FALCON Down: Breaking FALCON Post-Quantum Signature Scheme through Side-Channel Attacks

Karabulut, Emre; Aysu, Aydın

doi:10.1109/dac18074.2021.9586131

Cited by 26 publications

(22 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…FALCON was side channel attacked by measuring electromagnetic radiation created by the FFT inside the sampler which uses the floating point unit. Such that the attacker could reconstruct the private key after only 10k measurements [19]. Therefor another fork af falcon, zalcon was introduced which ditches the FPA (also good for other iot devices) and uses NTT instead of FTT [20].…”

Section: Falcon and Dilithiummentioning

confidence: 99%

See 1 more Smart Citation

Quantum-resistant digital signatures schemes for low-power IoT

Hattenbach

2021

Preprint

View full text Add to dashboard Cite

Quantum computers are on the horizon to get to a sufficient size that will then be able to break pretty much all the encryption and signature schemes we currently use. This is the case for human interface devices as well as for IoT nodes. In this paper i am comparing some signature schemes currently in the process of standardization by the NIST. After explaining the underlying basis on why some schemes are different in some aspects compared to others i will evaluate which currently available implementations are better suited for usage in IoT usecases. We will come to further focus on the most promising schemes FALCON and Dilithium, which differ in one signifiant aspect that makes FALCON worse for signing but very good for verification purposes.

show abstract

Section: Falcon and Dilithiummentioning

confidence: 99%

“…However this NTT seems to be even more vulnerable to this attack. [19] A fix for this vulnerability though could be to introduce a masking s.t. power consumption etc.…”

Section: Falcon and Dilithiummentioning

confidence: 99%

Quantum-resistant digital signatures schemes for low-power IoT

Hattenbach

2021

Preprint

View full text Add to dashboard Cite

show abstract

“…However, DLP does so at the cost of a slow signing algorithm, whereas FALCON, while fast, suffers from a very complex signing algorithm that is hard to implement, poorly suited for parallelization and difficult to protect against side-channel attacks. On the last point, both schemes have been shown to suffer from potential vulnerabilities with respect to side-channel leakage [18,27], and even though the most recent implementation of FALCON appears to be protected against timing attacks [40,24], countermeasures against stronger side-channel attacks like DPA seem difficult to achieve. FALCON is also limited to NTRU lattices over power-of-two cyclotomic fields, which limits its flexibility in terms of parameter selection.…”

