An Efficient Non-Profiled Side-Channel Attack on the CRYSTALS-Dilithium Post-Quantum Signature

Chen, Zhaohui; Karabulut, Emre; Aysu, Aydın; Ma, Yuan; Jing, Jiwu

doi:10.1109/iccd53106.2021.00094

Cited by 16 publications

(11 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, they believe that the attack goes beyond polynomial time. Subsequently, Chen et al (2021) proposed a conservative CPA method to reduce the key guessing space and a fast two-stage method to further reduce the guessing space for attacking polynomial multiplication operations. As a result, they were able to fully recover the private key using the conservative CPA method with only 157 power traces.…”

Section: Related Workmentioning

confidence: 99%

“…At present, of the attacks targeting polynomial multiplication of Dilithium, Chen et al 's attack (Chen et al 2021) performs best. However, due to the pre-charging mechanism of CMOS circuits in ARM platform, the Hamming weight model is selected as the power consumption model.…”

Section: Related Workmentioning

confidence: 99%

“…From Stefffen et al 's work (Steffen et al 2022), it can be seen that FPGA implementation of Dilithium has more parallel operations than the ARM implementation, such as keccak operation and parallel computation of multiple key coefficients, and it takes more time to attack it, so it is difficult to perform a complete analysis. The fast two-stage scheme of Chen et al 's work (Chen et al 2021) reduces the attack time, but the best key recovery can be achieved when the power trace used is 63 times that of the conservative CPA scheme, while the recovery of one key coefficient of the cs 1 in the attack of Steffen et al (2022) has used 1,000,000 electromagnetic traces, and the increase in the dataset of the fast two-stage scheme will be very significant, which is relatively high for the memory requirements of the computer. Hence, it is not practical to trade more traces for less time.…”

Section: Related Workmentioning

confidence: 99%

“…For software implementations, it is difficult to analyse the continuous numerical processing on the bus, so the Hamming weight of the targeted variable is often used as a leakage model (Chen et al 2021;Qiao et al 2023). For hardware implementations, it is possible to analyse the previous reference value of the operation by examining registers, hence the Hamming distance model is commonly used to model the power consumption generated by the targeted operation (Steffen et al 2022).…”

Section: Cpa On Polynomial Multiplicationmentioning

confidence: 99%

See 3 more Smart Citations

In-depth Correlation Power Analysis Attacks on a Hardware Implementation of CRYSTALS-Dilithium

Wang,

Gao,

Liu

et al. 2024

Cybersecurity

View full text Add to dashboard Cite

During the standardisation process of post-quantum cryptography, NIST encourages research on side-channel analysis for candidate schemes. As the recommended lattice signature scheme, CRYSTALS-Dilithium, when implemented on hardware, has seen limited research on side-channel analysis, and current attacks are incomplete or requires a substantial quantity of traces. Therefore, we conducted a more complete analysis to investigate the leakage of an FPGA implementation of CRYSTALS-Dilithium using the Correlation Power Analysis (CPA) method, where with a minimum of 70,000 traces partial private key coefficients can be recovered. Furthermore, we optimise the attack by extracting Point-of-Interests using known information due to parallelism (named CPA-PoI) and by iteratively utilising parallel leakages (named CPA-ITR). Our experimental results show that CPA-PoI reduces the number of traces by up to 16.67%, CPA-ITR by up to 25%, and both increase the number of recovered key coefficients by up to 55.17% and 93.10% using the same number of traces. They outperfom the CPA method. As a result, it suggests that the FPGA implementation of CRYSTALS-Dilithium is more vulnerable than thought before to side-channel analysis.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Cpa On Polynomial Multiplicationmentioning

confidence: 99%

See 2 more Smart Citations

In-depth Correlation Power Analysis Attacks on a Hardware Implementation of CRYSTALS-Dilithium

Wang,

Gao,

Liu

et al. 2024

Cybersecurity

View full text Add to dashboard Cite

show abstract

“…For the final round, in addition to key selection criterion such as classical security, theoretical PQ security guarantees, implementation cost and performance; resistance against active and passive implementation attacks, one of the most important criteria [28]. Several authors have reported physical attacks on structured lattice-based schemes through exploitation of a number of side-channels such as power [1,11,31,33,35,37,50], electromagnetic emissions [18], cache timing [21,32] and induced faults [8,10,17,34,37,38,40,47,49].…”

Section: Introductionmentioning

confidence: 99%

An End-to-End Analysis of EMFI on Bit-sliced Post-Quantum Implementations

Singh¹,

Islam²,

Sunar³

et al. 2022

Preprint

View full text Add to dashboard Cite

Bit-slicing is a software implementation technique that treats an N-bit processor datapath as N parallel single-bit datapaths. The natural spatial redundancy of bit-sliced software can be used to build countermeasures against implementation attacks. While the merits of bit-slicing for side-channel countermeasures have been studied before, their application for protection of post-quantum algorithms against fault injection is still unexplored. We present an end-to-end analysis of the efficacy of bit-slicing to detect and thwart electromagnetic fault injection (EMFI) attacks on post-quantum cryptography (PQC). We study Dilithium, a digital signature finalist of the NIST PQC competition. We present a bit-slice-redundant design for the Number-Theoretic Transform (NTT), the most complex and compute-intensive component in Dilithium. We show a data-redundant countermeasure for NTT which offers two concurrent bits for every single bit in the original implementation. We then implement a full Dilithium signature sequence on a 667 MHz ARM Cortex-A9 processor integrated in a Xilinx Zynq SoC. We perform a detailed EM fault-injection parameter search to optimize the location, intensity and timing of injected EM pulses. We demonstrate that, under optimized fault injection parameters, about 10% of the injected faults become potentially exploitable. However, the bit-sliced NTT design is able to catch the majority of these potentially exploitable faults, even when the remainder of the Dilithium algorithm as well as the control flow is left unprotected. To our knowledge, this is the first demonstration of a bitslice-redundant design of Dilithium that offers distributed fault detection throughout the execution of the algorithm.

show abstract