
1

February, 2002    doc.: 802.15-02/108r0

Daniel V. Bailey, Ari Singer, NTRU

Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs)

Submission Title: [Performance and Security of NTRU Security Suite]
Date Submitted: [February 22, 2002]
Source: [Daniel V. Bailey, Product Manager for Wireless Networks and Ari Singer, Principal Engineer]
Company: [NTRU]
Address: [5 Burlington Woods, Burlington, MA 01803]
Voice: [(781) 418-2500], FAX: [(781) 418-2507], E-Mail: [[email protected]]

Re: [Draft P802.15.3/D09, P802.15-02-074r1 802.15.3 Call For Proposals for a Security Suite]

Abstract: [This presentation gives an overview of the performance and security of NTRU's proposal for a security suite for the 802.15.3 draft standard.]

Purpose: [To familiarize the working group with the NTRU proposed security suite.]

Notice: This document has been prepared to assist the IEEE P802.15. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.

Release: The contributor acknowledges and accepts that this contribution becomes the property of IEEE and may be made publicly available by P802.15.

2


Agenda

• NTRU Background

• NTRU Security

• Why Triple-DES?

3


Why NTRU Public-Key Cryptography?

• Public-key cryptography dates from the 1970s:
– RSA (1977)
– Elliptic Curve Cryptography (proposed in 1985)

• Both use complicated mathematics on large numbers:
– RSA: 1024-bit numbers (about 308 decimal digits)
– ECC: 160-bit numbers and complex operations (point arithmetic over a finite field, expressed as ratios of polynomials)
– Not suitable for devices with low processing power, memory, battery life...

• NTRU:
– Uses small numbers (coefficients below q = 128, i.e. 7 bits)
– Can be implemented efficiently on any processor
– Rests on a different hard problem (lattices) than RSA and ECC

4


NTRU Advantages

Why so fast? Why so small? Why so secure?

5


NTRU Buzzwords

• NTRU uses convolution multiplication
– RSA uses modular multiplication
– Convolutions are the same operation used in digital signal processing (voice, streaming multimedia, etc.)

• NTRU is based on the short lattice vector problem
– RSA is based on the integer factorization problem
– ECC is based on the elliptic curve discrete logarithm problem
– The exact shortest vector problem has been proved NP-hard in the worst case; the other two are merely conjectured to be hard. Note, however, that this is a statement about the worst case of the general problem: NTRU's concrete security rests on the conjectured hardness of finding short vectors in its particular structured lattices, and no reduction from the NP-hard problem to breaking NTRU is known.

6


NTRU Fundamentals

• NTRU is a lattice-based public-key cryptosystem
– Lattice operations are extremely fast
– Lattice operations are easy to implement using 7- or 8-bit numbers
– Lattice problems have been well studied and are hard in high dimension

• Every NTRU key has its own random lattice
• Each key is a concatenation of polynomial coefficients
• NTRU keys are always completely independent

• Two algorithms:
– NTRUEncrypt for encryption and decryption
– NTRUSign for signature and verification

• Only NTRUEncrypt is needed for 802.15.3

7


History of NTRUEncrypt

• Developed by a team of cryptographers/mathematicians:
– J. Hoffstein, J. Pipher, J. Silverman (1994-1996)

• Presented by J. Hoffstein at the CRYPTO '96 rump session
• Immediate feedback from top cryptographers (Coppersmith, Hastad, Odlyzko, Shamir, ...) was used to set appropriate security parameters
• Ongoing research by experts in lattices and cryptography (Nguyen, Stern, Schnorr, May, Gentry, Szydlo, Jaulmes, Joux, ...) reaffirms NTRU's security

• Draft IEEE P1363.1 standard (in progress) based on NTRU
• Draft CEES Efficient Embedded Security Standard (EESS) based on NTRU

8


NTRUEncrypt Public Parameters

The NTRUEncrypt public-key cryptosystem depends on three public parameters: N, p, q.

Typical values for these parameters, with the approximately equivalent RSA security levels claimed by the proposers, are:

  N     p      q    RSA level (bits)
  251   2+X    128   1024
  347   2+X    128   2048
  503   2+X    256   4096

Key size = ciphertext size = N * log2(q) bits
Plaintext size = N bits

(These equivalences are the proposers' estimates as of 2002. The parameter sets later standardized in IEEE Std 1363.1-2008 use larger N for comparable security levels, so the N = 251 row should not be read as a 1024-bit-RSA equivalent today.)

9


Convolution Multiplication

NTRU's basic operation is the convolution product of two vectors of small numbers:

[a_0, ..., a_(N-1)] * [b_0, ..., b_(N-1)] = [c_0, ..., c_(N-1)]

with

c_k = a_0·b_k + a_1·b_(k-1) + a_2·b_(k-2) + ... + a_(N-2)·b_(k+2) + a_(N-1)·b_(k+1),

where all indices are taken mod N (equivalently: ordinary polynomial multiplication with the extra rule x^N = 1).

Convolution products can be computed very rapidly using Karatsuba multiplication or Fast Fourier Transforms.

Example with N = 4 (extra rule: x^4 = 1):

(x^3 + 2x - 1) * (3x^3 - x^2 + x + 2) = 3x^6 - x^5 + 7x^4 - 3x^3 + 3x^2 + 3x - 2
= 3x^2 - x + 7 - 3x^3 + 3x^2 + 3x - 2
= -3x^3 + 6x^2 + 2x + 5

10


Small Polynomials and Polynomials Mod q

The coefficients of NTRU polynomials may be reduced modulo the parameter q: each coefficient is replaced with its remainder after division by q. Example:

5x^3 - 11x^2 + 4x + 6 = -x^3 + x^2 + x (mod 3)

(Note: the usual reduction mod q gives remainders in the range [0, q-1]. In NTRU we sometimes reduce into the centred range [-q/2, q/2), as in the example above, or into some other range of width q.)

Many polynomials used in NTRU are described as "small". This means their coefficients are, by and large, small relative to q.

11


NTRUEncrypt Key Creation

Bob chooses two polynomials f(x) and g(x):
– f(x) has the form 1 + p·F(x), where F(x) is small
– g(x) is small

Bob computes the inverse of f(x) modulo q: F_q(x) * f(x) = 1 (mod q).

Finding these inverses is very fast using the Euclidean algorithm (for the usual q = 2^k one computes the inverse mod 2 and lifts it to mod q). Because f = 1 + p·F, f = 1 (mod p), so no separate inverse mod p is needed.

Bob computes the product h(x) = p · F_q(x) * g(x) (mod q).

Bob's private key: the polynomial f(x)
Bob's public key: the polynomial h(x)

12


NTRUEncrypt Encryption

• Alice processes the message before encryption:
– pads the message with random data
– blinds it, OAEP-style, to get the blinded message
– converts the blinded message to a polynomial m(X)

• Alice encrypts the message:
– generates a small random polynomial r(X) (using the blinded message as the seed for the random number generator)
– calculates e(X) = r(X) * h(X) + m(X) (mod q)

• e(X) is the ciphertext.

13


NTRUEncrypt Decryption

• Bob decrypts the message:
– calculates a(X) = f(X) * e(X) mod q
– places the coefficients of a(X) into the range [A, A+q-1]
– reduces mod p; this recovers the polynomial m'(X)

• Bob checks that the ciphertext was valid:
– converts the polynomial m'(X) to the blinded message
– generates a small random polynomial r'(X) (using the blinded message as the seed for the random number generator, exactly as Alice did)
– calculates e'(X) = r'(X) * h(X) + m'(X)
– if this is identical to e(X), accepts the message; otherwise rejects it

14


Why Does NTRUEncrypt Work?

a = f * e (mod q)
  = f * (r*h + m) (mod q)
  = f * (r*p*g*F_q + m) (mod q)
  = p*r*g + (1 + pF)*m (mod q), since f*F_q = 1 (mod q).

All of the polynomials r, g, F, m are small, so the coefficients of

p*r*g + (1 + pF)*m

all lie in an interval of width less than q. If the coefficients of a(x) are reduced into the right range, a(x) is exactly equal to p*r*g + f*m as an integer polynomial (no longer just mod q). Then

a = p*r*g + m + pF*m = m (mod p).
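The key creation, encryption, decryption and validity-check steps of slides 11 through 14, together with the convolution product of slide 9 and the centred reduction of slide 10, carried out in a toy Python implementation. This is an added example written for this page, not code from the slides or from NTRU's NERI toolkit. It assumes the integer parameter p = 3 of the original NTRU construction rather than the polynomial p = 2+X in the slide-8 table, binary N-bit messages, a toy N = 11 with q = 128 and d = 3 nonzero coefficients of each sign (chosen so that every coefficient of p*r*g + f*m stays below q/2 in absolute value and decryption always succeeds), and it omits the padding and OAEP-style blinding, deriving r from a hash of the raw message; the function names and the key dictionary layout are this example's own.

```python
"""Toy NTRUEncrypt following slides 9-14: cyclic convolution, centred reduction
mod q, f = 1 + p*F, h = p*Fq*g, e = r*h + m and the re-encryption check.
Added illustration, not NTRU's NERI toolkit.  Assumptions: integer p = 3 (the
table on slide 8 uses p = 2+X), binary N-bit messages, toy N = 11 (not secure)
and no OAEP-style padding, so r is derived from a hash of the raw message."""
import hashlib
import random

def conv(a, b, N):
    """Convolution product in Z[x]/(x^N - 1): c_k = sum_i a_i * b_(k-i mod N)."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] += ai * bj
    return c

def mod(a, m):
    """Coefficients reduced into [0, m-1]."""
    return [x % m for x in a]

def center(a, m):
    """Coefficients reduced into the centred range [-m/2, m/2) (slide 10)."""
    return [((x + m // 2) % m) - m // 2 for x in a]

def gf2_divmod(a, b):
    """Long division in GF(2)[x], polynomials packed as Python ints."""
    q = 0
    while a and a.bit_length() >= b.bit_length():
        s = a.bit_length() - b.bit_length()
        q ^= 1 << s
        a ^= b << s
    return q, a

def gf2_mul(a, b):
    """Carry-less product in GF(2)[x]."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = a << 1, b >> 1
    return r

def inv_mod_q(f, N, q):
    """Inverse of f in Z_q[x]/(x^N - 1), q a power of two (slide 11): extended
    Euclid over GF(2)[x] gives f^-1 mod 2, Newton lifting v <- v(2 - f*v)
    then doubles the precision each round.  None if f is not invertible."""
    m = (1 << N) | 1                                # x^N + 1 over GF(2)
    r0, r1 = m, sum((c & 1) << i for i, c in enumerate(f))
    s0, s1 = 0, 1                                   # invariant: s_i*f == r_i (mod m)
    while r1 != 1:
        if r1 == 0:
            return None
        quot, rem = gf2_divmod(r0, r1)
        r0, r1, s0, s1 = r1, rem, s1, s0 ^ gf2_mul(quot, s1)
    v = [(gf2_divmod(s1, m)[1] >> i) & 1 for i in range(N)]
    prec = 2
    while prec < q:
        prec *= prec
        t = [(-x) % prec for x in conv(f, v, N)]    # -f*v
        t[0] = (t[0] + 2) % prec                    # 2 - f*v
        v = mod(conv(v, t, N), prec)
    return mod(v, q)

def small_poly(rng, N, d):
    """'Small' polynomial: d coefficients +1, d coefficients -1, the rest 0."""
    f = [0] * N
    idx = rng.sample(range(N), 2 * d)
    for i in idx[:d]:
        f[i] = 1
    for i in idx[d:]:
        f[i] = -1
    return f

def keygen(seed, N=11, q=128, p=3, d=3):
    """Slide 11.  Public key: (N, p, q, d, h); private key: f (Fq kept for checks)."""
    rng = random.Random(seed)
    while True:
        f = [p * c for c in small_poly(rng, N, d)]  # f = 1 + p*F
        f[0] += 1
        Fq = inv_mod_q(f, N, q)
        if Fq is not None:
            break
    g = small_poly(rng, N, d)
    h = mod([p * c for c in conv(Fq, g, N)], q)     # h = p*Fq*g mod q
    return {"N": N, "q": q, "p": p, "d": d, "f": f, "Fq": Fq, "h": h}

def derive_r(key, m):
    """Slides 12-13: r from a PRNG seeded by the message, so Bob can regenerate it."""
    seed = int.from_bytes(hashlib.sha256(bytes(m)).digest(), "big")
    return small_poly(random.Random(seed), key["N"], key["d"])

def encrypt(key, m):
    """e = r*h + m mod q for an N-bit message m given as a list of 0/1."""
    r = derive_r(key, m)
    return mod([x + y for x, y in zip(conv(r, key["h"], key["N"]), m)], key["q"])

def decrypt(key, e):
    """Slide 13: a = f*e mod q centred equals p*r*g + f*m exactly (no wrap-around
    with these sizes), so a mod p is m.  Re-encrypt; reject if e does not match."""
    a = center(conv(key["f"], e, key["N"]), key["q"])
    m = [x % key["p"] for x in a]
    return m if encrypt(key, m) == e else None
```

The last line of decrypt is the slide-13 check: a modified ciphertext still decodes to some m', but re-encrypting m' does not reproduce the tampered e, so the call returns None. Without the randomised padding and blinding, encryption of a given message is deterministic here, so this toy gives none of the chosen-ciphertext protection that the padding provides in the real scheme; it only shows the mechanics.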

15


In answer to those questions:

• Why so fast?
– NTRUEncrypt uses only additions and subtractions on 7-bit numbers (multiplying by a coefficient in {-1, 0, 1} needs no multiplier)
– For security of order N, a convolution needs only N ln N operations with an FFT (even the straightforward N^2 method is cheap, since each operation is a 7-bit add); other algorithms require N^2 or N^3 operations on big integers

• Why so small?
– NTRUEncrypt uses only adds on 7-bit numbers
– No need for a big-integer arithmetic library
– Fits in a small amount of RAM

• Why secure?
– To be discussed...

16


How Fast is NTRUEncrypt? (RSA 1024 Level Security)

NTRU vs. RSA on PDAs
Function   Units        NTRU 251   RSA 1024    NTRU Advantage
Encrypt    Blocks/sec   21         0.5         42 to 1
Decrypt    Blocks/sec   12         0.036       333 to 1

NTRU vs. ECC on PDAs
Function   Units        NTRU 251   ECC 163     NTRU Advantage
Encrypt    Blocks/sec   21         0.4         52.5 to 1
Decrypt    Blocks/sec   12         1.3         9 to 1

NTRU vs. RSA on ARM9
Function   Units        NTRU 251   RSA 1024    NTRU Advantage
Encrypt    Cycles       79,460     192,892     2 to 1
Decrypt    Cycles       167,033    9,600,000   57 to 1

NTRU vs. ECC on ARM9
Function   Units        NTRU 251   ECC 192     NTRU Advantage
Encrypt    Cycles       79,460     3,040,000   38 to 1
Decrypt    Cycles       167,033    3,040,000   18 to 1

ARM9 comparisons: NTRU's NERI toolkit vs. Mike Scott's MIRACL library, using a NIST curve.

PDA comparisons: NTRU's NERI portable toolkit vs. published results (for ECC, RSA) specialized for the Palm device (RSA encryption exponent e = 65537).

17


Performance on a Microcontroller

• Consumer devices such as wireless speakers will have an 8051-class microcontroller, if they're lucky
• Microcontrollers vary widely, so here are three implementations of NTRUEncrypt (N = 251):

Architecture   Internal clock   Enc. time   Dec. time   RAM
8 bits         2.66 MHz         42.6 ms     60.0 ms     841 bytes
8 bits         3.4 MHz          41.3 ms     65.9 ms     841 bytes
16 bits        1 MHz            65 ms       119 ms      841 bytes

18


Comparison on a Microcontroller

• For comparison, the first microcontroller in the table above (8-bit, 2.66 MHz) has a 50,000-gate RSA/ECC coprocessor

• 028r3-TG3-Coding-Criteria.ppt gives the following cost/power guidance:
– In 0.18 micron technology, 100,000 gates cost 20 cents
– Power is dissipated at a rate of 0.018 mW/(MHz·kgate)

Algorithm   Gate count   Gate cost   Gate power   Time (decrypt)
NTRU        0            $0          0            60 ms
RSA         50,000       $0.10       2.4 mW       420 ms
ECC         50,000       $0.10       2.4 mW       160 ms

(NTRU runs in software on the microcontroller itself, hence zero extra gates; the 2.4 mW figure is 0.018 × 2.66 MHz × 50 kgates.)

19


Comparison in Hardware

• What if you need NTRUEncrypt in hardware?
• This is a complete implementation, including SHA-1:

Algorithm   Gate count   Gate cost   Gate power   Time
NTRU        20,000       $0.04       0.96 mW      20 ms
RSA         50,000       $0.10       2.4 mW       420 ms
ECC         50,000       $0.10       2.4 mW       160 ms

20


Agenda

• NTRU Background

• NTRU Security

• Why Triple-DES?

21


The NTRU Hard Problem

The hard problem underlying NTRU is the Shortest Vector Problem in lattices of high dimension.

System   Hard problem                    Best solution method
NTRU     Short vector problem            LLL lattice reduction
RSA      Integer factorization           Number field sieve
ECC      Elliptic curve discrete log     Pollard rho
DH       Discrete logarithm              Index calculus

Best known methods to break:
• NTRU and ECC: exponential (very slow)
• RSA and DH: subexponential (faster)

22


Lattices

• Lattice: the set of all vectors that are integer linear combinations of the basis vectors B = {b_1, ..., b_n}.
• Lattice bases are not unique.
• Lattice basis reduction: finding a "good" basis, usually one with short, nearly orthogonal vectors.

B = {(1,5), (7,1)}, basis matrix L_B = [1 7; 5 1] (columns are the basis vectors)
B' = {(13,-3), (6,-4)}, basis matrix L_B' = [13 6; -3 -4]
(B and B' generate the same lattice; both matrices have determinant -34.)

(Slide due to Craig Gentry)

23


Shortest Vector Problem

• Shortest Vector Problem (SVP): given a lattice basis, find the shortest nonzero vector in the lattice.
• Example: given L_B' below, find (1,5).
• The SVP is NP-hard (Ajtai 1998, under randomized reductions), so no algorithm that always finds the shortest vector in time polynomial in the lattice dimension is expected to exist unless P = NP.

L_B = [1 7; 5 1]
L_B' = [13 6; -3 -4]
(1,5) = 1·(13,-3) + (-2)·(6,-4)

(Slide due to Craig Gentry)

24


Brief History of Lattice Problems

• Lattices, the SVP, and the CVP have been extensively studied for more than 100 years (Hermite 1870s, Minkowski 1890s,…).

• Best computational tool was developed by Lenstra, Lenstra, and Lovasz (LLL algorithm) in early 1980s.

• Improvements to LLL are due to Schnorr, Euchner, Horner, Koy, and others.

• Algorithms to find small vectors in lattices have been extensively studied because they have applications to many areas outside of cryptography, including physics, combinatorics, number theory, computer algebra,….

• Contrast this with integer factorization (RSA) and elliptic curve discrete logarithms (ECC), where the only applications are to cryptography.

25


NTRU Security

Cryptographic system   Key/block size (bits)   Processing time (MIPS-years)
RSA                    512                     1 x 10^4
NTRU (N = 139)         834                     1 x 10^4
DES                    56                      5 x 10^5
RSA                    1024                    8 x 10^9
NTRU (N = 251)         1757                    5 x 10^10
ECC                    ~1000 (p = 163)         7 x 10^11
RSA                    2048                    1 x 10^20
NTRU (N = 347)         2429                    2 x 10^21
AES                    128                     2 x 10^27

NOTE: 4 x 10^3 MIPS-years = c. 1 year on a 450 MHz Pentium

26


Scrutiny and Standardization

27


Scrutiny

• NTRUEncrypt has been widely studied since it was first announced in 1996
– Papers on NTRU techniques appear at every major cryptography conference
– Nguyen and Stern (CaLC 2001): "this makes NTRU the leading candidate among knapsack-based and lattice-based cryptosystems, and allows high dimension lattices."
– Micciancio (IMAP 2002) observed that NTRU public keys are already in Hermite Normal Form, the canonical basis that reveals the least information about a general lattice

• NTRU encourages peer review
– Challenge problems
– Support to the crypto community (CaLC conference, etc.)

28


NTRU Standardization Work

• IEEE P1363
– Draft of P1363.1 available on the IEEE P1363 WG web site, with NTRUEncrypt included
– Vote on permanently including NTRUEncrypt passed at the May 2001 meeting

• Consortium for Efficient Embedded Security (CEES)
– Draft of EESS #1 standardizing NTRUEncrypt currently available from http://www.ceesstandards.org
– Drafts include complete specification, encodings, certificate formats, etc.

• VHN (Versatile Home Networking)
– NTRU included in EIA/CEA-851

29


NTRU Standardization Work

• IETF
– TLS: NTRU ciphersuites proposed May 2001; expected to proceed to Informational RFC
– PKIX: "Supplemental Algorithms for PKI" Internet Draft, edited by NTRU, includes NTRUEncrypt
– Also includes new US Government algorithms: DSA2, SHA-256, ...

• WAP
– NTRU active participants in WSG

30


Implications of High Data Rate

• Symmetric components must meet the data rate
• Public-key costs are paid per session, not per bit
• With enough gates (612,834, actually), 2 Gbps is practical with AES
• The smallest AES implementation with local subkey storage is 43,000 gates
– 17,000 gates if you hit external memory every cycle
• The challenge: minimize footprint to meet a target data rate at a target cost (area, clock rate, ...)
• You'll need a custom hardware implementation for encryption and integrity
• We've been evaluating algorithms and...

31


Triple-DES

• Hits the data rate at the lowest gate count
• DES has a 64-bit block size
• DES encryption has 16 rounds; Triple-DES encryption has 48
• Using DES for integrity (a single-DES CBC-MAC whose final block is Triple-DES, the ANSI X9.19 "retail MAC") takes another 16 rounds per block, except for the last block, which takes 48
• So we need 64 rounds per 64 bits
• Instantiating two rounds of DES gives a throughput of 2 bits/cycle
• So you'll need at least a 23 MHz clock for 55 Mbps (at 2 bits per cycle, 55 Mbps actually needs 27.5 MHz; the 23 MHz figure is below what the round count above implies)
• Synthesized with LeonardoSpectrum, that's 9,196 gates
• With 802.15.3's assumptions, that's $0.02 and 5.4 mW (the cost follows from the 20 cents per 100,000 gates above; the slide does not show how 5.4 mW was derived, since 9,196 gates × 23 MHz × 0.018 mW/(MHz·kgate) is about 3.8 mW)

32


Triple-DES Security

• Encryption standardized in ANSI X9.52, FIPS 46-3, ...
• Well studied since the late 1970s
• The 112-bit (two-key) key makes brute-force attacks infeasible. Caveat: known-plaintext meet-in-the-middle attacks of the van Oorschot-Wiener type bring two-key Triple-DES well below 112 bits; it is generally credited with about 80 bits of security.
• MAC standardized in ISO 9797, ...
• We MAC the ciphertext, not the plaintext (encrypt-then-MAC)
• The 64-bit block size means we'd expect a MAC collision after 2^32 blocks. The same birthday bound limits how much data one key should encrypt: 2^32 blocks is 2^38 bits, under an hour and a half at 55 Mbps, so session keys must be rotated well before that.
• Sequence numbers in the MAC calculation prevent the attacker from substituting one message for another:
– The attacker isn't looking for two messages that give the same MAC...
– She needs two messages with the same sequence number that give the same MAC

33


Conclusions

• NTRUEncrypt and Triple-DES are the most cost-effective solutions for 802.15.3
• Both have received intense scrutiny
• Both are believed to be secure