A Side-Channel Assisted Cryptanalytic Attack Against QcBits
QcBits is a code-based public key algorithm based on a problem thought to be resistant to quantum computer attacks. It is a constant-time implementation for a quasi-cyclic moderate density parity check (QC-MDPC) Niederreiter encryption scheme, and has excellent performance and small key sizes. In this paper, we present a key recovery attack against QcBits. We first used differential power analysis (DPA) against the syndrome computation of the decoding algorithm to recover partial information about one half of the private key. We then used the recovered information to set up a system of noisy binary linear equations. Solving this system of equations gave us the entire key. Finally, we propose a simple but effective countermeasure against the power analysis used during the syndrome calculation.
Side-channel Information Leakage of the Syndrome Computation in Code-Based Cryptography (Work in progress)
Efficient BIKE Hardware Design with Constant-Time Decoder
BIKE (Bit-flipping Key Encapsulation) is a promising candidate running in the NIST Post-Quantum Cryptography Standardization process. It is a code-based cryptosystem that enjoys a simple definition, well-understood underlying security, and interesting performance. The most critical step in this cryptosystem consists of correcting errors in a QC-MDPC linear code. The BIKE team proposed variants of the Bit-Flipping Decoder for this step for Rounds 1 and 2 of the standardization process. In this paper, we propose an alternative decoder which is more friendly to hardware implementations, leading to a latency-area performance comparable to the literature while introducing power side-channel resilience. We also show that our design can accelerate all key generation, encapsulation and decapsulation operations using very few common logic building blocks.
Algorithmic Security is Insufficient: A Comprehensive Survey on Implementation Attacks Haunting Post-Quantum Security
This survey is on forward-looking, emerging security concerns in the post-quantum era, i.e., implementation attacks on the 2022 winners of the NIST post-quantum cryptography (PQC) competition, and thus the visions, insights, and discussions can be used as a step forward towards scrutinizing the new standards for applications ranging from the Metaverse and Web 3.0 to deeply-embedded systems. The rapid advances in quantum computing have brought immense opportunities for scientific discovery and technological progress; however, they pose a major risk to today's security since advanced quantum computers are believed to break all traditional public-key cryptographic algorithms. This has led to active research on PQC algorithms that are believed to be secure against classical and powerful quantum computers. However, algorithmic security is unfortunately insufficient, and many cryptographic algorithms are vulnerable to side-channel attacks (SCA), where an attacker passively or actively gets side-channel data to compromise security properties that are assumed to be safe theoretically. In this survey, we explore such imminent threats and their countermeasures with respect to PQC. We provide the respective, latest advancements in PQC research, as well as assessments of and visions on the different types of SCAs.
Faster Constant-Time Decoder for MDPC Codes and Applications to BIKE KEM
BIKE is a code-based key encapsulation mechanism (KEM) that was recently selected as an alternate candidate by NIST's standardization process on post-quantum cryptography. This KEM is based on the Niederreiter scheme instantiated with QC-MDPC codes, and it uses the BGF decoder for key decapsulation. We discovered important limitations of BGF that we describe in detail, and then we propose a new decoding algorithm for QC-MDPC codes called PickyFix. Our decoder uses two auxiliary iterations that are significantly different from previous approaches and we show how they can be implemented efficiently. We analyze our decoder with respect to both its error correction capacity and its performance in practice. When compared to BGF, our constant-time implementation of PickyFix achieves speedups of 1.18, 1.29, and 1.47 for the security levels 128, 192 and 256, respectively.
SIKE Channels
We present new side-channel attacks on SIKE, the isogeny-based candidate in the NIST PQC competition. Previous works had shown that SIKE is vulnerable to differential power analysis and pointed to coordinate randomization as an effective countermeasure. We show that coordinate randomization alone is not sufficient, as SIKE is vulnerable to a class of attacks similar to refined power analysis in elliptic curve cryptography, named zero-value attacks. We describe and confirm in the lab two such attacks leading to full key recovery, and analyze their countermeasures.
Extended Security of Lattice-Based Cryptography
Lattice-based cryptography is considered as a quantum-safe alternative for the replacement of currently deployed schemes based on RSA and discrete logarithm on prime fields or elliptic curves. It offers strong theoretical security guarantees, a large array of achievable primitives, and a competitive level of efficiency. Nowadays, in the context of the NIST post-quantum standardization process, future standards may ultimately be chosen and several new lattice-based schemes are high-profile candidates. The cryptographic research community has been encouraged to analyze lattice-based cryptosystems, with a particular focus on practical aspects. This thesis is rooted in this effort.

