Skip to main content
SpringerLink
Log in

Analyzing the Shuffling Side-Channel Countermeasure for Lattice-Based Signatures

  • Conference paper
  • First Online:
Progress in Cryptology – INDOCRYPT 2016 (INDOCRYPT 2016)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10095))

Included in the following conference series:

Abstract

Implementation security for lattice-based cryptography is still a vastly unexplored field. At CHES 2016, the very first side-channel attack on a lattice-based signature scheme was presented. Later, shuffling was proposed as an inexpensive means to protect the Gaussian sampling component against such attacks. However, the concrete effectiveness of this countermeasure has never been evaluated.

We change that by presenting an in-depth analysis of the shuffling countermeasure. Our analysis consists of two main parts. First, we perform a side-channel attack on a Gaussian sampler implementation. We combine templates with a recovery of data-dependent branches, which are inherent to samplers. We show that an adversary can realistically recover some samples with very high confidence.

Second, we present a new attack against the shuffling countermeasure in context of Gaussian sampling and lattice-based signatures. We do not attack the shuffling algorithm as such, but exploit differing distributions of certain variables. We give a broad analysis of our attack by considering multiple modeled SCA adversaries.

We show that a simple version of shuffling is not an effective countermeasure. With our attack, a profiled SCA adversary can recover the key by observing only 7 000 signatures. A second version of this countermeasure, which uses Gaussian convolution in conjunction with shuffling twice, can increase side-channel security and the number of required signatures significantly. Here, roughly 285 000 observations are needed for a successful attack. Yet, this number is still practical.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    These numbers assume recoverability of bit b for each signature (cf. Sect. 5.3).

  2. 2.

    The constants \(\zeta , d, p\) are used for compression purposes. For details, see [7].

  3. 3.

    Further sampler architectures are discussed in the full version of [10].

  4. 4.

    The design files of this development board are available online [24].

References

  1. Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S. (eds.) USENIX Security 2016, pp. 327–343. USENIX Association, Berkeley (2016)

    Google Scholar 

  2. Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: SP 2015, pp. 553–570. IEEE Computer Society (2015)

    Google Scholar 

  3. Braithwaite, M.: Experimenting with post-quantum cryptography, July 2016. https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html

  4. Buchmann, J., Cabarcas, D., Göpfert, F., Hülsing, A., Weiden, P.: Discrete ziggurat: a time-memory trade-off for sampling from a gaussian distribution over the integers. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 402–417. Springer, Heidelberg (2014). doi:10.1007/978-3-662-43414-7_20

    Chapter  Google Scholar 

  5. Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003). doi:10.1007/3-540-36400-5_3

    Chapter  Google Scholar 

  6. Chen, L., Jordan, S., Liu, Y.-K., Moody, D., Peralta, R., Perlner, R., Smith-Tone, D.: NISTIR 8105 DRAFT, Report on Post Quantum Cryptography, February 2016. http://csrc.nist.gov/publications/drafts/nistir-8105/nistir_8105_draft.pdf

  7. Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40041-4_3

    Chapter  Google Scholar 

  8. Dwarakanath, N.C., Galbraith, S.D.: Sampling from discrete Gaussians for lattice-based cryptography on a constrained device. Appl. Algebra Eng. Commun. Comput. 25(3), 159–180 (2014)

    Article  MathSciNet  MATH  Google Scholar 

  9. Gierlichs, B., Lemke-Rust, K., Paar, C.: Templates vs. stochastic methods. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 15–29. Springer, Heidelberg (2006). doi:10.1007/11894063_2

    Chapter  Google Scholar 

  10. Groot Bruinderink, L., Hülsing, A., Lange, T., Yarom, Y.: Flush, gauss, and reload – a cache attack on the BLISS lattice-based signature scheme. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 323–345. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53140-2_16

    Chapter  Google Scholar 

  11. Güneysu, T., Lyubashevsky, V., Pöppelmann, T.: Practical lattice-based cryptography: a signature scheme for embedded systems. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 530–547. Springer, Heidelberg (2012). doi:10.1007/978-3-642-33027-8_31

