Assessing the Feasibility of Single Trace Power Analysis of Frodo

Bos, Joppe W.; Friedberger, Simon; Martinoli, Marco; Oswald, Elisabeth; Stam, Martijn

doi:10.1007/978-3-030-10970-7_10

Cited by 16 publications

(25 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The ongoing standardization process and anticipated deployment of lattice-based cryptography raises an important question: How resilient are lattices to side-channel attacks or other forms of side information? While there are numerous works addressing this question for specific cryptosystems (See [2,9,17,18,32,33] for side channel attacks targeting lattice-based NIST candidates), these works use rather ad-hoc methods to reconstruct the secret key, requiring new techniques and algorithms to be developed for each setting. For example, the work of [9] uses brute-force methods for a portion of the attack, while [7] exploits linear regression techniques.…”

Section: Introductionmentioning

confidence: 99%

“…While there are numerous works addressing this question for specific cryptosystems (See [2,9,17,18,32,33] for side channel attacks targeting lattice-based NIST candidates), these works use rather ad-hoc methods to reconstruct the secret key, requiring new techniques and algorithms to be developed for each setting. For example, the work of [9] uses brute-force methods for a portion of the attack, while [7] exploits linear regression techniques. Moreover, ad-hoc methods do not allow (1) to take advantage of decades worth of research and (2) optimization of standard lattice attacks.…”

Section: Introductionmentioning

confidence: 99%

“…Our main example (Sect. 6.1) revisits the side channel information obtained from the first side-channel attack of [9] against Frodo. In that article, it was concluded that a divide-and-conquer side-channel template attack would not lead to a meaningful attack using standard combinatorial search for reconstruction of the secret.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

LWE with Side Information: Attacks and Concrete Security Estimation

Dachman-Soled

Ducas

Gong

et al. 2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

We propose a framework for cryptanalysis of lattice-based schemes, when side information-in the form of "hints"-about the secret and/or error is available. Our framework generalizes the so-called primal lattice reduction attack, and allows the progressive integration of hints before running a final lattice reduction step. Our techniques for integrating hints include sparsifying the lattice, projecting onto and intersecting with hyperplanes, and/or altering the distribution of the secret vector. Our main contribution is to propose a toolbox and a methodology to integrate such hints into lattice reduction attacks and to predict the performance of those lattice attacks with side information. While initially designed for side-channel information, our framework can also be used in other cases: exploiting decryption failures, or simply exploiting constraints imposed by certain schemes (LAC, Round5, NTRU). We implement a Sage 9.0 toolkit to actually mount such attacks with hints when computationally feasible, and to predict their performances on larger instances. We provide several end-to-end application examples, such as an improvement of a single trace attack on Frodo by Bos et al. (SAC 2018). In particular, our work can estimates security loss even given very little side information, leading to a smooth measurement/computation trade-off for side-channel attacks.

show abstract

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

LWE with Side Information: Attacks and Concrete Security Estimation

Dachman-Soled

Ducas

Gong

et al. 2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Aysu et al [5] mounted horizontal DPA attacks on the hardware implementations of NewHope and FrodoKEM, extracting secret keys with a success rate of over 99% using a single trace. Bos et al [11] extended this attack considering ring-less LWE-based constructions by utilizing a single-trace template attack and reported the experimental results for a Frodo key-exchange protocol, which was later updated to FrodoKEM. More DPA attacks targeting the multiplications of the decryption phase in lattice-based PKE can be found in [37], [44], [45].…”

Section: A Related Workmentioning

confidence: 99%

“…While attacking the encapsulation phase of KEM, it is only possible to use a single trace, as it encrypts a random secret message every time. Several research works were aimed at recovering random secret messages using a single trace [2], [5], [11]; however, the studies based on vulnerabilities of the message encoding operation in the encapsulation phase presented limitedly [2].…”

Section: A Related Workmentioning

confidence: 99%

Single-Trace Attacks on Message Encoding in Lattice-Based KEMs

et al. 2020

View full text Add to dashboard Cite

In this paper, we propose single-trace side-channel attacks against lattice-based key encapsulation mechanisms (KEMs) that are the third-round candidates of the national institute of standards and technology (NIST) standardization project. Specifically, we analyze the message encoding operation in the encapsulation phase of lattice-based KEMs to obtain an ephemeral session key. We conclude that a singletrace leakage implies a whole key recovery: the experimental results realized on a ChipWhisperer UFO STM32F3 target board achieve a success rate of 100% for CRYSTALS-KYBER and SABER regardless of an optimization level and those greater than 79% for FrodoKEM. We further demonstrate that the proposed attack methodologies are not restricted to the above algorithms but are widely applicable to other NIST post-quantum cryptography (PQC) candidates, including NTRU Prime and NTRU. INDEX TERMS Key encapsulation mechanism, lattice-based cryptography, message encoding, sidechannel attack, single-trace attack.

show abstract

More Practical Single-Trace Attacks on the Number Theoretic Transform

Pessl

Primas

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Assessing the Feasibility of Single Trace Power Analysis of Frodo

Cited by 16 publications

References 16 publications

LWE with Side Information: Attacks and Concrete Security Estimation

LWE with Side Information: Attacks and Concrete Security Estimation

Single-Trace Attacks on Message Encoding in Lattice-Based KEMs

More Practical Single-Trace Attacks on the Number Theoretic Transform

Contact Info

Product

Resources

About