
A One-Time Single-bit Fault Leaks All Previous NTRU-HRSS Session Keys to a Chosen-Ciphertext Attack

  • Conference paper
Progress in Cryptology – INDOCRYPT 2022 (INDOCRYPT 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13774)


Abstract

This paper presents an efficient attack that, in the standard IND-CCA2 attack model plus a one-time single-bit fault, recovers the NTRU-HRSS session key. This type of fault is expected to occur for many users through natural DRAM bit flips. In a multi-target IND-CCA2 attack model plus a one-time single-bit fault, the attack recovers every NTRU-HRSS session key that was encapsulated to the targeted public key before the fault. Software carrying out the full multi-target attack, using a simulated fault, is provided for verification. This paper also explains how a change in NTRU-HRSS in 2019 enabled this attack.

This work was funded by the Intel Crypto Frontiers Research Center; by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) as part of the Excellence Strategy of the German Federal and State Governments—EXC 2092 CASA—390781972 “Cyber Security in the Age of Large-Scale Adversaries”; by the U.S. National Science Foundation under grant 1913167; by Taiwan’s Executive Yuan Data Safety and Talent Cultivation Project (AS-KPQ-109-DSTCP); and by the Cisco University Research Program. “Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation” (or other funding agencies). Permanent ID of this document: 662cf4ad8f5bff33ae4d71d56051a656d8a62e48. Date: 2022.10.24.


Notes

  1. See, e.g., [77]: “We conclude that the CNS attack is a concern for the ISO 9796-2 signature scheme with partial message recovery in environments where the attacker is capable of obtaining the signatures of a significant number (e.g., one million) of chosen messages. In environments where the attacker is not capable of obtaining these signatures, the CNS attack is not a concern.”

  2. Exception: In the context of protocols that use the cryptosystem key just once, such as the SIGMA approach to secure sessions, the literature often encourages targeting merely IND-CPA. See [60] for a recent example. On the other hand, it is a mistake from a systems-security perspective to give users (1) a cryptosystem designed for IND-CCA2 and (2) a non-IND-CCA2 cryptosystem designed merely for IND-CPA. As [71] put it: “CPA vs CCA security is a subtle and dangerous distinction, and if we’re going to invest in a post-quantum primitive, better it not be fragile.”

  3. Occasionally exceptions are made for security notions proven to be unachievable.

  4. A standard could insist that implementors take a majority vote of three independent implementations, but experience shows that there are correlations among errors from different implementors. Furthermore, a coding error could replace the majority vote with taking just the result of the first implementation, or an implementor could “misuse” the scheme by taking just one implementation; either way, a coding error in that implementation could cause disaster even if other implementations are perfect.

  5. In its latest report [2], NIST criticized Classic McEliece for a “misuse scenario” where “reusing the same error vector when encapsulating for multiple public keys” would damage security—even though (1) there have been no examples of this scenario occurring for Classic McEliece, (2) the official Classic McEliece software has always used RNGs correctly, and (3) no encapsulation mechanism is safe against external RNG failures. Meanwhile none of NIST’s reports criticized Dilithium for the “misuse scenario” of reusing randomness inside a single signature—even though (1) this scenario occurred in the official Dilithium software, (2) this destroyed the security of that software, and (3) the problem was in that software, not in an external RNG.

  6. This 12.5% overhead is not the best that can be done. The overhead of a distance-4 error-correcting code, such as an extended Hamming code, drops as the dimension increases. DRAM today is normally accessed in 512-bit blocks (“lines”), larger than the 64-bit blocks conventionally used for SECDED. A 512-bit line encoded as 528 bits can be stored as 16 bits on each chip in a 33-chip module, which in principle should cost just 3.125% more than a 32-chip module; and 523 bits are enough to encode 512 bits with SECDED, as noted in, e.g., [104].

  7. Presumably this is an underestimate of the error rate: one would not expect average user devices to be as reliable as Google’s air-conditioned, systematically monitored, frequently replaced servers.

  8. As a different example of using just one fault, consider the IND-CCA2 game for KEMs. The attacker is free to send a ciphertext with one bit flipped, and to inspect the resulting session key; now simply hypothesize that a fault flips the bit back at the beginning of decapsulation. One reason that this is a less satisfactory example than [27] is that it requires a specific fault to occur during a narrow window of time, while a fault in a stored secret key at any moment—something more likely to occur naturally—opens up the attack of [27].

  9. Perhaps the signing function could have been changed to reduce the chance of problems—see Sect. 1.1—but this is a separate issue.

  10. Beware that there are several slightly different definitions of IND-CCA2 security for PKEs. See generally [7].

  11. See generally [14, Section 8]. Even better, the usual decoding algorithm inside mceliece is shown in [14, Section 7] to be rigid even without reencryption. However, [14, Section 8.4] recommends reencryption for robustness.

  12. Given recent misinformation regarding rounding, it seems necessary to emphasize that the cryptanalytic question here is whether rounding is stronger than adding random errors: this attack avenue obviously works against random errors, whereas analysis is required of the extent to which the attack avenue is blocked by rounding. See also [90], which finds that rounding complicates side-channel-assisted chosen-ciphertext attacks.

  13. Presumably an all-or-nothing transform is overkill here, since most of the structure in the plaintext (bd) is not easy to see in ciphertexts \(bG+d\). It would be interesting to identify the relevant security properties of plaintext sets, and to optimize construction algorithms and recognition algorithms for secure sets.

  14. See, e.g., [2, page 18]: “If the agreements are not executed by the end of 2022, NIST may consider selecting NTRU instead of Kyber.” There are also various relevant patents that do not seem to be considered in [2], such as CN107566121A.

  15. Officially, NTRU-HRSS has three software releases and a development repository. Software release 1, via PQClean, was eliminated by PQClean in July 2022 [67] since NTRU is “no longer under consideration by NIST”, even though, as noted above, [2] says “NIST may consider selecting NTRU instead of Kyber”. Software release 2, via BoringSSL, is of the ntruhrss variant used in the CECPQ2 post-quantum deployment experiments in Google Chrome; this is “not compatible” with the NTRU-HRSS specification, although the reported reason for this—a different choice of hash function—should not matter for this paper. Software release 3, via the SUPERCOP [18] benchmarking framework, is what attackntrw uses.

  16. Faults could also flip other bits of the secret key, or—in a broader model—bits of code, intermediate bits in computations, etc. This paper is analyzing the impact of faults in r; again, this should not be interpreted as making security claims regarding arbitrary fault attacks.

  17. Exception: The multi-target IND-CCA2 attack model will also prevent successful decryption if a modified ciphertext happens to collide with another legitimate ciphertext. However, such collisions are so rare that they can safely be ignored.

  18. For comparison, the specified mceliece secret-key format already includes a 256-bit seed that can be double-checked against the rest of the secret key. This seed was specified to allow compression, but implementors can reuse it for double-checks of whether various faults have occurred.
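Note 6 above gives the SECDED overhead figures (12.5% for 64-bit blocks, 523 bits for a 512-bit line) without showing where they come from. The following Python is an added example, written for this page and not taken from the paper, from libsecded [15], or from any DRAM controller: it is a generic extended Hamming (distance-4) encoder and decoder for any data width. It reproduces both overhead figures from the formula 2^r ≥ k + r + 1 (plus one overall parity bit), and it shows the defender-relevant behaviour the note relies on: a single flipped bit in a stored line is repaired, while two flipped bits are reported as uncorrectable rather than silently miscorrected. The sample 512-bit line and the flip positions are constructed here purely for illustration.

```python
# Added example (not the paper's or libsecded's code): extended Hamming
# SECDED for arbitrary data widths, used to check the overhead figures in
# note 6 and to show "correct one flip, detect two" on a 512-bit DRAM line.
from typing import Dict, List, Optional, Tuple

Bits = List[int]


def hamming_check_bits(k: int) -> int:
    """Smallest r with 2**r >= k + r + 1: enough syndrome values to name every
    one of the k + r positions plus the 'no error' case."""
    r = 0
    while (1 << r) < k + r + 1:
        r += 1
    return r


def secded_length(k: int) -> int:
    """Codeword length for k data bits: k + r Hamming check bits + 1 overall parity bit."""
    return k + hamming_check_bits(k) + 1


def overhead_report(k: int) -> Dict[str, float]:
    """Storage overhead of SECDED on a k-bit block, as a percentage of k."""
    n = secded_length(k)
    return {"data_bits": k, "code_bits": n, "overhead_percent": 100.0 * (n - k) / k}


def encode(data: Bits) -> Bits:
    """Systematic extended Hamming encoding.

    Positions 1..n hold the Hamming code (check bits at powers of two, data bits
    everywhere else); a single overall parity bit is appended as the last bit."""
    k = len(data)
    r = hamming_check_bits(k)
    n = k + r
    code = [0] * (n + 1)            # index 0 unused: positions are 1-based
    src = iter(data)
    for pos in range(1, n + 1):
        if pos & (pos - 1):         # not a power of two: a data position
            code[pos] = next(src)
    for i in range(r):
        p = 1 << i
        # check bit p covers every position whose binary form has bit i set
        parity = 0
        for pos in range(1, n + 1):
            if pos & p:
                parity ^= code[pos]
        code[p] = parity
    word = code[1:]
    word.append(sum(word) & 1)      # overall parity: total number of ones is even
    return word


def decode(word: Bits) -> Tuple[Optional[Bits], str]:
    """Return (data, status): 'ok', 'corrected' (one flip repaired) or
    'uncorrectable' (two flips detected, data is None)."""
    n = len(word) - 1
    code = [0] + list(word[:n])
    syndrome = 0                    # XOR of the positions of all set bits
    for pos in range(1, n + 1):
        if code[pos]:
            syndrome ^= pos         # a valid codeword XORs to 0; one flip at e gives e
    overall = sum(word) & 1         # 1 means an odd number of flips in total
    if syndrome == 0 and overall == 0:
        status = "ok"
    elif overall == 1:
        # odd flip count: assume exactly one; syndrome names its position, and
        # syndrome 0 means the flipped bit was the overall parity bit itself
        if syndrome > n:
            return None, "uncorrectable"
        if syndrome:
            code[syndrome] ^= 1
        status = "corrected"
    else:
        # non-zero syndrome with even parity: two flips, location unknown
        return None, "uncorrectable"
    data = [code[pos] for pos in range(1, n + 1) if pos & (pos - 1)]
    return data, status


def demo(k: int = 512) -> Dict[str, object]:
    """Encode a constructed k-bit line, then inject one and two bit flips."""
    data = [(i * 7 + 3) % 5 & 1 for i in range(k)]   # constructed sample line
    word = encode(data)
    one = list(word)
    one[100] ^= 1                   # single upset, e.g. a natural DRAM flip
    two = list(word)
    two[5] ^= 1
    two[300] ^= 1                   # double upset in the same line
    d1, s1 = decode(one)
    _, s2 = decode(two)
    return {"length": len(word), "single": s1, "single_ok": d1 == data, "double": s2}


if __name__ == "__main__":
    print(overhead_report(64), overhead_report(512))
    print(demo())
```

Running it reports 72 code bits for 64 data bits (the conventional 12.5%) and 523 for 512 (about 2.15%); the 528-bit layout in note 6 simply rounds the 11 check bits up to a whole 16-bit chip. The `decode` status is the value a controller would act on: `corrected` means the stored line was repaired before use, `uncorrectable` means the line must be treated as lost rather than handed to the decapsulation code.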

References

  1. — (no editor), IEEE international conference on communications, ICC 2017, IEEE, 2017. See [38]

  2. Gorjan Alagic, Daniel Apon, David Cooper, Quynh Dang, Thinh Dang, John Kelsey, Jacob Lichtinger, Carl Miller, Dustin Moody, Rene Peralta, Ray Perlner, Angela Robinson, Daniel Smith-Tone, Yi-Kai Liu, Status report on the third round of the NIST Post-Quantum Cryptography Standardization Process (2022). NISTIR 8413. Cited in §1.1, §3.14, §3.14, §4.2

  3. Roberto Avanzi, Joppe Bos, Léo Ducas, Eike Kiltz, Tancrede Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, Gregor Seiler, Damien Stehlé, CRYSTALS-Kyber: Algorithm specifications and supporting documentation (2020). Cited in §3.14

  4. Ciprian Baetu, F. Betül Durak, Loïs Huguenin-Dumittan, Abdullah Talayhan, Serge Vaudenay, Misuse attacks on post-quantum cryptosystems, in Eurocrypt 2019 [61] (2019), 747–776. Cited in §3.7

  5. Mihir Bellare (editor), Advances in cryptology—CRYPTO 2000, LNCS, 1880, Springer, 2000. See [62]

  6. Mihir Bellare, Hannah Davis, Felix Günther, Separate your domains: NIST PQC KEMs, oracle cloning and read-only indifferentiability, in Eurocrypt 2020 [32] (2020), 3–32. Cited in §3.10

  7. Mihir Bellare, Dennis Hofheinz, Eike Kiltz, Subtleties in the definition of IND-CCA: when and how should challenge decryption be disallowed?, Journal of Cryptology 28 (2015), 29–48. Cited in §3.4

  8. Daniel J. Bernstein, Re: Current consensus on ECC (2001). Cited in §1.1

  9. Daniel J. Bernstein, Curve25519: new Diffie-Hellman speed records, in PKC 2006 [103] (2006), 207–228. Cited in §1.1

  10. Daniel J. Bernstein, A subfield-logarithm attack against ideal lattices (2014). Cited in §3.3

  11. Daniel J. Bernstein, How to design an elliptic-curve signature system (2014). Cited in §2.4

  12. Daniel J. Bernstein, Comparing proofs of security for lattice-based encryption (2019). Second PQC Standardization Conference. Cited in §3.2

  13. Daniel J. Bernstein, On the looseness of FO derandomization (2021). Cited in §3.14

  14. Daniel J. Bernstein, Understanding binary-Goppa decoding (2022). Cited in §3.8, §3.8, §3.8

  15. Daniel J. Bernstein, libsecded (software package) (2022). Cited in §4.6

  16. Daniel J. Bernstein, attackntrw (software package) (2022). Cited in §4

  17. Daniel J. Bernstein, Leon Groot Bruinderink, Tanja Lange, Lorenz Panny, HILA5 Pindakaas: On the CCA security of lattice-based encryption with error correction, in Africacrypt 2018 [64] (2018), 203–216. Cited in §3.7

  18. Daniel J. Bernstein, Tanja Lange (editors), eBACS: ECRYPT Benchmarking of Cryptographic Systems (2022). Accessed 25 August 2022. Cited in §4.2

  19. Daniel J. Bernstein, Edoardo Persichetti, Towards KEM unification (2018). Cited in §3.12, §4.4

  20. Eli Biham (editor), Fast software encryption, 4th international workshop, FSE ’97, LNCS, 1267, Springer, 1997. See [91]

  21. Eli Biham, Lior Neumann, Breaking the Bluetooth pairing—the fixed coordinate invalid curve attack, in SAC 2019 [84] (2019), 250–273. Cited in §1.1

  22. Nina Bindel, Douglas Stebila, Shannon Veitch, Improved attacks against key reuse in learning with errors key exchange, in Latincrypt 2021 [74] (2021), 168–188. Cited in §3.7

  23. Mario Blaum, Patrick G. Farrell, Henk C. A. van Tilborg (editors), Information, coding and mathematics, Kluwer International Series in Engineering and Computer Science, 687, Kluwer, 2002. MR 2005a:94003. See [101]

  24. Daniel Bleichenbacher, Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1, in Crypto 1998 [70] (1998), 1–12. Cited in §1

  25. Hanno Böck, Juraj Somorovsky, Craig Young, Return of Bleichenbacher’s oracle threat (ROBOT), in [43] (2018), 817–849. Cited in §1

  26. Dan Boneh (editor), Advances in cryptology—CRYPTO 2003, LNCS, 2729, Springer, 2003. See [56]

  27. Dan Boneh, Richard A. DeMillo, Richard J. Lipton, On the importance of checking cryptographic protocols for faults (extended abstract), in Eurocrypt 1997 [47] (1997), 37–51; see also newer version [28]. Cited in §2.3, §2.3, §2.3, §2.3, §2.4, §2.4, §2.5, §2.5, §2.5

  28. Dan Boneh, Richard A. DeMillo, Richard J. Lipton, On the importance of eliminating errors in cryptographic computations, Journal of Cryptology 14 (2001), 101–119; see also older version [27]

  29. Joe P. Buhler (editor), Algorithmic number theory, third international symposium, ANTS-III, LNCS, 1423, Springer, 1998. See [52]

  30. Kevin Butler, Kurt Thomas (editors), 31st USENIX Security Symposium, USENIX Association, 2022. See [96]

  31. L. Jean Camp, Stephen Lewis (editors), Economics of information security, Advances in Information Security, 12, Springer, 2004. See [80]

  32. Anne Canteaut, Yuval Ishai (editors), Advances in cryptology—EUROCRYPT 2020, LNCS, 12106, Springer, 2020. See [6]

  33. Anne Canteaut, François-Xavier Standaert (editors), Advances in cryptology—EUROCRYPT 2021, LNCS, 12697, Springer, 2021. See [34]

  34. Pierre-Louis Cayrel, Brice Colombier, Vlad-Florin Dragoi, Alexandre Menu, Lilian Bossuet, Message-recovery laser fault injection attack on the Classic McEliece cryptosystem, in [33] (2021), 438–467. Cited in §2.2

  35. Cong Chen, Oussama Danba, Jeffrey Hoffstein, Andreas Hulsing, Joost Rijneveld, John M. Schanck, Peter Schwabe, William Whyte, Zhenfei Zhang, NTRU: algorithm specifications and supporting documentation (2019). Cited in §4.4

  36. Mauro Conti, Jianying Zhou, Emiliano Casalicchio, Angelo Spognardi (editors), Applied cryptography and network security—18th international conference, ACNS 2020, LNCS, 12146, Springer, 2020. See [59]

  37. Alexander W. Dent, A designer’s guide to KEMs, in Cirencester 2003 [83] (2003), 133–151. Cited in §3.10

  38. Jintai Ding, Saed Alsayigh, R. V. Saraswathy, Scott R. Fluhrer, Xiaodong Lin, Leakage of signal function with reused keys in RLWE key exchange, in ICC 2017 [1] (2017), 1–6. Cited in §3.7

  39. Jintai Ding, Joshua Deaton, Kurt Schmidt, Vishakha, Zheng Zhang, A simple and efficient key reuse attack on NTRU cryptosystem (2019). Cited in §3.7

  40. Jintai Ding, Scott R. Fluhrer, Saraswathy RV, Complete attack on RLWE key exchange with reused keys, without signal leakage, in ACISP 2018 [97] (2018), 467–486. Cited in §3.7

  41. John R. Douceur, Albert G. Greenberg, Thomas Bonald, Jason Nieh (editors), Proceedings of the eleventh international joint conference on measurement and modeling of computer systems, SIGMETRICS/Performance 2009, ACM, 2009. See [93]

  42. Orr Dunkelman, Stefan Dziembowski (editors), Advances in cryptology—EUROCRYPT 2022, LNCS, 13277, Springer, 2022. See [60]

  43. William Enck, Adrienne Porter Felt (editors), 27th USENIX security symposium, USENIX Security 2018, Baltimore, MD, USA, August 15-17, 2018, USENIX Association, 2018. See [25]

  44. Wieland Fischer, Naofumi Homma (editors), Cryptographic hardware and embedded systems—CHES 2017, LNCS, 10529, Springer, 2017. See [57]

  45. Scott R. Fluhrer, Cryptanalysis of ring-LWE based key exchange with key share reuse (2016). Cited in §3.7

  46. Eiichiro Fujisaki, Tatsuaki Okamoto, Secure integration of asymmetric and symmetric encryption schemes, in Crypto 1999 [102] (1999), 537–554. Cited in §3.8

  47. Walter Fumy (editor), Advances in cryptology—EUROCRYPT ’97, LNCS, 1233, Springer, 1997. See [27]

  48. Debin Gao, Qi Li, Xiaohong Guan, Xiaofeng Liao (editors), Information and communications security—23rd international conference, ICICS 2021, LNCS, 12919, Springer, 2021. See [105]

  49. J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, Edward W. Felten, Lest we remember: cold boot attacks on encryption keys, in USENIX Security 2008 [82] (2008), 45–60. Cited in §2.6, §2.6, §2.6, §2.6

  50. Chris Hall, Ian Goldberg, Bruce Schneier, Reaction attacks against several public-key cryptosystems, in ICICS 1999 [100] (1999), 2–12. Cited in §3.6, §3.6, §3.6

  51. Martin Hirt, Adam D. Smith (editors), Theory of cryptography—14th international conference, TCC 2016-B, LNCS, 9986, 2016. See [98]

  52. Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman, NTRU: a ring-based public key cryptosystem, in ANTS III [29] (1998), 267–288. Cited in §3.3, §3.3

  53. Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman, NTRU: a new high speed public key cryptosystem (2016). Circulated at Crypto 1996, put online in 2016. Cited in §3.3

  54. Jeffrey Hoffstein, Joseph H. Silverman, Reaction attacks against the NTRU public key cryptosystem (2000). Cited in §3.7, §4.5

  55. Dennis Hofheinz, Kathrin Hövelmanns, Eike Kiltz, A modular analysis of the Fujisaki-Okamoto transformation, in TCC 2017-1 [65] (2017), 341–371. Cited in §3.11, §3.12

  56. Nick Howgrave-Graham, Phong Q. Nguyen, David Pointcheval, John Proos, Joseph H. Silverman, Ari Singer, William Whyte, The impact of decryption failures on the security of NTRU encryption, in Crypto 2003 [26] (2003), 226–246. Cited in §3.7

  57. Andreas Hülsing, Joost Rijneveld, John M. Schanck, Peter Schwabe, High-speed key encapsulation from NTRU, in [44] (2017), 232–252. Cited in §4.4

  58. Andreas Hülsing, Joost Rijneveld, John M. Schanck, Peter Schwabe, NTRU-HRSS-KEM: algorithm specifications and supporting documentation (2017). Cited in §4.4

  59. Loïs Huguenin-Dumittan, Serge Vaudenay, Classical misuse attacks on NIST round 2 PQC—the power of rank-based schemes, in ACNS 2020 [36] (2020), 208–227. Cited in §3.7

  60. Loïs Huguenin-Dumittan, Serge Vaudenay, On IND-qCCA security in the ROM and its applications: CPA security is sufficient for TLS 1.3, in Eurocrypt 2022 [42] (2022), 613–642. Cited in §1

  61. Yuval Ishai, Vincent Rijmen (editors), Advances in cryptology—EUROCRYPT 2019, LNCS, 11477, Springer, 2019. See [4]

  62. Éliane Jaulmes, Antoine Joux, A chosen-ciphertext attack against NTRU, in Crypto 2000 [5] (2000), 20–35. Cited in §3.7

  63. Simon Josefsson, Ilari Liusvaara, Edwards-curve digital signature algorithm (EdDSA) (2017). Cited in §2.4

  64. Antoine Joux, Abderrahmane Nitaj, Tajjeeddine Rachidi (editors), Progress in cryptology—AFRICACRYPT 2018, LNCS, 10831, Springer, 2018. See [17]

  65. Yael Kalai, Leonid Reyzin (editors), Theory of cryptography—15th international conference, TCC 2017, LNCS, 10677, Springer, 2017. See [55]

  66. Burt Kaliski, PKCS #1: RSA encryption version 1.5 (1998). Cited in §2.4

  67. Matthias Kannwischer, Remove schemes that are no longer under consideration by NIST (2022). Cited in §4.2

  68. Jonathan Katz, Yehuda Lindell, Introduction to modern cryptography: principles and protocols, Chapman & Hall/CRC, 2007. Cited in §1.1

  69. Neal Koblitz, The uneasy relationship between mathematics and cryptography, Notices of the American Mathematical Society 54 (2007), 972–979. Cited in §4.4, §4.4

  70. Hugo Krawczyk (editor), Advances in cryptology—CRYPTO ’98, LNCS, 1462, Springer, 1998. See [24]

  71. Adam Langley, CECPQ2 (2018). Cited in §1

  72. Arjen K. Lenstra, Memo on RSA signature generation in the presence of faults (1996). Cited in §2.3, §2.5

  73. Joseph K. Liu, Hui Cui (editors), Information security and privacy—25th Australasian conference, ACISP 2020, LNCS, 12248, Springer, 2020. See [81]

  74. Patrick Longa, Carla Ràfols (editors), Progress in cryptology—LATINCRYPT 2021, LNCS, 12912, Springer, 2021. See [22]

  75. Vadim Lyubashevsky, OFFICIAL COMMENT: CRYSTALS-DILITHIUM (2018). Cited in §1.1

  76. Robert J. McEliece, A public-key cryptosystem based on algebraic coding theory (1978), 114–116. JPL DSN Progress Report. Cited in §3.3, §3.3

  77. Alfred Menezes, Evaluation of security level of cryptography: RSA signature schemes (PKCS#1 v1.5, ANSI X9.31, ISO 9796) (2002). Cited in §1

  78. National Institute of Standards and Technology, Submission requirements and evaluation criteria for the post-quantum cryptography standardization process (2016). Cited in §1

  79. Jesper Buus Nielsen, Vincent Rijmen (editors), Advances in cryptology—EUROCRYPT 2018, LNCS, 10822, Springer, 2018. See [92]

  80. Andrew M. Odlyzko, Privacy, economics, and price discrimination on the internet, in [31] (2004), 187–211. Cited in §4.6

  81. Satoshi Okada, Yuntao Wang, Tsuyoshi Takagi, Improving key mismatch attack on NewHope with fewer queries, in ACISP 2020 [73] (2020), 505–524. Cited in §3.7

  82. Paul C. van Oorschot (editor), Proceedings of the 17th USENIX security symposium, USENIX Association, 2008. See [49]

  83. Kenneth G. Paterson (editor), Cryptography and coding, 9th IMA international conference, LNCS, 2898, Springer, 2003. See [37]

  84. Kenneth G. Paterson, Douglas Stebila (editors), Selected areas in cryptography—SAC 2019, LNCS, 11959, Springer, 2020. See [21]

  85. Trevor Perrin, The XEdDSA and VXEdDSA signature schemes (2016). Cited in §2.4

  86. Edoardo Persichetti, Improving the efficiency of code-based cryptography, Ph.D. thesis, 2012. Cited in §3.11

  87. Bart Preneel (editor), Advances in cryptology—EUROCRYPT 2000, LNCS, 1807, Springer, 2000. See [95]

  88. Yue Qin, Chi Cheng, Xiaohan Zhang, Yanbin Pan, Lei Hu, Jintai Ding, A systematic approach and analysis of key mismatch attacks on lattice-based NIST candidate KEMs, in Asiacrypt 2021 [99] (2021), 92–121. Cited in §3.7

  89. Yue Qin, Ruoyu Ding, Chi Cheng, Nina Bindel, Yanbin Pan, Jintai Ding, Light the signal: optimization of signal leakage attacks against LWE-based key exchange (2022). Cited in §3.7

  90. Prasanna Ravi, Martianus Frederic Ezerman, Shivam Bhasin, Anupam Chattopadhyay, Sujoy Sinha Roy, Will you cross the threshold for me? Generic side-channel assisted chosen-ciphertext attacks on NTRU-based KEMs, IACR Transactions on Cryptographic Hardware and Embedded Systems 2022.1 (2022), 722–761. Cited in §3.13

  91. Ronald L. Rivest, All-or-nothing encryption and the package transform, in FSE 1997 [20] (1997), 210–218. Cited in §3.5

  92. Tsunekazu Saito, Keita Xagawa, Takashi Yamakawa, Tightly-secure key-encapsulation mechanism in the quantum random oracle model, in Eurocrypt 2018 [79] (2018), 520–551. Cited in §4.4, §4.4, §4.4, §4.4

  93. Bianca Schroeder, Eduardo Pinheiro, Wolf-Dietrich Weber, DRAM errors in the wild: a large-scale field study, in [41] (2009), 193–204. Cited in §1.2, §1.2, §1.2

  94. Mark Seaborn, Thomas Dullien, Exploiting the DRAM rowhammer bug to gain kernel privileges (2015). Cited in §2.2

  95. Victor Shoup, Using hash functions as a hedge against chosen ciphertext attack, in Eurocrypt 2000 [87] (2000), 275–288. Cited in §3.5

  96. George Arnold Sullivan, Jackson Sippe, Nadia Heninger, Eric Wustrow, Open to a fault: On the passive compromise of TLS keys via transient errors, in USENIX Security 2022 [30] (2022), 233–250. Cited in §2.3, §2.3, §2.3, §2.3

  97. Willy Susilo, Guomin Yang (editors), Information security and privacy—23rd Australasian conference, ACISP 2018, LNCS, 10946, Springer, 2018. See [40]

  98. Ehsan Ebrahimi Targhi, Dominique Unruh, Post-quantum security of the Fujisaki-Okamoto and OAEP transforms, in [51] (2016), 192–216. Cited in §4.4

  99. Mehdi Tibouchi, Huaxiong Wang (editors), Advances in cryptology—ASIACRYPT 2021, LNCS, 13093, Springer, 2021. See [88]

  100. Vijay Varadharajan, Yi Mu (editors), Information and communication security, second international conference, ICICS’99, Springer, 1999. See [50]

  101. Eric R. Verheul, Jeroen M. Doumen, Henk C. A. van Tilborg, Sloppy Alice attacks! Adaptive chosen ciphertext attacks on the McEliece public-key cryptosystem, in [23] (2002), 99–119. MR 2005b:94041. Cited in §3.6, §3.6, §3.6

  102. Michael J. Wiener (editor), Advances in cryptology—CRYPTO ’99, LNCS, 1666, Springer, 1999. See [46]

  103. Moti Yung, Yevgeniy Dodis, Aggelos Kiayias, Tal Malkin (editors), Public key cryptography—9th international conference on theory and practice in public-key cryptography, LNCS, 3958, Springer, 2006. See [9]

  104. Meilin Zhang, Vladimir M. Stojanovic, Paul Ampadu, Reliable ultra-low-voltage cache design for many-core systems, IEEE Transactions on Circuits and Systems II: Express Briefs 59 (2012), 858–862. Cited in §1.2

  105. Xiaohan Zhang, Chi Cheng, Ruoyu Ding, Small leaks sink a great ship: an evaluation of key reuse resilience of PQC third round finalist NTRU-HRSS, in ICICS 2021 [48] (2021), 283–300. Cited in §3.7

Acknowledgments

This paper is inspired by a series of discussions with Tanja Lange regarding IND-CCA2 attacks and defenses. In particular, Lange pointed out plaintext confirmation as a countermeasure to fault attacks.

Correspondence to Daniel J. Bernstein.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Bernstein, D.J. (2022). A One-Time Single-bit Fault Leaks All Previous NTRU-HRSS Session Keys to a Chosen-Ciphertext Attack. In: Isobe, T., Sarkar, S. (eds) Progress in Cryptology – INDOCRYPT 2022. INDOCRYPT 2022. Lecture Notes in Computer Science, vol 13774. Springer, Cham. https://doi.org/10.1007/978-3-031-22912-1_27

  • DOI: https://doi.org/10.1007/978-3-031-22912-1_27

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22911-4

  • Online ISBN: 978-3-031-22912-1
