
5.3 Template Attack on the Binomial Sampling Function

5.3.4 Mitigation

A parallel implementation of the Hamming weight function, computing four Hamming weights at once, not only speeds up the sampler but also increases the noise in the power leakage, which makes a single-trace attack more difficult. However, with a higher-resolution oscilloscope and a localized EM measurement, an attacker may still be able to identify the secrets and perform the attack. A masking countermeasure is proposed in [16]. However, if an attacker can identify the two shares with a single trace, the masking scheme may fail as a countermeasure. A better way is to apply the shuffling countermeasure by randomizing the sequence of the sampling operations. The shuffling countermeasure should be secure against the single-trace attack as long as the sequence is unknown to the attacker.
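The two mitigations discussed above, a four-at-a-time Hamming weight computation and a shuffled sampling order, as an added worked example in C. This is illustrative code written for this section, not the thesis's or the pqm4 project's implementation. It assumes a NewHope-style centred binomial sampler in which each coefficient is HW(a) - HW(b) for a pair of random bytes a and b, uses a small coefficient count N instead of NewHope's 1024, and replaces the device RNG with a labelled deterministic xorshift stand-in so that it runs offline. The shuffled sampler is checked against a sequential reference sampler, since a shuffling countermeasure must change only the execution order and never the output.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define N 16            /* coefficients; NewHope uses 1024, kept small here */
#define CHUNKS (N / 4)  /* four coefficients are sampled per parallel step */

/* Deterministic xorshift32 stand-in for the device RNG, so the example runs
   offline (assumption, not a real RNG). A deployed countermeasure must draw
   the permutation from a proper random source, or the order is predictable. */
static uint32_t rng_state = 0x12345678u;
static uint32_t rng_u32(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Bit-serial Hamming weight, used only as a reference oracle. */
static int hw_ref(uint8_t v) { int c = 0; for (; v; v >>= 1) c += v & 1; return c; }

/* SWAR population count of four bytes packed in one 32-bit word: byte i of
   the result holds HW(byte i of x). Branch-free, and it computes four
   Hamming weights per call, i.e. the parallel implementation the text describes. */
static uint32_t hw4(uint32_t x) {
    x = x - ((x >> 1) & 0x55555555u);
    x = (x & 0x33333333u) + ((x >> 2) & 0x33333333u);
    return (x + (x >> 4)) & 0x0F0F0F0Fu;
}

/* Gather p[0], p[stride], p[2*stride], p[3*stride] into one little-endian word. */
static uint32_t pack4(const uint8_t *p, size_t stride) {
    return (uint32_t)p[0] | ((uint32_t)p[stride] << 8) |
           ((uint32_t)p[2 * stride] << 16) | ((uint32_t)p[3 * stride] << 24);
}

/* Sequential reference sampler: coefficient i = HW(a_i) - HW(b_i) with
   a_i = buf[2i] and b_i = buf[2i+1], visited in index order. This is the
   unprotected pattern: one coefficient's Hamming weight per time slot. */
void cbd_sample_reference(int8_t out[N], const uint8_t buf[2 * N]) {
    for (size_t i = 0; i < N; i++)
        out[i] = (int8_t)(hw_ref(buf[2 * i]) - hw_ref(buf[2 * i + 1]));
}

/* Fisher-Yates shuffle of the chunk indices 0..CHUNKS-1. */
static void random_permutation(uint8_t perm[CHUNKS]) {
    for (size_t i = 0; i < CHUNKS; i++) perm[i] = (uint8_t)i;
    for (size_t i = CHUNKS - 1; i > 0; i--) {
        size_t j = rng_u32() % (i + 1);   /* modulo bias negligible for CHUNKS << 2^32 */
        uint8_t t = perm[i]; perm[i] = perm[j]; perm[j] = t;
    }
}

/* Shuffled, four-at-a-time sampler: chunks are processed in a fresh random
   order, so which coefficient's Hamming weight is being computed at a given
   point of the trace is unknown to an observer. Output is identical to
   cbd_sample_reference(); only the execution order changes. */
void cbd_sample_shuffled(int8_t out[N], const uint8_t buf[2 * N]) {
    uint8_t perm[CHUNKS];
    random_permutation(perm);
    for (size_t k = 0; k < CHUNKS; k++) {
        size_t c = perm[k];
        uint32_t hwa = hw4(pack4(buf + 8 * c, 2));       /* a-bytes of 4 coefficients */
        uint32_t hwb = hw4(pack4(buf + 8 * c + 1, 2));   /* the matching b-bytes */
        for (size_t j = 0; j < 4; j++)
            out[4 * c + j] = (int8_t)((int)((hwa >> (8 * j)) & 0xFFu) -
                                      (int)((hwb >> (8 * j)) & 0xFFu));
    }
}

/* Self-check on a constructed byte buffer: shuffled output equals the
   reference, every coefficient lies in [-8, 8], and the shuffle really is a
   permutation. Returns 1 on success, 0 on failure. */
int selftest(void) {
    uint8_t buf[2 * N];
    int8_t ref[N], shuf[N];
    for (size_t i = 0; i < 2 * N; i++) buf[i] = (uint8_t)(i * 37u + 11u);  /* constructed input */
    cbd_sample_reference(ref, buf);
    cbd_sample_shuffled(shuf, buf);
    if (memcmp(ref, shuf, N) != 0) return 0;
    for (size_t i = 0; i < N; i++) if (ref[i] < -8 || ref[i] > 8) return 0;
    uint8_t perm[CHUNKS]; uint32_t seen = 0;
    random_permutation(perm);
    for (size_t i = 0; i < CHUNKS; i++) seen |= 1u << perm[i];
    return seen == (1u << CHUNKS) - 1u;
}

int main(void) {
    printf("selftest: %s\n", selftest() ? "ok" : "FAILED");
    return 0;
}
```

Note that the shuffle only helps while the permutation stays secret: the permutation itself must come from a non-deterministic source and must not be handled in a way that leaks it, otherwise the trace can be realigned and the countermeasure adds nothing.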

Chapter 6 Conclusion

The side-channel characteristics of the NIST PQC candidates are becoming more and more important, since the report from NIST stated that performance will play more of a role in the later selection process. It is therefore important to investigate whether the implementations are secure against side-channel attacks.

In this work, we analyzed the design of the NewHope cryptosystem and identified the modules that may be the targets of side-channel analysis. We then showed that it is possible to extract the secret information generated by the Binomial Sampling Function. First, the NICV leakage assessment tool was used to confirm and identify leakages during the sampling operation. Then, we implemented different types of template attacks and achieved a single-trace attack on an ARM Cortex-M4 microprocessor with a 100% success rate.
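The NICV leakage assessment mentioned above, as an added example in C; this is illustrative code written for this section, not the thesis's measurement scripts. It implements the NICV metric as defined in [6], the variance of the class-conditional mean leakage divided by the total leakage variance, and runs it over a constructed trace set in which trace i corresponds to the byte value i, the class is the byte's Hamming weight, and exactly one sample point carries a Hamming-weight-dependent signal while all other points are pure (deterministic, labelled) noise. NICV near 1 at a point means the class explains almost all of the variance there; near 0 means no detectable first-order leakage.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NTRACES 256   /* one constructed trace per byte value 0..255 */
#define NPOINTS 8     /* sample points per trace */
#define NCLASSES 9    /* class = Hamming weight of the sampled byte: 0..8 */
#define LEAK_POINT 3  /* the constructed traces leak HW(value) only here */

/* xorshift32 used as a deterministic stand-in for measurement noise (assumption). */
static uint32_t noise_state = 0x9E3779B9u;
static double noise(void) {
    uint32_t x = noise_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    noise_state = x;
    return (double)(x >> 8) / 16777216.0 - 0.5;   /* uniform in [-0.5, 0.5) */
}

static int hamming_weight(uint8_t v) { int c = 0; for (; v; v >>= 1) c += v & 1; return c; }

static double traces[NTRACES][NPOINTS];
static uint8_t cls[NTRACES];
static int built = 0;

/* Build the constructed trace set: trace i corresponds to byte value i, its
   class is HW(i), and only LEAK_POINT carries a signal proportional to HW(i). */
void build_traces(void) {
    for (size_t i = 0; i < NTRACES; i++) {
        cls[i] = (uint8_t)hamming_weight((uint8_t)i);
        for (size_t t = 0; t < NPOINTS; t++)
            traces[i][t] = noise() + (t == LEAK_POINT ? (double)cls[i] : 0.0);
    }
    built = 1;
}

/* NICV at sample point t: Var_x(E[L | X = x]) / Var(L) over all traces. */
double nicv_at(size_t t) {
    if (!built) build_traces();
    double sum[NCLASSES] = {0}; size_t cnt[NCLASSES] = {0};
    double total = 0.0, total_sq = 0.0;
    for (size_t i = 0; i < NTRACES; i++) {
        double l = traces[i][t];
        sum[cls[i]] += l; cnt[cls[i]]++;
        total += l; total_sq += l * l;
    }
    double mean = total / NTRACES;
    double var = total_sq / NTRACES - mean * mean;   /* total leakage variance */
    if (var <= 0.0) return 0.0;
    double between = 0.0;                             /* variance of the class means */
    for (size_t c = 0; c < NCLASSES; c++) {
        if (cnt[c] == 0) continue;
        double m = sum[c] / (double)cnt[c];
        between += ((double)cnt[c] / NTRACES) * (m - mean) * (m - mean);
    }
    return between / var;
}

int main(void) {
    for (size_t t = 0; t < NPOINTS; t++)
        printf("point %zu: NICV = %.3f%s\n", t, nicv_at(t),
               t == LEAK_POINT ? "  <- Hamming-weight leakage" : "");
    return 0;
}
```

On real traces the same loop is run with the class taken from the known sampler input of each trace, and the points whose NICV stands out are the ones a template has to be built on; conversely, re-running it on the shuffled implementation and seeing the peak spread out and flatten is how a practitioner confirms that the countermeasure removed the alignment the attack needs.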

The result shows that the straightforward implementation of the NewHope cryptosystem is vulnerable to side-channel analysis. While this work focuses on the implementation of NewHope, some other Ring-LWE based encryption schemes also use the same method to sample from the binomial distribution. Therefore, the attack may also apply to other Ring-LWE based candidates with similar implementations.

References

[1] G. Alagic, G. Alagic, J. Alperin-Sheriff, D. Apon, D. Cooper, Q. Dang, Y.-K. Liu, C. Miller, D. Moody, R. Peralta, et al. Status Report on the First Round of the NIST Post-Quantum Cryptography Standardization Process. US Department of Commerce, National Institute of Standards and Technology, 2019.

[2] E. Alkim, L. Ducas, T. Pöppelmann, and P. Schwabe. NewHope without reconciliation. IACR Cryptology ePrint Archive, 2016:1157, 2016.

[3] E. Alkim, L. Ducas, T. Pöppelmann, and P. Schwabe. Post-quantum key exchange—a new hope. In 25th USENIX Security Symposium (USENIX Security 16), pages 327–343, 2016.

[4] C. Archambeau, E. Peeters, F.-X. Standaert, and J.-J. Quisquater. Template attacks in principal subspaces. In International Workshop on Cryptographic Hardware and Embedded Systems, pages 1–14. Springer, 2006.

[5] A. Bauer, H. Gilbert, G. Renault, and M. Rossi. Assessment of the key-reuse resilience of NewHope. In Cryptographers' Track at the RSA Conference, pages 272–292. Springer, 2019.

[6] S. Bhasin, J.-L. Danger, S. Guilley, and Z. Najm. NICV: Normalized inter-class variance for detection of side-channel leakage. In 2014 International Symposium on Electromagnetic Compatibility, Tokyo, pages 310–313. IEEE, 2014.

[7] S. Chari, J. R. Rao, and P. Rohatgi. Template attacks. In International Workshop on Cryptographic Hardware and Embedded Systems, pages 13–28. Springer, 2002.

[8] L. Chen, L. Chen, S. Jordan, Y.-K. Liu, D. Moody, R. Peralta, R. Perlner, and D. Smith-Tone. Report on post-quantum cryptography. US Department of Commerce, National Institute of Standards and Technology, 2016.

[9] O. Choudary and M. G. Kuhn. Efficient template attacks. In International Conference on Smart Card Research and Advanced Applications, pages 253–270. Springer, 2013.

[10] C. Clavier, D. Marion, and A. Wurcker. Simple power analysis on AES key expansion revisited. In International Workshop on Cryptographic Hardware and Embedded Systems, pages 279–297. Springer, 2014.

[11] B. J. Gilbert Goodwill, J. Jaffe, P. Rohatgi, et al. A testing methodology for side-channel resistance validation. In NIST Non-Invasive Attack Testing Workshop, volume 7, pages 115–136, 2011.

[12] M. J. Kannwischer, J. Rijneveld, P. Schwabe, and K. Stoffelen. PQM4: Post-quantum crypto library for the ARM Cortex-M4. https://github.com/mupq/pqm4.

[13] P. Kocher, J. Jaffe, and B. Jun. Differential power analysis. In Annual International Cryptology Conference, pages 388–397. Springer, 1999.

[14] V. Lyubashevsky, C. Peikert, and O. Regev. On ideal lattices and learning with errors over rings. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 1–23. Springer, 2010.

[15] S. Mangard, E. Oswald, and T. Popp. Power Analysis Attacks: Revealing the Secrets of Smart Cards, volume 31. Springer Science & Business Media, 2008.

[16] T. Oder, T. Schneider, T. Pöppelmann, and T. Güneysu. Practical CCA2-secure and masked Ring-LWE implementation. IACR Transactions on Cryptographic Hardware and Embedded Systems, pages 142–174, 2018.

[17] C. O'Flynn and Z. Chen. Synchronous sampling and clock recovery of internal oscillators for side channel analysis and fault injection. Journal of Cryptographic Engineering, 5(1):53–69, 2015.

[18] C. O'Flynn and Z. D. Chen. ChipWhisperer: An open-source platform for hardware embedded security research. In International Workshop on Constructive Side-Channel Analysis and Secure Design, pages 243–260. Springer, 2014.

[19] A. Park and D.-G. Han. Chosen ciphertext simple power analysis on software 8-bit implementation of Ring-LWE encryption. In 2016 IEEE Asian Hardware-Oriented Security and Trust (AsianHOST), pages 1–6. IEEE, 2016.

[20] T. Pöppelmann, E. Alkim, R. Avanzi, J. Bos, L. Ducas, A. de la Piedra, P. Schwabe, and D. Stebila. NewHope. NIST submissions, 2017.

[21] R. Primas, P. Pessl, and S. Mangard. Single-trace side-channel attacks on masked lattice-based encryption. In International Conference on Cryptographic Hardware and Embedded Systems, pages 513–533. Springer, 2017.

[22] O. Regev. On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM (JACM), 56(6):34, 2009.

[23] M.-J. O. Saarinen. Arithmetic coding and blinding countermeasures for Ring-LWE. IACR Cryptology ePrint Archive, 2016:276, 2016.
