ABSTRACT
This paper reveals a new side-channel leakage in the Microsoft SEAL homomorphic encryption library. The proposed attack exploits the leakage of the ternary value assignments made during the Number Theoretic Transform (NTT) sub-routine. Notably, the attack can steal the secret key coefficients from a single power/electromagnetic measurement trace. To achieve high accuracy with a single trace, we build a novel machine-learning based side-channel profiler. Moreover, we implement a random delay insertion defense to mitigate the shown leakage. The results on an ARM Cortex-M4F processor show that our attack extracts secret key coefficients with 98.3% accuracy and that the random delay insertion defense does not reduce the success rate of our attack.
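The following toy simulation is an added illustration, not code from the paper or from SEAL. It assumes a Hamming-weight leakage model for the moment a ternary coefficient is written in its mod-q representation (-1 stored as q-1, which has many set bits, versus 0 and 1), a constructed 30-bit modulus, and a nearest-mean template profiler that uses a shift-invariant feature, which is why a per-coefficient random delay leaves its single-trace accuracy unchanged.

```python
import random

Q = (1 << 30) - 35  # constructed 30-bit modulus; not a SEAL parameter

def encode_ternary(c, q=Q):
    # Ternary secret coefficients -1/0/1 are stored as residues mod q, so -1 becomes q-1.
    return c % q

def hamming_weight(x):
    return bin(x).count("1")

def simulate_trace(coeff, noise_sd, delay, rng, length=16):
    # Assumed leakage model: the sample where the residue is written leaks HW(residue)
    # plus Gaussian noise; a random delay shifts which sample carries it.
    trace = [rng.gauss(0.0, noise_sd) for _ in range(length)]
    trace[4 + delay] += hamming_weight(encode_ternary(coeff))
    return trace

def feature(trace):
    # Peak amplitude over the window is invariant to where the leaking sample sits,
    # so a delay countermeasure does not change what the profiler sees.
    return max(trace)

def build_templates(rng, noise_sd, max_delay, n_profile=200):
    # Profiling phase: mean feature per ternary value from labelled, constructed traces.
    templates = {}
    for c in (-1, 0, 1):
        feats = [feature(simulate_trace(c, noise_sd, rng.randint(0, max_delay), rng))
                 for _ in range(n_profile)]
        templates[c] = sum(feats) / n_profile
    return templates

def classify(trace, templates):
    f = feature(trace)
    return min(templates, key=lambda c: abs(templates[c] - f))

def single_trace_accuracy(noise_sd=0.15, max_delay=0, n_coeffs=2000, seed=1):
    # Fraction of secret coefficients recovered from one trace each; compare
    # max_delay=0 (no countermeasure) with max_delay>0 (random delay insertion).
    rng = random.Random(seed)
    templates = build_templates(rng, noise_sd, max_delay)
    secret = [rng.choice((-1, 0, 1)) for _ in range(n_coeffs)]
    hits = sum(classify(simulate_trace(c, noise_sd, rng.randint(0, max_delay), rng),
                        templates) == c for c in secret)
    return hits / n_coeffs
```

The takeaway for a defender is that hiding *when* the value-dependent operation happens does not remove the value dependence itself; a mitigation has to make the handling of -1, 0 and 1 indistinguishable in amplitude.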
Exposing Side-Channel Leakage of SEAL Homomorphic Encryption Library