[Resource Topic] 2023/1931: Single-Trace Side-Channel Attacks on CRYSTALS-Dilithium: Myth or Reality?

Welcome to the resource topic for 2023/1931

Single-Trace Side-Channel Attacks on CRYSTALS-Dilithium: Myth or Reality?

Authors: Ruize Wang, Kalle Ngo, Joel Gärtner, Elena Dubrova


We present a side-channel attack on CRYSTALS-Dilithium, a post-quantum secure digital signature scheme, with two variants of post-processing. The side-channel attack exploits information leakage in the secret key unpacking procedure of the signing algorithm to recover the coefficients of the polynomials in the secret key vectors ${\bf s}_1$ and ${\bf s}_2$ by profiled deep learning-assisted power analysis. In the first variant, one half of the coefficients of ${\bf s}_1$ and ${\bf s}_2$ is recovered by power analysis and the rest is derived by solving a system of linear equations based on ${\bf t} = {\bf A}{\bf s}_1 + {\bf s}_2$, where ${\bf A}$ and ${\bf t}$ are parts of the public key. This case assumes knowledge of the least significant bits of the vector ${\bf t}$, ${\bf t}_0$. The second variant waives this requirement. However, to succeed, it needs a larger portion of ${\bf s}_1$ to be recovered by power analysis. The remainder of ${\bf s}_1$ is obtained by lattice reduction. Once the full ${\bf s}_1$ is recovered, all the other information necessary for generating valid signatures can be trivially derived from the public key. We evaluate both variants on an ARM Cortex-M4 implementation of Dilithium-2. The profiling stage (trace capture and neural network training) takes less than 10 hours. In the attack assuming that ${\bf t}_0$ is known, the probability of successfully recovering the full vector ${\bf s}_1$ from a single trace captured from a device different from the profiling device is non-negligible (9%). The success rate approaches 100% if multiple traces are available for the attack. Our results demonstrate the necessity of protecting the secret key of CRYSTALS-Dilithium from single-trace attacks and call for a reassessment of the role of compression of the public key vector ${\bf t}$ in the security of CRYSTALS-Dilithium implementations.

ePrint: https://eprint.iacr.org/2023/1931

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.