Cryptology ePrint Archive: Report 2019/075

Assessment of the Key-Reuse Resilience of NewHope

Aurélie Bauer and Henri Gilbert and Guénaël Renault and Mélissa Rossi

Abstract: NewHope is a suite of two efficient Ring-Learning-With-Error based key encapsulation mechanisms (KEMs) that has been proposed to the NIST call for proposals for post-quantum standardization. In this paper, we study the security of NewHope when an active adversary accesses a key establishment and is given access to an oracle, called key mismatch oracle, which indicates whether her guess of the shared key value derived by the party targeted by the attack is correct or not. This attack model turns out to be relevant in key reuse situations since an attacker may then be able to access such an oracle repeatedly with the same key either directly or using faults or side channels, depending on the considered instance of NewHope. Following this model we show that, by using NewHope recommended parameters, several thousands of queries are sufficient to recover the full private key with high probability. This result has been experimentally confirmed using Magma CAS implementation. While the presented key mismatch oracle attacks do not break any of the designers’ security claims for the NewHope KEMs, they provide better insight into the resilience of these KEMs against key reuse. In the case of the CPA-KEM instance of NewHope, they confirm that key reuse (e.g. key caching at server side) should be strictly avoided, even for an extremely short duration. In the case of the CCA-KEM instance of NewHope, they allow to point out critical steps inside the CCA transform that should be carefully protected against faults or side channels in case of potential key reuse.

Category / Keywords: public-key cryptography / Post-quantum cryptography, lattice based cryptography, active attack, side channels

Original Publication (with minor differences): CT-RSA 2019

Date: received 22 Jan 2019

Contact author: melissa rossi at ens fr

Available format(s): PDF | BibTeX Citation

Version: 20190125:221513 (All versions of this report)

Short URL: ia.cr/2019/075


[ Cryptology ePrint archive ]