Cryptanalysis of the Revised NTRU Signature Scheme (NSS) Craig Gentry (DoCoMo) Mike Szydlo (RSA)

Slide 2: A Brief History of NSS
- "Preliminary NSS": presented at the Crypto 2000 rump session. Broken by Mironov, and by the inventors.
- NSS in the Eurocrypt 2001 proceedings: forgery / key recovery attacks presented at the Eurocrypt rump session by Gentry, Jonsson, Stern, and Szydlo. This motivated new key-gen, sign, and verify procedures.
- "Revised" NSS: sketched at Eurocrypt 2001, details in the EESS document (May). Still insecure: we give key recovery attacks.

Slide 3: Revised NSS, Details
- The basic elements are polynomials. The full (unreduced) ring is Z[x]/(x^N - 1) with N = 251 (its elements are also called cyclotomic integers). Multiplication in the ring is also called convolution.
- Auxiliary rings and polynomials: the truncated polynomial ring Z[x]/(x^N - 1) mod 128. A "small polynomial" has only {-1, 0, 1} coefficients.

Slide 4: Key Generation
- Private components: f1, g1, u in Z[x]/(x^N - 1) are small polynomials (with a standardized number of {-1, 0, 1} coefficients). Compute f = 3*f1 + u and g = 3*g1 + u. Let v be the small polynomial with u*v = 1 (mod 3). The private key components are (f, g, v).
- Public components: let f_inv be a polynomial with f*f_inv = 1 (mod 128). Let h be f_inv*g (mod 128). The public key is h.

Slide 5: Signature
- The signature (s, t) is computed from f, g, v and the message m.
- Algorithm: let w1, w2 be random small masking polynomials (generated by a sub-algorithm). Let w0 be the small polynomial with w0 = (m + w1) (mod 3). Let s = f*(w0 + 3*w2) (mod 128) and t = g*(w0 + 3*w2) (mod 128). The signature is (s, t). (Note that t is also publicly computable from s and h.)

Slide 6: Verification
- Multiple tests, including norm conditions and distribution tests.
- Norm conditions (using division modulo 128 and the centered norm): |(s - m)/p| < B and |(t - m)| < B; |(s - t)/p| < B2 and |(t - m)| < B.
- Distribution tests: "Mod 3" bounds the number of coefficients of s and t (mod 3); "Quartile" bounds the number of coefficients in [-64, 64]. Thus s and t appear to come from the right distribution.

Slide 7: Lifting the Signatures
- Design motivation for the reduction mod q: hide more information about f and g. The only known lattice was of dimension 2N (the NTRU lattice); "unreduced" signatures would allow dimension-N attacks. For "equivalent" security, use half the key size.
- Lifting technique: apply the CRT to the congruences f*w = m + w1 (mod 3) and s = f*w (mod 128), where w = w0 + 3*w2. The unknown w1 coefficients are mostly 0.
- Result: we nearly have the lifted multiples f*w and g*w. The approximations have about 25 errors (out of 251).
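As an added illustration (not code from the slides or from the NSS authors), here is a toy version of slides 4 to 7 with N = 7 instead of 251: key generation, signing, the check that t follows from s and h, and the CRT lift of slide 7. It assumes that v is multiplied into (m + w1) when w0 is formed (slide 5 omits this, but without it slide 7's congruence f*w = m + w1 (mod 3) would not hold), and the coefficient counts of the small polynomials are made up.

```python
import itertools, random
# Toy parameters for this added example; the slides use N = 251, q = 128, p = 3.
N, Q, P = 7, 128, 3
ONE = [1] + [0] * (N - 1)

def conv(a, b, mod=None):  # multiply in Z[x]/(x^N - 1): cyclic convolution
    c = [sum(a[i] * b[(k - i) % N] for i in range(N)) for k in range(N)]
    return [x % mod for x in c] if mod else c

def centered(a, mod):  # reduce coefficients into the centered range [-mod/2, mod/2)
    return [((x + mod // 2) % mod) - mod // 2 for x in a]

def small_poly(rng, ones, neg):  # random {-1,0,1} polynomial with fixed +1 / -1 counts
    return rng.sample([1] * ones + [-1] * neg + [0] * (N - ones - neg), N)

def inverse_mod_prime(f, p):  # brute force is fine at toy N; real code uses ext. Euclid
    cands = (list(c) for c in itertools.product(range(p), repeat=N) if conv(f, c, p) == ONE)
    return next(cands, None)

def inverse_mod_q(f):  # mod-2 inverse, then Hensel-lift c <- c*(2 - f*c) up to Q = 2^k
    c, m = inverse_mod_prime(f, 2), 2
    while c and m < Q:
        m *= m
        c = conv(c, [(2 * o - x) % m for o, x in zip(ONE, conv(f, c, m))], m)
    return c and [x % Q for x in c]

def keygen(rng):  # slide 4: f = 3*f1 + u, g = 3*g1 + u, v = u^-1 (mod 3), h = f^-1 * g (mod 128)
    while True:
        f1, g1, u = small_poly(rng, 2, 2), small_poly(rng, 2, 2), small_poly(rng, 2, 1)
        f, g = ([3 * a + b for a, b in zip(x, u)] for x in (f1, g1))
        v, f_inv = inverse_mod_prime(u, P), inverse_mod_q(f)
        if v and f_inv:  # retry until u is a unit mod 3 and f is a unit mod 128
            return (f, g, v), conv(f_inv, g, Q)

def sign(priv, m, rng):  # slide 5; v is applied to m + w1 (assumption) so that f*w = m + w1 (mod 3)
    f, g, v = priv
    w1, w2 = small_poly(rng, 1, 1), small_poly(rng, 2, 2)
    w0 = centered(conv(v, [a + b for a, b in zip(m, w1)], P), P)
    w = [a + 3 * b for a, b in zip(w0, w2)]
    return centered(conv(f, w), Q), centered(conv(g, w), Q), conv(f, w), w1

def lift(s, m):  # slide 7: CRT on s = f*w (mod 128) and f*w = m (mod 3); exact where w1 is 0
    return [next(x for x in (si - Q, si, si + Q) if (x - mi) % P == 0) for si, mi in zip(s, m)]

def demo(seed=1):  # returns (lift errors, nonzero coefficients of w1); the two coincide
    rng = random.Random(seed)
    priv, h = keygen(rng)
    m = small_poly(rng, 2, 2)
    s, t, fw, w1 = sign(priv, m, rng)
    assert centered(conv(s, h, Q), Q) == t  # t is publicly computable from s and h
    return sum(a != b for a, b in zip(lift(s, m), fw)), sum(1 for x in w1 if x)
```

At this toy size every coefficient of f*w fits in the CRT range, so the lift is wrong exactly at the positions where w1 is nonzero; at N = 251 the slides report about 25 such errors per signature.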

Slide 8: Finishing the Lifting
- Goal: find f*w and g*w error-free. Take a short transcript of signatures.
- Observation: for correct liftings we know (f*w_i)*(g*w_j) - (f*w_j)*(g*w_i) = 0, so S_i*T_j - S_j*T_i measures the errors.
- Iterative error correction: choose the correction to (S_i, T_i) that sends S_i*T_j - S_j*T_i closest to 0.
- 4 signatures, 25 seconds: we get the unreduced signatures (S_i, T_i).

Slide 9: We Could Stop Here
- By finding the unreduced f*w and g*w, we have already broken revised NSS.
- A dimension-N lattice (instead of 2N) is exponentially easier to reduce.
- w is GCD.

Slide 10: Computing f*f_rev Quickly
- We average signatures to obtain f*f_rev approximately: averaging S*S_rev approximates f*f_rev, and it converges quickly!
- We use the approximation in an N/2-dimensional CVP lattice. With < 10 signatures (to obtain the approximation), LLL gives us f*f_rev exactly.

Slide 11: A Polynomial-time Approach
- The textbook GCD approach appears to be exponential in N. Our approach is polynomial in N (after experimentally very fast preliminary steps).
- Preliminary (fast) step: compute f*f_rev. Polynomial step: use f*f_rev and f*w to compute f.
- Running times: fast step, less than 1 minute for the suggested parameters; polynomial step, not implemented, but provably O(N^7).

Slide 12: Get f from f*f_rev and f*w in Polynomial Time
- We help LLL: it does not always find the shortest vector!
- Fact: f^(p-1) ≡ 1 (mod p) for a prime p ≡ 1 (mod N).
- Use LLL to get f^(p-1)*a. We know a (mod p), and thus maybe a exactly. Compute f^(p-1). It is not difficult to compute f from a power of f.
- This algorithm is efficient because LLL does not have to find the shortest vector in the lattice.

Slide 13: Other Attacks
- The polynomial attack shows that one can't just increase the key size.
- Alternate attacks using lattices might be more efficient: compute the ratio g/f in Z[x]/(x^N - 1) mod Q; a bigger Q improves the lattice constants. This can be translated into a traditional knapsack.
- Gram matrix attack (find the circulant M_f): a known matrix M defines GCD(f). Let G = U*U_rev = U F M_(1/(f*f_rev)) F_rev U_rev. Factor G with "modular-Gram-LLL".

Slide 14: Conclusion
- These attacks render revised NSS (with the suggested parameters) very weak.
- We have presented a 3-stage attack: the first 2 stages are very fast and use about 10 signatures; the last stage is polynomial in N.
- The first stage alone is enough to dramatically reduce its security.