Academia.eduAcademia.edu

Outline

Title
Abstract
Figures
Introduction
Attack Methodology
Case 1
Case 2
Experimental Results
Experimental Setup
Fault Injection Results
Conclusion
References

Exploiting Determinism in Lattice-based Signatures

Profile image of Prasanna RaviPrasanna Ravi

Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security

https://doi.org/10.1145/3321705.3329821
visibility

description

14 pages

link

1 file

Abstract

In this paper, we analyze the implementation level fault vulnerabilities of deterministic lattice-based signature schemes. In particular, we extend the practicality of skip-addition fault attacks through exploitation of determinism in certain variants of Dilithium (Deterministic variant) and qTESLA signature scheme (originally submitted deterministic version), which are two leading candidates for the NIST standardization of post-quantum cryptography. We show that single targeted faults injected in the signing procedure allow to recover an important portion of the secret key. Though faults injected in the signing procedure do not recover all the secret key elements, we propose a novel forgery algorithm that allows the attacker to sign any given message with only the extracted portion of the secret key. We perform experimental validation of our attack using Electromagnetic fault injection on reference implementations taken from the pqm4 library, a benchmarking and testing framework for post quantum cryptographic implementations for the ARM Cortex-M4 microcontroller. We also show that our attacks break two well known countermeasures known to protect against skip-addition fault attacks. We further propose an efficient mitigation strategy against our attack that exponentially increases the attacker's complexity at almost zero increase in computational complexity. CCS CONCEPTS • Security and privacy → Digital signatures; Hardware attacks and countermeasures; Side-channel analysis and countermeasures; Embedded systems security.

