Authorea

Scott Fluhrer edited section_Abstract_This_paper_explores__.tex almost 9 years ago

Commit id: 75922b672f9a513dbcdd77fb18b96d1f0dee298c

deletions | additions

\begin{itemize} \item It selects a random bitstring that is the design strength of the parameter set, plus 64 bits (for example, for a 128 bit parameter set, it obtains 192 bits from the internal random number generator) \item It encodes the value $b$, the message $m$ and a portion of the public key into a string, and hash that string to form a value $\rho$. It uses SHA-1 as the hash function if $k \le 160$ and SHA-256 if $k > 160$ \item It hashes this random number (with SHA-1 if the parameter strength $k \le 160$ and SHA-256 if $k > 160$) given us a hash value $H$, $h$, and uses that hash value $H$ $h$ (and nothing else) to seed a random number generator, which selects a polynomial F \item It uses a similar process to select a polynomial G \end{itemize} This process is similar to the process used to select the random polynomial $R$ during encryption (largely because it uses reuses the same code). This key generation procedure immediately gives us a potential key recovery attack; given a public key $H$, we use Grover's algorithm to guess the hash value $h$; our verification step would seed the random number generator, selects a polynomial F', and then compute the product $F'H \pmod{q}$; if that consists solely of elements in the set $\{-p, 0, p\}$, then we accept. This works because if $H = F^{-1}G$, and so multiplying that by the correct value of $F$ will yield $G$ (which has the special form listed). \section{Plaintext Recovery Attack 1} If someone has a Quantum Computer, one way they may try A similar approach to recover the plaintext given a ciphertext $C$ and a public key $H$ is to run Grover's algorithm, with the guess this time being $\rho$ the output of the hashed string. That is, they would use the function that takes a value for $\rho$, run it through the random number generator to generate a guess of $R$, and check if the polynomial $C-HR$ consists solely of the coefficients $\{0, 1, -1\}$; the correct guess of the hash will do that (as $C-HR$ is the encoded message $M$, which is a polynomial with those coefficients); an incorrect guess is quite unlikely to have coefficients limited to that range. For security levels 112, 128, we use a 160 bit hash (and $2^{160}$ possible values for $\rho$), hence this approach will take an expected $O(2^{80})$ operations. For security levels 192, 256, we use a 256 bit hash, hence this approach will take an expected $O(2^{128})$ operations; in both cases, the work required is significantly smaller than the target security levels. This is quite similar to one of the key recovery attacks we have presented earlier above (because both attacks work against the common logic used to generate both $F$ and $R$). However, there is a distinction in that the key generation procedure can could be modified to use a stronger method to select $F$ (and $G$) without any interoperability issue. In contrast, we cannot modify how we generate $R$ without modifying how decryption is done (as the decryptor will expect to be able to regenerate $R$ as part of the post-decryption validation process. Covering this plaintext recovery attack would require modifying the NTRU padding method. \section{Plaintext Recovery Attack 2} Another way an attacker can attempt to recover the plaintext, if the plaintext is low entropy, is to notice that the ciphertext is a deterministic function of the plaintext, the public key, and the $k$-bit random value $b$. If the entropy of the plaintext is low (had only $2^n$ possible values, for $n \lll k$), then what an attacker with a Quantum Computer could do is model the system as one with $2^{n+k}$ inputs (which consists of the $2^n$ possible inputs for the plaintext, paired with the $2^k$ possible values for $b$), and then apply Grover's algorithm to find a solution (that is, $m$ and $b$) that generates the known ciphertext in $O(2^{(n+k)/2})$ time, which is less than the security level $2^k$ (and if $n$ is sufficiently small, this value may be even smaller than the previous attack).