Abstract
Harvey butterflies and their variants are core primitives in many optimized number-theoretic transform (NTT) implementations, such as those used by the HElib and SEAL homomorphic encryption libraries. However, these butterflies are not constant-time algorithms and may leak secret data when incorrectly implemented. Luckily for SEAL and HElib, the compilers optimize the code to run in constant time.
We claim that relying on the compiler is risky and demonstrate how a simple code modification, naïve compiler misuse, or even a malicious attacker that injects just a single compiler flag can cause leakage. This leakage can reduce the hardness of the ring learning with errors (R-LWE) instances used by these libraries, for example, from \(2^{128}\) to \(2^{104}\).
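The following is an added illustration, not code from the paper or from SEAL/HElib: a lazy-reduction Harvey butterfly (Shoup precomputation, inputs in [0, 4p)) whose conditional subtraction is written once as the data-dependent branch the abstract refers to and once in a branch-free masked form, with a checker that confirms both give the same result. It assumes a modulus p < 2^62 and a compiler with `unsigned __int128`; the `branch_free` flag is a public parameter, not secret data.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumption: p < 2^62, so lazy values in [0, 4p) fit in 64 bits and 2p <= 2^63. */

/* Shoup precomputation: w_shoup = floor(w * 2^64 / p). */
static uint64_t shoup_precompute(uint64_t w, uint64_t p) {
    return (uint64_t)(((unsigned __int128)w << 64) / p);
}

/* Data-dependent branch: the compiler usually emits cmov, but no flag or
   standard guarantees it, so timing may depend on the secret value x. */
static uint64_t csub_2p_branchy(uint64_t x, uint64_t p) {
    if (x >= 2 * p) x -= 2 * p;
    return x;
}

/* Branch-free form: the borrow of x - 2p lands in bit 63 and becomes a mask,
   so there is no comparison for the compiler to turn into a jump. */
static uint64_t csub_2p_ct(uint64_t x, uint64_t p) {
    uint64_t d = x - 2 * p;                   /* wraps exactly when x < 2p */
    uint64_t mask = (uint64_t)0 - (d >> 63);  /* all ones iff it wrapped */
    return d + ((2 * p) & mask);              /* restore x when x < 2p */
}

/* Harvey forward butterfly with lazy reduction: x, y in [0, 4p), w in [0, p).
   Computes x' = x + w*y and y' = x - w*y (mod p), both left in [0, 4p). */
static void harvey_butterfly(uint64_t *x, uint64_t *y, uint64_t w, uint64_t w_shoup,
                             uint64_t p, bool branch_free) {
    uint64_t xv = branch_free ? csub_2p_ct(*x, p) : csub_2p_branchy(*x, p);
    uint64_t q = (uint64_t)(((unsigned __int128)w_shoup * *y) >> 64);
    uint64_t t = w * *y - q * p;              /* mod 2^64; result lies in [0, 2p) */
    *x = xv + t;
    *y = xv + 2 * p - t;
}

/* Checks both variants against schoolbook modular arithmetic. */
static bool butterfly_matches_reference(uint64_t x, uint64_t y, uint64_t w, uint64_t p) {
    unsigned __int128 wy = (unsigned __int128)w * y;
    uint64_t ref_x = (uint64_t)(((unsigned __int128)x + wy) % p);
    uint64_t ref_y = (x % p + p - (uint64_t)(wy % p)) % p;
    uint64_t ws = shoup_precompute(w, p);
    uint64_t xb = x, yb = y, xc = x, yc = y;
    harvey_butterfly(&xb, &yb, w, ws, p, false);
    harvey_butterfly(&xc, &yc, w, ws, p, true);
    return xb < 4 * p && yb < 4 * p && xb % p == ref_x && yb % p == ref_y
        && xc == xb && yc == yb;
}
```

Compiling `csub_2p_branchy` with and without optimization and inspecting the generated assembly shows whether a given flag set yields a `cmov` or a conditional jump, which is the kind of check the abstract's argument calls for.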
© 2022 Springer Nature Switzerland AG
Cite this paper
Drucker, N., Pelleg, T. (2022). Timing Leakage Analysis of Non-constant-time NTT Implementations with Harvey Butterflies. In: Dolev, S., Katz, J., Meisels, A. (eds) Cyber Security, Cryptology, and Machine Learning. CSCML 2022. Lecture Notes in Computer Science, vol 13301. Springer, Cham. https://doi.org/10.1007/978-3-031-07689-3_8
DOI: https://doi.org/10.1007/978-3-031-07689-3_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-07688-6
Online ISBN: 978-3-031-07689-3