Side-Channel Attacks on Post-Quantum Signature Schemes based on Multivariate Quadratic Equations

Park, Aesun; Shim, Kyung-Ah; Koo, Namhun; Han, Dong‐Guk

doi:10.46586/tches.v2018.i3.500-523

Cited by 27 publications

(15 citation statements)

References 13 publications

(21 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Indeed, in recent years, numerous side-channel attacks e.g. [18], [19], [20], [21], [22], [23], [24], [25], [26], [27], [28], [29] and fault attacks e.g. [30], [31], [32], [33], [34], [35], [36], [37], [5], [38] have been demonstrated by the research community on PQC schemes.…”

Section: Introductionmentioning

confidence: 99%

Signature Correction Attack on Dilithium Signature Scheme

Islam¹,

Mus²,

Singh³

et al. 2022

Preprint

View full text Add to dashboard Cite

Motivated by the rise of quantum computers, existing public-key cryptosystems are expected to be replaced by post-quantum schemes in the next decade in billions of devices. To facilitate the transition, NIST is running a standardization process which is currently in its final Round. Only three digital signature schemes are left in the competition, among which Dilithium and Falcon are the ones based on lattices. Besides security and performance, significant attention has been given to resistance against implementation attacks that target side-channel leakage or fault injection response. Classical fault attacks on signature schemes make use of pairs of faulty and correct signatures to recover the secret key which only works on deterministic schemes. To counter such attacks, Dilithium offers a randomized version which makes each signature unique, even when signing identical messages.In this work, we introduce a novel Signature Correction Attack which not only applies to the deterministic version but also to the randomized version of Dilithium and is effective even on constant-time implementations using AVX2 instructions. The Signature Correction Attack exploits the mathematical structure of Dilithium to recover the secret key bits by using faulty signatures and the public-key. It can work for any fault mechanism which can induce single bitflips. For demonstration, we are using Rowhammer induced faults. Thus, our attack does not require any physical access or special privileges, and hence could be also implemented on shared cloud servers. Using Rowhammer attack, we inject bit flips into the secret key s1 of Dilithium, which results in incorrect signatures being generated by the singing algorithm. Since we can find the correct signature using our Signature Correction algorithm, we can use the difference between the correct and incorrect signatures to infer the location and value of the flipped bit without needing a correct and faulty pair. To quantify the reduction in the security level, we perform a thorough classical and quantum security analysis of Dilithium and successfully recover 1,851 bits out of 3,072 bits of secret key s1 for security level 2. Fully recovered bits are used to reduce the dimension of the lattice whereas partially recovered coefficients are used to to reduce the norm of the secret key coefficients. Further analysis for both primal and dual attacks shows that the lattice strength against quantum attackers is reduced from 2 128 to 2 81 while the strength against classical attackers is reduced from 2 141 to 2 89 . Hence, the Signature Correction Attack may be employed to achieve a practical attack on Dilithium (security level 2) as proposed in Round 3 of the NIST post-quantum standardization process.

show abstract

Section: Introductionmentioning

confidence: 99%

Signature Correction Attack on Dilithium Signature Scheme

Islam¹,

Mus²,

Singh³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Since then multiple side channels have been demonstrated, exploiting various effects, such as timing [1,11,14,15], power consumption [34], electromagnetic (EM) emanations [17,27,44], shared microarchitectural components [29,50], and even acoustic and photonic emanations [4,30,35,47]. These side channels pose a severe risk to the security of systems, and in particular to cryptographic implementations, and effective side channel attacks have been demonstrated against block and stream ciphers [31,45], public key systems, both traditional [22,41] and post quantum [43], cryptographic primitives implemented in real-world devices [5,24], and even non-cryptographic algorithms [8].…”

Section: Introductionmentioning

confidence: 99%

Rosita: Towards Automatic Elimination of Power-Analysis Leakage in Ciphers

Shelton¹,

Samwel²,

Batina³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Since their introduction over two decades ago, physical side-channel attacks have presented a serious security threat. While many ciphers' implementations employ masking techniques to protect against such attacks, they often leak secret information due to unintended interactions in the hardware. We present ROSITA, a code rewrite engine that uses a leakage emulator which we amended to correctly emulate the microarchitecture of a target system. We use ROSITA to automatically protect a masked implementation of AES and show the absence of exploitable leakage at only a 11% penalty to the performance.

show abstract

“…Yi and Li [37] proposed a fault attack and DPA on ASIC implementation of enTTS scheme in 2017. In 2018, Park et al [38] presented a correlation power analysis attack against the Rainbow and UOV schemes on an 8-bit AVR microcontroller that yields full secret key recoveries. In 2019, based on the work of Hashimoto et al, Krämer and Loiero [39] complemented the research on fault attacks of multivariate signature schemes.…”

Section: Introductionmentioning

confidence: 99%

Fuzzy Matching Template Attacks on Multivariate Cryptography: A Case Study

Huang

Zhao

et al. 2020

Discrete Dynamics in Nature and Society

View full text Add to dashboard Cite

Multivariate cryptography is one of the most promising candidates for post-quantum cryptography. Applying machine learning techniques in this paper, we experimentally investigate the side-channel security of the multivariate cryptosystems, which seriously threatens the hardware implementations of cryptographic systems. Generally, registers are required to store values of monomials and polynomials during the encryption of multivariate cryptosystems. Based on maximum-likelihood and fuzzy matching techniques, we propose a template-based least-square technique to efficiently exploit the side-channel leakage of registers. Using QUAD for a case study, which is a typical multivariate cryptosystem with provable security, we perform our attack against both serial and parallel QUAD implementations on field programmable gate array (FPGA). Experimental results show that our attacks on both serial and parallel implementations require only about 30 and 150 power traces, respectively, to successfully reveal the secret key with a success rate close to 100%. Finally, efficient and low-cost strategies are proposed to resist side-channel attacks.

show abstract

Side-Channel Attacks on Post-Quantum Signature Schemes based on Multivariate Quadratic Equations

Cited by 27 publications

References 13 publications

Signature Correction Attack on Dilithium Signature Scheme

Signature Correction Attack on Dilithium Signature Scheme

Rosita: Towards Automatic Elimination of Power-Analysis Leakage in Ciphers

Fuzzy Matching Template Attacks on Multivariate Cryptography: A Case Study

Contact Info

Product

Resources

About