Jintai Ding,Joshua Deaton,Kurt Schmidt,Vishakha,Zheng Zhang

2019-01-01

Abstract:In 1998, Jeffrey Hoffstein, Jill Pipher, and Joseph H. Silverman introduced the famous NTRU cryptosystem, and called it "A ring-based public key cryptosystem". Actually, it turns out to be a lattice based cryptosystem that is resistant to Shor’s algorithm. There are several modifications to the original NTRU and two of them are selected as round 2 candidates of NIST post quantum public key scheme standardization. In this paper, we present a simple attack on the original NTRU scheme. The idea comes from Ding et al.’s key mismatch attack. Essentially, an adversary can find information on the private key of a KEM by not encrypting a message as intended but in a manner which will cause a failure in decryption if the private key is in a certain form. In the present, NTRU has the encrypter generating a random polynomial with "small" coefficients, but we will have the coefficients be "large". After this, some further work will create an equivalent key.

Zhuang Xu,Owen Pemberton,David Oswald,Zhiming Zheng

DOI: https://doi.org/10.1007/978-3-031-25319-5_12

2022-01-01

Abstract:NTRU is a well-known lattice-based cryptosystem that has been selected as one of the four key encapsulation mechanism finalists in Round 3 of NIST's post-quantum cryptography standardization. This paper presents two succinct and efficient chosen-ciphertext side-channel attacks on the latest variants of NTRU, i.e., NTRU-HPS and NTRU-HRSS as in Round 3 submissions. Both methods utilize the leakage from the polynomial modular reduction to recover the long-term secret key. For the first attack, although the side-channel leakage does not directly reveal the secret polynomial f, we recover differences between adjacent coefficients using appropriately chosen ciphertexts, and finally reconstruct f through linear algebra. The second attack is based on the inherent relation between the secret key and the public key in NTRU-HPS: we first reveal the "invisible" secret polynomial g with chosen ciphertexts and then use g and the public polynomial h to compute f. In theory, these attacks only need 4 and 2 ciphertexts, respectively. We then practically apply those attacks on all reference implementations of four instances in the PQClean library and show that the accuracy of secret-key recovery can reach 100% with only few traces (4 to 24 and 2 to 6, respectively). We also observe similar leakage in optimized implementations in the pqm4 library and propose an according analysis scheme.

Joohee Lee,Hansol Ryu,Minju Lee,Jaehui Park

DOI: https://doi.org/10.1109/tifs.2024.3471074

IF: 7.231

2024-10-15

IEEE Transactions on Information Forensics and Security

Abstract:In IEEE TIFS 2023, NTRU+ has been proposed, an efficient lattice-based post-quantum Key Encapsulation Mechanism (KEM), which has also been submitted to the KpqC competition. In this paper, we propose an effective classical chosen ciphertext attack to recover the transmitted session key for NTRU+ with all but negligible probability for the first time. With the proposed attacks, we show that all the suggested parameters of NTRU+ do not satisfy the claimed IND-CCA security. Moreover, we elaborate on some flaws in the security proof, a part of which introduces our attack. We also suggest a way to modify the NTRU+ scheme to defend our attack while maintaining its practical performance.

computer science, theory & methods,engineering, electrical & electronic

Yue Qin,Chi Cheng,Jintai Ding

DOI: https://doi.org/10.1007/978-3-030-29962-0_24

2019-01-01

Abstract:In CT-RSA 2019, Bauer et al. have analyzed the case when the public key is reused for the NewHope key encapsulation mechanism (KEM), a second-round candidate in the NIST Post-quantum Standard process. They proposed an elegant method to recover coefficients ranging from -6 to 4 in the secret key. We repeat their experiments but there are two fundamental problems. First, even for coefficients in [-6, 4] we cannot recover at least 262 of them in each secret key with 1024 coefficients. Second, for the coefficient outside [-6, 4], they suggested an exhaustive search. But for each secret key on average there are 10 coefficients that need to be exhaustively searched, and each of them has 6 possibilities. This makes Bauer et al.'s method highly inefficient. We propose an improved method, which with 99.22% probability recovers all the coefficients ranging from - 6 to 4 in the secret key. Then, inspired by Ding et al.'s key mismatch attack, we propose an efficient strategy which with a probability of 96.88% succeeds in recovering all the coefficients in the secret key. Experiments show that our proposed method is very efficient, which completes the attack in about 137.56 ms using the NewHope parameters.

