
Recovering NTRU Secret Key from Inversion Oracles [chapter]

Petros Mol, Moti Yung
Public Key Cryptography – PKC 2008  
which underlies the NTRU scheme) and recovering the NTRU secret key (universal breaking).  ...  This allows for secret key recovery directly from the output on several inversion queries even in the absence of decryption failures.  ...  Universal Breaking from Inversion Oracles We denote the problem of finding the NTRU secret key pair as UB_NTRU (Universal Breaking). Definition 5.1.  ... 
doi:10.1007/978-3-540-78440-1_2 dblp:conf/pkc/MolY08 fatcat:fbi2s2opv5a6ndxqnph56dho3m

Will You Cross the Threshold for Me?

Prasanna Ravi, Martianus Frederic Ezerman, Shivam Bhasin, Anupam Chattopadhyay, Sujoy Sinha Roy
2021 Transactions on Cryptographic Hardware and Embedded Systems  
All of our proposed attacks are capable of recovering the full secret key in only a few thousand chosen ciphertext queries on all parameter sets of NTRU and NTRU Prime.  ...  An attacker, who can obtain information about the secret-dependent variable through side-channels, can subsequently recover the full secret key.  ...  This realizes a decryption-failure (DF) oracle whose responses can recover the full secret key.  ... 
doi:10.46586/tches.v2022.i1.722-761 fatcat:7gx3tbfndrcozd33rq36k3b4gy

Unstructured Inversion of New Hope [article]

Ben Adler
2021 arXiv   pre-print
With respect to this tessellation, New Hope may not withstand inversion attempts augmented with Grover's search algorithm.  ...  The structure of the exchange is lattice based, implementing Peikert's key encapsulation mechanism as a modified form of ring learning with errors.  ...  Having isolated equal to and then showing −2 = 0, we apply the additive inverse to produce − − = + . We now have + = 0 = (1 + 1). For a coefficient of x resulting in mod , the weight of exp − 2  ... 
arXiv:1608.04993v4 fatcat:bkggndvy2rhh3ky6xmzu3njjs4

Key Recovery Attacks on NTRU without Ciphertext Validation Routine [chapter]

Daewan Han, Jin Hong, Jae Woo Han, Daesung Kwon
2003 Lecture Notes in Computer Science  
Assuming access to a decryption oracle, we show ways to recover the private key of NTRU systems that do not include a ciphertext validating procedure.  ...  NTRU is an efficient public-key cryptosystem proposed by Hoffstein, Pipher, and Silverman.  ...  We show how to exploit the wrapping behavior of the modulo q reduction process done during decryption to recover the private key, using less than 2N calls to the decryption oracle.  ... 
doi:10.1007/3-540-45067-x_24 fatcat:vkaaywhjrzhr7fr3pz7bpkwhqu

The Impact of Decryption Failures on the Security of NTRU Encryption [chapter]

Nick Howgrave-Graham, Phong Q. Nguyen, David Pointcheval, John Proos, Joseph H. Silverman, Ari Singer, William Whyte
2003 Lecture Notes in Computer Science  
This affects the provable security properties of a cryptosystem, as it limits the ability to build a simulator in the random oracle model without knowledge of the private key.  ...  We demonstrate attacks which use decryption failures to recover the private key. Such attacks work for all standard parameter sets, and one of them applies to any padding.  ...  1 (The NTRU Inversion Problem).  ... 
doi:10.1007/978-3-540-45146-4_14 fatcat:bhrs5vc2xjfzdbn53vln4vn34q

NTTRU: Truly Fast NTRU Using NTT

Vadim Lyubashevsky, Gregor Seiler
2019 Transactions on Cryptographic Hardware and Embedded Systems  
We present NTTRU – an IND-CCA2 secure NTRU-based key encapsulation scheme that uses the number theoretic transform (NTT) over the cyclotomic ring Z_7681[X]/(X^768 − X^384 + 1) and produces public keys and ciphertexts  ...  We additionally give a simple transformation that allows one to provably deal with small decryption errors in OW-CPA encryption schemes (such as NTRU) when using them to construct an IND-CCA2 key encapsulation  ...  The version of the NTRU encryption scheme we will be using is "randomness-recovering". That is, once the decryption function recovers m, it can also recover the randomness r.  ... 
doi:10.13154/tches.v2019.i3.180-201 dblp:journals/tches/LyubashevskyS19 fatcat:yeaqxzel6faktg2rzpi5u3f7ku

A Practical Implementation of Identity-Based Encryption Over NTRU Lattices [chapter]

Sarah McCarthy, Neil Smyth, Elizabeth O'Sullivan
2017 Lecture Notes in Computer Science  
An identity-based encryption scheme enables the efficient distribution of keys in a multi-user system.  ...  User Key Extraction demonstrates a 180% speed increase and Encrypt and Decrypt demonstrate increases of over 500% and 1200% respectively for 80-bit security on an Intel Core i7-6700 CPU at 4.0 GHz, with  ...  −f1 −f2 ... f0   The NTRU lattice assumption is that it is a hard problem to recover polynomials f, g from h, where h = g/f, i.e. it is hard to obtain B_nice from B_bad.  ... 
doi:10.1007/978-3-319-71045-7_12 fatcat:6sl6mpecijdldazju3ankwqlrq

High-Speed Key Encapsulation from NTRU [chapter]

Andreas Hülsing, Joost Rijneveld, John Schanck, Peter Schwabe
2017 Lecture Notes in Computer Science  
This paper presents software demonstrating that the 20-year-old NTRU cryptosystem is competitive with more recent lattice-based cryptosystems in terms of speed, key size, and ciphertext size.  ...  random oracle model, and present highly optimized software targeting Intel CPUs with the AVX2 vector instruction set.  ...  not recover the secret key [26].  ... 
doi:10.1007/978-3-319-66787-4_12 fatcat:rq7slwi2ajduzkbngdbc5oajmy

