
Assessment of the Key-Reuse Resilience of NewHope

Conference paper, Topics in Cryptology – CT-RSA 2019 (CT-RSA 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11405)

Abstract

NewHope is a suite of two efficient Ring-Learning-With-Errors based key encapsulation mechanisms (KEMs) that has been proposed to the NIST call for proposals for post-quantum standardization. In this paper, we study the security of NewHope when an active adversary takes part in a key establishment protocol and is given access to an oracle, called a key mismatch oracle, which indicates whether her guess of the shared key value derived by the party targeted by the attack is correct or not. This attack model turns out to be relevant in private key reuse situations, since an attacker may then be able to access such an oracle repeatedly – either directly or using faults or side channels, depending on the considered instance of NewHope. Following this model we show that, using the NewHope recommended parameters, several thousand queries are sufficient to recover the full private key with high probability. This result has been experimentally confirmed using a Magma CAS implementation. While the presented key mismatch oracle attacks do not break any of the designers’ security claims for the NewHope KEMs, they provide better insight into the resilience of these KEMs against key reuse. In the case of the CPA-KEM instance of NewHope, they confirm that key reuse (e.g. key caching at server side) should be strictly avoided, even for an extremely short duration. In the case of the CCA-KEM instance of NewHope, they allow us to point out critical steps inside the CCA transform that should be carefully protected against faults or side channels in case of potential key reuse.

This research has been partially funded by ANRT under the program CIFRE 2016/1583. We acknowledge the support of the French Programme d’Investissement d’Avenir under national project RISQ P141580. This work is also partially supported by the European Union PROMETHEUS project (Horizon 2020 Research and Innovation Program, grant 780701).


Notes

  1. The single potential exception to this requirement is the publicseed part of the public key, whose caching “for say a few hours” seems to be considered by the designers as a viable alternative in situations where the preferred solution of a systematic renewal would turn out to be prohibitively expensive.

  2. On the other hand, this requirement is not fully in line with the former observation, in the NewHope-Usenix paper, that “One could enable key caching with a transformation from the CPA-secure key establishment to a CCA-secure key establishment [...]”. Given the performance advantage that may be provided by key caching at server side in certain applications, one can wonder whether it will be strictly followed in practice in all deployments of CCA-KEM if strong cryptanalytic arguments in favour of this conservative choice are not developed during the evaluation of the candidates to the NIST call.

  3. A similar need to investigate the resilience of candidate algorithms in misuse situations was encountered in the framework of the CAESAR competition aimed at selecting authenticated encryption primitives. In that competition, much analysis was conducted on the resistance of candidates to key recovery attacks in misuse cases such as nonce misuse or decryption misuse, and this provided quite useful information for the algorithm selection process.

  4. It is worth noticing that the same direct access to a key mismatch oracle remains feasible if the KEM exchange is embedded in an authenticated key establishment protocol, under the sole condition that the adversary is the owner of a valid authentication (or signature) key.

  5. While key reuse is against the designers’ requirements of the NIST submission NewHope, as expressed in the footnote in the design rationale on p. 16, this requirement does not seem to be formally reflected in the algorithm description of Sect. 1.2. This section indeed defines separate algorithms for key pair generation and (en/de)capsulation, but does not state that a pair shall be used only once. Thus, though running NewHope with key reuse represents a misuse situation, analyzing the security of this scheme in this situation is definitely a much more relevant question than considering variations in the formal specification of NewHope and investigating the resulting weaknesses.

