Fault analysis of the NTRUSign digital signature scheme

We present a fault analysis of the NTRUSign digital signature scheme. The utilized fault model is the one in which the attacker is assumed to be able to fault a small number of coefficients in a specific polynomial during the signing process but cannot control the exact location of the injected transient faults. For NTRUSign with parameters $(N, q = p^l, \mathcal{B}, \text{standard}, \mathcal{N})$, when the attacker is able to skip the norm-bound signature checking step, our attack needs one fault, succeeds with probability $\approx 1-\frac{1}{p}$ and requires $O((qN)^t)$ steps when the number of faulted polynomial coefficients is upper bounded by $t$. The attack is also applicable to NTRUSign utilizing the transpose NTRU lattice, but it requires double the number of fault injections. Different countermeasures against the proposed attack are investigated.
