P802.15 TG3: Performance and Security of NTRU Security Suite (doc. 802.15-02/108r0)


February, 2002                                            doc: 802.15-02/108r0
  Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs)

Submission Title: [Performance and Security of NTRU Security Suite]
Date Submitted: [February 22, 2002]
Source: [Daniel V. Bailey, Product Manager for Wireless Networks and Ari Singer, Principal Engineer]
Company [NTRU]
Address [5 Burlington Woods, Burlington, MA 01803]
Voice:[(781) 418-2500], FAX: [(781) 418-2507], E-Mail:[dbailey@ntru.com]
Re: [Draft P802.15.3/D09, P802.15-02-074r1 802.15.3 Call For Proposals for a Security Suite]
Abstract: [This presentation gives an overview of the performance and security of NTRU’s proposal for
a security suite for the 802.15.3 draft standard.]
Purpose: [To familiarize the working group with the NTRU proposed security suite.]
Notice: This document has been prepared to assist the IEEE P802.15. It is offered as a basis for
discussion and is not binding on the contributing individual(s) or organization(s). The material in this
document is subject to change in form and content after further study. The contributor(s) reserve(s) the right
to add, amend or withdraw material contained herein.
Release: The contributor acknowledges and accepts that this contribution becomes the property of IEEE
and may be made publicly available by P802.15.




                                                                  Daniel V. Bailey, Ari Singer, NTRU      1
February, 2002                 doc:.: 802.15-02/108r0


 Agenda


  • NTRU Background

  • NTRU Security

  • Why Triple-DES?






 Why NTRU Public-Key Cryptography?

    • Public-Key Cryptography was invented in the 1970s:
         – RSA
         – Elliptic Curve Cryptography
    • Uses complicated mathematics and large numbers
         – RSA: 1024 bit numbers (1 with 300 zeroes!)
         – ECC: 160 bit numbers and complex operations
             • Ratios of polynomials
         – Not suitable for devices with low processing power, memory, battery
           life…
    • NTRU:
         – Uses smaller numbers (<128)
         – Can be implemented efficiently on any processor
         – Fundamental breakthrough in cryptography





    NTRU Advantages


                 Why so fast? Why so small? Why so secure?






 NTRU Buzzwords

  • NTRU uses convolution multiplication
      – RSA uses modular multiplication
      – Convolutions used in digital signal processing (voice, streaming
        multimedia, etc)
  • NTRU is based on the short lattice vector problem
      – RSA is based on the integer factorization problem
      – ECC is based on the elliptic curve discrete log problem
      – Short lattice vector problem has been proved very hard; other two are
        merely conjectured to be very hard.






 NTRU Fundamentals

  • NTRU is a lattice-based public-key cryptosystem
      – Lattice operations are extremely fast
      – Lattice operations are easy to implement using 7- or 8-bit numbers
      – Lattice problems have been well studied and are hard in high dimension
  •   Every NTRU key has its own random lattice
  •   Each key is a concatenation of polynomial coefficients
  •   NTRU keys are always completely independent
  •   Two algorithms
      – NTRUEncrypt for encryption and decryption
      – NTRUSign for signature and verification
  • Only NTRUEncrypt needed for 802.15.3




 History of NTRUEncrypt

    • Developed by team of cryptographer/mathematicians
         – J. Hoffstein, J. Pipher, J. Silverman (1994-1996)
    • Presented by J. Hoffstein at CRYPTO ’96
    • Immediate feedback from top cryptographers (Coppersmith,
      Hastad, Odlyzko, Shamir,…) used to set appropriate security
      parameters
    • Ongoing research by experts in lattices and cryptography
      (Nguyen, Stern, Schnorr, May, Gentry, Szydlo, Jaulmes,
      Joux…) reaffirms NTRU’s security
    • New IEEE P1363.1 standard based on NTRU
    • New CEES Efficient Embedded Security Standard based on
      NTRU



 NTRUEncrypt Public Parameters

     The NTRUEncrypt Public Key Cryptosystem depends on three public
     parameters:
                                N, p, q

     Typical values for these parameters, with approximate equivalent RSA
     security levels, are:
             NTRU                                  RSA Level
         N       p        q                        (bits)
        251     2+X      128                        1024
        347     2+X      128                        2048
        503     2+X      256                        4096

     Key size = ciphertext size = N * log2(q) bits
     Plaintext size = N bits


 Convolution Multiplications

  NTRU’s basic operation is the convolution product of two vectors of small numbers:
                       [a_0, …, a_{N-1}] * [b_0, …, b_{N-1}] = [c_0, …, c_{N-1}]
  with
            c_k = a_0 b_k + a_1 b_{k-1} + a_2 b_{k-2} + … + a_{N-2} b_{k+2} + a_{N-1} b_{k+1}
  (the index of b is taken mod N, i.e. c_k is the sum of a_i b_j over all i + j = k mod N).

  Convolution products can be computed very rapidly using Karatsuba multiplication
     or Fast Fourier Transforms.

  Example with N=4     (Extra Rule: x^4 = 1)

  (x^3 + 2x - 1) * (3x^3 - x^2 + x + 2) = 3x^6 - x^5 + 7x^4 - 3x^3 + 3x^2 + 3x - 2
                                        = 3x^2 - x + 7 - 3x^3 + 3x^2 + 3x - 2
                                        = -3x^3 + 6x^2 + 2x + 5





 Small Polynomials and Polynomials Mod q

    The coefficients of NTRU polynomials may be reduced modulo the
    parameter q. That means that the coefficients are replaced with their
    remainders after being divided by q.

    Example.
                    5x^3 - 11x^2 + 4x + 6 = -x^3 + x^2 + x (mod 3)
    (Note: the usual reduction mod q reduces into the range [0, q-1]. In NTRU,
    we sometimes reduce into the range [-q/2, q/2) or some other range.)

    Many polynomials used in NTRU are described as “small”. This means
    their coefficients are, by and large, small relative to q.






 NTRUEncrypt Key Creation

      Bob chooses two polynomials f(x) and g(x).
              f(x) has the form 1 + pF(x), where F(x) is small
              g(x) is small

      Bob computes the inverse of f(x) modulo q:
               F_q(x) * f(x) = 1 (mod q).
      Finding these inverses is very fast using the Euclidean algorithm.

      Bob computes the product
                           h(x) = p * F_q(x) * g(x) (mod q).

      Bob’s Private Key:         the polynomial f(x)
      Bob’s Public Key:          the polynomial h(x)





 NTRUEncrypt Encryption

  • Alice processes the message before encryption
      – pads the message with random data
      – blinds it, OAEP-style, to get the blinded message
      – converts the blinded message to a polynomial m(X).
  • Alice encrypts the message
      – generates a small random polynomial r(X) (using the blinded message
        as the seed for the random number generator)
      – calculates
         e(X) = r(X) * h(X) + m(X)
  • e(X) is the ciphertext.






 NTRUEncrypt Decryption

  • Bob decrypts the message
      – calculates
          a(X) = f(X) * e(X) (mod q).
      – places the coefficients of a(X) into the range [A, A+q-1]
      – reduces mod p. This recovers the polynomial m’(X).
  • Bob checks that the ciphertext was valid
      – converts the polynomial m’(X) to the blinded message
      – generates a small random polynomial r’(X) (using the blinded message
        as the seed for the random number generator)
      – calculates
           e’(X) = r’(X) * h(X) + m’(X)
      – If this is identical to e(X), accepts the message.




 Why Does NTRUEncrypt Work?

      a = f * e                          (mod q)
        = f * (r*h + m)                  (mod q)
        = f * (r*p*g*F_q + m)            (mod q)
        = p*r*g + (1 + pF)*m             (mod q)     since f*F_q = 1 (mod q).

      All of the polynomials r, g, f, m are small, so the coefficients of

                                   p*r*g + (1 + pF)*m

      will all lie within q of each other. If its coefficients are reduced into the
      right range, the polynomial a(x) is exactly equal to p*r*g + f*m. Then

                          a = p*r*g + m + pF*m = m (mod p)
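The convolution product, the mod-q reduction, and the key creation, encryption, decryption and "why it works" steps from the preceding slides, as one added worked example. This is not code from NTRU or from the slides: it is a toy implementation with constructed parameters (N = 11, p = 3, q = 128) and constructed sample polynomials, chosen small enough that decryption is provably exact; the mod-2 inverse is found by exhaustive search and lifted to mod q by Newton iteration, in place of the Euclidean-algorithm approach the slides mention.

```python
from itertools import product

# Toy parameters, constructed for this example: the slides use N = 251,
# q = 128 and a polynomial p; here p = 3 keeps the arithmetic readable.
N, P, Q = 11, 3, 128


def convolve(a, b):
    """Convolution product in Z[x]/(x^n - 1), n = len(a): the slides'
    c_k = a_0*b_k + a_1*b_(k-1) + ... with the index of b taken mod n.
    Coefficient lists are low degree first and are not reduced mod anything."""
    n = len(a)
    c = [0] * n
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                c[(i + j) % n] += ai * bj
    return c


def reduce_mod(a, m, centered=True):
    """Reduce each coefficient mod m: into [-m/2, m/2) when centered (the
    range NTRU decryption needs), otherwise into [0, m-1]."""
    out = []
    for x in a:
        x %= m
        if centered and x >= (m + 1) // 2:
            x -= m
        out.append(x)
    return out


def inverse_mod2(f):
    """Inverse of f in GF(2)[x]/(x^N - 1) by exhaustive search; fine for this
    toy N (real code uses the extended Euclidean algorithm the slides mention)."""
    one = [1] + [0] * (N - 1)
    for cand in product((0, 1), repeat=N):
        if reduce_mod(convolve(f, list(cand)), 2, centered=False) == one:
            return list(cand)
    raise ValueError("f has no inverse mod 2")


def inverse_mod_q(f):
    """Lift the mod-2 inverse to mod Q (a power of two) by Newton iteration
    a <- a * (2 - f*a), which doubles the number of correct bits each round."""
    a, mod = inverse_mod2(f), 2
    while mod < Q:
        mod *= mod
        two_minus_fa = [(-c) % mod for c in convolve(f, a)]
        two_minus_fa[0] = (two_minus_fa[0] + 2) % mod
        a = reduce_mod(convolve(a, two_minus_fa), mod, centered=False)
    return reduce_mod(a, Q, centered=False)


def keygen(F, g):
    """Bob's key creation: f = 1 + p*F, F_q = f^-1 mod q, h = p*F_q*g mod q.
    Returns (private key f, public key h)."""
    f = [P * c for c in F]
    f[0] += 1
    Fq = inverse_mod_q(f)
    h = reduce_mod(convolve([P * c for c in Fq], g), Q, centered=False)
    return f, h


def encrypt(m, r, h):
    """Alice: e = r*h + m mod q. The slides derive r from the padded, blinded
    message; here the small polynomial r is supplied directly."""
    rh = convolve(r, h)
    return reduce_mod([x + y for x, y in zip(rh, m)], Q, centered=False)


def decrypt(e, f):
    """Bob: a = f*e mod q, coefficients centred into [-q/2, q/2) so that a
    equals p*r*g + f*m exactly, then reduced mod p to recover m."""
    a = reduce_mod(convolve(f, e), Q, centered=True)
    return reduce_mod(a, P, centered=True)


# Constructed sample polynomials (coefficient lists, low degree first). Each of
# F, g, r has two +-1 coefficients, so every coefficient of p*r*g + (1+pF)*m
# has magnitude at most 3*4 + 3*2 + 1 = 19 < q/2, and decryption is exact.
F_SAMPLE = [0, 1, 0, 0, -1, 0, 0, 0, 0, 0, 0]    # F = x - x^4
G_SAMPLE = [0, 0, 1, 0, 0, 0, -1, 0, 0, 0, 0]    # g = x^2 - x^6
R_SAMPLE = [1, 0, 0, 0, 0, 0, 0, 0, -1, 0, 0]    # r = 1 - x^8
M_SAMPLE = [1, -1, 0, 1, 1, 0, -1, 0, 1, 0, -1]  # ternary message


def roundtrip(m=M_SAMPLE):
    """Key creation, encryption, decryption and Bob's re-encryption check."""
    f, h = keygen(F_SAMPLE, G_SAMPLE)
    e = encrypt(m, R_SAMPLE, h)
    recovered = decrypt(e, f)
    return recovered, encrypt(recovered, R_SAMPLE, h) == e


if __name__ == "__main__":
    print(convolve([-1, 2, 0, 1], [2, 1, -1, 3]))   # the slides' N=4 example
    print(roundtrip())
```

The centring step in decrypt is where the "right range" of the derivation is applied: because the sample polynomials are tiny, [-q/2, q/2) is guaranteed to contain every coefficient of p*r*g + f*m, so the mod-q result equals that integer polynomial and reducing mod p strips the p*r*g and pF*m terms.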






 In answer to those questions:

  • Why so fast?
      – NTRUEncrypt uses only adds on 7-bit numbers
      – For security of order N, needs only N ln N operations
          • other algorithms require N^2 or N^3 operations
  • Why so small?
      – NTRUEncrypt uses only adds on 7-bit numbers
      – No need for big integer arithmetic library
      – Fits in small amount of RAM
  • Why secure?
      – To be discussed…






 How Fast is NTRUEncrypt?
 (RSA 1024 Level Security)

  NTRU vs. RSA on ARM9
    Function   Units    NTRU 251   RSA 1024    NTRU Advantage
    Encrypt    Cycles   79,460     192,892     2 to 1
    Decrypt    Cycles   167,033    9,600,000   57 to 1

  NTRU vs. ECC on ARM9
    Function   Units    NTRU 251   ECC 192     NTRU Advantage
    Encrypt    Cycles   79,460     3,040,000   38 to 1
    Decrypt    Cycles   167,033    3,040,000   18 to 1

  NTRU vs. RSA on PDAs
    Function   Units        NTRU 251   RSA 1024   NTRU Advantage
    Encrypt    Blocks/sec   21         0.5        42 to 1
    Decrypt    Blocks/sec   12         0.036      333 to 1

  NTRU vs. ECC on PDAs
    Function   Units        NTRU 251   ECC 163    NTRU Advantage
    Encrypt    Blocks/sec   21         0.4        52.5 to 1
    Decrypt    Blocks/sec   12         1.3        9 to 1

  ARM9 Comparisons: NTRU’s NERI toolkit vs. Mike Scott’s MIRACL library, using a NIST curve
  PDA Comparisons: NTRU’s NERI portable toolkit vs. published results (for ECC, RSA) specialized for the Palm device (RSA encryption exponent e=65537)



 Performance on a Microcontroller

  • Speakers will have an 8051 if they’re lucky
  • Microcontrollers vary widely, so here are three implementations of
    NTRUEncrypt:

      Architecture   Internal Clock   Enc. Time   Dec. Time   RAM
      8 bits         2.66 MHz         42.6 ms     60.0 ms     841 bytes
      8 bits         3.4 MHz          41.3 ms     65.9 ms     841 bytes
      16 bits        1 MHz            65 ms       119 ms      841 bytes






 Comparison on a Microcontroller

  • For comparison, the top microcontroller has a 50,000 gate
    RSA/ECC coprocessor
  • 028r3-TG3-Coding-Criteria.ppt gives the following cost/power
    guidance:
      – In 0.18 micron technology, 100,000 gates cost 20 cents
      – Power is dissipated at a rate of 0.018 mW/(MHz*kgates)
    Algorithm    Gate Count   Gate Cost ($)   Gate Power   Time
    NTRU         0            0               0            60 msec
    RSA          50,000       .10             2.4 mW       420 msec
    ECC          50,000       .10             2.4 mW       160 msec






 Comparison in Hardware

  • What if you need NTRUEncrypt in hardware?
  • This is a complete implementation, including SHA-1




    Algorithm    Gate Count   Gate Cost ($)   Gate Power   Time
    NTRU         20,000       .04             0.96 mW      20 msec
    RSA          50,000       .10             2.4 mW       420 msec
    ECC          50,000       .10             2.4 mW       160 msec






 Agenda


  • NTRU Background

  • NTRU Security

  • Why Triple-DES?






 The NTRU Hard Problem

     The hard problem underlying NTRU is the

                                   Shortest Vector Problem

     in lattices of high dimension.

     System   Hard Problem                   Best Solution Method
     NTRU     Short vector problem           LLL lattice reduction
     RSA      Integer factorization          Number field sieve
     ECC      Elliptic curve discrete log    Pollard rho
     DH       Discrete logarithm             Index calculus

     Best Known Methods to Break:
     • NTRU and ECC are exponential (very slow)
     • RSA and DH are subexponential (faster)



                                   Lattices
      • Lattice: Set of all vectors that are integer linear
        combinations of the basis vectors B = {b1, …, bn}.
      • Lattice Bases are not unique.
      • Lattice Basis Reduction: Finding a “good” basis, usually
        one with short, nearly orthogonal vectors.

                                                                   1 5
                    (1,5)                                LB =      7 1 
                                                                       
                     B        (7,1)
                                                                  13  3
                              B’
                                      (13,-3)            LB’ =     6  4
                                                                        
                     (6,-4)



                                                 (Slide due to Craig Gentry)

                   Shortest Vector Problem
      • Shortest Vector Problem (SVP): Given a lattice basis, find
        the shortest (nonzero) vector in the lattice.
      • Example: Given LB’ below, find (1,5).
      • The SVP is NP-Hard (no algorithm with running time
        polynomial in the lattice dimension that always finds the SV).

                                                                   1 5
                    (1,5)                                LB =      7 1 
                                                                       
                     B        (7,1)
                                                                  13  3 × 1
                              B’
                                      (13,-3)            LB’ =     6  4 × -2
                                                                        
                     (6,-4)


                                                                   1    5
                                                 (Slide due to Craig Gentry)
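Lattice basis reduction in the two-dimensional case of the two slides above, as an added example that is not part of the original deck. It implements the Lagrange (Gauss) reduction algorithm, the dimension-2 special case of what LLL does in general, and runs it on the slides' bad basis LB’ to recover the good basis LB and hence the shortest vector (1,5); the coefficients 1 and -2 from the figure are recovered by Cramer's rule. The basis values are the slides'; the function and variable names are this example's own.

```python
def dot(u, v):
    return u[0] * v[0] + u[1] * v[1]


def lagrange_reduce(b1, b2):
    """Gauss/Lagrange reduction of a 2-D lattice basis: repeatedly subtract the
    nearest integer multiple of the shorter vector from the longer one and swap,
    until the longer vector can no longer be shortened. Returns a reduced
    basis (v1, v2) with |v1| <= |v2|; v1 is a shortest nonzero lattice vector,
    so in dimension 2 this solves the SVP exactly (LLL in high dimension does
    not: it only approximates the shortest vector)."""
    b1, b2 = tuple(b1), tuple(b2)
    if dot(b1, b1) > dot(b2, b2):
        b1, b2 = b2, b1
    while True:
        mu = round(dot(b1, b2) / dot(b1, b1))          # nearest integer
        b2 = (b2[0] - mu * b1[0], b2[1] - mu * b1[1])  # Gram-Schmidt-style size reduction
        if dot(b2, b2) >= dot(b1, b1):
            return b1, b2
        b1, b2 = b2, b1                                # b2 got shorter: swap and repeat


def coords(v, b1, b2):
    """Integer coefficients (x, y) with v = x*b1 + y*b2, by Cramer's rule;
    raises ValueError if v is not a lattice point of this basis."""
    det = b1[0] * b2[1] - b1[1] * b2[0]
    xn = v[0] * b2[1] - v[1] * b2[0]
    yn = b1[0] * v[1] - b1[1] * v[0]
    if det == 0 or xn % det or yn % det:
        raise ValueError("v is not in the lattice")
    return xn // det, yn // det


# The slides' two bases of the same lattice: LB (good) and LB' (bad).
LB = ((1, 5), (7, 1))
LB_BAD = ((13, -3), (6, -4))

if __name__ == "__main__":
    good = lagrange_reduce(*LB_BAD)
    print(good)                       # ((1, 5), (7, 1)): the slides' LB
    print(coords(good[0], *LB_BAD))   # (1, -2): the "x 1" and "x -2" of the figure
```

Running the reduction on LB’ gives LB back: the first iteration subtracts 2*(6,-4) from (13,-3) to reach (1,5), the second adds (1,5) to (6,-4) to reach (7,1), and the loop then stops because (7,1) cannot be shortened by any multiple of (1,5).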


 Brief History of Lattice Problems
    • Lattices, the SVP, and the CVP have been extensively studied for
      more than 100 years (Hermite 1870s, Minkowski 1890s,…).
    • Best computational tool was developed by Lenstra, Lenstra, and
      Lovasz (LLL algorithm) in early 1980s.
    • Improvements to LLL are due to Schnorr, Euchner, Horner, Koy, and
      others.
    • Algorithms to find small vectors in lattices have been extensively
      studied because they have applications to many areas outside of
      cryptography, including physics, combinatorics, number theory,
      computer algebra,….
    • Contrast this with integer factorization (RSA) and elliptic curve
      discrete logarithms (ECC), where the only applications are to
      cryptography.




 NTRU Security

       Cryptographic System   Key/Block Size (bits)   Processing Time (MIPS-years)
       RSA                      512                    1 x 10^4
       NTRU                     834 (N = 139)          1 x 10^4
       DES                       56                    5 x 10^5
       RSA                     1024                    8 x 10^9
       NTRU                    1757 (N = 251)          5 x 10^10
       ECC                    ~1000 (p = 163)          7 x 10^11
       RSA                     2048                    1 x 10^20
       NTRU                    2429 (N = 347)          2 x 10^21
       AES                      128                    2 x 10^27


    NOTE: 4 x 10^3 MIPS-years = c. 1 year on a 450 MHz Pentium




    Scrutiny and Standardization






 Scrutiny

    • NTRUEncrypt has been widely studied since it was first
      announced in 1996
         – Papers on NTRU techniques appear at every major cryptography
           conference
         – Nguyen and Stern (CaLC-2001): “this makes NTRU the leading
           candidate among knapsack-based and lattice-based cryptosystems,
           and allows high dimension lattices.”
         – Micciancio (IMAP 2002) observed that NTRU lattices are in Hermite
           Normal Form, the most secure form for a general lattice
    • NTRU encourages peer review
         – Challenge problems
         – Support to Crypto community (CaLC conference, etc)





 NTRU Standardization work

  • IEEE P1363
      • Draft of P1363.1 available on IEEE P1363 WG web site with
        NTRUEncrypt included
      • Vote on permanently including NTRUEncrypt passed at May
        2001 meeting
  • Consortium for Efficient Embedded Security (CEES)
      • Draft of EESS #1 standardizing NTRUEncrypt currently available
        from http://www.ceesstandards.org
      • Drafts include complete specification, encodings, certificate
        formats, etc.
  • VHN (Versatile Home Networking)
      • NTRU included in EIA/CEA-851


 NTRU Standardization work

  • IETF
      • TLS: NTRU ciphersuites proposed May 2001.
          • Expected to proceed to Informational RFC.
      • PKIX: “Supplemental Algorithms for PKI” Internet Draft
          • Edited by NTRU, includes NTRUEncrypt
          • Also includes new US Government algorithms: DSA2, SHA-256…
  • WAP
      • NTRU active participants in WSG






 Implications of High Data Rate

  •   Symmetric components must meet the data rate
  •   Public key costs on a per-session basis, not per-bit
  •   For enough gates (612,834 actually), 2 Gbps is practical with AES
  •   Smallest implementation with local subkey storage is 43,000 gates
      – 17,000 gates if you hit external memory every cycle
  • The challenge: minimize footprint to meet a target data rate at a
    target cost (area, clock rate,…)
  • You’ll need a custom hardware implementation for encryption and
    integrity
  • We’ve been evaluating algorithms and…






 Triple-DES

  •   Hits the data rate at lowest gate count
  •   DES has a 64-bit block size.
  •   DES encryption has 16 rounds. Triple-DES encryption has 48.
  •   Using DES for integrity takes another 16 rounds, except for the last
      block, which takes 48.
  •   So we need 64 rounds per 64 bits.
  •   Instantiating two rounds of DES gives a throughput of 2 bits/cycle.
  •   So you’ll need at least a 23 MHz clock for 55 Mbps.
  •   Synthesized with LeonardoSpectrum, that’s 9196 gates
  •   With 802.15.3’s assumptions, that’s $0.02, 5.4 mW






 Triple-DES Security

  •   Encryption standardized in ANSI X9.52, FIPS 46-3, …
  •   Well-studied since the late 1970s.
  •   112-bit key makes brute force attacks infeasible
  •   MAC standardized in ISO 9797, …
  •   We MAC the ciphertext, not the plaintext
  •   64-bit block size means we’d expect a MAC collision after 2^32 blocks
  •   Sequence numbers in MAC calculation prevent the attacker from
      substituting one message for another!
       – The attacker isn’t looking for two messages that give the same MAC…
       – She needs two messages with the same sequence number that give the
         same MAC
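The last two bullets describe why binding the sequence number into the MAC input defeats message substitution. The following added example (not from the slides, and not NTRU's or 802.15.3's code) shows that binding at the frame level: the sender tags (sequence number || ciphertext), and the receiver rejects any frame whose sequence number is not the next expected one or whose tag does not verify for that number. Since the Python standard library has no DES, an HMAC-SHA256 tag truncated to 64 bits stands in for the slides' DES-based CBC-MAC; the keys and "ciphertext" bytes are constructed, and the MAC is computed over the ciphertext, as the slides prescribe.

```python
import hashlib
import hmac

KEY_LEN = 16  # constructed key size for the stand-in MAC


def mac_tag(mac_key, seq, ciphertext):
    """64-bit tag over (sequence number || ciphertext). HMAC-SHA256 truncated
    to 8 bytes stands in for a DES-based CBC-MAC; the point demonstrated is
    that the sequence number is part of the authenticated input."""
    data = seq.to_bytes(4, "big") + ciphertext
    return hmac.new(mac_key, data, hashlib.sha256).digest()[:8]


class Sender:
    def __init__(self, mac_key):
        self.mac_key, self.seq = mac_key, 0

    def protect(self, ciphertext):
        """Frame = (seq, ciphertext, tag). The counter never repeats under one key."""
        frame = (self.seq, ciphertext, mac_tag(self.mac_key, self.seq, ciphertext))
        self.seq += 1
        return frame


class Receiver:
    def __init__(self, mac_key):
        self.mac_key, self.expected = mac_key, 0

    def accept(self, frame):
        """True only for the next expected sequence number with a valid tag."""
        seq, ciphertext, tag = frame
        if seq != self.expected:              # replayed, dropped or reordered frame
            return False
        if not hmac.compare_digest(tag, mac_tag(self.mac_key, seq, ciphertext)):
            return False                      # tag is not valid for this (seq, ciphertext)
        self.expected += 1
        return True


def demo():
    """Exercise the check: in-order frames pass; a frame moved to another
    sequence slot fails; a repeated frame fails; the next fresh frame passes."""
    key = b"\x01" * KEY_LEN                   # constructed key
    sender, receiver = Sender(key), Receiver(key)
    frames = [sender.protect(b"ciphertext-block-%d" % i) for i in range(3)]
    in_order = [receiver.accept(f) for f in frames]
    _, ct, tag = frames[1]
    moved = receiver.accept((3, ct, tag))     # tag was computed over seq 1, not 3
    replayed = receiver.accept(frames[2])     # seq 2 again: counter is already past it
    fresh = receiver.accept(sender.protect(b"ciphertext-block-3"))
    return in_order, moved, replayed, fresh


if __name__ == "__main__":
    print(demo())   # ([True, True, True], False, False, True)
```

Two details matter in the receiver: the tag is checked with a constant-time comparison, and the expected counter is advanced only after a frame verifies, so a forged or replayed frame cannot move the window. With a 64-bit block cipher the sequence number must also never wrap under one key, which is the 2^32-block concern the slide raises.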





 Conclusions

  • NTRUEncrypt and Triple-DES are the most cost-effective solutions
    for 802.15.3.
  • Both have received intense scrutiny
  • Both are believed to be secure



