Machine-Learning Side-Channel Attacks on the GALACTICS Constant-Time Implementation of BLISS

Due to the advancing development of quantum computers, practical attacks on conventional public-key cryptography may become feasible in the next few decades. To address this risk, post-quantum schemes that are assumed to be secure against quantum attacks are being developed. Lattice-based algorithms are promising replacements for conventional schemes, with BLISS being one of the earliest post-quantum signature schemes in this family. However, required subroutines such as Gaussian sampling have been demonstrated to be a risk for the security of BLISS, since implementing Gaussian sampling that is both efficient and secure with respect to physical attacks is challenging. This paper presents three related power side-channel attacks on GALACTICS, the latest constant-time implementation of BLISS. All attacks are based on power side-channel leakages we identified in the Gaussian sampling and signing algorithms of GALACTICS. To run the attacks, a profiling phase on a device identical to the device under attack is required to train machine-learning classifiers. In the attack phase, the leakages of GALACTICS enable the trained classifiers to predict sensitive internal information with high accuracy. We demonstrate the practicality of the attacks by running GALACTICS on a Cortex-M4 and provide proof-of-concept data and implementations for all our attacks.
