Power Analysis on NTRU Prime (PowerPoint presentation, extracted slide text)

  1. Power Analysis on NTRU Prime
     Wei-Lun Huang, Jiun-Peng Chen, Bo-Yin Yang
     Academia Sinica, Taiwan
     CHES 2020

  2. Topics
     ❖ NTRU Prime
     ❖ A Brief Preview
     ❖ Correlation Power Analysis: vertical vs. horizontal in-depth
     ❖ Online Template Attacks
     ❖ Chosen-Input Simple Power Analysis
     ❖ Finale

  3. Topics (agenda repeated)

  4-5. Post-Quantum Cryptography (PQC)
     ❖ Shor’s Algorithm
       ➢ solving integer factorization and discrete logarithms efficiently
       ➢ Quantum Computers: estimated as arriving in 10~20 years
     ❖ The NIST PQC Standardization Project
       ➢ key encapsulation mechanisms (KEM) + digital signatures
       ➢ lattices / error correction codes / multivariate quadratic equations / ...
     ● Peter W. Shor. Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer.
     ● Post-Quantum Cryptography | CSRC. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography

  6. NTRU Prime: lattice-based KEM
     ❖ Streamlined NTRU Prime / NTRU LPRime: 653 / 761 / 857
     ● Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange, and Christine van Vredendaal. NTRU Prime: round 2.

  7-11. Interesting Multiplication in NTRU Prime
     ❖ The Product Scanning Method
       ➢ Inputs: known c in R/q and secret short f
       ➢ Output: e = (c × f) mod q
       ➢ Decap / Encap / KeyGen (only ntrulpr*)
     ● Michael Hutter and Erich Wenger. Fast Multi-Precision Multiplication for Public-Key Cryptography on Embedded Microprocessors.
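The multiplication these slides single out, written out as an added illustration (this is not code from the slides or from the NTRU Prime submission). The ring R/q is Z_q[x]/(x^p - x - 1) as in NTRU Prime; the product-scanning loop folds each anti-diagonal i + j = k into one accumulator, which is the multiply-and-accumulate sequence the later slides analyse. The coefficient representation (integers reduced to [0, q) on output), the reference schoolbook routine and the random short-secret generator are assumptions added for the cross-check with the sntrup761 parameters p = 761, q = 4591, w = 286 from the experiment slides.

```python
"""Product-scanning multiplication in the NTRU Prime ring R/q = Z_q[x]/(x^p - x - 1).

Added illustration; not code from the slides or from the NTRU Prime submission.
Assumptions: coefficients are plain Python integers reduced to [0, q) on output,
the secret f has coefficients in {-1, 0, 1} with exactly w nonzero entries, and
the loop order (one accumulator per output index, anti-diagonal i + j = k) is the
product-scanning order the slides name.
"""
import random


def product_scanning_mul(c, f, p, q):
    """e = (c * f) mod q in Z_q[x]/(x^p - x - 1), computed by product scanning.

    For each output index k the whole anti-diagonal i + j = k is folded into one
    accumulator: one multiply-and-accumulate per (c_i, f_j) pair, which is the
    inner loop a power trace of Decap exposes. Indices k >= p wrap using
    x^p = x + 1, so x^k contributes to both e[k-p] and e[k-p+1].
    """
    assert len(c) == p and len(f) == p
    e = [0] * p
    for k in range(2 * p - 1):
        acc = 0
        lo = max(0, k - p + 1)      # smallest i with j = k - i <= p - 1
        hi = min(k, p - 1)          # largest i with j = k - i >= 0
        for i in range(lo, hi + 1):
            acc += c[i] * f[k - i]
        if k < p:
            e[k] += acc
        else:
            e[k - p] += acc         # x^k = x^(k-p) * (x + 1)
            e[k - p + 1] += acc     # k - p + 1 <= p - 1 because k <= 2p - 2
    return [v % q for v in e]


def schoolbook_mul(c, f, p, q):
    """Reference result: operand scanning into a 2p-1 term product, then reduce."""
    full = [0] * (2 * p - 1)
    for i in range(p):
        for j in range(p):
            full[i + j] += c[i] * f[j]
    for k in range(2 * p - 2, p - 1, -1):   # fold x^k, k >= p, down with x^p = x + 1
        full[k - p] += full[k]
        full[k - p + 1] += full[k]
    return [v % q for v in full[:p]]


def random_short(p, w, rng):
    """Constructed 'short' secret: exactly w nonzero coefficients, each -1 or +1."""
    f = [0] * p
    for i in rng.sample(range(p), w):
        f[i] = rng.choice((-1, 1))
    return f


def check_sntrup761(seed=0):
    """Cross-check both routines on one random instance with the slides' p, q, w."""
    p, q, w = 761, 4591, 286
    rng = random.Random(seed)
    c = [rng.randrange(q) for _ in range(p)]
    f = random_short(p, w, rng)
    return product_scanning_mul(c, f, p, q) == schoolbook_mul(c, f, p, q)


if __name__ == "__main__":
    # (1 + 2x + 3x^2)(1 - x) = 1 + x + x^2 - 3x^3 = -2 - 2x + x^2 after x^3 = x + 1
    print(product_scanning_mul([1, 2, 3], [1, -1, 0], 3, 7))   # [5, 5, 1]
    print(check_sntrup761())                                   # True
```

The two routines compute the same ring element by different loop orders; the point of product scanning for a side-channel analyst is that the secret coefficient f_j enters the accumulator once per output index, paired with a known c_i, which is what the vertical and horizontal attacks on the following slides exploit.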

  12. Topics (agenda repeated)

  13-14. Experiment Settings
     ❖ sntrup761 Decap on ARM Cortex-M4
       ➢ p = 761, q = 4591, and w = 286
       ➢ on STM32F303RCT7 and STM32F415RGT6
     ❖ ChipWhisperer-Lite Two-Part Version
       ➢ random input generation + measurement + data collection
     ❖ Statistical Analysis: in Python 3.6.1 or C++ on a MacBook Air
     ● STMicroelectronics. Datasheet - STM32F303xB STM32F303xC.
     ● STMicroelectronics. Datasheet - STM32F415xx STM32F417xx.
     ● ChipWhisperer-Lite (CW1173) Two-Part Version - NewAE Technology Inc. https://store.newae.com/chipwhisperer-lite-cw1173-two-part-version/

  15. STM32F415RGT6 + ChipWhisperer-Lite (measurement setup diagram)
     Labels: Mini-Circuits SLP-10.7+ low-pass filter, USB to PC, Target Board at 7.38 MHz, MacBook Air, Coaxial Cable, Control Board
     ● Low Pass Filter - Mini Circuits. https://www.minicircuits.com/pdfs/SLP-10.7+.pdf

  16. Power Analysis Methods
     (CPA: Correlation Power Analysis; SPA: Simple Power Analysis)
     ❖ Vertical CPA: robust and fast
     ❖ Horizontal In-Depth CPA: using one single short trace
     ❖ Online Template Attacks: fast profiling with few template traces
     ❖ Chosen-Input SPA: with the naked eye

  17. Topics (agenda repeated)
     ● Mun-Kyu Lee et al. Countermeasures against Power Analysis Attacks for the NTRU Public Key Cryptosystem.
     ● Aydin Aysu et al. Horizontal Side-Channel Vulnerabilities of Post-Quantum Key Exchange Protocols.

  18-20. Vertical CPA
     (figure; the mathematical symbols were lost in extraction)
     likely to confuse with
     Reveal and at a time.
     Reveal one by one.
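Vertical CPA as the slides describe it (one secret coefficient at a time, many short traces with known inputs), as an added simulation that is not from the slides. The traces are constructed: the leakage model (Hamming weight of the 32-bit accumulator after one multiply-and-accumulate, plus Gaussian noise), inputs uniform in [0, q), 200 traces, noise sigma 2.0, the sample point and the decision threshold 0.3 are all assumptions chosen for illustration; only q = 4591 comes from the sntrup761 parameters on the slides. The same correlation statistic is what an evaluator runs over real traces to check whether an implementation still leaks after a countermeasure is applied.

```python
"""Vertical CPA on a simulated Hamming-weight leakage of one multiply-and-accumulate.

Added example; not code from the slides. Everything below that is not on the
slides is an assumption chosen for illustration: the leakage model (Hamming
weight of the 32-bit accumulator plus Gaussian noise), inputs uniform in [0, q),
200 traces, noise sigma 2.0 and the decision threshold 0.3. Only q = 4591 comes
from the sntrup761 parameters on the slides.
"""
import math
import random

Q = 4591                 # sntrup761 modulus (from the slides)
MASK32 = (1 << 32) - 1   # Cortex-M4 register width


def hw32(v):
    """Hamming weight of v held in a 32-bit register (two's complement for negatives)."""
    return bin(v & MASK32).count("1")


def leak_mac(c_i, f_j, rng, sigma):
    """Constructed sample for the MAC acc = c_i * f_j: register Hamming weight plus noise."""
    return hw32(c_i * f_j) + rng.gauss(0.0, sigma)


def pearson(xs, ys):
    """Pearson correlation; 0.0 when a series is constant, which the f_j = 0 hypothesis always is."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0.0 or syy == 0.0:
        return 0.0
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / math.sqrt(sxx * syy)


def vertical_cpa(inputs, samples):
    """Correlate each candidate's predicted Hamming weight with the measured samples.

    inputs:  the known c_i fed into each of the N traces
    samples: the value at the MAC's sample point in each trace (same order)
    Returns {candidate: correlation} for the short-coefficient candidates -1, 0, 1.
    """
    return {cand: pearson([hw32(c * cand) for c in inputs], samples) for cand in (-1, 0, 1)}


def decide(scores, threshold=0.3):
    """Pick the coefficient. A zero coefficient has a constant hypothesis and hence
    correlation 0, so it is recognised by neither nonzero hypothesis correlating."""
    best = max((1, -1), key=lambda cand: scores[cand])
    return best if scores[best] >= threshold else 0


def recover_coefficient(true_f, n_traces=200, sigma=2.0, seed=1):
    """Simulate n_traces executions with random known inputs; return (guess, scores)."""
    rng = random.Random(seed)
    inputs = [rng.randrange(Q) for _ in range(n_traces)]
    samples = [leak_mac(c, true_f, rng, sigma) for c in inputs]
    scores = vertical_cpa(inputs, samples)
    return decide(scores), scores


if __name__ == "__main__":
    for f in (-1, 0, 1):
        guess, scores = recover_coefficient(f)
        print(f"true f_j = {f:2d}  guess = {guess:2d}  "
              + "  ".join(f"r({k:2d}) = {v:+.2f}" for k, v in sorted(scores.items())))
```

Two details matter in practice. The hypothesis for f_j = 0 predicts a constant Hamming weight, so its correlation is undefined; the guard in `pearson` returns 0 and `decide` treats "no nonzero candidate correlates" as the zero case, which is why a threshold rather than a plain argmax is needed. And because the wrong sign (-1 in place of +1) predicts the two's-complement Hamming weight of the same input, it shows up as a clearly negative correlation rather than as noise, which is what makes the ±1 decision robust at this noise level.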

  21-22. In-Depth CPA
     ❖ Vertical CPA: one coefficient at a time with multiple short traces
       ➢ How to squeeze more information from each short trace?
     ❖ In-Depth CPA: multiple coefficients at a time with one short trace
       ➢ The intermediate state of depends on the current and all the previous. ➝ Extend-and-Prune (mathematical symbols lost in extraction)

  23. Candidate Pruning
     ❖ Block Size m = 67 + Pruning Period n = 6

  24-25. Tail-Error Removal
     ❖ Tail Errors: at the end of the block
       ➢ In the current block recovery, the correlation still looks great.
       ➢ In the next block recovery, no hypotheses survive.
     ❖ Roll Back: by half a block
       ➢ once no hypotheses survive in the current block recovery.
       ➢ tail errors in the final block ➝ exhaustive search

  26-27. A Toy Example: m = 5, n = 2, l = 5 (figures)

  28-29. Horizontal In-Depth CPA (HIDCPA)
     ❖ In-Depth CPA: inefficient and inaccurate
       ➢ every m coefficients mapped to only m samples
       ➢ the lack of data ➝ ineffective candidate pruning
     ❖ Learn from horizontal attacks!
       ➢ Observe the calculation of. (mathematical symbol lost in extraction)
       ➢ For l ≪ p, we have nearly l times as many data.

  30-32. A Real-World Example: m = 67, n = 6, l = 5
     (three figures: The Top, showing a tail error; The Middle; The Bottom, corrected)

  33. Topics (agenda repeated)
     ● Lejla Batina, Lukasz Chmielewski, Louiza Papachristodoulou, Peter Schwabe, and Michael Tunstall. Online Template Attacks.

  34-35. Template Attacks
     ❖ What if the assumption of simple power models fails?
       ➢ Classical Correlation Attacks: the Hamming weight/distance models
       ➢ Classical Template Attacks: multivariate normal distribution
     ❖ The Profiling Stage
       ➢ numerous template traces + heavy computational power
     Can we mount template attacks with few template traces?

  36. Online Template Attacks (OTA)
     (figure; Step: 1 | 2, 4, 6, ... | 3, 5, 7, ...)
     Can we mount template attacks with fewer executions?

  37-38. The Chosen-Input Offline Variant
     ❖ Chosen-Input:
       ➢ enhancing the reusability of template traces
     ❖ Illegitimate Private Key: f* on the template generator
       ➢ generating all the required template traces within four executions
       ➢ and expressed as (mathematical symbols lost in extraction)

  39. Topics (agenda repeated)
     ● Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. Differential Power Analysis.

  40-41. Not Countermeasures
     ❖ Apply a random mask to each output coefficient.
       ➢ integer offsets added at the beginning and removed at the end
       ➢ subject to chosen-input SPA (CISPA)
     ❖ Shuffle multiply-and-accumulates for each output coefficient.
       ➢ input-coefficient pairs accessed in a random order
       ➢ subject to chosen-input SPA (CISPA)
     ● Mun-Kyu Lee et al. Countermeasures against Power Analysis Attacks for the NTRU Public Key Cryptosystem.

  42. CISPA on Countermeasure 2 (figure)

  43. CISPA on Countermeasure 1
     ❖ Two Stages: nonzero identification + clustering
     ❖ The First Stage: continuous? discontinuous?
       ➢ similar to CISPA on Countermeasure 2
       ➢ Zero or Nonzero: output coefficient ➝ private-key coefficient
