Attacking and Defending Masked Polynomial Comparison for Lattice-Based Cryptography

In this work, we are concerned with the hardening of post-quantum key encapsulation mechanisms (KEM) against side-channel attacks, with a focus on the comparison operation required for the Fujisaki-Okamoto (FO) transform. We identify critical vulnerabilities in two proposals for masked comparison and successfully attack the masked comparison algorithms from TCHES 2018 and TCHES 2020. To do so, we use first-order side-channel attacks and show that the advertised security properties do not hold. Additionally, we break the higher-order secured masked comparison from TCHES 2020 using a collision attack, which does not require side-channel information. To enable implementers to spot such flaws in the implementation or underlying algorithms, we propose a framework that is designed to test the re-encryption step of the FO transform for information leakage. Our framework relies on a specifically parametrized t-test and would have identified the previously mentioned flaws in the masked comparison. Our framework can be used to test both the comparison itself and the full decapsulation implementation.
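The abstract describes a leakage-detection framework built on a fixed-versus-random t-test applied to the re-encryption comparison; the exact parametrization used by the paper is not given on this page. The following added example (not the paper's framework or code) shows the underlying idea on simulated traces: a Welch t-test per sample over two classes of ciphertext inputs, with a Hamming-weight leakage model for an unmasked and a first-order Boolean-masked comparison. The leakage model, the class definition (fixed class = valid ciphertext, random class = random ciphertext), the trace counts and the 4.5 threshold are assumptions chosen for illustration.

```python
import math
import random
import statistics
from typing import Callable, List, Sequence

# Conventional pass/fail threshold for |t| in TVLA-style leakage tests (assumption).
THRESHOLD = 4.5


def hamming_weight(x: int) -> int:
    """Hamming weight of one byte (the assumed leakage model for one sample)."""
    return bin(x & 0xFF).count("1")


def leak_unmasked(expected: Sequence[int], received: Sequence[int],
                  rng: random.Random) -> List[float]:
    """Simulated trace of an unmasked comparison: each sample leaks HW(c'_i XOR c_i)
    plus Gaussian noise. The XOR difference is a direct function of the inputs."""
    return [hamming_weight(a ^ b) + rng.gauss(0, 0.5) for a, b in zip(expected, received)]


def leak_masked(expected: Sequence[int], received: Sequence[int],
                rng: random.Random) -> List[float]:
    """Simulated trace of a first-order Boolean-masked comparison: the difference is
    split into two shares (r, diff XOR r) with a fresh random r, and each share leaks
    separately. Every single sample is then uniformly distributed regardless of input."""
    trace: List[float] = []
    for a, b in zip(expected, received):
        r = rng.randrange(256)
        share0 = r
        share1 = (a ^ b) ^ r
        trace.append(hamming_weight(share0) + rng.gauss(0, 0.5))
        trace.append(hamming_weight(share1) + rng.gauss(0, 0.5))
    return trace


def welch_t(a: Sequence[float], b: Sequence[float]) -> float:
    """Welch's t-statistic for two samples with unequal variances."""
    ma, mb = statistics.fmean(a), statistics.fmean(b)
    va, vb = statistics.variance(a), statistics.variance(b)
    denom = math.sqrt(va / len(a) + vb / len(b))
    return (ma - mb) / denom if denom else 0.0


def tvla(leak_fn: Callable[[Sequence[int], Sequence[int], random.Random], List[float]],
         n_traces: int, n_coeffs: int, seed: int) -> List[float]:
    """Fixed-vs-random t-test over simulated traces of one comparison implementation.

    expected  : the re-encrypted ciphertext c' (kept fixed for the whole test).
    fixed class  : the received ciphertext equals c' (comparison succeeds).
    random class : the received ciphertext is random (comparison fails).
    Returns one t-value per trace sample.
    """
    rng = random.Random(seed)
    expected = [rng.randrange(256) for _ in range(n_coeffs)]
    fixed_traces: List[List[float]] = []
    random_traces: List[List[float]] = []
    for _ in range(n_traces):
        # Interleave the classes randomly, as a real measurement campaign would.
        if rng.random() < 0.5:
            fixed_traces.append(leak_fn(expected, list(expected), rng))
        else:
            random_input = [rng.randrange(256) for _ in range(n_coeffs)]
            random_traces.append(leak_fn(expected, random_input, rng))
    n_samples = len(fixed_traces[0])
    return [welch_t([tr[s] for tr in fixed_traces], [tr[s] for tr in random_traces])
            for s in range(n_samples)]


def leaking_samples(t_values: Sequence[float], threshold: float = THRESHOLD) -> List[int]:
    """Indices of samples whose |t| exceeds the threshold, i.e. detected first-order leakage."""
    return [i for i, t in enumerate(t_values) if abs(t) > threshold]


if __name__ == "__main__":
    for name, fn in (("unmasked", leak_unmasked), ("first-order masked", leak_masked)):
        t_values = tvla(fn, n_traces=1000, n_coeffs=16, seed=1)
        flagged = leaking_samples(t_values)
        print(f"{name:20s}: max |t| = {max(abs(t) for t in t_values):6.2f}, "
              f"{len(flagged)} of {len(t_values)} samples flagged")
```

With these parameters the unmasked comparison is flagged at every sample (the fixed class always leaks HW(0) while the random class leaks the weight of a random byte), whereas the first-order masked version stays below the threshold at every sample. A first-order t-test of this kind cannot see the second-order dependence between the two shares; detecting that requires combining samples (e.g. a centred product) before testing, which is the reason higher-order masked comparisons need correspondingly higher-order tests.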
