Assessment of the Key-Reuse Resilience of NewHope

NewHope is a suite of two efficient Ring-Learning-With-Errors based key encapsulation mechanisms (KEMs) that has been proposed to the NIST call for proposals for post-quantum standardization. In this paper, we study the security of NewHope when an active adversary takes part in a key establishment protocol and is given access to an oracle, called a key mismatch oracle, which indicates whether or not her guess of the shared key value derived by the party targeted by the attack is correct. This attack model turns out to be relevant in private key reuse situations, since an attacker may then be able to access such an oracle repeatedly, either directly or by means of faults or side channels, depending on the considered instance of NewHope. Following this model, we show that, with the recommended NewHope parameters, several thousand queries are sufficient to recover the full private key with high probability. This result has been experimentally confirmed using an implementation in the Magma computer algebra system. While the presented key mismatch oracle attacks do not break any of the designers' security claims for the NewHope KEMs, they provide better insight into the resilience of these KEMs against key reuse. In the case of the CPA-KEM instance of NewHope, they confirm that key reuse (e.g. key caching on the server side) should be strictly avoided, even for an extremely short duration. In the case of the CCA-KEM instance of NewHope, they allow us to point out critical steps inside the CCA transform that should be carefully protected against faults or side channels in case of potential key reuse.
