Power Analysis on NTRU Prime

This paper applies a variety of power analysis techniques to several implementations of NTRU Prime, a Round 2 submission to the NIST Post-Quantum Cryptography Standardization Project. The techniques are vertical correlation power analysis, horizontal in-depth correlation power analysis, online template attacks, and chosen-input simple power analysis. The implementations are the reference implementation, an implementation optimized with the ARM smladx DSP instruction, and three protected implementations. The adversaries considered can fully recover the private key from a single trace covering a short observation span; from a few template traces taken on a fully controlled device similar to the target, without any a priori power model; or, in some cases, with the naked eye. The attacks target the constant-time generic polynomial multiplication implemented with the product scanning method. Although the authors focus on decapsulation, the same techniques apply to the key generation and encapsulation of NTRU Prime, and more generally to ideal-lattice-based cryptosystems in which each private-key coefficient is drawn from a small set of possible values.
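The following simulation is an added example, not code from the paper or from the NTRU Prime submission. It shows why a constant-time product-scanning multiplication of the small secret f by a known input c is exposed to single-trace analysis: every product c[j]*f[i] is executed whatever f[i] is, so each secret coefficient gets P leakage samples that can be tested against the three hypotheses {-1, 0, 1}. The leakage model (Hamming weight of the 32-bit product plus Gaussian noise), the reduced ring size P, the uniformly sampled key, and the chosen ciphertext coefficient 2046 are assumptions made for the simulation; the sntrup761 values q = 4591 and p = 761 are real, but p is shrunk so the script runs in a second. The same block illustrates the chosen-input SPA: with c = 2046 * x^0 the only non-zero product of f[i] has weight 0, 10 or 22, so one sample per coefficient reads off the key.

```python
"""Simulated single-trace power analysis of the product-scanning
multiplication c * f in NTRU Prime decapsulation (added toy example)."""
import random
from statistics import fmean

# sntrup761 uses q = 4591 and p = 761 with f in {-1, 0, 1}^p.  P is shrunk
# here to keep the simulation fast; nothing in the attack depends on it.
Q = 4591
P = 101
HYPOTHESES = (-1, 0, 1)


def hw32(v):
    """Hamming weight of v as a 32-bit two's-complement word, the form in
    which a 32-bit multiplier sees the product (assumed leakage model)."""
    return bin(v & 0xFFFFFFFF).count("1")


def random_rounded_poly(rng):
    """Ciphertext-like polynomial: coefficients are multiples of 3 in the
    centred range, since Streamlined NTRU Prime ciphertexts are rounded."""
    return [3 * rng.randint(-765, 765) for _ in range(P)]


def random_small_poly(rng):
    """Secret with coefficients in {-1, 0, 1} (the real key has a fixed
    number of non-zeros; that does not matter for the attack)."""
    return [rng.choice(HYPOTHESES) for _ in range(P)]


def product_scanning_trace(c, f, sigma, rng):
    """One simulated trace of schoolbook product scanning: for each output
    index k, every product c[j] * f[i] with i + j = k is executed (the
    reduction mod x^p - x - 1 touches no secret product and is omitted).
    Constant-time code performs all P products per f[i] whatever its value,
    which is what hands the horizontal attacker P samples per coefficient.
    Returns the noisy HW samples and, per coefficient i, the (position, j)
    pairs of the samples that involve f[i]."""
    trace, where = [], [[] for _ in range(P)]
    for k in range(2 * P - 1):
        for i in range(max(0, k - P + 1), min(k, P - 1) + 1):
            j = k - i
            where[i].append((len(trace), j))
            trace.append(hw32(c[j] * f[i]) + rng.gauss(0.0, sigma))
    return trace, where


def horizontal_attack(trace, where, c):
    """Horizontal in-depth analysis on one trace with a known input c:
    each f[i] is scored against all three hypotheses using the P samples in
    which it is the multiplicand.  A calibrated model (leak ~ HW + noise,
    e.g. learnt on a controlled copy of the device) is assumed and the
    distinguisher is mean squared error; plain Pearson correlation would not
    rank h = 0, whose predicted leakage is constant."""
    def score(i, h):
        return fmean((trace[pos] - hw32(c[j] * h)) ** 2 for pos, j in where[i])
    return [min(HYPOTHESES, key=lambda h: score(i, h)) for i in range(P)]


CHOSEN = 2046  # multiple of 3; HW32(2046) = 10, HW32(-2046) = 22, HW32(0) = 0


def chosen_input_spa(trace, where):
    """Chosen-input SPA with c = CHOSEN * x^0: the only non-zero product of
    f[i] is CHOSEN * f[i], whose weight is 0, 10 or 22 depending on f[i], so a
    single sample per coefficient is read off by thresholding."""
    recovered = []
    for i in range(P):
        pos = next(pos for pos, j in where[i] if j == 0)
        leak = trace[pos]
        recovered.append(0 if leak < 5 else 1 if leak < 16 else -1)
    return recovered


def run(seed=1, sigma=1.0):
    """Run both attacks on one fresh key; returns (f, horizontal, spa)."""
    rng = random.Random(seed)
    f = random_small_poly(rng)
    c = random_rounded_poly(rng)
    trace, where = product_scanning_trace(c, f, sigma, rng)
    horizontal = horizontal_attack(trace, where, c)
    c_chosen = [CHOSEN] + [0] * (P - 1)
    trace, where = product_scanning_trace(c_chosen, f, sigma, rng)
    spa = chosen_input_spa(trace, where)
    return f, horizontal, spa


if __name__ == "__main__":
    f, hz, spa = run()
    print("horizontal CPA recovered key:", hz == f)
    print("chosen-input SPA recovered key:", spa == f)
```

Two design points carry over to real traces. First, the horizontal attack needs no repeated executions: the P products of one decapsulation already form the sample set, so a single short trace suffices, and noise only raises the per-coefficient error rate, which a second trace or a key-consistency check can absorb. Second, the hypothesis f[i] = 0 predicts a constant, so a correlation-based distinguisher must be paired with either a calibrated model (as here), a variance test, or templates built on a similar device; a naive CPA that ranks only the non-zero hypotheses silently misclassifies zero coefficients.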
