February, 2002 doc:.: 802.15-02/108r0
Daniel V. Bailey, Ari Singer, NTRU
Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs)
Submission Title: [Performance and Security of NTRU Security Suite]
Date Submitted: [February 22, 2002]
Source: [Daniel V. Bailey, Product Manager for Wireless Networks and Ari Singer, Principal Engineer] Company [NTRU]
Address [5 Burlington Woods, Burlington, MA 01803]
Voice: [(781) 418-2500], FAX: [(781) 418-2507], E-Mail: [dbailey@ntru.com]
Re: [Draft P802.15.3/D09, P802.15-02-074r1 802.15.3 Call For Proposals for a Security Suite]
Abstract: [This presentation gives an overview of the performance and security of NTRU’s proposal for a security suite for the 802.15.3 draft standard.]
Purpose: [To familiarize the working group with the NTRU proposed security suite.]
Notice: This document has been prepared to assist the IEEE P802.15. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
Release: The contributor acknowledges and accepts that this contribution becomes the property of IEEE and may be made publicly available by P802.15.
Agenda
• NTRU Background
• NTRU Security
• Why Triple-DES?
Why NTRU Public-Key Cryptography?
• Public-Key Cryptography was invented in the 1970s:
– RSA
– Elliptic Curve Cryptography
• Uses complicated mathematics and large numbers
– RSA: 1024-bit numbers (1 with 300 zeroes!)
– ECC: 160-bit numbers and complex operations
  • Ratios of polynomials
– Not suitable for devices with low processing power, memory, battery life…
• NTRU:
– Uses smaller numbers (<128)
– Can be implemented efficiently on any processor
– Fundamental breakthrough in cryptography
NTRU Advantages
Why so fast? Why so small? Why so secure?
NTRU Buzzwords
• NTRU uses convolution multiplication
– RSA uses modular multiplication
– Convolutions are used in digital signal processing (voice, streaming multimedia, etc.)
• NTRU is based on the short lattice vector problem
– RSA is based on the integer factorization problem
– ECC is based on the elliptic curve discrete log problem
– The short lattice vector problem has been proved very hard; the other two are merely conjectured to be very hard.
NTRU Fundamentals
• NTRU is a lattice-based public-key cryptosystem
– Lattice operations are extremely fast
– Lattice operations are easy to implement using 7- or 8-bit numbers
– Lattice problems have been well studied and are hard in high dimension
• Every NTRU key has its own random lattice
• Each key is a concatenation of polynomial coefficients
• NTRU keys are always completely independent
• Two algorithms
– NTRUEncrypt for encryption and decryption
– NTRUSign for signature and verification
• Only NTRUEncrypt is needed for 802.15.3
History of NTRUEncrypt
• Developed by a team of cryptographers/mathematicians
– J. Hoffstein, J. Pipher, J. Silverman (1994-1996)
• Presented by J. Hoffstein at CRYPTO ’96
• Immediate feedback from top cryptographers (Coppersmith, Hastad, Odlyzko, Shamir, …) used to set appropriate security parameters
• Ongoing research by experts in lattices and cryptography (Nguyen, Stern, Schnorr, May, Gentry, Szydlo, Jaulmes, Joux, …) reaffirms NTRU’s security
• New IEEE P1363.1 standard based on NTRU
• New CEES Efficient Embedded Security Standard based on NTRU
NTRUEncrypt Public Parameters
The NTRUEncrypt Public Key Cryptosystem depends on three public parameters: N, p, q.
Typical values for these parameters, with approximate equivalent RSA security levels, are:

  NTRU                    RSA level
  N     p      q          (bits)
  251   2+X    128        1024
  347   2+X    128        2048
  503   2+X    256        4096

Key size = ciphertext size = N * log2(q) bits
Plaintext size = N bits
Convolution Multiplications
NTRU’s basic operation is the convolution product of two vectors of small numbers:
[a_0, …, a_{N-1}] * [b_0, …, b_{N-1}] = [c_0, …, c_{N-1}]
with
c_k = a_0 b_k + a_1 b_{k-1} + a_2 b_{k-2} + … + a_{N-2} b_{k+2} + a_{N-1} b_{k+1}
(indices taken mod N).
Convolution products can be computed very rapidly using Karatsuba multiplication or Fast Fourier Transforms.
Example with N=4 (extra rule: x^4 = 1):
(x^3 + 2x - 1) * (3x^3 - x^2 + x + 2) = 3x^6 - x^5 + 7x^4 - 3x^3 + 3x^2 + 3x - 2
  = 3x^2 - x + 7 - 3x^3 + 3x^2 + 3x - 2
  = -3x^3 + 6x^2 + 2x + 5
Small Polynomials and Polynomials Mod q
The coefficients of NTRU polynomials may be reduced modulo the parameter q. That means the coefficients are replaced with their remainders after division by q. Example:
5x^3 - 11x^2 + 4x + 6 = -x^3 + x^2 + x (mod 3)
(Note: the usual reduction mod q reduces into the range [0, q-1]. In NTRU, we sometimes reduce into the range [-q/2, q/2) or some other range.)
Many polynomials used in NTRU are described as “small”. This means their coefficients are, by and large, small relative to q.
NTRUEncrypt Key Creation
Bob chooses two polynomials f(x) and g(x):
f(x) has the form 1 + pF(x), where F(x) is small
g(x) is small
Bob computes the inverse of f(x) modulo q:
Fq(x) * f(x) = 1 (mod q).
Finding these inverses is very fast using the Euclidean algorithm.
Bob computes the product
h(x) = p * Fq(x) * g(x) (mod q).
Bob’s Private Key: the polynomial f(x)
Bob’s Public Key: the polynomial h(x)
NTRUEncrypt Encryption
• Alice processes the message before encryption
– pads the message with random data
– blinds it, OAEP-style, to get the blinded message
– converts the blinded message to a polynomial m(X).
• Alice encrypts the message
– generates a small random polynomial r(X) (using the blinded message as the seed for the random number generator)
– calculates e(X) = r(X) * h(X) + m(X)
• e(X) is the ciphertext.
NTRUEncrypt Decryption
• Bob decrypts the message
– calculates a(X) = f(X) * e(X) mod q.
– places the coefficients of a(X) into the range [A, A+q-1]
– reduces mod p. This recovers the polynomial m’(X).
• Bob checks that the ciphertext was valid
– converts the polynomial m’(X) to the blinded message
– generates a small random polynomial r’(X) (using the blinded message as the seed for the random number generator)
– calculates e’(X) = r’(X) * h(X) + m’(X)
– If this is identical to e(X), accepts the message.
Why Does NTRUEncrypt Work?
a = f * e (mod q)
  = f * (r*h + m) (mod q)
  = f * (r*p*g*Fq + m) (mod q)
  = p*r*g + (1 + pF)*m (mod q), since f*Fq = 1 (mod q).
All of the polynomials r, g, f, m are small, so the coefficients of
p*r*g + (1 + pF)*m
will all lie within q of each other. If its coefficients are reduced into the right range, the polynomial a(x) is exactly equal to p*r*g + f*m. Then
a = p*r*g + m + pF*m = m (mod p).
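As an added example (not code from these slides or from NTRU’s NERI toolkit), the key creation, encryption and decryption steps above are carried through on a constructed toy instance with N = 7, p = 3, q = 31. It assumes the textbook p = 3 rather than the slides’ p = 2+X, picks a prime q so that Fq can be found by Gaussian elimination instead of the Euclidean algorithm, and leaves out the OAEP-style blinding and the re-encryption check; the conv and center helpers also reproduce the N = 4 convolution and the mod-3 reduction examples from the earlier slides.

```python
# Toy NTRUEncrypt round trip (added illustration, not NTRU's NERI toolkit). Assumes the
# textbook p = 3 and a prime q; the slides' p = 2+X, q = 128 variant needs a different inverse.
N, P, Q = 7, 3, 31  # constructed toy parameters; deployed N is 251 or more

def conv(a, b):
    """Cyclic convolution in Z[X]/(X^n - 1): c_k = sum of a_i*b_j over i+j = k (mod n)."""
    n = len(a)
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % n] += ai * bj
    return c

def center(a, mod):
    """Reduce coefficients into [-mod/2, mod/2), the range the decryption step needs."""
    return [((v + mod // 2) % mod) - mod // 2 for v in a]

def inverse_mod_q(f):
    """Solve conv(f, x) = 1 (mod Q) by Gauss-Jordan elimination on the circulant
    matrix of f; returns None when f is not invertible (then choose another F)."""
    M = [[f[(k - j) % N] % Q for j in range(N)] + [int(k == 0)] for k in range(N)]
    for col in range(N):
        piv = next((r for r in range(col, N) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, Q)
        M[col] = [v * inv % Q for v in M[col]]
        for r in range(N):
            if r != col and M[r][col]:
                m = M[r][col]
                M[r] = [(x - m * y) % Q for x, y in zip(M[r], M[col])]
    return [row[N] for row in M]

def keygen(F, g):
    """Key creation: f = 1 + p*F, h = p*Fq*g (mod q). Private key f, public key h."""
    f = [1 + P * F[0]] + [P * v for v in F[1:]]
    h = [P * v % Q for v in conv(inverse_mod_q(f), g)]
    return f, h

def encrypt(m, r, h):
    """Encryption: e = r*h + m (mod q), with r the small random blinding polynomial."""
    return [(v + mv) % Q for v, mv in zip(conv(r, h), m)]

def decrypt(e, f):
    """Decryption: a = f*e (mod q) centred, then reduced mod p; f = 1 (mod p) so a = m."""
    return center(center(conv(f, e), Q), P)
# Constructed small polynomials, lowest-degree coefficient first.
F_SMALL, G_SMALL = [0, 1, 0, 0, -1, 0, 0], [0, 1, -1, 0, 0, 0, 1]
R_SMALL, MSG = [1, 0, 0, -1, 0, 1, 0], [1, -1, 0, 1, 0, 0, -1]
```

With these small polynomials every coefficient of p*r*g + f*m stays inside [-15, 15], which is exactly the "right range" condition the derivation above relies on.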
In answer to those questions:
• Why so fast?
– NTRUEncrypt uses only adds on 7-bit numbers
– For security of order N, needs only N ln N operations
  • other algorithms require N^2 or N^3 operations
• Why so small?
– NTRUEncrypt uses only adds on 7-bit numbers
– No need for a big integer arithmetic library
– Fits in a small amount of RAM
• Why secure?
– To be discussed…
How Fast is NTRUEncrypt? (RSA 1024 Level Security)

NTRU vs. RSA on PDAs
Function   Units        NTRU 251   RSA 1024    NTRU Advantage
Encrypt    Blocks/sec   21         0.5         42 to 1
Decrypt    Blocks/sec   12         0.036       333 to 1

NTRU vs. ECC on PDAs
Function   Units        NTRU 251   ECC 163     NTRU Advantage
Encrypt    Blocks/sec   21         0.4         52.5 to 1
Decrypt    Blocks/sec   12         1.3         9 to 1

NTRU vs. RSA on ARM9
Function   Units        NTRU 251   RSA 1024    NTRU Advantage
Encrypt    Cycles       79,460     192,892     2 to 1
Decrypt    Cycles       167,033    9,600,000   57 to 1

NTRU vs. ECC on ARM9
Function   Units        NTRU 251   ECC 192     NTRU Advantage
Encrypt    Cycles       79,460     3,040,000   38 to 1
Decrypt    Cycles       167,033    3,040,000   18 to 1

ARM9 Comparisons: NTRU’s NERI toolkit vs. Mike Scott’s MIRACL library, using a NIST curve
PDA Comparisons: NTRU’s NERI portable toolkit vs. published results (for ECC, RSA) specialized for the Palm device (RSA encryption exponent e=65537)
Performance on a Microcontroller
• Speakers will have an 8051 if they’re lucky
• Microcontrollers vary widely, so here are three implementations of NTRUEncrypt:

Architecture   Internal Clock   Enc. Time   Dec. Time   RAM
8 bits         2.66 MHz         42.6 ms     60.0 ms     841 bytes
8 bits         3.4 MHz          41.3 ms     65.9 ms     841 bytes
16 bits        1 MHz            65 ms       119 ms      841 bytes
Comparison on a Microcontroller
• For comparison, the top microcontroller has a 50,000 gate RSA/ECC coprocessor
• 028r3-TG3-Coding-Criteria.ppt gives the following cost/power guidance:
– In 0.18 micron technology, 100,000 gates cost 20 cents
– Power is dissipated at a rate of 0.018 mW/(MHz*kgates)

Algorithm   Gate Count   Gate Cost   Gate Power   Time
NTRU        0            0           0            60 msec
RSA         50,000       .10         2.4 mW       420 msec
ECC         50,000       .10         2.4 mW       160 msec
Comparison in Hardware
• What if you need NTRUEncrypt in hardware?
• This is a complete implementation, including SHA-1

Algorithm   Gate Count   Gate Cost   Gate Power   Time
NTRU        20,000       .04         0.96 mW      20 msec
RSA         50,000       .10         2.4 mW       420 msec
ECC         50,000       .10         2.4 mW       160 msec
Agenda
• NTRU Background
• NTRU Security
• Why Triple-DES?
The NTRU Hard Problem
The hard problem underlying NTRU is the Shortest Vector Problem in lattices of high dimension.

System   Hard Problem                  Best Solution Method
NTRU     Short vector problem          LLL lattice reduction
RSA      Integer factorization         Number field sieve
ECC      Elliptic curve discrete log   Pollard rho
DH       Discrete logarithm            Index calculus

Best Known Methods to Break:
• NTRU and ECC are exponential (very slow)
• RSA and DH are subexponential (faster)
Lattices
• Lattice: Set of all vectors that are integer linear combinations of the basis vectors B = {b1, …, bn}.
• Lattice bases are not unique.
• Lattice Basis Reduction: Finding a “good” basis, usually one with short, nearly orthogonal vectors.
Example (figure): basis B = {(1,5), (7,1)} with basis matrix L_B = [1 7; 5 1] (vectors as columns), and basis B’ = {(13,-3), (6,-4)} with basis matrix L_B’ = [13 6; -3 -4]; both generate the same lattice.
(Slide due to Craig Gentry)
Shortest Vector Problem
• Shortest Vector Problem (SVP): Given a lattice basis, find the shortest (nonzero) vector in the lattice.
• Example: Given L_B’ below, find (1,5).
• The SVP is NP-Hard (no algorithm with running time polynomial in the lattice dimension always finds the SV).
Example (figure): B = {(1,5), (7,1)}, L_B = [1 7; 5 1]; B’ = {(13,-3), (6,-4)}, L_B’ = [13 6; -3 -4]. The short vector is recovered as (1,5) = 1 × (13,-3) + (-2) × (6,-4).
(Slide due to Craig Gentry)
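As an added example (not code from the slides), the Gauss/Lagrange reduction of the 2-dimensional basis B’ = {(13,-3), (6,-4)} from the figure above: it recovers the good basis {(1,5), (7,1)} and the coefficients 1 and -2 that express (1,5) in terms of B’. The function names are my own; in dimension 2 this procedure always finds the shortest vector, which is what LLL only approximates in high dimension.

```python
# Gauss/Lagrange reduction of a 2-dimensional lattice basis (added example, not code
# from the slides): repeatedly subtract the nearest-integer multiple of the shorter
# basis vector from the longer one until neither can be shortened further.

def dot(u, v):
    return u[0] * v[0] + u[1] * v[1]

def det(u, v):
    """|det| is the lattice volume: every basis of the same lattice has the same |det|."""
    return u[0] * v[1] - u[1] * v[0]

def gauss_reduce(u, v):
    """Return (u', v', cu, cv): a reduced basis with u' the shortest vector, plus the
    integer coefficients cu, cv of u', v' in terms of the input basis (u, v)."""
    cu, cv = (1, 0), (0, 1)
    while True:
        if dot(u, u) > dot(v, v):            # keep u as the shorter vector
            u, v, cu, cv = v, u, cv, cu
        m = round(dot(u, v) / dot(u, u))     # nearest-integer projection of v onto u
        if m == 0:
            return u, v, cu, cv
        v = (v[0] - m * u[0], v[1] - m * u[1])
        cv = (cv[0] - m * cu[0], cv[1] - m * cu[1])

B_BAD = ((13, -3), (6, -4))   # the "bad" basis B' from the slide
```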
Brief History of Lattice Problems
• Lattices, the SVP, and the CVP have been extensively studied for more than 100 years (Hermite 1870s, Minkowski 1890s,…).
• Best computational tool was developed by Lenstra, Lenstra, and Lovasz (LLL algorithm) in early 1980s.
• Improvements to LLL are due to Schnorr, Euchner, Horner, Koy, and others.
• Algorithms to find small vectors in lattices have been extensively studied because they have applications to many areas outside of cryptography, including physics, combinatorics, number theory, computer algebra,….
• Contrast this with integer factorization (RSA) and elliptic curve discrete logarithms (ECC), where the only applications are to cryptography.
NTRU Security
Cryptographic System   Key/Block Size (Bits)   Processing Time (MIPS-Years)
RSA                    512                     1 x 10^4
NTRU                   834 (N = 139)           1 x 10^4
DES                    56                      5 x 10^5
RSA                    1024                    8 x 10^9
NTRU                   1757 (N = 251)          5 x 10^10
ECC                    ~1000 (p = 163)         7 x 10^11
RSA                    2048                    1 x 10^20
NTRU                   2429 (N = 347)          2 x 10^21
AES                    128                     2 x 10^27
NOTE: 4 x 10^3 MIPS-Years = c. 1 year on a 450 MHz Pentium
Scrutiny and Standardization
Scrutiny
• NTRUEncrypt has been widely studied since it was first announced in 1996
– Papers on NTRU techniques appear at every major cryptography conference
– Nguyen and Stern (CaLC-2001): “this makes NTRU the leading candidate among knapsack-based and lattice-based cryptosystems, and allows high dimension lattices.”
– Micciancio (IMAP 2002) observed that NTRU lattices are in Hermite Normal Form, the most secure form for a general lattice
• NTRU encourages peer review
– Challenge problems
– Support to the crypto community (CaLC conference, etc.)
NTRU Standardization work
• IEEE P1363
– Draft of P1363.1 available on the IEEE P1363 WG web site with NTRUEncrypt included
– Vote on permanently including NTRUEncrypt passed at the May 2001 meeting
• Consortium for Efficient Embedded Security (CEES)
– Draft of EESS #1 standardizing NTRUEncrypt currently available from http://www.ceesstandards.org
– Drafts include complete specification, encodings, certificate formats, etc.
• VHN (Versatile Home Networking)
– NTRU included in EIA/CEA-851
NTRU Standardization work
• IETF
– TLS: NTRU ciphersuites proposed May 2001. Expected to proceed to Informational RFC.
– PKIX: “Supplemental Algorithms for PKI” Internet Draft, edited by NTRU, includes NTRUEncrypt. Also includes new US Government algorithms: DSA2, SHA-256…
• WAP
– NTRU active participants in WSG
Implications of High Data Rate
• Symmetric components must meet the data rate
• Public key costs on a per-session basis, not per-bit
• For enough gates (612,834 actually), 2 Gbps is practical with AES
• Smallest implementation with local subkey storage is 43,000 gates
– 17,000 gates if you hit external memory every cycle
• The challenge: minimize footprint to meet a target data rate at a target cost (area, clock rate, …)
• You’ll need a custom hardware implementation for encryption and integrity
• We’ve been evaluating algorithms and…
Triple-DES
• Hits the data rate at the lowest gate count
• DES has a 64-bit block size.
• DES encryption has 16 rounds. Triple-DES encryption has 48.
• Using DES for integrity takes another 16 rounds, except for the last block, which takes 48.
• So we need 64 rounds per 64 bits.
• Instantiating two rounds of DES gives a throughput of 2 bits/cycle.
• So you’ll need at least a 23 MHz clock for 55 Mbps.
• Synthesized with LeonardoSpectrum, that’s 9196 gates
• With 802.15.3’s assumptions, that’s $0.02, 5.4 mW
Triple-DES Security
• Encryption standardized in ANSI X9.52, FIPS 46-3, …
• Well-studied since the late 1970s.
• 112-bit key makes brute force attacks infeasible
• MAC standardized in ISO 9797, …
• We MAC the ciphertext, not the plaintext
• 64-bit block size means we’d expect a MAC collision after 2^32 blocks
• Sequence numbers in the MAC calculation prevent the attacker from substituting one message for another!
– The attacker isn’t looking for two messages that give the same MAC…
– She needs two messages with the same sequence number that give the same MAC