Visualizing size-security tradeoffs for lattice-based encryption - - PowerPoint PPT Presentation

Visualizing size-security tradeoffs for lattice-based encryption

Daniel J. Bernstein

Horizontal axis: ciphertext size

Why focus on size instead of CPU time? — Fitting into existing frameworks and protocols. Data from Google. Long term: Hardware trends.

Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

Horizontal axis: ciphertext size

Why focus on size instead of CPU time? — Fitting into existing frameworks and protocols. Data from Google. Long term: Hardware trends. Which size metric to use? e.g. ntrulpr beats sntrup in key size, but sntrup beats ntrulpr in ciphertext size.

Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

Horizontal axis: ciphertext size

Why focus on size instead of CPU time? — Fitting into existing frameworks and protocols. Data from Google. Long term: Hardware trends. Which size metric to use? e.g. ntrulpr beats sntrup in key size, but sntrup beats ntrulpr in ciphertext size. — Google’s 2016 experiment used key+ciphertext.

Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

Horizontal axis: ciphertext size

Why focus on size instead of CPU time? — Fitting into existing frameworks and protocols. Data from Google. Long term: Hardware trends. Which size metric to use? e.g. ntrulpr beats sntrup in key size, but sntrup beats ntrulpr in ciphertext size. — Google’s 2016 experiment used key+ciphertext. But long term: Use IND-CCA2 to multicast+cache public keys (2015 McGrew). Lattice traffic is then much closer to ciphertext than to key+ciphertext.

Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

Vertical axis: Core-SVP security estimate

Beware (potential/actual) oversimplifications inside lattice security estimates. Can lead to:

• Overstating security.
• Understating security—damaging deployment.
• Damaging comparisons: e.g. omitting “hybrid

attacks”; e.g. overstating sntrup “rotations”.

Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

Vertical axis: Core-SVP security estimate

Beware (potential/actual) oversimplifications inside lattice security estimates. Can lead to:

• Overstating security.
• Understating security—damaging deployment.
• Damaging comparisons: e.g. omitting “hybrid

attacks”; e.g. overstating sntrup “rotations”. Security estimate where (claimed) data points are easiest to find: “Core-SVP” pre-quantum estimate.

Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

Vertical axis: Core-SVP security estimate

Beware (potential/actual) oversimplifications inside lattice security estimates. Can lead to:

• Overstating security.
• Understating security—damaging deployment.
• Damaging comparisons: e.g. omitting “hybrid

attacks”; e.g. overstating sntrup “rotations”. Security estimate where (claimed) data points are easiest to find: “Core-SVP” pre-quantum estimate. Some work on better estimates; should continue this work, re-estimate all the schemes, draw new graphs.

Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

148 214 279 9720 15744 21632 146 193 257 5788 9716 14708 112 257 1120 2208 111 181 254 736 1088 1568 125 203 283 736 1088 1472 130 155 176 1025 1167 1312 106 136 145 179 699 931 1138 1230 154 235 314 917 1307 1697 129 153 175 897 1039 1184 147 286 320 712 1188 1424 131 133 194 199 256 281 620 740 934 1103 1285 1509 131 133 194 199 256 281 620 740 934 1103 1285 1509

frodo round5n1 newhope kyber saber ntrulpr ntru threebears sntrup lac round5nd

131 133 194 199 256 281 620 740 934 1103 1285 1509

148 214 279 9720 15744 21632 146 193 257 5788 9716 14708 112 257 1120 2208 111 181 254 736 1088 1568 125 203 283 736 1088 1472 130 155 176 1025 1167 1312 106 136 145 179 699 931 1138 1230 154 235 314 917 1307 1697 129 153 175 897 1039 1184 147 286 320 712 1188 1424 131 133 194 199 256 281 620 740 934 1103 1285 1509 131 133 194 199 256 281 620 740 934 1103 1285 1509

frodo round5n1 newhope kyber saber ntrulpr ntru threebears sntrup lac round5nd

131 133 194 199 256 281 620 740 934 1103 1285 1509

148 214 279 9720 15744 21632 146 193 257 5788 9716 14708 112 257 1120 2208 111 181 254 736 1088 1568 125 203 283 736 1088 1472 130 155 176 1025 1167 1312 106 136 145 179 699 931 1138 1230 154 235 314 917 1307 1697 129 153 175 897 1039 1184 147 286 320 712 1188 1424 131 133 194 199 256 281 620 740 934 1103 1285 1509 131 133 194 199 256 281 620 740 934 1103 1285 1509