Figures (15)
Algorithm 1: Dilithium Signature scheme
Algorithm 1: Dilithium Signature scheme
Proof: The algorithm in Figure 2, given below, illustrates this claim. The correctness of the algorithm follows immediately from Lemma 2.1 and Lemma 5.2. Lemma 5.2 ([19]). Letr € Zg andh,h’ € {0,1}. IFUHg(h, 7, @) = UHg(h’,r, a), thenh = h’.
Proof: The algorithm in Figure 2, given below, illustrates this claim. The correctness of the algorithm follows immediately from Lemma 2.1 and Lemma 5.2. Lemma 5.2 ([19]). Letr € Zg andh,h’ € {0,1}. IFUHg(h, 7, @) = UHg(h’,r, a), thenh = h’.
Table 1: Fault simulation results for our skip-addition fault attack on the various recommended parameter sets of Dilithium. Results were obtained over 10° runs of the signing procedure. the knowledge of to. In the following we first show that UHg func- tion could be inverted to produce the correct hint. In particular UHg(h,r, @), given q, a, r € Zg and HBg(u + r, a), is invertible on hif ||ulloo < a/2. Lemma 5.1 summarizes this fact. the failure probability of our forgery signing procedure. We ran our forgery algorithm for a total of 278 times while not obtaining a single invalid signature. This along with its increased signing rate leads us to hypothesize if our forgery algorithm can be used as an alternative signing procedure for Dilithium. Concrete estimation of its error-probability and security of the generated signatures is left for future work.
Table 1: Fault simulation results for our skip-addition fault attack on the various recommended parameter sets of Dilithium. Results were obtained over 10° runs of the signing procedure. the knowledge of to. In the following we first show that UHg func- tion could be inverted to produce the correct hint. In particular UHg(h,r, @), given q, a, r € Zg and HBg(u + r, a), is invertible on hif ||ulloo < a/2. Lemma 5.1 summarizes this fact. the failure probability of our forgery signing procedure. We ran our forgery algorithm for a total of 278 times while not obtaining a single invalid signature. This along with its increased signing rate leads us to hypothesize if our forgery algorithm can be used as an alternative signing procedure for Dilithium. Concrete estimation of its error-probability and security of the generated signatures is left for future work.
4Code is available online on https://github.com/jameshoweee/dilithium_forgery
4Code is available online on https://github.com/jameshoweee/dilithium_forgery
For our experiments, we target the reference implementation of Dilithium taken from the pqm4 library, a benchmarking and testing framework for POC schemes on the ARM Cortex-M4 family of mi- crocontrollers [17]. We ported its reference implementation to the STM32F4DISCOVERY board (DUT) housing the STM32F407, ARM Cortex-M4 microcontroller. Our implementation (compiled with -03 -mthumb -mcpu=cortex-m4 -mf loat-abi=hard -mfpu=fpv4-sp-d16) runs at a clock frequency of 24 MHz. We use the ST-LINK/v2.1 add-on board for USART communication with our DUT. We used the OpenOCD framework for flash configuration and on-chip hardware debugging with the aid of the GNU debug- ger for ARM (arm-none-eabi-gdb). We use Electromagnetic Fault injection (EMFI) to inject faults into our device.
For our experiments, we target the reference implementation of Dilithium taken from the pqm4 library, a benchmarking and testing framework for POC schemes on the ARM Cortex-M4 family of mi- crocontrollers [17]. We ported its reference implementation to the STM32F4DISCOVERY board (DUT) housing the STM32F407, ARM Cortex-M4 microcontroller. Our implementation (compiled with -03 -mthumb -mcpu=cortex-m4 -mf loat-abi=hard -mfpu=fpv4-sp-d16) runs at a clock frequency of 24 MHz. We use the ST-LINK/v2.1 add-on board for USART communication with our DUT. We used the OpenOCD framework for flash configuration and on-chip hardware debugging with the aid of the GNU debug- ger for ARM (arm-none-eabi-gdb). We use Electromagnetic Fault injection (EMFI) to inject faults into our device.
Figure 3: (a) Hand-made probe used for our EMFI setup (b) Probe placed over the DUT
Figure 3: (a) Hand-made probe used for our EMFI setup (b) Probe placed over the DUT
The first two variants are based on the order of the operands within the addition operation while the result of addition in both the variants is overwritten into the same variable as one of the operands. But, the third variant is based on storing the result into a new variable different from the operands. While we demonstrate our attack against all the three variants, it is important to note that Variant-2 and 3 were proposed as concrete countermeasures against the skip-addition attack in a number of works [8, 9].
The first two variants are based on the order of the operands within the addition operation while the result of addition in both the variants is overwritten into the same variable as one of the operands. But, the third variant is based on storing the result into a new variable different from the operands. While we demonstrate our attack against all the three variants, it is important to note that Variant-2 and 3 were proposed as concrete countermeasures against the skip-addition attack in a number of works [8, 9].
Figure 7: Code snippet: C-Code of Variant-3, Result is stored in a new variable compared to that of the operands
Figure 7: Code snippet: C-Code of Variant-3, Result is stored in a new variable compared to that of the operands
Figure 8: First order Pattern Recognition (a) Identification of multiple iterations of signing procedure on EM trace (b) Zoomed in view of multiple iterations (c) Identifying repeat- ing patterns in a single iteration and mapping them to the corresponding operations in the reference implementation
Figure 8: First order Pattern Recognition (a) Identification of multiple iterations of signing procedure on EM trace (b) Zoomed in view of multiple iterations (c) Identifying repeat- ing patterns in a single iteration and mapping them to the corresponding operations in the reference implementation
Rg = Zq{X]/[X” + 1] with n > 1024. Refer Alg.6 for a brief al- gorithmic level description of the qIESLA signature scheme. As stated earlier!, our attacks only apply the deterministic variant of qTESLA and since its updated specification is a probabilistic one and hence is inherently protected against our attacks.
Rg = Zq{X]/[X” + 1] with n > 1024. Refer Alg.6 for a brief al- gorithmic level description of the qIESLA signature scheme. As stated earlier!, our attacks only apply the deterministic variant of qTESLA and since its updated specification is a probabilistic one and hence is inherently protected against our attacks.
Figure 9: NTT operation on a polynomial x with degree 8 dependency between elements of the input and the output of the NTT transform. We leverage over this property, which we refer to as the diffusion property of the NTT operation to ensure that the fault injected in the addition operation for one element is propagated uniformly to all the elements in the signature component z. This further ensures that the resulting faulty signatures are rejected by the signing procedure with very high probability.
Figure 9: NTT operation on a polynomial x with degree 8 dependency between elements of the input and the output of the NTT transform. We leverage over this property, which we refer to as the diffusion property of the NTT operation to ensure that the fault injected in the addition operation for one element is propagated uniformly to all the elements in the signature component z. This further ensures that the resulting faulty signatures are rejected by the signing procedure with very high probability.
Algorithm 6: qTESLA Signature scheme obtained through an inverse NTT operation. The NTT operation in itself is a bijective mapping from one polynomial to another in the same operating ring. An input sequence p with n elements (Po, .--,Pn—1) is mapped to its representation p in the NTT domain as where j € [0, n—1] and w being the n'" root of unity in the operating ring Zg.
Algorithm 6: qTESLA Signature scheme obtained through an inverse NTT operation. The NTT operation in itself is a bijective mapping from one polynomial to another in the same operating ring. An input sequence p with n elements (Po, .--,Pn—1) is mapped to its representation p in the NTT domain as where j € [0, n—1] and w being the n'" root of unity in the operating ring Zg.