Yue Qin,Chi Cheng,Xiaohan Zhang,Yanbin Pan,Lei Hu,Jintai Ding

DOI: https://doi.org/10.1007/978-3-030-92068-5_4

2021-01-01

Abstract:Research on key mismatch attacks against lattice-based KEMs is an important part of the cryptographic assessment of the ongoing NIST standardization of post-quantum cryptography. There have been a number of these attacks to date. However, a unified method to evaluate these KEMs’ resilience under key mismatch attacks is still missing. Since the key index of efficiency is the number of queries needed to successfully mount such an attack, in this paper, we propose and develop a systematic approach to find lower bounds on the minimum average number of queries needed for such attacks. Our basic idea is to transform the problem of finding the lower bound of queries into finding an optimal binary recovery tree (BRT), where the computations of the lower bounds become essentially the computations of a certain Shannon entropy. The optimal BRT approach also enables us to understand why, for some lattice-based NIST candidate KEMs, there is a big gap between the theoretical bounds and bounds observed in practical attacks, in terms of the number of queries needed. This further leads us to propose a generic improvement method for these existing attacks, which are confirmed by our experiments. Moreover, our proposed method could be directly used to improve the side-channel attacks against CCA-secure NIST candidate KEMs.

Tomáš Rabas,Jiří Buček,Róbert Lórencz

DOI: https://doi.org/10.1007/s42979-023-02493-7

2024-01-27

SN Computer Science

Abstract:Most of the currently used cryptosystems are not secure in the presence of cryptographically relevant quantum computers. As the research in quantum technologies proceeds, a need for quantum-safe cryptography is imminent. NTRU is a post-quantum public-key cryptosystem based on lattices and was a finalist in the 3rd round of the post-quantum standardization process organized by the National Institute of Standards and Technology (NIST). This paper aims to study the implementation security of the cryptosystem with respect to an attacker with access to power leakage. Such a threat model is relevant especially, but not only, for embedded devices. We studied a countermeasure implementation of the NTRU decryption algorithm from An et al. (Appl Sci https://doi.org/10.3390/app8112014, 2018) that claimed its security against power attacks. This paper revisits an attack presented in as reported by Rabas (In: Proceedings of the 9th International Conference on Information Systems Security and Privacy, ICISSP 2023, Lisbon, 2023) that shows it is in fact vulnerable even in the case of just a single trace available to the enemy for extracting the key. We then describe a new profiling template attack on the implementation and show experimental results of the attack using the same datasets, resulting in a comparison of these two methods and further confirmation of the vulnerability of the algorithm even to generic profiling attacks. Several possible types of countermeasures are discussed.

