Page 16 - index
P. 16
it again using its keys. This approach makes it nearly impossible to crack, by normal computers
and quantum computers as well. For RSA and ECC, a quantum computer attack, without diving
into Shor’s Algorithm , basically does very rapid factorization and a machine with an appropriate
number of Qubits should be able to crack any key in a matter of seconds. NTRU math makes
this kind of attack impossible and reduces the attacker to a brute force approach where the
system not only has to find all the “needles” in the haystack, but put them together in a cogent
fashion; replicating the private key. In order to do this every possible combination of “needles”
needs to be tried. It’s estimated that NTRU’s strength will be reduced by 50% under a brute
force attack by a sufficiently large Quantum computer; far better than the 100% effectiveness
against the factor based systems. Building cryptographic strength like this into todays
applications means that they will be secure and remain secure far into the future.
Performance and strength are key to success in a public key system, but its just as important
that the algorithms be open and available for scrutiny to eliminate the possibility of hidden back
doors or other security holes. Security Innovation, the owner of NTRU, recently open sourced
the patents and reference code with the goal of driving its adoption and helping to lock down
the Internet as soon as possible. They’ve put together an Open Source licensing model that
includes GPL 2 and higher , a FOSS exception and include statements that its an irrevocable
grant by Security Innovation and/or any future owners of the patented NTRU algorithms.
They’ve also provided a commercial license for non-open source applications, so there are no
barriers to adoption due to licensing issues—the bugaboo of open source projects.
All this strength, performance and openness is great, but the real problem with introducing a
new algorithm is the adoption curve. There needs to be an ever increasing number of system
that have implemented a system before it can be used effectively—the old chicken and egg
problem. Implementation of NTRU is no different and requires adoption of the algorithm
generally and at both ends of the connection to work. It’s risky as there’s no guarantee that it
will be implemented everywhere, hence it makes sense to not do a complete replacement but to
implement it side by side with one or more of the major public key systems. William Whyte,
Security Innovation’s Chief Scientist, suggests that well built systems would use both ECC and
NTRU encryption keys and use the ECC and NTRU signing mechanisms to transport the
appropriate digital certificates. He goes further to say that there should be a well defined
process for integrating other algorithms as they become available. Using this side by side
approach reduces risk by providing options for future strength and backwards compatibility,
smoothing the NTRU adoption curve.
NTRU, which was developed in 1996, has been peer reviewed and adopted as a standard by
two standards bodies so far, IEEE 1363 and the Financial Services Industry’s Accredited
Standards Committee X9. The system has also been reviewed by NIST who state “Of the
various lattice based cryptographic schemes that have been developed, the NTRU family of
cryptographic algorithms appears to be the most practical...smallest key size...highest
16 Cyber Warnings E-Magazine – December 2013 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