Related papers

Side-Channel Attacks on BLISS Lattice-Based Signatures
Pierre-alain Fouque

Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, 2017

In this paper, we investigate the security of the BLISS lattice-based signature scheme, one of the most promising candidates for postquantum-secure signatures, against side-channel attacks. Several works have been devoted to its efficient implementation on various platforms, from desktop CPUs to microcontrollers and FPGAs, and more recent papers have also considered its security against certain types of physical attacks, notably fault injection and cache attacks. We turn to more traditional side-channel analysis, and describe several attacks that can yield a full key recovery. We first identify a serious source of leakage in the rejection sampling algorithm used during signature generation. Existing implementations of that rejection sampling step, which is essential for security, actually leak the "relative norm" of the secret key. We show how an extension of an algorithm due to Howgrave-Graham and Szydlo can be used to recover the key from that relative norm, at least when the absolute norm is easy to factor (which happens for a significant fraction of secret keys). We describe how this leakage can be exploited in practice both on an embedded device (an 8-bit AVR microcontroller) using electromagnetic analysis (EMA), and a desktop computer (recent Intel CPU running Linux) using branch tracing. The latter attack has been mounted against the open source VPN software strongSwan. We also show that other parts of the BLISS signing algorithm can leak secrets not just for a subset of secret keys, but for 100% of them. The BLISS Gaussian sampling algorithm in strongSwan is intrinsically variable time. This would be hard to exploit using a noisy source of leakage like EMA, but branch tracing allows to recover the entire randomness and hence the key: we show that a single execution of the strongSwan signature algorithm is actually sufficient for full key recovery. We also describe a more traditional side-channel attack on the sparse polynomial multiplications carried out in BLISS: classically, multiplications can be attacked using Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of a national government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

View PDFchevron_right
Compact and provably secure lattice-based signatures in hardware
Maire O'Neill

2017 IEEE International Symposium on Circuits and Systems (ISCAS)

Lattice-based cryptography is a quantum-safe alternative to existing classical asymmetric cryptography, such as RSA and ECC, which may be vulnerable to future attacks in the event of the creation of a viable quantum computer. The efficiency of lattice-based cryptography has improved over recent years, but there has been relatively little investigation into hardware designs of digital signature schemes. In this paper, the first hardware design of the provably secure Ring-LWE digital signature scheme, Ring-TESLA, is presented, targeting a Xilinx Spartan-6 FPGA. The results better compactness of all previous lattice-based digital signature schemes in hardware, and can achieve between 104-785 signatures and 102-776 verifications per second.

View PDFchevron_right
BEARZ Attack FALCON: Implementation Attacks with Countermeasures on the FALCON Signature Scheme
Maire O'Neill

2019

Post-quantum cryptography is an important and growing area of research due to the threat of quantum computers, as recognised by the National Institute of Standards and Technology (NIST) recent call for standardisation. FALCON is a lattice-based signature candidate submitted to NIST, which has good performance but lacks in research with respect to implementation attacks and resistance. This research proposes the first fault attack analysis of FALCON and finds its lattice trapdoor sampler is as vulnerable to fault attacks as the GPV sampler used in alternative signature schemes. We simulate the post-processing component of this fault attack and achieve a 100% success rate at retrieving the private-key. This research then proposes an evaluation of countermeasures to prevent this fault attack and timing attacks of FALCON. We provide cost evaluations on the overheads of the proposed countermeasures which shows that FALCON has only up to 30% deterioration in performance of its key generation, and only 5% in signing, compared to runtimes without countermeasures.

