Skip to main content
SpringerLink
Log in

Timing Leakage Analysis of Non-constant-time NTT Implementations with Harvey Butterflies

  • Conference paper
  • First Online:
Cyber Security, Cryptology, and Machine Learning (CSCML 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13301))

Abstract

Harvey butterflies and their variants are core primitives in many optimized number-theoretic transform (NTT) implementations, such as those used by the HElib and SEAL homomorphic encryption libraries. However, these butterflies are not constant-time algorithms and may leak secret data when incorrectly implemented. Luckily for SEAL and HElib, the compilers optimize the code to run in constant-time.

We claim that relying on the compiler is risky and demonstrate how a simple code modification, naïve compiler misuse, or even a malicious attacker that injects just a single compiler flag can cause leakage. This leakage can reduce the hardness of the ring learning with errors (R-LWE) instances used by these libraries, for example, from \(2^{128}\) to \(2^{104}\).

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Albrecht, M., et al.: Homomorphic encryption security standard. Technical report, HomomorphicEncryption.org, Toronto, Canada, November 2018. https://homomorphicencryption.org/standard/

  2. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015). https://doi.org/10.1515/jmc-2015-0016

    Article  MathSciNet  MATH  Google Scholar 

  3. Boemer, F., Kim, S., Seifu, G., de Souza, F.D., Gopal, V.: Intel HEXL: accelerating homomorphic encryption with Intel AVX512-IFMA52. Technical report (2021). https://eprint.iacr.org/2021/420

  4. Bradbury, J., Drucker, N., Hillenbrand, M.: NTT software optimization using an extended Harvey butterfly. Technical report (2021). https://eprint.iacr.org/2021/1396

  5. GCC bugs: [Bug c++/98801] New: Request for a conditional move built-in function (2021). https://www.mail-archive.com/gcc-bugs@gcc.gnu.org/msg676288.html

  6. Cheon, J.H., Han, K., Kim, A., Kim, M., Song, Y.: A full RNS variant of approximate homomorphic encryption. In: Cid, C., Jacobson Jr., M.J. (eds.) Selected Areas in Cryptography - SAC 2018, pp. 347–368. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-10970-7_16

  7. Cheon, J.H., Kim, A., Kim, M., Song, Y.: Homomorphic encryption for arithmetic of approximate numbers. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 409–437. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_15

    Chapter  Google Scholar 

  8. Cooley, J.W., Tukey, J.W.: An algorithm for the machine calculation of Complex Fourier Series. Math. Comput. 19(90), 297–301 (1965). https://doi.org/10.2307/2003354

    Article  MathSciNet  MATH  Google Scholar 

  9. Daan, S.: LLVM provides no side-channel resistance (2019). https://dsprenkels.com/cmov-conversion.html

  10. Dai, W., Sunar, B.: cuHE: a homomorphic encryption accelerator library. In: Pasalic, E., Knudsen, L.R. (eds.) BalkanCryptSec 2015. LNCS, vol. 9540, pp. 169–186. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29172-7_11

    Chapter  Google Scholar 

  11. Ducas, L., et al.: CRYSTALS-Dilithium Algorithm Specifications and Supporting Documentation (2017). https://pq-crystals.org/dilithium/data/dilithium-specification.pdf

  12. Espitau, T., Fouque, P.A., Gérard, B., Tibouchi, M.: Side-channel attacks on BLISS lattice-based signatures: exploiting branch tracing against StrongSwan and electromagnetic emanations in microcontrollers. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1857–1874, CCS 2017. Association for Computing Machinery, New York, NY, USA (2017). https://doi.org/10.1145/3133956.3134028

  13. Gentleman, W.M., Sande, G.: Fast Fourier transforms-For fun and profit. In: AFIPS Conference Proceedings - 1966 Fall Joint Computer Conference, AFIPS 1966, pp. 563–578 (1966). https://doi.org/10.1145/1464291.1464352

  14. Guo, Q., Johansson, T., Nilsson, A.: A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 359–386. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_13

    Chapter  Google Scholar 

  15. Halevi, S., Shoup, V.: Algorithms in HElib. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 554–571. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_31

