MaTRU: A New NTRU-Based Cryptosystem
The Sixth International Conference on Cryptology (INDOCRYPT 2005), Indian Institute of Science, Bangalore, India, December 10-12, 2005
Michael Coglianese, Macgregor, 321 Summer Street, Boston MA, USA
Bok-Min Goi, Centre for Cryptography and Information Security (CCIS), Multimedia University, Cyberjaya, Malaysia



Page 2: MaTRU A New NTRU-Based Cryptosystem

Outline
  Introduction
    Notation
    Overview of the original NTRU PKC
  Our new NTRU-based PKC: MaTRU
    Construction
    How it works
  Security Analysis & Results
    Brute force and lattice attacks
    Parameter choices
    NTRU vs. MaTRU
  Concluding Remarks

Page 3: MaTRU A New NTRU-Based Cryptosystem

Introduction

Page 4: MaTRU A New NTRU-Based Cryptosystem

Introduction…
Revolution in cryptography in 1976: Diffie and Hellman present the idea of the public key cryptosystem
  – to provide a non-repudiation service and to solve the key distribution problem

Page 5: MaTRU A New NTRU-Based Cryptosystem

Introduction…
RSA PKC (1978)
  – based on the integer factorization problem
McEliece PKC (1978)
  – based on algebraic coding theory
ElGamal PKC (1984)
  – based on the discrete log problem (DLP)
ECC PKC (1987)
  – based on the intractability of the elliptic curve DLP
Variants of Matsumoto-Imai PKC (1988)
  – based on systems of multivariable polynomials

Page 6: MaTRU A New NTRU-Based Cryptosystem

Introduction...
Problems
  Most of them are too slow and need a large memory footprint
  Not suitable for low cost devices: RFID, smartcards, mobile devices …

Page 7: MaTRU A New NTRU-Based Cryptosystem

NTRU…
NTRU, pronounced “ain’t-true”, by J. Hoffstein, J. Pipher and J. Silverman
  – At the rump session of CRYPTO ’96, and then the full paper in ANTS III (LNCS 1423, 1998)
Based on properties of short polynomials over polynomial rings
Fewer resources + fast operation, but larger message expansion
Has been studied comprehensively in the cryptography community
So far, NTRU’s core technology is still SECURE!!

Page 8: MaTRU A New NTRU-Based Cryptosystem

NTRU…
All operations are done in the ring R
Polynomial multiplication (cyclic convolution product)
  ** computational complexity is O(N^2) (assuming no FFT)

Page 9: MaTRU A New NTRU-Based Cryptosystem

NTRU…
The width or L∞ norm on R of an element g
The size or L2 norm on R of an element g
g is short if
g is said to be pretty / moderately short if
  - Note that the constant value is experimentally determined

Page 10: MaTRU A New NTRU-Based Cryptosystem

…NTRU
Defined by parameters (N, p, q) and sets (Lf, Lg, Lφ, Lm) in R. Note that q >> p and gcd(p, q) = 1.

GEN (key generation algorithm)
  Randomly choose 2 polynomials f, g
  Compute Fq and Fp with Fq * f ≡ 1 (mod q), Fp * f ≡ 1 (mod p)
  h ≡ Fq * g (mod q)
  (PK, SK) = (h, f)

ENC (encryption algorithm)
  Select m ∈ Lm and randomly select a blinding polynomial φ ∈ Lφ
  e ≡ p φ * h + m (mod q)

DEC (decryption algorithm)
  a ≡ f * e (mod q), then choose the coefficients of a in the interval from –q/2 to q/2
  m ≡ Fp * a (mod p)

Page 11: MaTRU A New NTRU-Based Cryptosystem

Security Analysis
  Meet-in-the-middle attacks
  Multiple transmission attacks
  Lattice attacks
    h ≡ Fq * g (mod q)
    f * h ≡ g (mod q) => short!
    Use the LLL lattice basis reduction algorithm to find the shortest vector, r = (f, g)
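As an added worked example (not part of the slides), the GEN/ENC/DEC steps of slide 10 and the relation f * h ≡ g (mod q) behind the lattice attack on slide 11, run in Python on constructed toy parameters (N, p, q) = (7, 3, 47) with hand-picked short polynomials. The polynomial inverse is computed by extended Euclid over GF(q)[X], which is why a prime q is used here rather than NTRU's usual power of 2; 47 ≡ 5 (mod 7) is a primitive root mod 7, so X^6 + … + 1 stays irreducible mod 47 and the chosen f is invertible. All parameters, polynomials and helper names below are this example's own assumptions, and the sizes are far too small to be secure.

```python
# Toy NTRU parameters (constructed for illustration; nowhere near secure sizes).
N, p, q = 7, 3, 47


def poly_mul(a, b, mod):
    """Cyclic convolution product in Z_mod[X]/(X^N - 1): the O(N^2) core of NTRU."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] = (c[(i + j) % N] + ai * bj) % mod
    return c


def _trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a


def _mul(a, b, mod):
    """Ordinary (non-cyclic) polynomial product, used only inside extended Euclid."""
    if not a or not b:
        return []
    c = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[i + j] = (c[i + j] + ai * bj) % mod
    return _trim(c)


def _sub(a, b, mod):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return _trim([(x - y) % mod for x, y in zip(a, b)])


def _divmod(a, b, mod):
    """Long division of a by b over GF(mod); returns (quotient, remainder)."""
    a, b = _trim(a[:]), _trim(b[:])
    inv_lead = pow(b[-1], -1, mod)
    quot = [0] * max(len(a) - len(b) + 1, 1)
    for i in range(len(a) - len(b), -1, -1):
        coef = a[i + len(b) - 1] * inv_lead % mod
        quot[i] = coef
        for j, bj in enumerate(b):
            a[i + j] = (a[i + j] - coef * bj) % mod
    return _trim(quot), _trim(a)


def poly_inverse(f, mod):
    """Inverse of f in Z_mod[X]/(X^N - 1) for prime mod, via extended Euclid."""
    m = [(-1) % mod] + [0] * (N - 1) + [1]        # X^N - 1
    r0, r1 = m, _trim([c % mod for c in f])
    s0, s1 = [], [1]                               # invariant: s_i * f == r_i (mod X^N - 1)
    while r1:
        qt, r2 = _divmod(r0, r1, mod)
        r0, r1 = r1, r2
        s0, s1 = s1, _sub(s0, _mul(qt, s1, mod), mod)
    if len(r0) != 1:
        raise ValueError("f has no inverse mod %d" % mod)
    scale = pow(r0[0], -1, mod)
    out = [0] * N
    for i, c in enumerate(s0):                     # fold back into N coefficients
        out[i % N] = (out[i % N] + c * scale) % mod
    return out


def center(a, mod):
    """Lift coefficients from [0, mod) to the interval (-mod/2, mod/2]."""
    return [c - mod if c > mod // 2 else c for c in a]


def keygen(f, g):
    """GEN: Fq * f = 1 (mod q), Fp * f = 1 (mod p), h = Fq * g (mod q)."""
    Fq, Fp = poly_inverse(f, q), poly_inverse(f, p)
    return poly_mul(Fq, g, q), (f, Fp)


def encrypt(h, m, phi):
    """ENC: e = p*phi*h + m (mod q); phi is the per-message blinding polynomial."""
    return [(p * c + mc) % q for c, mc in zip(poly_mul(phi, h, q), m)]


def decrypt(sk, e):
    """DEC: a = f*e (mod q) centred, then m = Fp*a (mod p)."""
    f, Fp = sk
    a = center(poly_mul(f, e, q), q)               # equals p*phi*g + f*m exactly when q is large enough
    return center(poly_mul(Fp, [c % p for c in a], p), p)


# Constructed short polynomials (coefficient lists, lowest degree first).
F = [1, 1, 0, -1, 0, 0, 0]      # f = 1 + X - X^3
G = [0, 1, 0, 0, -1, 0, 0]      # g = X - X^4
PHI = [1, 0, 0, 0, 0, -1, 0]    # blinding polynomial for one message
M = [1, -1, 0, 1, 0, 0, -1]     # ternary plaintext
```

With these sizes the coefficients of p φ*g + f*m never exceed 6 in absolute value, well inside (−q/2, q/2], so the centred lift recovers them exactly; that margin is the whole reason q must be large relative to p and the polynomial weights. The lattice relation of slide 11 is visible directly: center(f * h mod q) returns g, which is why (f, g) sits in the public lattice as a short vector.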

Page 12: MaTRU A New NTRU-Based Cryptosystem


Comparison

Speed Advantage of NTRU over RSA

Page 13: MaTRU A New NTRU-Based Cryptosystem

Can we further improve the speed of NTRU while keeping its security at a comparable level?!!

Page 14: MaTRU A New NTRU-Based Cryptosystem

MaTRU

Page 15: MaTRU A New NTRU-Based Cryptosystem

MaTRU
We propose a new NTRU-based PKC – MaTRU, pronounced “may-true”
All operations are done in the matrix ring M of k by k matrices with elements in Z[X]/(X^n − 1)
  fix nk^2 = N, for the same message size as NTRU
Matrix polynomial multiplication takes time O(n^2 k^3)
  a speed increase by a factor of O(k) over NTRU
  however the constant factor is ½, as the linear transformation in MaTRU is a two-sided matrix multiplication

Page 16: MaTRU A New NTRU-Based Cryptosystem


Notations…

Page 17: MaTRU A New NTRU-Based Cryptosystem

…Notations
Permutation matrix A (and B)
  is a binary matrix that has exactly one 1 in each row and column, with all 0s elsewhere
  forms a multiplicative group of order k (i.e., A^k = I = A^0)
  the set {A^0, A^1, …, A^(k−1)} is linearly independent, i.e.,

Page 18: MaTRU A New NTRU-Based Cryptosystem

E.g., if p = 3 and n = 5, L(2) means that on average each polynomial has 2 coefficients equal to 1, 2 coefficients equal to −1, and 1 coefficient equal to 0.
Or, if p = 2 and n = 5, L(2) means that on average each polynomial has 2 coefficients equal to 1 and the rest equal to 0.

…Notations

Page 19: MaTRU A New NTRU-Based Cryptosystem

MaTRU-GEN (key generation algorithm)
  ** h is not short.

Page 20: MaTRU A New NTRU-Based Cryptosystem

MaTRU-ENC (encryption algorithm)
  ** Coefficients in e are spread over [0, q−1]

Page 21: MaTRU A New NTRU-Based Cryptosystem

MaTRU-DEC (decryption algorithm)

Page 22: MaTRU A New NTRU-Based Cryptosystem

How it works…
In decryption:
  In order to simplify it,
  have to be commutative!!
BUT, matrix multiplication is NOT generally COMMUTATIVE!!

Page 23: MaTRU A New NTRU-Based Cryptosystem

…How it works
But, here they do indeed commute:

Page 24: MaTRU A New NTRU-Based Cryptosystem

…How it works
For appropriate parameter choices, a will be PRETTY SHORT!
Hence, we can treat the polynomials in a as having integer coefficients; reducing a modulo p leaves
  f * m * g (mod p)
The plaintext can then be obtained:
  d ≡ Fp * a * Gp ≡ m (mod p)
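Added example, not from the slides: a Python check of the commutativity that the decryption on slides 22 to 24 relies on. It builds k by k matrices over Z_q[X]/(X^n − 1), takes A as the cyclic-shift permutation matrix and B as its inverse (a constructed choice of second permutation matrix), forms matrices of the shape Σ α_i A^i with polynomial coefficients (assumed here to be the shape of f and the encryption blinding matrix Φ, with g and Ψ built the same way from B), and verifies that f (Φ h Ψ) g equals Φ (f h g) Ψ for an arbitrary matrix h, which is exactly the rearrangement that lets f and g cancel against Fq and Gq. It also shows that two ordinary matrices do not commute. The toy sizes n = 5, k = 3, q = 47 and every helper name are this example's assumptions.

```python
import random

# Constructed toy sizes (not secure): k x k matrices over Z_q[X]/(X^n - 1).
n, k, q = 5, 3, 47


def poly_mul(a, b):
    """Cyclic convolution in Z_q[X]/(X^n - 1)."""
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % n] = (c[(i + j) % n] + ai * bj) % q
    return c


def poly_add(a, b):
    return [(x + y) % q for x, y in zip(a, b)]


def scalar(c):
    """The constant polynomial c."""
    return [c % q] + [0] * (n - 1)


def zero_matrix():
    return [[scalar(0) for _ in range(k)] for _ in range(k)]


def mat_mul(P, Q):
    """Product of two k x k matrices with polynomial entries: k^3 convolutions of O(n^2)."""
    out = zero_matrix()
    for i in range(k):
        for j in range(k):
            for t in range(k):
                out[i][j] = poly_add(out[i][j], poly_mul(P[i][t], Q[t][j]))
    return out


def mat_prod(*ms):
    acc = ms[0]
    for m in ms[1:]:
        acc = mat_mul(acc, m)
    return acc


def perm_matrix(shift):
    """Permutation matrix with a single 1 in each row and column (row i -> column i + shift)."""
    A = zero_matrix()
    for i in range(k):
        A[i][(i + shift) % k] = scalar(1)
    return A


def powers(A):
    """[A^0, A^1, ..., A^(k-1)]; for a k-cycle A^k = I, so these span every polynomial in A."""
    ps = [perm_matrix(0)]
    for _ in range(k - 1):
        ps.append(mat_mul(ps[-1], A))
    return ps


def poly_in(A_pows, coeffs):
    """Matrix sum_i alpha_i * A^i with polynomial coefficients alpha_i (assumed key shape)."""
    out = zero_matrix()
    for alpha, Ai in zip(coeffs, A_pows):
        for i in range(k):
            for j in range(k):
                out[i][j] = poly_add(out[i][j], poly_mul(alpha, Ai[i][j]))
    return out


def random_poly(rng, small=False):
    """Ternary ({-1, 0, 1}) polynomial when small, otherwise uniform mod q."""
    return [rng.choice([-1, 0, 1]) % q if small else rng.randrange(q) for _ in range(n)]


def random_matrix(rng):
    return [[random_poly(rng) for _ in range(k)] for _ in range(k)]


def commutes(P, Q):
    return mat_mul(P, Q) == mat_mul(Q, P)


def noncommuting_pair():
    """Two ordinary k x k matrices that do not commute: E_{0,1} E_{1,0} != E_{1,0} E_{0,1}."""
    P, Q = zero_matrix(), zero_matrix()
    P[0][1], Q[1][0] = scalar(1), scalar(1)
    return P, Q


def build_instance(seed=1):
    """f, Phi as polynomials in A; g, Psi as polynomials in B; h an arbitrary matrix."""
    rng = random.Random(seed)
    A_pows = powers(perm_matrix(1))        # A: cyclic shift by one
    B_pows = powers(perm_matrix(k - 1))    # B: constructed choice A^(-1), another permutation matrix
    f = poly_in(A_pows, [random_poly(rng, small=True) for _ in range(k)])
    Phi = poly_in(A_pows, [random_poly(rng, small=True) for _ in range(k)])
    g = poly_in(B_pows, [random_poly(rng, small=True) for _ in range(k)])
    Psi = poly_in(B_pows, [random_poly(rng, small=True) for _ in range(k)])
    h = random_matrix(rng)
    return f, g, Phi, Psi, h


def decryption_rearrangement_holds(f, g, Phi, Psi, h):
    """f (Phi h Psi) g == Phi (f h g) Psi: the step that lets f, g cancel against Fq, Gq."""
    return mat_prod(f, Phi, h, Psi, g) == mat_prod(Phi, f, h, g, Psi)
```

The identity holds for every h because f and Φ are both polynomials in the same matrix A (and g, Ψ in B), and polynomials in one matrix over a commutative coefficient ring commute with each other; the ordinary pair from noncommuting_pair shows that nothing of the kind is true for general matrices, which is the obstacle slide 22 points at.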

Page 25: MaTRU A New NTRU-Based Cryptosystem

Security Analysis &

Results

Page 26: MaTRU A New NTRU-Based Cryptosystem

Security Analysis…
The key (or message) space depends on the 2k polynomials.

Page 27: MaTRU A New NTRU-Based Cryptosystem

…Security Analysis
For p = 2 or 3, the total number of possible key pairs,
Using brute force attacks
  => (key security)/2
Using meet-in-the-middle attacks
  => (key security)^(1/2)

Page 28: MaTRU A New NTRU-Based Cryptosystem

Lattice Attacks…
To discover the private key (f, g), i.e. its coefficient polynomials (α_i, β_i), the attacker has to find the linear transformation
  T_{f,g}(J): J ↦ f J g
Note that T_{f,g}(h) = w
Can form a 2nk^2 by 2nk^2 lattice matrix L, where
  I = nk^2 by nk^2 identity matrix
  O = nk^2 by nk^2 zero matrix
  Q = n by n diagonal matrix with non-zero element value q
  H_{i,j} = n by n matrix computed from (h, A, B), for i, j = 0, 1, …, k−1

Page 29: MaTRU A New NTRU-Based Cryptosystem

…Lattice Attacks
Since α_i and β_j are short, α_i β_j will be pretty short.
(α_i β_j, w) is in the lattice L = {(T, T(h))}

Page 30: MaTRU A New NTRU-Based Cryptosystem

…Lattice Attacks
The size of the target vector (α_i β_j, w)
By the Gaussian heuristic, the expected shortest vector in a random L,
Note that as c_h approaches 1, the LLL algorithm will take longer to find the shortest vector!

Page 31: MaTRU A New NTRU-Based Cryptosystem


Parameter

Page 32: MaTRU A New NTRU-Based Cryptosystem

Comparison
  ** note that nk^2 = N

Page 33: MaTRU A New NTRU-Based Cryptosystem

Concluding Remarks

Page 34: MaTRU A New NTRU-Based Cryptosystem

Results
We have introduced the MaTRU cryptosystem:
  its construction
  security analysis & parameter choices
  comparison with the original NTRU
Due to its non-commutative property, MaTRU won’t face the multiple transmission attacks as in NTRU
However, the security analysis is heuristic: any other better attacks??

Page 35: MaTRU A New NTRU-Based Cryptosystem

Future Work
Construct experiments to further refine the suggested parameters for MaTRU
Optimization, improvement and cryptanalysis of MaTRU
  – new lattice attack (subdividing L)
  – impact of imperfect decryption

Page 36: MaTRU A New NTRU-Based Cryptosystem