
More Practical Single-Trace Attacks on the Number Theoretic Transform

Conference paper, in: Progress in Cryptology – LATINCRYPT 2019 (LATINCRYPT 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11774)

Abstract

Single-trace side-channel attacks are a considerable threat to implementations of classic public-key schemes. For lattice-based cryptography, however, this class of attacks is much less understood, and only a small number of previous works show attacks. Primas et al., for instance, present a single-trace attack on the Number Theoretic Transform (NTT), which is at the heart of many efficient lattice-based schemes.

They, however, attack a variable-time implementation and also require a rather powerful side-channel adversary capable of creating close to a million multivariate templates. Thus, it was an open question whether such an attack can be made practical while also targeting state-of-the-art constant-time implementations.

In this paper, we answer this question positively. First, we introduce several improvements to the usage of belief propagation, which underlies the attack. Second, we change the target to encryption instead of decryption; this limits attacks to the recovery of the transmitted symmetric key, but in turn increases attack performance. All this then allows successful attacks even when switching to univariate Hamming-weight templates. We evaluate the performance and noise resistance of our attack using simulations, but also target a real device. Concretely, we successfully attack an assembly-optimized constant-time Kyber implementation running on an ARM Cortex-M4 microcontroller while requiring the construction of only \(2^{13}\) templates.
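The structure the attack exploits is the NTT itself: every butterfly is a small algebraic constraint between intermediates, and a side-channel leak of each intermediate (here modelled as its Hamming weight, standing in for the univariate templates of the abstract) narrows that intermediate to a small candidate set, which belief propagation then combines along the butterfly network. The following is an added illustration, not code from the paper or from PQM4: a negacyclic NTT over \(\mathbb{Z}_q[x]/\langle x^n + 1\rangle\) realised as the twist-by-\(\psi^i\) "scaling" of Note 3 followed by a cyclic NTT, with a snapshot of all coefficients after every butterfly layer, plus the noise-free Hamming-weight leakage of those snapshots and the candidate sets a single HW observation leaves. The parameters \(n = 256\), \(q = 7681\) are Kyber's round-1 ring parameters; the \(2n\)-th root of unity is found by search rather than taken from the reference implementation, and the layer recording, the HW model and the candidate-count function are assumptions of this example, not the paper's attack or templates.

```python
"""Negacyclic NTT over Z_q[x]/<x^n + 1> with a Hamming-weight leakage model.

Illustration only: constants are found by search, not taken from PQM4.
"""
from typing import Dict, List, Tuple

N, Q = 256, 7681  # Kyber round-1 ring parameters; q - 1 = 2^9 * 15


def find_root(q: int, order: int) -> int:
    """Smallest g with g^order = 1 and g^(order/2) = -1 (mod q). For a
    power-of-two order this makes g a primitive order-th root of unity."""
    for g in range(2, q):
        if pow(g, order, q) == 1 and pow(g, order // 2, q) == q - 1:
            return g
    raise ValueError("q admits no primitive root of that order")


def bit_reverse(i: int, bits: int) -> int:
    return int(f"{i:0{bits}b}"[::-1], 2)


def ntt_layers(a: List[int], q: int, omega: int) -> Tuple[List[int], List[List[int]]]:
    """Iterative Cooley-Tukey NTT (cyclic, natural-order output).

    Also returns a copy of all n coefficients after each butterfly layer:
    these are the intermediates a single-trace adversary observes (assumed
    leakage points of this example)."""
    n = len(a)
    x = [a[bit_reverse(i, n.bit_length() - 1)] for i in range(n)]
    snapshots: List[List[int]] = []
    length = 2
    while length <= n:
        w_len, half = pow(omega, n // length, q), length // 2
        for start in range(0, n, length):
            w = 1
            for j in range(half):
                u, v = x[start + j], x[start + j + half] * w % q
                x[start + j], x[start + j + half] = (u + v) % q, (u - v) % q
                w = w * w_len % q
        snapshots.append(list(x))
        length *= 2
    return x, snapshots


def negacyclic_ntt(a: List[int], q: int, psi: int) -> Tuple[List[int], List[List[int]]]:
    """Twist a_i by psi^i (the scaling of Note 3), then cyclic NTT with omega = psi^2."""
    twisted = [c * pow(psi, i, q) % q for i, c in enumerate(a)]
    return ntt_layers(twisted, q, psi * psi % q)


def negacyclic_intt(ahat: List[int], q: int, psi: int) -> List[int]:
    n = len(ahat)
    x, _ = ntt_layers(ahat, q, pow(psi * psi % q, -1, q))
    n_inv, psi_inv = pow(n, -1, q), pow(psi, -1, q)
    return [c * n_inv * pow(psi_inv, i, q) % q for i, c in enumerate(x)]


def poly_mul_ntt(a: List[int], b: List[int], q: int, psi: int) -> List[int]:
    ahat, _ = negacyclic_ntt(a, q, psi)
    bhat, _ = negacyclic_ntt(b, q, psi)
    return negacyclic_intt([x * y % q for x, y in zip(ahat, bhat)], q, psi)


def poly_mul_schoolbook(a: List[int], b: List[int], q: int) -> List[int]:
    """Reference product in Z_q[x]/<x^n + 1> (x^n = -1 wraps with a sign)."""
    n, c = len(a), [0] * len(a)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                c[i + j] += ai * bj
            else:
                c[i + j - n] -= ai * bj
    return [v % q for v in c]


def hamming_weight(v: int) -> int:
    return bin(v).count("1")


def hw_trace(snapshots: List[List[int]]) -> List[List[int]]:
    """Noise-free univariate HW leakage of every intermediate, per layer."""
    return [[hamming_weight(v) for v in layer] for layer in snapshots]


def hw_candidates(q: int) -> Dict[int, List[int]]:
    """Values in [0, q) grouped by Hamming weight: the support of a
    univariate HW template's posterior after one noise-free observation."""
    groups: Dict[int, List[int]] = {}
    for v in range(q):
        groups.setdefault(hamming_weight(v), []).append(v)
    return groups


def expected_candidates_after_hw(q: int) -> float:
    """Average size of the candidate set for a uniform coefficient in [0, q)
    once its Hamming weight is known (sum over classes of |S_h|^2 / q)."""
    return sum(len(s) ** 2 for s in hw_candidates(q).values()) / q


if __name__ == "__main__":
    psi = find_root(Q, 2 * N)
    a = [(37 * i + 11) % Q for i in range(N)]   # constructed sample inputs
    b = [(i * i + 5) % Q for i in range(N)]
    assert poly_mul_ntt(a, b, Q, psi) == poly_mul_schoolbook(a, b, Q)
    leaks = hw_trace(negacyclic_ntt(a, Q, psi)[1])
    print(f"{len(leaks)} butterfly layers x {len(leaks[0])} leaking intermediates")
    print(f"candidates left per coefficient after one HW leak: "
          f"{expected_candidates_after_hw(Q):.0f} of {Q}")
```

The snapshot list is the input a belief-propagation attack would work from: each entry of `hw_trace` is one leaked intermediate, `hw_candidates` is the soft information a univariate template contributes for it, and the butterflies in `ntt_layers` are the constraints that let information from one intermediate propagate to the others. The example is noise-free; real templates yield a distribution over Hamming weights rather than a single value, which is exactly what the paper's noise-resistance evaluation addresses.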


Notes

1. At least when using a simple error distribution, such as centered binomials.

2. The new parameter set also requires some minor modifications to the NTT, such as different constants and omission of the last butterfly layer.

3. Here, the NTT is defined to include the scaling required to compute products in \(\mathbb {Z} _q[x]/\langle x^n + 1 \rangle \) instead of \(\mathbb {Z} _q[x]/\langle x^n - 1 \rangle \). We point to [6] for further details.

4. Aysu et al. [7] also run their attack for the RLWE-based scheme NewHope [2]. However, their attacked implementation uses schoolbook multiplication instead of the NTT, resulting in a drastically increased runtime.

5. They target the original LPR scheme, which has very similar encryption and decryption routines.

6. Shortly after the initial publication of this paper, the Kyber implementation in PQM4 was updated. For reference, we used the version found at https://github.com/mupq/pqm4/releases/tag/Round1.

References

1. Albrecht, M.R., Göpfert, F., Virdia, F., Wunderer, T.: Revisiting the expected cost of solving uSVP and applications to LWE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 297–322. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_11

2. Alkim, E., et al.: NewHope (2017). https://newhopecrypto.org/. Submission to [21]

3. Alkim, E., et al.: FrodoKEM (2017). https://frodokem.org/. Submission to [21]

4. Alkim, E., Jakubeit, P., Schwabe, P.: NewHope on ARM Cortex-M. In: Carlet, C., Hasan, M.A., Saraswat, V. (eds.) SPACE 2016. LNCS, vol. 10076, pp. 332–349. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49445-6_19

5. Alperin-Sheriff, J.: Programmable hardware, microcontrollers and vector instructions. Post on the NIST PQC-forum (2018). https://groups.google.com/a/list.nist.gov/d/msg/pqc-forum/_0mDoyry1Ao/Tt7yHpjSDgAJ

6. Avanzi, R., et al.: CRYSTALS-Kyber (2017). https://pq-crystals.org/kyber. Submission to [21]

7. Aysu, A., Tobah, Y., Tiwari, M., Gerstlauer, A., Orshansky, M.: Horizontal side-channel vulnerabilities of post-quantum key exchange protocols. In: HOST 2018, pp. 81–88. IEEE Computer Society (2018)

8. Barthe, G., et al.: Masking the GLP lattice-based signature scheme at any order. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 354–384. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_12

9. Bauer, A., Jaulmes, E., Prouff, E., Wild, J.: Horizontal collision correlation attack on elliptic curves. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 553–570. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43414-7_28

10. Bindel, N., et al.: qTESLA (2017). https://qtesla.org. Submission to [21]

11. Bos, J.W., Friedberger, S., Martinoli, M., Oswald, E., Stam, M.: Assessing the feasibility of single trace power analysis of Frodo. In: Cid, C., Jacobson Jr., M. (eds.) SAC 2018. LNCS, vol. 11349, pp. 216–234. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-10970-7_10

12. Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36400-5_3

13. de Clercq, R., Roy, S.S., Vercauteren, F., Verbauwhede, I.: Efficient software implementation of ring-LWE encryption. In: DATE 2015, pp. 339–344. ACM (2015)

14. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34

15. Kannwischer, M.J., Rijneveld, J., Schwabe, P., Stoffelen, K.: PQM4: post-quantum crypto library for the ARM Cortex-M4. https://github.com/mupq/pqm4

16. Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Crypt. 75(3), 565–599 (2015)

17. Lyubashevsky, V., et al.: CRYSTALS-Dilithium (2017). https://pq-crystals.org/dilithium. Submission to [21]

18. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1

19. MacKay, D.J.C.: Information Theory, Inference, and Learning Algorithms. Cambridge University Press, Cambridge (2003)

20. NewAE: CW308T-STM32F. https://wiki.newae.com/CW308T-STM32F

21. NIST: Post-quantum cryptography standardization. https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization

22. Oder, T., Schneider, T., Pöppelmann, T., Güneysu, T.: Practical CCA2-secure and masked ring-LWE implementation. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(1), 142–174 (2018)

23. Primas, R., Pessl, P., Mangard, S.: Single-trace side-channel attacks on masked lattice-based encryption. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 513–533. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_25

24. Reparaz, O., de Clercq, R., Roy, S.S., Vercauteren, F., Verbauwhede, I.: Additively homomorphic ring-LWE masking. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 233–244. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29360-8_15

25. Reparaz, O., Sinha Roy, S., Vercauteren, F., Verbauwhede, I.: A masked ring-LWE implementation. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 683–702. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48324-4_34

26. Saarinen, M.O.: Arithmetic coding and blinding countermeasures for lattice signatures: engineering a side-channel resistant post-quantum signature scheme with compact signatures. J. Cryptographic Eng. 8(1), 71–84 (2018)

27. Storkey, A.J.: Generalised propagation for fast Fourier transforms with partial or missing data. In: NIPS 2003, pp. 433–440. MIT Press (2003)

28. Veyrat-Charvillon, N., Gérard, B., Standaert, F.-X.: Soft analytical side-channel attacks. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 282–296. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_15

29. Yedidia, J.S.: Sparse factor graph representations of Reed-Solomon and related codes. In: Algebraic Coding Theory and Information Theory. DIMACS Series in Discrete Mathematics and Theoretical Computer Science, vol. 68, pp. 91–98. DIMACS/AMS (2003). http://www.merl.com/publications/docs/TR2003-135.pdf

30. Yedidia, J.S., Freeman, W.T., Weiss, Y.: Generalized belief propagation. In: NIPS 2000, pp. 689–695. MIT Press (2000)

Acknowledgements

This work has been supported by the Austrian Research Promotion Agency (FFG) via the K-project DeSSnet, which is funded in the context of COMET – Competence Centers for Excellent Technologies by BMVIT, BMWFW, Styria and Carinthia, and via the project ESPRESSO, which is funded by the province of Styria and the Business Promotion Agencies of Styria and Carinthia.

Author information

Corresponding author: Peter Pessl.

Copyright information

© 2019 Springer Nature Switzerland AG


Cite this paper

Pessl, P., Primas, R. (2019). More Practical Single-Trace Attacks on the Number Theoretic Transform. In: Schwabe, P., Thériault, N. (eds) Progress in Cryptology – LATINCRYPT 2019. LATINCRYPT 2019. Lecture Notes in Computer Science, vol 11774. Springer, Cham. https://doi.org/10.1007/978-3-030-30530-7_7

  • DOI: https://doi.org/10.1007/978-3-030-30530-7_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-30529-1

  • Online ISBN: 978-3-030-30530-7