Number “Not Used” Once - Practical Fault Attack on pqm4 Implementations of NIST Candidates

Ravi, Prasanna; Roy, Debapriya Basu; Bhasin, Shivam; Chattopadhyay, Anupam; Mukhopadhyay, Debdeep

doi:10.1007/978-3-030-16350-1_13

Cited by 31 publications

(31 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The ongoing standardization process and anticipated deployment of lattice-based cryptography raises an important question: How resilient are lattices to side-channel attacks or other forms of side information? While there are numerous works addressing this question for specific cryptosystems (See [2,9,17,18,32,33] for side channel attacks targeting lattice-based NIST candidates), these works use rather ad-hoc methods to reconstruct the secret key, requiring new techniques and algorithms to be developed for each setting. For example, the work of [9] uses brute-force methods for a portion of the attack, while [7] exploits linear regression techniques.…”

Section: Introductionmentioning

confidence: 99%

LWE with Side Information: Attacks and Concrete Security Estimation

Dachman-Soled

Ducas

Gong

et al. 2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

We propose a framework for cryptanalysis of lattice-based schemes, when side information-in the form of "hints"-about the secret and/or error is available. Our framework generalizes the so-called primal lattice reduction attack, and allows the progressive integration of hints before running a final lattice reduction step. Our techniques for integrating hints include sparsifying the lattice, projecting onto and intersecting with hyperplanes, and/or altering the distribution of the secret vector. Our main contribution is to propose a toolbox and a methodology to integrate such hints into lattice reduction attacks and to predict the performance of those lattice attacks with side information. While initially designed for side-channel information, our framework can also be used in other cases: exploiting decryption failures, or simply exploiting constraints imposed by certain schemes (LAC, Round5, NTRU). We implement a Sage 9.0 toolkit to actually mount such attacks with hints when computationally feasible, and to predict their performances on larger instances. We provide several end-to-end application examples, such as an improvement of a single trace attack on Frodo by Bos et al. (SAC 2018). In particular, our work can estimates security loss even given very little side information, leading to a smooth measurement/computation trade-off for side-channel attacks.

show abstract

Section: Introductionmentioning

confidence: 99%

LWE with Side Information: Attacks and Concrete Security Estimation

Dachman-Soled

Ducas

Gong

et al. 2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Final key derivation now uses SHAKE256 instead of SHA3-256. During the second round, a new fault attack forcing nonce reuse was discovered, affecting several lattice schemes, including KYBER [22]. Recent theoretical work has placed MLWE on stronger footing by providing a very tight reduction from ring LWE to module LWE [23].…”

Section: Crystals-kybermentioning

confidence: 99%

“…The Frodo team added a parameter set for security category 5 during the second round. Certain pseudorandomness expansion procedures were moved to the key generation function, apparently avoiding the aforementioned fault attack of [22]. In addition, the Fujisaki-Okamoto transform was somewhat simplified based on new theory results on QROM security.…”

Section: Frodokemmentioning

confidence: 99%

See 1 more Smart Citation

Status report on the second round of the NIST post-quantum cryptography standardization process

Moody¹,

Alagic²,

Apon³

et al. 2020

View full text Add to dashboard Cite

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST. Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at https://csrc.nist.gov/publications.

show abstract

“…Blindel et al [4] have also applied fault attacks on lattice based signature schemes namely BLISS, ring-TESLA and GLP. Ravi et al [38] have presented fault attacks on lattice based schemes NewHope, Kyber, Frodo and Dilithium. This research is based on hardware faults like electromagnetic fault injections and clock glitches.…”

Section: Introductionmentioning

confidence: 99%

QuantumHammer

Mus

Islam

Sunar

2020

Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Post-quantum schemes are expected to replace existing public-key schemes within a decade in billions of devices. To facilitate the transition, the US National Institute for Standards and Technology (NIST) is running a standardization process. Multivariate signatures is one of the main categories in NIST's post-quantum cryptography competition. Among the four candidates in this category, the LUOV and Rainbow schemes are based on the Oil and Vinegar scheme, first introduced in 1997 which has withstood over two decades of cryptanalysis. Beyond mathematical security and efficiency, security against side-channel attacks is a major concern in the competition. The current sentiment is that post-quantum schemes may be more resistant to fault-injection attacks due to their large key sizes and the lack of algebraic structure. We show that this is not true. We introduce a novel hybrid attack, QuantumHammer, and demonstrate it on the constant-time implementation of LUOV currently in Round 2 of the NIST post-quantum competition. The QuantumHammer attack is a combination of two attacks, a bittracing attack enabled via Rowhammer fault injection and a divide and conquer attack that uses bit-tracing as an oracle. Using bittracing, an attacker with access to faulty signatures collected using Rowhammer attack, can recover secret key bits albeit slowly. We employ a divide and conquer attack which exploits the structure in the key generation part of LUOV and solves the system of equations for the secret key more efficiently with few key bits recovered via bit-tracing. We have demonstrated the first successful in-the-wild attack on LUOV recovering all 11K key bits with less than 4 hours of an active Rowhammer attack. The post-processing part is highly parallel and thus can be trivially sped up using modest resources. QuantumHammer does not make any unrealistic assumptions, only requires software co-location (no physical access), and therefore can be used to target shared cloud servers or in other sandboxed environments.

show abstract

Number “Not Used” Once - Practical Fault Attack on pqm4 Implementations of NIST Candidates

Cited by 31 publications

References 19 publications

LWE with Side Information: Attacks and Concrete Security Estimation

LWE with Side Information: Attacks and Concrete Security Estimation

Status report on the second round of the NIST post-quantum cryptography standardization process

QuantumHammer

Contact Info

Product

Resources

About