High-Speed Masking for Polynomial Comparison in Lattice-based KEMs

Author(s):  
Florian Bache ◽  
Clara Paglialonga ◽  
Tobias Oder ◽  
Tobias Schneider ◽  
Tim Güneysu

With the NIST post-quantum standardization competition entering the second round, the interest in practical implementation results of the remaining NIST candidates is steadily growing. Especially implementations on embedded devices are often not protected against side-channel attacks, such as differential power analysis. In this regard, the application of countermeasures against side-channel attacks to candidates of the NIST standardization process is still an understudied topic. Our work aims to contribute to the NIST competition by enabling a more realistic judgment of the overhead cost introduced by side-channel countermeasures that are applied to lattice-based KEMs that achieve CCA-security based on the Fujisaki-Okamoto transform. We present a novel higher-order masking scheme that enables an efficient comparison of polynomials, as previous techniques based on arithmetic-to-Boolean conversions render this (generally inexpensive) component extremely expensive in the masked case. Our approach has linear complexity in the number of shares compared to the quadratic complexity of previous contributions, and it applies to lattice-based schemes with a prime modulus. It comes with a proof in the probing model and an efficient implementation on an ARM Cortex-M4F microcontroller, which was defined as a preferred evaluation platform for embedded implementations by NIST. Our algorithm can be executed in only 1.5-2.2 milliseconds on the target platform (depending on the masking order) and is therefore well suited even for lightweight applications. While in previous work practical side-channel experiments were conducted using only 5,000 - 100,000 power traces, we confirm the absence of first-order leakage in this work by collecting 1 million power traces and applying the t-test methodology.

Author(s):  
Santosh Ghosh ◽  
Monjur Alam ◽  
Dipanwita Roy Chowdhury ◽  
Indranil Sen Gupta

Author(s):  
Prasanna Ravi ◽  
Sujoy Sinha Roy ◽  
Anupam Chattopadhyay ◽  
Shivam Bhasin

In this work, we demonstrate generic and practical EM side-channel assisted chosen-ciphertext attacks on multiple LWE/LWR-based Public Key Encryption (PKE) schemes and Key Encapsulation Mechanisms (KEMs) secure in the chosen-ciphertext model (IND-CCA security). We show that the EM side-channel information can be efficiently utilized to instantiate a plaintext-checking oracle, which provides binary information about the output of decryption that is typically concealed within IND-CCA secure PKE/KEMs, thereby enabling our attacks. Firstly, we identified EM-based side-channel vulnerabilities in the error correcting codes (ECC), enabling us to distinguish based on the value/validity of decrypted codewords. We also identified similar vulnerabilities in the Fujisaki-Okamoto transform, which leaks information about decrypted messages, applicable to schemes that do not use ECC. We subsequently exploit these vulnerabilities to demonstrate practical attacks applicable to six CCA-secure lattice-based PKE/KEMs competing in the second round of the NIST standardization process. We perform experimental validation of our attacks on implementations taken from the open-source pqm4 library, running on the ARM Cortex-M4 microcontroller. Our attacks lead to complete key recovery in a matter of minutes on all the targeted schemes, thus showing the effectiveness of our attack.


Author(s):  
Jean-Sébastien Coron ◽  
Franck Rondepierre ◽  
Rina Zeitoun

Masking is an effective countermeasure against side-channel attacks. In this paper, we improve the efficiency of the high-order masking of look-up tables countermeasure introduced at Eurocrypt 2014, based on a combination of three techniques, and still with a proof of security in the Ishai-Sahai-Wagner (ISW) probing model. The first technique consists in proving security under the stronger t-SNI definition, which enables the use of n = t+1 shares instead of n = 2t+1 against t-th order attacks. The second technique consists in progressively incrementing the number of shares within the countermeasure, from a single share to n, thereby reducing the complexity of the countermeasure. The third technique consists in adapting the common shares approach introduced by Coron et al. at CHES 2016, so that half of a randomized look-up table can be pre-computed for multiple SBoxes. We show that our techniques perform well in practice. In theory, the combination of the three techniques should lead to a factor 10.7 improvement in efficiency for a large number of shares. For a practical implementation with a reasonable number of shares, we get a 4.8 speed-up factor for AES.


Author(s):  
Zhe Liu ◽  
Patrick Longa ◽  
Geovandro Pereira ◽  
Oscar Reparaz ◽  
Hwajeong Seo

Author(s):  
S. Kaedi ◽  
M. A. Doostari ◽  
M. B. Ghaznavi-Ghoushchi ◽  
H. Yusefi

RSA-CRT is one of the most common algorithms in digital signatures. Several side-channel attacks have been presented on the implementation of RSA-CRT. One of the most important side-channel attacks on RSA-CRT is Modular Reduction on Equidistant Data (MRED). The implementation of RSA-CRT has many challenges in the multiplications when the key size is long (e.g. 2048 bits). Montgomery multiplication is one of the common methods for executing the RSA multiplication, which has many implementation problems and side-channel leakage challenges. This article first implements an RSA-CRT algorithm based on Montgomery multiplication with high-speed and low-area hardware. The implementation is named RSA-CRT-MMB (Montgomery Method Based). Next, a new power analysis side-channel attack on RSA-CRT-MMB is presented. We name our attack MRED on MMB. The attack utilizes, for the first time, new side-channel leakage information about the CRT reduction algorithm implemented by the MMB. Previous articles do not investigate the MRED attack on Montgomery multiplication in RSA-CRT. Finally, a new countermeasure is presented to prevent the MREDM attack. The countermeasure does not have any overhead in the hardware area or running time of the RSA algorithm. The correctness of our scheme, the 2048-bit RSA-CRT-MMB, is investigated by the implementation of the scheme on the SASEBO-W board in our DPA laboratory. The total running time of 2048-bit RSA is 250 ms and the RSA algorithm occupies only 23% of the LUT slices on a Spartan-6 FPGA. The proposed countermeasures are also verified by practical experiments.


Author(s):  
Chun Guo ◽  
Olivier Pereira ◽  
Thomas Peters ◽  
François-Xavier Standaert

The ongoing NIST lightweight cryptography standardization process highlights the importance of resistance to side-channel attacks, which has renewed the interest in Authenticated Encryption schemes (AEs) with light(er)-weight side-channel secure implementations. To address this challenge, our first contribution is to investigate the leakage-resistance of a generic duplex-based stream cipher. When the capacity of the duplex is c bits, we prove the classical bound, i.e., ≈ 2^(c/2), under an assumption of non-invertible leakage. Based on this, we propose a new 1-pass AE mode TETSponge, which carefully combines a tweakable block cipher that must have strong protections against side-channel attacks and is scarcely used, and a duplex-style permutation that only needs weak side-channel protections and is used to frugally process the message and associated data. It offers: (i) provable integrity (resp. confidentiality) guarantees in the presence of leakage during both encryption and decryption (resp. encryption only), (ii) some level of nonce misuse robustness. We conclude that TETSponge is an appealing option for the implementation of low-energy AE in settings where side-channel attacks are a concern. We also provide the first rigorous methodology for the leakage-resistance of sponge/duplex-based AEs based on a minimal non-invertibility assumption on leakages, which leads to various insights on designs and implementations.

