decryption oracle
Recently Published Documents
Author(s): Prasanna Ravi, Martianus Frederic Ezerman, Shivam Bhasin, Anupam Chattopadhyay, Sujoy Sinha Roy

In this work, we propose generic and novel side-channel assisted chosen-ciphertext attacks on NTRU-based key encapsulation mechanisms (KEMs). These KEMs are IND-CCA secure, that is, they are secure in the chosen-ciphertext model. Our attacks involve the construction of malformed ciphertexts. When decapsulated by the target device, these ciphertexts ensure that a targeted intermediate variable becomes very closely related to the secret key. An attacker who can obtain information about the secret-dependent variable through side channels can subsequently recover the full secret key. We propose several novel CCAs which can be carried out by using side-channel leakage from the decapsulation procedure. The attacks instantiate three different types of oracles, namely a plaintext-checking oracle, a decryption-failure oracle, and a full-decryption oracle, and are applicable to two NTRU-based schemes, NTRU and NTRU Prime. The two schemes are candidates in the ongoing NIST standardization process for post-quantum cryptography. We perform experimental validation of the attacks on optimized and unprotected implementations of NTRU-based schemes, taken from the open-source pqm4 library, using the EM-based side channel on the 32-bit ARM Cortex-M4 microcontroller. All of our proposed attacks are capable of recovering the full secret key in only a few thousand chosen-ciphertext queries on all parameter sets of NTRU and NTRU Prime. Our attacks therefore stress the need for concrete side-channel protection strategies for NTRU-based KEMs.


2019, Vol 73 (1), pp. 61-82
Author(s): Nicolas T. Courtois, Matteo Scarlata, Marios Georgiou

T-310 is an important Cold War cipher. The cipher is extremely complex and it outputs extremely few bits from the internal state. A recent paper [Courtois, N. T.: Decryption oracle slide attacks on T-310, Cryptologia, 42 (2018), no. 3, 191–204] shows an example of a highly anomalous key such that T-310 can be broken by a slide attack with a decryption oracle. In this paper, we show that the same attacks are also possible for regular keys which satisfy all the official KT1 requirements. Two other recent papers [Courtois, N. T.—Georgiou, M.—Scarlata, M.: Slide attacks and LC-weak keys in T-310, Cryptologia 43 (2019), no. 3, 175–189]; [Courtois, N. T.—Oprisanu, M. B.—Schmeh, K.: Linear cryptanalysis and block cipher design in East Germany in the 1970s, Cryptologia (published online), December 5, 2018] show that some of the KT1 keys are very weak w.r.t. Linear Cryptanalysis. In this paper, we show that a vast number of such weak keys exist and study the exact pre-conditions which make them weak. In addition we introduce a new third class of weak keys for RKDC (Related-Key Differential Cryptanalysis). We show that the original designers in the 1970s ensured that these RKDC properties cannot happen for 4 rounds. We have discovered that these properties can happen for as few as 5 rounds for some keys, and for 10 to 16 rounds they become hard to avoid. The main reason why we study weak keys is to show that none of these properties occur by accident, rather that they are governed by precise pre-conditions which guarantee their existence, and countless other keys with the same properties exist. Eventually, this is how interesting attacks can be found.


Author(s):  
Kannan Balasubramanian

To deal with active attacks on public key encryption, the notion of security against an adaptive chosen ciphertext attack has been defined by researchers. If an adversary can inject messages into a network, these messages may be ciphertexts, and the adversary may be able to extract partial information about the corresponding cleartexts through its interaction with parties in the network. Security against chosen ciphertext attack is defined using a “decryption oracle”. Given an encryption of a message (the “ciphertext”), we want to guarantee that the adversary cannot obtain any partial information about the message. A method of securing public key cryptosystems using hash functions is described in this chapter.
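The adaptive chosen-ciphertext game sketched in the abstract, as an added worked example (this is not code from the chapter and does not reproduce its particular hash-based method): a decryption oracle that answers every query except the challenge ciphertext itself, a one-query attack that recovers the plaintext of textbook RSA by exploiting its multiplicative malleability, and an RSA-KEM-style hardening in which the usable key is a hash of the random RSA preimage, so the same mauled query returns a hash of an unrelated value. The RSA parameters (two Mersenne primes, deliberately tiny), the plaintext and the KEM construction are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy textbook RSA. Parameters are constructed for this example: two Mersenne
# primes give a ~92-bit modulus, far too small for real use but instant to
# compute with.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def rsa_encrypt(m: int) -> int:
    """Textbook RSA: c = m^e mod N. Deterministic and malleable."""
    return pow(m, E, N)


def rsa_decrypt(c: int) -> int:
    return pow(c, D, N)


class DecryptionOracle:
    """Models the adaptive-CCA (CCA2) decryption oracle: the adversary may ask
    for the decryption of any ciphertext except the challenge itself."""

    def __init__(self, decrypt, challenge: int):
        self._decrypt = decrypt
        self._challenge = challenge
        self.queries = 0

    def query(self, c: int):
        if c == self._challenge:
            raise ValueError("the oracle refuses the challenge ciphertext")
        self.queries += 1
        return self._decrypt(c)


def cca_attack_textbook_rsa(challenge: int, oracle: DecryptionOracle) -> int:
    """Recover m from c = m^e mod N with a single oracle query.
    RSA is multiplicatively homomorphic: c * s^e mod N decrypts to m*s mod N,
    and the oracle answers because c * s^e != c. Then divide out s."""
    s = 2
    mauled = (challenge * pow(s, E, N)) % N
    m_times_s = oracle.query(mauled)
    return (m_times_s * pow(s, -1, N)) % N


# Hash-based hardening in the RSA-KEM style (an assumption for this example):
# the RSA payload is a random r and the usable key is H(r).
def kdf(r: int) -> bytes:
    return hashlib.sha256(r.to_bytes(12, "big")).digest()  # r < N < 2**96


def kem_encapsulate():
    """Returns (ciphertext, shared key)."""
    r = secrets.randbelow(N - 2) + 2  # keep r out of {0, 1}
    return rsa_encrypt(r), kdf(r)


def kem_decapsulate(c: int) -> bytes:
    return kdf(rsa_decrypt(c))


def cca_attack_kem(challenge: int, oracle: DecryptionOracle) -> bytes:
    """The same mauling now yields H(r*s mod N), which reveals nothing about
    H(r): the hash destroys the algebraic relation the RSA attack relied on."""
    s = 2
    return oracle.query((challenge * pow(s, E, N)) % N)


def demo():
    """Returns (textbook_rsa_broken, rsa_kem_broken)."""
    m = int.from_bytes(b"CCA demo", "big")  # constructed plaintext, m < N
    c = rsa_encrypt(m)
    recovered = cca_attack_textbook_rsa(c, DecryptionOracle(rsa_decrypt, c))

    c_kem, key = kem_encapsulate()
    guessed = cca_attack_kem(c_kem, DecryptionOracle(kem_decapsulate, c_kem))
    return recovered == m, guessed == key


if __name__ == "__main__":
    print("textbook RSA broken: %s, RSA-KEM broken: %s" % demo())
```

The oracle's only restriction is the exact challenge ciphertext, which is precisely why malleability is fatal: any ciphertext that is related to the challenge but not equal to it is a legal query. Hashing the decrypted value before it is ever used makes the answer to such a query computationally independent of the challenge key.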


Cryptologia, 2017, Vol 42 (3), pp. 191-204
Author(s): Nicolas Courtois