Section: Introductionmentioning

confidence: 99%

Mitaka: A Simpler, Parallelizable, Maskable Variant of Falcon

Espitau

Fouque

Gérard

et al. 2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

This work describes the MITAKA signature scheme: a new hash-and-sign signature scheme over NTRU lattices which can be seen as a variant of NIST finalist FALCON. It achieves comparable efficiency but is considerably simpler, online/offline, and easier to parallelize and protect against sidechannels, thus offering significant advantages from an implementation standpoint. It is also much more versatile in terms of parameter selection.We obtain this signature scheme by replacing the FFO lattice Gaussian sampler in FALCON by the "hybrid" sampler of Ducas and Prest, for which we carry out a detailed and corrected security analysis. In principle, such a change can result in a substantial security loss, but we show that this loss can be largely mitigated using new techniques in key generation that allow us to construct much higher quality lattice trapdoors for the hybrid sampler relatively cheaply. This new approach can also be instantiated on a wide variety of base fields, in contrast with FALCON's restriction to power-of-two cyclotomics.We also introduce a new lattice Gaussian sampler with the same quality and efficiency, but which is moreover compatible with the integral matrix Gram root technique of Ducas et al., allowing us to avoid floating point arithmetic. This makes it possible to realize the same signature scheme as MITAKA efficiently on platforms with poor support for floating point numbers.Finally, we describe a provably secure masking of MITAKA. More precisely, we introduce novel gadgets that allow provable masking at any order at much lower cost than previous masking techniques for Gaussian sampling-based signature schemes, for cheap and dependable side-channel protection.7 Sometimes, this is also seen as a bounded distance decoding problem, BDD, but with large enough decoding bound that there are exponentially many solutions, instead of a unique one as is typically the case in the traditional formulation of BDD. 8 Other techniques have been proposed that avoid Gaussian distributions, as in [34], but they tend not to be competitive. Authors Suppressed Due to Excessive LengthAlgorithm 5: Integer arithmetic ring Gaussian sampler Input: a matrix B ∈ R 2×2 such that BU û = B = BUu, where û = [u]p ∈ 1 p R, a center c ∈ R 2 , and parameters r, s > 0. Result: z with distribution negligibly far from D L (B),c,rs . 1 Precomputed: Σp = s 2 I − B B t and A ← IntGram(p 2 (Σp − I)) / * AA t = p 2 (Σp − I) * / 2 p ← Algorithm 6(p, A) / * p ∼ D R 2 ,r 2 Σp * / 3 ĉ ← B −1 (c − p) 4 z ← Algorithm 4(û, ĉ, s) / * z ∼ D L (U û),ĉ,s * / 5 return z = Bz Algorithm 6: Offline sampler Input: An integer p > 0, a matrix A ∈ R 2×m . Result: p ∈ R 2 with distribution negligibly far from D R 2 ,r 2 Σ , where Σ = 1 p 2 AA t + I.1 Precomputed: integers r > ηε(R 2 ) and L such that Lr ηε(Λ(A) ⊥ ). 2 x ← ( 0 Lr ) m 3 p ← 1 pL Ax 4 p ← p r 5 return p.

show abstract

“…While the Gaussian sampling algorithms used in Falcon were subject to timing attacks [BHLY16, EFGT17, PBY17, FKT + 20] and countermeasures were designed [HPRR20] accordingly, concrete power attacks threatening Falcon implementations have only been performed in [KA21]. Moreover, this attack targets a subroutine of the algorithm and focuses on the recovery of values encoded in floating points.…”

Section: Introductionmentioning

confidence: 99%

The Hidden Parallelepiped Is Back Again: Power Analysis Attacks on Falcon

Guerreau

Martinelli

Ricosset

et al. 2022

TCHES

View full text Add to dashboard Cite

FALCON is a very efficient and compact lattice-based signature finalist of the NIST’s Post-Quantum standardization campaign. This work assesses Falcon’s sidechannel resistance by analyzing two vulnerabilities, namely the pre-image computation and the trapdoor sampling. The first attack is an improvement of Karabulut and Aysu (DAC 2021). It overcomes several difficulties inherent to the structure of the stored key like the Fourier representation and directly recovers the key with a limited number of traces and a reduced complexity. The main part of this paper is dedicated to our second attack: we show that a simple power analysis during the signature execution could provide the exact value of the output of a subroutine called the base sampler. This intermediate value does not directly lead to the secret and we had toadapt the so-called hidden parallelepiped attack initially introduced by Nguyen and Regev in Eurocrypt 2006 and reused by Ducas and Nguyen in Asiacrypt 2012. We extensively quantify the resources for our attacks and experimentally demonstrate them with FALCON’s reference implementation on the ELMO simulator (McCann, Oswald and Whitnall USENIX 2017) and on a ChipWhisperer Lite with STM32F3 target (ARM Cortex M4).These new attacks highlight the need for side-channel protection for one of the three finalists of NIST’s standardization campaign by pointing out the vulnerable parts and quantifying the resources of the attacks.

show abstract

FALCON Down: Breaking FALCON Post-Quantum Signature Scheme through Side-Channel Attacks

Cited by 26 publications

References 17 publications

Quantum-resistant digital signatures schemes for low-power IoT

Quantum-resistant digital signatures schemes for low-power IoT

Mitaka: A Simpler, Parallelizable, Maskable Variant of Falcon

The Hidden Parallelepiped Is Back Again: Power Analysis Attacks on Falcon

Contact Info

Product

Resources

About