In addition to black-box cryptanalysis with classical computing resources, we investigate the extended security of these new lattice-based cryptosystems, employing a broad spectrum of attack models, e.g. quantum, misuse, timing or physical attacks. Accounting that these models have already been applied to a large variety of pre-quantum asymmetric and symmetric schemes before, we concentrate our efforts on leveraging and addressing the new features introduced by lattice structures. Our contribution is twofold: defensive, i.e. countermeasures for implementations of lattice-based schemes, and offensive, i.e. cryptanalysis.

On the defensive side, in view of the numerous recent timing and physical attacks, we wear our designer's hat and investigate algorithmic protections. We introduce some new algorithmic and mathematical tools to construct provable algorithmic countermeasures in order to systematically prevent all timing and physical attacks. We thus participate in the actual provable protection of the GLP, BLISS, qTesla and Falcon lattice-based signature schemes.

On the offensive side, we estimate the applicability and complexity of novel attacks leveraging the lack of perfect correctness introduced in certain lattice-based encryption schemes to improve their performance. We show that such a compromise may enable decryption failure attacks in a misuse or quantum model. We finally introduce an algorithmic cryptanalysis tool that assesses the security of the mathematical problem underlying lattice-based schemes when partial knowledge of the secret is available. The usefulness of this new framework is demonstrated with the improvement and automation of several known classical, decryption-failure, and side-channel attacks.

French abstract (translated): Lattice-based cryptography is a promising alternative to the asymmetric cryptography in use today, because of its presumed resistance to a universal quantum computer. This new family of asymmetric schemes has several assets, among them strong theoretical security guarantees, a wide choice of primitives and, for some of its representatives, performance comparable to current standards. A post-quantum standardization campaign organized by NIST is under way, and several lattice-based schemes are among the favorites. The scientific community has been encouraged to analyze them, since they may in the future be deployed in all of our systems. The goal of this thesis is to contribute to that effort. We study the security of these new cryptosystems not only in the sense of their resistance to "black-box" cryptanalysis using classical computing resources, but also under a broader spectrum of security models, such as quantum attacks, attacks assuming misuse, and side-channel attacks. These different kinds of attacks have already been widely formalized and studied in the past for pre-quantum asymmetric and symmetric schemes. In this dissertation, we analyze their application to the new structures induced by lattices.

Our work is divided into two complementary parts: countermeasures and attacks. The first part gathers our contributions to the ongoing effort to design new algorithmic protections in response to the many recent publications of side-channel attacks. The team work we took part in led to the introduction of new mathematical tools for building algorithmic countermeasures, backed by formal proofs, that systematically prevent physical and timing attacks. We thus took part in protecting several lattice-based signature schemes such as GLP, BLISS, qTesla and Falcon. In a second part devoted to cryptanalysis, we first study new attacks that exploit the fact that some public-key encryption or key-establishment schemes may fail with small probability. These failures are in fact weakly correlated with the secret. Our work exhibited so-called "decryption failure" attacks in misuse or quantum models. We also introduced an algorithmic cryptanalysis tool for estimating the security of the underlying mathematical problem when partial information on the secret is given. This tool proved useful for automating and improving several known attacks, such as decryption-failure attacks, classical attacks and side-channel attacks.