Differential Power Analysis of the Picnic Signature Scheme

This work introduces the first differential side-channel analysis of the Picnic Signature Scheme, an alternate candidate in the ongoing competition for post-quantum cryptography by the National Institute of Standards and Technology (NIST). We present a successful side-channel analysis of the underlying multiparty implementation of the LowMC block cipher (MPC-LowMC) and show how side-channel information can be used to recover the entire secret key by exploiting two different parts of the algorithm. LowMC key recovery then allows to forge signatures for the calling Picnic post-quantum signature scheme. We target the NIST reference implementation executed on a FRDM-K66F development board. Key recovery succeeds with fewer than 1000 LowMC traces, which can be obtained from fewer than 30 observed Picnic signatures

Envisioning the Future of Cyber Security in Post-Quantum Era: A Survey on PQ Standardization, Applications, Challenges and Opportunities

The rise of quantum computers exposes vulnerabilities in current public key cryptographic protocols, necessitating the development of secure post-quantum (PQ) schemes. Hence, we conduct a comprehensive study on various PQ approaches, covering the constructional design, structural vulnerabilities, and offer security assessments, implementation evaluations, and a particular focus on side-channel attacks. We analyze global standardization processes, evaluate their metrics in relation to real-world applications, and primarily focus on standardized PQ schemes, selected additional signature competition candidates, and PQ-secure cutting-edge schemes beyond standardization. Finally, we present visions and potential future directions for a seamless transition to the PQ era

Side-Channel Analysis on Post-Quantum Cryptography Algorithms

The advancements of quantum computers brings us closer to the threat of our current asymmetric cryptography algorithms being broken by Shor\u27s Algorithm. NIST proposed a standardization effort in creating a new class of asymmetric cryptography named Post-Quantum Cryptography (PQC). These new algorithms will be resistant against both classical computers and sufficiently powerful quantum computers. Although the new algorithms seem mathematically secure, they can possibly be broken by a class of attacks known as side-channels attacks (SCA). Side-channel attacks involve exploiting the hardware that the algorithm runs on to figure out secret values that could break the security of the system. The third round of the PQC standardization put some emphasis on the algorithm\u27s ability to mitigate side-channel attacks. In this work, two candidate KEM algorithms Kyber and Saber are analyzed through a multi-platform setup. Both unprotected and protected implementations on Cortex-M4 microcontrollers through masking are analyzed using the test vector leakage assessment with an oscilloscope and a ChipWhisperer too

The PRIMA fringe sensor unit

The Fringe Sensor Unit (FSU) is the central element of the Phase Referenced Imaging and Micro-arcsecond Astrometry (PRIMA) dual-feed facility and provides fringe sensing for all observation modes, comprising off-axis fringe tracking, phase referenced imaging, and high-accuracy narrow-angle astrometry. It is installed at the Very Large Telescope Interferometer (VLTI) and successfully servoed the fringe tracking loop during the initial commissioning phase. Unique among interferometric beam combiners, the FSU uses spatial phase modulation in bulk optics to retrieve real-time estimates of fringe phase after spatial filtering. A R=20 spectrometer across the K-band makes the retrieval of the group delay signal possible. The FSU was integrated and aligned at the VLTI in summer 2008. It yields phase and group delay measurements at sampling rates up to 2 kHz, which are used to drive the fringe tracking control loop. During the first commissioning runs, the FSU was used to track the fringes of stars with K-band magnitudes as faint as m_K=9.0, using two VLTI Auxiliary Telescopes (AT) and baselines of up to 96 m. Fringe tracking using two Very Large Telescope (VLT) Unit Telescopes (UT) was demonstrated. During initial commissioning and combining stellar light with two ATs, the FSU showed its ability to improve the VLTI sensitivity in K-band by more than one magnitude towards fainter objects, which is of fundamental importance to achieve the scientific objectives of PRIMA.Comment: 19 pages, 23 figures. minor changes and language editing. this version equals the published articl

SNI-in-the-head: Protecting MPC-in-the-head Protocols against Side-channel Analysis

