LatticeBreakingVariation-1363-2004-03

Variation in Breaking Times for NTRU and Other Cryptosystems
William Whyte, Joseph H. Silverman,
NTRU Cryptosystems,
March 2004
PROPRIETARY AND CONFIDENTIAL
What started all this?
• The following slide, presented at the August P1363 meeting…
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2004
Lattice Strength
• The lower a and c, the faster reduction algorithms run.
• Run experiments at a and c much lower than those obtained for our parameter sets.
– a = 0.535, c = 1.73;
– Breaking time goes as 10^(0.1095N − 12.6) MIPS-years.
• N = 251 ==> 1.37×10^13 MIPS-years, taking “zero-forcing” into account.
– 80-bit security: ~10^12 MIPS-years
• Trend is concave upwards, and actual NTRU lattice is stronger than this: estimate is quite conservative.
• Paper available on X9 website
A question about the graphs
• The points come from ten runs at each N value
• But if log is log10, then there are cases where the weakest key is 100 times weaker than the average
• Can we really claim k-bit security in this case?
The answer!
• In the graphs shown, log is ln, not log10.
• Weakest keys break 7 times faster than average, not 100
• Not clearly mad, but is it reasonable?
What variation is reasonable for running times?
• Consider the following strategy for an attack on any cryptosystem where we know the average running time is T:
– Set a cutoff time of C for some C < T
– For keys 1…k, try to break each key.
– If a given key is not broken by the cutoff time, abort that breaking run
• If the variation is such that one key in T/C has breaking time less than C, this will break a single key in time less than T.
• In the rest of this presentation, we apply this strategy to different cryptographic problems and observe how it works.
Notation and Overview
• Denote by E(M_K) the expected minimum breaking time on K keys.
• Typically, we can approximate E(M_K) as K^(−s(A))
• s(A) is the stability exponent for the algorithm
• Running time of ‘cutoff algorithm’ is C_K ~ K·E(M_K) ~ K·K^(−s(A)) ~ K^(1−s(A))
• So if s(A) > 1, cutoff algorithm helps; otherwise, it doesn’t
• Formal definition of s:
Stability Exponent for Symmetric Systems
• If we have N possible keys
– the chance that we find a key after exactly t attempts is 1/N
– the chance that we find a key in t or fewer attempts is t/N
• We show that E(M_K) ~ 2/K
– So s(A) = −lim (log(E(M_K))/log(K)) = 1
– Cutoff algorithm neither helps nor hinders
Stability Exponent for Collision Algorithms
• Collision Algorithms – algorithms like Pollard-rho
• Normalized running time is given by
• E(M_K) is given by
• And stability exponent = ½
– Cutoff strategy doesn’t help
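As an added worked example (not part of the original slides): the cutoff strategy of the "What variation is reasonable" slide and the stability exponent of the three slides that follow it, computed in Python for three breaking-time models normalised to average time T = 1. The uniform law is exhaustive key search (the symmetric case, where the slides give E(M_K) ~ 2/K), the Rayleigh law is a collision search of the Pollard-rho kind (where the slides give s = ½), and the "weak-key glut" law is our own constructed illustration of a case with s(A) > 1, included only to show the slide's criterion in action. The quantile-function formulation and the names q_uniform, q_rayleigh, q_weak_keys, expected_min, stability_exponent and cutoff_expected_work are ours, not the slides'.

```python
import math

# Breaking-time models, each normalised so the average breaking time is T = 1.
# A model is given by its quantile function Q(u): the time below which a
# fraction u of keys break (the inverse of the CDF).

def q_uniform(u):
    """Exhaustive key search (symmetric cipher): time uniform on (0, 2)."""
    return 2.0 * u

def q_rayleigh(u):
    """Collision search (Pollard-rho-like): Rayleigh law with mean 1,
    CDF F(t) = 1 - exp(-pi t^2 / 4)."""
    return math.sqrt(-4.0 * math.log(1.0 - u) / math.pi)

def q_weak_keys(u):
    """Constructed illustration (not from the slides): a law with a glut of
    weak keys, CDF F(t) = sqrt(t/3) on (0, 3); its mean is also 1."""
    return 3.0 * u * u

def simpson(f, a, b, n=40000):
    """Composite Simpson rule on [a, b]; n must be even."""
    h = (b - a) / n
    total = f(a) + f(b)
    for i in range(1, n):
        total += (4.0 if i % 2 else 2.0) * f(a + i * h)
    return total * h / 3.0

def expected_min(quantile, k):
    """E(M_K): expected minimum of K independent breaking times.
    In quantile space the minimum of K draws has density K(1-u)^(K-1), so
    E(M_K) = integral_0^1 Q(u) K (1-u)^(K-1) du. The upper limit stops just
    short of 1 because Q(1) is infinite for the Rayleigh law."""
    return simpson(lambda u: quantile(u) * k * (1.0 - u) ** (k - 1),
                   0.0, 1.0 - 1e-12)

def stability_exponent(quantile, k1=100, k2=400):
    """s(A) from the slides' E(M_K) ~ K^(-s(A)), fitted between K = k1 and k2:
    s = -log(E(M_k2) / E(M_k1)) / log(k2 / k1)."""
    e1, e2 = expected_min(quantile, k1), expected_min(quantile, k2)
    return -math.log(e2 / e1) / math.log(k2 / k1)

def cutoff_expected_work(quantile, p):
    """Expected total work of the cutoff strategy, in units of T, with the
    cutoff C = Q(p) chosen so that a fraction p of keys break within C.
    Attempts fail independently with probability 1 - p, so on average
    1/p - 1 aborted attempts cost C each, and the final successful attempt
    costs E[time | time <= C] = (1/p) integral_0^p Q(u) du."""
    cutoff = quantile(p)
    conditional_mean = simpson(quantile, 0.0, p) / p
    return (1.0 / p - 1.0) * cutoff + conditional_mean

def summary(p=0.25):
    """Stability exponent and cutoff-strategy work (in units of T) per model."""
    models = {"exhaustive search": q_uniform,
              "collision search": q_rayleigh,
              "weak-key glut (constructed)": q_weak_keys}
    return {name: (stability_exponent(q), cutoff_expected_work(q, p))
            for name, q in models.items()}

if __name__ == "__main__":
    for name, (s, work) in summary().items():
        verdict = "cutoff helps" if work < 1.0 else "cutoff does not help"
        print(f"{name:28s} s(A) = {s:.3f}  work/T = {work:.3f}  ({verdict})")
```

Running the block gives s(A) close to 1 for exhaustive search and ½ for collision search, and in both cases the cutoff strategy costs more than the average time T, which is the slides' "neither helps nor hinders" and "doesn't help". Only the constructed weak-key law, with s(A) close to 2, lets the cutoff strategy beat T, matching the slides' criterion s(A) > 1.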
Stability Exponent for Lattice Reduction
• Here, have to obtain E(M_K) experimentally
– 100 runs at different lattice dimensions
Stability Exponent for Lattice Reduction (2)
• Approximate stability exponent with
• For c = 1.73, a = 0.53, we find

Dim   K     Mean     Min     S
180   100    449      205    0.17
200   100   1012.5    298    0.266
220   100   2302.5    584    0.298
250   100   8994     2059    0.32
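As an added example, not from the slides: the table above read back into Python. The slides omit the approximating formula; s ≈ log(Mean/Min)/log K is our reading of it, and it reproduces the S column to the precision shown, which the code checks. Each s is then turned into the relative cost K^(1 − s) of the cutoff strategy from the "Notation and Overview" slide, the quantity the conclusions slide rests on. The function and field names are ours.

```python
import math

# Rows of the slides' table: (dimension, K runs, mean time, fastest time, S).
# Times are in the slides' own units; the parameters were c = 1.73, a = 0.53.
LATTICE_RUNS = [
    (180, 100, 449.0, 205.0, 0.17),
    (200, 100, 1012.5, 298.0, 0.266),
    (220, 100, 2302.5, 584.0, 0.298),
    (250, 100, 8994.0, 2059.0, 0.32),
]

def implied_stability_exponent(mean, fastest, k):
    """Read the fastest of K runs as an estimate of E(M_K) and the mean as
    the K = 1 baseline; E(M_K) ~ K^(-s) then gives s = log(mean/fastest)/log K.
    This is our reading of the formula omitted from the slides; it reproduces
    the S column of the table to the precision shown."""
    return math.log(mean / fastest) / math.log(k)

def cutoff_work_factor(s, k):
    """Cost of the cutoff strategy over K keys relative to the average
    breaking time, C_K / T ~ K^(1 - s): below 1 only when s > 1."""
    return k ** (1.0 - s)

def analyse(runs=LATTICE_RUNS):
    """One result row per table row: implied s, its agreement with the slide,
    how much faster the weakest key broke, and the cutoff strategy's cost."""
    rows = []
    for dim, k, mean, fastest, s_slide in runs:
        s = implied_stability_exponent(mean, fastest, k)
        rows.append({
            "dim": dim,
            "s_table": s_slide,
            "s_implied": s,
            "speedup_of_weakest": mean / fastest,
            "cutoff_work_factor": cutoff_work_factor(s, k),
            "cutoff_helps": s > 1.0,
        })
    return rows

if __name__ == "__main__":
    for r in analyse():
        print(f"dim {r['dim']}: s = {r['s_implied']:.3f} (slide: {r['s_table']}), "
              f"weakest key {r['speedup_of_weakest']:.1f}x faster than average, "
              f"cutoff strategy costs {r['cutoff_work_factor']:.1f}x the average time")
```

With K = 100 and s between 0.17 and 0.32, the cutoff strategy costs more than twenty times the average breaking time at every measured dimension; s would have to exceed 1 before the factor K^(1 − s) dropped below 1.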
Stability Exponent for Lattice Reduction: Conclusions
• At measurable dimensions, stability exponent is very low
– Lower than for other cryptosystems
• It seems to be increasing as dimension increases
– However, it would have to increase considerably for the cutoff strategy to be of any use
• Conclusion: standard measures of security, based on average running times, are appropriate measures for NTRU lattices.
• Questions?