Assessment of the Key-Reuse Resilience of NewHope

Aurélie Bauer; Henri Gilbert; Guénaël Renault; Mélissa Rossi

doi:10.1007/978-3-030-12612-4_14

Assessment of the Key-Reuse Resilience of NewHope

Aurélie Bauer, Henri Gilbert, Guénaël Renault, Mélissa Rossi

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

NewHopeÂ is a suite of two efficient Ring-Learning-With-Error based key encapsulation mechanisms (KEMs) that has been proposed to the NIST call for proposals for post-quantum standardization. In this paper, we study the security of NewHopeÂ when an active adversary takes part in a key establishment protocol and is given access to an oracle, called key mismatch oracle, which indicates whether her guess of the shared key value derived by the party targeted by the attack is correct or not. This attack model turns out to be relevant in private key reuse situations since an attacker may then be able to access such an oracle repeatedly – either directly or using faults or side channels, depending on the considered instance of NewHope. Following this model we show that, by using NewHopeÂ recommended parameters, several thousands of queries are sufficient to recover the full private key with high probability. This result has been experimentally confirmed using Magma CASÂ implementation. While the presented key mismatch oracleÂ attacks do not break any of the designers’ security claims for the NewHopeÂ KEMs, they provide better insight into the resilience of these KEMs against key reuse. In the case of the CPA-KEM instance of NewHope, they confirm that key reuse (e.g. key caching at server side) should be strictly avoided, even for an extremely short duration. In the case of the CCA-KEM instance of NewHope, they allow to point out critical steps inside the CCA transform that should be carefully protected against faults or side channels in case of potential key reuse.

Original language	English
Title of host publication	Topics in Cryptology – CT-RSA 2019 - The Cryptographers’ Track at the RSA Conference 2019, Proceedings
Editors	Mitsuru Matsui
Publisher	Springer Verlag
Pages	272-292
Number of pages	21
ISBN (Print)	9783030126117
DOIs	https://doi.org/10.1007/978-3-030-12612-4_14
Publication status	Published - 1 Jan 2019
Externally published	Yes
Event	Cryptographers Track at the RSA Conference 2019, CT-RSA 2019 - San Francisco, United States Duration: 4 Mar 2019 → 8 Mar 2019

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	11405 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	Cryptographers Track at the RSA Conference 2019, CT-RSA 2019
Country/Territory	United States
City	San Francisco
Period	4/03/19 → 8/03/19

Keywords

Active attack
Lattice based cryptography
PQ-crypto
Side channels

Access to Document

10.1007/978-3-030-12612-4_14

Cite this

Bauer, A., Gilbert, H., Renault, G., & Rossi, M. (2019). Assessment of the Key-Reuse Resilience of NewHope. In M. Matsui (Ed.), Topics in Cryptology – CT-RSA 2019 - The Cryptographers’ Track at the RSA Conference 2019, Proceedings (pp. 272-292). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11405 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-030-12612-4_14

Bauer, Aurélie ; Gilbert, Henri ; Renault, Guénaël et al. / Assessment of the Key-Reuse Resilience of NewHope. Topics in Cryptology – CT-RSA 2019 - The Cryptographers’ Track at the RSA Conference 2019, Proceedings. editor / Mitsuru Matsui. Springer Verlag, 2019. pp. 272-292 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{c89e9006ce9b435fb9d5cfb774a8f86b,

title = "Assessment of the Key-Reuse Resilience of NewHope",

abstract = "NewHope{\^A} is a suite of two efficient Ring-Learning-With-Error based key encapsulation mechanisms (KEMs) that has been proposed to the NIST call for proposals for post-quantum standardization. In this paper, we study the security of NewHope{\^A} when an active adversary takes part in a key establishment protocol and is given access to an oracle, called key mismatch oracle, which indicates whether her guess of the shared key value derived by the party targeted by the attack is correct or not. This attack model turns out to be relevant in private key reuse situations since an attacker may then be able to access such an oracle repeatedly – either directly or using faults or side channels, depending on the considered instance of NewHope. Following this model we show that, by using NewHope{\^A} recommended parameters, several thousands of queries are sufficient to recover the full private key with high probability. This result has been experimentally confirmed using Magma CAS{\^A} implementation. While the presented key mismatch oracle{\^A} attacks do not break any of the designers{\textquoteright} security claims for the NewHope{\^A} KEMs, they provide better insight into the resilience of these KEMs against key reuse. In the case of the CPA-KEM instance of NewHope, they confirm that key reuse (e.g. key caching at server side) should be strictly avoided, even for an extremely short duration. In the case of the CCA-KEM instance of NewHope, they allow to point out critical steps inside the CCA transform that should be carefully protected against faults or side channels in case of potential key reuse.",

keywords = "Active attack, Lattice based cryptography, PQ-crypto, Side channels",

author = "Aur{\'e}lie Bauer and Henri Gilbert and Gu{\'e}na{\"e}l Renault and M{\'e}lissa Rossi",

note = "Publisher Copyright: {\textcopyright} 2019, Springer Nature Switzerland AG.; Cryptographers Track at the RSA Conference 2019, CT-RSA 2019 ; Conference date: 04-03-2019 Through 08-03-2019",

year = "2019",

month = jan,

day = "1",

doi = "10.1007/978-3-030-12612-4\_14",

language = "English",

isbn = "9783030126117",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "272--292",

editor = "Mitsuru Matsui",

booktitle = "Topics in Cryptology – CT-RSA 2019 - The Cryptographers{\textquoteright} Track at the RSA Conference 2019, Proceedings",