Zhichuang Liang,Boyue Fang,Jieyu Zheng,Yunlei Zhao

DOI: https://doi.org/10.1016/j.csi.2023.103828

IF: 3.721

2024-01-01

Computer Standards & Interfaces

Abstract:The NTRU lattice is a promising candidate to construct practical cryptosystems, in particular key encapsulation mechanism (KEM), resistant to quantum computing attacks. Nevertheless, there are still some inherent obstacles to NTRU-based KEM schemes when considering integrated performance, taking security, bandwidth, error probability, and computational efficiency as a whole, that is as good as and even better than their {R,M}LWE-based counterparts. In this work, we address the challenges by presenting a new family of NTRU-based KEM schemes, denoted as CTRU and CNTR. By bridging low-dimensional lattice codes and high-dimensional NTRU-lattice-based cryptography with careful design and analysis, to the best of our knowledge, CTRU and CNTR are the first NTRU-based KEM schemes featuring scalable ciphertext compression via only one single ciphertext polynomial, and are the first that can outperform {R,M}LWE-based KEM schemes in terms of integrated performance. For instance, when compared to Kyber, the only KEM scheme currently standardized by NIST, our recommended parameter set CNTR-768 exhibits approximately 12% smaller ciphertext size, when its security is strengthened by (8,7) bits for classical and quantum security respectively, with a significantly lower error probability (2−230 for CNTR-768 vs. 2−164 for Kyber-768). In terms of the state-of-the-art AVX2 implementation of Kyber-768, CNTR-768,achieves a speedup of 2.7X in KeyGen, 3.3X in Encaps, and 1.6X in Decaps, respectively. When compared to the NIST Round 3 finalist NTRU-HRSS, CNTR-768,features 15% smaller ciphertext size, coupled with an improvement of (55,49) bits for classical and quantum security respectively. As for the AVX2 implementation, CNTR-768,outperforms NTRU-HRSS by 26X in KeyGen, 3.0X in Encaps, and 2.2X in Decaps, respectively. Along the way, we develop new techniques for more accurate error probability analysis, and a unified number theoretic transform (NTT) implementation for multiple parameter sets, which may be of independent interest.

Zhenhui Qin,Rui Tong,Xingjun Wu,Guoqiang Bai,Liji Wu,L. Su

DOI: https://doi.org/10.1109/cisce52179.2021.9446042

2021-01-01

Abstract:With the emergence and development of quantum computers, the traditional public-key cryptography (PKC) is facing the risk of being cracked. In order to resist quantum attacks and ensure long-term communication security, NIST launched a global collection of Post Quantum Cryptography (PQC) standards in 2016, and it is currently in the third round of selection. There are three Lattice-based PKC algorithms that stand out, and NTRU is one of them. In this article, we proposed the first complete and compact full hardware implementation of NTRU algorithm submitted in the third round. By using one structure to complete the design of the three types of complex polynomial multiplications in the algorithm, we achieved better performance while reducing area costs.

Yang Yu,Guangwu Xu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-662-54365-8_17

2017-01-01

Abstract:Due to its remarkable performance and potential resistance to quantum attacks, NTRUEncrypt has drawn much attention recently; it also has been standardized by IEEE. However, classical NTRUEncrypt lacks a strong security guarantee and its security still relies on heuristic arguments. At Eurocrypt 2011, Stehle and Steinfeld first proposed a variant of NTRUEncrypt with a security reduction from standard problems on ideal lattices. This variant is restricted to the family of rings Z[X]/(X-n + 1) with n a power of 2 and its private keys are sampled by rejection from certain discrete Gaussian so that the public key is shown to be almost uniform. Despite the fact that partial operations, especially for RLWE, over Z[X]/(X-n + 1) are simple and efficient, these rings are quite scarce and different from the classical NTRU setting. In this work, we consider a variant of NTRUEncrypt over prime cyclotomic rings, i.e. Z[X]/(Xn-1 + ... + X + 1) with n an odd prime, and obtain IND-CPA secure results in the standard model assuming the hardness of worst-case problems on ideal lattices. In our setting, the choice of the rings is much more flexible and the scheme is closer to the original NTRU, as Z[X]/(Xn-1 + ... + X + 1) is a large subring of the NTRU ring Z[X]/(X-n -1). Some tools for prime cyclotomic rings are also developed.

Jintai Ding,Yanbin Pan,Yingpu Deng

DOI: https://doi.org/10.1007/978-3-642-31448-3_10

2012-01-01

Abstract:In this paper, we propose an algebraic broadcast attack against NTRU, which recovers a single message encrypted multiple times using different NTRU public keys. Namely, when a message is broadcasted, under some reasonable assumptions, our attack can be completed in polynomial time and space. To the best of our knowledge, this is the first successful broadcast attack against NTRU.

