Parameter Changes and Standard Status William Whyte, NTRU Cryptosystems
Overview Attack from Crypto 2007: details Isodual lattice reduction P status and schedule
Attack NTRU keys are defined by h = public key, N coefficients uniformly distributed mod q f = private key f * h mod q = g, both f and g are small (binary / trinary) We can brute-force f: try all possible values until we find an f s.t. f*h is small Or, since f = f1 + f2, we can try all possible f1*h and f2*h and file the results –Then if f1*h is “close to” -f2*h, (f1+f2)*h will be small –This “combinatorial attack” allows us to trade off running time against memory –If memory is free the optimal result is to (roughly) square root the running time
Brute force attack in linear algebra terms Add {-1, 0, 1} * each rotation of h = (5, 17, 22, 9, 11) Reduce mod q = 32 Stop when the result (= g) is small (trinary or binary)
Improving brute force attack with lattice reduction Add {-1, 0, 1} * each of the top 4 rows to get vector G. Reduce G mod (8, *, *, *, *, *) –ie add/subtract row 5 until first coeff is < 8 Reduce G mod (0, 16, *, *, *, *) –ie add/subtract row 6 until second coeff is < 16 Reduce all other coeffs of G mod 32 Stop when G is small (= g)
Improving brute force attack with lattice reduction: analysis Why is this an improvement? –Brute force search is exponential in N –Reducing search space even by 1 dimension greatly reduces search time Tradeoffs? –Attacker is assuming that reducing mod 4 will help find the shortest vector – ie that that coefficient of the shortest vector is shorter than 2 –This could be wrong: short vector could possibly be a rotation that has 2.1 in that position –The lower the diagonal coefficient is, the greater the risk that “weak reduction” will give the wrong answer –The attacker wants to (a) reduce the number of {-1, 0, 1}s in the right column and (b) only perform weak reduction with sufficiently large diagonal values. This technique can also be used to speed up combinatorial attacks.
Combined lattice and combinatorial attack Consider N=251 key of form (f, g) where –f is binary, with df = 48 1s –g is binary with 125 1s Combinatorial attack takes (N/2 pick df/2) time Say we perform lattice reduction so that we can weakly reduce on 10% of the top N rows instead of having to binary-search them Then we can perform a combinatorial search taking time ((90%*N/2) pick (90%*df/2)) time For the figures above this reduces search operations from 2 84 to 2 74 –A net saving so long as lattice reduction time is < 2 74 operations As lattice reduction time goes up, combinatorial search time goes down Two lines cross at operations –Weakly reduce against 65 rows, combinatorial search in the remaining 186.
How to defend? For k bits of security –Determine experimentally how many q-vectors can be consumed for a given value of q with k bits of lattice reduction effort Call this N1 –For a given N and df, remaining combinatorial effort is approx ((N-N1) pick (df *(N-N1)/N)) Actually slightly smaller as some rotations of f will leave fewer than (df*(N-N1)/N) coefficients to pick –Pick K, d s.t. (K pick d) gives required level of combinatorial security –Then N = N1+K, df = d *(N/(N-N1)) will give k bits of combinatorial security *after* k bits of lattice reduction
New parameter sets Change: take p = 3, q = power of 2. –Previous drafts had p = 2, q prime –p = 3, q = power of 2 were used in the first proposed NTRU parameter sets Security considerations for (p = 3, q = power of 2) and (p = 2, q prime) not known to be different –Keys are now trinary, with df 1s, df -1s, (N-2df) 0s. Product form: F = f1*f2+f3, each with df’ 1s and -1s, s.t. df’*df’+df’ = df –Combinatorial goes from (N/2 pick df/2) to (N pick df) –Running time goes from df*N to 2*df*N
Calculating lattice security Lattice reduction algorithm: Blockwise Korkine-Zolotarev (BKZ) –No theoretical bound on running time; need to find running times experimentally –Fundamental parameter: blocksize b BKZ uses exhaustive search to find the actual shortest vector in each sublattice of dimension b The larger b is, the greater the chance that this is also the shortest vector in the entire lattice For each value of q: –Generate an NTRU lattice of high dimension –Run BKZ on the central section of that lattice for blocksize b = 2, 3, 4, … –Plot q-vectors consumed v running time 2N Reduced with b = 2 Reduced with b = 3 qh 1
Results Running time goes as b b for blocksize b Number of q-vectors consumed is linear in b As q increases, number of q- vectors consumed for a given b also increases Graph plots q-vectors removed v bits of effort –upward curve – slightly more than exponential running time Fit (b log b) line to the graph, then take the tangent at the last data point
Isodual lattice reduction Incremental improvement in lattice reduction techniques that appears to lower slope of extrapolated lattice reduction time line. Results to be posted on ePrint before 10/30 Requires additional small increase in lattice dimension to maintain security
Anticipated parameter sets kN previous N dfdf’ops previous ops q
To do Complete migration of supporting algorithms from binary to trinary Complete update of security considerations Complete specification of parameter generation algorithm ETA: 10/31