DOCSLIB.ORG

Choosing Parameters for Ntruencrypt Jeff Hoffstein, Jill Pipher, John Schanck, Joseph H

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Choosing Parameters for Ntruencrypt Jeff Hoffstein, Jill Pipher, John Schanck, Joseph H Choosing Parameters for NTRUEncrypt Jeff Hoffstein, Jill Pipher, John Schanck, Joseph H. Silverman, William Whyte, Zhenfei Zhang OnBoard Security / Brown University Security Innovation Embedded Business Unit is becoming Onboard Security! §Two sister companies being formed – OnBoard Security: Cryptography, Hardware Roots of Trust and Automotive Security – Security Innovation: Application Security Services and Education §Reasons – Increase strategic focus on core competencies – Unlock latent value – Attract pure-play investors Goal of presentation § Present new parameters as in published paper § Discuss parameter choices at a higher level to explore difference between published approaches – LWE – NTRU – NTRU Prime § Make a mysterious announcement A Lattice! (F,G) (f,g) Symmetric encryption with lattices: The Close Vector Problem Example over integers Lattice Basis B ((f,g), (F,G)) = ((7,1), (2,18)) • Pick m = (-2, 2). • (maximum norm of m < norm of shortest basis vector) • Pick random lattice point 5* (7,1) + 1*(2, 18) = (37, 23) • Add m to get e = (35, 25). 4.6 (f,g) 5 (f,g) + To decrypt: (F,G) 1 (F,G) • e = 4.6*(f,g) + 1.3*(F, G) 1.3 (F,G) … we get this by dividing: B-1 = ((G,-g), (-F, f)).[det(B)] -1. (f,g) • Round to closest lattice point = 5* (7,1) + 1*(2, 18) = (37, 23) • Subtract from e • Recover m = (-2, 2) Lattice-based crypto motivation § If I take E = a*H + b where H is known and a, b are random and “big enough”, then 1. For some size of a and b It is hard to recover a, b (the assumption used in NTRU) 2. For some larger size of a and b, E is indistinguishable from random (a stronger assumption) § If I take E = a*H + b where H is known and a, b are “small enough”, it may be possible to exploit the fact that E is derived from H to exchange a secret LWE key agreement § Publish: H § H = 723 § A: generate small (aA, bA) § (aA, bA) = (4, 3) – EA = aAH+bA, send EA – EA = 2895 § B: generate small (aB, bB) § (aB, bB) = (-2, 5) – EB = aBH+bB, send EB – EA = -1441 § A: calculate SA = aA * EB § SA = -5764 – = aA * aB* H + aA * bB § B: calculate SB = aB * EA § SB = -5790 – = aA * aB* H + aA * bB § Top bits/digits are the same! If components are small enough and H is large enough LWE key agreement § Publish: H § H = 723 § A: generate small (aA, bA) § (aA, bA) = (4, 3) – EA = aAH+bA, send EA – EA = 2895 § B: generate small (aB, bB) § (aB, bB) = (-2, 5) – EB = aBH+bB, send EB – EA = -1441 § A: calculate SA = aA * EB § SA = -5764 – = aA * aB* H + aA * bB § B: calculate SB = aB * EA § SB = -5790 – = aA * aB* H + aA * bB § Top bits/digits are the same! If components are small enough and H is large enough LWE key agreement § Publish: H § H = 723, q = 1024 § A: generate small (aA, bA) § (aA, bA) = (4, 3) – EA = aAH+bA, send EA – EA = 847 § B: generate small (aB, bB) § (aB, bB) = (-2, 5) – EB = aBH+bB, send EB – EA = 607 § A: calculate SA = aA * EB § SA = 380 – = aA * aB* H + aA * bB § B: calculate SB = aB * EA § SB = 354 – = aA * aB* H + aA * bB § Top bits/digits are the same! If components are small enough and H is large enough LWE key agreement in a ring § Publish: H, R § R = any ring, e.g. & § A: generate small (aA, bA) ℤ" � /[� − 1] or & ℤ" � /[� + 1] – EA = aAH+bA, send EA – Choice of ring is § B: generate small (aB, bB) important, see later – EB = aBH+bB, send EB § H, aA, bA, aB, bB = polynomials in the ring § A: calculate SA = aA * EB – = aA * aB* H + aA * bB § For small enough a, b relative to q, top b § B: calculate SB = aB * EA – aA * aB* H + aA * bB § Top bits of each coefficient of SA, SB are the same If components are small enough and q is large enough LWE Encryption § Public parameter: A in ring mod qPrivate key: s, e0, small § Public key: A, B = s*A + e0 § Encrypt n-bit message m: Publish – U = r*A + e1 – V = r*B + e2 + (m * q/2) § (Note, encrypter doesn’t know s so doesn’t know relationship between A and B) § Decrypt: Calculate V – s*U = – [r*B + e2 + (m * q/2)] - s*r*A - s*e1 = – s*r*A + r*e0 + e2 + (m * q/2) - s*r*A - s*e1 = – r*e0 + e2 - s*e1 + (m * q/2) – [small] [top bits of the coefficients] If components are small enough and q is large enough NTRU Encryption – trapdoor in H § Review: small * random + small is hard with high enough N § Small can be removed given a “clue” in R-LWE encryption § Can we embed a trapdoor in H itself? § Yes, with an additional assumption: – NTRU OBSERVATION (Properties of distribution): Given a collection of {f} small in R, then {f-1} looks uniformly randomly distributed – NTRU ASSUMPTION (Inversion version): Given h = g * f-1 in R, it is hard to recover g and f – NTRU ASSUMPTION (Decisional version): Given h in R, it is hard to tell whether it was randomly generated or generated as g * f-1 § Security of NTRU Encryption rests on the Inversion version of this problem Raw NTRUEncrypt Operations § Key Generation N – Generate f, g, “small” polynomials in Zq[X]/(X -1). -1 -1 – Public key h = p*f *g mod q; private key = (f, fp = f mod p). § Encrypt (Raw operation) – Encode message as “small” polynomial m. – Generate “small” random polynomial r – Ciphertext e = r*h + m mod q. § Decrypt (Raw operation) – Set a = f*e mod q. § “mod q” = in range [A, A+q-1]. – Set m = fp * a mod p. Why Decryption Works § a = f * e (mod q) = f * (r*h + m) (mod q) = f * (r*p*g*f-1 + m) (mod q) = p*r*g + f*m (mod q) since f*Fq = 1 (mod q) § All the components are small, so this equality holds over the integers, not just mod q – If components are small enough and q is large enough § So – a mod p = f*m mod p – a * f-1 mod = f-1*f*m mod p = m mod p = m. NTRUEncrypt v Ring-LWE 15 § NTRUEncrypt: § Ring-LWE key exchange – Slower keygen (requires inversion) – Faster keygen, no inversion – Thinner noise: – h can be expanded from a seed, saving § Faster operations space § Smaller ciphertexts – Thicker noise: – Smaller q with same risk of decryption failure § Better provability – Smaller q allows smaller N with § Larger ciphertexts equivalent lattice security – Patent concerns over reconciliation – Patented mechanism § Core patents expire 2017, speedups – Some variants are not CCA-2; public expire 2021 keys cannot be reused – CCA-2; public keys can be long-term N and reused – Ring Z[X]/X +1 is factorizable mod q – Ring Z[X]/XN-1 is factorizable mod q NTRUEncrypt v Ring-LWE: fundamental v optional differences 16 § NTRUEncrypt: § Ring-LWE key exchange – Slower keygen (requires inversion) – Faster keygen, no inversion – Thinner noise: – h can be expanded from a seed, saving § Faster operations space § Smaller ciphertexts – Thicker noise: – Smaller q with same risk of decryption failure § Better provability – Smaller q allows smaller N with § Larger ciphertexts equivalent lattice security – Patent concerns over