NTRUCCA: How to Strengthen NTRUEncrypt to Chosen-Ciphertext Security in the Standard Model [chapter]

Ron Steinfeld, San Ling, Josef Pieprzyk, Christophe Tartary, Huaxiong Wang
2012 Lecture Notes in Computer Science  
As an intermediate step, we present a construction for an All-But-One (ABO) lossy trapdoor function from pNE, which may be of independent interest.  ...  NTRUEncrypt is a fast and practical lattice-based public-key encryption scheme, which has been standardized by IEEE, but until recently, its security analysis relied only on heuristic arguments.  ...  Inversion algorithm F^-1: On input y ∈ Y, b ∈ B and secret key sk, the deterministic algorithm F^-1 returns x = F^-1(sk, b, y) ∈ X ∪ {⊥} (where ⊥ indicates an inversion failure).  ... 
doi:10.1007/978-3-642-30057-8_21 fatcat:5pcdq34otjbexajswvgq5gyi64

Physical Protection of Lattice-Based Cryptography

Ayesha Khalid, Tobias Oder, Felipe Valencia, Maire O' Neill, Tim Güneysu, Francesco Regazzoni
2018 Proceedings of the 2018 on Great Lakes Symposium on VLSI - GLSVLSI '18  
Post-quantum (or quantum-resistant) cryptography is an active research area, endeavoring to develop novel and quantum resistant public key cryptography.  ...  With the advent of powerful quantum computers public key cryptographic schemes will become vulnerable to Shor's quantum algorithm, undermining the security of current communications systems.  ...  The attack is able to fully recover the secret key.  ... 
doi:10.1145/3194554.3194616 dblp:conf/glvlsi/KhalidOVOGR18 fatcat:lfintj5vbbf5xllxwoxeer6hdu

Compact and Efficient NTRU-based KEM with Scalable Ciphertext Compression [article]

Zhichuang Liang, Boyue Fang, Jieyu Zheng, Yunlei Zhao
2022 arXiv   pre-print
Nevertheless, there are still some obstacles to the computational efficiency and bandwidth complexity of NTRU-based constructions of key encapsulation mechanisms (KEM).  ...  It demonstrates a new approach to decrypting NTRU ciphertext, where the plaintext message is recovered with the aid of our decoding algorithm in the scalable E_8 lattice.  ...  CTRU has a similar form of public key and secret key to those of the traditional NTRU-based KEM schemes, but the method to recover message in CTRU is significantly different from them.  ... 
arXiv:2205.05413v1 fatcat:h7lage463venfb4otqu3t26the

BAT: Small and Fast KEM over NTRU Lattices

Pierre-Alain Fouque, Paul Kirchner, Thomas Pornin, Yang Yu
2022 Transactions on Cryptographic Hardware and Embedded Systems  
We present BAT – an IND-CCA secure key encapsulation mechanism (KEM) that is based on NTRU but follows an encryption/decryption paradigm distinct from classical NTRU KEMs.  ...  However, since the secret key is now a short basis (not a vector), we need to modify the decryption algorithm and we present a new NTRU decoder.  ...  While the public key of an NTRU-based scheme is h itself, the secret key can have different forms. For most NTRU encryption schemes, the secret key is (g, f) itself, i.e. one short vector of L_{h,q}.  ... 
doi:10.46586/tches.v2022.i2.240-265 fatcat:pswp6sxt6fasxlgmsigpzi6rx4

Efficient Identity-Based Encryption over NTRU Lattices [chapter]

Léo Ducas, Vadim Lyubashevsky, Thomas Prest
2014 Lecture Notes in Computer Science  
In this work, we show that using a particular distribution over NTRU lattices can make GPV-based schemes suitable for practice.  ...  As a by-product, we also obtain digital signature schemes which are shorter than the previously most-compact ones of Ducas, Durmus, Lepoint, and Lyubashevsky from Crypto 2013.  ...  ' secret keys.  ... 
doi:10.1007/978-3-662-45608-8_2 fatcat:rlfi7asddng2pho3o4s6le4azi

A Lattice-Based Authentication Scheme for Roaming Service in Ubiquitous Networks with Anonymity

Yousheng Zhou, Longan Wang
2020 Security and Communication Networks  
There are many roaming authentication schemes which have been proposed; however, with the progress of quantum computation, quantum attack poses security threats to many traditional public key cryptography-based  ...  In consideration of the advantages of lattice in antiquantum, an NTRU-based authentication scheme with provable security and conditional privacy preservation is proposed to remedy these security weaknesses  ...  If b = 0, the oracle returns a random value of the same length as the session key, and if b = 1, the oracle returns the real session key held by Π_U^i.  ... 
doi:10.1155/2020/2637916 fatcat:jmpnk535ivfvdlelq4ijjykbem

The Whole is Less Than the Sum of Its Parts: Constructing More Efficient Lattice-Based AKEs [chapter]

Rafael del Pino, Vadim Lyubashevsky, David Pointcheval
2016 Lecture Notes in Computer Science  
the secret key.  ...  the NTRU assumption with rings of smaller dimension.  ...  It is then direct that aborting before the third flow of the protocol prevents the attacker from distinguishing between users U_0 and U_1 as the first flow of the protocol is completely independent from  ... 
doi:10.1007/978-3-319-44618-9_15 fatcat:s6dxf2ab2vhsnnvugfimschovu