More Practical Single-Trace Attacks on the Number Theoretic Transform

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Research › peer-review

Abstract

Single-trace side-channel attacks are a considerable threat to implementations of classic public-key schemes. For lattice-based cryptography, however, this class of attacks is much less understood, and only a small number of previous works show attacks. Primas et al., for instance, present a single-trace attack on the Number Theoretic Transform (NTT), which is at the heart of many efficient lattice-based schemes.
They, however, attack a variable-time implementation and also require a rather powerful side-channel adversary capable of creating close to a million multivariate templates. Thus, it was an open question if such an attack can be made practical while also targeting state-of-the-art constant-time implementations.
In this paper, we answer this question positively. First, we introduce several improvements to the usage of belief propagation, which underlies the attack. And second, we change the target to encryption instead of decryption; this limits attacks to the recovery of the transmitted symmetric key, but in turn, increases attack performance. All this then allows successful attacks even when switching to univariate Hamming-weight templates. We evaluate the performance and noise resistance of our attack using simulations, but also target a real device. Concretely, we successfully attack an assembly-optimized constant-time Kyber implementation running on an ARM Cortex M4 microcontroller while requiring the construction of only 213 templates.
Original language: English
Title of host publication: Progress in Cryptology – LATINCRYPT 2019
Subtitle of host publication: 6th International Conference on Cryptology and Information Security in Latin America, Santiago de Chile, Chile, October 2–4, 2019, Proceedings
Publisher: Springer
ISBN (Electronic): 1611-3349
ISBN (Print): 978-3-030-30529-1
Publication status: Published - 2019
Event: Latincrypt 2019 - Santiago de Chile, Chile
Duration: 2 Oct 2019 – 4 Oct 2019

Publication series

Name: Lecture Notes in Computer Science
Publisher: Springer
Volume: 11774
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: Latincrypt 2019
Country: Chile
City: Santiago de Chile
Period: 2/10/19 – 4/10/19

Fingerprint

Cryptography
Mathematical transformations
Microcontrollers
Recovery
Side channel attack

Cite this

Peßl, P., & Primas, R. (2019). More Practical Single-Trace Attacks on the Number Theoretic Transform. In Progress in Cryptology – LATINCRYPT 2019: 6th International Conference on Cryptology and Information Security in Latin America, Santiago de Chile, Chile, October 2–4, 2019, Proceedings (Lecture Notes in Computer Science; Vol. 11774). Springer.

@inproceedings{e7fb8170338b48f6b11082f672e0fcc8,
title = "More Practical Single-Trace Attacks on the Number Theoretic Transform",
abstract = "Single-trace side-channel attacks are a considerable threat to implementations of classic public-key schemes. For lattice-based cryptography, however, this class of attacks is much less understood, and only a small number of previous works show attacks. Primas et al., for instance, present a single-trace attack on the Number Theoretic Transform (NTT), which is at the heart of many efficient lattice-based schemes.They, however, attack a variable-time implementation and also require a rather powerful side-channel adversary capable of creating close to a million multivariate templates. Thus, it was an open question if such an attack can be made practical while also targeting state-of-the-art constant-time implementations.In this paper, we answer this question positively. First, we introduce several improvements to the usage of belief propagation, which underlies the attack. And second, we change the target to encryption instead of decryption; this limits attacks to the recovery of the transmitted symmetric key, but in turn, increases attack performance. All this then allows successful attacks even when switching to univariate Hamming-weight templates. We evaluate the performance and noise resistance of our attack using simulations, but also target a real device. Concretely, we successfully attack an assembly-optimized constant-time Kyber implementation running on an ARM Cortex M4 microcontroller while requiring the construction of only 213 templates.",
author = "Peter Pe{\ss}l and Robert Primas",
year = "2019",
language = "English",
isbn = "978-3-030-30529-1",
series = "Lecture Notes in Computer Science",
publisher = "Springer",
booktitle = "Progress in Cryptology – LATINCRYPT 2019",
}
