Bounding the Cache-Side-Channel Leakage of Lattice-Based Signature Schemes Using Program Semantics

We study masking countermeasures for side-channel attacks against signature schemes constructed from the MPC-in-the-head paradigm, specifically when the MPC protocol uses preprocessing. This class of signature schemes includes Picnic, an alternate candidate in the third round of the NIST post-quantum standardization project. The only previously known approach to masking MPC-in-the-head signatures suffers from interoperability issues and increased signature sizes. Further, we present a new attack to demonstrate that known countermeasures are not sufficient when the MPC protocol uses a preprocessing phase, as in Picnic3.We overcome these challenges by showing how to mask the underlying zero-knowledge proof system due to Katz–Kolesnikov–Wang (CCS 2018) for any masking order, and by formally proving that our approach meets the standard security notions of non-interference for masking countermeasures. As a case study, we apply our masking technique to Picnic. We then implement different masked versions of Picnic signing providing first order protection for the ARM Cortex M4 platform, and quantify the overhead of these different masking approaches. We carefully analyze the side-channel risk of hashing operations, and give optimizations that reduce the CPU cost of protecting hashing in Picnic by a factor of five. The performance penalties of the masking countermeasures ranged from 1.8 to 5.5, depending on the degree of masking applied to hash function invocations.

Download Full-text

Side-Channel Attacks on Post-Quantum Signature Schemes based on Multivariate Quadratic Equations

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2018.i3.500-523 ◽

2018 ◽

pp. 500-523 ◽

Cited By ~ 2

Author(s):

Aesun Park ◽

Kyung-Ah Shim ◽

Namhun Koo ◽

Dong-Guk Han

Keyword(s):

Simple Structure ◽

Single Layer ◽

Quantum Signature ◽

Side Channel ◽

Secret Key ◽

Key Recovery ◽

Signature Schemes ◽

Quadratic Equations ◽

Affine Maps ◽

Equivalent Keys

In this paper, we investigate the security of Rainbow and Unbalanced Oil-and-Vinegar (UOV) signature schemes based on multivariate quadratic equations, which is one of the most promising alternatives for post-quantum signature schemes, against side-channel attacks. We describe correlation power analysis (CPA) on the schemes that yield full secret key recoveries. First, we identify a secret leakage of secret affine maps S and T during matrix-vector products in signing when Rainbow is implemented with equivalent keys rather than random affine maps for optimal implementations. In this case, the simple structure of the equivalent keys leads to the retrieval of the entire secret affine map T. Next, we extend the full secret key recovery to the general case using random affine maps via a hybrid attack: after recovering S by performing CPA, we recover T by mounting algebraic key recovery attacks. We demonstrate how this leakage on Rainbow can be practically exploited on an 8-bit AVR microcontroller using CPA. Consequently, our CPA can be applied to Rainbow-like multi-layered schemes regardless of the use of the simple-structured equivalent keys and UOV-like single layer schemes with the implementations using the equivalent keys of the simple structure. This is the first result on the security of multivariate quadratic equations-based signature schemes using only CPA. Our result can be applied to Rainbow-like multi-layered schemes and UOV-like single layer schemes submitted to NIST for Post-Quantum Cryptography Standardization.

Download Full-text

CacheQuote: Efficiently Recovering Long-term Secrets of SGX EPID via Cache Attacks

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2018.i2.171-191 ◽

2018 ◽

pp. 171-191 ◽

Cited By ~ 3

Author(s):

Fergus Dall ◽

Gabrielle De Micheli ◽

Thomas Eisenbarth ◽

Daniel Genkin ◽

Nadia Heninger ◽

...

Keyword(s):

Secure Computation ◽

Side Channel ◽

Zero Knowledge ◽

Signature Schemes ◽

Number Problem ◽

Trusted Hardware ◽

Hidden Number Problem ◽

Cache Attacks ◽

Zero Knowledge Proof

Intel Software Guard Extensions (SGX) allows users to perform secure computation on platforms that run untrusted software. To validate that the computation is correctly initialized and that it executes on trusted hardware, SGX supports attestation providers that can vouch for the user’s computation. Communication with these attestation providers is based on the Extended Privacy ID (EPID) protocol, which not only validates the computation but is also designed to maintain the user’s privacy. In particular, EPID is designed to ensure that the attestation provider is unable to identify the host on which the computation executes. In this work we investigate the security of the Intel implementation of the EPID protocol. We identify an implementation weakness that leaks information via a cache side channel. We show that a malicious attestation provider can use the leaked information to break the unlinkability guarantees of EPID. We analyze the leaked information using a lattice-based approach for solving the hidden number problem, which we adapt to the zero-knowledge proof in the EPID scheme, extending prior attacks on signature schemes.

