WO2009084752A1 - A secure method for calculating a polynomial convolution operation for an ntru cryptosystem - Google Patents


Info

Publication number: WO2009084752A1
Authority: WO (WIPO, PCT)
Prior art keywords: polynomial, convolution operation, array, ntru, cryptosystem
Application number: PCT/KR2007/006988
Other languages: French (fr)
Inventor: Mun-Kyu Lee
Original Assignee: Inha-Industry Partnership Institute
Application filed by Inha-Industry Partnership Institute
Publication of WO2009084752A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3093: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy, involving lattices or polynomial equations, e.g. NTRU scheme
    • H04L9/002: Countermeasures against attacks on cryptographic mechanisms
    • H04L9/003: Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • ZN denotes an addition operation in which one operand is zero and the other is non-zero.
  • NN denotes an addition operation in which both operands are non-zero.
  • FIG. 2 is a view illustrating an example of an algorithm for implementing a polynomial convolution method for protection against SPA attack, according to an embodiment of the present invention.
  • In this algorithm every element of the array t is initialized not to zero but to q, so that no addition with a zero operand is performed and all addition operations have similar power consumption patterns. Therefore the SPA attack, which relies on distinguishing additions of zero, is prevented. Also, since the algorithm of Figure 2 performs no additional operation other than the changed initialization, adding the SPA countermeasure does not degrade its performance.
  • Rows 1 to 3 in the algorithm of Figure 2 correspond to a step for initializing every element of the array t(X) to the non-zero initial value q.
  • The array t(X) stores the polynomial convolution operation result of a first polynomial c(X), corresponding to a 'public key' or a 'ciphertext', and an arbitrarily selectable second polynomial a(X).
  • Rows 4 to 11 correspond to a step for storing the convolution operation result of the first polynomial c(X) and the second polynomial a(X) in the array t(X) that was initialized to the non-zero initial value.
  • Row 2 in the algorithm of Figure 2 stores the same non-zero initial value q in every element of the array t(X) that will hold the polynomial convolution operation result. Since this initial value equals the operand q of the modulo operation, it vanishes in the final reduction mod q, and no separate step subtracting the initial value from every element of the array after the convolution is needed.
  • Although the algorithm makes an addition of zero to a number indistinguishable from an addition of two non-zero numbers, a minute difference in power consumption may still arise from the difference between the operands of the addition operation.
  • This difference can hardly be detected by a simple attack method such as SPA, but it can be detected by an enhanced attack method such as DPA.
  • An attacker using DPA against an NTRU implementation applies a variety of general polynomials c(X) to a fixed binary polynomial a(X) (hence a fixed array b) and measures the power consumption pattern for each. The attacker then statistically analyzes the measured power consumption patterns and discovers information about the array b. Since the attacker has far more power consumption data than in SPA, minute differences that cannot be detected from a single measurement accumulate, and the attack succeeds with greater accuracy.
  • Specifically, the attacker can detect a minute difference in power consumption between the case where the result value of t_{k+b[j]} + c_k at row 6 in the algorithm of Figure 1 has a lowest bit of 0 and the case where it has a lowest bit of 1.
  • FIG. 3 is a view illustrating an example of an algorithm for implementing a polynomial convolution method for protection against DPA attack, according to an embodiment of the present invention.
  • This algorithm is designed so that the same input produces different power consumption patterns each time the algorithm runs, by initializing every element of the array t to a random number. After the operation completes, the corresponding random number is removed to correct the result. Alternatively, every element of the array t may be initialized with the same random value. This prevents a DPA attack, which relies on the assumption that the same input produces the same power consumption.
  • Rows 1 to 3 in the algorithm of Figure 3 perform a step for generating, at random, the initial values used to initialize every element of the array t(X).
  • The array t(X) stores a polynomial convolution operation result.
  • Rows 4 to 6 perform a step for initializing every element of the array t(X) with the randomly generated initial values.
  • Rows 12 to 14 perform a step for subtracting the randomly generated value from the stored polynomial convolution operation result.
  • FIGS. 4 and 5 are graphs illustrating experimental results when the DPA attack is performed on the algorithm of Figure 1, which employs no protection against power analysis attack.
  • The horizontal and vertical axes of the graphs denote time and the magnitude of the power signal, respectively.
  • The attacker guesses b[j], the j-th element of the array b, which is fixed but unknown to the attacker, and runs the algorithm of Figure 1 for a plurality of different polynomials c(X). The attacker then sorts the result values t_{k+b[j]} + c_k, as predicted under that guess, according to their lowest bit. When the guess fails, the amplification signal shows no particular peak, only random values of amplitude approximately zero distributed symmetrically about the horizontal axis, as shown in Figure 4.
  • FIGS. 6 and 7 are views illustrating examples of an algorithm for implementing a polynomial convolution method for protection against DPA attacks, according to another embodiment of the present invention.
  • Each of these algorithms is designed so that the same input produces different power consumption patterns each time the algorithm runs, by initializing every element of the array t to random numbers. After the operation completes, the corresponding random number is removed to correct the result. Alternatively, every element of the array t may be initialized with the same random value. Therefore these algorithms prevent DPA attacks conducted on the assumption that the same input produces the same power consumption.
  • Although the algorithms of Figures 3, 6 and 7 are described for the case where the polynomial a(X) is a binary polynomial, they can also be applied to a product-form polynomial.

Abstract

A secure method is disclosed for calculating a polynomial convolution operation for an NTRU cryptosystem, a public-key cryptosystem. The method calculates the polynomial convolution of a first polynomial (corresponding to a public key or a ciphertext) and an arbitrarily selectable second polynomial in NTRU encryption and decryption. The method comprises: (1) initializing the respective elements of an array to a non-zero initial value; and (2) storing the polynomial convolution result of the first and second polynomials in the array so initialized. The method provides a secure cryptosystem in which the polynomial convolution operation, the primary operation of an NTRU cryptosystem, resists power analysis attacks, and a method for blocking power analysis attacks such as simple power analysis (SPA) and differential power analysis (DPA). The method prevents power analysis attacks without large overhead and thus performs the polynomial convolution efficiently, keeping the performance of the security system above a certain level.

Description

A SECURE METHOD FOR CALCULATING A POLYNOMIAL CONVOLUTION OPERATION FOR AN NTRU CRYPTOSYSTEM
Technical Field
[1] The present invention relates to a method for calculating a polynomial convolution operation for an n-th degree truncated polynomial ring (NTRU) cryptosystem, a public-key cryptosystem. More particularly, it relates to a method for configuring a secure security system, through operation unification and randomization, against a power analysis attack that recovers secret key information by measuring power consumption patterns of the security system.
Background Art
[2] In recent years, with the exchange of important private information over wired and wireless networks for internet shopping, internet banking, and electronic funds transfers through bank cards, credit cards, and mobile communication terminals, the importance of protecting information has increased. In line with this, cryptosystems, which establish the theoretical basis for protecting private information, have also gradually come under the spotlight. These cryptosystems have been standardized by a variety of standardization organizations for about 30 years and implemented in a variety of ways, in both hardware and software.
[3] The n-th degree truncated polynomial ring (NTRU) cryptosystem, developed recently, is a type of public key encryption that can provide a variety of security levels according to the choice of parameters. When the NTRU cryptosystem is tuned to the same security level as the conventional Rivest-Shamir-Adleman (RSA) and elliptic curve cryptosystems, it performs encryption and decryption much faster than either. Therefore the NTRU cryptosystem has drawn attention as a next generation public key encryption. Recently the IEEE has considered the NTRU cryptosystem for a next generation standard, IEEE P1363.1, which complements the standard IEEE P1363 covering the conventional RSA and elliptic curve cryptosystems. The standardization has progressed substantially and yielded Draft 9 in 2007.
[4] Since the security of a cryptosystem rests on key protection, when a cryptosystem is implemented it is important to protect the keys in the system and to perform the operations directly involving the key so that no key-related information leaks. However, when a cryptosystem is implemented in a relatively small system, for example a smart card or an embedded system, external attackers can accurately measure the power consumption patterns of the system, owing to the simplicity of its structure, and guess the key; this is called a power analysis attack. Even for a theoretically secure cryptosystem, the power analysis attack is a very strong attack that can physically defeat the encryption in its implementation. For RSA and the elliptic curve cryptosystem a variety of countermeasures against power analysis attacks have been developed, but similar methods for the NTRU cryptosystem had not yet been developed.
Disclosure of Invention
Technical Problem
[5] The present invention solves the above problems and provides: a secure cryptosystem designed so that the polynomial convolution operation, the primary operation of an NTRU cryptosystem, resists power analysis attacks; and a method for blocking power analysis attacks such as simple power analysis (SPA) and differential power analysis (DPA).
[6] The present invention further provides a method that can prevent power analysis attacks without large overheads and thus efficiently perform a polynomial convolution operation, thereby maintaining the performance of a security system above a certain level.
Technical Solution
[7] In accordance with an exemplary embodiment of the present invention, the present invention provides a method for calculating a polynomial convolution operation with a first polynomial (which corresponds to a public key or a ciphertext) and a second polynomial arbitrarily selectable in n-th degree truncated polynomial ring (NTRU) encryption and NTRU decryption, the method including: (1) initializing respective elements of an array by an initial value that is not zero; and (2) storing the polynomial convolution operation result of the first and second polynomials in the array initialized by the initial value that is not zero.
[8] Preferably, the initial value is the same value at all the elements of the array.
[9] Preferably, the same value is identical to that of an operand in a modulo operation for the NTRU encryption.
[10] Preferably, the initial value comprises randomly generated values for the respective elements of the array.
[11] Preferably, the method may further include subtracting the randomly generated value from the polynomial convolution operation result stored in the array.
[12] Preferably, the second polynomial includes a product-form polynomial.
Advantageous Effects
[13] As described above, the polynomial convolution operation method according to the present invention can provide: a secure cryptosystem designed so that the polynomial convolution operation, the primary operation of an NTRU cryptosystem, resists power analysis attacks; and a method for blocking power analysis attacks such as simple power analysis (SPA) and differential power analysis (DPA).
[14] Also, the polynomial convolution operation method can provide a method that prevents power analysis attacks without large overheads and thus efficiently performs a polynomial convolution operation, thereby maintaining the performance of a security system above a certain level.
[15] Additionally, the polynomial convolution operation method can provide security to: smart cards, such as credit cards, cash cards, and transportation cards; one time password (OTP) devices, one of the next generation security means that replace the conventional security cards (tables of random numbers) used for internet banking; the universal subscriber identity module (USIM) that must be used in 3rd generation mobile communication such as WCDMA; and embedded systems.
[16] Furthermore, the polynomial convolution operation method can provide security to all systems other than the foregoing systems listed above, susceptible to power analysis attack.
Brief Description of Drawings
[17] The features and advantages of the present invention will be more apparent from the following detailed description in conjunction with the accompanying drawings, in which:
[18] Figure 1 is a view illustrating an example of an algorithm for implementing a polynomial convolution operation, which is a primary operation in an NTRU cryptosystem, according to the present invention;
[19] Figure 2 is a view illustrating an example of an algorithm for implementing a polynomial convolution method for protection against SPA attack, according to an embodiment of the present invention;
[20] Figure 3 is a view illustrating an example of an algorithm for implementing a polynomial convolution method for protection against DPA attack, according to an embodiment of the present invention;
[21] Figures 4 and 5 are graphs illustrating experimental results when the DPA attack is performed using the algorithm of Figure 1, which does not employ protection against power analysis attacks; and
[22] Figures 6 and 7 are views illustrating examples of an algorithm for implementing a polynomial convolution method for protection against DPA attacks, according to another embodiment of the present invention.
[24] <Brief Description of Symbols in the Drawings>
[25] c(X): a first polynomial corresponding to a 'public key' or 'ciphertext'
[26] a(X): a second polynomial that is arbitrarily selectable
[27] t(X): an array for storing polynomial convolution operation results
[28] b: an array indicating which of the coefficients of a(X), a binary polynomial having N coefficients, are 1
[29] q: the operand in the modulo operation
[30] r: an initial value generated at random
Best Mode for Carrying out the Invention
[31] Hereinafter, exemplary embodiments of the present invention are described in detail with reference to the accompanying drawings.
[32] First, the polynomial convolution operation and the NTRU public key cryptosystem will be briefly described, followed by the polynomial convolution operation method according to the present invention.
[33]
[34] 1. Polynomial convolution operation
[35] Let Z be the set of integers. The polynomial ring over Z, denoted Z[X], is the set of all polynomials with integer coefficients. The quotient ring R is defined as $R = \mathbb{Z}[X]/(X^N - 1)$, i.e. the set of all remainders that can arise when an arbitrary polynomial with integer coefficients is divided by $X^N - 1$. An element a of R can therefore be written either as a polynomial or as a vector, as in equation (1):
[36] $a(X) = \sum_{i=0}^{N-1} a_i X^i = [a_0, a_1, \ldots, a_{N-1}]$ (1)
[37] The convolution product c = a * b of two elements a and b of R has coefficients given by equation (2):
[38] $c_k = \sum_{i=0}^{k} a_i b_{k-i} + \sum_{i=k+1}^{N-1} a_i b_{N+k-i} = \sum_{i+j \equiv k \pmod N} a_i b_j$ (2)
[39] where $X^N \equiv 1 \pmod{X^N - 1}$.
[40] In general the operation requires $N^2$ integer multiplications, which is a large amount of computation. However, in the polynomial convolution used by NTRU one of the elements a and b has small coefficients, so the computation of a * b is very fast.
[41]
[42] 2. NTRU public key cryptosystem
[43] A variety of NTRU cryptosystems exist; the improved version proposed by Hoffstein or Bailey is as follows:
[44] - NTRU is set up by three public parameters N, p and q, where p and q are coprime, i.e. gcd(p, q) = 1, and p ≪ q.
[45] - Coefficients of a polynomial are reduced mod p or mod q.
[46] - The inverse of a polynomial f mod q, denoted $f^{-1} \bmod q$, is defined as the polynomial satisfying $f * f^{-1} \equiv 1 \pmod q$, where mod q means that every coefficient of the polynomial is reduced mod q, i.e. replaced by its remainder after division by q.
[47] The working draft of standard IEEE P1363.1 proposes a set of typical parameters for NTRU, one of which is (N, p, q) = (251, 2, 197).
[48]
[49] 2.1 Key generation
[50] Choose polynomials F and g with small coefficients in R and compute $f := 1 + pF$ and $h := p\, f^{-1} * g \bmod q$. Here mod q means that every coefficient of the polynomial is reduced mod q, i.e. replaced by its remainder after division by q. The private key is the polynomial f and the public key is the polynomial h.
[51]
[52] 2.2 Encryption
[53] Let m be a polynomial representing a message. A polynomial r of degree at most N-1 with small coefficients is chosen at random, and the ciphertext e is computed as $e := r * h + m \bmod q$.
[54]
[55] 2.3 Decryption
[56] To decrypt the ciphertext e, the element $a := e * f \bmod q$ is computed first. The coefficients of a are chosen to satisfy $A \le a_i < A + q$, where A is a fixed value determined by a simple formula depending on the remaining parameters. The plaintext is then recovered as $m := a \bmod p$.
[57]
[58] 2.4 Validity of decryption
[59] The polynomial a computed in Section 2.3 satisfies equation (3):
[60] $a \equiv e * f \equiv (r * h + m) * f \equiv p\, r * g + m * f \pmod q$ (3)
since $e \equiv r * h + m$ and $h * f \equiv p\, g * f^{-1} * f \equiv p\, g \pmod q$.
[61] Consider the final polynomial $p\, r * g + m * f$. By choosing the parameters appropriately, its coefficients can be made to fall within an interval of length less than q. Therefore the polynomial a can be recovered exactly, as in equation (4):
[62] $a = p\, r * g + m * f = p\, r * g + m * (1 + pF)$ (4)
[63] Hence m is obtained not merely mod q but by an exact equality, i.e. $m = a \bmod p$.
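The ring arithmetic of Sections 1 and 2, worked through as an added Python example (it is not part of the patent and not the IEEE P1363.1 reference code): the convolution of equation (2), key generation with f = 1 + pF and h = p f^{-1} * g mod q, encryption, and the centred decryption behind equations (3) and (4). The parameter set (N, p, q) = (7, 3, 29) and the polynomials F, g, r and m are constructed for illustration only and provide no security. The inverse is computed with a Fermat-style exponentiation that is valid because q is prime and does not divide N; that is this example's shortcut, not the patent's or the standard's inversion method.

```python
import math

# Added example (not the patent's code): the toy NTRU of Sections 1 and 2.
# (N, p, q) = (7, 3, 29) and all polynomials below are constructed for illustration
# and give no security. Polynomials are coefficient lists, index = power of X.
N, P, Q = 7, 3, 29

def conv(a, b, n=N):
    """Convolution product of equation (2): c_k = sum over i+j = k (mod n) of a_i b_j."""
    c = [0] * n
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                c[(i + j) % n] += ai * bj
    return c

def mod_q(a, q):
    """Reduce every coefficient into [0, q), the patent's meaning of 'mod q'."""
    return [x % q for x in a]

def center(a, q):
    """Lift coefficients from [0, q) into (-q/2, q/2]: the choice A <= a_k < A + q
    of Section 2.3 with A = -(q - 1) // 2 for odd q."""
    return [x - q if x > q // 2 else x for x in a]

def order(q, n):
    """Multiplicative order of q modulo n (requires gcd(q, n) = 1)."""
    if math.gcd(q, n) != 1:
        raise ValueError("q and n must be coprime")
    m, x = 1, q % n
    while x != 1:
        x, m = (x * q) % n, m + 1
    return m

def inverse_mod_q(f, q, n=N):
    """f^-1 in GF(q)[X]/(X^n - 1) for prime q not dividing n (this example's
    shortcut, not the patent's or P1363.1's method): the ring is a product of
    fields GF(q^e) with every e dividing m = ord_n(q), so each unit u satisfies
    u^(q^m - 1) = 1 and hence u^-1 = u^(q^m - 2), computed by square-and-multiply."""
    exp = q ** order(q, n) - 2
    result, base = [1] + [0] * (n - 1), mod_q(f, q)
    while exp:
        if exp & 1:
            result = mod_q(conv(result, base, n), q)
        base = mod_q(conv(base, base, n), q)
        exp >>= 1
    if mod_q(conv(result, f, n), q) != [1] + [0] * (n - 1):
        raise ValueError("f is not invertible mod q")
    return result

def keygen(F, g, p=P, q=Q):
    """Section 2.1: f = 1 + pF (private) and h = p f^-1 * g mod q (public)."""
    f = [1 + p * F[0]] + [p * x for x in F[1:]]
    h = mod_q([p * x for x in conv(inverse_mod_q(f, q), g)], q)
    return f, h

def encrypt(m, r, h, q=Q):
    """Section 2.2: e = r * h + m mod q."""
    return mod_q([x + y for x, y in zip(conv(r, h), m)], q)

def lift(e, f, q=Q):
    """Section 2.3, first step: a = e * f mod q, centred so that equation (4),
    a = p r*g + m*f, holds over the integers when the parameters are small enough."""
    return center(mod_q(conv(e, f), q), q)

def decrypt(e, f, p=P, q=Q):
    """Section 2.3, second step: m = a mod p, centred into {-1, 0, 1}."""
    return center([x % p for x in lift(e, f, q)], p)

# Constructed toy polynomials.
F_KEY = [0, 1, 0, 0, 0, 0, 0]     # F = X, hence f = 1 + 3X
G_KEY = [1, 0, 0, -1, 0, 0, 1]    # g = 1 - X^3 + X^6
R_RAND = [0, 0, 1, 0, 0, 1, 0]    # r = X^2 + X^5
M_MSG = [1, 0, -1, 1, 0, 0, -1]   # message with coefficients in {-1, 0, 1}

def roundtrip(m=M_MSG, r=R_RAND, F=F_KEY, g=G_KEY):
    """Key generation, encryption and decryption in one call; returns the recovered m."""
    f, h = keygen(F, g)
    return decrypt(encrypt(m, r, h), f)

if __name__ == "__main__":
    print("recovered", roundtrip(), "original", M_MSG)
```

Running the module prints the recovered message. `lift` exposes the intermediate a of Section 2.3 so that one can check that its coefficients really equal p r*g + m*f as integers; if a coefficient of that polynomial fell outside an interval of length q, the centring would pick the wrong representative and decryption would fail, which is the parameter constraint behind equation (4).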
[64] Based on the foregoing description, the polynomial convolution operation method of the present invention will be described in detail below.
[65] Figure 1 is a view illustration an example of an algorithm for implementing a polynomial convolution operation, which is a primary operation in an NTRU cryptosystem, according to the present invention. This algorithm inputs a general polynomial c(X) with integers, which are equal to or greater than 0 and smaller than a natural number q, and a binary polynomial a(X) with coefficients of a binary number T or '0,' and then calculates a convolution product of the polynomials c(X) and a(X), t(X)=a(X)*c(X). c(X) is referred to as a first polynomial and a(X) is referred to as a second polynomial. Here, a(X) is replaced with an array b that represents the location o f coefficient T and then inputs them to the algorithm. The total number of coefficient of a(X) and c(X) is N (integer). Also, d denotes the number of elements in the array b.
[66] The binary polynomial a(X) corresponds to the private key in decryption or to the randomization polynomial r in encryption. Since decryption and encryption are internal operations, they do not allow direct access from outside. That is, the system can be designed so that an external party cannot learn the array b, which indicates which of the N coefficients of the binary polynomial a(X) are 1. However, since the general polynomial c(X) is the only public part, it is accessible from outside and can be arbitrarily altered by attackers. Attackers can input arbitrarily generated or altered data, have the system perform operations on that data, analyze the system's internal power consumption patterns from outside, and thereby indirectly derive key information.
[67] The following description presents a method for protecting a polynomial convolution operation in an NTRU cryptosystem from attack, in terms of a method for protection against simple power analysis (SPA) attacks and a method for protection against differential power analysis (DPA) attacks.
[68]
[69] (1) Protection against SPA attack
[70] In an SPA attack on NTRU, an attacker can detect a minute difference in power consumption between the case where one of x and y is zero and the case where both x and y are non-zero when an addition x + y is performed in the system. Using this fact, the attacker supplies a general polynomial c(X) whose coefficients are all non-zero and then has the system perform a polynomial convolution in order to analyze key information.
[71] In particular, as described in Figure 1, rows 5 to 7 of the polynomial convolution algorithm for NTRU perform an addition of two integers N times. Since all elements of t are initialized to zero, when j is set to zero (j = 0) at row 4, the N operations at rows 5 to 7 are all additions in which one operand is zero. However, when j is set to 1 (j = 1) at row 4 in the next step, some of the N operations become additions in which both operands are non-zero, and the remaining operations are additions in which one operand is zero. By measuring where the latter case occurs, the relative difference between the first element b[0] and the second element b[1] of the array b can be obtained. When the attacker repeats this procedure, all the relative differences between adjacent elements of the array b can be acquired. Once the first element b[0] is obtained by a simple exhaustive search, all elements of the array b can be obtained, recovering the key.
[72] For example, if N = 7 and b = [1, 4, 6], the power consumption patterns for rows 5 to 7 of the algorithm of Figure 1 can be shown in time order as follows.
[73] j = 0: ZN ZN ZN ZN ZN ZN ZN
[74] j = 1: NN NN NN NN ZN ZN ZN
[75] j = 2: NN NN NN NN NN ZN ZN
[76] Here, ZN denotes an addition of zero and a non-zero number, and NN denotes an addition of two non-zero numbers.
[77] For j = 1, the three ZN's at the end indicate that the relative difference between b[0] and b[1] is 3. For j = 2, the two ZN's at the end indicate that the relative difference between b[1] and b[2] is 2. An attacker can thus guess b from the power consumption pattern alone, without knowing the contents of b. If the attacker guesses b[0] as x, then b = [x, x+3, x+5] is obtained. Therefore, although the attacker does not know each element of b, all the elements of b are effectively acquired once the single value x is obtained, and an exhaustive search over x reveals b.
[78] It is understood that the attack described above can be applied to the algorithm of Figure 1 as well as to all convolution algorithms whose form is similar to it.
[79] Figure 2 is a view illustrating an example of an algorithm for implementing a polynomial convolution method for protection against SPA attack, according to an embodiment of the present invention. In this algorithm, every element in the array t is initialized not to zero but to q, so that no addition with zero is performed and all addition operations have similar power consumption patterns. Therefore, the SPA attack, which relies on distinguishing additions with a zero operand, can be prevented. Also, since the algorithm of Figure 2 performs no additional operation other than the change at the initialization step, its performance does not deteriorate at all even though the SPA prevention function has been added.
[80] Rows 1 to 3 in the algorithm of Figure 2 correspond to a step of initializing every element of the array t(X) to a non-zero initial value (q). The array t(X) stores the polynomial convolution result of a first polynomial c(X), corresponding to a 'public key' or a 'ciphertext', and an arbitrarily selectable second polynomial a(X). Rows 4 to 11 correspond to a step of storing the convolution result of the first polynomial c(X) and the second polynomial a(X) in the array t(X) that was initialized with the non-zero initial value. In particular, row 2 in the algorithm of Figure 2 stores the same non-zero initial value (q) in every element of the array t(X) that is intended to hold the polynomial convolution result. Also, since row 2 sets this common non-zero initial value equal to the operand q of the modulo operation, no subtraction step is needed in which the initial value used at the initialization step is subtracted from every element of the array after it stores the polynomial convolution result.
[81]
[82] (2) Protection against DPA attack
[83] After adding the SPA prevention function, the algorithm is performed so that an addition of zero to a number cannot be distinguished from an addition of two non-zero numbers; however, it may still generate a minute difference in power consumption due to differences between the operands of the addition. This difference can hardly be detected by a simple attack method such as SPA, but it can be detected by an enhanced attack method such as DPA. An attacker using DPA against NTRU applies a variety of altered general polynomials c(X) to a fixed binary polynomial a(X) (hence a fixed array b) and measures the power consumption pattern each time. The attacker then statistically analyzes the measured power consumption patterns and discovers information about the array b. Since the attacker thus has a greater amount of power consumption data than in SPA, the attacker can accumulate minute differences that cannot be detected by a single power measurement, and can therefore perform the attack with greater accuracy.
[84] More specifically, in order to discover the elements of the array b, the attacker can detect a minute difference in power consumption between the case where the result of t_{k+b[j]} + c_k at row 6 in the algorithm of Figure 1 has a lowest bit of 0 and the case where it has a lowest bit of 1. Such a difference cannot be detected by a single power measurement as in SPA; rather, it is detected by performing the operation for a variety of polynomials c(X) and then accumulating and measuring the differences in power consumption. Such an attack relies on the rationale that an addition with the same operands has the same power consumption pattern. Therefore, if the same operands can be made to always produce different power consumption patterns, DPA can be prevented.
[85] Figure 3 is a view illustrating an example of an algorithm for implementing a polynomial convolution method for protection against DPA attack, according to an embodiment of the present invention. This algorithm is designed so that the same input brings about a different power consumption pattern each time the algorithm is performed, by initializing every element of the array t to a random number. After the operation is complete, the corresponding random number is removed to correct the operation result. The elements of the array t may also all be initialized with the same value. Therefore, this algorithm can prevent a DPA attack that relies on the assumption that the same input brings about the same power consumption.
[86] Rows 1 to 3 in the algorithm of Figure 3 perform a step of generating, at random, the initial values used to initialize every element of the array t(X). The array t(X) stores the polynomial convolution result. Rows 4 to 6 perform a step of initializing every element of the array t(X) with the randomly generated initial values. Rows 12 to 14 perform a step of subtracting the randomly generated value from the stored polynomial convolution result.
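As an added example (not code from the patent, which reproduces none of its figures), the three initialization strategies of Figures 1, 2 and 3 in Python, together with the ZN/NN classification of additions used in paragraphs [71] to [77]. The accumulator of length 2N-1 with the X^N = 1 wrap-around applied afterwards is my assumption about the unseen Figure 1 loop, chosen because it reproduces the trace given above for N = 7, b = [1, 4, 6]; the function names and sample values are constructed.

```python
import secrets

def accumulate(c, b, init):
    """Inner loop of Figure 1 as assumed here: for each index b[j] of a '1'
    coefficient of a(X), add c[k] into slot k + b[j] of a 2N-1 slot
    accumulator t that starts as a copy of init.  Also returns, per j, the
    class of each addition: 'ZN' if an operand was zero, 'NN' otherwise."""
    t = list(init)
    trace = []
    for j in range(len(b)):
        row = []
        for k in range(len(c)):
            idx = k + b[j]
            row.append("ZN" if t[idx] == 0 or c[k] == 0 else "NN")
            t[idx] += c[k]
        trace.append(row)
    return t, trace

def fold(t, n, q):
    """Wrap slot k+N onto slot k (X^N = 1) and reduce every slot modulo q."""
    return [(t[k] + (t[k + n] if k + n < len(t) else 0)) % q for k in range(n)]

def fig1_convolution(c, b, q):
    """Unprotected variant: every accumulator slot starts at zero."""
    n = len(c)
    t, trace = accumulate(c, b, [0] * (2 * n - 1))
    return fold(t, n, q), trace

def fig2_convolution(c, b, q):
    """SPA countermeasure: every slot starts at q, which vanishes under mod q
    (no correction step), so the accumulator operand is never zero."""
    n = len(c)
    t, trace = accumulate(c, b, [q] * (2 * n - 1))
    return fold(t, n, q), trace

def fig3_convolution(c, b, q):
    """DPA countermeasure: every slot starts at a fresh random value that is
    subtracted again before reduction, so the intermediate sums differ from
    run to run even for identical inputs."""
    n = len(c)
    r = [secrets.randbelow(q) for _ in range(2 * n - 1)]
    t, trace = accumulate(c, b, r)
    return fold([ti - ri for ti, ri in zip(t, r)], n, q), trace

def reference_product(b, c, q):
    """Schoolbook a(X) * c(X) in Z_q[X]/(X^N - 1) with a(X) = sum of X^b[j]."""
    n = len(c)
    out = [0] * n
    for i in b:
        for k, ck in enumerate(c):
            out[(i + k) % n] = (out[(i + k) % n] + ck) % q
    return out

if __name__ == "__main__":
    # Constructed sample: the page's N = 7, b = [1, 4, 6], q = 128, and an
    # all-non-zero c(X) of the kind the SPA description assumes.
    q, b, c = 128, [1, 4, 6], [3, 5, 7, 11, 13, 17, 19]
    for name, fn in (("Fig. 1", fig1_convolution), ("Fig. 2", fig2_convolution)):
        result, trace = fn(c, b, q)
        print(name, "matches reference:", result == reference_product(b, c, q))
        for j, row in enumerate(trace):
            print(f"  j = {j}: " + " ".join(row))
```

Running it prints the ZN/NN rows of paragraphs [73] to [75] for the Figure 1 variant and all-NN rows for the Figure 2 variant, while all three variants return the same reduced result.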
[87] Figures 4 and 5 are graphs illustrating experimental results when a DPA attack is performed against the algorithm of Figure 1, which employs no protection against power analysis attacks. The horizontal and vertical axes of the graphs denote time and the magnitude of the power signal, respectively. In the experiments, the attacker arbitrarily guesses b[j], the j-th element of the array b, which is fixed but unknown to the attacker, and then runs the algorithm of Figure 1 for a plurality of different polynomials c(X). After that, the attacker sorts the result values t + c according
the guess fails, the amplified signal does not show any particular feature but only signals corresponding to random values, whose amplitudes are approximately zero and distributed symmetrically about the horizontal axis, as shown in Figure 4. On the contrary, when the guess is correct, a peak signal appears at a certain position, as shown in Figure 5. The attacker repeatedly guesses possible values for b[j], sorting and amplifying each time, until a peak appears for the guessed value.
[88] When the DPA prevention method according to the present invention is applied to the algorithm, the peak value shown in Figure 5 does not appear. Therefore, even when an attacker makes a correct guess, a signal amplification graph similar to that of Figure 4 is obtained, so the attacker cannot check whether the guessed value is correct, and thus the attack cannot succeed.
[89] Figures 6 and 7 are views illustrating examples of an algorithm for implementing a polynomial convolution method for protection against DPA attacks, according to another embodiment of the present invention. Each of these algorithms is designed so that the same input brings about a different power consumption pattern each time the algorithm is performed, by initializing every element of the array t to a random number. After the operation is complete, the corresponding random number is removed to correct the operation result. The elements of the array t may also all be initialized with the same value. Therefore, these algorithms can prevent DPA attacks conducted on the assumption that the same input brings about the same power consumption.
[90] Although the SPA prevention algorithm of Figure 2 and the DPA prevention algorithms of Figures 3, 6 and 7 have been described for the case where the polynomial a(X) is a binary polynomial, they can also be applied to a product-form polynomial. A product-form polynomial is a polynomial of the form a(X) = a1(X) * a2(X), a(X) = (a1(X) * a2(X) + a3(X)), or a(X) = a1(X) * a2(X) * a3(X), for binary polynomials a1(X), a2(X), and a3(X).
[91] Although the preferred embodiments of the present invention have been disclosed for illustrative purposes, those skilled in the art will appreciate that various modifications, additions and substitutions are possible, without departing from the scope and spirit of the invention as disclosed in the accompanying claims.

Claims

[1] A method for calculating a polynomial convolution operation with a first polynomial (which corresponds to a public key or a ciphertext) and a second polynomial arbitrarily selectable in n-th degree truncated polynomial ring (NTRU) encryption and NTRU decryption, the method comprising:
(1) initializing respective elements of an array by an initial value that is not zero; and
(2) storing the polynomial convolution operation result of the first and second polynomials in the array initialized by the initial value that is not zero.
[2] The method according to claim 1, wherein the initial value is the same value at all the elements of the array.
[3] The method according to claim 2, wherein the same value is identical to that of an operand in a modulo operation for the NTRU encryption.
[4] The method according to claim 1, wherein the initial value comprises: randomly generated values for the respective elements of the array.
[5] The method according to claim 4, further comprising: subtracting the randomly generated value from the polynomial convolution operation result stored in the array.
[6] The method according to claim 1, wherein the second polynomial comprises: a product-form polynomial.
PCT/KR2007/006988 2007-12-28 2007-12-28 A secure method for calculating a polynomial convolution operation for an ntru cryptosystem WO2009084752A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2007-0140162 2007-12-28
KR1020070140162A KR100876442B1 (en) 2007-12-28 2007-12-28 A secure method for calculating a polynomial convolution operation for an ntru cryptosystem

Publications (1)

Publication Number Publication Date
WO2009084752A1 true WO2009084752A1 (en) 2009-07-09

Family

ID=40373348

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2007/006988 WO2009084752A1 (en) 2007-12-28 2007-12-28 A secure method for calculating a polynomial convolution operation for an ntru cryptosystem

Country Status (2)

Country Link
KR (1) KR100876442B1 (en)
WO (1) WO2009084752A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104683102A (en) * 2013-11-29 2015-06-03 上海复旦微电子集团股份有限公司 SM2 signature calculation method and device

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102243889B1 (en) 2019-12-13 2021-04-23 국방과학연구소 Data decoding apparatus and method
CN112818366B (en) * 2021-02-01 2023-09-26 东北大学 Image feature detection method based on ntru full homomorphic encryption

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6081597A (en) * 1996-08-19 2000-06-27 Ntru Cryptosystems, Inc. Public key cryptosystem method and apparatus
KR20030043448A (en) * 2001-11-28 2003-06-02 한국전자통신연구원 apparatus for NTRU Cryptosystem
WO2003050998A1 (en) * 2001-12-07 2003-06-19 Ntru Cryptosystems, Inc. Digital signature and authentication method and apparatus

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
O'Rourke, C.M. et al.: "Efficient NTRU Implementations", Master's thesis submitted to the faculty of the Worcester Polytechnic Institute, April 2002 (2002-04-01), pages 12-19 *

Also Published As

Publication number Publication date
KR100876442B1 (en) 2008-12-29

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 07860765; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 07860765; Country of ref document: EP; Kind code of ref document: A1)