Results 1 - 10 of 16
Making NTRU as secure as worst-case problems over ideal lattices
In Proc. of EUROCRYPT, volume 6632 of LNCS, 2011
Cited by 49 (5 self)
Abstract. NTRUEncrypt, proposed in 1996 by Hoffstein, Pipher and Silverman, is the fastest known lattice-based encryption scheme. Its moderate key-sizes, excellent asymptotic performance and conjectured resistance to quantum computers could make it a desirable alternative to factorisation and discrete-log based encryption schemes. However, since its introduction, doubts have regularly arisen on its security. In the present work, we show how to modify NTRUEncrypt to make it provably secure in the standard model, under the assumed quantum hardness of standard worst-case lattice problems, restricted to a family of lattices related to some cyclotomic fields. Our main contribution is to show that if the secret key polynomials are selected by rejection from discrete Gaussians, then the public key, which is their ratio, is statistically indistinguishable from uniform over its domain. The security then follows from the already proven hardness of the RLWE problem.
A hybrid lattice-reduction and meet-in-the-middle attack against NTRU
2007
Cited by 22 (2 self)
To date the NTRUEncrypt security parameters have been based on the existence of two types of attack: a meet-in-the-middle attack due to Odlyzko, and a conservative extrapolation of the running times of the best (known) lattice reduction schemes to recover the private key. We show that there is in fact a continuum of more efficient attacks between these two attacks. We show that by combining lattice reduction and a meet-in-the-middle strategy one can reduce the number of loops in attacking the NTRUEncrypt private key from 2^84.2 to 2^60.3, for the k = 80 parameter set. In practice the attack is still expensive (dependent on one's choice of cost-metric), although there are certain space/time tradeoffs that can be applied. Asymptotically our attack remains exponential in the security parameter k, but it dictates that NTRUEncrypt parameters must be chosen so that the meet-in-the-middle attack has complexity 2^k even after an initial lattice basis reduction of complexity 2^k.
Performance Improvements and a Baseline Parameter Generation Algorithm for NTRUSign
In Proc. of Workshop on Mathematical Problems and Techniques in Cryptology, 2005
Cited by 12 (2 self)
this paper presents an outline of such a recipe for NTRUSign. NTRUSign has many more implementation options than NTRUEncrypt, and research is ongoing to improve the efficiency of NTRUSign operations at a given security level. This paper is therefore not intended to be the last word on parameter generation for NTRUSign, but to provide a specific parameter generation algorithm whose output has, we believe, the stated security properties. We also present certain technical advances upon which we intend to build in subsequent papers.
Low-cost Implementations of NTRU for Pervasive Security
In International Conference on Application-Specific Systems, Architectures and Processors – ASAP 2008, 2008
Cited by 8 (0 self)
NTRU is a public-key cryptosystem based on the shortest vector problem in a lattice which is an alternative to RSA and ECC. This work presents a compact and low power NTRU design that is suitable for pervasive security applications such as RFIDs and sensor nodes. We have designed two architectures, one is only capable of encryption and the other one performs both encryption and decryption. The strategy for the designs includes clock gating of registers, operand isolation and precomputation. This work is also the first one to present a complete NTRU design with encryption/decryption circuitry. Our encryption-only NTRU design has a gate-count of 2.8 kgates and dynamic power consumption of 1.72µW. Moreover, encryption-decryption NTRU design consumes about 6µW dynamic power and consists of 10.5 kgates.
Practical lattice-based cryptography: NTRUEncrypt . . .
Cited by 4 (0 self)
We provide a brief history and overview of lattice based cryptography and cryptanalysis: shortest vector problems, closest vector problems, subset sum problem and knapsack systems, GGH, Ajtai-Dwork and NTRU. A detailed discussion of the algorithms NTRUEncrypt and NTRUSign follows. These algorithms have attractive operating speed and keysize and are based on hard problems that are seemingly intractable. We discuss the state of current knowledge about the security of both algorithms and identify areas for further research.
Recovering NTRU Secret Key From Inversion Oracles
Cited by 3 (0 self)
Abstract. We consider the NTRU encryption scheme as lately suggested for use, and study the connection between inverting the NTRU primitive (i.e., the one-way function over the message and the blinding information which underlies the NTRU scheme) and recovering the NTRU secret key (universal breaking). We model the inverting algorithms as black-box oracles and do not take any advantage of the internal ways by which the inversion works (namely, it does not have to be done by following the standard decryption algorithm). This allows for secret key recovery directly from the output on several inversion queries even in the absence of decryption failures. Our oracles might be queried on both valid and invalid challenges e, however they are not required to reply (correctly) when their input is invalid. We show that key recovery can be reduced to inverting the NTRU function. The efficiency of the reduction highly depends on the specific values of the parameters. As a side-result, we connect the collisions of the NTRU function with decryption failures which helps us gain a deeper insight into the NTRU primitive.
On estimating the lattice security of NTRU
2005
Cited by 3 (0 self)
This report explicitly refutes the analysis behind a recent claim that NTRUEncrypt has a bit security of at most 74 bits. We also sum up some existing literature on NTRU and lattices, in order to help explain what should and what should not be classed as an improved attack against the hard problem underlying NTRUEncrypt. We also show a connection between Schnorr's RSR technique and exhaustively searching the NTRU lattice.
New Chosen-Ciphertext Attacks on NTRU
In Workshop on Practice and Theory in Public Key Cryptography – PKC 2007, 2007
Cited by 3 (0 self)
Abstract. We present new and efficient key-recovery chosen-ciphertext attacks on NTRUencrypt. Our attacks are somewhat intermediate between chosen-ciphertext attacks on NTRUencrypt previously published at CRYPTO ’00 and CRYPTO ’03. Namely, the attacks only work in the presence of decryption failures; we only submit valid ciphertexts to the decryption oracle, where the plaintexts are chosen uniformly at random; and the number of oracle queries is small. Interestingly, our attacks can also be interpreted from a provable security point of view: in practice, if one had access to a NTRUencrypt decryption oracle such that the parameter set allows decryption failures, then one could recover the secret key. For instance, for the initial NTRU-1998 parameter sets, the output of the decryption oracle on a single decryption failure is enough to recover the secret key.
A Broadcast Attack against NTRU Using Ding’s Algorithm
Cited by 1 (1 self)
Very recently, Ding proposed an ingenious algorithm to solve LWE problem with bounded errors in polynomial time. We find that it can be easily used to give a broadcast attack against NTRU, the most efficient lattice-based public-key cryptosystem known to date.
implementation perspective
Wireless sensor network security requires the cryptography software extremely low complex and energy efficient due to the limited memory and CPU capacity in a sensor. The NTRU (Nth degree truncated polynomial ring) encrypt algorithm has been shown to provide certain advantages when designing low power and resource constrained systems, while still providing comparable security levels to higher complexity algorithms. Unlike the current works that build NTRU software in a chip, this research focuses on the hardware implementation of NTRU algorithms because hardware implementation has much higher execution speed than software implementation. In contrast to previous research, the focus is shifted away from specific optimizations but rather provides a study of many of the recommended practices and suggested optimizations with particular emphasis on polynomial arithmetic and parameter selection. Recommendations for algorithm and parameter selection are made regarding implementation in hardware with respect to the resources available. Copyright © 2008 John Wiley & Sons, Ltd. KEY WORDS: sensor network security; NTRU; hardware design; cryptography algorithms