Jianhua Yan,Xiuhua Lu,Muzi Li,Licheng Wang,Jingxian Zhou,Wenbin Yao

DOI: https://doi.org/10.3390/e25121651

2023-12-13

Abstract:Based on the NTRU trapdoor used in NIST's Falcon, a signcryption scheme following the sign-then-encrypt paradigm is constructed. The existing partitioning technique based on Waters hash over the lattice can not complete the security reduction in the standard model for the signature part due to the "partiality" of the pre-image generated with the NTRU trapdoor. To address this, a variant of Waters hash over small integers is proposed and, the probability of the successful reduction is analyzed. The resulting signcryption achieves existential unforgeability under the adaptive chosen-message attacks. By utilizing the uniqueness of the secret and the noise in an NTRU instance, the tag used in encryption is eliminated. Furthermore, a method to construct tamper-sensitive lattice public key encryption is proposed. This approach implants the ciphertext-sensitive information into the lattice public key encryption and binds it to the encrypted information. The malleability to the public key ciphertext triggers the change of the message-signature pair so that the IND-CCA2 security of the entire ciphertext can be guaranteed by the signature for the message. Thanks to the rational design and the efficiency of the NTRU trapdoor, the computational overhead of the proposed scheme is reduced significantly compared to the existing lattice-based signcryption scheme, reaching orders of magnitude improvement in efficiency. The experiment shows that the proposed scheme is efficient.

Miguel Bote,Javier Diaz-Vargas

DOI: https://doi.org/10.3934/amc.2024027

2024-06-15

Advances in Mathematics of Communications

Abstract:NTRU is a public-key cryptosystem whose operation is based on convolutional polynomial rings over . This work focuses on presenting STRU, the variant of NTRU that results from replacing with (the ring of integers of ). In addition, we study the main features of STRU such as its speed, decryption failure probability and resistance to lattice attacks. Comparing these features we find that, at least theoretically, STRU is faster and slightly more resistant than NTRU. Also, we present and discuss properties of the ring and its division algorithm.

computer science, theory & methods,mathematics, applied

Qinghao Wu,Juan Zhang,Zichen Li

DOI: https://doi.org/10.3390/electronics13214293

IF: 2.9

2024-11-01

Electronics

Abstract:The NTRU (Number Theory Research Unit) is a prominent post-quantum public key cryptography algorithm and a current focus of research. Although many NTRU variants have been proposed, a comprehensive generalization of these variants is still lacking. To address this issue, we propose the G-NTRU (Generalized NTRU), an algorithmic framework for NTRU variants on algebraic rings. This framework generalizes specific ring extensions to more general algebraic structures, allowing the unification of various NTRU variants. We then analyze the key properties of the G-NTRU, including correctness, lattice-based characteristics, and security. The semantic security of the G-NTRU is demonstrated through the introduction of the G-AGCD (Generalized Approximate Greatest Common Divisor). To validate the generality of the G-NTRU framework, we introduce the CNTRU (Complex Number NTRU), a variant of the NTRU over the ring of complex numbers. The CNTRU shares the same properties as the G-NTRU, further confirming the versatility of the G-NTRU in studying NTRU variants over algebraic rings.

engineering, electrical & electronic,computer science, information systems,physics, applied

