LWE with Side Information: Attacks and Concrete Security Estimation

Dachman-Soled, Dana; Ducas, Léo; Gong, Huijing; Rossi, Mélissa

doi:10.1007/978-3-030-56880-1_12

Cited by 90 publications

(86 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In particular, it would be interesting to implement our correction of [BPO + 20] to investigate the final performance to compare the results with other approaches. Additionally, it would be interesting to investigate improvements or generalizations of the framework provided in [DDGR20] to reduce the number of required approximate linear equations. A good understanding of the cost of retrieving the full secret could help to bound the amount of side-channel leakage an attacker would be allowed to obtain in a realistic scenario.…”

Section: Discussionmentioning

confidence: 99%

“…This compression prohibits gaining exact equations in the secret in our case, which diminishes the information we retrieved from the oracle. To counter this, we show that we can still retrieve approximate equations in the secret key which, combined with the leaky-LWE framework of Dachman-Soled et al [DDGR20], allows to effectively retrieve the secret key.…”

Section: Attackmentioning

confidence: 99%

“…Solving Mod-LWE using (approximate) equations Dachman-Soled et al [DDGR20] introduced a tool to estimate the security of an LWE sample in the presence of linear hints about the secret. We can use this framework to include our exact or approximate linear equations and estimate the remaining cost of retrieving the secret.…”

Section: Generic Key Recovery From Decryption Failure Oraclesmentioning

confidence: 99%

“…For Kyber512 or Kyber768 with compression, we are expecting to find an approximate equation with 2qlog 2 (2 dv ) ≈ 2 13.7 queries, where 2 dv is the number of values E can take and 2q again the cost to find a collision. The cost of the remaining security can be calculated by [DDGR20] and is graphically presented in Figure 4. All in all, the number of queries and remaining computational effort for Kyber768 is still high.…”

Section: Collision Attackmentioning

confidence: 99%

See 3 more Smart Citations

Attacking and Defending Masked Polynomial Comparison for Lattice-Based Cryptography

Bhasin

D’Anvers

Heinz

et al. 2021

TCHES

View full text Add to dashboard Cite

In this work, we are concerned with the hardening of post-quantum key encapsulation mechanisms (KEM) against side-channel attacks, with a focus on the comparison operation required for the Fujisaki-Okamoto (FO) transform. We identify critical vulnerabilities in two proposals for masked comparison and successfully attack the masked comparison algorithms from TCHES 2018 and TCHES 2020. To do so, we use first-order side-channel attacks and show that the advertised security properties do not hold. Additionally, we break the higher-order secured masked comparison from TCHES 2020 using a collision attack, which does not require side-channel information. To enable implementers to spot such flaws in the implementation or underlying algorithms, we propose a framework that is designed to test the re-encryption step of the FO transform for information leakage. Our framework relies on a specifically parametrized t-test and would have identified the previously mentioned flaws in the masked comparison. Our framework can be used to test both the comparison itself and the full decapsulation implementation.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Attackmentioning

confidence: 99%

Section: Generic Key Recovery From Decryption Failure Oraclesmentioning

confidence: 99%

Section: Collision Attackmentioning

confidence: 99%

See 2 more Smart Citations

Attacking and Defending Masked Polynomial Comparison for Lattice-Based Cryptography

Bhasin

D’Anvers

Heinz

et al. 2021

TCHES

View full text Add to dashboard Cite

show abstract

“…Recently, Dachman-Soled et al [DDGR20] showed how such probabilities (soft information) can be incorporated into a lattice-reduction approach. There, however, it is important that the probabilities are somewhat reliable.…”

Section: Future Workmentioning

confidence: 99%

Fault Attacks on CCA-secure Lattice KEMs

Pessl

Prokop

2021

TCHES

View full text Add to dashboard Cite

NIST’s post-quantum standardization effort very recently entered its final round. This makes studying the implementation-security aspect of the remaining candidates an increasingly important task, as such analyses can aid in the final selection process and enable appropriately secure wider deployment after standardization. However, lattice-based key-encapsulation mechanisms (KEMs), which are prominently represented among the finalists, have thus far received little attention when it comes to fault attacks.Interestingly, many of these KEMs exhibit structural similarities. They can be seen as variants of the encryption scheme of Lyubashevsky, Peikert, and Rosen, and employ the Fujisaki-Okamoto transform (FO) to achieve CCA2 security. The latter involves re-encrypting a decrypted plaintext and testing the ciphertexts for equivalence. This corresponds to the classic countermeasure of computing the inverse operation and hence prevents many fault attacks.In this work, we show that despite this inherent protection, practical fault attacks are still possible. We present an attack that requires a single instruction-skipping fault in the decoding process, which is run as part of the decapsulation. After observing if this fault actually changed the outcome (effective fault) or if the correct result is still returned (ineffective fault), we can set up a linear inequality involving the key coefficients. After gathering enough of these inequalities by faulting many decapsulations, we can solve for the key using a bespoke statistical solving approach. As our attack only requires distinguishing effective from ineffective faults, various detection-based countermeasures, including many forms of double execution, can be bypassed.We apply this attack to Kyber and NewHope, both of which belong to the aforementioned class of schemes. Using fault simulations, we show that, e.g., 6,500 faulty decapsulations are required for full key recovery on Kyber512. To demonstrate practicality, we use clock glitches to attack Kyber running on a Cortex M4. As we argue that other schemes of this class, such as Saber, might also be susceptible, the presented attack clearly shows that one cannot rely on the FO transform’s fault deterrence and that proper countermeasures are still needed.

show abstract

LWE with Side Information: Attacks and Concrete Security Estimation

Dachman-Soled

Ducas

Gong

et al. 2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

We propose a framework for cryptanalysis of lattice-based schemes, when side information-in the form of "hints"-about the secret and/or error is available. Our framework generalizes the so-called primal lattice reduction attack, and allows the progressive integration of hints before running a final lattice reduction step. Our techniques for integrating hints include sparsifying the lattice, projecting onto and intersecting with hyperplanes, and/or altering the distribution of the secret vector. Our main contribution is to propose a toolbox and a methodology to integrate such hints into lattice reduction attacks and to predict the performance of those lattice attacks with side information. While initially designed for side-channel information, our framework can also be used in other cases: exploiting decryption failures, or simply exploiting constraints imposed by certain schemes (LAC, Round5, NTRU). We implement a Sage 9.0 toolkit to actually mount such attacks with hints when computationally feasible, and to predict their performances on larger instances. We provide several end-to-end application examples, such as an improvement of a single trace attack on Frodo by Bos et al. (SAC 2018). In particular, our work can estimates security loss even given very little side information, leading to a smooth measurement/computation trade-off for side-channel attacks.

show abstract

LWE with Side Information: Attacks and Concrete Security Estimation

Cited by 90 publications

References 23 publications

Attacking and Defending Masked Polynomial Comparison for Lattice-Based Cryptography

Attacking and Defending Masked Polynomial Comparison for Lattice-Based Cryptography

Fault Attacks on CCA-secure Lattice KEMs

LWE with Side Information: Attacks and Concrete Security Estimation

Contact Info

Product

Resources

About