February 2002, doc.: IEEE 802.15-02/108r0

Slide 1: Title
Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs)
Submission Title: Performance and Security of NTRU Security Suite
Date Submitted: February 22, 2002
Source: Daniel V. Bailey, Product Manager for Wireless Networks, and Ari Singer, Principal Engineer
Company: NTRU
Address: 5 Burlington Woods, Burlington, MA 01803
Voice: (781) 418-2500, FAX: (781) 418-2507, E-Mail: dbailey@ntru.com
Re: Draft P802.15.3/D09, P802.15-02-074r1 802.15.3 Call For Proposals for a Security Suite
Abstract: This presentation gives an overview of the performance and security of NTRU's proposal for a security suite for the 802.15.3 draft standard.
Purpose: To familiarize the working group with the NTRU proposed security suite.
Notice: This document has been prepared to assist the IEEE P802.15. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
Release: The contributor acknowledges and accepts that this contribution becomes the property of IEEE and may be made publicly available by P802.15.
Daniel V. Bailey, Ari Singer, NTRU

Slide 2: Agenda
• NTRU Background
• NTRU Security
• Why Triple-DES?

Slide 3: Why NTRU Public-Key Cryptography?
• Public-Key Cryptography was invented in the 1970s:
  – RSA
  – Elliptic Curve Cryptography
• Uses complicated mathematics and large numbers
  – RSA: 1024-bit numbers (1 with 300 zeroes!)
  – ECC: 160-bit numbers and complex operations
    • Ratios of polynomials
  – Not suitable for devices with low processing power, memory, battery life…
• NTRU:
  – Uses smaller numbers (<128)
  – Can be implemented efficiently on any processor
  – Fundamental breakthrough in cryptography

Slide 4: NTRU Advantages
Why so fast? Why so small? Why so secure?

Slide 5: NTRU Buzzwords
• NTRU uses convolution multiplication
  – RSA uses modular multiplication
  – Convolutions are used in digital signal processing (voice, streaming multimedia, etc.)
• NTRU is based on the short lattice vector problem
  – RSA is based on the integer factorization problem
  – ECC is based on the elliptic curve discrete log problem
  – The short lattice vector problem has been proved very hard; the other two are merely conjectured to be very hard.

Slide 6: NTRU Fundamentals
• NTRU is a lattice-based public-key cryptosystem
  – Lattice operations are extremely fast
  – Lattice operations are easy to implement using 7- or 8-bit numbers
  – Lattice problems have been well studied and are hard in high dimension
• Every NTRU key has its own random lattice
• Each key is a concatenation of polynomial coefficients
• NTRU keys are always completely independent
• Two algorithms
  – NTRUEncrypt for encryption and decryption
  – NTRUSign for signature and verification
• Only NTRUEncrypt is needed for 802.15.3

Slide 7: History of NTRUEncrypt
• Developed by a team of cryptographers/mathematicians
  – J. Hoffstein, J. Pipher, J. Silverman (1994-1996)
• Presented by J. Hoffstein at CRYPTO '96
• Immediate feedback from top cryptographers (Coppersmith, Hastad, Odlyzko, Shamir, …) was used to set appropriate security parameters
• Ongoing research by experts in lattices and cryptography (Nguyen, Stern, Schnorr, May, Gentry, Szydlo, Jaulmes, Joux, …) reaffirms NTRU's security
• New IEEE P1363.1 standard based on NTRU
• New CEES Efficient Embedded Security Standard based on NTRU

Slide 8: NTRUEncrypt Public Parameters
The NTRUEncrypt Public Key Cryptosystem depends on three public parameters: N, p, q.
Typical values for these parameters, with approximate equivalent RSA security levels, are:

  N     p      q     RSA Level (bits)
  251   2+X    128   1024
  347   2+X    128   2048
  503   2+X    256   4096

Key size = ciphertext size = N * log2(q) bits
Plaintext size = N bits

Slide 9: Convolution Multiplications
NTRU's basic operation is the convolution product of two vectors of small numbers:

  [a_0, …, a_{N-1}] * [b_0, …, b_{N-1}] = [c_0, …, c_{N-1}]

with

  c_k = a_0 b_k + a_1 b_{k-1} + a_2 b_{k-2} + … + a_{N-2} b_{k+2} + a_{N-1} b_{k+1}

(indices taken mod N). Convolution products can be computed very rapidly using Karatsuba multiplication or Fast Fourier Transforms.

Example with N = 4 (extra rule: x^4 = 1):

  (x^3 + 2x - 1) * (3x^3 - x^2 + x + 2)
    = 3x^6 - x^5 + 7x^4 - 3x^3 + 3x^2 + 3x - 2
    = 3x^2 - x + 7 - 3x^3 + 3x^2 + 3x - 2
    = -3x^3 + 6x^2 + 2x + 5

Slide 10: Small Polynomials and Polynomials Mod q
The coefficients of NTRU polynomials may be reduced modulo the parameter q. That means that the coefficients are replaced with their remainders after being divided by q.

Example: 5x^3 - 11x^2 + 4x + 6 = -x^3 + x^2 + x (mod 3)

(Note: the usual reduction mod q reduces into the range [0, q-1]. In NTRU, we sometimes reduce into the range [-q/2, q/2) or some other range.)

Many polynomials used in NTRU are described as "small". This means their coefficients are, by and large, small relative to q.

Slide 11: NTRUEncrypt Key Creation
Bob chooses two polynomials f(x) and g(x):
  – f(x) has the form 1 + pF(x), where F(x) is small
  – g(x) is small
Bob computes the inverse of f(x) modulo q: Fq(x) * f(x) = 1 (mod q). Finding these inverses is very fast using the Euclidean algorithm.
Bob computes the product h(x) = p * Fq(x) * g(x) (mod q).
Bob's Private Key: the polynomial f(x)
Bob's Public Key: the polynomial h(x)

Slide 12: NTRUEncrypt Encryption
• Alice processes the message before encryption
  – pads the message with random data
  – blinds it, OAEP-style, to get the blinded message
  – converts the blinded message to a polynomial m(X)
• Alice encrypts the message
  – generates a small random polynomial r(X) (using the blinded message as the seed for the random number generator)
  – calculates e(X) = r(X) * h(X) + m(X)
• e(X) is the ciphertext.

Slide 13: NTRUEncrypt Decryption
• Bob decrypts the message
  – calculates a(X) = f(X) * e(X) mod q
  – places the coefficients of a(X) into the range [A, A+q-1]
  – reduces mod p. This recovers the polynomial m'(X).
• Bob checks that the ciphertext was valid
  – converts the polynomial m'(X) to the blinded message
  – generates a small random polynomial r'(X) (using the blinded message as the seed for the random number generator)
  – calculates e'(X) = r'(X) * h(X) + m'(X)
  – If this is identical to e(X), accepts the message.

Slide 14: Why Does NTRUEncrypt Work?

  a = f * e (mod q)
    = f * (r*h + m) (mod q)
    = f * (r*p*g*Fq + m) (mod q)
    = p*r*g + (1 + pF)*m (mod q), since f*Fq = 1 (mod q).

All of the polynomials r, g, f, m are small, so the coefficients of p*r*g + (1 + pF)*m will all lie within q of each other. If its coefficients are reduced into the right range, the polynomial a(x) is exactly equal to p*r*g + f*m.
Then a = p*r*g + m + pF*m = m (mod p).

Slide 15: In Answer to Those Questions
• Why so fast?
  – NTRUEncrypt uses only adds on 7-bit numbers
  – For security of order N, needs only N ln N operations
    • other algorithms require N^2 or N^3 operations
• Why so small?
  – NTRUEncrypt uses only adds on 7-bit numbers
  – No need for a big integer arithmetic library
  – Fits in a small amount of RAM
• Why secure?
  – To be discussed…

Slide 16: How Fast is NTRUEncrypt? (RSA 1024 Level Security)

NTRU vs. RSA on ARM9
  Function   Units    NTRU 251   RSA 1024    NTRU Advantage
  Encrypt    Cycles   79,460     192,892     2 to 1
  Decrypt    Cycles   167,033    9,600,000   57 to 1

NTRU vs. ECC on ARM9
  Function   Units    NTRU 251   ECC 192     NTRU Advantage
  Encrypt    Cycles   79,460     3,040,000   38 to 1
  Decrypt    Cycles   167,033    3,040,000   18 to 1

NTRU vs. RSA on PDAs
  Function   Units        NTRU 251   RSA 1024   NTRU Advantage
  Encrypt    Blocks/sec   21         0.5        42 to 1
  Decrypt    Blocks/sec   12         0.036      333 to 1

NTRU vs. ECC on PDAs
  Function   Units        NTRU 251   ECC 163    NTRU Advantage
  Encrypt    Blocks/sec   21         0.4        52.5 to 1
  Decrypt    Blocks/sec   12         1.3        9 to 1

ARM9 comparisons: NTRU's NERI toolkit vs. Mike Scott's MIRACL library, using a NIST curve.
PDA comparisons: NTRU's NERI portable toolkit vs. published results (for ECC, RSA) specialized for the Palm device (RSA encryption exponent e = 65537).

Slide 17: Performance on a Microcontroller
• Speakers will have an 8051 if they're lucky
• Microcontrollers vary widely, so here are three implementations of NTRUEncrypt:

  Architecture   Internal Clock   Enc. Time   Dec. Time   RAM
  8 bits         2.66 MHz         42.6 ms     60.0 ms     841 bytes
  8 bits         3.4 MHz          41.3 ms     65.9 ms     841 bytes
  16 bits        1 MHz            65 ms       119 ms      841 bytes
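A runnable toy of slides 9 through 14 above (convolution products, centered reduction mod q, key creation with f = 1 + pF, encryption, decryption and the re-encryption validity check), added here as an example; it is not NTRU's own code. The parameters N = 11, p = 3, q = 64 and the coefficient counts are assumptions chosen so that the bound on p*r*g + f*m from slide 14 always holds, and seeding a PRNG with the message stands in for the blinding step the slides describe.

```python
import random

# Toy NTRUEncrypt with f = 1 + pF as on the slides; N, p, q are far too small for
# security but keep every coefficient of p*r*g + f*m inside [-q/2, q/2).
N, P, Q = 11, 3, 64

def conv(a, b, mod=None):  # convolution product in Z[x]/(x^n - 1), n = len(a)
    n, c = len(a), [0] * len(a)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % n] += ai * bj
    return [x % mod for x in c] if mod else c

def center(a, mod):  # reduce each coefficient into the range [-mod/2, mod/2)
    return [(x + mod // 2) % mod - mod // 2 for x in a]

def small_poly(rng, ones, negs):  # `ones` coefficients +1, `negs` coefficients -1
    idx, poly = rng.sample(range(N), ones + negs), [0] * N
    for k, i in enumerate(idx):
        poly[i] = 1 if k < ones else -1
    return poly

def invert_mod_q(f):  # Fq with f*Fq = 1 (mod Q): inverse mod 2, then Newton-lift
    cands = ([(b >> i) & 1 for i in range(N)] for b in range(1 << N))
    v = next((c for c in cands if conv(f, c, 2) == [1] + [0] * (N - 1)), None)
    prec = 2
    while v and prec < Q:  # v <- v*(2 - f*v) squares the 2-adic precision
        fv = conv(f, v, Q)
        v = conv(v, [(2 - fv[0]) % Q] + [-x % Q for x in fv[1:]], Q)
        prec *= prec
    return v

def keygen(seed=1):  # private key f = 1 + pF, public key h = p*Fq*g (mod q)
    rng = random.Random(seed)
    while True:
        F, g = small_poly(rng, 2, 2), small_poly(rng, 3, 3)
        f = [1 + P * F[0]] + [P * x for x in F[1:]]
        Fq = invert_mod_q(f)
        if Fq:
            return f, conv([P * x for x in Fq], g, Q)

def encrypt(h, m):  # e = r*h + m (mod q); r is derived from m, as the slides describe
    r = small_poly(random.Random(str(m)), 2, 2)
    return [(x + y) % Q for x, y in zip(conv(r, h), m)]

def decrypt(f, h, e):  # a = f*e centered mod q, then mod p; re-encrypt to validate e
    m2 = center(center(conv(f, e), Q), P)
    return m2 if encrypt(h, m2) == e else None
```

With these parameters the inverse mod 2 always exists, so keygen returns on its first attempt; a ciphertext whose coefficient has been altered fails the re-encryption check and decrypt returns None.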
Slide 18: Comparison on a Microcontroller
• For comparison, the top microcontroller has a 50,000-gate RSA/ECC coprocessor
• 028r3-TG3-Coding-Criteria.ppt gives the following cost/power guidance:
  – In 0.18 micron technology, 100,000 gates cost 20 cents
  – Power is dissipated at a rate of 0.018 mW/(MHz*kgates)

  Algorithm   Gate Count   Gate Cost ($)   Gate Power   Time
  NTRU        0            0               0            60 msec
  RSA         50,000       .10             2.4 mW       420 msec
  ECC         50,000       .10             2.4 mW       160 msec

Slide 19: Comparison in Hardware
• What if you need NTRUEncrypt in hardware?
• This is a complete implementation, including SHA-1

  Algorithm   Gate Count   Gate Cost ($)   Gate Power   Time
  NTRU        20,000       .04             0.96 mW      20 msec
  RSA         50,000       .10             2.4 mW       420 msec
  ECC         50,000       .10             2.4 mW       160 msec

Slide 20: Agenda
• NTRU Background
• NTRU Security
• Why Triple-DES?

Slide 21: The NTRU Hard Problem
The hard problem underlying NTRU is the Shortest Vector Problem in lattices of high dimension.

  System   Hard Problem                  Best Solution Method
  NTRU     Short vector problem          LLL lattice reduction
  RSA      Integer factorization         Number field sieve
  ECC      Elliptic curve discrete log   Pollard rho
  DH       Discrete logarithm            Index calculus

Best known methods to break:
• NTRU and ECC are exponential (very slow)
• RSA and DH are subexponential (faster)

Slide 22: Lattices
• Lattice: the set of all vectors that are integer linear combinations of the basis vectors B = {b_1, …, b_n}.
• Lattice bases are not unique.
• Lattice Basis Reduction: finding a "good" basis, usually one with short, nearly orthogonal vectors.

Figure: two bases of the same 2-dimensional lattice.
  B  = {(1,5), (7,1)},     L_B  = [ 1  5 ; 7  1 ]
  B' = {(13,-3), (6,-4)},  L_B' = [ 13 -3 ; 6 -4 ]
(Slide due to Craig Gentry)

Slide 23: Shortest Vector Problem
• Shortest Vector Problem (SVP): Given a lattice basis, find the shortest (nonzero) vector in the lattice.
• Example: Given L_B' below, find (1,5).
• The SVP is NP-hard (no algorithm with running time polynomial in the lattice dimension always finds the shortest vector).

Figure: the short vector (1,5) expressed in the "bad" basis B'.
  B  = {(1,5), (7,1)},     L_B  = [ 1  5 ; 7  1 ]
  B' = {(13,-3), (6,-4)},  L_B' = [ 13 -3 ; 6 -4 ]
  1 * (13,-3) + (-2) * (6,-4) = (1,5)
(Slide due to Craig Gentry)

Slide 24: Brief History of Lattice Problems
• Lattices, the SVP, and the CVP have been extensively studied for more than 100 years (Hermite 1870s, Minkowski 1890s, …).
• The best computational tool was developed by Lenstra, Lenstra, and Lovasz (LLL algorithm) in the early 1980s.
• Improvements to LLL are due to Schnorr, Euchner, Horner, Koy, and others.
• Algorithms to find small vectors in lattices have been extensively studied because they have applications to many areas outside of cryptography, including physics, combinatorics, number theory, computer algebra, ….
• Contrast this with integer factorization (RSA) and elliptic curve discrete logarithms (ECC), where the only applications are to cryptography.

Slide 25: NTRU Security

  Cryptographic System   Key/Block Size (Bits)   Processing Time (MIPS-Years)
  RSA                    512                     1 x 10^4
  NTRU                   834 (N = 139)           1 x 10^4
  DES                    56                      5 x 10^5
  RSA                    1024                    8 x 10^9
  NTRU                   1757 (N = 251)          5 x 10^10
  ECC                    ~1000 (p = 163)         7 x 10^11
  RSA                    2048                    1 x 10^20
  NTRU                   2429 (N = 347)          2 x 10^21
  AES                    128                     2 x 10^27

NOTE: 4 x 10^3 MIPS-Years = c. 1 year on a 450 MHz Pentium

Slide 26: Scrutiny and Standardization

Slide 27: Scrutiny
• NTRUEncrypt has been widely studied since it was first announced in 1996
  – Papers on NTRU techniques appear at every major cryptography conference
  – Nguyen and Stern (CaLC 2001): "this makes NTRU the leading candidate among knapsack-based and lattice-based cryptosystems, and allows high dimension lattices."
  – Micciancio (IMAP 2002) observed that NTRU lattices are in Hermite Normal Form, the most secure form for a general lattice
• NTRU encourages peer review
  – Challenge problems
  – Support to the crypto community (CaLC conference, etc.)

Slide 28: NTRU Standardization Work
• IEEE P1363
  – Draft of P1363.1 available on the IEEE P1363 WG web site with NTRUEncrypt included
  – Vote on permanently including NTRUEncrypt passed at the May 2001 meeting
• Consortium for Efficient Embedded Security (CEES)
  – Draft of EESS #1 standardizing NTRUEncrypt currently available from http://www.ceesstandards.org
  – Drafts include complete specification, encodings, certificate formats, etc.
• VHN (Versatile Home Networking)
  – NTRU included in EIA/CEA-851

Slide 29: NTRU Standardization Work (continued)
• IETF
  – TLS: NTRU ciphersuites proposed May 2001; expected to proceed to Informational RFC.
  – PKIX: "Supplemental Algorithms for PKI" Internet Draft, edited by NTRU, includes NTRUEncrypt; also includes new US Government algorithms: DSA2, SHA-256, …
• WAP
  – NTRU active participants in WSG

Slide 30: Implications of High Data Rate
• Symmetric components must meet the data rate
• Public key costs on a per-session basis, not per-bit
• For enough gates (612,834 actually), 2 Gbps is practical with AES
• The smallest implementation with local subkey storage is 43,000 gates
  – 17,000 gates if you hit external memory every cycle
• The challenge: minimize footprint to meet a target data rate at a target cost (area, clock rate, …)
• You'll need a custom hardware implementation for encryption and integrity
• We've been evaluating algorithms and…

Slide 31: Triple-DES
• Hits the data rate at the lowest gate count
• DES has a 64-bit block size.
• DES encryption has 16 rounds. Triple-DES encryption has 48.
• Using DES for integrity takes another 16 rounds, except for the last block, which takes 48.
• So we need 64 rounds per 64 bits.
• Instantiating two rounds of DES gives a throughput of 2 bits/cycle.
• So you'll need at least a 23 MHz clock for 55 Mbps.
• Synthesized with LeonardoSpectrum, that's 9196 gates
• With 802.15.3's assumptions, that's $0.02, 5.4 mW

Slide 32: Triple-DES Security
• Encryption standardized in ANSI X9.52, FIPS 46-3, …
• Well studied since the late 1970s.
• 112-bit key makes brute force attacks infeasible
• MAC standardized in ISO 9797, …
• We MAC the ciphertext, not the plaintext
• 64-bit block size means we'd expect a MAC collision after 2^32 blocks
• Sequence numbers in the MAC calculation prevent the attacker from substituting one message for another!
  – The attacker isn't looking for two messages that give the same MAC…
  – She needs two messages with the same sequence number that give the same MAC

Slide 33: Conclusions
• NTRUEncrypt and Triple-DES are the most cost-effective solutions for 802.15.3.
• Both have received intense scrutiny
• Both are believed to be secure