Download Full-text

Analysis and Comparison of Table-based Arithmetic to Boolean Masking

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2021.i3.275-297 ◽

2021 ◽

pp. 275-297

Author(s):

Michiel Van Beirendonck ◽

Jan-Pieter D’Anvers ◽

Ingrid Verbauwhede

Keyword(s):

Power Analysis ◽

Experimental Validation ◽

Side Channel ◽

Signature Schemes ◽

Intermediate Variable ◽

Conversion Algorithm ◽

Memory Footprint ◽

Protection Mechanisms ◽

The Cost ◽

Additional Memory

Masking is a popular technique to protect cryptographic implementations against side-channel attacks and comes in several variants including Boolean and arithmetic masking. Some masked implementations require conversion between these two variants, which is increasingly the case for masking of post-quantum encryption and signature schemes. One way to perform Arithmetic to Boolean (A2B) mask conversion is a table-based approach first introduced by Coron and Tchulkine, and later corrected and adapted by Debraize in CHES 2012. In this work, we show both analytically and experimentally that the table-based A2B conversion algorithm proposed by Debraize does not achieve the claimed resistance against differential power analysis due to a non-uniform masking of an intermediate variable. This non-uniformity is hard to find analytically but leads to clear leakage in experimental validation. To address the non-uniform masking issue, we propose two new A2B conversions: one that maintains efficiency at the cost of additional memory and one that trades efficiency for a reduced memory footprint. We give analytical and experimental evidence for their security, and will make their implementations, which are shown to be free from side-channel leakage in 100.000 power traces collected on the ARM Cortex-M4, available online. We conclude that when designing side-channel protection mechanisms, it is of paramount importance to perform both a theoretical analysis and an experimental validation of the method.

Download Full-text

Guessing Bits: Improved Lattice Attacks on (EC)DSA with Nonce Leakage

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2022.i1.391-413 ◽

2021 ◽

pp. 391-413

Author(s):

Chao Sun ◽

Thomas Espitau ◽

Mehdi Tibouchi ◽

Masayuki Abe

Keyword(s):

State Of The Art ◽

Lattice Reduction ◽

Side Channel ◽

Secret Key ◽

Signature Schemes ◽

The Core ◽

The Past ◽

Bounded Distance ◽

Parameter Ranges ◽

Lattice Construction

The lattice reduction attack on (EC)DSA (and other Schnorr-like signature schemes) with partially known nonces, originally due to Howgrave-Graham and Smart, has been at the core of many concrete cryptanalytic works, side-channel based or otherwise, in the past 20 years. The attack itself has seen limited development, however: improved analyses have been carried out, and the use of stronger lattice reduction algorithms has pushed the range of practically vulnerable parameters further, but the lattice construction based on the signatures and known nonce bits remain the same.In this paper, we propose a new idea to improve the attack based on the same data in exchange for additional computation: carry out an exhaustive search on some bits of the secret key. This turns the problem from a single bounded distance decoding (BDD) instance in a certain lattice to multiple BDD instances in a fixed lattice of larger volume but with the same bound (making the BDD problem substantially easier). Furthermore, the fact that the lattice is fixed lets us use batch/preprocessing variants of BDD solvers that are far more efficient than repeated lattice reductions on non-preprocessed lattices of the same size. As a result, our analysis suggests that our technique is competitive or outperforms the state of the art for parameter ranges corresponding to the limit of what is achievable using lattice attacks so far (around 2-bit leakage on 160-bit groups, or 3-bit leakage on 256-bit groups).We also show that variants of this idea can also be applied to bits of the nonces (leading to a similar improvement) or to filtering signature data (leading to a data-time trade-off for the lattice attack). Finally, we use our technique to obtain an improved exploitation of the TPM–FAIL dataset similar to what was achieved in the Minerva attack.

Download Full-text

Leakage-Resilient Outsourced Revocable Certificateless Signature with a Cloud Revocation Server

Information Technology And Control ◽

10.5755/j01.itc.49.4.25927 ◽

2020 ◽

Vol 49 (4) ◽

pp. 464-481

Author(s):

Yuh–Min Tseng ◽

Jui-Di Wu ◽

Sen-Shan Huang ◽

Tung-Tso Tsai

Keyword(s):

Public Key Cryptography ◽

Public Key ◽

Side Channel ◽

Key Generation ◽

Side Channel Attacks ◽

Signature Schemes ◽

Certificateless Cryptography ◽

Secret Keys ◽

Leakage Resilient ◽

Certificateless Signature

Certificateless public-key system (CL-PKS) is a significant public-key cryptography and it solves both the key escrow and certificate management problems. Outsourced revocable certificateless public-key system (ORCL-PKS) with a cloud revocation server (CRS) not only provides a revocation mechanism, but also further outsources the revocation functionality to the CRS to reduce the computational burden of the key generation center (KGC). Recently, side-channel attacks have threatened some existing conventional cryptography (including CL-PKS). Indeed, adversaries can apply side-channel attacks to derive fractional constituents of private (or secret) keys to damage the security of these cryptographic protocols (or schemes). To withstand such attacks, leakage-resilient cryptography is an attractive approach. However, little research concerns with leakage-resilient certificateless cryptography. In this paper, the first leakage-resilient outsourced revocable certificateless signature (LR-ORCLS) scheme is presented. The proposed scheme allows adversaries to continually derive fractional constituents of private (or secret) keys and possesses overall unbounded leakage property. In the generic bilinear group (GBG) model, our scheme is shown to be existential unforgeable against adversaries. Finally, the comparisons between the proposed scheme and the previous revocable certificateless signature schemes are provided to demonstrate the merits of the proposed scheme.

Download Full-text