PROPRIETARY AND CONFIDENTIAL Variation in Breaking Times for NTRU and Other Cryptosystems William Whyte, Joseph H. Silverman, NTRU Cryptosystems, March.

Slides:



Advertisements
Similar presentations
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIAL Analysis of NTRUEncrypt Paddings.
Advertisements

Break-even ‘SPLAT!!!’. is all the money that comes into a business. Many businesses keep their money in a bank account that pays them a regular income..
Data Encryption Standard (DES)
Slide 5-2 Copyright © 2008 Pearson Education, Inc. Chapter 5 Probability and Random Variables.
Slide Slide 1 Copyright © 2007 Pearson Education, Inc Publishing as Pearson Addison-Wesley. Lecture Slides Elementary Statistics Tenth Edition and the.
Topic 6: Introduction to Hypothesis Testing
Scenario  You have last week’s closing stock price for a particular company. You are trying to place a value to a European call option which expires a.
Chapter 4 Probability Distributions
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
Experimental Evaluation
Copyright © 2009 Pearson Education, Inc. CHAPTER 5: Exponential and Logarithmic Functions 5.1 Inverse Functions 5.2 Exponential Functions and Graphs 5.3.
1 NTRU: A Ring-Based Public Key Cryptosystem Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman LNCS 1423, 1998.
1 Chapter 10 Correlation and Regression We deal with two variables, x and y. Main goal: Investigate how x and y are related, or correlated; how much they.
Lecture 3: Cryptographic Tools modified from slides of Lawrie Brown.
Copyright © 2010, 2007, 2004 Pearson Education, Inc. All Rights Reserved Section 10-3 Regression.
Reading Strategies ‘Unlocking the Text’. Revenue is all the money that comes into a business. Interest: Many businesses keep their money in a bank account.
Calculating Discrete Logarithms John Hawley Nicolette Nicolosi Ryan Rivard.
Sociology 5811: Lecture 7: Samples, Populations, The Sampling Distribution Copyright © 2005 by Evan Schofer Do not copy or distribute without permission.
Copyright © 2010, 2007, 2004 Pearson Education, Inc. All Rights Reserved Section 10-1 Review and Preview.
Copyright © Cengage Learning. All rights reserved.
Number Sense Standards Measurement and Geometry Statistics, Data Analysis and Probability CST Math 6 Released Questions Algebra and Functions 0 Questions.
Evidence Based Medicine
McGraw-Hill/IrwinCopyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. Chapter 7 Sampling Distributions.
McGraw-Hill/Irwin Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved. Chapter 6 Sampling Distributions.
Copyright © 2010, 2007, 2004 Pearson Education, Inc. All Rights Reserved. Chapter 5 Discrete Probability Distributions 5-1 Review and Preview 5-2.
Slide 1 Copyright © 2004 Pearson Education, Inc..
Chapter 7 Estimates and Sample Sizes
General Key Management Guidance. Key Management Policy  Governs the lifecycle for the keying material  Hope to minimize additional required documentation.
Organic Chemistry Second Edition Chapter 3 David Klein Acids and Bases
Slide Slide 1 Copyright © 2007 Pearson Education, Inc Publishing as Pearson Addison-Wesley. Lecture Slides Elementary Statistics Tenth Edition and the.
Copyright © 2010, 2007, 2004 Pearson Education, Inc. All Rights Reserved Lecture Slides Elementary Statistics Eleventh Edition and the Triola.
Psy B07 Chapter 4Slide 1 SAMPLING DISTRIBUTIONS AND HYPOTHESIS TESTING.
AP STATISTICS LESSON 10 – 2 DAY 1 TEST OF SIGNIFICANCE.
Quest Review Unit 2. Get same bases; set exponents = 1. 2 x = x = 2 7 x = 7 2.  3 x = /2x = 3 5 1/2x = 5 x = x = x = 2 5 x.
Copyright © 2010, 2007, 2004 Pearson Education, Inc. All Rights Reserved Section 8-3 Testing a Claim About a Proportion.
Confidence intervals are one of the two most common types of statistical inference. Use a confidence interval when your goal is to estimate a population.
Copyright © 2010 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin Chapter 7 Sampling Distributions.
Slide Slide 1 Copyright © 2007 Pearson Education, Inc Publishing as Pearson Addison-Wesley. Lecture Slides Elementary Statistics Tenth Edition and the.
PROPRIETARY AND CONFIDENTIAL Lattice Breaking Times William Whyte NTRU Cryptosystems March 2004.
STRONG security that fits everywhere. P D5 Overview William Whyte NTRU Cryptosystems December 2005.
Parameter Changes and Standard Status William Whyte, NTRU Cryptosystems.
© 2008 Pearson Addison-Wesley. All rights reserved Chapter 5 Statistical Reasoning.
Section Copyright © 2014, 2012, 2010 Pearson Education, Inc. Lecture Slides Elementary Statistics Twelfth Edition and the Triola Statistics Series.
Segmented Hash: An Efficient Hash Table Implementation for High Performance Networking Subsystems Sailesh Kumar Patrick Crowley.
Issues concerning the interpretation of statistical significance tests.
A paper by: Paul Kocher, Joshua Jaffe, and Benjamin Jun Presentation by: Michelle Dickson.
Information Assurance Management Cryptographic Techniques Week 12-2.
Copyright © 2010, 2007, 2004 Pearson Education, Inc. All Rights Reserved. Section 7-4 Estimating a Population Mean:  Not Known.
Copyright © 2005 Pearson Education, Inc. Slide 6-1.
Section 12.3 Logarithmic Functions Review 2 = 4 2 = 8 2 = 13 2 = This is a pretty good approximation to the answer, but it is not the EXACT.
Section 5.5 Solving Exponential and Logarithmic Equations Copyright ©2013, 2009, 2006, 2001 Pearson Education, Inc.
STRONG security that fits everywhere. NTRUSign and P William Whyte,
Ch 8 Estimating with Confidence 8.1: Confidence Intervals.
Chapter 5 Probability Distributions 5-1 Overview 5-2 Random Variables 5-3 Binomial Probability Distributions 5-4 Mean, Variance and Standard Deviation.
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIAL NTRUSIGN TECHNICAL OVERVIEW NTRUSign: Digital Signatures in the NTRU Lattice Jeff Hoffstein,
Slide 1 Copyright © 2004 Pearson Education, Inc. Chapter 5 Probability Distributions 5-1 Overview 5-2 Random Variables 5-3 Binomial Probability Distributions.
Statistical Decision Making. Almost all problems in statistics can be formulated as a problem of making a decision. That is given some data observed from.
1 Chapter 10 Statistical Inference: One- Sample Hypothesis Test IScientific Hypothesis A testable supposition that is tentatively adopted to account for.
Chapter 5: Integration Section 5.1 An Area Problem; A Speed-Distance Problem An Area Problem An Area Problem (continued) Upper Sums and Lower Sums Overview.
Logarithmic Functions
The normal distribution
Inferential Statistics Inferences from Two Samples
Elementary Statistics
NTRUSign Parameters Challenge
Lecture Slides Elementary Statistics Eleventh Edition
3.1 Section 2.2 Average and Instantaneous Rate of Change
unit Measurement number 42.5 g 1.05 mL 16 cm measurement:
3. Use an in-line sensor to sense when the effects of tool wear...
Module Recognition Algorithms
Presentation transcript:

