Timing Attacks on Error Correcting Codes in Post-Quantum Schemes

D’Anvers, Jan-Pieter; Tiepelt, Marcel; Vercauteren, Fréderik; Verbauwhede, Ingrid

doi:10.1145/3338467.3358948

Cited by 42 publications

(34 citation statements)

References 15 publications

(19 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…However, care is needed to ensure that this design does not lead to security vulnerabilities. During the first round of the NIST standardization process, several authors published attacks on LAC that reduced its security to below the required levels [34,35,36,37]. These included chosen-ciphertext attacks that worked by artificially increasing the decryption failure rate and side-channel attacks that exploit non-constant-time implementations of the error-correction procedures in LAC.…”

Section: Lacmentioning

confidence: 99%

Status report on the second round of the NIST post-quantum cryptography standardization process

Moody¹,

Alagic²,

Apon³

et al. 2020

View full text Add to dashboard Cite

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST. Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at https://csrc.nist.gov/publications.

show abstract

Section: Lacmentioning

confidence: 99%

Status report on the second round of the NIST post-quantum cryptography standardization process

Moody¹,

Alagic²,

Apon³

et al. 2020

View full text Add to dashboard Cite

show abstract

“…While the aforementioned attacks primarily targeted IND-CPA secure schemes, Bauer et al [BGRR19] also suggested utilizing side-channel information to instantiate plaintext checking oracles and also performed preliminary experiments using EM side-channel information to argue their case. More concretely, D'Anvers et al [DTVV19] demonstrated use of timing leakage information to perform chosen ciphertext attacks over the IND-CCA secure LAC KEM and also stated the possibility of using other side-channels to perform chosen ciphertext attacks. In this work, we extend and generalize the idea of side-channels being used as efficient plaintext checking oracles by demonstrating practical EM-side channel assisted key recovery attacks applicable to six IND-CCA secure LWE/LWR based PKE/KEMs.…”

Section: Chosen Ciphertext Attacks On Lwe/lwr Based Schemesmentioning

confidence: 99%

“…However, this is only true in a classical black box setting since any cryptographic algorithm implemented on a real-device leaks information about intermediate values through side-channels such as timing, power consumption or Electromagnetic (EM) emanation. In fact, D'Anvers in [DTVV19] showed that difference in the execution times of variable-time error correcting procedures can be used to distinguish validity of decrypted output codewords with very high probability. They utilized this timing vulnerability as a plaintext checking oracle to demonstrate practical chosen ciphertext attacks over IND-CCA secure KEMs LAC [LLZ + 18] and RAMSTAKE [Sze17].…”

Section: Introductionmentioning

confidence: 99%

Generic Side-channel attacks on CCA-secure lattice-based PKE and KEMs

Ravi

Roy

Chattopadhyay

et al. 2020

TCHES

View full text Add to dashboard Cite

In this work, we demonstrate generic and practical EM side-channel assisted chosen ciphertext attacks over multiple LWE/LWR-based Public Key Encryption (PKE) and Key Encapsulation Mechanisms (KEM) secure in the chosen ciphertext model (IND-CCA security). We show that the EM side-channel information can be efficiently utilized to instantiate a plaintext checking oracle, which provides binary information about the output of decryption, typically concealed within IND-CCA secure PKE/KEMs, thereby enabling our attacks. Firstly, we identified EM-based side-channel vulnerabilities in the error correcting codes (ECC) enabling us to distinguish based on the value/validity of decrypted codewords. We also identified similar vulnerabilities in the Fujisaki-Okamoto transform which leaks information about decrypted messages applicable to schemes that do not use ECC. We subsequently exploit these vulnerabilities to demonstrate practical attacks applicable to six CCA-secure lattice-based PKE/KEMs competing in the second round of the NIST standardization process. We perform experimental validation of our attacks on implementations taken from the open-source pqm4 library, running on the ARM Cortex-M4 microcontroller. Our attacks lead to complete key-recovery in a matter of minutes on all the targeted schemes, thus showing the effectiveness of our attack.

show abstract

“…Silverman and Whyte [49] presented a timing attack against NTRUEncrypt, which was based on a variation in the number of hash calls in decryption. Timing leakage information about error-correcting codes in a decoding algorithm allows extracting an entire secret key of LAC [16]. Park and Han [38] reported an SPA attack against the decryption of the ring-LWE encryption scheme performed on an AVR processor.…”

Section: A Related Workmentioning

confidence: 99%

Single-Trace Attacks on Message Encoding in Lattice-Based KEMs

et al. 2020

View full text Add to dashboard Cite

In this paper, we propose single-trace side-channel attacks against lattice-based key encapsulation mechanisms (KEMs) that are the third-round candidates of the national institute of standards and technology (NIST) standardization project. Specifically, we analyze the message encoding operation in the encapsulation phase of lattice-based KEMs to obtain an ephemeral session key. We conclude that a singletrace leakage implies a whole key recovery: the experimental results realized on a ChipWhisperer UFO STM32F3 target board achieve a success rate of 100% for CRYSTALS-KYBER and SABER regardless of an optimization level and those greater than 79% for FrodoKEM. We further demonstrate that the proposed attack methodologies are not restricted to the above algorithms but are widely applicable to other NIST post-quantum cryptography (PQC) candidates, including NTRU Prime and NTRU. INDEX TERMS Key encapsulation mechanism, lattice-based cryptography, message encoding, sidechannel attack, single-trace attack.

show abstract

Timing Attacks on Error Correcting Codes in Post-Quantum Schemes

Cited by 42 publications

References 15 publications

Status report on the second round of the NIST post-quantum cryptography standardization process

Status report on the second round of the NIST post-quantum cryptography standardization process

Generic Side-channel attacks on CCA-secure lattice-based PKE and KEMs

Single-Trace Attacks on Message Encoding in Lattice-Based KEMs

Contact Info

Product

Resources

About