MaTRU A New NTRU-Based Cryptosystem - PowerPoint PPT Presentation

About This Presentation
Title:

MaTRU A New NTRU-Based Cryptosystem

Description:

MaTRU A New NTRU-Based Cryptosystem Bok Min Goi Centre for Cryptography and Information Security (CCIS) Multimedia University, Cyberjaya, Malaysia – PowerPoint PPT presentation

Transcript and Presenter's Notes

Title: MaTRU A New NTRU-Based Cryptosystem


1
MaTRU: A New NTRU-Based Cryptosystem
Bok-Min Goi, Centre for Cryptography and Information Security (CCIS), Multimedia University, Cyberjaya, Malaysia
Michael Coglianese, Macgregor, 321 Summer Street, Boston MA, USA
The Sixth International Conference on Cryptology (INDOCRYPT 2005), Indian Institute of Science, Bangalore, India, December 10-12, 2005
2
Outline
  • Introduction
  • Notation
  • Overview of the original NTRU PKC
  • Our New NTRU-based PKC: MaTRU
  • Construction
  • How it works
  • Security Analysis Results
  • Brute force and lattice attacks
  • Parameter choices
  • NTRU vs. MaTRU
  • Concluding Remarks

3
Introduction
4
Introduction
  • Revolution in cryptography in 1976: Diffie and Hellman present the idea of the public key cryptosystem
  • To provide a non-repudiation service and solve key distribution problems

5
Introduction
  • RSA PKC (1978)
  • based on integer factorization problem
  • McEliece PKC (1978)
  • based on algebraic coding theory
  • ElGamal PKC (1984)
  • based on discrete log problem (DLP)
  • ECC PKC (1987)
  • based on the intractability of elliptic curve DLP
  • Variants of Matsumoto-Imai PKC (1988)
  • based on the systems of multivariable polynomials

6
Introduction...
  • Problems
  • Most of them are too slow and need a large memory footprint
  • Not suitable for low cost devices
  • RFID, smartcards, mobile devices

7
NTRU
  • NTRU, pronounced as "ain't true", by J. Hoffstein, J. Pipher and J. Silverman
  • At the rump session of CRYPTO '96 and then full paper in ANTS III (LNCS 1423, 1998)
  • Based on properties of short polynomials over polynomial rings
  • Fewer resources and fast operation, but larger message expansion
  • Has been studied comprehensively in the cryptography community
  • So far, NTRU's core technology is still SECURE!!

8
NTRU
  • All operations are done in

9
NTRU
  • The width or L∞ norm on R of an element g
  • The size or L2 norm on R of an element g

10
NTRU
Defined by parameters (N, p, q) and sets (Lf, Lg, Lφ, Lm) in R. Note that q >> p and g.c.d.(p, q) = 1.
GEN (key generation algorithm): Randomly choose 2 polynomials f, g with Fq·f ≡ 1 (mod q), Fp·f ≡ 1 (mod p)
h ≡ Fq·g (mod q)
(PK, SK) = (h, f)
ENC (encryption algorithm): Select m ∈ Lm and randomly select φ ∈ Lφ.
e ≡ p·φ·h + m (mod q)
DEC (decryption algorithm): a ≡ f·e (mod q). Then choose the coefficients of a in the interval from -q/2 to q/2.
m ≡ Fp·a (mod p)
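The GEN / ENC / DEC steps above, carried through on a toy instance. This is an added example, not code from the slides or from the MaTRU authors; it assumes constructed parameters N = 11, p = 3, q = 101 (far too small to be secure) and takes q prime so that a single extended-Euclid routine inverts f modulo both p and q, whereas real NTRU uses q = 2^k and a Hensel lift.

```python
"""Toy NTRU following GEN / ENC / DEC in R = Z[X]/(X^N - 1).
Added example, not the MaTRU authors' code; parameters are constructed."""
import random

N, P, Q = 11, 3, 101   # constructed toy parameters, NOT secure; q prime by assumption

def trim(a):
    """Drop leading zero coefficients; a[i] is the coefficient of X^i."""
    a = list(a)
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def poly_divmod(a, b, mod):
    """Long division in Z_mod[X] (mod prime): returns (quotient, remainder)."""
    r, b = trim([x % mod for x in a]), trim([x % mod for x in b])
    q = [0] * max(1, len(r) - len(b) + 1)
    inv_lead = pow(b[-1], -1, mod)
    while r != [0] and len(r) >= len(b):
        d, c = len(r) - len(b), (r[-1] * inv_lead) % mod
        q[d] = c
        for i, bc in enumerate(b):
            r[i + d] = (r[i + d] - c * bc) % mod
        r = trim(r)
    return trim(q), r

def poly_mul(a, b, mod):
    c = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[i + j] = (c[i + j] + ai * bj) % mod
    return trim(c)

def poly_sub(a, b, mod):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(x - y) % mod for x, y in zip(a, b)])

def ring_mul(a, b, mod):
    """Cyclic convolution: the product in Z_mod[X]/(X^N - 1)."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] = (c[(i + j) % N] + ai * bj) % mod
    return c

def ring_inverse(f, mod):
    """Extended Euclid: u with u*f = 1 in Z_mod[X]/(X^N - 1), or None if f is not a unit."""
    r0, r1 = [(-1) % mod] + [0] * (N - 1) + [1], trim([x % mod for x in f])  # X^N - 1, f
    s0, s1 = [0], [1]                       # invariant: r_i = s_i * f  (mod X^N - 1)
    while r1 != [0]:
        q, r = poly_divmod(r0, r1, mod)
        r0, r1 = r1, r
        s0, s1 = s1, poly_sub(s0, poly_mul(q, s1, mod), mod)
    if len(r0) != 1:                        # gcd has positive degree: no inverse
        return None
    scale = pow(r0[0], -1, mod)
    u = [0] * N
    for i, c in enumerate(s0):              # fold exponents >= N back, since X^N = 1
        u[i % N] = (u[i % N] + c * scale) % mod
    return u

def center(a, mod):
    """Lift residues to the symmetric interval (-mod/2, mod/2]."""
    return [((x + mod // 2) % mod) - mod // 2 for x in a]

def sample_ternary(rng, ones, neg_ones):
    """Random polynomial with `ones` coefficients +1, `neg_ones` coefficients -1, rest 0."""
    a, idx = [0] * N, rng.sample(range(N), ones + neg_ones)
    for i in idx[:ones]:
        a[i] = 1
    for i in idx[ones:]:
        a[i] = -1
    return a

def keygen(rng, d=2):
    """GEN: f with d ones and d-1 minus-ones (so f(1) != 0), g with d of each, h = Fq*g mod q."""
    while True:
        f = sample_ternary(rng, d, d - 1)
        Fp, Fq = ring_inverse(f, P), ring_inverse(f, Q)
        if Fp is not None and Fq is not None:
            break
    g = sample_ternary(rng, d, d)
    return ring_mul(Fq, g, Q), (f, Fp)      # (PK, SK) = (h, (f, Fp))

def encrypt(rng, h, m, d=2):
    """ENC: e = p*phi*h + m (mod q) with a fresh blinding polynomial phi."""
    phi = sample_ternary(rng, d, d)
    return [(P * x + y) % Q for x, y in zip(ring_mul(phi, h, Q), m)]

def decrypt(sk, e, centre=True):
    """DEC: a = f*e (mod q), coefficients chosen in (-q/2, q/2], then m = Fp*a (mod p)."""
    f, Fp = sk
    a = ring_mul(f, e, Q)
    if centre:                              # the lifting step the slide insists on
        a = center(a, Q)
    return center(ring_mul(Fp, [x % P for x in a], P), P)

def roundtrip(seed=1, trials=20):
    """True iff Fq*f == 1 and every random message in {-1,0,1}^N decrypts correctly."""
    rng = random.Random(seed)
    h, sk = keygen(rng)
    f, _ = sk
    ok = ring_mul(f, ring_inverse(f, Q), Q) == [1] + [0] * (N - 1)
    for _ in range(trials):
        m = [rng.choice((-1, 0, 1)) for _ in range(N)]
        ok = ok and decrypt(sk, encrypt(rng, h, m)) == m
    return ok

if __name__ == "__main__":
    print("toy NTRU round trip:", roundtrip())
```

With d = 2 the integer value p·φ·g + f·m has coefficients of magnitude at most 15, well inside (-q/2, q/2], so the centred lift recovers it exactly and reduction mod p leaves f·m; calling `decrypt(sk, e, centre=False)` instead keeps coefficients in [0, q-1], and any coefficient that should have been negative then reduces to the wrong residue mod p, which is why slide 10 specifies the interval.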
11
Security Analysis
  • Meet-in-the-Middle attacks
  • Multiple Transmission attacks
  • Lattice attacks
  • h ≡ Fq·g (mod q)
  • f·h ≡ g (mod q) => short!

Use the LLL lattice basis reduction algorithm to find the shortest vector, r = (λf, g)
12
Comparison
Speed Advantage of NTRU over RSA
13
Can we further improve the speed of NTRU while keeping its security at a comparable level?!!
14
MaTRU
15
MaTRU
  • We propose a new NTRU-based PKC: MaTRU
  • pronounced as "may-true"
  • All operations are done in the matrix ring M of k by k matrices with elements in Z[X]/(X^n - 1)
  • fix nk² = N, for the same message size as NTRU
  • Matrix polynomial multiplication takes time O(n²k³)
  • speed increase by a factor of O(k) over NTRU
  • however the constant factor is ½, as the linear transformation in MaTRU is a two-sided matrix multiplication

16
Notations
17
Notations
  • Permutation matrix, A (and B)
  • is a binary matrix that has exactly one 1 in each row and column with all 0s elsewhere
  • forms a multiplicative group of order k (i.e., A^k = I = A^0)
  • the set {A^0, A^1, ..., A^(k-1)} is linearly independent, i.e.,

18
Notations
  • E.g., if p = 3, n = 5, L(2) means on average each polynomial has 2 coefficients equal to 1, 2 coefficients equal to -1, and 1 coefficient equal to 0.
  • Or, if p = 2, n = 5, L(2) means on average each polynomial has 2 coefficients equal to 1, and the rest equal to 0.

19
MaTRU-Gen
GEN (key generation algorithm)
h is not short.
20
MaTRU-ENC
ENC (encryption algorithm)
Coefficients in e are spread over [0, q-1]

21
MaTRU-DEC
DEC (decryption algorithm)
22
How it works
  • In decryption
  • In order to simplify, it becomes

have to be commutative!!
BUT, matrix multiplication is NOT generally
COMMUTATIVE!!
23
How it works
  • But, here do
    indeed commute

24
How it works
  • Hence, we can treat the polynomials in a as having integer coefficients; reducing a modulo p leaves f·m·g (mod p)
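The commutation fact behind slides 22-24, checked on a toy instance: k by k matrices over Z[X]/(X^n - 1) do not commute in general, but any two polynomials in the same permutation matrix A (the shape of f and φ, or of g and ψ) do, which is what lets f·e·g collapse during decryption. Added illustration, not the authors' code; the sizes n = 5, k = 3, the cyclic-shift matrix A, the transposition B and the random short coefficient polynomials are all constructed here.

```python
"""Polynomials in one permutation matrix commute; matrices in general do not.
Added illustration, not the MaTRU authors' code; n, k, A, B are constructed."""
import random

n, k = 5, 3   # constructed toy sizes: polys in Z[X]/(X^n - 1), k x k matrices

def pmul(a, b):
    """Cyclic product in Z[X]/(X^n - 1); coefficient lists of length n."""
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % n] += ai * bj
    return c

def padd(a, b):
    return [x + y for x, y in zip(a, b)]

ZERO, ONE = [0] * n, [1] + [0] * (n - 1)   # the ring's 0 and 1

def mat_mul(M1, M2):
    """Product of k x k matrices whose entries are ring polynomials (O(n^2 k^3) work)."""
    out = [[ZERO[:] for _ in range(k)] for _ in range(k)]
    for i in range(k):
        for j in range(k):
            acc = ZERO[:]
            for l in range(k):
                acc = padd(acc, pmul(M1[i][l], M2[l][j]))
            out[i][j] = acc
    return out

def mat_add(M1, M2):
    return [[padd(M1[i][j], M2[i][j]) for j in range(k)] for i in range(k)]

def scale(M, poly):
    """Multiply every entry of M by one polynomial (poly times a permutation matrix)."""
    return [[pmul(poly, M[i][j]) for j in range(k)] for i in range(k)]

def perm_matrix(perm):
    """Binary matrix with exactly one 1 per row and column: row i has its 1 in column perm[i]."""
    return [[ONE[:] if perm[i] == j else ZERO[:] for j in range(k)] for i in range(k)]

IDENTITY = perm_matrix(list(range(k)))
A = perm_matrix([(i + 1) % k for i in range(k)])   # cyclic shift: A^k = I
B = perm_matrix([1, 0, 2])                          # a transposition; A*B != B*A

def mat_pow(M, e):
    R = IDENTITY
    for _ in range(e):
        R = mat_mul(R, M)
    return R

def poly_in(M, coeffs):
    """sum_i coeffs[i] * M^i, the shape of f, g, phi and psi in MaTRU."""
    acc = [[ZERO[:] for _ in range(k)] for _ in range(k)]
    for i, c in enumerate(coeffs):
        acc = mat_add(acc, scale(mat_pow(M, i), c))
    return acc

def commutes(M1, M2):
    return mat_mul(M1, M2) == mat_mul(M2, M1)

def random_short_poly(rng):
    return [rng.choice((-1, 0, 1)) for _ in range(n)]

def demo(seed=0):
    """Return (A^k == I, f*phi == phi*f for random f, phi in Z[X][A], A*B == B*A)."""
    rng = random.Random(seed)
    f = poly_in(A, [random_short_poly(rng) for _ in range(k)])
    phi = poly_in(A, [random_short_poly(rng) for _ in range(k)])
    return mat_pow(A, k) == IDENTITY, commutes(f, phi), commutes(A, B)

if __name__ == "__main__":
    print("A^k == I, f*phi == phi*f, A*B == B*A:", demo())
```

Because f and φ are both sums of powers of the same A with polynomial coefficients, every product term is c_i·d_j·A^(i+j) whichever order they are multiplied in, so they commute regardless of the random coefficients; the last component shows that the same is false for two different permutation matrices.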

25
Security Analysis Results
26
Security Analysis
  • The key (or message) space depends on the 2k
    polynomials.

27
Security Analysis
  • For p = 2 or 3, the total number of possible key pairs,
  • Using brute force attacks
  • > (key security)/2
  • Using meet-in-the-middle attacks
  • > (key security)^(1/2)

28
Lattice Attacks
  • To discover the private key (f, g) or (αi, βi), the attacker has to find the linear transformation
  • T_{f,g}(J): J → f·J·g
  • Note that T_{f,g}(h) = w
  • Can form a 2nk² by 2nk² lattice matrix L

29
Lattice Attacks
  • Since αi and βj are short, αi·βj will be pretty short.
  • (αi·βj, w) is in the lattice L = (T, T(h))

30
Lattice Attacks
  • The size of the target vector (αi·βj, w)

31
Parameter
32
Comparison
note that nk² = N
33
Concluding Remarks
34
Results
  • We have introduced the MaTRU cryptosystem
  • its construction
  • security analysis parameter choices
  • comparison with the original NTRU
  • Due to the non-commutative property, MaTRU won't face the multiple transmission attacks as in NTRU
  • However, the security analysis is heuristic
  • any other better attacks??

35
Future Work
  • Construct experiments to further refine the suggested parameters for MaTRU
  • Optimization, improvement and cryptanalysis of MaTRU
  • new lattice attack (subdividing L)
  • impact of imperfect decryption

36
Thank you
for your attention!!