Strengthening hardware implementations of NTRUEncrypt against fault analysis attacks

Abstract

NTRUEncrypt is a parameterized family of lattice-based public key cryptosystems. Similar to other public key systems, it is susceptible to fault analysis attacks. In this paper, we investigate several techniques to strengthen hardware implementations of NTRUEncrypt against this class of attacks. In particular, by utilizing the algebraic structure of the cipher, we propose several countermeasures based on error detection checksum codes, and spatial/temporal redundancies. The error detection capabilities of these countermeasures, as well as their impact on the decryption throughput and area, are also presented.

Appendix

Using the same notation as in Lemma 2, in this appendix, we derive a checksum formula (mod \(p\)) that holds between the input and output of the last step in the decryption process.

Lemma 3

Let \(F_p =\sum _{i=0}^{N-1} F_p^i x^i\), where \(F_p^i\) is the coefficient of \(x^i\) in the polynomial \(F_p\). Then, we have

$$\begin{aligned} \left( \sum _{i=0}^{N-1} F_p^i\right) \text{ mod } p = 1. \end{aligned}$$

Proof

By definition, \(f(x) \star F_p \text{ mod } \text{ p } =1\). Thus we have

$$\begin{aligned} \left( \begin{array}{c} 1 \\ 0 \\ \cdot \\ \cdot \\ \cdot \\ 0 \\ \end{array} \right)&= \! \left( \begin{array}{cccc} f_0 &{} f_{N-1} &{} \dots &{} f_1 \\ f_1 &{} f_0 &{} \dots &{} f_{N-2} \\ \cdot &{} \cdot &{} \cdot &{} \cdot \\ \cdot &{} \cdot &{} \cdot &{} \cdot \\ \cdot &{} \cdot &{} \cdot &{} \cdot \\ f_{N-1} &{}f_{N-2} &{} \dots &{} f_0 \\ \end{array} \right) \left( \begin{array}{c} F_p^0 \\ F_p^1 \\ \cdot \\ \cdot \\ \cdot \\ F_p^{N-1} \\ \end{array} \right) \nonumber \\&= \! \left( \begin{array}{c} (F_p^0f_0\!+\!F_p^1f_{N-1}\!+\!\dots \!+\!F_p^{N-1}f_1) \text{ mod } p \\ (F_p^0f_1\!+\!F_p^1f_0\!+\!\dots \!+\!F_p^{N-1}f_{N-2}) \text{ mod } p \\ \cdot \\ \cdot \\ \cdot \\ (F_p^0f_{N-1}\!+\!F_p^1f_{N-2}\!+\!\dots \!+\!F_p^{N-1}f_0) \text{ mod } p \\ \end{array} \right) .\nonumber \\ \end{aligned}$$

(6)

Again, by noting that \(\sum _{k= 0}^{N-1} f_k=1\), we have

$$\begin{aligned}&\left( \sum _{k= 0}^{N-1} F_p^k \times \sum _{j= 0}^{N-1} f_j \right) \text{ mod } p=1 \Rightarrow \left( \sum _{k= 0}^{N-1} F_p^k \right) \\&\quad \text{ mod } p=1. \end{aligned}$$

\(\square \)

Lemma 4

$$\begin{aligned} \left( \sum _{i=0}^{N-1} b_i \right) \text{ mod } p = \left( \sum _{i=0}^{N-1} m_i \right) \text{ mod } p. \end{aligned}$$

Proof

Similar to the proof of Lemma 2, we express the convolution operation \(m(x)=b(x) \star F_p(x)\) mod p in matrix form. Then, the proof follows by utilizing the result of Lemma 3 to simplify the resulting summation. \(\square \)