low cost devices
  • RFID, smardcards, mobile devices

7
NTRU
  • NTRU, pronounced as aint true , by J.
    Hoffstein, J. Pipher and J. Silverman
  • At rump session of CRPYTO 96 and then full paper
    in ANTS III (LNCS1423,1998)
  • Based on properties of short polynomials over
    polynomial rings
  • Less resources fast operating, but larger
    message expansion
  • Have been studied comprehensively in cryptography
    communities
  • So far, NTRUs core technology is still SECURE!!

8
NTRU
  • All operations are done in

9
NTRU
  • The width or L8 norm on R of an element g
  • The size or L2 norm on R of an element g

10
NTRU
Defined by parameters (N, p, q ) and sets (Lf ,
Lg , L? , Lm ) in R.Note that q gtgt p and
g.c.d.(p,q) 1.
GEN (key generation algorithm) Randomly choose 2
polynomials f, g Fq f ? 1 (mod q
), Fp f ? 1 (mod p )
h ? Fq g (mod q )
(PK, SK ) (h, f )ENC (encryption
algorithm)Select m? Lm and randomly select ? ?
L?. e ? p ?
h m (mod q )DEC (decryption algorithm)
a ? f e (mod q )Then
choose the coefficient of a in the interval from
q/2 to q/2 m ? Fp a
(mod p )
11
Security Analysis
  • Meet-in-the-Middle attacks
  • Multiple Transmission attacks
  • Lattice attacks
  • h ? Fq g (mod q)
  • f h ? g (mod q) gt short!

Use LLL lattice basic reduction algorithm to find
the shortest vector, r (?f,g)
12
Comparison
Speed Advantage of NTRU over RSA
13
Can we further improve the speed of NTRU while
keeping its security at comparative level?!!
14
MaTRU
15
MaTRU
  • We propose a new NTRU-based PKC MaTRU
  • pronounced as may-true
  • All Operations are done in matrix ring, M of k by
    k matrices of elements in ZX/(Xn-1)
  • fix nk2 N, for same message size with NTRU
  • Matrix polynomial multiplication takes time
    O(n2k3)
  • speed increase by a factor of O(k) over NTRU
  • however the constant factor is ½, as the linear
    transformation in MaTRU is a
  • two-sided matrix multiplication

16
Notations
17
Notations
  • Permutation matrix, A (and B)
  • is a binary matrix that has exactly one 1 in each
    row and column with all 0s elsewhere
  • forms a multiplicative group of order k (i.e., Ak
    I A0)
  • the set A0, A1, , Ak-1 are linearly
    independent, i.e.,

18
Notations
  • E.g., if p3 n5, L(2) means on average each
    polyn. has 2 coefficients equal to 1, 2
    coefficients equal to -1, and 1 coefficients
    equal to 0.
  • Or, if p2 n5, L(2) means on average has 2
    coefficients equal to 1, and the rest equal to 0.

19
MaTRU-Gen
GEN (key generation algorithm)
h is not short.
20
MaTRU-ENC
ENC (encryption algorithm)
Coefficients in e are spread over 0, q-1

21
MaTRU-DEC
DEC (decryption algorithm)
22
How it works
  • In decryption
  • In order to simplify it become,

have to be commutative!!
BUT, matrix multiplication is NOT generally
COMMUTATIVE!!
23
How it works
  • But, here do
    indeed commute

24
How it works
  • Hence, we can treat the polynomials in a having
    coefficients in integer, where a modulo p,
    leaving f m g (mod p)

25
Security Analysis Results
26
Security Analysis
  • The key (or message) space depends on the 2k
    polynomials.

27
Security Analysis
  • For p 2 or 3, the total number of possible key
    pairs,
  • Using brute force attacks
  • gt (key security)/2
  • Using meet-in-the-middle attacks
  • gt (key security)1/2

28
Lattice Attacks
  • To discover the private key (f,g) or (?i, ?i),
    the attackers has to find the linear
    transformation
  • Tf,g (J) J ? f ? J ? g
  • Note that Tf,g (h) w
  • Can form a 2nk2 by 2nk2 lattice matrix L

29
Lattice Attacks
  • Since ?i, and ?j are short, ?i ?j will be pretty
    short.
  • (?i ?j , w) is in the lattice L (T, T(h))

30
Lattice Attacks
  • The size of the target vector (?i?j, w)

31
Parameter
32
Comparison
note that nk2 N
33
Concluding Remarks
34
Results
  • We have introduced the MaTRU cryptosystem
  • its construction
  • security analysis parameter choices
  • comparison with the original NTRU
  • Due to non-commutative property, MaTRU wont face
    the multiple transmission attacks as in NTRU
  • However, the security analysis is heuristic
  • any other better attacks??

35
Future Work
  • Construct experiment to further refine the
    suggested parameters for MaTRU
  • Optimizing, improvement and cryptanalysis of
    MaTRU
  • new lattice attack (subdividing L)
  • impact of imperfect decryption

36
Thank you
for your attention!!
Write a Comment
User Comments (0)
About PowerShow.com