Will You Cross the Threshold for Me?

Author(s):  
Prasanna Ravi ◽  
Martianus Frederic Ezerman ◽  
Shivam Bhasin ◽  
Anupam Chattopadhyay ◽  
Sujoy Sinha Roy

In this work, we propose generic and novel side-channel assisted chosen-ciphertext attacks on NTRU-based key encapsulation mechanisms (KEMs). These KEMs are IND-CCA secure, that is, they are secure in the chosen-ciphertext model. Our attacks involve the construction of malformed ciphertexts. When decapsulated by the target device, these ciphertexts ensure that a targeted intermediate variable becomes very closely related to the secret key. An attacker, who can obtain information about the secret-dependent variable through side-channels, can subsequently recover the full secret key. We propose several novel CCAs which can be carried through by using side-channel leakage from the decapsulation procedure. The attacks instantiate three different types of oracles, namely a plaintext-checking oracle, a decryption-failure oracle, and a full-decryption oracle, and are applicable to two NTRU-based schemes, which are NTRU and NTRU Prime. The two schemes are candidates in the ongoing NIST standardization process for post-quantum cryptography. We perform experimental validation of the attacks on optimized and unprotected implementations of NTRU-based schemes, taken from the open-source pqm4 library, using the EM-based side-channel on the 32-bit ARM Cortex-M4 microcontroller. All of our proposed attacks are capable of recovering the full secret key in only a few thousand chosen ciphertext queries on all parameter sets of NTRU and NTRU Prime. Our attacks, therefore, stress the need for concrete side-channel protection strategies for NTRU-based KEMs.

Author(s):  
Prasanna Ravi ◽  
Sujoy Sinha Roy ◽  
Anupam Chattopadhyay ◽  
Shivam Bhasin

In this work, we demonstrate generic and practical EM side-channel assisted chosen ciphertext attacks over multiple LWE/LWR-based Public Key Encryption (PKE) and Key Encapsulation Mechanisms (KEM) secure in the chosen ciphertext model (IND-CCA security). We show that the EM side-channel information can be efficiently utilized to instantiate a plaintext checking oracle, which provides binary information about the output of decryption, typically concealed within IND-CCA secure PKE/KEMs, thereby enabling our attacks. Firstly, we identified EM-based side-channel vulnerabilities in the error correcting codes (ECC) enabling us to distinguish based on the value/validity of decrypted codewords. We also identified similar vulnerabilities in the Fujisaki-Okamoto transform which leaks information about decrypted messages applicable to schemes that do not use ECC. We subsequently exploit these vulnerabilities to demonstrate practical attacks applicable to six CCA-secure lattice-based PKE/KEMs competing in the second round of the NIST standardization process. We perform experimental validation of our attacks on implementations taken from the open-source pqm4 library, running on the ARM Cortex-M4 microcontroller. Our attacks lead to complete key-recovery in a matter of minutes on all the targeted schemes, thus showing the effectiveness of our attack.


2021 ◽  
Vol 11 (20) ◽  
pp. 9560
Author(s):  
Yi-Fei Lu ◽  
Mu-Sheng Jiang ◽  
Yang Wang ◽  
Xiao-Xu Zhang ◽  
Fan Liu ◽  
...  

The twin-field quantum key distribution (TF-QKD) and its variants can overcome the fundamental rate-distance limit of QKD. However, their physical implementations with the side channels remain the subject of further research. We test the side channel of a type of external intensity modulation that applies a Mach–Zehnder-type electro-optical intensity modulator, which shows the distinguishability of the signal and decoy states in the frequency domain. Based on this security loophole, we propose a side-channel attack, named the passive frequency-shift attack, on the imperfect implementation of the sending or not-sending (SNS) TF-QKD protocol. We analyze the performance of the SNS protocol with the actively odd-parity pairing (AOPP) method under the side-channel attack by giving the formula of the upper bound of the real secret key rate and comparing it with the lower bound of the secret key rate under Alice and Bob’s estimation. The simulation results quantitatively show the effectiveness of the attack on the imperfect devices at a long distance. Our results emphasize the importance of practical security at the light source and might provide a valuable reference for device selection in the practical implementation of the SNS protocol.


