Abstract
We present a fault analysis of the NTRUSign digital signature scheme. The fault model assumed is one in which the attacker can fault a small number of coefficients of a specific polynomial during the signing process but cannot control the exact locations of the injected transient faults. For NTRUSign with parameters (N, \(q = p^l\), \(\mathcal{B}\), standard, \(\mathcal{N}\)), when the attacker is able to skip the norm-bound signature checking step, our attack needs one fault, succeeds with probability \(\approx 1-\frac{1}{p}\), and requires \(O((qN)^t)\) steps when the number of faulted polynomial coefficients is upper bounded by t. The attack also applies to NTRUSign using the transpose NTRU lattice, but it then requires double the number of fault injections. Different countermeasures against the proposed attack are investigated.
Acknowledgements
The authors would like to thank the anonymous reviewers for their valuable comments and suggestions that helped improve the quality of the paper. This work is supported in part by the Natural Sciences and Engineering Research Council of Canada.
Cite this article
Kamal, A.A., Youssef, A.M. Fault analysis of the NTRUSign digital signature scheme. Cryptogr. Commun. 4, 131–144 (2012). https://doi.org/10.1007/s12095-011-0061-3
Keywords
- Side channel attacks
- Lattice-based public key cryptosystems
- Fault analysis and countermeasures
- Digital signature schemes
- NTRU