23 research outputs found
Side-channel Assisted Existential Forgery Attack on Dilithium - A NIST PQC candidate
The recent lattice-based signature scheme Dilithium, submitted as part of the CRYSTALS (Cryptographic Suite for Algebraic Lattices) package, is one of a number of strong candidates submitted for the NIST standardisation process of post-quantum cryptography. The Dilithium signature scheme is based on the Fiat-Shamir paradigm and can be seen as a variant of the Bai-Galbraith scheme (BG) combined with several improvements from previous ancestor lattice-based schemes like GLP and BLISS signature schemes. One of the main features of Dilithium is the compressed public-key, which is a rounded version of the LWE instance. This implies that Dilithium is not breakable with the knowledge of only the secret or the error of the LWE instance, unlike its ancestor lattice-based signature schemes. In this paper, we investigate the security of Dilithium against a combination of side-channel and classical attacks. Side-channel attacks on schoolbook and optimised polynomial multiplication algorithms in the signing procedure are shown to extract the secret component of the LWE instance, which is just one among the multiple components of the secret-key of Dilithium. We then propose an alternative signing procedure, through which it is possible to forge signatures with only the extracted portion of the secret-key, without requiring the knowledge of all its elements. Thus showing that Dilithium too breaks on just knowing the secret portion of the LWE instance, similar to previous lattice-based schemes
Algorithmic Security is Insufficient: A Comprehensive Survey on Implementation Attacks Haunting Post-Quantum Security
This survey is on forward-looking, emerging security concerns in post-quantum
era, i.e., the implementation attacks for 2022 winners of NIST post-quantum
cryptography (PQC) competition and thus the visions, insights, and discussions
can be used as a step forward towards scrutinizing the new standards for
applications ranging from Metaverse, Web 3.0 to deeply-embedded systems. The
rapid advances in quantum computing have brought immense opportunities for
scientific discovery and technological progress; however, it poses a major risk
to today's security since advanced quantum computers are believed to break all
traditional public-key cryptographic algorithms. This has led to active
research on PQC algorithms that are believed to be secure against classical and
powerful quantum computers. However, algorithmic security is unfortunately
insufficient, and many cryptographic algorithms are vulnerable to side-channel
attacks (SCA), where an attacker passively or actively gets side-channel data
to compromise the security properties that are assumed to be safe
theoretically. In this survey, we explore such imminent threats and their
countermeasures with respect to PQC. We provide the respective, latest
advancements in PQC research, as well as assessments and providing visions on
the different types of SCAs
Single-Trace Side-Channel Attacks on CRYSTALS-Dilithium: Myth or Reality?
We present a side-channel attack on CRYSTALS-Dilithium, a post-quantum secure digital signature scheme, with two variants of post-processing. The side-channel attack exploits information leakage in the secret key unpacking procedure of the signing algorithm to recover the coefficients of the polynomials in the secret key vectors and by profiled deep learning-assisted power analysis. In the first variant, one half of the coefficients of and is recovered by power analysis and the rest is derived by solving a system of linear equations based on , where and are parts of the public key. This case assumes knowledge of the least significant bits of the vector , . The second variant waives this requirement. However, to succeed, it needs a larger portion of to be recovered by power analysis. The remainder of is obtained by lattice reduction. Once the full is recovered, all the other information necessary for generating valid signatures can be trivially derived from the public key. We evaluate both variants on an ARM Cortex-M4 implementation of Dilithium-2. The profiling stage (trace capture and neural network training) takes less than 10 hours. In the attack assuming that is known, the probability of successfully recovering the full vector from a single trace captured from a different from profiling device is non-negligible (9%). The success rate approaches 100% if multiple traces are available for the attack. Our results demonstrate the necessity of protecting the secret key of CRYSTALS-Dilithium from single-trace attacks and call for a reassessment of the role of compression of the public key vector in the security of CRYSTALS-Dilithium implementations
Retrofitting Post-Quantum Cryptography in Internet Protocols:A Case Study of DNSSEC
Quantum computing is threatening current cryptography, especially the asymmetric algorithms used in many Internet protocols. More secure algorithms, colloquially referred to as Post-Quantum Cryptography (PQC), are under active development. These new algorithms differ significantly from current ones. They can have larger signatures or keys, and often require more computational power. This means we cannot just replace existing algorithms by PQC alternatives, but need to evaluate if they meet the requirements of the Internet protocols that rely on them. In this paper we provide a case study, analyzing the impact of PQC on the Domain Name System (DNS) and its Security Extensions (DNSSEC). In its main role, DNS translates human-readable domain names to IP addresses and DNSSEC guarantees message integrity and authenticity. DNSSEC is particularly challenging to transition to PQC, since DNSSEC and its underlying transport protocols require small signatures and keys and efficient validation. We evaluate current candidate PQC signature algorithms in the third round of the NIST competition on their suitability for use in DNSSEC. We show that three algorithms, partially, meet DNSSEC’s requirements but also show where and how we would still need to adapt DNSSEC. Thus, our research lays the foundation for making DNSSEC, and protocols with similar constraints ready for PQC
Protecting Dilithium against Leakage: Revisited Sensitivity Analysis and Improved Implementations
CRYSTALS-Dilithium has been selected by the NIST as the new stan-
dard for post-quantum digital signatures. In this work, we revisit the side-channel
countermeasures of Dilithium in three directions. First, we improve its sensitivity
analysis by classifying intermediate computations according to their physical security
requirements. Second, we provide improved gadgets dedicated to Dilithium, taking
advantage of recent advances in masking conversion algorithms. Third, we combine
these contributions and report performance for side-channel protected Dilithium
