Advertisement

Practical Evaluation of Masking for NTRUEncrypt on ARM Cortex-M4

  • Thomas SchambergerEmail author
  • Oliver Mischke
  • Johanna Sepulveda
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11421)

Abstract

To protect against the future threat of large scale quantum computing, cryptographic schemes that are considered appropriately secure against known quantum algorithms have gained in popularity and are currently in the process of standardization by NIST. One of the more promising so-called post-quantum schemes is NTRUEncrypt, which withstood scrutiny from the scientific community for over 20 years.

Similar to classical algorithms like AES, implementations of NTRUEncrypt must be protected against physical attacks. While different masking and hiding countermeasures have been proposed in the past, practical power analysis evaluations of masking for NTRUEncrypt are lacking. We therefore provide a practical evaluation of masking applied to index-based multiplication and a modern parameter set using trinary polynomials. With the use of SIMD instructions available in the Cortex-M4 microcontroller, we are able to implement additive masking without any significant performance overhead compared to an unmasked implementation. Our implementation showed no observable first-order leakage using a HW model and two million measurement traces. Successful second-order attacks are demonstrated for our implementation using SIMD instructions, which processes the mask and masked data simultaneously, as well as for a sequential implementation built for comparison. Finally, we show that applying both our low cost masking countermeasure together with a known and equally efficient shuffling scheme can provide a good trade-off achieving a high level of security without a large performance penalty.

Keywords

Post-quantum cryptography Side-channel analysis NTRUEncrypt Countermeasures Masking 

Notes

Acknowledgment

This work was partly funded by the German Federal Ministry of Education and Research in the project HQS through grant number 16KIS0616.

References

  1. 1.
    Bailey, D.V., Coffin, D., Elbirt, A., Silverman, J.H., Woodbury, A.D.: NTRU in constrained devices. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 262–272. Springer, Heidelberg (2001).  https://doi.org/10.1007/3-540-44709-1_22CrossRefGoogle Scholar
  2. 2.
    Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999).  https://doi.org/10.1007/3-540-48405-1_26CrossRefGoogle Scholar
  3. 3.
    Hoffstein, J., Pipher, J., Schanck, J.M., Silverman, J.H., Whyte, W., Zhang, Z.: Choosing parameters for NTRUEncrypt. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 3–18. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-52153-4_1CrossRefGoogle Scholar
  4. 4.
    Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998).  https://doi.org/10.1007/BFb0054868CrossRefGoogle Scholar
  5. 5.
    Hoffstein, J., Pipher, J., Silverman, J.H.: An Introduction to Mathematical Cryptography. UTM. Springer, New York (2014).  https://doi.org/10.1007/978-1-4939-1711-2CrossRefzbMATHGoogle Scholar
  6. 6.
    Hoffstein, J., Silverman, J.: Optimizations for NTRU. In: Public-Key Cryptography and Computational Number Theory, Warsaw, pp. 77–88 (2001)Google Scholar
  7. 7.
    Howgrave-Graham, N., Silverman, J.H., Whyte, W.: Choosing parameter sets for NTRUEncrypt with NAEP and SVES-3. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 118–135. Springer, Heidelberg (2005).  https://doi.org/10.1007/978-3-540-30574-3_10CrossRefGoogle Scholar
  8. 8.
    IEEE: IEEE standard specification for public key cryptographic techniques based on hard problems over lattices. IEEE Std 1363.1-2008, pp. C1–69, March 2009.  https://doi.org/10.1109/IEEESTD.2009.4800404
  9. 9.
    Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999).  https://doi.org/10.1007/3-540-48405-1_25CrossRefGoogle Scholar
  10. 10.
    Lee, M.K., Song, J.E., Choi, D., Han, D.G.: Countermeasures against power analysis attacks for the NTRU public key cryptosystem. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E93–A(1), 153–163 (2010).  https://doi.org/10.1587/transfun.e93.a.153CrossRefGoogle Scholar
  11. 11.
    Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997).  https://doi.org/10.1137/s0097539795293172MathSciNetCrossRefzbMATHGoogle Scholar
  12. 12.
    Standaert, F.-X., et al.: The world is not enough: another look on second-order DPA. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 112–129. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-17373-8_7CrossRefGoogle Scholar
  13. 13.
    Wang, A., Wang, C., Zheng, X., Tian, W., Xu, R., Zhang, G.: Random key rotation: side-channel countermeasure of NTRU cryptosystem for resource-limited devices. Comput. Electr. Eng. 63, 220–231 (2017).  https://doi.org/10.1016/j.compeleceng.2017.05.007CrossRefGoogle Scholar
  14. 14.
    Zhang, Z., Chen, C., Hoffstein, J., Whyte, W.: NTRUEncrypt NIST Sumission. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-1-Submissions
  15. 15.
    Zheng, X., Wang, A., Wei, W.: First-order collision attack on protected NTRU cryptosystem. Microprocess. Microsyst. 37(6–7), 601–609 (2013).  https://doi.org/10.1016/j.micpro.2013.04.008CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Thomas Schamberger
    • 1
    Email author
  • Oliver Mischke
    • 2
  • Johanna Sepulveda
    • 1
  1. 1.Technical University of MunichMunichGermany
  2. 2.Infineon Technologies AGMunichGermany

Personalised recommendations