Author(s):  
Michiel Van Beirendonck ◽  
Jan-Pieter D’Anvers ◽  
Ingrid Verbauwhede

Masking is a popular technique to protect cryptographic implementations against side-channel attacks and comes in several variants including Boolean and arithmetic masking. Some masked implementations require conversion between these two variants, which is increasingly the case for masking of post-quantum encryption and signature schemes. One way to perform Arithmetic to Boolean (A2B) mask conversion is a table-based approach first introduced by Coron and Tchulkine, and later corrected and adapted by Debraize in CHES 2012. In this work, we show both analytically and experimentally that the table-based A2B conversion algorithm proposed by Debraize does not achieve the claimed resistance against differential power analysis due to a non-uniform masking of an intermediate variable. This non-uniformity is hard to find analytically but leads to clear leakage in experimental validation. To address the non-uniform masking issue, we propose two new A2B conversions: one that maintains efficiency at the cost of additional memory and one that trades efficiency for a reduced memory footprint. We give analytical and experimental evidence for their security, and will make their implementations, which are shown to be free from side-channel leakage in 100.000 power traces collected on the ARM Cortex-M4, available online. We conclude that when designing side-channel protection mechanisms, it is of paramount importance to perform both a theoretical analysis and an experimental validation of the method.


2020 ◽  
Vol 11 (1) ◽  
pp. 193
Author(s):  
Ricardo Villanueva-Polanco ◽  
Eduardo Angulo-Madrid

This research paper evaluates the feasibility of cold boot attacks on the Supersingular Isogeny Key Encapsulation (SIKE) mechanism. This key encapsulation mechanism has been included in the list of alternate candidates of the third round of the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography Standardization Process. To the best of our knowledge, this is the first time this scheme is assessed in the cold boot attacks setting. In particular, our evaluation is focused on the reference implementation of this scheme. Furthermore, we present a dedicated key-recovery algorithm for SIKE in this setting and show that the key recovery algorithm works for all the parameter sets recommended for this scheme. Moreover, we compute the success rates of our key recovery algorithm through simulations and show the key recovery algorithm may reconstruct the SIKE secret key for any SIKE parameters for a fixed and small α=0.001 (the probability of a 0 to 1 bit-flipping) and varying values for β (the probability of a 1 to 0 bit-flipping) in the set {0.001,0.01,…,0.1}. Additionally, we show how to integrate a quantum key enumeration algorithm with our key-recovery algorithm to improve its overall performance.


2021 ◽  
Vol 13 (5) ◽  
pp. 956
Author(s):  
Florian Mouret ◽  
Mohanad Albughdadi ◽  
Sylvie Duthoit ◽  
Denis Kouamé ◽  
Guillaume Rieu ◽  
...  

This paper studies the detection of anomalous crop development at the parcel-level based on an unsupervised outlier detection technique. The experimental validation is conducted on rapeseed and wheat parcels located in Beauce (France). The proposed methodology consists of four sequential steps: (1) preprocessing of synthetic aperture radar (SAR) and multispectral images acquired using Sentinel-1 and Sentinel-2 satellites, (2) extraction of SAR and multispectral pixel-level features, (3) computation of parcel-level features using zonal statistics and (4) outlier detection. The different types of anomalies that can affect the studied crops are analyzed and described. The different factors that can influence the outlier detection results are investigated with a particular attention devoted to the synergy between Sentinel-1 and Sentinel-2 data. Overall, the best performance is obtained when using jointly a selection of Sentinel-1 and Sentinel-2 features with the isolation forest algorithm. The selected features are co-polarized (VV) and cross-polarized (VH) backscattering coefficients for Sentinel-1 and five Vegetation Indexes for Sentinel-2 (among us, the Normalized Difference Vegetation Index and two variants of the Normalized Difference Water). When using these features with an outlier ratio of 10%, the percentage of detected true positives (i.e., crop anomalies) is equal to 94.1% for rapeseed parcels and 95.5% for wheat parcels.


Author(s):  
Alejandro Cabrera Aldaya ◽  
Billy Bob Brumley

An online template attack (OTA) is a powerful technique previously used to attack elliptic curve scalar multiplication algorithms. This attack has only been analyzed in the realm of power consumption and EM side channels, where the signals leak related to the value being processed. However, microarchitecture signals have no such feature, invalidating some assumptions from previous OTA works. In this paper, we revisit previous OTA descriptions, proposing a generic framework and evaluation metrics for any side-channel signal. Our analysis reveals OTA features not previously considered, increasing its application scenarios and requiring a fresh countermeasure analysis to prevent it. In this regard, we demonstrate that OTAs can work in the backward direction, allowing to mount an augmented projective coordinates attack with respect to the proposal by Naccache, Smart and Stern (Eurocrypt 2004). This demonstrates that randomizing the initial targeted algorithm state does not prevent the attack as believed in previous works. We analyze three libraries libgcrypt, mbedTLS, and wolfSSL using two microarchitecture side channels. For the libgcrypt case, we target its EdDSA implementation using Curve25519 twist curve. We obtain similar results for mbedTLS and wolfSSL with curve secp256r1. For each library, we execute extensive attack instances that are able to recover the complete scalar in all cases using a single trace. This work demonstrates that microarchitecture online template attacks are also very powerful in this scenario, recovering secret information without knowing a leakage model. This highlights the importance of developing secure-by-default implementations, instead of fix-on-demand ones.


