Advertisement

Defeating NewHope with a Single Trace

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12100)

Abstract

The key encapsulation method “NewHope” allows two parties to agree on a secret key. The scheme includes a private and a public key. While the public key is used to encipher a random shared secret, the private key enables to decipher the ciphertext. NewHope is a candidate in the NIST post-quantum project, whose aim is to standardize cryptographic systems that are secure against attacks originating from both quantum and classical computers. While NewHope relies on the theory of quantum-resistant lattice problems, practical implementations have shown vulnerabilities against side-channel attacks targeting the extraction of the private key. In this paper, we demonstrate a new attack on the shared secret. The target consists of the C reference implementation as submitted to the NIST contest, being executed on a Cortex-M4 processor. Based on power measurement, the complete shared secret can be extracted from data of one single trace only. Further, we analyze the impact of different compiler directives. When the code is compiled with optimization turned off, the shared secret can be read from an oscilloscope display directly with the naked eye. When optimizations are enabled, the attack requires some more sophisticated techniques, but the attack still works on single power traces.

Keywords

Post-quantum cryptography Side-channel attack NewHope Message encoding 

Notes

Acknowledgment

We thank the anonymous reviewers for their accurate reviews and valuable comments. This work was supported by Innosuisse, the federal agency responsible for encouraging science-based innovation in Switzerland.

References

  1. 1.
    Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978).  https://doi.org/10.1145/359340.359342MathSciNetCrossRefzbMATHGoogle Scholar
  2. 2.
    Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997).  https://doi.org/10.1137/S0097539795293172MathSciNetCrossRefzbMATHGoogle Scholar
  3. 3.
    Dyakonov, M.: The case against quantum computing. IEEE Spectr. 56(3), 24–29 (2019)MathSciNetCrossRefGoogle Scholar
  4. 4.
    Mosca, M.: Cybersecurity in an era with quantum computers: will we be ready? IEEE Secur. Priv. 16(5), 38–41 (2018).  https://doi.org/10.1109/MSP.2018.3761723CrossRefGoogle Scholar
  5. 5.
    National Institute of Standards and Technology: Submission requirements and evaluation criteria for the post-quantum cryptography standardization process (2016)Google Scholar
  6. 6.
    Alagic, G., et al.: Status report on the first round of the NIST post-quantum cryptography standardization process. NISTIR 8240 (2019).  https://doi.org/10.6028/NIST.IR.8240
  7. 7.
    Alkim, E., et al.: NewHope - algorithm specifications and supporting documentation. Version 1.02 (2019)Google Scholar
  8. 8.
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: NewHope without reconciliation. IACR Cryptology ePrint Archive, p. 1157 (2016). http://eprint.iacr.org/2016/1157
  9. 9.
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: 25th USENIX Security Symposium, USENIX Security 2016, Austin, TX, USA, 10–12 August 2016, pp. 327–343 (2016)Google Scholar
  10. 10.
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-13190-5_1CrossRefGoogle Scholar
  11. 11.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, 22–24 May 2005, pp. 84–93 (2005).  https://doi.org/10.1145/1060590.1060603
  12. 12.
    Regev, O.: The learning with errors problem (invited survey). In: Proceedings of the 25th Annual IEEE Conference on Computational Complexity, CCC 2010, Cambridge, Massachusetts, USA, 9–12 June 2010, pp. 191–204 (2010).  https://doi.org/10.1109/CCC.2010.26
  13. 13.
    Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996).  https://doi.org/10.1007/3-540-68697-5_9CrossRefGoogle Scholar
  14. 14.
    Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999).  https://doi.org/10.1007/3-540-48405-1_25CrossRefGoogle Scholar
  15. 15.
    Mulder, E.D., et al.: Electromagnetic analysis attack on an FPGA implementation of an elliptic curve cryptosystem. In: EUROCON 2005 - The International Conference on “Computer as a Tool”, vol. 2, pp. 1879–1882 (2005).  https://doi.org/10.1109/EURCON.2005.1630348
  16. 16.
    Primas, R., Pessl, P., Mangard, S.: Single-trace side-channel attacks on masked lattice-based encryption. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 513–533. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-66787-4_25CrossRefGoogle Scholar
  17. 17.
    Aysu, A., Tobah, Y., Tiwari, M., Gerstlauer, A., Orshansky, M.: Horizontal side-channel vulnerabilities of post-quantum key exchange protocols. In: 2018 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2018, Washington, DC, USA, 30 April–4 May 2018, pp. 81–88 (2018).  https://doi.org/10.1109/HST.2018.8383894
  18. 18.
    Bos, J.W., et al.: Frodo: take off the ring! practical, quantum-secure key exchange from LWE. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016, pp. 1006–1018 (2016).  https://doi.org/10.1145/2976749.2978425
  19. 19.
    Park, A., Han, D.: Chosen ciphertext simple power analysis on software 8-bit implementation of ring-LWE encryption. In: 2016 IEEE Asian Hardware-Oriented Security and Trust, AsianHOST 2016, Yilan, Taiwan, 19–20 December 2016, pp. 1–6 (2016).  https://doi.org/10.1109/AsianHOST.2016.7835555
  20. 20.
    Huang, W., Chen, J., Yang, B.: Correlation power analysis on NTRU prime and related countermeasures. IACR Cryptology ePrint Archive, p. 100 (2019). https://eprint.iacr.org/2019/100
  21. 21.
    Zheng, X., Wang, A., Wei, W.: First-order collision attack on protected NTRU cryptosystem. Microprocess. Microsyst. Embed. Hardw. Design 37(6–7), 601–609 (2013).  https://doi.org/10.1016/j.micpro.2013.04.008CrossRefGoogle Scholar
  22. 22.
    Reparaz, O., Roy, S.S., de Clercq, R., Vercauteren, F., Verbauwhede, I.: Masking ring-LWE. J. Cryptogr. Eng. 6(2), 139–153 (2016).  https://doi.org/10.1007/s13389-016-0126-5CrossRefzbMATHGoogle Scholar
  23. 23.
    Reparaz, O., de Clercq, R., Roy, S.S., Vercauteren, F., Verbauwhede, I.: Additively homomorphic ring-LWE masking. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 233–244. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-29360-8_15CrossRefGoogle Scholar
  24. 24.
    Oder, T., Schneider, T., Pöppelmann, T., Güneysu, T.: Practical CCA2-secure and masked ring-LWE implementation. IACR Trans. Cryptogr. Hardw. Embed. Syst., 142–174 (2018).  https://doi.org/10.13154/tches.v2018.i1.142-174
  25. 25.
    Fluhrer, S.R.: Cryptanalysis of ring-LWE based key exchange with key share reuse. IACR Cryptology ePrint Archive, p. 85 (2016). http://eprint.iacr.org/2016/085
  26. 26.
    Ding, J., Alsayigh, S., Saraswathy, R.V., Fluhrer, S.R., Lin, X.: Leakage of signal function with reused keys in RLWE key exchange. In: IEEE International Conference on Communications, ICC 2017, Paris, France, 21–25 May 2017, pp. 1–6 (2017).  https://doi.org/10.1109/ICC.2017.7996806
  27. 27.
    Bauer, A., Gilbert, H., Renault, G., Rossi, M.: Assessment of the key-reuse resilience of NewHope. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 272–292. Springer, Cham (2019).  https://doi.org/10.1007/978-3-030-12612-4_14CrossRefGoogle Scholar
  28. 28.
    Qin, Y., Cheng, C., Ding, J.: A complete and optimized key mismatch attack on NIST candidate NewHope. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019, Part II. LNCS, vol. 11736, pp. 504–520. Springer, Cham (2019).  https://doi.org/10.1007/978-3-030-29962-0_24CrossRefGoogle Scholar
  29. 29.
    Avanzi, R., et al.: CRYSTALS-Kyber algorithm specifications and supporting documentation. Version 2.0 (2019)Google Scholar
  30. 30.
    Fisher, R.A., Yates, F., et al.: Statistical tables for biological, agricultural and medical research (1963). http://hdl.handle.net/2440/10701
  31. 31.
    Khalid, A., Oder, T., Valencia, F., O’Neill, M., Güneysu, T., Regazzoni, F.: Physical protection of lattice-based cryptography: challenges and solutions. In: Proceedings of the 2018 on Great Lakes Symposium on VLSI, GLSVLSI 2018, Chicago, IL, USA, 23–25 May 2018, pp. 365–370 (2018).  https://doi.org/10.1145/3194554.3194616

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.IMES Institute for Microelectronics and Embedded SystemsHSR Hochschule für Technik RapperswilRapperswil-JonaSwitzerland
  2. 2.Securosys SAZürichSwitzerland

Personalised recommendations