Assessment of the Key-Reuse Resilience of NewHope


Ontology type: schema:Chapter      Open Access: True


Chapter Info

DATE

2019-02-03

AUTHORS

Aurélie Bauer , Henri Gilbert , Guénaël Renault , Mélissa Rossi

ABSTRACT

NewHope is a suite of two efficient Ring-Learning-With-Errors based key encapsulation mechanisms (KEMs) that has been submitted to the NIST call for proposals for post-quantum standardization. In this paper, we study the security of NewHope when an active adversary takes part in a key establishment protocol and is given access to an oracle, called a key mismatch oracle, which indicates whether or not her guess of the shared key value derived by the party targeted by the attack is correct. This attack model turns out to be relevant in private key reuse situations, since an attacker may then be able to query such an oracle repeatedly, either directly or using faults or side channels, depending on the considered instance of NewHope. Following this model we show that, with the NewHope recommended parameters, several thousand queries are sufficient to recover the full private key with high probability. This result has been experimentally confirmed with an implementation in the Magma computer algebra system. While the presented key mismatch oracle attacks do not break any of the designers' security claims for the NewHope KEMs, they provide better insight into the resilience of these KEMs against key reuse. In the case of the CPA-KEM instance of NewHope, they confirm that key reuse (e.g. key caching at server side) should be strictly avoided, even for an extremely short duration. In the case of the CCA-KEM instance of NewHope, they point out critical steps inside the CCA transform that should be carefully protected against faults or side channels in case of potential key reuse.
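
The key mismatch oracle model described in the abstract, as an added example that is neither the paper's code nor the NewHope submission's: a deliberately simplified Ring-LWE KEM (one key bit per coefficient, no ciphertext compression, toy ring degree N = 16 with NewHope's modulus q = 12289) and a server that keeps a static key pair across sessions. The attacker sends crafted ciphertexts with u = 1 and a single non-zero coefficient in v, and binary-searches each secret coefficient through the oracle; the same attacker against an FO-style CCA decapsulation learns nothing, because re-encryption rejects every crafted ciphertext, which is why a fault or side channel on that comparison step is what would reinstate the oracle. The parameter set, the `ReusingServer` class, the `recover_secret` strategy and the query bookkeeping are all assumptions of this toy; the real attack on NewHope has to cope with its 4-coefficient key encoding and compression and needs the several thousand queries the paper reports.

```python
import hashlib
import random

# Toy parameters for a simplified Ring-LWE KEM over Z_q[x]/(x^N + 1) (my own choice, not a
# NewHope parameter set): q is NewHope's modulus, N is tiny so the example runs instantly,
# and each key bit is encoded in a single coefficient.
N, Q, ETA = 16, 12289, 4

def poly_mul(a, b):
    """Negacyclic convolution: multiplication modulo x^N + 1 and q."""
    r = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                r[k] = (r[k] + ai * bj) % Q
            else:
                r[k - N] = (r[k - N] - ai * bj) % Q   # x^N = -1
    return r

def poly_add(a, b): return [(x + y) % Q for x, y in zip(a, b)]
def poly_sub(a, b): return [(x - y) % Q for x, y in zip(a, b)]
def small(rng):     return [rng.randint(-ETA, ETA) % Q for _ in range(N)]
def kdf(bits):      return hashlib.sha256(bytes(bits)).digest()
def encode(bits):   return [b * (Q // 2) for b in bits]                          # 0 -> 0, 1 -> q/2
def decode(poly):   return [1 if abs(c - Q // 2) < Q // 4 else 0 for c in poly]  # nearest of {0, q/2}

def keygen(rng, a):
    s, e = small(rng), small(rng)
    return s, poly_add(poly_mul(a, s), e)              # sk = s, pk = b = a*s + e

def encrypt(a, b, m, coins):
    """Encrypt message bits m under pk (a, b); all randomness is derived from `coins`."""
    rng = random.Random(coins)
    sp, ep, epp = small(rng), small(rng), small(rng)
    u = poly_add(poly_mul(a, sp), ep)
    v = poly_add(poly_add(poly_mul(b, sp), epp), encode(m))
    return (u, v)

def encaps(a, b, seed):
    """Client side: random m, FO-style coins = H(m), shared key K = KDF(m)."""
    rng = random.Random(seed)
    m = [rng.randint(0, 1) for _ in range(N)]
    coins = int.from_bytes(hashlib.sha256(bytes(m)).digest(), "big")
    return encrypt(a, b, m, coins), kdf(m)

def decaps_cpa(s, ct):
    """CPA-KEM decapsulation: trusts the ciphertext and returns KDF(m') unconditionally."""
    u, v = ct
    return kdf(decode(poly_sub(v, poly_mul(u, s))))

def decaps_cca(s, a, b, z, ct):
    """FO-style CCA decapsulation: re-encrypt m' and implicitly reject if ct differs."""
    u, v = ct
    m2 = decode(poly_sub(v, poly_mul(u, s)))
    coins = int.from_bytes(hashlib.sha256(bytes(m2)).digest(), "big")
    if encrypt(a, b, m2, coins) == ct:                 # the comparison a fault must not skip
        return kdf(m2)
    return hashlib.sha256(z + repr(ct).encode()).digest()   # pseudorandom rejection key

class ReusingServer:
    """Victim that keeps one static key pair across sessions (the key-reuse setting)."""
    def __init__(self, seed, cca):
        rng = random.Random(seed)
        self.a = [rng.randrange(Q) for _ in range(N)]
        self.s, self.b = keygen(rng, self.a)
        self.z = bytes(rng.randrange(256) for _ in range(32))   # implicit-rejection secret
        self.cca, self.queries = cca, 0

    def key_mismatch_oracle(self, ct, guessed_key):
        """True iff the attacker's guess equals the key the server derived from ct; in a real
        protocol this is observed as the server accepting or rejecting the next message."""
        self.queries += 1
        k = decaps_cca(self.s, self.a, self.b, self.z, ct) if self.cca else decaps_cpa(self.s, ct)
        return k == guessed_key

def recover_secret(server):
    """Key mismatch attack on the toy CPA-KEM. With u = 1 the server decodes v - s. Every
    coefficient of v is 0 (decodes to 0 since |s_i| <= ETA) except v_j = t, and bit j flips
    from 0 to 1 exactly when t - s_j reaches q/4 + 1, so the smallest t that makes the
    oracle answer True, found by binary search, reveals s_j."""
    one = [1] + [0] * (N - 1)
    base = Q // 4 + 1
    recovered = []
    for j in range(N):
        guess = [0] * N
        guess[j] = 1
        want = kdf(guess)
        lo, hi = base - ETA, base + ETA + 1            # t = base + s_j lies in [lo, hi)
        while lo < hi:
            mid = (lo + hi) // 2
            v = [0] * N
            v[j] = mid
            if server.key_mismatch_oracle((one, v), want):
                hi = mid
            else:
                lo = mid + 1
        v = [0] * N
        v[j] = lo
        if not server.key_mismatch_oracle((one, v), want):
            return None                                # oracle never confirms: attack fails
        recovered.append((lo - base) % Q)
    return recovered

if __name__ == "__main__":
    cpa = ReusingServer(seed=1, cca=False)
    print("CPA-KEM, reused key: recovered =", recover_secret(cpa) == cpa.s, "queries =", cpa.queries)
    cca = ReusingServer(seed=1, cca=True)
    print("CCA-KEM, reused key: recovered =", recover_secret(cca), "queries =", cca.queries)
```

Against the CPA server the whole secret comes back in about five oracle queries per coefficient, which is the "key caching at server side must be avoided" point made concrete; against the CCA server the same queries are all implicitly rejected, so the oracle is only reachable through the re-encryption comparison the abstract flags as the step to protect.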

PAGES

272-292

Identifiers

URI

http://scigraph.springernature.com/pub.10.1007/978-3-030-12612-4_14

DOI

http://dx.doi.org/10.1007/978-3-030-12612-4_14

DIMENSIONS

https://app.dimensions.ai/details/publication/pub.1111894767



JSON-LD is the canonical representation for SciGraph data.


[
  {
    "@context": "https://springernature.github.io/scigraph/jsonld/sgcontext.json", 
    "about": [
      {
        "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/08", 
        "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
        "name": "Information and Computing Sciences", 
        "type": "DefinedTerm"
      }, 
      {
        "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/0804", 
        "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
        "name": "Data Format", 
        "type": "DefinedTerm"
      }
    ], 
    "author": [
      {
        "affiliation": {
          "alternateName": "ANSSI, Paris, France", 
          "id": "http://www.grid.ac/institutes/None", 
          "name": [
            "ANSSI, Paris, France"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Bauer", 
        "givenName": "Aur\u00e9lie", 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "UVSQ, Versailles, France", 
          "id": "http://www.grid.ac/institutes/grid.12832.3a", 
          "name": [
            "ANSSI, Paris, France", 
            "UVSQ, Versailles, France"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Gilbert", 
        "givenName": "Henri", 
        "id": "sg:person.012771236207.08", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.012771236207.08"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "Sorbonne Universit\u00e9, CNRS, Inria, Laboratoire d\u2019Informatique de Paris 6, LIP6, \u00c9quipe PolSys, Paris, France", 
          "id": "http://www.grid.ac/institutes/grid.462751.3", 
          "name": [
            "ANSSI, Paris, France", 
            "Sorbonne Universit\u00e9, CNRS, Inria, Laboratoire d\u2019Informatique de Paris 6, LIP6, \u00c9quipe PolSys, Paris, France"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Renault", 
        "givenName": "Gu\u00e9na\u00ebl", 
        "id": "sg:person.014126756314.83", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.014126756314.83"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "D\u00e9partement d\u2019informatique de l\u2019Ecole normale sup\u00e9rieure, CNRS, PSL Research University, Inria, Paris, France", 
          "id": "http://www.grid.ac/institutes/grid.503141.2", 
          "name": [
            "Thales, Gennevilliers, France", 
            "D\u00e9partement d\u2019informatique de l\u2019Ecole normale sup\u00e9rieure, CNRS, PSL Research University, Inria, Paris, France"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Rossi", 
        "givenName": "M\u00e9lissa", 
        "id": "sg:person.010543270346.40", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.010543270346.40"
        ], 
        "type": "Person"
      }
    ], 
    "datePublished": "2019-02-03", 
    "datePublishedReg": "2019-02-03", 
    "description": "NewHope\u00a0is a suite of two efficient Ring-Learning-With-Error based key encapsulation mechanisms (KEMs) that has been proposed to the NIST call for proposals for post-quantum standardization. In this paper, we study the security of NewHope\u00a0when an active adversary takes part in a key establishment protocol and is given access to an oracle, called key mismatch oracle, which indicates whether her guess of the shared key value derived by the party targeted by the attack is correct or not. This attack model turns out to be relevant in private key reuse situations since an attacker may then be able to access such an oracle repeatedly \u2013 either directly or using faults or side channels, depending on the considered instance of NewHope. Following this model we show that, by using NewHope\u00a0recommended parameters, several thousands of queries are sufficient to recover the full private key with high probability. This result has been experimentally confirmed using Magma CAS\u00a0implementation. While the presented key mismatch oracle\u00a0attacks do not break any of the designers\u2019 security claims for the NewHope\u00a0KEMs, they provide better insight into the resilience of these KEMs against key reuse. In the case of the CPA-KEM instance of NewHope, they confirm that key reuse (e.g. key caching at server side) should be strictly avoided, even for an extremely short duration. In the case of the CCA-KEM instance of NewHope, they allow to point out critical steps inside the CCA transform that should be carefully protected against faults or side channels in case of potential key reuse.", 
    "editor": [
      {
        "familyName": "Matsui", 
        "givenName": "Mitsuru", 
        "type": "Person"
      }
    ], 
    "genre": "chapter", 
    "id": "sg:pub.10.1007/978-3-030-12612-4_14", 
    "isAccessibleForFree": true, 
    "isPartOf": {
      "isbn": [
        "978-3-030-12611-7", 
        "978-3-030-12612-4"
      ], 
      "name": "Topics in Cryptology \u2013 CT-RSA 2019", 
      "type": "Book"
    }, 
    "keywords": [
      "key encapsulation mechanism", 
      "key reuse", 
      "key establishment protocol", 
      "side channels", 
      "thousands of queries", 
      "full private key", 
      "NewHope", 
      "Ring Learning", 
      "active adversary", 
      "establishment protocol", 
      "attack model", 
      "reuse situations", 
      "private key", 
      "security claims", 
      "encapsulation mechanism", 
      "NIST call", 
      "oracle", 
      "key values", 
      "reuse", 
      "attacks", 
      "short duration", 
      "adversary", 
      "attacker", 
      "instances", 
      "queries", 
      "security", 
      "faults", 
      "designers", 
      "key", 
      "high probability", 
      "implementation", 
      "cases", 
      "duration", 
      "critical step", 
      "suite", 
      "error", 
      "proposal", 
      "protocol", 
      "access", 
      "model", 
      "channels", 
      "thousands", 
      "transform", 
      "assessment", 
      "calls", 
      "standardization", 
      "guess", 
      "parties", 
      "situation", 
      "CAS", 
      "better insight", 
      "resilience", 
      "step", 
      "mechanism", 
      "probability", 
      "part", 
      "results", 
      "values", 
      "parameters", 
      "insights", 
      "claims", 
      "paper"
    ], 
    "name": "Assessment of the Key-Reuse Resilience of NewHope", 
    "pagination": "272-292", 
    "productId": [
      {
        "name": "dimensions_id", 
        "type": "PropertyValue", 
        "value": [
          "pub.1111894767"
        ]
      }, 
      {
        "name": "doi", 
        "type": "PropertyValue", 
        "value": [
          "10.1007/978-3-030-12612-4_14"
        ]
      }
    ], 
    "publisher": {
      "name": "Springer Nature", 
      "type": "Organisation"
    }, 
    "sameAs": [
      "https://doi.org/10.1007/978-3-030-12612-4_14", 
      "https://app.dimensions.ai/details/publication/pub.1111894767"
    ], 
    "sdDataset": "chapters", 
    "sdDatePublished": "2022-11-24T21:11", 
    "sdLicense": "https://scigraph.springernature.com/explorer/license/", 
    "sdPublisher": {
      "name": "Springer Nature - SN SciGraph project", 
      "type": "Organization"
    }, 
    "sdSource": "s3://com-springernature-scigraph/baseset/20221124/entities/gbq_results/chapter/chapter_116.jsonl", 
    "type": "Chapter", 
    "url": "https://doi.org/10.1007/978-3-030-12612-4_14"
  }
]

HOW TO GET THIS DATA PROGRAMMATICALLY:

JSON-LD is a popular format for linked data which is fully compatible with JSON.

curl -H 'Accept: application/ld+json' 'https://scigraph.springernature.com/pub.10.1007/978-3-030-12612-4_14'

N-Triples is a line-based linked data format ideal for batch operations.

curl -H 'Accept: application/n-triples' 'https://scigraph.springernature.com/pub.10.1007/978-3-030-12612-4_14'

Turtle is a human-readable linked data format.

curl -H 'Accept: text/turtle' 'https://scigraph.springernature.com/pub.10.1007/978-3-030-12612-4_14'

RDF/XML is a standard XML format for linked data.

curl -H 'Accept: application/rdf+xml' 'https://scigraph.springernature.com/pub.10.1007/978-3-030-12612-4_14'

