Single-Trace Attacks on Keccak

Side-channel attacks can break mathematically secure cryptographic systems leading to a major concern in applied cryptography. While the cryptanalysis and security evaluation of Post-Quantum Cryptography (PQC) have already received an increasing research effort, a cost analysis of efficient side-channel countermeasures is still lacking. In this work, we propose a masked HW/SW codesign of the NIST PQC finalists Kyber and Saber, suitable for their different characteristics. Among others, we present a novel masked ciphertext compression algorithm for non-power-of-two moduli. To accelerate linear performance bottlenecks, we developed a generic Number Theoretic Transform (NTT) multiplier, which, in contrast to previously published accelerators, is also efficient and suitable for schemes not based on NTT. For the critical non-linear operations, masked HW accelerators were developed, allowing a secure execution using RISC-V instruction set extensions. With the proposed design, we achieved a cycle count of K:214k/E:298k/D:313k for Kyber and K:233k/E:312k/D:351k for Saber with NIST Level III parameter sets. For the same parameter sets, the masking overhead for the first-order secure decapsulation operation including randomness generation is a factor of 4.48 for Kyber (D:1403k)and 2.60 for Saber (D:915k).

Section: Horizontal Attacks On Masked Implementationsmentioning

confidence: 99%

Masked Accelerators and Instruction Set Extensions for Post-Quantum Cryptography

Fritzmann

Beirendonck

Roy

et al. 2021

“…When adapting the factor graph to the situation where two NTT coefficients are stored within the same word, one could make use of a strategy that is already used in the single-trace attack on 32-bit implementations on Keccak in [KPP20]. There, the authors use a clustering approach to represent one 32-bit word as two halfwords in the factor graph, not because the algorithmic description of Keccak requires it, but because BP runs into serious runtime issues when performing message passing for 32-bit variable nodes.…”

Section: Application To Other Implementationsmentioning

confidence: 99%

Chosen Ciphertext k-Trace Attacks on Masked CCA2 Secure Kyber

Hamburg

Hermelink

Primas

et al. 2021

Self Cite

Single-trace attacks are a considerable threat to implementations of classic public-key schemes, and their implications on newer lattice-based schemes are still not well understood. Two recent works have presented successful single-trace attacks targeting the Number Theoretic Transform (NTT), which is at the heart of many lattice-based schemes. However, these attacks either require a quite powerful side-channel adversary or are restricted to specific scenarios such as the encryption of ephemeral secrets. It is still an open question if such attacks can be performed by simpler adversaries while targeting more common public-key scenarios. In this paper, we answer this question positively. First, we present a method for crafting ring/module-LWE ciphertexts that result in sparse polynomials at the input of inverse NTT computations, independent of the used private key. We then demonstrate how this sparseness can be incorporated into a side-channel attack, thereby significantly improving noise resistance of the attack compared to previous works. The effectiveness of our attack is shown on the use-case of CCA2 secure Kyber k-module-LWE, where k ∈ {2, 3, 4}. Our k-trace attack on the long-term secret can handle noise up to a σ ≤ 1.2 in the noisy Hamming weight leakage model, also for masked implementations. A 2k-trace variant for Kyber1024 even allows noise σ ≤ 2.2 also in the masked case, with more traces allowing us to recover keys up to σ ≤ 2.7. Single-trace attack variants have a noise tolerance depending on the Kyber parameter set, ranging from σ ≤ 0.5 to σ ≤ 0.7. As a comparison, similar previous attacks in the masked setting were only successful with σ ≤ 0.5.

“…As shown in Sections 5.4 and 6 this optimization gives significant performance gains, so we see this as a reasonable trade-off. Recent work by Kannwischer et al [KPP20] describes single-trace attacks on the unprotected XKCP Keccak implementation. These attacks use a single trace recorded during the computation of y = SHAKE(sk||x) and aim to recover all of a secret key sk, or part of y.…”

Section: Implementation Security Optionsmentioning

confidence: 99%

“…These attacks use a single trace recorded during the computation of y = SHAKE(sk||x) and aim to recover all of a secret key sk, or part of y. While single-trace attacks could threaten some of the unprotected hash calls in our optimized implementation (e.g., when deriving the per-party or per-MPC instance seeds), the results of [KPP20] do not extend to the M4, and the length constraints on sk, x, and y in our application. Future work may improve single-trace attacks, and in that case the conclusion of [KPP20] is that lightweight countermeasures will provide effective mitigation.…”

Section: Implementation Security Optionsmentioning

confidence: 99%

Side-Channel Protections for Picnic Signatures

Aranha

Berndt

Eisenbarth

et al. 2021

We study masking countermeasures for side-channel attacks against signature schemes constructed from the MPC-in-the-head paradigm, specifically when the MPC protocol uses preprocessing. This class of signature schemes includes Picnic, an alternate candidate in the third round of the NIST post-quantum standardization project. The only previously known approach to masking MPC-in-the-head signatures suffers from interoperability issues and increased signature sizes. Further, we present a new attack to demonstrate that known countermeasures are not sufficient when the MPC protocol uses a preprocessing phase, as in Picnic3.We overcome these challenges by showing how to mask the underlying zero-knowledge proof system due to Katz–Kolesnikov–Wang (CCS 2018) for any masking order, and by formally proving that our approach meets the standard security notions of non-interference for masking countermeasures. As a case study, we apply our masking technique to Picnic. We then implement different masked versions of Picnic signing providing first order protection for the ARM Cortex M4 platform, and quantify the overhead of these different masking approaches. We carefully analyze the side-channel risk of hashing operations, and give optimizations that reduce the CPU cost of protecting hashing in Picnic by a factor of five. The performance penalties of the masking countermeasures ranged from 1.8 to 5.5, depending on the degree of masking applied to hash function invocations.