implementations. Our benchmarking results additionally put forward that the ran-
domized version of Dilithium can lead to significantly more efficient implementations
(than its deterministic version) when side-channel attacks are a concern
From MLWE to RLWE: A Differential Fault Attack on Randomized & Deterministic Dilithium
The post-quantum digital signature scheme CRYSTALS-Dilithium has
been recently selected by the NIST for standardization. Implementing CRYSTALS-Dilithium, and other post-quantum cryptography schemes, on embedded devices raises a new set of challenges, including ones related to performance in terms of speed and memory requirements, but also related to side-channel and fault injection attacks security. In this work, we investigated the latter and describe a differential fault attack on the randomized and deterministic versions of CRYSTALS-Dilithium. Notably, the attack requires a few instructions skips and is able to reduce the MLWE problem that Dilithium is based on to a smaller RLWE problem which can be practically solved with lattice reduction techniques. Accordingly, we demonstrated key recoveries using hints extracted on the secret keys from the same faulted signatures using the LWE with side-information framework introduced by Dachman-Soled et al. at CRYPTO’20. As a final contribution, we proposed algorithmic countermeasures against this attack and in particular showed that the second one can be parameterized to only induce a negligible overhead over the signature generation
Profiling Side-Channel Attacks on Dilithium: A Small Bit-Fiddling Leak Breaks It All
We present an end-to-end (equivalent) key recovery attack on the Dilithium lattice-based signature scheme, one of the top contenders in the NIST postquantum cryptography competition. The attack is based on a small side-channel leakage we identified in a bit unpacking procedure inside Dilithium signature generation. We then combine machine-learning based profiling with various algorithmic techniques, including least squares regression and integer linear programming, in order to leverage this small leakage into essentially full key recovery: we manage to recover, from a moderate number of side-channel traces, enough information to sign arbitrary messages. We confirm the practicality of our technique using concrete experiments against the ARM Cortext-M4 implementation of Dilithium, and verify that our attack is robust to real-world conditions such as noisy power measurements.
This attack appears difficult to protect against reliably without strong side-channel countermeasures such as masking of the entire signing algorithm, and underscores the necessity of implementing such countermeasures despite their known high cost
Fault Attacks Sensitivity of Public Parameters in the Dilithium Verification
This paper presents a comprehensive analysis of the verification
algorithm of the CRYSTALS-Dilithium, focusing on a C reference
implementation. Limited research has been conducted on its susceptibility
to fault attacks, despite its critical role in ensuring the scheme’s security.
To fill this gap, we investigate three distinct fault models - randomizing
faults, zeroizing faults, and skipping faults - to identify vulnerabilities
within the verification process. Based on our analysis, we propose a
methodology for forging CRYSTALS-Dilithium signatures without knowledge
of the secret key. Instead, we leverage specific types of faults during
the verification phase and some properties about public parameters to
make these signatures accepted. Additionally, we compared different attack
scenarios after identifying sensitive operations within the verification
algorithm. The most effective requires potentially fewer fault injections
than targeting the verification check itself. Finally, we introduce a set of
countermeasures designed to thwart all the identified scenarios rendering
the verification algorithm intrinsically resistant to the presented attacks
Single-Trace Side-Channel Attacks on ω-Small Polynomial Sampling: With Applications to NTRU, NTRU Prime, and CRYSTALS-DILITHIUM
This paper proposes a new single-trace side-channel attack on lattice-based post-quantum protocols. We target the ω-small polynomial sampling of NTRU, NTRU Prime, and CRYSTALS-DILITHIUM algorithm implementations (which are NIST Round-3 finalists and alternative candidates), and we demonstrate the vulnerabilities of their sub-routines to a power-based side-channel attack. Specifically, we reveal that the sorting implementation in NTRU/NTRU Prime and the shuffling in CRYSTALS-DILITHIUM\u27s ω-small polynomial sampling process leaks information about the ‘-1’, \u270’, or ’+1\u27 assignments made to the coefficients. We further demonstrate that these assignments can be found within a single power measurement and that revealing them allows secret and session key recovery for NTRU/NTRU Prime, while reducing the challenge polynomial\u27s entropy for CRYSTALS-DILITHIUM. We execute our proposed attacks on an ARM Cortex-M4 microcontroller running the reference software submissions from NIST Round-3 software packages. The results show that our attacks can extract coefficients with a success rate of 99.78% for NTRU and NTRU Prime, reducing the search space to 2^41 or below. For CRYSTALS-DILITHIUM, our attack recovers the coefficients’ signs with over 99.99% success, reducing rejected challenge polynomials’ entropy between 39 to 60 bits. Our work informs the proposers about the single-trace vulnerabilities of their software and urges them to develop single-trace resilient software for low-cost microcontrollers
Breaking and Protecting the Crystal: Side-Channel Analysis of Dilithium in Hardware
The lattice-based CRYSTALS-Dilithium signature scheme has been selected for standardization by the NIST. As part of the selection process, a large number of implementations for platforms like x86, ARM Cortex-M4, or – on the hardware side – Xilinx Artix-7 have been presented and discussed by experts. While software implementations have been subject to side-channel analysis with several attacks being published, an analysis of Dilithium hardware implementations and their peculiarities has not taken place. With this work, we aim to fill this gap, presenting an analysis of vulnerable operations and practically showing a successful profiled Simple Power Analysis (SPA) and a Correlation Power Analysis (CPA) on a recent hardware implementation by Beckwith et al. Our SPA attack requires 700 000 profiling traces and targets the first Number-Theoretic Transform (NTT) stage. After finishing profiling, we can identify pairs of coefficients with 1 101 traces. The full CPA attack finds secret coefficients with as low as 66 000 traces. In response, we present specific countermeasures and show that they effectively prevent both attacks