reconciliation – Patented mechanism § Core patents expire 2017, speedups expire 2021 – Some variants are not CCA-2; public keys cannot be reused – CCA-2; public keys can be long-term and reused – Ring Z[X]/XN+1 is factorizable mod q – Ring Z[X]/XN-1 is factorizable mod q NTRU history § NTRUEncrypt proposed 1996 – Hoffstein, Pipher, Silverman (Brown University) – Should perhaps be called HPS… § Not originally realized to be lattice based! Developed at same time as Ajtai, etc § Published 1998 – Best attacks: lattice reduction or meet-in-the-middle / brute force § NTRUSign proposed 2001 – Not zero-knowledge § 2006-2007: “Hybrid attack” (Howgrave-Graham) combines lattice reduction and meet-in- the-middle – “80-bit secure” parameter sets give 64 bits of security against this attack – Revised parameter sets proposed § 2008: IEEE standard 1363.1 – NTRUEncrypt § 2010: X9 standard X9.98 – NTRUEncrypt CPA / CCA / Key reusability § Raw NTRU is not CPA-secure – Leaks m(1) for known r(1) § Use NAEP to provide CPA and CCA-2 security – Similar to OAEP – Concatenate message with random “salt” – Hash to generate r – Hash (r *h) to generate mask – m’ = message + mask mod p (XOR or similar) – e = r*h + m’ – On decryption, recover m and salt and repeat encryption; discard if result is not equal to received ciphertext § Provides CCA2 security if decryption failure probability is negligible Decryption failures § Say a = p*r*g + f*m Distributions of a 2176 2048 1920 § If maxCoeff(a) - minCoeff(a) ³ q 1792 1664 then at least one coefficient of a is 1536 1408 1280 reduced mod q on decryption 1152 1024 896 § This leads to the resulting value for 768 640 -1 512 m being off by some rotation of (f 384 256 mod p) * q mod p 128 0 -3 7 17 27 37 47 57 67 Decryption failures Distributions of a 2176 2048 1920 1792 1664 1536 1408 1280 § Say a = p*r*g + f*m 1152 1024 896 768 640 § If maxCoeff(a) - minCoeff(a) ³ q 512 384 256 then at least one coefficient of a is 128 0 reduced mod q on decryption -3 7 17 27 37 47 57 67 Distributions of a 2176 § This leads to the resulting value for 2048 1920 -1 1792 m being off by some rotation of (f 1664 1536 1408 mod p) * q mod p 1280 1152 1024 896 768 640 512 384 256 128 0 -3 7 17 27 37 47 57 67 2176 2048 Distributions of a 1920 1792 1664 1536 Decryption failures 1408 1280 1152 1024 896 768 640 512 384 § Say a = p*r*g + f*m 256 Distributions of a 128 21760 2048-3 7 17 27 37 47 57 67 1920 § If maxCoeff(a) - minCoeff(a) ³ q 1792 1664 1536 then at least one coefficient of a is 1408 1280 1152 reduced mod q on decryption 1024 896 768 640 512 § This leads to the resulting value for 384 256 -1 128 Distributions of a m being off by some rotation of (f 0 2176-3 7 17 27 37 47 57 67 mod p) * q mod p 2048 1920 1792 1664 1536 1408 1280 1152 1024 896 768 640 512 384 256 128 0 -3 7 17 27 37 47 57 67 Philosophies of parameter choice § Ring parameters: N, q, p § Alternative ring moduli: – p, q must generate coprime ideals of – Ring Z [X]/(XN+1) with N a power of 2 N q the ring Zq[X]/(X -1).
Load more

Recommended publications
  • Etsi Gr Qsc 001 V1.1.1 (2016-07)
    ETSI GR QSC 001 V1.1.1 (2016-07) GROUP REPORT Quantum-Safe Cryptography (QSC); Quantum-safe algorithmic framework 2 ETSI GR QSC 001 V1.1.1 (2016-07) Reference DGR/QSC-001 Keywords algorithm, authentication, confidentiality, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice The present document can be downloaded from: http://www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI.
