Timing Leakage Analysis of Non-constant-time NTT Implementations with Harvey Butterflies

Nir Drucker; Tomer Pelleg

doi:10.1007/978-3-031-07689-3_8

Timing Leakage Analysis of Non-constant-time NTT Implementations with Harvey Butterflies

Nir Drucker, Tomer Pelleg

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Harvey butterflies and their variants are core primitives in many optimized number-theoretic transform (NTT) implementations, such as those used by the HElib and SEAL homomorphic encryption libraries. However, these butterflies are not constant-time algorithms and may leak secret data when incorrectly implemented. Luckily for SEAL and HElib, the compilers optimize the code to run in constant-time. We claim that relying on the compiler is risky and demonstrate how a simple code modification, naïve compiler misuse, or even a malicious attacker that injects just a single compiler flag can cause leakage. This leakage can reduce the hardness of the ring learning with errors (R-LWE) instances used by these libraries, for example, from 2 ¹²⁸ to 2 ¹⁰⁴.

Original language	English
Title of host publication	Cyber Security, Cryptology, and Machine Learning - 6th International Symposium, CSCML 2022, Proceedings
Editors	Shlomi Dolev, Amnon Meisels, Jonathan Katz
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	99-117
Number of pages	19
ISBN (Print)	9783031076886
DOIs	https://doi.org/10.1007/978-3-031-07689-3_8
State	Published - 2022
Externally published	Yes
Event	6th International Symposium on Cyber Security Cryptography and Machine Learning, CSCML 2022 - Beer Sheva, Israel Duration: 30 Jun 2022 → 1 Jul 2022

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	13301 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	6th International Symposium on Cyber Security Cryptography and Machine Learning, CSCML 2022
Country/Territory	Israel
City	Beer Sheva
Period	30/06/22 → 1/07/22

Bibliographical note

Publisher Copyright:
© 2022, Springer Nature Switzerland AG.

Keywords

Compiler optimizations
Constant-time code
Harvey’s butterflies
NTT
Ring-LWE
Side-channel attacks

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-031-07689-3_8

Cite this

Drucker, N., & Pelleg, T. (2022). Timing Leakage Analysis of Non-constant-time NTT Implementations with Harvey Butterflies. In S. Dolev, A. Meisels, & J. Katz (Eds.), Cyber Security, Cryptology, and Machine Learning - 6th International Symposium, CSCML 2022, Proceedings (pp. 99-117). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13301 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-07689-3_8

Drucker, Nir ; Pelleg, Tomer. / Timing Leakage Analysis of Non-constant-time NTT Implementations with Harvey Butterflies. Cyber Security, Cryptology, and Machine Learning - 6th International Symposium, CSCML 2022, Proceedings. editor / Shlomi Dolev ; Amnon Meisels ; Jonathan Katz. Springer Science and Business Media Deutschland GmbH, 2022. pp. 99-117 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{8bfc25c7a44a47b4836b2fdf77acff92,

title = "Timing Leakage Analysis of Non-constant-time NTT Implementations with Harvey Butterflies",

abstract = "Harvey butterflies and their variants are core primitives in many optimized number-theoretic transform (NTT) implementations, such as those used by the HElib and SEAL homomorphic encryption libraries. However, these butterflies are not constant-time algorithms and may leak secret data when incorrectly implemented. Luckily for SEAL and HElib, the compilers optimize the code to run in constant-time. We claim that relying on the compiler is risky and demonstrate how a simple code modification, na{\"i}ve compiler misuse, or even a malicious attacker that injects just a single compiler flag can cause leakage. This leakage can reduce the hardness of the ring learning with errors (R-LWE) instances used by these libraries, for example, from 2 128 to 2 104.",

keywords = "Compiler optimizations, Constant-time code, Harvey{\textquoteright}s butterflies, NTT, Ring-LWE, Side-channel attacks",

author = "Nir Drucker and Tomer Pelleg",

note = "Publisher Copyright: {\textcopyright} 2022, Springer Nature Switzerland AG.; 6th International Symposium on Cyber Security Cryptography and Machine Learning, CSCML 2022 ; Conference date: 30-06-2022 Through 01-07-2022",

