visualizing size security tradeoffs for lattice based
play

Visualizing size-security tradeoffs for lattice-based encryption - PowerPoint PPT Presentation

Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein Horizontal axis: ciphertext size Why focus on size instead of CPU time? Fitting into existing frameworks and protocols. Data from Google. Long term:


  1. Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

  2. Horizontal axis: ciphertext size Why focus on size instead of CPU time? — Fitting into existing frameworks and protocols. Data from Google. Long term: Hardware trends. Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

  3. Horizontal axis: ciphertext size Why focus on size instead of CPU time? — Fitting into existing frameworks and protocols. Data from Google. Long term: Hardware trends. Which size metric to use? e.g. ntrulpr beats sntrup in key size, but sntrup beats ntrulpr in ciphertext size. Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

  4. Horizontal axis: ciphertext size Why focus on size instead of CPU time? — Fitting into existing frameworks and protocols. Data from Google. Long term: Hardware trends. Which size metric to use? e.g. ntrulpr beats sntrup in key size, but sntrup beats ntrulpr in ciphertext size. — Google’s 2016 experiment used key+ciphertext. Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

  5. Horizontal axis: ciphertext size Why focus on size instead of CPU time? — Fitting into existing frameworks and protocols. Data from Google. Long term: Hardware trends. Which size metric to use? e.g. ntrulpr beats sntrup in key size, but sntrup beats ntrulpr in ciphertext size. — Google’s 2016 experiment used key+ciphertext. But long term: Use IND-CCA2 to multicast+cache public keys (2015 McGrew). Lattice traffic is then much closer to ciphertext than to key+ciphertext. Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

  6. Vertical axis: Core-SVP security estimate Beware (potential/actual) oversimplifications inside lattice security estimates. Can lead to: • Overstating security. • Understating security—damaging deployment. • Damaging comparisons: e.g. omitting “hybrid attacks”; e.g. overstating sntrup “rotations”. Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

  7. Vertical axis: Core-SVP security estimate Beware (potential/actual) oversimplifications inside lattice security estimates. Can lead to: • Overstating security. • Understating security—damaging deployment. • Damaging comparisons: e.g. omitting “hybrid attacks”; e.g. overstating sntrup “rotations”. Security estimate where (claimed) data points are easiest to find: “Core-SVP” pre-quantum estimate. Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

  8. Vertical axis: Core-SVP security estimate Beware (potential/actual) oversimplifications inside lattice security estimates. Can lead to: • Overstating security. • Understating security—damaging deployment. • Damaging comparisons: e.g. omitting “hybrid attacks”; e.g. overstating sntrup “rotations”. Security estimate where (claimed) data points are easiest to find: “Core-SVP” pre-quantum estimate. Some work on better estimates; should continue this work, re-estimate all the schemes, draw new graphs. Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

  9. 148 257 286 131 131 131 147 155 179 257 283 112 130 136 146 154 176 194 194 194 203 256 256 256 281 281 281 320 106 111 125 129 133 133 133 145 153 175 181 193 199 199 199 214 235 254 279 314 620 620 620 699 712 736 736 740 740 740 897 917 934 934 934 931 1025 1039 1088 1088 1103 1103 1103 1120 1138 1167 1188 1184 1230 1285 1285 1285 1312 1307 1424 1472 1509 1509 1509 1568 1697 2208 threebears round5nd sntrup 5788 ntru lac 9720 9716 round5n1 newhope ntrulpr frodo kyber saber 14708 15744 21632

  10. 148 257 286 131 131 131 147 155 179 257 283 112 130 136 146 154 176 194 194 194 203 256 256 256 281 281 281 320 106 111 125 129 133 133 133 145 153 175 181 193 199 199 199 214 235 254 279 314 620 620 620 699 712 736 736 740 740 740 897 917 934 934 934 931 1025 1039 1088 1088 1103 1103 1103 1120 1138 1167 1188 1184 1230 1285 1285 1285 1312 1307 1424 1472 1509 1509 1509 1568 1697 2208 threebears round5nd sntrup 5788 ntru lac 9720 9716 round5n1 newhope ntrulpr frodo kyber saber 14708 15744 21632

  11. 148 257 286 131 131 131 147 155 179 257 283 112 130 136 146 154 176 194 194 194 203 256 256 256 281 281 281 320 106 111 125 129 133 133 133 145 153 175 181 193 199 199 199 214 235 254 279 314 620 620 620 699 712 736 736 740 740 740 897 917 934 934 934 931 1025 1039 1088 1088 1103 1103 1103 1120 1138 1167 1188 1184 1230 1285 1285 1285 1312 1307 1424 1472 1509 1509 1509 1568 1697 2208 threebears round5nd sntrup 5788 ntru lac 9720 9716 round5n1 newhope ntrulpr frodo kyber saber 14708 15744 21632

  12. 320 314 286 283 281 281 281 257 256 256 256 254 235 203 199 199 199 194 194 194 181 179 176 175 155 154 153 147 145 136 133 133 133 131 131 131 130 129 round5nd 125 lac sntrup 112 111 threebears 106 ntru 620 620 620 699 712 736 736 740 740 740 897 917 931 934 934 934 1025 1039 1088 1088 1103 1103 1103 1120 1138 1167 1184 1188 1230 1285 1285 1285 1307 1312 1424 1472 1509 1509 1509 1568 1697 2208 ntrulpr saber kyber newhope round5n1 frodo

  13. 254 How the first graph misleads readers kyber is above and to the left of sntrup . Better Core-SVP sec level at each size. Better size at each sec level. 181 175 175 153 153 129 129 111 736 897 897 1039 1039 1088 1184 1184 1568

  14. 254 How the first graph misleads readers kyber is above and to the left of sntrup . Better Core-SVP sec level at each size. Better size at each sec level. 181 175 175 But this is not true . 153 153 129 129 111 736 897 897 1039 1039 1088 1184 1184 1568

  15. 254 How the first graph misleads readers kyber is above and to the left of sntrup . Better Core-SVP sec level at each size. Better size at each sec level. 181 175 175 But this is not true . 153 153 User requires sec 111 for kyber . size ≤ 1024: sec 129 for sntrup . 129 129 111 736 897 897 1039 1039 1088 1184 1184 1568

  16. 254 How the first graph misleads readers kyber is above and to the left of sntrup . Better Core-SVP sec level at each size. Better size at each sec level. 181 175 175 But this is not true . 153 153 User requires sec 111 for kyber . size ≤ 1024: sec 129 for sntrup . 129 129 User requires size 1088 for kyber . sec ≥ 128: size 897 for sntrup . 111 736 897 897 1039 1039 1088 1184 1184 1568

  17. Ciphertext-size comparison examples Core-SVP for sntrup options: 129, 153, 175. User picks λ ≥ 100, requires Core-SVP ≥ λ . size( sntrup ) < size( X ) for λ in X { 100 , . . . , 175 } frodo { 112 , . . . , 153 } kyber { 148 , . . . , 175 } lac { 100 , . . . , 175 } newhope � { 146 , . . . , 175 } { 107 , . . . , 129 } ntru { 100 , . . . , 175 } round5n1 {} round5nd { 126 , . . . , 153 } saber � { 155 , . . . , 175 } { 100 , . . . , 129 } threebears Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

Recommend


More recommend