Single-Trace Attacks on Message Encoding in Lattice-Based KEMs

In this article, we propose single-trace side-channel attacks against lattice-based key encapsulation mechanisms (KEMs) that are third-round candidates in the National Institute of Standards and Technology (NIST) standardization project. Specifically, we analyze the message encoding operation in the encapsulation phase of lattice-based KEMs to recover an ephemeral session key. We conclude that a single-trace leakage implies full key recovery: the experimental results obtained on a ChipWhisperer UFO STM32F3 target board achieve a success rate of 100% for CRYSTALS-KYBER and SABER regardless of the optimization level, and greater than 79% for FrodoKEM. We further demonstrate that the proposed attack methodologies are not restricted to the above algorithms but are widely applicable to other NIST post-quantum cryptography (PQC) candidates, including NTRU Prime and NTRU.