Radiotekhnika ◽  
2021 ◽  
pp. 85-93
Author(s):  
G.А. Maleeva

Multidimensional public key cryptography is a candidate for post-quantum cryptography, and it makes it possible to generate particularly short signatures and quick verification. The Rainbow signature scheme proposed by J. Dean and D. Schmidt is such a multidimensional cryptosystem and it is considered to be protected against all known attacks. The need for research on Rainbow ES is justified by the fact that there is a need to develop and adopt a post-quantum national securities standard, and that in the process of the US NIST competition on the mathematical basis of cryptographic transformation method Rainbow, promising results. Therefore, it is considered important to take them into account and use them in Ukraine. The Rainbow signature scheme can be implemented simply and efficiently using linear algebra methods over a small finite field and, in particular, creates shorter signatures than those used in RSA and other post-quantum signatures [1]. In the 2nd round of NIST PQC, protected sets of Rainbow parameters are offered and several attacks on them are analyzed [1]. When comparing ES, preference is given to ES algorithms that have been selected according to unconditional criteria, as well as those that have better indicators for integral conditional criteria, because such a technique is more rational. In particular, the Rainbow-Band-Separation (RBS) attack [2] is the best known Rainbow attack with a certain set of parameters and is important. The Rainbow-Band-Separation attack restores the Rainbow secret key by solving certain systems of quadratic equations, and its complexity is measured by a well-known measure called the degree of regularity. However, as a rule, the degree of regularity is greater than the degree of solution in experiments, and it is impossible to obtain an accurate estimate.
The paper proposes a new indicator of the complexity of the Rainbow-Band-Separation attack using F4 algorithm, which gives a more accurate estimate compared to the indicator that uses the degree of regularity. The aim of the work is a comparative analysis of ES based on MQ-transformations on the criterion of stability-complexity and an attempt to understand the security of Rainbow against RBS attack using F4.


2019 ◽  
Vol 61 (1) ◽  
pp. 15-28
Author(s):  
Florian Bache ◽  
Christina Plump ◽  
Jonas Wloka ◽  
Tim Güneysu ◽  
Rolf Drechsler

Side-channel attacks enable powerful adversarial strategies against cryptographic devices and encounter an ever-growing attack surface in today’s world of digitalization and the internet of things. While the employment of provably secure side-channel countermeasures like masking has become increasingly popular in recent years, great care must be taken when implementing these in actual devices. The reasons for this are two-fold: The models on which these countermeasures rely do not fully capture the physical reality and compliance with the requirements of the countermeasures is non-trivial in complex implementations. Therefore, it is imperative to validate the SCA-security of concrete instantiations of cryptographic devices using measurements on the actual device. In this article we propose a side-channel evaluation framework that combines an efficient data acquisition process with state-of-the-art confidence interval based leakage assessment. Our approach allows a sound assessment of the potential susceptibility of cryptographic implementations to side-channel attacks and is robust against noise in the evaluation system. We illustrate the steps in the evaluation process by applying them to a protected implementation of AES.


Entropy ◽  
2019 ◽  
Vol 21 (10) ◽  
pp. 972 ◽  
Author(s):  
Ricardo Villanueva-Polanco

In this paper, we will study the key enumeration problem, which is connected to the key recovery problem posed in the cold boot attack setting. In this setting, an attacker with physical access to a computer may obtain noisy data of a cryptographic secret key of a cryptographic scheme from main memory via this data remanence attack. Therefore, the attacker would need a key-recovery algorithm to reconstruct the secret key from its noisy version. We will first describe this attack setting and then pose the problem of key recovery in a general way and establish a connection between the key recovery problem and the key enumeration problem. The latter problem has already been studied in the side-channel attack literature, where, for example, the attacker might procure scoring information for each byte of an Advanced Encryption Standard (AES) key from a side-channel attack and then want to efficiently enumerate and test a large number of complete 16-byte candidates until the correct key is found. After establishing such a connection between the key recovery problem and the key enumeration problem, we will present a comprehensive review of the most outstanding key enumeration algorithms to tackle the latter problem, for example, an optimal key enumeration algorithm (OKEA) and several nonoptimal key enumeration algorithms. Also, we will propose variants to some of them and make a comparison of them, highlighting their strengths and weaknesses.

