STRONG security that fits everywhere. NTRUSign and P1363.1 William Whyte, 2006-04-11.


STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2006

Summary
• There’s a paper at Eurocrypt that presents an attack on one flavor of NTRUSign
  – recommends a different flavor and it’s not clear whether this attack applies to the flavor
• It seems appropriate to take some time to investigate this attack properly
• In order not to slow down NTRUEncrypt standardization, suggest separating NTRUSign into a a standard and moving ahead with NTRUEncrypt in

NTRUSign
• Sign a message by applying the private key to it
  – This gradually leaks information about the private key
  – Important to quantify information leakage
• Signing produces a lattice point that is close to the message
• Verification:
  – Check that the signature is a lattice point
  – Check that it is sufficiently close to the message
• Private key is a good lattice basis
• Public key is a bad lattice basis
  – lets you check that points are in the lattice…
  – … but if you “sign” with it, error is much bigger than with private key

Two flavors of signing
• Unperturbed:
  – Hash the message to a point using a public hash function
  – Apply the private key
• Perturbed:
  – Hash the message to a point using a public hash function
  – Apply a private perturbation function to move the message point slightly
    • “perturbed message point”
  – Apply the private key to the perturbed message point

In pictures (note: animation)
[Figure: unperturbed signing versus perturbed signing (apply perturbation, then sign perturbed point)]

Differences between perturbed and unperturbed signatures
• Perturbed signatures are bigger
  – Advantage of private key over public key is smaller
  – Requires larger keys for same security against forgery
• Perturbed signatures are drawn from a more complicated distribution
  – Unperturbed signatures lie within a parallelepiped
  – Distribution can be transformed to a hypercube and symmetries exploited
  – Eurocrypt attack consists of transforming to a hypercube and finding a diagonal of the hypercube
  – No such transformation possible for perturbed case
    • Distribution much more like a sphere
  – Need to perform higher-moment averages and eliminate perturbations using linear algebra
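The sign/verify mechanics from the NTRUSign slide and the parallelepiped remark above can be seen in a two-dimensional toy lattice. This is an added example, not code from the slides or from NTRU: the bases `B`, `H` and `P` are constructed values, message points are taken as already hashed, and modelling the perturbation as rounding to a second private lattice `P` is an assumption of the sketch.

```python
from fractions import Fraction

B = ((7, 1), (-2, 8))     # private key: short, nearly orthogonal basis (constructed)
H = ((27, 37), (32, 46))  # public key: same lattice, long skewed basis (constructed)
P = ((5, 2), (-1, 6))     # toy perturbation lattice, kept private (assumption)

def coords(v, M):
    """Exact coordinates of point v with respect to the rows of basis M."""
    (a, b), (c, d) = M
    det = a * d - b * c
    return (Fraction(v[0] * d - v[1] * c, det), Fraction(v[1] * a - v[0] * b, det))

def closest(v, M):
    """Round the coordinates of v in basis M to integers (Babai round-off)."""
    k1, k2 = (round(x) for x in coords(v, M))
    return (k1 * M[0][0] + k2 * M[1][0], k1 * M[0][1] + k2 * M[1][1])

def sign(t, basis=B, perturb=False):
    """Return a lattice point near message point t."""
    if perturb:
        t = closest(t, P)  # move the message point slightly, then sign it
    return closest(t, basis)

def err2(t, s):
    """Squared distance between message point and signature."""
    return (t[0] - s[0]) ** 2 + (t[1] - s[1]) ** 2

def verify(t, s, bound2=32):
    """Signature must be a lattice point (checked with H) and close to t."""
    return all(x.denominator == 1 for x in coords(s, H)) and err2(t, s) <= bound2

def leak(t, s):
    """Coordinates of the error t - s in the private basis B."""
    return coords((t[0] - s[0], t[1] - s[1]), B)

POINTS = [(i, j) for i in range(58) for j in range(58)]  # constructed message points

def survey(**kw):
    """Worst squared error and largest |private-basis coordinate| over POINTS."""
    sigs = [(t, sign(t, **kw)) for t in POINTS]
    return (max(err2(t, s) for t, s in sigs),
            max(abs(y) for t, s in sigs for y in leak(t, s)))

if __name__ == "__main__":
    for name, kw in (("private", {}), ("public", {"basis": H}), ("perturbed", {"perturb": True})):
        print(name, survey(**kw))
```

The default bound of 32 is the largest integer squared error the private basis can produce. Unperturbed errors never leave the box of half-width 1/2 in private-basis coordinates, while perturbed errors do and need a larger verification bound.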

Security estimates
• NTRU recommendation:
  – Only use unperturbed signing to generate 10,000 signatures or less
  – Use perturbed signing (with one perturbation) to generate up to a billion signatures
  – After this number of signatures, generate a new private key and throw the old one away
  – Recommendations based on theoretical analysis of information leakage from transcript
    • Very conservative! This number of signatures is considered to be almost certainly safe: dangerous to go much beyond it.
• Eurocrypt paper:
  – With unperturbed signing, can recover private key after 90,000+ signatures
    • No application yet known to perturbed signing
  – Best attack yet demonstrated
• Users who follow NTRU guidance would nevertheless be safe

Implications of attack
• As it stands, attack does not affect estimated security of parameter sets
  – Requires bigger transcript than allowed by NTRU guidelines for unperturbed case
  – Not known to apply to perturbed case
• However, attack is quite new.
  – Unknown if it can be extended to perturbed case (although perturbed transcript is in a way fundamentally different from unperturbed)
  – Seems appropriate to allow some months to see if there’s an obvious extension

Implications of attack for
• PAR expires this year
  – Would like to get something completed
  – Including NTRUSign could jeopardize this
• Suggest:
  – Keep NTRUEncrypt in
  – Move PAR for a, “Standard specifications for public key cryptography over lattices: additional techniques”
  – Move NTRUSign to this.

Proposed timeline
• Next week:
  – Circulate proposed a PAR
  – E-Motion to accept PAR and move NTRUSign to a
• Next teleconference (2006/06?): Final talk through
• Late 2006/06: First E-Motion to move to sponsor ballot
• 2006/08 meeting: Resolve comments arising from this first E-motion
• 2006/08: E-Motion to accept comment resolution and move to sponsor ballot
• 2006/10: Sponsor ballot opens
• 2006/11: Resolve sponsor ballot comments
• 2006/12: Recirculation ballot
• 2007/01: Submit to RevCom; switch focus back to a