    Chapter  Google Scholar 

  12. Jaffe, J.: A first-order DPA attack against AES in counter mode with unknown initial counter. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 1–13. Springer, Heidelberg (2007). doi:10.1007/978-3-540-74735-2_1

    Chapter  Google Scholar 

  13. Knuth, D.E.: The Art of Computer Programming: Seminumerical Algorithms, vol. 2, 3rd edn., pp. 145–146. Addison-Wesley, Salt Lake (1998). Chap. 3

    Google Scholar 

  14. Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011). doi:10.1007/978-3-642-19074-2_21

    Chapter  Google Scholar 

  15. Moradi, A., Hinterwälder, G.: Side-channel security analysis of ultra-low-power FRAM-based MCUs. In: Mangard, S., Poschmann, A.Y. (eds.) COSADE 2015. LNCS, vol. 9064, pp. 239–254. Springer, Heidelberg (2015). doi:10.1007/978-3-319-21476-4_16

    Chapter  Google Scholar 

  16. NSA/IAD. CNSA Suite and Quantum Computing FAQ, January 2016. https://www.iad.gov/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/cnsa-suite-and-quantum-computing-faq.cfm

  17. Oder, T., Pöppelmann, T., Güneysu, T.: Beyond ECDSA and RSA: lattice-based digital signatures on constrained devices. In: DAC 2014, pp. 110:1–110:6. ACM (2014)

    Google Scholar 

  18. Pöppelmann, T., Ducas, L., Güneysu, T.: Enhanced lattice-based signatures on reconfigurable hardware. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 353–370. Springer, Heidelberg (2014). doi:10.1007/978-3-662-44709-3_20

    Google Scholar 

  19. Pöppelmann, T., Oder, T., Güneysu, T.: High-performance ideal lattice-based cryptography on 8-Bit ATxmega microcontrollers. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 346–365. Springer, Heidelberg (2015). doi:10.1007/978-3-319-22174-8_19

    Chapter  Google Scholar 

  20. Roy, S.S., Reparaz, O., Vercauteren, F., Verbauwhede, I.: Compact and side channel secure discrete gaussian sampling. Cryptology ePrint Archive, Report 2014/591 (2014). http://eprint.iacr.org/2014/591

  21. Saarinen, M.-J.O.: Arithmetic coding and blinding countermeasures for lattice signatures: engineering a side-channel resistant post-quantum signature scheme with compact signatures. Cryptology ePrint Archive, Report 2016/276 (2016). http://eprint.iacr.org/2016/276

  22. Schneier, B.: NSA plans for a post-quantum world, August 2015. https://www.schneier.com/blog/archives/2015/08/nsa_plans_for_a.html

  23. strongSwan. strongSwan 5.2.2 Released (2015). https://www.strongswan.org/blog/2015/01/05/strongswan-5.2.2-released.html

  24. Texas Instruments. MSP432P401R LaunchPad. http://www.ti.com/tool/msp-exp432p401r

Download references

Acknowledgements

This work has been supported by the Austrian Research Promotion Agency (FFG) under grant number 845589 (SCALAS). We would also like to thank Leon Groot Bruinderink for his valuable input.

Author information

Authors and Affiliations

  1. IAIK, Graz University of Technology, Graz, Austria

    Peter Pessl

Authors
  1. Peter Pessl
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Peter Pessl .

Editor information

Editors and Affiliations

  1. University of Haifa , Haifa, Israel

    Orr Dunkelman

  2. Indraprashtha Institute of Information Technology (IIIT-D), New Delhi, India

    Somitra Kumar Sanadhya

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Pessl, P. (2016). Analyzing the Shuffling Side-Channel Countermeasure for Lattice-Based Signatures. In: Dunkelman, O., Sanadhya, S. (eds) Progress in Cryptology – INDOCRYPT 2016. INDOCRYPT 2016. Lecture Notes in Computer Science(), vol 10095. Springer, Cham. https://doi.org/10.1007/978-3-319-49890-4_9

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-49890-4_9

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-49889-8

  • Online ISBN: 978-3-319-49890-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation