Skip to main content

Timing Leakage Analysis of Non-constant-time NTT Implementations with Harvey Butterflies

  • 172 Accesses

Part of the Lecture Notes in Computer Science book series (LNCS,volume 13301)


Harvey butterflies and their variants are core primitives in many optimized number-theoretic transform (NTT) implementations, such as those used by the HElib and SEAL homomorphic encryption libraries. However, these butterflies are not constant-time algorithms and may leak secret data when incorrectly implemented. Luckily for SEAL and HElib, the compilers optimize the code to run in constant-time.

We claim that relying on the compiler is risky and demonstrate how a simple code modification, naïve compiler misuse, or even a malicious attacker that injects just a single compiler flag can cause leakage. This leakage can reduce the hardness of the ring learning with errors (R-LWE) instances used by these libraries, for example, from \(2^{128}\) to \(2^{104}\).


  • NTT
  • Harvey’s butterflies
  • Constant-time code
  • Compiler optimizations
  • Ring-LWE
  • Side-channel attacks

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-031-07689-3_8
  • Chapter length: 19 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   79.99
Price excludes VAT (USA)
  • ISBN: 978-3-031-07689-3
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   99.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.


  1. Albrecht, M., et al.: Homomorphic encryption security standard. Technical report,, Toronto, Canada, November 2018.

  2. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015).

    MathSciNet  CrossRef  MATH  Google Scholar 

  3. Boemer, F., Kim, S., Seifu, G., de Souza, F.D., Gopal, V.: Intel HEXL: accelerating homomorphic encryption with Intel AVX512-IFMA52. Technical report (2021).

  4. Bradbury, J., Drucker, N., Hillenbrand, M.: NTT software optimization using an extended Harvey butterfly. Technical report (2021).

  5. GCC bugs: [Bug c++/98801] New: Request for a conditional move built-in function (2021).

  6. Cheon, J.H., Han, K., Kim, A., Kim, M., Song, Y.: A full RNS variant of approximate homomorphic encryption. In: Cid, C., Jacobson Jr., M.J. (eds.) Selected Areas in Cryptography - SAC 2018, pp. 347–368. Springer, Cham (2019).

  7. Cheon, J.H., Kim, A., Kim, M., Song, Y.: Homomorphic encryption for arithmetic of approximate numbers. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 409–437. Springer, Cham (2017).

    CrossRef  Google Scholar 

  8. Cooley, J.W., Tukey, J.W.: An algorithm for the machine calculation of Complex Fourier Series. Math. Comput. 19(90), 297–301 (1965).

    MathSciNet  CrossRef  MATH  Google Scholar 

  9. Daan, S.: LLVM provides no side-channel resistance (2019).

  10. Dai, W., Sunar, B.: cuHE: a homomorphic encryption accelerator library. In: Pasalic, E., Knudsen, L.R. (eds.) BalkanCryptSec 2015. LNCS, vol. 9540, pp. 169–186. Springer, Cham (2016).

    CrossRef  Google Scholar 

  11. Ducas, L., et al.: CRYSTALS-Dilithium Algorithm Specifications and Supporting Documentation (2017).

  12. Espitau, T., Fouque, P.A., Gérard, B., Tibouchi, M.: Side-channel attacks on BLISS lattice-based signatures: exploiting branch tracing against StrongSwan and electromagnetic emanations in microcontrollers. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1857–1874, CCS 2017. Association for Computing Machinery, New York, NY, USA (2017).

  13. Gentleman, W.M., Sande, G.: Fast Fourier transforms-For fun and profit. In: AFIPS Conference Proceedings - 1966 Fall Joint Computer Conference, AFIPS 1966, pp. 563–578 (1966).

  14. Guo, Q., Johansson, T., Nilsson, A.: A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 359–386. Springer, Cham (2020).

    CrossRef  Google Scholar 

  15. Halevi, S., Shoup, V.: Algorithms in HElib. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 554–571. Springer, Heidelberg (2014).

    CrossRef  MATH  Google Scholar 

  16. Harvey, D.: Faster arithmetic for number-theoretic transforms. J. Symbolic Comput. 60, 113–119 (2014).

    MathSciNet  CrossRef  MATH  Google Scholar 

  17. Jung, W., et al.: HEAAN demystified: accelerating fully homomorphic encryption through architecture-centric analysis and optimization (2020)

    Google Scholar 

  18. Laine, K.: Simple encrypted arithmetic library 2.3.1. Technical report, Microsoft, WA, USA (2017).

  19. Longa, P., Naehrig, M.: Speeding up the number theoretic transform for faster ideal lattice-based cryptography. In: Foresti, S., Persiano, G. (eds.) CANS 2016. LNCS, vol. 10052, pp. 124–139. Springer, Cham (2016).

    CrossRef  Google Scholar 

  20. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. J. ACM 60(6), 1–35 (2013).

    MathSciNet  CrossRef  MATH  Google Scholar 

  21. Lyubashevsky, V., Seiler, G.: NTTRU: truly fast NTRU using NTT 2019. IACR Trans. Cryptographic Hardware Embed. Syst. 2019, 180–201 (2019).

  22. Primas, R., Pessl, P., Mangard, S.: Single-trace side-channel attacks on masked lattice-based encryption. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 513–533. Springer, Cham (2017).

    CrossRef  Google Scholar 

  23. Sadegh Riazi, M., Laine, K., Pelton, B., Dai, W.: HEAX: an architecture for computing on encrypted data. In: International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS, pp. 1295–1309 (2020).

  24. Schwabe, P., et al.: CRYSTALS-KYBER (2020).

  25. Van Bulck, J., Piessens, F., Strackx, R.: SGX-Step: a practical attack framework for precise enclave execution control. In: 2nd Workshop on System Software for Trusted Execution (SysTEX), pp. 4:1–4:6. ACM, October 2017.

  26. Victor, S.: NTL - a library for doing numbery theory - version 11.5.1, commit 91acd5b3a7df709c0d8bf88a99a24bc340dc34f7 (2021).

  27. Yuriy, P., Kurt, R., Gerard, R.W., Dave, C.: PALISADE Lattice Cryptography Library, commmit d76213499af44558170cca6c72c5314755fec23c (2021).

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Nir Drucker .

Editor information

Editors and Affiliations


A NTT Algorithms

Algorithms 3 and 4 are the forward and inverse NTT algorithms from [19], respectively.

figure am
figure an

B Generating the Primes

For reproduction purposes, we provide the SageMath script we used to generate the primes in Sect. 4.

figure ao

Rights and permissions

Reprints and Permissions

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Drucker, N., Pelleg, T. (2022). Timing Leakage Analysis of Non-constant-time NTT Implementations with Harvey Butterflies. In: Dolev, S., Katz, J., Meisels, A. (eds) Cyber Security, Cryptology, and Machine Learning. CSCML 2022. Lecture Notes in Computer Science, vol 13301. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-07688-6

  • Online ISBN: 978-3-031-07689-3

  • eBook Packages: Computer ScienceComputer Science (R0)