
Exploiting Determinism in Lattice-based Signatures: Practical Fault Attacks on pqm4 Implementations of NIST Candidates

Published: 02 July 2019

Abstract

In this paper, we analyze implementation-level fault vulnerabilities of deterministic lattice-based signature schemes. In particular, we extend the practicality of skip-addition fault attacks by exploiting determinism in the Dilithium and qTESLA signature schemes, two leading candidates in the NIST post-quantum cryptography standardization process. We show that a single targeted fault injected into the signing procedure allows an attacker to recover a significant portion of the secret key. Although faults injected into the signing procedure do not recover all secret-key elements, we propose a novel forgery algorithm that lets the attacker sign any given message using only the extracted portion of the secret key. We validate our attack experimentally using electromagnetic fault injection on reference implementations taken from the pqm4 library, a benchmarking and testing framework for post-quantum cryptographic implementations on the ARM Cortex-M4 microcontroller. We also show that our attacks break two well-known countermeasures intended to protect against skip-addition fault attacks. Finally, we propose an efficient mitigation strategy against our attack that exponentially increases the attacker's complexity at almost zero increase in computational complexity.



Published In

Asia CCS '19: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security
July 2019
708 pages
ISBN:9781450367523
DOI:10.1145/3321705

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. PQM4
  2. deterministic lattice signatures
  3. fault attack
  4. lattice-based cryptography

Qualifiers

  • Research-article

Conference

Asia CCS '19

Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%

Cited By

  • (2025) Digital Signature Scheme Based on Linear Equations. Advances in Information and Communication, 711-728. doi:10.1007/978-3-031-84460-7_46. Online publication date: 7-Mar-2025
  • (2024) In-depth Correlation Power Analysis Attacks on a Hardware Implementation of CRYSTALS-Dilithium. Cybersecurity 7:1. doi:10.1186/s42400-024-00209-9. Online publication date: 3-Jun-2024
  • (2024) Side-channel and Fault-injection attacks over Lattice-based Post-quantum Schemes (Kyber, Dilithium): Survey and New Results. ACM Transactions on Embedded Computing Systems 23:2, 1-54. doi:10.1145/3603170. Online publication date: 28-Mar-2024
  • (2024) SIGNLINE: Digital Signature Scheme Based on Linear Equations Cryptosystem. 2024 4th International Conference on Electrical, Computer, Communications and Mechatronics Engineering (ICECCME), 1-9. doi:10.1109/ICECCME62383.2024.10796704. Online publication date: 4-Nov-2024
  • (2024) A Single-Trace Fault Injection Attack on Hedged Module Lattice Digital Signature Algorithm (ML-DSA). 2024 Workshop on Fault Detection and Tolerance in Cryptography (FDTC), 34-43. doi:10.1109/FDTC64268.2024.00013. Online publication date: 4-Sep-2024
  • (2024) Evaluation framework for quantum security risk assessment: A comprehensive strategy for quantum-safe transition. Computers & Security, 104272. doi:10.1016/j.cose.2024.104272. Online publication date: Dec-2024
  • (2024) Navigating quantum security risks in networked environments: A comprehensive study of quantum-safe network protocols. Computers & Security, 103883. doi:10.1016/j.cose.2024.103883. Online publication date: May-2024
  • (2024) Post-Quantum Cryptographic Accelerators. Handbook of Computer Architecture, 237-275. doi:10.1007/978-981-97-9314-3_8. Online publication date: 21-Dec-2024
  • (2023) Analysis of EM Fault Injection on Bit-sliced Number Theoretic Transform Software in Dilithium. ACM Transactions on Embedded Computing Systems. doi:10.1145/3583757. Online publication date: 31-Mar-2023
  • (2023) Fuzzing+Hardware Performance Counters-Based Detection of Algorithm Subversion Attacks on Postquantum Signature Schemes. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 42:2, 384-396. doi:10.1109/TCAD.2022.3159749. Online publication date: Feb-2023