PROPRIETARY AND CONFIDENTIAL Variation in Breaking Times for NTRU and Other Cryptosystems William Whyte, Joseph H. Silverman, NTRU Cryptosystems, March 2004

PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © What started all this?  The following slide, presented at the August P1363 meeting…

PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © Lattice Strength  The lower a and c, the faster reduction algorithms run.  Run experiments at a and c much lower than those obtained for our parameter sets. –a = 0.535, c = 1.73; –Breaking time goes as N MIPS-years.  N = 251 ==> 1.37*10 13 MIPS-years, taking “zero-forcing” into account. –80-bit security: ~10 12 MIPS-years  Trend is concave upwards, and actual NTRU lattice is stronger than this: estimate is quite conservative.  Paper available on X9 website

PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © A question about the graphs  The points come from ten runs at each N value  But if log is log 10, then there are cases where the weakest key is 100 times weaker than the average  Can we really claim k-bit security in this case?

PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © The answer!  In the graphs shown, log is ln, not log 10.  Weakest keys break 7 times faster than average, not 100  Not clearly mad, but is it reasonable?

PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © What variation is reasonable for running times?  Consider the following strategy for an attack on any cryptosystem where we know the average running time is T: –Set a cutoff time of C for some C<T –For keys 1…k, try to break each key. –If a given key is not broken by the cutoff time, abort that breaking run  If the variation is such that one key in T/C has breaking time less than C, this will break a single key in time less than T.  In the rest of this presentation, we apply this strategy to different cryptographic problems and observe how it works.

PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © Notation and Overview  Denote by E(M K ) the expected minimum breaking time on K keys.  Typically, we can approximate E(M K ) as K -s(A)  s(A) is the stability exponent for the algorithm  Running time of ‘cutoff algorithm’ is CK ~ K E(M K ) ~ K.K -s(A) ~ K 1-s(A)  So if s(A) > 1, cutoff algorithm helps; otherwise, it doesn’t  Formal definition of s:

PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © Stability Exponent for Symmetric Systems  If we have N possible keys –the chance that we find a key after exactly t attempts is 1/N –the chance that we find a key in t or fewer attempts is t/N  We show that E(M K ) ~ 2/K –So lim (log(E(M K ))/log(K)) = 1 –Cutoff algorithm neither helps nor hinders

PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © Stability Exponent for Collision Algorithms  Collision Algorithms – algorithms like Pollard-rho  Normalized running time is given by  E(M K ) is given by  And stability exponent = ½ –Cutoff strategy doesn’t help

PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © Stability Exponent for Lattice Reduction  Here, have to obtain E(M K ) experimentally –100 runs at different lattice dimensions

PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © Stability Exponent for Lattice Reduction (2)  Approximate stability exponent with  For c = 1.73, a = 0.53, we find DimKMeanMinS

PROPRIETARY AND CONFIDENTIALNTRU CRYPTOSYSTEMS, INC. COPYRIGHT © Stability Exponent for Lattice Reduction: Conclusions  At measurable dimensions, stability exponent is very low –Lower than for other cryptosystems  It seems to be increasing as dimension increases –However, it would have to increase considerably for the cutoff strategy to be of any use  Conclusion: standard measures of security, based on average running times, are appropriate measures for NTRU lattices.  Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.