    [Show full text]
  • Circuit-Extension Handshakes for Tor Achieving Forward Secrecy in a Quantum World
    Proceedings on Privacy Enhancing Technologies ; 2016 (4):219–236 John M. Schanck*, William Whyte, and Zhenfei Zhang Circuit-extension handshakes for Tor achieving forward secrecy in a quantum world Abstract: We propose a circuit extension handshake for 2. Anonymity: Some one-way authenticated key ex- Tor that is forward secure against adversaries who gain change protocols, such as ntor [13], guarantee that quantum computing capabilities after session negotia- the unauthenticated peer does not reveal their iden- tion. In doing so, we refine the notion of an authen- tity just by participating in the protocol. Such pro- ticated and confidential channel establishment (ACCE) tocols are deemed one-way anonymous. protocol and define pre-quantum, transitional, and post- 3. Forward Secrecy: A protocol provides forward quantum ACCE security. These new definitions reflect secrecy if the compromise of a party’s long-term the types of adversaries that a protocol might be de- key material does not affect the secrecy of session signed to resist. We prove that, with some small mod- keys negotiated prior to the compromise. Forward ifications, the currently deployed Tor circuit extension secrecy is typically achieved by mixing long-term handshake, ntor, provides pre-quantum ACCE security. key material with ephemeral keys that are discarded We then prove that our new protocol, when instantiated as soon as the session has been established. with a post-quantum key encapsulation mechanism, Forward secret protocols are a particularly effective tool achieves the stronger notion of transitional ACCE se- for resisting mass surveillance as they resist a broad curity. Finally, we instantiate our protocol with NTRU- class of harvest-then-decrypt attacks.
    [Show full text]
  • NSS: an NTRU Lattice –Based Signature Scheme
    ISSN(Online) : 2319 - 8753 ISSN (Print) : 2347 - 6710 International Journal of Innovative Research in Science, Engineering and Technology (An ISO 3297: 2007 Certified Organization) Vol. 4, Issue 4, April 2015 NSS: An NTRU Lattice –Based Signature Scheme S.Esther Sukila Department of Mathematics, Bharath University, Chennai, Tamil Nadu, India ABSTRACT: Whenever a PKC is designed, it is also analyzed whether it could be used as a signature scheme. In this paper, how the NTRU concept can be used to form a digital signature scheme [1] is described. I. INTRODUCTION Digital Signature Schemes The notion of a digital signature may prove to be one of the most fundamental and useful inventions of modern cryptography. A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. The creator of a message can attach a code, the signature, which guarantees the source and integrity of the message. A valid digital signature gives a recipient reason to believe that the message was created by a known sender and that it was not altered in transit. Digital signatures are commonly used for software distribution, financial transactions etc. Digital signatures are equivalent to traditional handwritten signatures. Properly implemented digital signatures are more difficult to forge than the handwritten type. 1.1A digital signature scheme typically consists of three algorithms A key generationalgorithm, that selects a private key uniformly at random from a set of possible private keys. The algorithm outputs the private key and a corresponding public key. A signing algorithm, that given a message and a private key produces a signature.
    [Show full text]
  • The Twin Diffie-Hellman Problem and Applications
    The Twin Diffie-Hellman Problem and Applications David Cash1 Eike Kiltz2 Victor Shoup3 February 10, 2009 Abstract We propose a new computational problem called the twin Diffie-Hellman problem. This problem is closely related to the usual (computational) Diffie-Hellman problem and can be used in many of the same cryptographic constructions that are based on the Diffie-Hellman problem. Moreover, the twin Diffie-Hellman problem is at least as hard as the ordinary Diffie-Hellman problem. However, we are able to show that the twin Diffie-Hellman problem remains hard, even in the presence of a decision oracle that recognizes solutions to the problem — this is a feature not enjoyed by the Diffie-Hellman problem in general. Specifically, we show how to build a certain “trapdoor test” that allows us to effectively answer decision oracle queries for the twin Diffie-Hellman problem without knowing any of the corresponding discrete logarithms. Our new techniques have many applications. As one such application, we present a new variant of ElGamal encryption with very short ciphertexts, and with a very simple and tight security proof, in the random oracle model, under the assumption that the ordinary Diffie-Hellman problem is hard. We present several other applications as well, including: a new variant of Diffie and Hellman’s non-interactive key exchange protocol; a new variant of Cramer-Shoup encryption, with a very simple proof in the standard model; a new variant of Boneh-Franklin identity-based encryption, with very short ciphertexts; a more robust version of a password-authenticated key exchange protocol of Abdalla and Pointcheval.
