Abstract
This report studies timing attacks on NTRUEncrypt based on variation in the number of hash calls made on decryption. The attacks apply to the parameter sets of [8,6]. To mount the attacker, an attacker performs a variable amount of precomputation, then submits a relatively small number of specially constructed ciphertexts for decryption and measures the decryption times. Comparison of the decryption times with the precomputed data allows the attacker to recover the key in greatly reduced time compared to standard attacks on NTRUEncrypt. The precomputed data can be used for all keys generated with a specific parameter set and tradeoffs exist that increase the amount of precomputation in order to decrease the time required to recover an individual key. For parameter sets in [3] that claim k-bit security but are vulnerable to this attack, we find that an attacker can typically recover a single key with about k/2 bits of effort.
Finally, we describe a simple means to prevent these attacks by ensuring that all operations take a constant number of SHA calls. The recommended countermeasure does not break interoperability with the parameter sets of [8,6] and has only a slight effect on performance.
This is a preview of subscription content, log in via an institution to check access.
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Brumley, D., Boneh, D.: Remote timing attacks are practical. Journal of Computer Networks (2005)
Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: A new high speed public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)
Hoffstein, J., Silverman, J.H.: Optimizations for NTRU. In: Public Key Cryptography and Computational Number Theory, September 11–15, 2000, pp. 77–88. Walter de Gruyter, Berlin (2001)
Howgrave-Graham, N.A., Silverman, J.H., Whyte, W.: A Meet-in-the-Middle Attack on an NTRU Private key. Technical report, NTRU Cryptosystems, Report #004, version 2 (June 2003), http://www.ntru.com
Howgrave-Graham, N., Silverman, J.H., Singer, A., Whyte, W.: NAEP: Provable Security in the Presence of Decryption Failures. IACR ePrint Archive, Report 2003-172, http://eprint.iacr.org/2003/172/
Howgrave-Graham, N., Silverman, J.H., Whyte, W.: Choosing Parameter Sets for NTRUEncrypt with NAEP and SVES-3. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 118–135. Springer, Heidelberg (2005), www.ntru.com/cryptolab/articles.htm#2005_1
Consortium for Efficient Embedded Security. Efficient Embedded Security Standard (EESS) #1 version 2 (2003)
Consortium for Efficient Embedded Security. Efficient Embedded Security Standard (EESS) #1 version 3 (2005)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Silverman, J.H., Whyte, W. (2006). Timing Attacks on NTRUEncrypt Via Variation in the Number of Hash Calls. In: Abe, M. (eds) Topics in Cryptology – CT-RSA 2007. CT-RSA 2007. Lecture Notes in Computer Science, vol 4377. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11967668_14
Download citation
DOI: https://doi.org/10.1007/11967668_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-69327-7
Online ISBN: 978-3-540-69328-4
eBook Packages: Computer ScienceComputer Science (R0)