Abstract
NTRUEncrypt is a parameterized family of lattice-based public key cryptosystems. Similar to other public key systems, it is susceptible to fault analysis attacks. In this paper, we investigate several techniques to strengthen hardware implementations of NTRUEncrypt against this class of attacks. In particular, by utilizing the algebraic structure of the cipher, we propose several countermeasures based on error detection checksum codes, and spatial/temporal redundancies. The error detection capabilities of these countermeasures, as well as their impact on the decryption throughput and area, are also presented.
Acknowledgments
The authors would like to thank the anonymous reviewers for their valuable comments and suggestions that helped improve the quality of the paper. This work is supported in part by the Natural Sciences and Engineering Research Council of Canada.
Appendix
Using the same notation as in Lemma 2, in this appendix we derive a checksum formula (mod \(p\)) that holds between the input and output of the last step of the decryption process.
Lemma 3
Let \(F_p =\sum _{i=0}^{N-1} F_p^i x^i\), where \(F_p^i\) is the coefficient of \(x^i\) in the polynomial \(F_p\). Then, we have
Proof
By definition, \(f(x) \star F_p \bmod p = 1\). Thus we have
Again, by noting that \(\sum _{k= 0}^{N-1} f_k=1\), we have
\(\square \)
Lemma 4
Proof
Similar to the proof of Lemma 2, we express the convolution operation \(m(x) = b(x) \star F_p(x) \bmod p\) in matrix form. Then, the proof follows by utilizing the result of Lemma 3 to simplify the resulting summation. \(\square \)
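The mod-\(p\) checksum the appendix derives for the last decryption step, as an added Python example that is not part of the paper: it assumes toy parameters N = 7, p = 3, a constructed ternary f with coefficient sum 1, a brute-force inverse (only sensible at toy size), and a constructed single-coefficient fault model.

```python
# Added example (not from the paper): mod-p checksum for the last NTRU
# decryption step m = b * F_p (mod p), * being convolution in Z[x]/(x^N - 1).
# Toy parameters (constructed): N = 7, p = 3; real NTRU uses far larger N.
from itertools import product

N, P = 7, 3

def conv(a, b, mod):
    """Cyclic convolution: product of a and b in Z_mod[x]/(x^N - 1)."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] = (c[(i + j) % N] + ai * bj) % mod
    return c

def inverse_mod_p(f):
    """Brute-force inverse of f in Z_P[x]/(x^N - 1); only viable for toy N."""
    one = [1] + [0] * (N - 1)
    for cand in product(range(P), repeat=N):
        if conv(f, cand, P) == one:
            return list(cand)
    raise ValueError("f is not invertible mod p")

def checksum(poly):
    """Sum of coefficients mod p, i.e. the polynomial evaluated at x = 1."""
    return sum(poly) % P

# Constructed private key: d+1 = 3 coefficients equal to 1 and d = 2 equal
# to -1, so sum(f) = 1 as the appendix assumes.  F_P is its inverse mod p.
F = [1, -1, 1, 0, 1, -1, 0]
F_P = inverse_mod_p(F)

def last_step(b, fp=F_P):
    """Final decryption step m = b * F_p mod p."""
    return conv(b, fp, P)

def check_last_step(b, m):
    """Since f(1) = 1 and f * F_p = 1 (mod p), F_p(1) = 1 (mod p), hence
    m(1) = b(1) * F_p(1) = b(1) (mod p): the output checksum must equal
    the input checksum.  Returns True when they agree."""
    return checksum(m) == checksum(b)

def inject_fault(m, idx, delta):
    """Constructed fault model: perturb one coefficient of m by delta (mod p)."""
    faulty = list(m)
    faulty[idx] = (faulty[idx] + delta) % P
    return faulty
```

A single-coefficient fault changes the coefficient sum and is caught; two faults whose errors sum to 0 mod p pass the check, so the checksum alone has limited coverage.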
Cite this article
Kamal, A.A., Youssef, A.M. Strengthening hardware implementations of NTRUEncrypt against fault analysis attacks. J Cryptogr Eng 3, 227–240 (2013). https://doi.org/10.1007/s13389-013-0061-7