Generic Side-Channel Attacks on CCA-Secure Lattice-Based PKE and KEMs

Cited by: 28
Authors
Ravi P. [1 ,2 ]
Roy S.S. [3 ]
Chattopadhyay A. [1 ,2 ]
Bhasin S. [1 ]
Affiliations
[1] Temasek Laboratories, Nanyang Technological University
[2] School of Computer Science and Engineering, Nanyang Technological University
[3] School of Computer Science, University of Birmingham
Source
IACR Transactions on Cryptographic Hardware and Embedded Systems | 2020 / Vol. 2020 / Issue 3
Keywords
Chosen Ciphertext Attack; EM-based side-channel attack; Key Encapsulation Mechanism; Lattice-based cryptography; LWE/LWR; Public Key Encryption;
DOI
10.13154/tches.v2020.i3.307-335
Abstract
In this work, we demonstrate generic and practical EM side-channel assisted chosen ciphertext attacks over multiple LWE/LWR-based Public Key Encryption (PKE) and Key Encapsulation Mechanisms (KEM) secure in the chosen ciphertext model (IND-CCA security). We show that the EM side-channel information can be efficiently utilized to instantiate a plaintext checking oracle, which provides binary information about the output of decryption, typically concealed within IND-CCA secure PKE/KEMs, thereby enabling our attacks. Firstly, we identified EM-based side-channel vulnerabilities in the error correcting codes (ECC) enabling us to distinguish based on the value/validity of decrypted codewords. We also identified similar vulnerabilities in the Fujisaki-Okamoto transform which leaks information about decrypted messages, applicable to schemes that do not use ECC. We subsequently exploit these vulnerabilities to demonstrate practical attacks applicable to six CCA-secure lattice-based PKE/KEMs competing in the second round of the NIST standardization process. We perform experimental validation of our attacks on implementations taken from the open-source pqm4 library, running on the ARM Cortex-M4 microcontroller. Our attacks lead to complete key recovery in a matter of minutes on all the targeted schemes, thus showing the effectiveness of our attack. © 2020, Ruhr-University of Bochum. All rights reserved.
Pages: 307 / 335
Page count: 28