Prasanna Ravi,Bolin Yang,Shivam Bhasin,Fan Zhang,Anupam Chattopadhyay

DOI: https://doi.org/10.46586/tches.v2023.i2.447-481

2023-01-01

Abstract:In this work, we present the first fault injection analysis of the Number Theoretic Transform (NTT). The NTT is an integral computation unit, widely used for polynomial multiplication in several structured lattice-based key encapsulation mechanisms (KEMs) and digital signature schemes. We identify a critical single fault vulnerability in the NTT, which severely reduces the entropy of its output. This in turn enables us to perform a wide-range of attacks applicable to lattice-based KEMs as well as signature schemes. In particular, we demonstrate novel key recovery and message recovery attacks targeting the key generation and encryption procedure of Kyber KEM. We also propose novel existential forgery attacks targeting deterministic and probabilistic signing procedure of Dilithium, followed by a novel verification bypass attack targeting its verification procedure. All proposed exploits are demonstrated with high success rate using electromagnetic fault injection on optimized implementations of Kyber and Dilithium, from the open-source pqm4 library on the ARM Cortex-M4 microcontroller. We also demonstrate that our proposed attacks are capable of bypassing concrete countermeasures against existing fault attacks on lattice-based KEMs and signature schemes. We believe our work motivates the need for more research towards development of countermeasures for the NTT against fault injection attacks.

Tingle Shen,Li Miao,Bin Hua,Shuai Li

DOI: https://doi.org/10.3390/math12132051

IF: 2.4

2024-07-01

Mathematics

Abstract:An important feature of Nyberg-Rueppel type digital signature algorithms is message recovery, this signature algorithm can recover the original information from the signature directly by the verifier in the verification phase after signing the message. However, this algorithm is currently vulnerable to quantum attacks and its security cannot be guaranteed. Number Theory Research Unit (NTRU) is an efficient public-key cryptosystem and is considered to be one of the best quantum-resistant encryption schemes. This paper proposes an NTRU-like message recoverable signature algorithm to meet the key agreement requirements in the post-quantum world. This algorithm, designed for the Internet of Things (IoT), constructs a secure system using the Group-Based Message Recoverable Signature Algorithm (NR-GTRU), by integrating a Group-Based NTRU-Like Public-Key Cryptosystem (GTRU) with an efficient Nyberg-Rueppel type of NTRU digital signature algorithm (NR-NTRU). This signature algorithm, resistant to quantum algorithm attacks, offers higher security at the cost of a slight efficiency reduction compared to traditional NTRU signature algorithms, and features Nyberg-Rueppel message recovery, making it well-suited for IoT applications.

mathematics

Daniel J. Bernstein,Billy Bob Brumley,Ming-Shing Chen,Nicola Tuveri

DOI: https://doi.org/10.48550/arXiv.2106.08759

2021-12-15

Abstract:Google's CECPQ1 experiment in 2016 integrated a post-quantum key-exchange algorithm, newhope1024, into TLS 1.2. The Google-Cloudflare CECPQ2 experiment in 2019 integrated a more efficient key-exchange algorithm, ntruhrss701, into TLS 1.3. This paper revisits the choices made in CECPQ2, and shows how to achieve higher performance for post-quantum key exchange in TLS 1.3 using a higher-security algorithm, sntrup761. Previous work had indicated that ntruhrss701 key generation was much faster than sntrup761 key generation, but this paper makes sntrup761 key generation much faster by generating a batch of keys at once. Batch key generation is invisible at the TLS protocol layer, but raises software-engineering questions regarding the difficulty of integrating batch key exchange into existing TLS libraries and applications. This paper shows that careful choices of software layers make it easy to integrate fast post-quantum software, including batch key exchange, into TLS with minor changes to TLS libraries and no changes to applications. As a demonstration of feasibility, this paper reports successful integration of its fast sntrup761 library, via a lightly patched OpenSSL, into an unmodified web browser and an unmodified TLS terminator. This paper also reports TLS 1.3 handshake benchmarks, achieving more TLS 1.3 handshakes per second than any software included in OpenSSL.

