1 September, 2002 doc:.: /386r0 Daniel V. Bailey, William Whyte, Ari Singer, NTRU 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Security Comments on D10] Date Submitted: [September 8, 2002] Source: [Daniel V. Bailey, Product Manager for Wireless Networks, William Whyte, Director of Cryptographic R&D, and Ari Singer, Principal Engineer] Company [NTRU] Address [5 Burlington Woods, Burlington, MA 01803] Voice:[(781) ], FAX: [(781) ], Re: [Draft P /D14] Abstract:[This presentation gives an overview of some recent results on NTRUEncrypt padding.] Purpose:[To familiarize the working group with some security-related comments from LB19.] Notice:This document has been prepared to assist the IEEE P It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. Release:The contributor acknowledges and accepts that this contribution becomes the property of IEEE and may be made publicly available by P

2 September, 2002 doc:.: /386r0 Daniel V. Bailey, William Whyte, Ari Singer, NTRU 2 Public-Key Cryptography in uses two kinds of cryptography: symmetric and public- key Symmetric cryptography used to encrypt bits to be transmitted over the air –AES-CCM the algorithm in Public-key cryptography used during authentication to establish symmetric keys This is done by public-key encrypting two random challenges: one from the DEV and one from the Security Manager Recent research asks: What if the challenges weren’t random? If Ophelia injected two random challenges into your device, and it encrypted one of them, could she tell which was which?

3 September, 2002 doc:.: /386r0 Daniel V. Bailey, William Whyte, Ari Singer, NTRU 3 Padding for public-key cryptosystems What is Padding? –With a public-key cryptosystem, *anyone* can encrypt a message Just use the public key, which is, uh, public –So if I send a message that is “yes” or “no,” you can check which one I sent by encrypting “yes” and “no” both, and matching your resulting encrypted message to my transmitted message –These attacks only work if the attacker can guess the message. They don’t work if the message is random (e.g. a symmetric key, for example) –PADDING is just random data added to the message, so I send “YesXXXXXXXX” and if you encrypt “Yes” and try to match, it won’t match, unless the padding matches also Padding isn’t as simple as the example above – the padding has to be intermixed with the message so that: –Every bit of the padding affects every bit of the message –There are 80 bits of padding for 80-bit security, etc.

4 September, 2002 doc:.: /386r0 Daniel V. Bailey, William Whyte, Ari Singer, NTRU 4 Overview: Results Nguyen and Pointcheval recently published a result about the provable security of NTRUEncrypt padding scheme SVES-1 –Prove that for N=251, individual encrypted messages have at least 2 40 (40-bit) strength, but cannot be proved to have 2 80 strength –Dai has since demonstrated how to construct specific messages that have only 2 40 strength in a specialized attack scenario A Chosen Plaintext Attack where the attacker chooses two messages, you encrypt one, and she tries to tell which one you encrypted –NTRU research team have applied this attack to general messages and a more general attack scenario (Known Plaintext Attack) This attack requires the ‘message space’ to be small The larger the set of messages, the less well the attack works Entirely ineffective against encrypted AES keys, or NTRUEncrypt as used in Analysis of the effectiveness of this attack with non-random messages is still ongoing

5 September, 2002 doc:.: /386r0 Daniel V. Bailey, William Whyte, Ari Singer, NTRU 5 Overview: Recommendations This attack is not practical in any realistic setting –In particular, not effective against –Could carry on using SVES-1 entirely safely NTRU is proposing a new padding scheme –SVES-2 –Almost as efficient as SVES-1 (one more hash function call required) –… but proof of 2 80 strength for individual encrypted messages –Specified in EESS#1 draft 5. ( NTRU Recommendation: switches to use of SVES-2. –No danger from use of SVES-1 –… but no need to interoperate with legacy SVES-1. –All things being equal, it’s better to use schemes that have tighter bounds on their provable security

6 September, 2002 doc:.: /386r0 Daniel V. Bailey, William Whyte, Ari Singer, NTRU 6 Scrutiny of padding methods How are these padding methods arrived at? –Either ad hoc, or by using methods with associated security proofs Proofs give additional level of assurance –RSA ad hoc padding attacked, addressed by use of security proof: ftp://ftp.rsasecurity.com/pub/pdfs/bulletn7.pdf –NTRUEncrypt ad hoc padding attacked, partially addressed by use of security proof: Result this year says NTRUEncrypt padding cannot be proved to offer more than 40-bit security if the message can be dictated by the attacker: –[NP02] Phong Q. Nguyen, David Pointcheval. Analysis and Improvements of NTRU Encryption Paddings. CRYPTO 2002, LNCS 2442, Proposed new padding method has 80-bit provable security

7 September, 2002 doc:.: /386r0 Daniel V. Bailey, William Whyte, Ari Singer, NTRU 7 NTRUEncrypt padding and Padding-based attacks work when the encrypted message is guessable (so-called “chosen-plaintext” attacks and dictionary, or “known-plaintext” attacks) or modifiable (“chosen-ciphertext’ attacks) Padding-based attacks don’t work when the original message is random (e.g. symmetric security keys) and the attacker can’t modify the ciphertext This new attack is not a threat to (using NTRUEncrypt SVES-1), because in the public-key cryptosystem encrypts a symmetric key and because SVES-1 ciphertexts cannot be modified [NP02] However, NTRU still recommends the use of the system with tighter security proofs as good practice.