
Timing Attacks on NTRUEncrypt Decryption based on number of hash calls

William Whyte, June 2006

Timing Attacks on NTRUEncrypt Decryption based on number of hash calls





  1. Timing Attacks on NTRUEncrypt Decryption based on number of hash calls William Whyte, June 2006

  2. Observation
  • On NTRUEncrypt decryption, calculate:
    • m’ = (f*e mod q) mod 2, q odd
    • r = G(m’ || H(e – m’)), G and H two hash functions
    • r*h, and perform the consistency check
  • r is:
    • entirely determined by e and m’
    • defined as d_r unique indices mod N
  • f*e, r*h, and H(e – m’) are essentially constant-time, but…
    • The length of time to run G depends on how long it takes to find d_r unique indices
    • In practice, G is instantiated using SHA
    • For N = 251, d_r = 48, it may take 3 or 4 SHA calls to generate 48 distinct indices mod 251
    • One SHA call is a *big* difference!
  • If we can guess m’, we can confirm the guess using decryption times

  3. Exploiting this
  • f*e produces m; f = 1 + 2F, F binary
  • Pick e to have two non-zero entries λ, with λ even and 3λ < q < 4λ
    • Why? So λ, 2λ, 3λ mod q mod 2 = 0, while 4λ mod q mod 2 = 1
  [diagram on the slide: e, f, q, m’, f*e]
  • If the number of 1s in m’ is in general small, it may be brute-forceable
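To check the reduction rule on slide 3 on actual polynomials, here is an added Python example (mine, not code from the talk or from any NTRU implementation): it builds f = 1 + 2F from a constructed binary F, forms a ciphertext with exactly two entries λ, computes m’ = (f*e mod q) mod 2 and compares it with what the rule "λ, 2λ, 3λ reduce to 0 and 4λ to 1" predicts, namely that m’_k = 1 exactly when f_{k–i} + f_{k–j} ≥ 4. N = 251 is from the slide; q = 197, λ = 50 and an F with 72 ones are assumptions chosen so that q is odd, λ is even and 3λ < q < 4λ.

```python
import random

# Toy parameters. N = 251 is from the slide; q = 197 and lambda = 50 are
# assumptions chosen so that q is odd, lambda is even and
# 3*lambda = 150 < q < 200 = 4*lambda, as slide 3 requires.
N = 251
Q = 197
LAM = 50

def conv_mod(a, b, n=N, q=Q):
    """Cyclic convolution a*b in Z_q[x]/(x^n - 1), coefficients reduced into [0, q)."""
    out = [0] * n
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            if bj:
                k = (i + j) % n
                out[k] = (out[k] + ai * bj) % q
    return out

def mprime(f, e, n=N, q=Q):
    """m' = (f*e mod q) mod 2, exactly as written on slide 2."""
    return [c % 2 for c in conv_mod(f, e, n, q)]

def reduction_table(lam=LAM, q=Q):
    """(s*lambda mod q) mod 2 for the small multiples s that can occur in f*e."""
    return {s: ((s * lam) % q) % 2 for s in range(6)}

def make_F(seed=1, ones=72, n=N):
    """Constructed binary F with the given number of 1s (72 is an assumption)."""
    F = [0] * n
    for pos in random.Random(seed).sample(range(n), ones):
        F[pos] = 1
    return F

def private_f(F):
    """f = 1 + 2F: constant term 1 + 2*F[0], every other coefficient 2*F[k]."""
    return [1 + 2 * F[0]] + [2 * x for x in F[1:]]

def two_entry_ciphertext(i, j, lam=LAM, n=N):
    """Ciphertext with exactly two non-zero entries, both equal to lambda (slide 3)."""
    e = [0] * n
    e[i] = lam
    e[j] = lam
    return e

def predicted_mprime(f, i, j, n=N):
    """Slide 3's rule applied coefficient-wise: coefficient k of f*e is
    lambda*(f[k-i] + f[k-j]); that sum is at most 3 + 2 = 5, and only sums
    >= 4 wrap past the odd q and come out odd after reduction."""
    return [1 if f[(k - i) % n] + f[(k - j) % n] >= 4 else 0 for k in range(n)]

if __name__ == "__main__":
    F = make_F()
    f = private_f(F)
    e = two_entry_ciphertext(3, 10)
    mp = mprime(f, e)
    print("reduction table:", reduction_table())
    print("m' matches rule:", mp == predicted_mprime(f, 3, 10))
    print("number of 1s in m':", sum(mp), "of", N)
```

The last line of output is the quantity slide 3 cares about: because f has coefficients in {0, 1, 2, 3} and the sum λ·(f_{k–i} + f_{k–j}) only crosses q when both shifted F coefficients are 1, the weight of m’ is roughly the shift-(j–i) autocorrelation of F, far below N.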

  4. Attack
  • Build a database of decryption times for all (e, m’) pairs where:
    • e has two non-zero entries
    • m’ has fewer than a threshold δ of 1s
  • Size of database = N(N–1)/2 (for e) × (N choose δ) (for m’)
  • Use the fact that e rotated one place ⇒ m’ rotated one place to confirm guesses for (e, m’) pairs
  • Each m’ identified will give away about 2·d_m’ of the 1s in F
  • Size of database: trade-off between precomputation work and brute-force work to recover the remaining 1s in F
  • Note: all ciphertexts will get rejected by the encryption scheme, but timing information still leaks

  5. Results and Countermeasures
  • In general, at a claimed k-bit security level, require a database slightly larger than 2^(k/2) to recover keys with effort less than 2^(k/2)
  • 80-bit parameters broken with 47.2 bits of precomputation
  • 128-bit parameters broken with 70.0 bits of precomputation
  • Unit of precomputation = 1 calculation of r from (e, m’)
  • NB: the attack hasn’t been implemented – theoretical results
  • Countermeasure: increase the default number of SHA calls
    • ~Doubling the number of SHA calls puts the chance of an additional call at 2^–k
    • Maintains compatibility with existing standards
    • Minor performance impact
    • Still requires generating fewer than N indices – more efficient than a naïve random shuffle
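As an added illustration of the leak on slide 2 and the countermeasure on slide 5 (my own Python, not code from the talk or from any NTRU implementation): a toy index generator G that keeps calling SHA-256 until d_r = 48 distinct indices mod 251 are found, whose call count varies from seed to seed, beside a version that always performs a fixed, roughly doubled number of hash calls. SHA-256 as the hash, the two-bytes-per-candidate extraction rule and 8 as the fixed call count are assumptions of the example; only N = 251 and d_r = 48 come from the slides.

```python
import hashlib
from collections import Counter

# Parameters from slide 2: N = 251, d_r = 48. SHA-256 and the extraction rule
# below (two bytes per candidate index) are assumptions of this example.
N = 251
D_R = 48

def _candidates(block: bytes, n: int):
    """Yield candidate indices mod n from hash output, two bytes per candidate.
    Values above the largest multiple of n below 2^16 are rejected so that the
    reduction mod n is unbiased (assumed extraction rule, not the standard's)."""
    limit = (1 << 16) - ((1 << 16) % n)
    for pos in range(0, len(block) - 1, 2):
        c = int.from_bytes(block[pos:pos + 2], "big")
        if c < limit:
            yield c % n

def gen_indices_variable(seed: bytes, n: int = N, d: int = D_R):
    """G as on slide 2: hash counter blocks until d distinct indices mod n are
    collected. Returns (indices, hash_calls). The call count depends on how many
    collisions this seed happens to produce, which is the timing leak."""
    indices, seen, calls, ctr = [], set(), 0, 0
    while len(indices) < d:
        block = hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        calls += 1
        ctr += 1
        for idx in _candidates(block, n):
            if idx not in seen:
                seen.add(idx)
                indices.append(idx)
                if len(indices) == d:
                    break
    return indices, calls

def gen_indices_fixed(seed: bytes, n: int = N, d: int = D_R, calls: int = 8):
    """Countermeasure from slide 5: always make the same, roughly doubled,
    number of hash calls up front and extract indices from the pooled output.
    Returns (indices, calls). If the pool runs out (negligible probability when
    calls is ~2x the typical need) it returns (None, calls) instead of hashing
    again, so the number of hash calls never depends on the seed."""
    pool = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                    for i in range(calls))
    indices, seen = [], set()
    for idx in _candidates(pool, n):
        if idx not in seen:
            seen.add(idx)
            indices.append(idx)
            if len(indices) == d:
                return indices, calls
    return None, calls

def call_histogram(trials: int = 200):
    """Distribution of hash-call counts of the variable version over constructed
    seeds: this spread is what an observer of decryption time gets to see."""
    return Counter(gen_indices_variable(b"seed-%d" % t)[1] for t in range(trials))

if __name__ == "__main__":
    print("variable-call G:", dict(call_histogram()))
    print("fixed-call G   :", gen_indices_fixed(b"seed-0")[1], "calls, always")
```

Note that the fixed version only equalises the number of hash calls, which is the effect the slide targets; the index de-duplication loop still does data-dependent work, so a full constant-time G would also need that loop written without early exits and secret-dependent branches.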
