Paper 2022/1125

A one-time single-bit fault leaks all previous NTRU-HRSS session keys to a chosen-ciphertext attack

Daniel J. Bernstein
Abstract

This paper presents an efficient attack that, in the standard IND-CCA2 attack model plus a one-time single-bit fault, recovers the NTRU-HRSS session key. This type of fault is expected to occur for many users through natural DRAM bit flips. In a multi-target IND-CCA2 attack model plus a one-time single-bit fault, the attack recovers every NTRU-HRSS session key that was encapsulated to the targeted public key before the fault. Software carrying out the full multi-target attack, using a simulated fault, is provided for verification. This paper also explains how a change in NTRU-HRSS in 2019 enabled this attack.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Published elsewhere. Minor revision. INDOCRYPT 2022
DOI
10.1007/978-3-031-22912-1_27
Keywords
chosen-ciphertext attacks, natural faults, implicit rejection
Contact author(s)
authorcontact-ntrw @ box cr yp to
History
2023-12-22: revised
2022-08-30: received
Short URL
https://ia.cr/2022/1125
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2022/1125,
      author = {Daniel J. Bernstein},
      title = {A one-time single-bit fault leaks all previous NTRU-HRSS session keys to a chosen-ciphertext attack},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1125},
      year = {2022},
      doi = {10.1007/978-3-031-22912-1_27},
      note = {\url{https://eprint.iacr.org/2022/1125}},
      url = {https://eprint.iacr.org/2022/1125}
}