140 likes | 275 Views
1363.1. Parameter Changes and Standard Status William Whyte, NTRU Cryptosystems. Overview. Attack from Crypto 2007: details Isodual lattice reduction P1363.1 status and schedule. Attack. NTRU keys are defined by h = public key, N coefficients uniformly distributed mod q f = private key
E N D
1363.1 Parameter Changes and Standard Status William Whyte, NTRU Cryptosystems
Overview • Attack from Crypto 2007: details • Isodual lattice reduction • P1363.1 status and schedule
Attack • NTRU keys are defined by h = public key, N coefficients uniformly distributed mod q f = private key f * h mod q = g, both f and g are small (binary / trinary) • We can brute-force f: try all possible values until we find an f s.t. f*h is small • Or, since f = f1 + f2, we can try all possible f1*h and f2*h and file the results • Then if f1*h is “close to” -f2*h, (f1+f2)*h will be small • This “combinatorial attack” allows us to trade off running time against memory • If memory is free the optimal result is to (roughly) square root the running time
Add {-1, 0, 1} * each rotation of h = (5, 17, 22, 9, 11) Reduce mod q = 32 Stop when the result (= g) is small (trinary or binary) Brute force attack in linear algebra terms
Add {-1, 0, 1} * each of the top 4 rows to get vector G. Reduce G mod (8, *, *, *, *, *) ie add/subtract row 5 until first coeff is < 8 Reduce G mod (0, 16, *, *, *, *) ie add/subtract row 6 until second coeff is < 16 Reduce all other coeffs of G mod 32 Stop when G is small (= g) Improving brute force attack with lattice reduction
Improving brute force attack with lattice reduction: analysis • Why is this an improvement? • Brute force search is exponential in N • Reducing search space even by 1 dimension greatly reduces search time • Tradeoffs? • Attacker is assuming that reducing mod 4 will help find the shortest vector – ie that that coefficient of the shortest vector is shorter than 2 • This could be wrong: short vector could possibly be a rotation that has 2.1 in that position • The lower the diagonal coefficient is, the greater the risk that “weak reduction” will give the wrong answer • The attacker wants to (a) reduce the number of {-1, 0, 1}s in the right column and (b) only perform weak reduction with sufficiently large diagonal values. • This technique can also be used to speed up combinatorial attacks.
Combined lattice and combinatorial attack • Consider N=251 key of form (f, g) where • f is binary, with df = 48 1s • g is binary with 125 1s • Combinatorial attack takes (N/2 pick df/2) time • Say we perform lattice reduction so that we can weakly reduce on 10% of the top N rows instead of having to binary-search them • Then we can perform a combinatorial search taking time ((90%*N/2) pick (90%*df/2)) time • For the figures above this reduces search operations from 284 to 274 • A net saving so long as lattice reduction time is < 274 operations • As lattice reduction time goes up, combinatorial search time goes down • Two lines cross at 260.4 operations • Weakly reduce against 65 rows, combinatorial search in the remaining 186.
How to defend? • For k bits of security • Determine experimentally how many q-vectors can be consumed for a given value of q with k bits of lattice reduction effort • Call this N1 • For a given N and df, remaining combinatorial effort is approx ((N-N1) pick (df *(N-N1)/N)) • Actually slightly smaller as some rotations of f will leave fewer than (df*(N-N1)/N) coefficients to pick • Pick K, d s.t. (K pick d) gives required level of combinatorial security • Then N = N1+K, df = d *(N/(N-N1)) will give k bits of combinatorial security *after* k bits of lattice reduction
New parameter sets • Change: take p = 3, q = power of 2. • Previous drafts had p = 2, q prime • p = 3, q = power of 2 were used in the first proposed NTRU parameter sets • Security considerations for (p = 3, q = power of 2) and (p = 2, q prime) not known to be different • Keys are now trinary, with df 1s, df -1s, (N-2df) 0s. • Product form: F = f1*f2+f3, each with df’ 1s and -1s, s.t. df’*df’+df’ = df • Combinatorial goes from (N/2 pick df/2) to (N pick df) • Running time goes from df*N to 2*df*N
Calculating lattice security 2N • Lattice reduction algorithm: Blockwise Korkine-Zolotarev (BKZ) • No theoretical bound on running time; need to find running times experimentally • Fundamental parameter: blocksize b • BKZ uses exhaustive search to find the actual shortest vector in each sublattice of dimension b • The larger b is, the greater the chance that this is also the shortest vector in the entire lattice • For each value of q: • Generate an NTRU lattice of high dimension • Run BKZ on the central section of that lattice for blocksize b = 2, 3, 4, … • Plot q-vectors consumed v running time q h 1 Reduced with b = 2 Reduced with b = 3
Results • Running time goes as bb for blocksize b • Number of q-vectors consumed is linear in b • As q increases, number of q-vectors consumed for a given b also increases • Graph plots q-vectors removed v bits of effort • upward curve – slightly more than exponential running time • Fit (b log b) line to the graph, then take the tangent at the last data point
Isodual lattice reduction • Incremental improvement in lattice reduction techniques that appears to lower slope of extrapolated lattice reduction time line. • Results to be posted on ePrint before 10/30 • Requires additional small increase in lattice dimension to maintain security
To do • Complete migration of supporting algorithms from binary to trinary • Complete update of security considerations • Complete specification of parameter generation algorithm • ETA: 10/31