5.3 Template Attack on the Binomial Sampling Function
5.3.4 Mitigation
A parallel implementation of the Hamming weight function, calculating four Hamming weights at once, can not only speed up the performance but also increase the noise in the power leakage, which makes the 'single trace' attack more difficult. However, with a higher-resolution oscilloscope and a localized EM measurement, an attacker may still be able to identify the secrets and perform the attack. A masking countermeasure is proposed in [16]. However, if an attacker can identify the two shares with a single trace, the masking scheme may fail as a countermeasure. A better way is to apply the shuffling countermeasure by randomizing the sequence of the sampling operation. The shuffling countermeasure should be secure against the single-trace attack as long as the sequence is unknown to the attacker.
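The following C sketch is an added example, not code from the thesis or from the NewHope or pqm4 implementations, that combines the two mitigations discussed above: a SWAR Hamming-weight routine that returns four byte weights from one 32-bit word, and a Fisher-Yates shuffle of the order in which coefficient pairs of a centered binomial sampler (k = 8) are processed. The modulus 12289 is NewHope's; the polynomial length, the xorshift PRNG standing in for a TRNG or DRBG, and all function names are assumptions for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NEWHOPE_Q 12289u   /* NewHope modulus q */
#define N_COEFFS 16        /* tiny polynomial for the demo; NewHope uses 512 or 1024 */
#define N_PAIRS (N_COEFFS / 2)

/* Four Hamming weights in one pass: each byte of the result holds the
 * popcount (0..8) of the corresponding input byte (SWAR popcount, no
 * per-byte loop and no data-dependent branch). */
static uint32_t hw4(uint32_t x)
{
    x = x - ((x >> 1) & 0x55555555u);
    x = (x & 0x33333333u) + ((x >> 2) & 0x33333333u);
    x = (x + (x >> 4)) & 0x0F0F0F0Fu;
    return x;
}

/* Two centered-binomial (k = 8) coefficients from four random bytes:
 * c0 = HW(r0) - HW(r1), c1 = HW(r2) - HW(r3), each reduced into [0, q).
 * Adding q before the reduction avoids a sign-dependent branch. */
static void cbd8_pair(const uint8_t r[4], uint16_t out[2])
{
    uint32_t w = hw4((uint32_t)r[0] | ((uint32_t)r[1] << 8) |
                     ((uint32_t)r[2] << 16) | ((uint32_t)r[3] << 24));
    uint32_t a0 = w & 0xFFu,         b0 = (w >> 8) & 0xFFu;
    uint32_t a1 = (w >> 16) & 0xFFu, b1 = (w >> 24) & 0xFFu;
    out[0] = (uint16_t)((a0 + NEWHOPE_Q - b0) % NEWHOPE_Q);
    out[1] = (uint16_t)((a1 + NEWHOPE_Q - b1) % NEWHOPE_Q);
}

/* Stand-in PRNG (xorshift64) for the shuffle order; an assumption for the
 * demo. A deployment would draw these values from the device TRNG/DRBG. */
typedef struct { uint64_t s; } prng_t;
static uint32_t prng_next(prng_t *p)
{
    uint64_t x = p->s;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    p->s = x;
    return (uint32_t)(x >> 32);
}

/* Fisher-Yates permutation of the pair indices 0..N_PAIRS-1. */
static void shuffle_order(uint8_t order[N_PAIRS], prng_t *rng)
{
    for (size_t i = 0; i < N_PAIRS; i++) order[i] = (uint8_t)i;
    for (size_t i = N_PAIRS - 1; i > 0; i--) {
        size_t j = prng_next(rng) % (i + 1);
        uint8_t t = order[i]; order[i] = order[j]; order[j] = t;
    }
}

/* Shuffled sampler. Pair k always consumes bytes 4k..4k+3 of rb, so the
 * output polynomial does not depend on the processing order; only the
 * sequence of operations visible in a trace changes from run to run. */
void cbd8_shuffled(uint16_t out[N_COEFFS], const uint8_t rb[2 * N_COEFFS],
                   prng_t *rng, uint8_t order_used[N_PAIRS])
{
    uint8_t order[N_PAIRS];
    shuffle_order(order, rng);
    for (size_t t = 0; t < N_PAIRS; t++) {
        cbd8_pair(&rb[4 * order[t]], &out[2 * order[t]]);
        if (order_used) order_used[t] = order[t];
    }
}

/* Reference in-order sampler, for comparison. */
void cbd8_plain(uint16_t out[N_COEFFS], const uint8_t rb[2 * N_COEFFS])
{
    for (size_t k = 0; k < N_PAIRS; k++) cbd8_pair(&rb[4 * k], &out[2 * k]);
}

/* Returns 1 if the shuffled and in-order samplers agree on a constructed
 * random-byte block and the recorded order is a permutation of 0..N_PAIRS-1. */
int shuffle_check(uint64_t seed)
{
    uint8_t rb[2 * N_COEFFS];
    uint16_t a[N_COEFFS], b[N_COEFFS];
    uint8_t order[N_PAIRS];
    prng_t rng = { seed };
    unsigned seen = 0;
    for (size_t i = 0; i < sizeof rb; i++) rb[i] = (uint8_t)(i * 37 + 11); /* constructed input */
    cbd8_plain(a, rb);
    cbd8_shuffled(b, rb, &rng, order);
    for (size_t i = 0; i < N_COEFFS; i++) if (a[i] != b[i]) return 0;
    for (size_t i = 0; i < N_PAIRS; i++) seen |= 1u << order[i];
    return seen == (1u << N_PAIRS) - 1u;
}

int main(void)
{
    printf("samplers agree and order is a permutation: %d\n",
           shuffle_check(0x9E3779B97F4A7C15ull));
    return 0;
}
```

The point of the check at the end is the property a defender relies on: because each coefficient pair is bound to a fixed slice of the sampler's random bytes, shuffling changes only the temporal order a template would have to align against, never the sampled polynomial. The shuffle's own randomness must come from a source the attacker cannot observe or predict; the xorshift generator here is only a deterministic placeholder so the example runs offline.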
Chapter 6 Conclusion
The side-channel characteristics of the NIST PQC candidates are becoming more and more important since the report from NIST stated that the performance will play more of a role in the later selection process. It is important to investigate whether the implementations are secure against side-channel attacks.
In this work, we analyzed the design of the NewHope cryptosystem, and identified the modules that may be the targets of side-channel analysis. We then showed that it is possible to extract the secret information generated by the Binomial Sampling Function. First, the NICV leakage assessment tool is used to confirm and identify leakages during the sampling operation. Then, we implemented different types of template attacks, and achieved a single-trace attack on an ARM Cortex-M4 microprocessor with a 100% success rate.
The result shows that the straightforward implementation of the NewHope cryptosystem is vulnerable to side-channel analysis. While this work focuses on the implementation of NewHope, some other Ring-LWE based encryption schemes also use the same method to sample from the binomial distribution. Therefore, the attack may also apply to other Ring-LWE based candidates with a similar implementation.
References
[1] G. Alagic, G. Alagic, J. Alperin-Sheriff, D. Apon, D. Cooper, Q. Dang, Y.-K. Liu, C. Miller, D. Moody, R. Peralta, et al. Status Report on the First Round of the NIST Post-Quantum Cryptography Standardization Process. US Department of Commerce, National Institute of Standards and Technology, 2019.
[2] E. Alkim, L. Ducas, T. Pöppelmann, and P. Schwabe. NewHope without reconciliation. IACR Cryptology ePrint Archive, 2016:1157, 2016.
[3] E. Alkim, L. Ducas, T. Pöppelmann, and P. Schwabe. Post-quantum key exchange—a new hope. In 25th USENIX Security Symposium (USENIX Security 16), pages 327–343, 2016.
[4] C. Archambeau, E. Peeters, F.-X. Standaert, and J.-J. Quisquater. Template attacks in principal subspaces. In International Workshop on Cryptographic Hardware and Embedded Systems, pages 1–14. Springer, 2006.
[5] A. Bauer, H. Gilbert, G. Renault, and M. Rossi. Assessment of the key-reuse resilience of NewHope. In Cryptographers' Track at the RSA Conference, pages 272–292. Springer, 2019.
[6] S. Bhasin, J.-L. Danger, S. Guilley, and Z. Najm. NICV: Normalized inter-class variance for detection of side-channel leakage. In 2014 International Symposium on Electromagnetic Compatibility, Tokyo, pages 310–313. IEEE, 2014.
[7] S. Chari, J. R. Rao, and P. Rohatgi. Template attacks. In International Workshop on Cryptographic Hardware and Embedded Systems, pages 13–28. Springer, 2002.
[8] L. Chen, L. Chen, S. Jordan, Y.-K. Liu, D. Moody, R. Peralta, R. Perlner, and D. Smith-Tone. Report on post-quantum cryptography. US Department of Commerce, National Institute of Standards and Technology, 2016.
[9] O. Choudary and M. G. Kuhn. Efficient template attacks. In International Conference on Smart Card Research and Advanced Applications, pages 253–270. Springer, 2013.
[10] C. Clavier, D. Marion, and A. Wurcker. Simple power analysis on AES key expansion revisited. In International Workshop on Cryptographic Hardware and Embedded Systems, pages 279–297. Springer, 2014.
[11] B. J. Gilbert Goodwill, J. Jaffe, P. Rohatgi, et al. A testing methodology for side-channel resistance validation. In NIST Non-Invasive Attack Testing Workshop, volume 7, pages 115–136, 2011.
[12] M. J. Kannwischer, J. Rijneveld, P. Schwabe, and K. Stoffelen. PQM4: Post-quantum crypto library for the ARM Cortex-M4. https://github.com/mupq/pqm4.
[13] P. Kocher, J. Jaffe, and B. Jun. Differential power analysis. In Annual International Cryptology Conference, pages 388–397. Springer, 1999.
[14] V. Lyubashevsky, C. Peikert, and O. Regev. On ideal lattices and learning with errors over rings. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 1–23. Springer, 2010.
[15] S. Mangard, E. Oswald, and T. Popp. Power Analysis Attacks: Revealing the Secrets of Smart Cards, volume 31. Springer Science & Business Media, 2008.
[16] T. Oder, T. Schneider, T. Pöppelmann, and T. Güneysu. Practical CCA2-secure and masked Ring-LWE implementation. IACR Transactions on Cryptographic Hardware and Embedded Systems, pages 142–174, 2018.
[17] C. O'Flynn and Z. Chen. Synchronous sampling and clock recovery of internal oscillators for side channel analysis and fault injection. Journal of Cryptographic Engineering, 5(1):53–69, 2015.
[18] C. O'Flynn and Z. D. Chen. ChipWhisperer: An open-source platform for hardware embedded security research. In International Workshop on Constructive Side-Channel Analysis and Secure Design, pages 243–260. Springer, 2014.
[19] A. Park and D.-G. Han. Chosen ciphertext simple power analysis on software 8-bit implementation of Ring-LWE encryption. In 2016 IEEE Asian Hardware-Oriented Security and Trust (AsianHOST), pages 1–6. IEEE, 2016.
[20] T. Pöppelmann, E. Alkim, R. Avanzi, J. Bos, L. Ducas, A. de la Piedra, P. Schwabe, and D. Stebila. NewHope. NIST submissions, 2017.
[21] R. Primas, P. Pessl, and S. Mangard. Single-trace side-channel attacks on masked lattice-based encryption. In International Conference on Cryptographic Hardware and Embedded Systems, pages 513–533. Springer, 2017.
[22] O. Regev. On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM (JACM), 56(6):34, 2009.
[23] M.-J. O. Saarinen. Arithmetic coding and blinding countermeasures for Ring-LWE. IACR Cryptology ePrint Archive, 2016:276, 2016.