View PDFchevron_right
Number “Not Used” Once - Practical Fault Attack on pqm4 Implementations of NIST Candidates
Prasanna Ravi

Constructive Side-Channel Analysis and Secure Design

In this paper, we demonstrate practical fault attacks over a number of lattice-based schemes, in particular NewHope, Kyber, Frodo, Dilithium which are based on the hardness of the Learning with Errors (LWE) problem. One of the common traits of all the considered LWE schemes is the use of nonces as domain separators to sample the secret components of the LWE instance. We show that simple faults targeting the usage of nonce can result in a nonce-reuse scenario which allows key recovery and message recovery attacks. To the best of our knowledge, we propose the first practical fault attack on lattice-based Key encapsulation schemes secure in the CCA model. We perform experimental validation of our attack using Electromagnetic fault injection on reference implementations of the aforementioned schemes taken from the pqm4 library, a benchmarking and testing framework for post quantum cryptographic implementations for the ARM Cortex-M4. We use the instruction skip fault model, which is very practical and popular in microcontroller based implementations. Our attack requires to inject a very few number of faults (numbering less than 10 for recommended parameter sets) and can be repeated with a 100% accuracy with our Electromagnetic fault injection setup.

View PDFchevron_right
Error Detection Schemes Assessed on FPGA for Multipliers in Lattice-Based Key Encapsulation Mechanisms in Post-Quantum Cryptography
Mehran Mozaffari Kermani

Advances in quantum computing have brought the need for developing public-key cryptosystems secure against attacks potentially enabled by quantum computers. In late 2017, the National Institute of Standards and Technology (NIST) launched a project to standardize one or more quantum computer-resistant public-key cryptographic algorithms. Among the main post-quantum algorithm classes, lattice-based cryptography is believed to be quantum-resistant. The standardization efforts including that of the NIST which will be concluded in 2022-2024 also affirm the importance of such algorithms. In this work, we propose error detection schemes for lattice-based key encapsulation mechanisms (KEMs). As our case study, we apply such schemes to the hardware accelerators for three post-quantum cryptographic algorithms that have advanced to the third round of the NIST PQC standardization process, i.e., FrodoKEM, Saber, and NTRU. The merit of the proposed schemes is that they can be applied to other applications and cryptographic algorithms that use multiplications in their hardware accelerators. The schemes proposed in this paper are based on recomputing with shifted, negated, and scaled operands. Moreover, we implement our fault detection schemes on field-programmable gate array (FPGA) family Kintex Ultrascale+ device xcku5p-sfvb784-1LV-i to benchmark the overheads induced and the performance degradation of the proposed approaches when added to the original architectures. The results show acceptable overhead and high error coverage for all three studied NIST PQC finalists.

View PDFchevron_right
Number "Not" Used Once - Key Recovery Fault Attacks on LWE Based Lattice Cryptographic Schemes
Prasanna Ravi

IACR Cryptol. ePrint Arch., 2018

This paper proposes a simple single bit flip fault attack applicable to several LWE (Learning With Errors Problem) based lattice based schemes like KYBER, NEWHOPE, DILITHIUM and FRODO which were submitted as proposals for the NIST call for standardization of post quantum cryptography. We have identified a vulnerability in the usage of nonce, during generation of secret and error components in the key generation procedure. Our fault attack, based on a practical bit flip model (single bit flip to very few bit flips for proposed parameter instantiations) enables us to retrieve the secret key from the public key in a trivial manner. We fault the nonce in order to maliciously use the same nonce to generate both the secret and error components which turns the LWE instance into an exactly defined set of linear equations from which the secret can be trivially solved for using Gaussian elimination.

View PDFchevron_right
Walnutdsa: A Quantum-Resistant Digital Signature Algorithm
Derek Atkins

2017

In 2005 I. Anshel, M. Anshel, D. Goldfeld, and S. Lemieux introduced E-Multiplication, a quantum-resistant, group-theoretic, one-way function which can be used as a basis for many different cryptographic applications. To date, all analysis and attacks on E-Multiplication have been exponential in their runtime and all have been readily addressed and defeated. This paper introduces WalnutDSA, a new E-Multiplication-based public-key digital signature method that provides very efficient verification, allowing low-powered and constrained devices to quickly and inexpensively validate digital signatures (e.g., a certificate or authentication). This paper presents an in-depth discussion of the construction of the digital signature algorithm, analyzes the security of the scheme, provides a proof of security under EUF-CMA, and discusses the practical results from implementations on several constrained devices. With the implementation of parameters that defeat all known attacks, WalnutDSA is c...

