Timing Attacks on NTRUEncrypt Via Variation in the Number of Hash Calls
This report studies timing attacks on NTRUEncrypt based on variation in the number of hash calls made on decryption. The attacks apply to the parameter sets of [8,6]. To mount the attacker, an attacker performs a variable amount of precomputation, then submits a relatively small number of specially constructed ciphertexts for decryption and measures the decryption times. Comparison of the decryption times with the precomputed data allows the attacker to recover the key in greatly reduced time compared to standard attacks on NTRUEncrypt. The precomputed data can be used for all keys generated with a specific parameter set and tradeoffs exist that increase the amount of precomputation in order to decrease the time required to recover an individual key. For parameter sets in  that claim k-bit security but are vulnerable to this attack, we find that an attacker can typically recover a single key with about k/2 bits of effort.
Finally, we describe a simple means to prevent these attacks by ensuring that all operations take a constant number of SHA calls. The recommended countermeasure does not break interoperability with the parameter sets of [8,6] and has only a slight effect on performance.
KeywordsHash Function Timing Attack Smart Card Hypergeometric Distribution Decryption Oracle
Unable to display preview. Download preview PDF.
- 1.Brumley, D., Boneh, D.: Remote timing attacks are practical. Journal of Computer Networks (2005)Google Scholar
- 3.Hoffstein, J., Silverman, J.H.: Optimizations for NTRU. In: Public Key Cryptography and Computational Number Theory, September 11–15, 2000, pp. 77–88. Walter de Gruyter, Berlin (2001)Google Scholar
- 4.Howgrave-Graham, N.A., Silverman, J.H., Whyte, W.: A Meet-in-the-Middle Attack on an NTRU Private key. Technical report, NTRU Cryptosystems, Report #004, version 2 (June 2003), http://www.ntru.com
- 5.Howgrave-Graham, N., Silverman, J.H., Singer, A., Whyte, W.: NAEP: Provable Security in the Presence of Decryption Failures. IACR ePrint Archive, Report 2003-172, http://eprint.iacr.org/2003/172/
- 7.Consortium for Efficient Embedded Security. Efficient Embedded Security Standard (EESS) #1 version 2 (2003)Google Scholar
- 8.Consortium for Efficient Embedded Security. Efficient Embedded Security Standard (EESS) #1 version 3 (2005)Google Scholar