    [Show full text]
  • Lattice-Based Cryptography - a Comparative Description and Analysis of Proposed Schemes
    Lattice-based cryptography - A comparative description and analysis of proposed schemes Einar Løvhøiden Antonsen Thesis submitted for the degree of Master in Informatics: programming and networks 60 credits Department of Informatics Faculty of mathematics and natural sciences UNIVERSITY OF OSLO Autumn 2017 Lattice-based cryptography - A comparative description and analysis of proposed schemes Einar Løvhøiden Antonsen c 2017 Einar Løvhøiden Antonsen Lattice-based cryptography - A comparative description and analysis of proposed schemes http://www.duo.uio.no/ Printed: Reprosentralen, University of Oslo Acknowledgement I would like to thank my supervisor, Leif Nilsen, for all the help and guidance during my work with this thesis. I would also like to thank all my friends and family for the support. And a shoutout to Bliss and the guys there (you know who you are) for providing a place to relax during stressful times. 1 Abstract The standard public-key cryptosystems used today relies mathematical problems that require a lot of computing force to solve, so much that, with the right parameters, they are computationally unsolvable. But there are quantum algorithms that are able to solve these problems in much shorter time. These quantum algorithms have been known for many years, but have only been a problem in theory because of the lack of quantum computers. But with recent development in the building of quantum computers, the cryptographic world is looking for quantum-resistant replacements for today’s standard public-key cryptosystems. Public-key cryptosystems based on lattices are possible replacements. This thesis presents several possible candidates for new standard public-key cryptosystems, mainly NTRU and ring-LWE-based systems.
    [Show full text]
  • Blind Schnorr Signatures in the Algebraic Group Model
    An extended abstract of this work appears in EUROCRYPT’20. This is the full version. Blind Schnorr Signatures and Signed ElGamal Encryption in the Algebraic Group Model Georg Fuchsbauer1, Antoine Plouviez2, and Yannick Seurin3 1 TU Wien, Austria 2 Inria, ENS, CNRS, PSL, Paris, France 3 ANSSI, Paris, France first.last@{tuwien.ac.at,ens.fr,m4x.org} January 16, 2021 Abstract. The Schnorr blind signing protocol allows blind issuing of Schnorr signatures, one of the most widely used signatures. Despite its practical relevance, its security analysis is unsatisfactory. The only known security proof is rather informal and in the combination of the generic group model (GGM) and the random oracle model (ROM) assuming that the “ROS problem” is hard. The situation is similar for (Schnorr-)signed ElGamal encryption, a simple CCA2-secure variant of ElGamal. We analyze the security of these schemes in the algebraic group model (AGM), an idealized model closer to the standard model than the GGM. We first prove tight security of Schnorr signatures from the discrete logarithm assumption (DL) in the AGM+ROM. We then give a rigorous proof for blind Schnorr signatures in the AGM+ROM assuming hardness of the one-more discrete logarithm problem and ROS. As ROS can be solved in sub-exponential time using Wagner’s algorithm, we propose a simple modification of the signing protocol, which leaves the signatures unchanged. It is therefore compatible with systems that already use Schnorr signatures, such as blockchain protocols. We show that the security of our modified scheme relies on the hardness of a problem related to ROS that appears much harder.
    [Show full text]
  • Implementation and Performance Evaluation of XTR Over Wireless Network
    Implementation and Performance Evaluation of XTR over Wireless Network By Basem Shihada [email protected] Dept. of Computer Science 200 University Avenue West Waterloo, Ontario, Canada (519) 888-4567 ext. 6238 CS 887 Final Project 19th of April 2002 Implementation and Performance Evaluation of XTR over Wireless Network 1. Abstract Wireless systems require reliable data transmission, large bandwidth and maximum data security. Most current implementations of wireless security algorithms perform lots of operations on the wireless device. This result in a large number of computation overhead, thus reducing the device performance. Furthermore, many current implementations do not provide a fast level of security measures such as client authentication, authorization, data validation and data encryption. XTR is an abbreviation of Efficient and Compact Subgroup Trace Representation (ECSTR). Developed by Arjen Lenstra & Eric Verheul and considered a new public key cryptographic security system that merges high level of security GF(p6) with less number of computation GF(p2). The claim here is that XTR has less communication requirements, and significant computation advantages, which indicate that XTR is suitable for the small computing devices such as, wireless devices, wireless internet, and general wireless applications. The hoping result is a more flexible and powerful secure wireless network that can be easily used for application deployment. This project presents an implementation and performance evaluation to XTR public key cryptographic system over wireless network. The goal of this project is to develop an efficient and portable secure wireless network, which perform a variety of wireless applications in a secure manner. The project literately surveys XTR mathematical and theoretical background as well as system implementation and deployment over wireless network.
