Attack on LAC Key Exchange in Misuse Situation

Greuet, Aurélien; Montoya, Simon; Renault, Guénaël

doi:10.1007/978-3-030-65411-5_27

Cited by 12 publications

(1 citation statement)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…69 schemes were passed into Round 1, 26 were able to get into Round 2 and currently there are seven finalists and eight alternate candidates in Round 3 expected to be completed by the end on 2021. Similar schemes were merged together and some were attacked by the cryptographic community and were taken out of the competition [4], [5], [6], [7], [8], [9], [10], [11], [12]. There are five categories based on the underlying hard problems: lattice-based, code-based, hash-based, isogeny-based and multivariate schemes.…”

Section: Introductionmentioning

confidence: 99%

Signature Correction Attack on Dilithium Signature Scheme

Islam¹,

Mus²,

Singh³

et al. 2022

Preprint

View full text Add to dashboard Cite

Motivated by the rise of quantum computers, existing public-key cryptosystems are expected to be replaced by post-quantum schemes in the next decade in billions of devices. To facilitate the transition, NIST is running a standardization process which is currently in its final Round. Only three digital signature schemes are left in the competition, among which Dilithium and Falcon are the ones based on lattices. Besides security and performance, significant attention has been given to resistance against implementation attacks that target side-channel leakage or fault injection response. Classical fault attacks on signature schemes make use of pairs of faulty and correct signatures to recover the secret key which only works on deterministic schemes. To counter such attacks, Dilithium offers a randomized version which makes each signature unique, even when signing identical messages.In this work, we introduce a novel Signature Correction Attack which not only applies to the deterministic version but also to the randomized version of Dilithium and is effective even on constant-time implementations using AVX2 instructions. The Signature Correction Attack exploits the mathematical structure of Dilithium to recover the secret key bits by using faulty signatures and the public-key. It can work for any fault mechanism which can induce single bitflips. For demonstration, we are using Rowhammer induced faults. Thus, our attack does not require any physical access or special privileges, and hence could be also implemented on shared cloud servers. Using Rowhammer attack, we inject bit flips into the secret key s1 of Dilithium, which results in incorrect signatures being generated by the singing algorithm. Since we can find the correct signature using our Signature Correction algorithm, we can use the difference between the correct and incorrect signatures to infer the location and value of the flipped bit without needing a correct and faulty pair. To quantify the reduction in the security level, we perform a thorough classical and quantum security analysis of Dilithium and successfully recover 1,851 bits out of 3,072 bits of secret key s1 for security level 2. Fully recovered bits are used to reduce the dimension of the lattice whereas partially recovered coefficients are used to to reduce the norm of the secret key coefficients. Further analysis for both primal and dual attacks shows that the lattice strength against quantum attackers is reduced from 2 128 to 2 81 while the strength against classical attackers is reduced from 2 141 to 2 89 . Hence, the Signature Correction Attack may be employed to achieve a practical attack on Dilithium (security level 2) as proposed in Round 3 of the NIST post-quantum standardization process.

show abstract