View PDFchevron_right
Efficient Post-Quantum Undeniable Signature on 64-Bit ARM
Jesse Mauck

Selected Areas in Cryptography – SAC 2017, 2017

We present a full-fledged, highly-optimized, constant-time software for post-quantum supersingular isogeny-based undeniable signature (SIUS) on the ARMv8 platforms providing 83-and 110-bit quantum security levels. To the best of our knowledge, this work is the first empirical implementation of isogeny-based quantum-resistant undeniable signature presented to date. The proposed software is developed on the top of our optimized handwritten ARMv8 assembly arithmetic library and benchmarked on a variety of platforms. The entire protocol runs less than a second on Huawei Nexus smart phone, providing 83-bit quantum security level. Moreover, our signature and public key sizes are 25% smaller than the original SIUS scheme. We remark that the SIUS protocol, similar to other isogeny-based schemes, suffers from the excessive number of operations, affecting its overall performance. Nonetheless, its significantly smaller key and signature sizes make it a promising candidate for post-quantum cryptography.

View PDFchevron_right
An Efficient Non-Profiled Side-Channel Attack on the CRYSTALS-Dilithium Post-Quantum Signature
Emre Karabulut

2021 IEEE 39th International Conference on Computer Design (ICCD), 2021

Post-quantum digital signature is a critical primitive of computer security in the era of quantum hegemony. As a finalist of the post-quantum cryptography standardization process, the theoretical security of the CRYSTALS-Dilithium (Dilithium) signature scheme has been quantified to withstand classical and quantum cryptanalysis. However, there is an inherent power sidechannel information leakage in its implementation instance due to the physical characteristics of hardware. This work proposes an efficient non-profiled Correlation Power Analysis (CPA) strategy on Dilithium to recover the secret key by targeting the underlying polynomial multiplication arithmetic. We first develop a conservative scheme with a reduced key guess space, which can extract a secret key coefficient with a 99.99% confidence using 157 power traces of the reference Dilithium implementation. However, this scheme suffers from the computational overhead caused by the large modulus in Dilithium signature. To further accelerate the CPA run-time, we propose a fast two-stage scheme that selects a smaller search space and then resolves false positives. We finally construct a hybrid scheme that combines the advantages of both schemes. Real-world experiment on the power measurement data shows that our hybrid scheme improves the attack's execution time by 7.77×.

View PDFchevron_right
A Survey of Lattice Attack on Digital Signature Algorithm
Bholanath Roy

SSRN Electronic Journal, 2018

Lattice-based cryptography is the use of conjectured hard problems on point lattices in 𝑹 𝒏 as the foundation for secure cryptographic systems. The Digital Signature Algorithm (DSA) computes a modular exponentiation with a per-message ephemeral secret. This involves a sequence of modulo square and multiply operations which, if known, leaks few bits of per-message ephemeral secret key which can be used in lattice based attack to obtain the DSA private key. This work surveys most of the major developments in lattice based attack on DSA with their pros and cons.

View PDFchevron_right

References (30)