frodo round5n1 newhope kyber saber ntrulpr ntru threebears sntrup lac round5nd

131 133 194 199 256 281 620 740 934 1103 1285 1509

112 257 1120 2208 111 181 254 736 1088 1568 125 203 283 736 1088 1472 130 155 176 1025 1167 1312 106 136 145 179 699 931 1138 1230 154 235 314 917 1307 1697 129 153 175 897 1039 1184 147 286 320 712 1188 1424 131 133 194 199 256 281 620 740 934 1103 1285 1509 131 133 194 199 256 281 620 740 934 1103 1285 1509

frodo round5n1 newhope kyber saber ntrulpr ntru threebears sntrup lac round5nd

131 133 194 199 256 281 620 740 934 1103 1285 1509

111 181 254 736 1088 1568 129 153 175 897 1039 1184 129 153 175 897 1039 1184

How the first graph misleads readers

kyber is above and to the left of sntrup. Better Core-SVP sec level at each size. Better size at each sec level.

111 181 254 736 1088 1568 129 153 175 897 1039 1184 129 153 175 897 1039 1184

How the first graph misleads readers

kyber is above and to the left of sntrup. Better Core-SVP sec level at each size. Better size at each sec level. But this is not true.

111 181 254 736 1088 1568 129 153 175 897 1039 1184 129 153 175 897 1039 1184

How the first graph misleads readers

kyber is above and to the left of sntrup. Better Core-SVP sec level at each size. Better size at each sec level. But this is not true. User requires sec 111 for kyber. size ≤ 1024: sec 129 for sntrup.

111 181 254 736 1088 1568 129 153 175 897 1039 1184 129 153 175 897 1039 1184

How the first graph misleads readers

kyber is above and to the left of sntrup. Better Core-SVP sec level at each size. Better size at each sec level. But this is not true. User requires sec 111 for kyber. size ≤ 1024: sec 129 for sntrup. User requires size 1088 for kyber. sec ≥ 128: size 897 for sntrup.

Ciphertext-size comparison examples

Core-SVP for sntrup options: 129, 153, 175. User picks λ ≥ 100, requires Core-SVP ≥ λ. X size(sntrup) < size(X) for λ in frodo {100, . . . , 175} kyber {112, . . . , 153} lac {148, . . . , 175} newhope {100, . . . , 175} ntru {107, . . . , 129}

{146, . . . , 175}

round5n1 {100, . . . , 175} round5nd {} saber {126, . . . , 153} threebears {100, . . . , 129}

{155, . . . , 175} Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

Ciphertext-size comparison examples

Core-SVP for sntrup options: 129, 153, 175. User picks λ ≥ 100, requires Core-SVP ≥ λ. X size(sntrup) < size(X) for λ in frodo

100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175

kyber

112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153

lac

148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175

newhope

100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175

ntru

107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175

round5n1

100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175

round5nd saber

126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153

threebears

100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175

Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

Core-SVP comparison examples

Ciphertext sizes for sntrup: 897, 1039, 1184. User picks S ≤ 1280, requires ciphertext size ≤ S. X sec(sntrup) > sec(X) for S in frodo {897, . . . , 1280} kyber {897, . . . , 1087} lac {1039, . . . , 1187} newhope {897, . . . , 1280} ntru {897, . . . , 930}

{1039, . . . , 1229}

round5n1 {897, . . . , 1280} round5nd {} saber {897, . . . , 1087} threebears {897, . . . , 916}

{1184, . . . , 1280} Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

111 181 254 736 1088 1568 129 153 175 897 1039 1184 129 153 175 897 1039 1184

How the second graph misleads readers

Human eye fills in the fake lines.

111 181 254 736 1088 1568 129 153 175 897 1039 1184 129 153 175 897 1039 1184

Third graph: the correct lines

111 181 254 736 1088 1568 114 121 129 132 153 154 175 182 197 211 784 897 912 1039 1088 1123 1158 1184 1284 1505 1520 114 121 129 132 153 154 175 182 197 211 784 897 912 1039 1088 1123 1158 1184 1284 1505 1520

Should graphs include more parameters?

111 181 254 736 1088 1568 111 115 120 121 129 132 153 164 166 175 182 195 221 756 774 806 897 912 1039 1088 1094 1109 1184 1284 1330 1492 111 115 120 121 129 132 153 164 166 175 182 195 221 756 774 806 897 912 1039 1088 1094 1109 1184 1284 1330 1492

Should graphs include more parameters?