  6. The Magma code can be found at https://www.di.ens.fr/~mrossi/.

References

  1. Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, 10–12 August 2016, pp. 327–343. USENIX Association (2016)

  2. Bauer, A., Gilbert, H., Renault, G., Rossi, M.: Assessment of the Key-Reuse Resilience of NewHope (2019, to appear)

  3. Bernstein, D.J., Groot Bruinderink, L., Lange, T., Panny, L.: HILA5 pindakaas: on the CCA security of lattice-based encryption with error correction. In: Joux, A., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2018. LNCS, vol. 10831, pp. 203–216. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89339-6_12

  4. Bleichenbacher, D.: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 1–12. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055716

  5. Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system I. The user language. J. Symbolic Comput. 24(3–4), 235–265 (1997). Computational algebra and number theory (London, 1993)

  6. Braithwaite, M.: Experimenting with Post-quantum Cryptography. Posting on the Google Security Blog (2016)

  7. Ding, J.: A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem. Cryptology ePrint Archive, Report 2012/688 (2012). https://eprint.iacr.org/2012/688

  8. Ding, J., Alsayigh, S., Saraswathy, R.V., Fluhrer, S.R., Lin, X.: Leakage of signal function with reused keys in RLWE key exchange. In: IEEE International Conference on Communications, ICC 2017, pp. 1–6. IEEE (2017)

  9. Ding, J., Fluhrer, S., Saraswathy, R.V.: Complete attack on RLWE key exchange with reused keys, without signal leakage. In: Susilo, W., Yang, G. (eds.) ACISP 2018. LNCS, vol. 10946, pp. 467–486. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93638-3_27

  10. Fluhrer, S.: Cryptanalysis of Ring-LWE based Key Exchange with Key Share Reuse. Cryptology ePrint Archive, Report 2016/085 (2016). https://eprint.iacr.org/2016/085

  11. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34

  12. Guo, Q., Johansson, T., Stankovski, P.: A key recovery attack on MDPC with CCA security using decoding errors. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 789–815. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_29

  13. Hall, C., Goldberg, I., Schneier, B.: Reaction attacks against several public-key cryptosystems. In: Varadharajan, V., Mu, Y. (eds.) ICICS 1999. LNCS, vol. 1726, pp. 2–12. Springer, Heidelberg (1999). https://doi.org/10.1007/978-3-540-47942-0_2

  14. Hoffstein, J., Silverman, J.H.: Protecting NTRU against chosen ciphertext and reaction attacks. Technical report 16, NTRU Cryptosystems Technical report (2000)

  15. Hoffstein, J., Silverman, J.H.: Reaction attacks against the NTRU public key cryptosystem. Technical report 15, NTRU Cryptosystems Technical report (1999)

  16. Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12

  17. Howgrave-Graham, N., et al.: The impact of decryption failures on the security of NTRU encryption. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 226–246. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_14

  18. Joye, M., Tunstall, M. (eds.): Fault Analysis in Cryptography. Information Security and Cryptography. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29656-7

  19. Kirkwood, D., Lackey, B., McVey, J., Motley, M., Solinas, J., Tuller, D.: Failure is not an option: standardization issues for post-quantum key agreement. In: NIST Workshop on Cybersecurity in a Post Quantum World (2015)

  20. Menezes, A., Ustaoglu, B.: On reusing ephemeral keys in Diffie-Hellman key agreement protocols. IJACT 2(2), 154–158 (2010)

  21. Oder, T., Schneider, T., Pöppelmann, T., Güneysu, T.: Practical CCA2-secure and masked ring-LWE implementation. IACR Transactions on CHES (2016). https://eprint.iacr.org/2016/1109

  22. Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11659-4_12

  23. Pöppelmann, T., et al.: NewHope. Submission to Round 1 of NIST Post Quantum Cryptography Competition (2017)

  24. Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_23

  25. Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: NewHope without Reconciliation. Cryptology ePrint Archive, Report 2016/1157 (2016). https://eprint.iacr.org/2016/1157

Author information

Corresponding author: Guénaël Renault.


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Bauer, A., Gilbert, H., Renault, G., Rossi, M. (2019). Assessment of the Key-Reuse Resilience of NewHope. In: Matsui, M. (ed.) Topics in Cryptology – CT-RSA 2019. CT-RSA 2019. Lecture Notes in Computer Science, vol 11405. Springer, Cham. https://doi.org/10.1007/978-3-030-12612-4_14

  • DOI: https://doi.org/10.1007/978-3-030-12612-4_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-12611-7

  • Online ISBN: 978-3-030-12612-4

  • eBook Packages: Computer Science (R0)