  1. Sedat Akleylek, Nina Bindel, Johannes Buchmann, Juliane Krämer, and Gior- gia Azzurra Marson. 2016. An efficient lattice-based signature scheme with provably secure instantiation. In International Conference on Cryptology in Africa. Springer, 44-60.
  2. Christopher Ambrose, Joppe W Bos, Björn Fay, Marc Joye, Manfred and Bruce Murray. 2018. Differential attacks on deterministic signatures. In Cryptographers' Track at the RSA Conference. Springer, 339-353.
  3. Shi Bai and Steven D Galbraith. 2014. An Improved Compression Technique for Signatures Based on Learning with Errors.. In CT-RSA, Vol. 8366. 28-47.
  4. Rami Barends, Julian Kelly, Anthony Megrant, Andrzej Veitia, Daniel Sank, Evan Jeffrey, Ted C White, Josh Mutus, Austin G Fowler, Brooks Campbell, et al. 2014. Superconducting quantum circuits at the surface code threshold for fault toler- ance. Nature 508, 7497 (2014), 500-503.
  5. Alessandro Barenghi and Gerardo Pelosi. 2016. A note on fault attacks against deterministic signature schemes (short paper). In International Workshop on Security. Springer, 182-192.
  6. Daniel J Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang. 2012. High-speed high-security signatures. Journal of Cryptographic Engineering 2, 2 (2012), 77-89.
  7. Nina Bindel, Sedat Akleylek, Erdem Alkim, Paulo S. L. M. Barreto, Johannes Buchmann, Edward Eaton, Gus Gutoski, Juliane Kramer, Patrick Longa, Harun Polat, Jefferson E. Ricardini, and Gustavo Zanon. 2017. qTESLA. Technical Report. National Institute of Standards and Technology. available at https: //csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions.
  8. Nina Bindel, Johannes Buchmann, and Juliane Krämer. 2016. Lattice-based signature schemes and their sensitivity to fault attacks. In Fault Diagnosis and Tolerance in Cryptography (FDTC), 2016 Workshop on. IEEE, 63-77.
  9. Nina Bindel, Juliane Kramer, and Johannes Schreiber. 2017. Special session: hampering fault attacks against lattice-based signature schemes-countermeasures and their efficiency. In Hardware/Software Codesign and System Synthesis (CODES+ ISSS), 2017 International Conference on. IEEE, 1-3.
  10. Leon Groot Bruinderink, Andreas Hülsing, Tanja Lange, and Yuval Yarom. 2016. Flush, Gauss, and Reload-a cache attack on the BLISS lattice-based signature scheme. In International Conference on Cryptographic Hardware and Embedded Systems. Springer, 323-345.
  11. Leon Groot Bruinderink and Peter Pessl. 2018. Differential Fault Attacks on Deterministic Lattice Signatures. IACR Transactions on Cryptographic Hardware and Embedded Systems 2018, 3 (2018). https://eprint.iacr.org/2018/355.pdf.
  12. Léo Ducas, Alain Durmus, Tancrède Lepoint, and Vadim Lyubashevsky. 2013. Lattice signatures and bimodal Gaussians. In Advances in Cryptology-CRYPTO 2013. Springer, 40-56.
  13. Thomas Espitau, Pierre-Alain Fouque, Benoît Gérard, and Mehdi Tibouchi. 2016. Loop-abort faults on lattice-based Fiat-Shamir and hash-and-sign signatures. In International Conference on Selected Areas in Cryptography. Springer, 140-158.
  14. Thomas Espitau, Pierre-Alain Fouque, Benoît Gérard, and Mehdi Tibouchi. 2017. Side-channel attacks on BLISS lattice-based signatures: Exploiting branch tracing against strongswan and electromagnetic emanations in microcontrollers. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. ACM, 1857-1874.
  15. Thomas Espitau, Pierre-Alain Fouque, Benoit Gerard, and Mehdi Tibouchi. 2018. Loop-Abort Faults on Lattice-Based Signatures and Key Exchange Protocols. IEEE Trans. Comput. (2018).
  16. Tim Güneysu, Vadim Lyubashevsky, and Thomas Pöppelmann. 2012. Practical lattice-based cryptography: A signature scheme for embedded systems. In Inter- national Conference on Cryptographic Hardware and Embedded Systems. Springer, 530-547.
  17. Matthias J. Kannwischer, Joost Rijneveld, Peter Schwabe, and Ko Stoffelen. [n. d.]. PQM4: Post-quantum crypto library for the ARM Cortex-M4. https: //github.com/mupq/pqm4.
  18. Vadim Lyubashevsky. 2009. Fiat-Shamir with aborts: Applications to lattice and factoring-based signatures. In International Conference on the Theory and Application of Cryptology and Information Security. Springer, 598-616.
  19. Vadim Lyubashevsky, Leo Ducas, Eike Kiltz, Tancrede Lepoint, Peter Schwabe, Gregor Seiler, and Damien Stehle. 2017. CRYSTALS-Dilithium. Technical Report. National Institute of Standards and Technology. available at https://csrc.nist. gov/projects/post-quantum-cryptography/round-1-submissions.
  20. Vadim Lyubashevsky, Chris Peikert, and Oded Regev. 2013. On Ideal Lattices and Learning with Errors over Rings. J. ACM 60, 6 (2013), 43.
  21. Daniele Micciancio. 2007. Generalized compact knapsacks, cyclic lattices, and efficient one-way functions. computational complexity 16, 4 (2007), 365-411.
  22. National Institute of Standards and Technology. 2016. Post-Quantum Crypto Project. http://csrc.nist.gov/groups/ST/post-quantum-crypto/.
  23. National Institute of Standards and Technology. 2019. Round 2 Submissions, Post-Quantum Cryptography. Technical Report. available at https://csrc.nist.gov/ projects/post-quantum-cryptography/round-2-submissions.
  24. NIST. 2016. Submission Requirements and Evaluation Criteria for the Post-Quantum Cryptography Standardization Process. https: //csrc.nist.gov/csrc/media/projects/post-quantum-cryptography/documents/ call-for-proposals-final-dec-2016.pdf.
  25. Peter Pessl. 2016. Analyzing the shuffling side-channel countermeasure for lattice-based signatures. In INDOCRYPT 2016. Springer, 153-170.
  26. Peter Pessl, Leon Groot Bruinderink, and Yuval Yarom. 2017. To BLISS-B or not to be: Attacking strongSwan's Implementation of Post-Quantum Signatures. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. ACM, 1843-1855.
  27. Thomas Pornin. 2013. Deterministic usage of the digital signature algorithm (DSA) and elliptic curve digital signature algorithm (ECDSA). Technical Report.
  28. Prasanna Ravi, Debapriya Basu Roy, Shivam Bhasin, Anupam Chattopadhyay, and Debdeep Mukhopadhyay. 2019. Number "Not Used" Once-Practical Fault Attack on pqm4 Implementations of NIST Candidates. In International Workshop on Constructive Side-Channel Analysis and Secure Design. Springer, 232-250.
  29. Lionel Riviere, Zakaria Najm, Pablo Rauzy, Jean-Luc Danger, Julien Bringer, and Laurent Sauvage. 2015. High precision fault injections on the instruction cache of ARMv7-M architectures. arXiv preprint arXiv:1510.01537 (2015).
  30. Elena Trichina and Roman Korkikyan. 2010. Multi fault laser attacks on pro- tected CRT-RSA. In Fault Diagnosis and Tolerance in Cryptography (FDTC), 2010 Workshop on. IEEE, 75-86.

