Cold Boot Attacks on NTRU

Cold boot attacks exploit memory remanence effects in hardware to recover secret key material. Such attacks were first explored in the scientific literature by Halderman et al. (USENIX Security Symposium 2008) and, since then, different attacks have been developed against a range of asymmetric-key and symmetric-key algorithms. Such attacks in general receive as input a noisy version of the secret key as stored in memory, and use redundancy in the key (and possibly knowledge of a public key) to recover the secret key. The challenge is to recover the key as efficiently as possible in the face of increasing levels of noise. For the first time, we explore the vulnerability of lattice-based cryptosystems to this form of analysis, focussing in particular on NTRU, a well-established and attractive public-key encryption scheme that seems likely to be a strong candidate for standardisation in NIST's post-quantum process. We look at two distinct NTRU implementations, showing how the attacks that can be developed depend critically on the in-memory representation of the secret key. We develop efficient, dedicated key-recovery algorithms for the two implementations and provide the results of an empirical evaluation of our algorithms.
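As an added illustration (not code from the paper), the following Python models the setting the abstract describes for one assumed in-memory representation: each ternary NTRU coefficient stored as a signed byte, degraded under the asymmetric bit-decay noise model used in the cold boot literature, and recovered coefficient-wise by maximum likelihood over the three valid encodings. The representation, the noise rates and the decoding rule are assumptions chosen to show why the stored form of the key governs how much redundancy a recovery algorithm can exploit; they are not the paper's algorithms.

```python
import math
import random

# Assumed representation: coefficient in {-1, 0, 1} stored as a signed byte.
CODEWORDS = {0x00: 0, 0x01: 1, 0xFF: -1}
ENCODE = {0: 0x00, 1: 0x01, -1: 0xFF}

def decay_byte(b, p10, p01, rng):
    """Asymmetric cold-boot noise: a 1-bit decays to 0 with probability p10,
    a 0-bit flips to 1 with the (much smaller) probability p01."""
    out = 0
    for i in range(8):
        bit = (b >> i) & 1
        if bit == 1 and rng.random() < p10:
            bit = 0
        elif bit == 0 and rng.random() < p01:
            bit = 1
        out |= bit << i
    return out

def log_likelihood(observed, original, p10, p01):
    """log Pr[observed | original] under the asymmetric decay model."""
    ll = 0.0
    for i in range(8):
        o, s = (observed >> i) & 1, (original >> i) & 1
        if s == 1:
            ll += math.log(1 - p10) if o == 1 else math.log(p10)
        else:
            ll += math.log(p01) if o == 1 else math.log(1 - p01)
    return ll

def decode_byte(observed, p10, p01):
    """Only three of 256 byte values are valid, so pick the codeword most
    likely to have decayed into `observed` (maximum-likelihood decoding)."""
    return max(CODEWORDS, key=lambda c: log_likelihood(observed, c, p10, p01))

def recover_key(noisy_bytes, p10, p01):
    return [CODEWORDS[decode_byte(b, p10, p01)] for b in noisy_bytes]

def simulate(n, p10, p01, seed):
    """Constructed experiment: random ternary key, decay it, decode it,
    and count coefficients the decoder got wrong."""
    rng = random.Random(seed)
    key = [rng.choice([-1, 0, 1]) for _ in range(n)]
    noisy = [decay_byte(ENCODE[c], p10, p01, rng) for c in key]
    recovered = recover_key(noisy, p10, p01)
    errors = sum(1 for a, b in zip(key, recovered) if a != b)
    return key, recovered, errors
```

A 0x01 byte whose single set bit decays is indistinguishable from a stored 0, so the residual errors come almost entirely from coefficients equal to 1; a representation with more set bits per coefficient (such as 0xFF for -1) survives far higher decay rates, which is the representation dependence the abstract refers to.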