    [Show full text]
  • Overview of Post-Quantum Public-Key Cryptosystems for Key Exchange
    Overview of post-quantum public-key cryptosystems for key exchange Annabell Kuldmaa Supervised by Ahto Truu December 15, 2015 Abstract In this report we review four post-quantum cryptosystems: the ring learning with errors key exchange, the supersingular isogeny key exchange, the NTRU and the McEliece cryptosystem. For each protocol, we introduce the underlying math- ematical assumption, give overview of the protocol and present some implementa- tion results. We compare the implementation results on 128-bit security level with elliptic curve Diffie-Hellman and RSA. 1 Introduction The aim of post-quantum cryptography is to introduce cryptosystems which are not known to be broken using quantum computers. Most of today’s public-key cryptosys- tems, including the Diffie-Hellman key exchange protocol, rely on mathematical prob- lems that are hard for classical computers, but can be solved on quantum computers us- ing Shor’s algorithm. In this report we consider replacements for the Diffie-Hellmann key exchange and introduce several quantum-resistant public-key cryptosystems. In Section 2 the ring learning with errors key exchange is presented which was introduced by Peikert in 2014 [1]. We continue in Section 3 with the supersingular isogeny Diffie–Hellman key exchange presented by De Feo, Jao, and Plut in 2011 [2]. In Section 5 we consider the NTRU encryption scheme first described by Hoffstein, Piphe and Silvermain in 1996 [3]. We conclude in Section 6 with the McEliece cryp- tosystem introduced by McEliece in 1978 [4]. As NTRU and the McEliece cryptosys- tem are not originally designed for key exchange, we also briefly explain in Section 4 how we can construct key exchange from any asymmetric encryption scheme.
    [Show full text]
  • Lecture 14: Elgamal Encryption, Hash Functions from DL, Prgs from DDH 1 Topics Covered 2 Recall 3 Key Agreement from the Diffie
    CS 7880 Graduate Cryptography October 29, 2015 Lecture 14: ElGamal Encryption, Hash Functions from DL, PRGs from DDH Lecturer: Daniel Wichs Scribe: Biswaroop Maiti 1 Topics Covered • Public Key Encryption • A Public Key Encryption from the DDH Assumption • El Gamal Encryption • CRHF from Discrete Log • PRG from DDH 2 Recall Recall the three number theoretic assumptions we saw last time. We will build Crypto- graphic schemes or protocols based on the hardness of these problems. Definition 1 (G; g; q) Groupgen(1n) } Assumption 1 DL Given g; gX , it is hard to find X. Assumption 2 Computational Diffie Hellman Given g; gX ; gY , it is hard to find gXY . Assumption 3 Decisional Diffie Hellman Given g; gX ; gY , it is hard to distinguish between gXY and gZ , where Z is chosen at random. (g; gX ; gY ; gXY ) ≈ (g; gX ; gY ; gZ ) 3 Key Agreement from the Diffie Helman scheme AB x Zq X hA = g −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−£ Y hB = g ¡−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− Y Zq X XY Y XY hB = g hA = g The keys agreed upon by A and B is gXY . Lecture 14, Page 1 It is interesting to note that in this scheme, A and B were able to agree upon a key without communicating about it. Each party generates a puzzle uniformly at random: A X Y generates hA = g , and B generates hB = g . Then, they send their puzzles to each other, and establish the key to be gXY . Proving this scheme is secure is equivalent to showing that the DDH assumption holds. 4 Public Key Encryption The general syntax of Public Key Encryption is the following.