    Chapter  MATH  Google Scholar 

  16. Harvey, D.: Faster arithmetic for number-theoretic transforms. J. Symbolic Comput. 60, 113–119 (2014). https://doi.org/10.1016/j.jsc.2013.09.002

    Article  MathSciNet  MATH  Google Scholar 

  17. Jung, W., et al.: HEAAN demystified: accelerating fully homomorphic encryption through architecture-centric analysis and optimization (2020)

    Google Scholar 

  18. Laine, K.: Simple encrypted arithmetic library 2.3.1. Technical report, Microsoft, WA, USA (2017). https://www.microsoft.com/en-us/research/uploads/prod/2017/11/sealmanual-2-3-1.pdf

  19. Longa, P., Naehrig, M.: Speeding up the number theoretic transform for faster ideal lattice-based cryptography. In: Foresti, S., Persiano, G. (eds.) CANS 2016. LNCS, vol. 10052, pp. 124–139. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-48965-0_8

    Chapter  Google Scholar 

  20. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. J. ACM 60(6), 1–35 (2013). https://doi.org/10.1145/2535925

    Article  MathSciNet  MATH  Google Scholar 

  21. Lyubashevsky, V., Seiler, G.: NTTRU: truly fast NTRU using NTT 2019. IACR Trans. Cryptographic Hardware Embed. Syst. 2019, 180–201 (2019). https://doi.org/10.13154/tches.v2019.i3.180-201

  22. Primas, R., Pessl, P., Mangard, S.: Single-trace side-channel attacks on masked lattice-based encryption. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 513–533. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_25

    Chapter  Google Scholar 

  23. Sadegh Riazi, M., Laine, K., Pelton, B., Dai, W.: HEAX: an architecture for computing on encrypted data. In: International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS, pp. 1295–1309 (2020). https://doi.org/10.1145/3373376.3378523

  24. Schwabe, P., et al.: CRYSTALS-KYBER (2020). https://pq-crystals.org/kyber/

  25. Van Bulck, J., Piessens, F., Strackx, R.: SGX-Step: a practical attack framework for precise enclave execution control. In: 2nd Workshop on System Software for Trusted Execution (SysTEX), pp. 4:1–4:6. ACM, October 2017. https://doi.org/10.1145/3152701.3152706

  26. Victor, S.: NTL - a library for doing numbery theory - version 11.5.1, commit 91acd5b3a7df709c0d8bf88a99a24bc340dc34f7 (2021). https://github.com/libntl/ntl

  27. Yuriy, P., Kurt, R., Gerard, R.W., Dave, C.: PALISADE Lattice Cryptography Library, commmit d76213499af44558170cca6c72c5314755fec23c (2021). https://gitlab.com/palisade/palisade-release

Download references

Author information

Authors and Affiliations

  1. IBM Research - Haifa, Haifa, Israel

    Nir Drucker & Tomer Pelleg

Authors
  1. Nir Drucker
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Tomer Pelleg
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Nir Drucker .

Editor information

Editors and Affiliations

  1. Ben-Gurion University of the Negev, Be’er Sheva, Israel

    Shlomi Dolev

  2. University of Maryland, College Park, MD, USA

    Jonathan Katz

  3. Ben-Gurion University of the Negev, Be’er Sheva, Israel

    Amnon Meisels

Appendices

A NTT Algorithms

Algorithms 3 and 4 are the forward and inverse NTT algorithms from [19], respectively.

figure am
figure an

B Generating the Primes

For reproduction purposes, we provide the SageMath script we used to generate the primes in Sect. 4.

figure ao

Rights and permissions

Reprints and permissions

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Drucker, N., Pelleg, T. (2022). Timing Leakage Analysis of Non-constant-time NTT Implementations with Harvey Butterflies. In: Dolev, S., Katz, J., Meisels, A. (eds) Cyber Security, Cryptology, and Machine Learning. CSCML 2022. Lecture Notes in Computer Science, vol 13301. Springer, Cham. https://doi.org/10.1007/978-3-031-07689-3_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-07689-3_8

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-07688-6

  • Online ISBN: 978-3-031-07689-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation