A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2021; you can also visit <a rel="external noopener" href="https://tches.iacr.org/index.php/TCHES/article/download/9313/8878">the original URL</a>. The file type is <code>application/pdf</code>.
<i title="Universitätsbibliothek der Ruhr-Universität Bochum">
<a target="_blank" rel="noopener" href="https://fatcat.wiki/container/yz7ssmvstjhsxiwixprnmyijnq" style="color: black;">Transactions on Cryptographic Hardware and Embedded Systems</a>
<span class="external-identifiers"> <a target="_blank" rel="external noopener noreferrer" href="https://doi.org/10.46586/tches.v2022.i1.722-761">doi:10.46586/tches.v2022.i1.722-761</a> <a target="_blank" rel="external noopener" href="https://fatcat.wiki/release/7gx3tbfndrcozd33rq36k3b4gy">fatcat:7gx3tbfndrcozd33rq36k3b4gy</a> </span>
In this work, we propose generic and novel side-channel assisted chosen-ciphertext attacks on NTRU-based key encapsulation mechanisms (KEMs). These KEMs are IND-CCA secure, that is, they are secure in the chosen-ciphertext model. Our attacks involve the construction of malformed ciphertexts. When decapsulated by the target device, these ciphertexts ensure that a targeted intermediate variable becomes very closely related to the secret key. An attacker who can obtain information about this dependent variable through side-channels can subsequently recover the full secret key. We propose several novel CCAs which can be carried out using side-channel leakage from the decapsulation procedure. The attacks instantiate three different types of oracles, namely a plaintext-checking oracle, a decryption-failure oracle, and a full-decryption oracle, and are applicable to two NTRU-based schemes, NTRU and NTRU Prime. Both schemes are candidates in the ongoing NIST standardization process for post-quantum cryptography. We experimentally validate the attacks on optimized and unprotected implementations of NTRU-based schemes, taken from the open-source pqm4 library, using EM-based side-channel measurements on the 32-bit ARM Cortex-M4 microcontroller. All of our proposed attacks recover the full secret key in only a few thousand chosen-ciphertext queries on all parameter sets of NTRU and NTRU Prime. Our attacks therefore stress the need for concrete side-channel protection strategies for NTRU-based KEMs.
Full text: <a target="_blank" rel="noopener" href="https://web.archive.org/web/20211128214704/https://tches.iacr.org/index.php/TCHES/article/download/9313/8878" title="fulltext PDF download">Web Archive [PDF]</a> | <a target="_blank" rel="external noopener noreferrer" href="https://doi.org/10.46586/tches.v2022.i1.722-761">Publisher / doi.org</a>