ABSTRACT
While error correcting codes (ECC) have the potential to significantly reduce the failure probability of post-quantum schemes, they add an extra ECC decoding step to the algorithm. Even though this additional step does not compute directly on the secret key, it is susceptible to side-channel attacks. We show that if no precaution is taken, it is possible to use timing information to distinguish between ciphertexts that contain an error before decoding and ciphertexts that do not, because the execution time of the ECC decoding algorithm varies with the presence of errors. We demonstrate that this information can be used to break the IND-CCA security of post-quantum secure schemes by presenting an attack on two round 1 candidates of the NIST Post-Quantum Standardization Process: the Ring-LWE scheme LAC and the Mersenne prime scheme Ramstake. This attack recovers the full secret key using a limited number of timed decryption queries and is implemented against the reference and the optimized implementations of both submissions. It retrieves LAC's secret key for all security levels in under 2 minutes using fewer than $2^{16}$ decryption queries, and Ramstake's secret key in under 2 minutes using approximately $2400$ decryption queries. The attack generalizes to other lattice-based schemes with ECC in which any side-channel information about the presence of errors is leaked during decoding.
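The mechanism the abstract describes, as an added example that is not code from the paper or from the LAC/Ramstake implementations: a Hamming(7,4) syndrome decoder stands in for the scheme's BCH decoder, and decoding effort is modelled as a deterministic iteration count instead of wall-clock time. The early-exit variant finishes immediately on an error-free word, which is exactly the error-presence signal an attacker times; the constant-time variant always walks every position with a branchless mask, as a constant-time BCH decoder would.

```python
# Added illustration (not the paper's or any submission's code): a toy ECC decoder
# whose work depends on whether the input carries an error, next to a variant
# that does not. Hamming(7,4) is used as a small stand-in for LAC's BCH code.

# Parity-check column for codeword bit i is the 3-bit value i+1 (constructed,
# standard Hamming(7,4) layout: parity bits at indices 0, 1, 3).
H = [1, 2, 3, 4, 5, 6, 7]

def encode(data):
    """Encode 4 data bits into a 7-bit Hamming codeword."""
    c = [0] * 7
    c[2], c[4], c[5], c[6] = data
    c[0] = c[2] ^ c[4] ^ c[6]   # covers positions 1,3,5,7
    c[1] = c[2] ^ c[5] ^ c[6]   # covers positions 2,3,6,7
    c[3] = c[4] ^ c[5] ^ c[6]   # covers positions 4,5,6,7
    return c

def syndrome(bits):
    s = 0
    for i, b in enumerate(bits):
        if b:
            s ^= H[i]
    return s   # 0 means "no error", otherwise the 1-based index of the flipped bit

def decode_variable_time(bits):
    """Early-exit decoder: returns (corrected, work). 'work' leaks error presence."""
    bits = list(bits)
    s = syndrome(bits)
    work = 0
    if s == 0:                  # error-free word: decoder returns at once
        return bits, work
    for i in range(len(bits)):  # search for the flipped position, stop when found
        work += 1
        if H[i] == s:
            bits[i] ^= 1
            break
    return bits, work

def decode_constant_time(bits):
    """Always walks every position; the flip is selected by a mask, not a branch."""
    bits = list(bits)
    s = syndrome(bits)
    work = 0
    for i in range(len(bits)):
        work += 1
        # match == 1 iff H[i] == s, computed without a data-dependent branch:
        # (x - 1) is negative only for x == 0, so its sign bit selects the flip.
        match = (((H[i] ^ s) - 1) >> 8) & 1
        bits[i] ^= match
    return bits, work
```

With this model, an erroneous word costs the early-exit decoder up to 7 iterations against 0 for a clean one, while the constant-time decoder costs 7 either way and still corrects the error.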