The Hidden Parallelepiped Is Back Again: Power Analysis Attacks on Falcon

Guerreau, Morgane; Martinelli, Ange; Ricosset, Thomas; Rossi, Mélissa

doi:10.46586/tches.v2022.i3.141-164

Cited by 13 publications

(7 citation statements)

References 13 publications

(43 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…When performing all calculations, this difference turns into some small integer factor (in practice, the largest value obtained is (7)) of polynomials at the lowest level of recursion. If the difference occurs in the polynomial z 0 , then, according to formula (11), the situation δ 0 ≠0, δ 1 =0 arises, which is a necessary condition for the operation of formula (12) and the implementation of the attack.…”

Section: Discussion Of Results Of Investigating the Effect Of Floatin...mentioning

confidence: 99%

“…It has been shown that it is possible to protect against this attack with the help of the correct implementation of calculations. But in [11], a new attack on the implementation was proposed, which made it possible to recover the secret base using power analysis. The conditions for this attack were improved in work [12].…”

Section: Literature Review and Problem Statementmentioning

confidence: 99%

“…, . s s Substituting (10) into the expression for h, we get: z z δ = -, expression (11) implies expression (8), which had to be proved.…”

Section: S S H C S S H C S S H S S H C C S S S H S H S S H S Smentioning

confidence: 99%

See 2 more Smart Citations

Determining the effect of a floating point on the Falcon digital signature algorithm security

Potii,

Kachko,

Kandii

et al. 2024

EEJET

View full text Add to dashboard Cite

The object of research is digital signatures. The Falcon digital signature scheme is one of the finalists in the NIST post-quantum cryptography competition. Its distinctive feature is the use of floating-point arithmetic. However, floating-point arithmetic has so-called rounding noise, which accumulates during computations and in some cases may lead to significant changes in the processed values. The work considers the problem of using rounding noise to build attacks on implementation. The main result of the study is a novel attack on implementation, which enables the secret key recovery. This attack differs from existing attacks in using two separately secure implementations with different computation orders. As a result of the analysis, the conditions under which secret key recovery is possible were revealed. The attack requires 300,000 signatures and two implementations to recover key. The probability of successful attack ranges from 70 % to 76 %. This probability is explained by the structure of the Gaussian sampling algorithm used in the Falcon digital signature. At the same time, a necessary condition for conducting an attack is identical seed during signature generation. This condition makes the attack more theoretical than practical since the correct implementation of the Falcon makes probability of two identical seeds negligible. However, the possible usage of floating-point noise shows potential existence of additional attack vectors for the Falcon that should be covered in security models. The results could be used in the construction of digital signature security models and their implementation in existing information and communication systems

show abstract

Section: Discussion Of Results Of Investigating the Effect Of Floatin...mentioning

confidence: 99%

Section: Literature Review and Problem Statementmentioning

confidence: 99%

See 1 more Smart Citation

Determining the effect of a floating point on the Falcon digital signature algorithm security

Potii,

Kachko,

Kandii

et al. 2024

EEJET

View full text Add to dashboard Cite

show abstract

“…Besides, a masked implementation of the Gaussian sampler is provided in [EFG + 22]. Recently, Guerreau et al [GMRR22] proposed a simple power analysis attack on Falcon and a related light countermeasure, and their work was further improved in [ZLYW23], which provides more potential sources of leakage and reduces the number of required traces by new algorithms.…”

Section: Related Workmentioning

confidence: 99%

“…In [KA21], Karabulut and Aysu first performed an EM attack on such computation in Falcon, whose method in their setting can recover the secret key with a few thousand measured traces. Their attack was later improved by Guerreau et al [GMRR22], which reduces the guess space complexity from 2 27 to only 2 11 . However, the protection of the pre-image vector computation in Falcon has so far seldom been discussed.…”

Section: Related Workmentioning

confidence: 99%

Masking Floating-Point Number Multiplication and Addition of Falcon

Chen,

Chen

2024

TCHES

View full text Add to dashboard Cite

In this paper, we provide the first masking scheme for floating-point number multiplication and addition to defend against recent side-channel attacks on Falcon’s pre-image vector computation. Our approach involves a masked nonzero check gadget that securely identifies whether a shared value is zero. This gadget can be utilized for various computations such as rounding the mantissa, computing the sticky bit, checking the equality of two values, and normalizing a number. To support the masked floating-point number addition, we also developed a masked shift and a masked normalization gadget. Our masking design provides both first- and higherorder mask protection, and we demonstrate the theoretical security by proving the (Strong)-Non-Interference properties in the probing model. To evaluate the performance of our approach, we implemented unmasked, first-order, and second-order algorithms on an Arm Cortex-M4 processor, providing cycle counts and the number of random bytes used. We also report the time for one complete signing process with our countermeasure on an Intel-Core CPU. In addition, we assessed the practical security of our approach by conducting the test vector leakage assessment (TVLA) to validate the effectiveness of our protection. Specifically, our TVLA experiment results for second-order masking passed the test in 100,000 measured traces.

show abstract

Improved Power Analysis Attacks on Falcon

Zhang

Lin

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

The Hidden Parallelepiped Is Back Again: Power Analysis Attacks on Falcon

Cited by 13 publications

References 13 publications

Determining the effect of a floating point on the Falcon digital signature algorithm security

Determining the effect of a floating point on the Falcon digital signature algorithm security

Masking Floating-Point Number Multiplication and Addition of Falcon

Improved Power Analysis Attacks on Falcon

Contact Info

Product

Resources

About