IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
Online ISSN : 1745-1337
Print ISSN : 0916-8508
Regular Section
Vulnerability — Information Leakage of Reused Secret Key in NewHope
Routo TERADA, Reynaldo CACERES VILLENA

2022 Volume E105.A Issue 6 Pages 952-964

Abstract

The NIST post-quantum project intends to standardize cryptographic systems that are secure against attacks by both quantum and classical computers. One of these cryptographic systems is NewHope, a Ring-LWE-based key exchange scheme. The NewHope Key Encapsulation Method (KEM) allows two participants to establish an encapsulated (secret) shared key. This scheme defines a private key that is used to encipher a random shared secret, and the private key enables the deciphering. This paper presents Fault Information Leakage attacks, carried out with conventional personal computers, that apply if the attacked participant, say Bob, reuses his public key. This assumption is not very strong, since reusing the (secret, public) key pair saves computing cost on Bob's device when the public global parameter is not changed. From our results we conclude that, to prevent leakage, Bob should not reuse his NewHope secret and public keys, because Bob's secret key can be retrieved with only 2 communications. We also found that Bob's secret keys can be retrieved for NewHopeToy2, NewHopeToy1 and NewHopeLudicrous with 1, 2, and 3 communications, respectively.

© 2022 The Institute of Electronics, Information and Communication Engineers