year = "2022",

doi = "10.1007/978-3-031-07689-3\_8",

language = "English",

isbn = "9783031076886",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "99--117",

editor = "Shlomi Dolev and Amnon Meisels and Jonathan Katz",

booktitle = "Cyber Security, Cryptology, and Machine Learning - 6th International Symposium, CSCML 2022, Proceedings",

address = "Germany",

}

Drucker, N & Pelleg, T 2022, Timing Leakage Analysis of Non-constant-time NTT Implementations with Harvey Butterflies. in S Dolev, A Meisels & J Katz (eds), Cyber Security, Cryptology, and Machine Learning - 6th International Symposium, CSCML 2022, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13301 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 99-117, 6th International Symposium on Cyber Security Cryptography and Machine Learning, CSCML 2022, Beer Sheva, Israel, 30/06/22. https://doi.org/10.1007/978-3-031-07689-3_8

Timing Leakage Analysis of Non-constant-time NTT Implementations with Harvey Butterflies. / Drucker, Nir; Pelleg, Tomer.
Cyber Security, Cryptology, and Machine Learning - 6th International Symposium, CSCML 2022, Proceedings. ed. / Shlomi Dolev; Amnon Meisels; Jonathan Katz. Springer Science and Business Media Deutschland GmbH, 2022. p. 99-117 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13301 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Timing Leakage Analysis of Non-constant-time NTT Implementations with Harvey Butterflies

AU - Drucker, Nir

AU - Pelleg, Tomer

PY - 2022

Y1 - 2022

N2 - Harvey butterflies and their variants are core primitives in many optimized number-theoretic transform (NTT) implementations, such as those used by the HElib and SEAL homomorphic encryption libraries. However, these butterflies are not constant-time algorithms and may leak secret data when incorrectly implemented. Luckily for SEAL and HElib, the compilers optimize the code to run in constant-time. We claim that relying on the compiler is risky and demonstrate how a simple code modification, naïve compiler misuse, or even a malicious attacker that injects just a single compiler flag can cause leakage. This leakage can reduce the hardness of the ring learning with errors (R-LWE) instances used by these libraries, for example, from 2 128 to 2 104.

AB - Harvey butterflies and their variants are core primitives in many optimized number-theoretic transform (NTT) implementations, such as those used by the HElib and SEAL homomorphic encryption libraries. However, these butterflies are not constant-time algorithms and may leak secret data when incorrectly implemented. Luckily for SEAL and HElib, the compilers optimize the code to run in constant-time. We claim that relying on the compiler is risky and demonstrate how a simple code modification, naïve compiler misuse, or even a malicious attacker that injects just a single compiler flag can cause leakage. This leakage can reduce the hardness of the ring learning with errors (R-LWE) instances used by these libraries, for example, from 2 128 to 2 104.

KW - Compiler optimizations

KW - Constant-time code

KW - Harvey’s butterflies

KW - NTT

KW - Ring-LWE

KW - Side-channel attacks

UR - https://www.scopus.com/pages/publications/85134168956

U2 - 10.1007/978-3-031-07689-3_8

DO - 10.1007/978-3-031-07689-3_8

M3 - Conference contribution

AN - SCOPUS:85134168956

SN - 9783031076886

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 99

EP - 117

BT - Cyber Security, Cryptology, and Machine Learning - 6th International Symposium, CSCML 2022, Proceedings

A2 - Dolev, Shlomi

A2 - Meisels, Amnon

A2 - Katz, Jonathan

PB - Springer Science and Business Media Deutschland GmbH

T2 - 6th International Symposium on Cyber Security Cryptography and Machine Learning, CSCML 2022

Y2 - 30 June 2022 through 1 July 2022

ER -

Drucker N, Pelleg T. Timing Leakage Analysis of Non-constant-time NTT Implementations with Harvey Butterflies. In Dolev S, Meisels A, Katz J, editors, Cyber Security, Cryptology, and Machine Learning - 6th International Symposium, CSCML 2022, Proceedings. Springer Science and Business Media Deutschland GmbH. 2022. p. 99-117. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-07689-3_8

Timing Leakage Analysis of Non-constant-time NTT Implementations with Harvey Butterflies

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this