Paper 2019/075

Assessment of the Key-Reuse Resilience of NewHope

Aurélie Bauer, Henri Gilbert, Guénaël Renault, and Mélissa Rossi

Abstract

NewHope is a suite of two efficient Ring-Learning-With-Error based key encapsulation mechanisms (KEMs) that has been proposed to the NIST call for proposals for post-quantum standardization. In this paper, we study the security of NewHope when an active adversary accesses a key establishment and is given access to an oracle, called key mismatch oracle, which indicates whether her guess of the shared key value derived by the party targeted by the attack is correct or not. This attack model turns out to be relevant in key reuse situations since an attacker may then be able to access such an oracle repeatedly with the same key either directly or using faults or side channels, depending on the considered instance of NewHope. Following this model we show that, by using NewHope recommended parameters, several thousands of queries are sufficient to recover the full private key with high probability. This result has been experimentally confirmed using Magma CAS implementation. While the presented key mismatch oracle attacks do not break any of the designers’ security claims for the NewHope KEMs, they provide better insight into the resilience of these KEMs against key reuse. In the case of the CPA-KEM instance of NewHope, they confirm that key reuse (e.g. key caching at server side) should be strictly avoided, even for an extremely short duration. In the case of the CCA-KEM instance of NewHope, they allow to point out critical steps inside the CCA transform that should be carefully protected against faults or side channels in case of potential key reuse.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published elsewhere. Minor revision. CT-RSA 2019
Keywords
Post-quantum cryptographylattice based cryptographyactive attackside channels
Contact author(s)
melissa rossi @ ens fr
History
2019-03-22: revised
2019-01-25: received
See all versions
Short URL
https://ia.cr/2019/075
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2019/075,
      author = {Aurélie Bauer and Henri Gilbert and Guénaël Renault and Mélissa Rossi},
      title = {Assessment of the Key-Reuse Resilience of {NewHope}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2019/075},
      year = {2019},
      url = {https://eprint.iacr.org/2019/075}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.