Abstract
Post-Quantum Cryptography (PQC) is currently receiving significant interest, as the construction of a practical quantum computer capable of executing Shor's algorithm is expected in the near to medium term. Lattice-based PQC algorithms are among the most promising candidates discussed today, due to their performance and versatility. In this paper, we demonstrate fault sensitivity analysis (FSA) of circuit blocks used in lattice-based cryptographic implementations and of a representative complete post-quantum algorithm. FSA correlates the sensitivity of the algorithm's circuit implementation to faults (for example, the clock period at which a faulty result first appears) with the processed data and recovers parts of the secret key in use. In contrast to other types of fault attacks, FSA makes limited assumptions about the precision of the fault injection and is therefore accessible even to poorly equipped adversaries. We investigate traditional FSA based on simple leakage models as well as its more advanced variants using templates with different construction procedures and aggregation functions, and we systematically explore the conditions under which the analysis succeeds. To the best of our knowledge, this is the most complex cryptographic implementation broken by FSA so far, and the first such PQC implementation.
Notes
1. Although LOTUS was recently not selected for the second round of the NIST standardization process, we chose it as the example of a complete algorithm because it uses (with different parameters) all the basic blocks (vector/matrix operations, a threshold decoding function, hash functions and the Fujisaki-Okamoto transform) that underlie several lattice-based schemes; it is therefore representative of several submissions still in the competition.
2. We also tried the Zero-model and a model in which the sensitivity depends on the magnitude of the key, but neither gave successful results.
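The mechanism the abstract describes (correlate fault sensitivity with a prediction derived from the processed data, rank key hypotheses) written out as an added simulation. This is not the paper's code and uses none of its measurements: the target, a multiplier computing v = a·s mod Q as found in LWE-style vector/matrix products, the modulus Q, the secret coefficient, the Hamming-weight delay model and the noise level are all assumptions chosen for illustration. The "device" returns only the clock period at which its output first becomes faulty, which is all an FSA adversary needs to observe.

```python
"""Simulated fault sensitivity analysis (FSA) of a modular multiplier.

Added illustrative example; not the paper's code, no data from the paper.
Everything below is constructed in-script so it runs offline.

Target (hypothetical): a circuit block computing v = a * s mod Q, the
coefficient-wise operation inside LWE-style vector/matrix products.  The
attacker controls the public operand a, the secret s stays fixed, and for
each a the attacker records the "fault sensitivity": the clock period at
which the block first yields a wrong result.  The faulty value itself is
never needed, which is why FSA tolerates imprecise fault injection.

Leakage model (assumption): the critical-path delay, and thus the
sensitivity, grows with the Hamming weight of the intermediate v, plus
Gaussian measurement noise.  A real device needs profiling to pick the
right model; the authors' Note 2 reports simple models that did not work.
"""
import math
import random

Q = 251             # hypothetical small prime modulus (keeps the search fast)
SECRET = 37         # hypothetical secret coefficient the attack should recover
DELAY_PER_BIT = 0.5  # assumed extra delay per set bit of the intermediate v
NOISE_SD = 0.8       # assumed noise on each sensitivity measurement


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def measure_sensitivity(a: int, s: int, rng: random.Random) -> float:
    """Hypothetical device under test: returns the fault-onset clock period."""
    v = (a * s) % Q
    return 10.0 + DELAY_PER_BIT * hamming_weight(v) + rng.gauss(0.0, NOISE_SD)


def collect_traces(n: int, seed: int = 1):
    """Attacker phase 1: n random public operands with their measured sensitivities."""
    rng = random.Random(seed)
    traces = []
    for _ in range(n):
        a = rng.randrange(1, Q)
        traces.append((a, measure_sensitivity(a, SECRET, rng)))
    return traces


def pearson(xs, ys) -> float:
    """Pearson correlation; 0.0 when either series is constant (e.g. hypothesis s=0)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return 0.0 if sx == 0.0 or sy == 0.0 else cov / (sx * sy)


def fsa_recover(traces):
    """Attacker phase 2: for every key hypothesis, predict HW(a*guess mod Q) and
    correlate it with the measured sensitivities.  The hypothesis with the
    highest correlation is the recovered coefficient.
    Returns (hypotheses ranked best-first, {hypothesis: correlation})."""
    inputs = [a for a, _ in traces]
    measured = [t for _, t in traces]
    scores = {}
    for guess in range(Q):
        predicted = [hamming_weight((a * guess) % Q) for a in inputs]
        scores[guess] = pearson(predicted, measured)
    ranking = sorted(scores, key=scores.get, reverse=True)
    return ranking, scores


def distinguishing_margin(scores, ranking) -> float:
    """Gap between the best and runner-up correlation; a small gap means the
    attacker needs more traces before trusting the top hypothesis."""
    return scores[ranking[0]] - scores[ranking[1]]


if __name__ == "__main__":
    ranking, scores = fsa_recover(collect_traces(3000))
    print("recovered s =", ranking[0], "(true s =", SECRET, ")",
          "corr %.2f margin %.2f" % (scores[ranking[0]],
                                     distinguishing_margin(scores, ranking)))
```

Under these assumptions the correct coefficient ranks first with a correlation of roughly 0.6, while related hypotheses such as 2s (whose intermediate equals a plain left shift of v for half of the inputs) trail well behind. The margin function is the practical check: if it is of the same order as the sampling noise of the correlation (about 1/sqrt(number of traces)), collect more traces rather than trusting the ranking. On a real lattice implementation the per-coefficient attack is repeated over the secret vector, and the leakage model is the part that must be validated first, which is exactly the role the template-based variants in the paper play.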
Acknowledgments
This work has been partly funded by the European Union's Horizon 2020 research and innovation programme under the SAFEcrypto project (grant agreement No 644729) and by the Swiss National Science Foundation (project No P1TIP2_181305).
© 2019 Springer Nature Switzerland AG
Cite this paper
Valencia, F., Polian, I., Regazzoni, F. (2019). Fault Sensitivity Analysis of Lattice-Based Post-Quantum Cryptographic Components. In: Pnevmatikatos, D., Pelcat, M., Jung, M. (eds) Embedded Computer Systems: Architectures, Modeling, and Simulation. SAMOS 2019. Lecture Notes in Computer Science(), vol 11733. Springer, Cham. https://doi.org/10.1007/978-3-030-27562-4_8
DOI: https://doi.org/10.1007/978-3-030-27562-4_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-27561-7
Online ISBN: 978-3-030-27562-4