Cryptography and Security

Xuyun Nie,Lei Hu,Jintai Ding,Jianyu Li,John Wagner

DOI: https://doi.org/10.1007/978-3-540-72738-5_7

2007-01-01

Abstract:In 2006, the inventors of TRMC public key cryptosystem proposed a new variant of TRMC, TRMC-4, which can resist the existing attack, in particular, the Joux et al attack. In this paper, we show that the new version is vulnerable to attack via the linearization equations (LE) method. For any given valid ciphertext and its corresponding TRMC-4 public key, we can derive the corresponding plaintext within 224$\mathbb{F}_{2^8}$-operations, after performing once for the public key a computation of complexity less than 234. Our results are confirmed by computer experiments.

Neslihan Yaman Gökce,Anıl Burak Gökce,Murat Cenk

DOI: https://doi.org/10.1016/j.jisa.2023.103688

IF: 4.96

2024-01-08

Journal of Information Security and Applications

Abstract:The fast and efficient operation of post-quantum cryptographic algorithms has become an important research topic, especially with the recent developments and the process of the PQC Standardization Project by NIST. Various algorithms based on lattices are chosen to be finalists in this project. Number Theoretic Transform (NTT), Toom–Cook, Karatsuba, and Toeplitz matrix–vector product (TMVP) are considered in order to efficiently perform multiplications in quotient polynomial rings required by the cryptographic schemes based on lattices. In this paper, we propose a 5-way split TMVP-based algorithm for multiplication in polynomial quotient rings and determine its computational complexity . The new algorithm is derived from a 5-term polynomial multiplication algorithm using 13 multiplications with coefficients of only 1 or -1 that provide efficiency. We also implement it for all parameter sets of NTRU. The results show that we have up to 34%, 35%, and 157% speed-up against Toom4-Karatsuba implementation in key generation, encapsulation, and decapsulation, respectively.

computer science, information systems

Tolun Tosun,Erkay Savas

DOI: https://doi.org/10.1109/tifs.2024.3359890

IF: 7.231

2024-02-14

IEEE Transactions on Information Forensics and Security

Abstract:Lattice-based cryptographic schemes such as Crystals-Kyber and Dilithium are post-quantum algorithms selected to be standardized by NIST as they are considered to be secure against quantum computing attacks. The multiplication in polynomial rings is the most time-consuming operation in many lattice-based cryptographic schemes, which is also subject to side-channel attacks. While NTT-based polynomial multiplication is almost a norm in a wide range of implementations, a relatively new method, incomplete NTT is preferred to accelerate lattice-based cryptography, especially on some computing platforms that feature special instructions. In this paper, we present a novel, efficient and non-profiled power/EM side-channel attack targeting polynomial multiplication based on the incomplete NTT algorithm. We apply the attack on the Crystals-Dilithium signature algorithm and Crystals-Kyber KEM. We demonstrate that the method accelerates attack run-time when compared to the existing approaches. While a conventional non-profiled side-channel attack tests a much larger hypothesis set because it needs to predict two coefficients of secret polynomials together, we propose a much faster zero-value filtering attack (ZV-FA), which reduces the size of the hypothesis set by targeting the coefficients individually. We also propose an effective and efficient validation and correction technique employing the inverse NTT to estimate and modify the mispredicted coefficients. Our experimental results show that we can achieve a speed-up of over brute-force.

computer science, theory & methods,engineering, electrical & electronic

Jia Xie,Yupu Hu,Juntao Gao,Wen Gao,Mingming Jiang

DOI: https://doi.org/10.3837/tiis.2016.10.030

2016-01-01

KSII Transactions on Internet and Information Systems

Abstract:Because of the advantages of certificateless and no escrow feature over the regular signature and identity-based signature, certificateless signature has been widely applied in e-business, e-government and software security since it was proposed in 2003. Although a number of certificateless signature schemes have been proposed, there is only one lattice-based certificateless signature scheme which is still secure in the quantum era. But its efficiency is not very satisfactory. In this paper, the first certificateless signature scheme on NTRU lattice is proposed, which is proven to be secure in random oracle model. Moreover, the efficiency of the new scheme is higher than that of the only one lattice-based certificateless signature.