    [Show full text]
  • A Quantum-Safe Circuit-Extension Handshake for Tor
    A quantum-safe circuit-extension handshake for Tor John Schanck, William Whyte, and Zhenfei Zhang Security Innovation, Wilmington, MA 01887 fjschanck,wwhyte,[email protected] Abstract. We propose a method for integrating NTRUEncrypt into the ntor key exchange protocol as a means of achieving a quantum-safe variant of forward secrecy. The proposal is a minimal change to ntor, essentially consisting of an NTRUEncrypt-based key exchange performed in parallel with the ntor handshake. Performance figures are provided demonstrating that the client bears most of the additional overhead, and that the added load on the router side is acceptable. We make this proposal for two reasons. First, we believe it to be an interesting case study into the practicality of quantum-safe cryptography and into the difficulties one might encounter when transi­ tioning to quantum-safe primitives within real-world protocols and code-bases. Second, we believe that Tor is a strong candidate for an early transition to quantum-safe primitives; users of Tor may be jus­ tifiably concerned about adversaries who record traffic in the present and store it for decryption when technology or cryptanalytic techniques improve in the future. 1 Introduction such as [12,23], as well as some Diffie-Hellman proto­ cols like ntor [8]. A key exchange protocol allows two parties who share no common secrets to agree on a common key over Forward secrecy. A protocol achieves forward secrecy a public channel. In addition to achieving this ba­ if the compromise of any party’s long-term key ma­ sic goal, key exchange protocols may satisfy various terial does not affect the secrecy of session keys de­ secondary properties that are deemed important to rived prior to the compromise.
    [Show full text]
  • Implementing Several Attacks on Plain Elgamal Encryption Bryce D
    Iowa State University Capstones, Theses and Graduate Theses and Dissertations Dissertations 2008 Implementing several attacks on plain ElGamal encryption Bryce D. Allen Iowa State University Follow this and additional works at: https://lib.dr.iastate.edu/etd Part of the Mathematics Commons Recommended Citation Allen, Bryce D., "Implementing several attacks on plain ElGamal encryption" (2008). Graduate Theses and Dissertations. 11535. https://lib.dr.iastate.edu/etd/11535 This Thesis is brought to you for free and open access by the Iowa State University Capstones, Theses and Dissertations at Iowa State University Digital Repository. It has been accepted for inclusion in Graduate Theses and Dissertations by an authorized administrator of Iowa State University Digital Repository. For more information, please contact [email protected]. Implementing several attacks on plain ElGamal encryption by Bryce Allen A thesis submitted to the graduate faculty in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE Major: Mathematics Program of Study Committee: Clifford Bergman, Major Professor Paul Sacks Sung-Yell Song Iowa State University Ames, Iowa 2008 Copyright c Bryce Allen, 2008. All rights reserved. ii Contents CHAPTER 1. OVERVIEW . 1 1.1 Introduction . .1 1.2 Hybrid Cryptosystems . .2 1.2.1 Symmetric key cryptosystems . .2 1.2.2 Public key cryptosystems . .3 1.2.3 Combining the two systems . .3 1.2.4 Short messages and public key systems . .4 1.3 Implementation . .4 1.4 Splitting Probabilities . .5 CHAPTER 2. THE ELGAMAL CRYPTOSYSTEM . 7 2.1 The Discrete Log Problem . .7 2.2 Encryption and Decryption . .8 2.3 Security . .9 2.4 Efficiency .
    [Show full text]
  • A Study on the Security of Ntrusign Digital Signature Scheme
    A Thesis for the Degree of Master of Science A Study on the Security of NTRUSign digital signature scheme SungJun Min School of Engineering Information and Communications University 2004 A Study on the Security of NTRUSign digital signature scheme A Study on the Security of NTRUSign digital signature scheme Advisor : Professor Kwangjo Kim by SungJun Min School of Engineering Information and Communications University A thesis submitted to the faculty of Information and Commu- nications University in partial fulfillment of the requirements for the degree of Master of Science in the School of Engineering Daejeon, Korea Jan. 03. 2004 Approved by (signed) Professor Kwangjo Kim Major Advisor A Study on the Security of NTRUSign digital signature scheme SungJun Min We certify that this work has passed the scholastic standards required by Information and Communications University as a thesis for the degree of Master of Science Jan. 03. 2004 Approved: Chairman of the Committee Kwangjo Kim, Professor School of Engineering Committee Member Jae Choon Cha, Assistant Professor School of Engineering Committee Member Dae Sung Kwon, Ph.D NSRI M.S. SungJun Min 20022052 A Study on the Security of NTRUSign digital signature scheme School of Engineering, 2004, 43p. Major Advisor : Prof. Kwangjo Kim. Text in English Abstract The lattices have been studied by cryptographers for last decades, both in the field of cryptanalysis and as a source of hard problems on which to build encryption schemes. Interestingly, though, research about building secure and efficient
    [Show full text]