}

Bauer, A, Gilbert, H, Renault, G & Rossi, M 2019, Assessment of the Key-Reuse Resilience of NewHope. in M Matsui (ed.), Topics in Cryptology – CT-RSA 2019 - The Cryptographers’ Track at the RSA Conference 2019, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 11405 LNCS, Springer Verlag, pp. 272-292, Cryptographers Track at the RSA Conference 2019, CT-RSA 2019, San Francisco, United States, 4/03/19. https://doi.org/10.1007/978-3-030-12612-4_14

Assessment of the Key-Reuse Resilience of NewHope. / Bauer, Aurélie; Gilbert, Henri; Renault, Guénaël et al.
Topics in Cryptology – CT-RSA 2019 - The Cryptographers’ Track at the RSA Conference 2019, Proceedings. ed. / Mitsuru Matsui. Springer Verlag, 2019. p. 272-292 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11405 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Assessment of the Key-Reuse Resilience of NewHope

AU - Bauer, Aurélie

AU - Gilbert, Henri

AU - Renault, Guénaël

AU - Rossi, Mélissa

PY - 2019/1/1

Y1 - 2019/1/1

N2 - NewHopeÂ is a suite of two efficient Ring-Learning-With-Error based key encapsulation mechanisms (KEMs) that has been proposed to the NIST call for proposals for post-quantum standardization. In this paper, we study the security of NewHopeÂ when an active adversary takes part in a key establishment protocol and is given access to an oracle, called key mismatch oracle, which indicates whether her guess of the shared key value derived by the party targeted by the attack is correct or not. This attack model turns out to be relevant in private key reuse situations since an attacker may then be able to access such an oracle repeatedly – either directly or using faults or side channels, depending on the considered instance of NewHope. Following this model we show that, by using NewHopeÂ recommended parameters, several thousands of queries are sufficient to recover the full private key with high probability. This result has been experimentally confirmed using Magma CASÂ implementation. While the presented key mismatch oracleÂ attacks do not break any of the designers’ security claims for the NewHopeÂ KEMs, they provide better insight into the resilience of these KEMs against key reuse. In the case of the CPA-KEM instance of NewHope, they confirm that key reuse (e.g. key caching at server side) should be strictly avoided, even for an extremely short duration. In the case of the CCA-KEM instance of NewHope, they allow to point out critical steps inside the CCA transform that should be carefully protected against faults or side channels in case of potential key reuse.

AB - NewHopeÂ is a suite of two efficient Ring-Learning-With-Error based key encapsulation mechanisms (KEMs) that has been proposed to the NIST call for proposals for post-quantum standardization. In this paper, we study the security of NewHopeÂ when an active adversary takes part in a key establishment protocol and is given access to an oracle, called key mismatch oracle, which indicates whether her guess of the shared key value derived by the party targeted by the attack is correct or not. This attack model turns out to be relevant in private key reuse situations since an attacker may then be able to access such an oracle repeatedly – either directly or using faults or side channels, depending on the considered instance of NewHope. Following this model we show that, by using NewHopeÂ recommended parameters, several thousands of queries are sufficient to recover the full private key with high probability. This result has been experimentally confirmed using Magma CASÂ implementation. While the presented key mismatch oracleÂ attacks do not break any of the designers’ security claims for the NewHopeÂ KEMs, they provide better insight into the resilience of these KEMs against key reuse. In the case of the CPA-KEM instance of NewHope, they confirm that key reuse (e.g. key caching at server side) should be strictly avoided, even for an extremely short duration. In the case of the CCA-KEM instance of NewHope, they allow to point out critical steps inside the CCA transform that should be carefully protected against faults or side channels in case of potential key reuse.

KW - Active attack

KW - Lattice based cryptography

KW - PQ-crypto

KW - Side channels

U2 - 10.1007/978-3-030-12612-4_14

DO - 10.1007/978-3-030-12612-4_14

M3 - Conference contribution

AN - SCOPUS:85062783407

SN - 9783030126117

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 272

EP - 292

BT - Topics in Cryptology – CT-RSA 2019 - The Cryptographers’ Track at the RSA Conference 2019, Proceedings

A2 - Matsui, Mitsuru

PB - Springer Verlag

T2 - Cryptographers Track at the RSA Conference 2019, CT-RSA 2019

Y2 - 4 March 2019 through 8 March 2019

ER -

Bauer A, Gilbert H, Renault G, Rossi M. Assessment of the Key-Reuse Resilience of NewHope. In Matsui M, editor, Topics in Cryptology – CT-RSA 2019 - The Cryptographers’ Track at the RSA Conference 2019, Proceedings. Springer Verlag. 2019. p. 272-292. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-12612-4_14

Assessment of the Key-Reuse Resilience of NewHope

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Cite this