Related papers

Loop abort Faults on Lattice-Based Fiat-Shamir & Hash'n Sign signatures
Pierre-alain Fouque

IACR Cryptol. ePrint Arch., 2016

As the advent of general-purpose quantum computers appears to be drawing closer, agencies and advisory bodies have started recommending that we prepare the transition away from factoring and discrete logarithm-based cryptography, and towards postquantum secure constructions, such as lattice-based schemes. Almost all primitives of classical cryptography (and more!) can be realized with lattices, and the efficiency of primitives like encryption and signatures has gradually improved to the point that key sizes are competitive with RSA at similar security levels, and fast performance can be achieved both in software and hardware. However, little research has been conducted on physical attacks targeting concrete implementations of postquantum cryptography in general and lattice-based schemes in particular , and such research is essential if lattices are going to replace RSA and elliptic curves in our devices and smart cards. In this paper, we look in particular at fault attacks against s...

View PDFchevron_right
Loop-Abort Faults on Lattice-Based Fiat-Shamir and Hash-and-Sign Signatures
Pierre-alain Fouque

Lecture Notes in Computer Science, 2017

Although postquantum cryptography is of growing practical concern, not many works have been devoted to implementation security issues related to postquantum schemes. In this paper, we look in particular at fault attacks against implementations of lattice-based signature schemes, looking both at Fiat-Shamir type constructions (particularly BLISS, but also GLP, PASSSing and Ring-TESLA) and at hash-and-sign schemes (particularly the GPVbased scheme of Ducas-Prest-Lyubashevsky). These schemes include essentially all practical lattice-based signatures, and achieve the best efficiency to date in both software and hardware. We present several fault attacks against those schemes yielding a full key recovery with only a few or even a single faulty signature, and discuss possible countermeasures to protect against these attacks.

