
Ngo Chan 28 May, 2007

A Chosen Ciphertext Attack on Optimized NTRU. Content: Optimized NTRU. Attack Exploiting Modulo q Reduction. Attack Using pq. Attack Using Public Key h. Conclusion.


Presentation Transcript


  1. A Chosen Ciphertext Attack on Optimized NTRU. Ngo Chan 28 May, 2007

  2. Content. Optimized NTRU. Attack Exploiting Modulo q Reduction. Attack Using pq. Attack Using Public Key h. Conclusion.

  3. Optimized NTRU. In optimized NTRU, the parameter p is the polynomial X + 2, and the private key f has the special form f = 1 + pF. In practice, the polynomial F is chosen to be either a binary polynomial or of the form a*b + c, where a, b and c are all binary polynomials. How do we reduce modulo p = X + 2? Given a polynomial , there (almost) always exists a unique polynomial g, satisfying

  4. Optimized NTRU. We also define the operator will be the unique integer that is congruent to n modulo q and contained in the interval (A – q/2, A + q/2]. And A can be calculated such that

  5. Attack Exploiting q Modulo Reduction. The Attack. We describe the attack with N = 251, q = 128. We write the private key f in the form f = 0·f0 + 1·f1 + 2·f2, and we use a ciphertext that is a constant e. So the coefficients of f*e belong to the set {0, e, 2e}. With e = 63, we have

  6. Attack Exploiting q Modulo Reduction. With e’ = 105, we have, The position relative to A(e) for some values of e is:

  7. Attack Exploiting q Modulo Reduction.

  8. Attack Exploiting q Modulo Reduction. And the difference between the two outputs of the decryption machine is:

  9. Attack Exploiting q Modulo Reduction. So we have, If we work with e = 24 and e’ = 63, we can obtain f2 in the same way. The remaining terms are equal to 1. Hence, we recover the private key f completely.

  10. Attack Using pq. To attack, we use the ciphertext e = pq. If q = 2k, Simple Case. Since F is a binary polynomial, with high probability we have

  11. Attack Using pq. Apply the property of the modulo operation: (A mod n – B mod n) mod n = (A – B) mod n. We have, With high probability we have since F is a binary polynomial.

  12. Attack Using pq. Wrapping Case. The simple case is false if: some coefficients c of such that c < A + q/2 < c + 1, and the corresponding coefficients of F are equal to 1. We assume that ci satisfies the conditions above. So

  13. Attack Using pq. Note: If there are t coefficients which satisfy the conditions, we will have 2^t candidates for F, and one of them corresponds to the true private key f.

  14. Attack Using Public Key h. To perform this attack, we pass the ciphertext e = pq * h through the decryption machine. And the output is We have, We assume that dc(0) = dc(1) = d. Then we can write

  15. Attack Using Public Key h. Hence, And then we can obtain the private key f from g like this,

  16. Attack Using Public Key h. Remark: If dc(0) <> dc(1), we can use –pq*h in a similar attack.

  17. Conclusion. All three attacks presented above depend on the special form of the private key f = 1 + p·F and on NTRU being used in its unpadded version. None of them applies to the original NTRU cryptosystem. Open research: can these attacks be applied to the padded NTRU cryptosystem?

  18. Thank You and Questions.
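
An added example, not part of the original slides: the centered reduction of slide 4 (the unique integer congruent to n modulo q in (A – q/2, A + q/2]) applied to the constant-ciphertext products {0, e, 2e} of slide 5, showing which coefficient positions are shifted by a multiple of q. The slides' formula for A is not on this page, so the centre `A_TOY`, the toy key `F_TOY` and all function names are constructed assumptions, and the later reduction modulo p = X + 2 is not modelled.

```python
from fractions import Fraction
from math import ceil


def center_reduce(n, q, A):
    """Unique integer congruent to n mod q in the window (A - q/2, A + q/2]."""
    high = Fraction(A) + Fraction(q, 2)   # inclusive upper end of the window
    k = ceil((n - high) / Fraction(q))    # multiples of q to subtract (may be negative)
    return n - k * q


def reduced_product(f, e, q, A):
    """Coefficients of e*f for a constant ciphertext e, after centered reduction."""
    return [center_reduce(e * c, q, A) for c in f]


def wrapped_positions(f, e, q, A):
    """Indices where reduction changed the true integer product e*f_i."""
    reduced = reduced_product(f, e, q, A)
    return [i for i, c in enumerate(f) if reduced[i] != e * c]


Q = 128                          # q from slide 5
F_TOY = [1, 0, 2, 1, 2, 0, 1]    # constructed toy key, coefficients in {0, 1, 2}
A_TOY = 63                       # constructed centre (assumption, see lead-in)

if __name__ == "__main__":
    for e in (63, 105):          # the two ciphertext constants named on slides 5 and 6
        print("e =", e,
              "reduced:", reduced_product(F_TOY, e, Q, A_TOY),
              "wrapped at:", wrapped_positions(F_TOY, e, Q, A_TOY))
```

With this constructed centre, e = 63 leaves every product inside the window, while e = 105 pushes 2e = 210 outside it, so only the positions whose coefficient is 2 come back shifted by q.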