MPC-in-the-head based protocols have recently gained much popularity and are at the brink of seeing widespread usage. With such widespread use come the spectres of implementation issues and implementation attacks such as side-channel attacks. We show that implementations of protocols implementing the MPC-in-the-head paradigm are vulnerable to side-channel attacks. As a case study, we choose the ZKBoo-protocol of Giacomelli, Madsen, and Orlandi (USENIX 2016) and show that even a single leaked value is sufficient to break the security of the protocol. To show that this attack is not just a theoretical vulnerability, we apply differential power analysis to show the vulnerabilities via a simulation. In order to remedy this situation, we extend and generalize the ZKBooprotocol by making use of the notion of strong non-interference of Barthe et al. (CCS 2016). To apply this notion to ZKBoo, we construct novel versions of strongly non-interfering gadgets that balance the randomness across the different branches evenly. Finally, we show that each circuit can be decomposed into branches using only these balanced strongly noninterfering gadgets. This allows us to construct a version of ZKBoo, called (n + 1)-ZKBoo which is secure against side-channel attacks with limited overhead in both signature-size and running time. Furthermore, (n + 1)-ZKBoo is scalable to the desired security against adversarial probes. We experimentally confirm that the attacks successful against ZKBoo no longer work on (n + 1)-ZKBoo. Moreover, we present an extensive performance analysis and quantify the overhead of our scheme using a practical implementation

AIM: Symmetric Primitive for Shorter Signatures with Stronger Security (Full Version)

Post-quantum signature schemes based on the MPC-in-the-Head (MPCitH) paradigm are recently attracting significant attention as their security solely depends on the one-wayness of the underlying primitive, providing diversity for the hardness assumption in post-quantum cryptography. Recent MPCitH-friendly ciphers have been designed using simple algebraic S-boxes operating on a large field in order to improve the performance of the resulting signature schemes. Due to their simple algebraic structures, their security against algebraic attacks should be comprehensively studied. In this paper, we refine algebraic cryptanalysis of power mapping based S-boxes over binary extension fields, and cryptographic primitives based on such S-boxes. In particular, for the Gröbner basis attack over $\mathbb{F}_2$, we experimentally show that the exact number of Boolean quadratic equations obtained from the underlying S-boxes is critical to correctly estimate the theoretic complexity based on the degree of regularity. Similarly, it turns out that the XL attack might be faster when all possible quadratic equations are found and used from the S-boxes. This refined cryptanalysis leads to more precise algebraic analysis of cryptographic primitives based on algebraic S-boxes. Considering the refined algebraic cryptanalysis, we propose a new one-way function, dubbed $\mathsf{AIM}$, as an MPCitH-friendly symmetric primitive with high resistance to algebraic attacks. The security of $\mathsf{AIM}$ is comprehensively analyzed with respect to algebraic, statistical, quantum, and generic attacks. $\mathsf{AIM}$ is combined with the BN++ proof system, yielding a new signature scheme, dubbed $\mathsf{AIMer}$. Our implementation shows that $\mathsf{AIMer}$ outperforms existing signature schemes based on symmetric primitives in terms of signature size and signing time

Shorter Signatures Based on Tailor-Made Minimalist Symmetric-Key Crypto

Signature schemes based on the MPC-in-the-head approach (MPCitH) have either been designed by taking a proof system and selecting a suitable symmetric-key primitive (Picnic, CCS16), or starting with an existing primitive such as AES and trying to find the most suitable proof system (BBQ, SAC19 or Banquet, PKC21). In this work we do both: we improve certain symmetric-key primitives to better fit existing signature schemes, and we also propose a new signature scheme that combines a new, minimalist one-way function with changes to a proof system to make their combination even more efficient. Our concrete results are as follows. First, we show how to provably remove the need to include the key schedule of block ciphers. This simplifies schemes like Picnic and it also leads to the fastest and smallest AES-based signatures, where we achieve signature sizes of around 10.8 to 14.2 KB using AES-128, on average 10% shorter than Banquet and 15% faster. Second, we investigate a variant of AES with larger S-boxes we call LSAES, for which we argue that it is likely to be at least as strong as AES, further reducing the size of AES-based signatures to 9.9 KB. Finally, we present a new signature scheme, Rainier, combining a new one-way function called Rain with a Banquet-like proof system. To the best of our knowledge, it is the first MPCitH-based signature scheme which can produce signatures that are less than 5 KB in size; it also outperforms previous Picnic and Banquet instances in all performance metrics

BBQ: Using AES in Picnic Signatures

This works studies the use of the AES block-cipher for Picnic-style signatures, which work in the multiparty-computation-in-the-head model. It applies advancements to arithmetic circuits for the computation of the AES S-box over multiparty computation in the preprocessing model to obtain an improvement of signature sizes of 40\% on average compared to using binary circuits for AES-128, AES-192 and AES-256 in combination with previous techniques. This work also discusses other methods for the computation of the S-box and provides insights into the reaches and limits of the multiparty-computation-in-the-head paradigm