View PDFchevron_right
Side-channel and Fault-injection attacks over Lattice-based Post-quantum Schemes (Kyber, Dilithium): Survey and New Results
Prasanna Ravi

ACM Transactions on Embedded Computing Systems

In this work, we present a systematic study of Side-Channel Attacks (SCA) and Fault Injection Attacks (FIA) on structured lattice-based schemes, with main focus on Kyber Key Encapsulation Mechanism (KEM) and Dilithium signature scheme, which are leading candidates in the NIST standardization process for Post-Quantum Cryptography (PQC). Through our study, we attempt to understand the underlying similarities and differences between the existing attacks, while classify them into different categories. Given the wide-variety of reported attacks, simultaneous protection against all the attacks requires to implement customized protections/countermeasures for both Kyber and Dilithium. We therefore present a range of customized countermeasures, capable of providing defences/mitigations against existing SCA/FIA, and incorporate several SCA and FIA countermeasures within a single design of Kyber and Dilithium. Among the several countermeasures discussed in this work, we present novel counterme...

View PDFchevron_right
Loop-Abort Faults on Lattice-Based Signatures and Key Exchange Protocols
Pierre-alain Fouque

IEEE Transactions on Computers, 2018

Although postquantum cryptography is of growing practical concern, not many works have been devoted to implementation security issues related to postquantum schemes. In this paper, we look in particular at fault attacks against implementations of lattice-based signatures and key exchange protocols. For signature schemes, we are interested both in Fiat-Shamir type constructions (particularly BLISS, but also GLP, PASSSign, and Ring-TESLA) and in hash-and-sign schemes (particularly the GPV-based scheme of Ducas-Prest-Lyubashevsky). For key exchange protocols, we study the implementations of NewHope, Frodo, and Kyber. These schemes form a representative sample of modern, practical latticebased signatures and key exchange protocols, and achieve a high level of efficiency in both software and hardware. We present several fault attacks against those schemes that recover the entire key recovery with only a few faulty executions (sometimes only one), show that those attacks can be mounted in practice based on concrete experiments in hardware, and discuss possible countermeasures against them.

View PDFchevron_right
Side-channel Assisted Existential Forgery Attack on Dilithium - A NIST PQC candidate
Prasanna Ravi

IACR Cryptol. ePrint Arch., 2018

The recent lattice-based signature scheme Dilithium, submitted as part of the CRYSTALS (Cryptographic Suite for Algebraic Lattices) package, is one of a number of strong candidates submitted for the NIST standardization process of post-quantum cryptography. The Dilithium signature scheme is based on the Fiat-Shamir paradigm and can be seen as a variant of the Bai-Galbraith scheme (BG) combined with several improvements from previous ancestor lattice-based schemes like GLP and BLISS signature schemes. One of the main features of Dilithium is the compressed public-key, which is a rounded version of the LWE instance. This implies that Dilithium is not breakable with the knowledge of only the secret or the error of the LWE instance, unlike its ancestor lattice-based signature schemes. In this paper, we investigate the security of Dilithium against a combination of side-channel and classical attacks. Side-channel attacks on schoolbook and optimised polynomial multiplication algorithms in...

View PDFchevron_right

Cited by

Side-channel and Fault-injection attacks over Lattice-based Post-quantum Schemes (Kyber, Dilithium): Survey and New Results
Prasanna Ravi

ACM Transactions on Embedded Computing Systems

In this work, we present a systematic study of Side-Channel Attacks (SCA) and Fault Injection Attacks (FIA) on structured lattice-based schemes, with main focus on Kyber Key Encapsulation Mechanism (KEM) and Dilithium signature scheme, which are leading candidates in the NIST standardization process for Post-Quantum Cryptography (PQC). Through our study, we attempt to understand the underlying similarities and differences between the existing attacks, while classify them into different categories. Given the wide-variety of reported attacks, simultaneous protection against all the attacks requires to implement customized protections/countermeasures for both Kyber and Dilithium. We therefore present a range of customized countermeasures, capable of providing defences/mitigations against existing SCA/FIA, and incorporate several SCA and FIA countermeasures within a single design of Kyber and Dilithium. Among the several countermeasures discussed in this work, we present novel counterme...

View PDFchevron_right
580 California St., Suite 400
San Francisco, CA, 94104
© 2025 Academia. All rights reserved