Analyzing the Shuffling Side-Channel Countermeasure for Lattice-Based Signatures
Peter Pessl, IAIK, Graz University of Technology, Austria
Indocrypt 2016, December 12
www.iaik.tugraz.at
[Image: "Accurate depiction of quantum computing"; credit: The Binding of Isaac: Rebirth by Edmund McMillen]
Pessl, Indocrypt 2016, December 12
Introduction
- Lattice-based cryptography is a promising candidate for post-quantum cryptography: efficient schemes and efficient implementations exist
- Implementation security has been neglected so far; the very first attack on lattice-based signatures appeared at CHES 2016 [GBHLY16]
- Shuffling has been proposed as a possible countermeasure to protect the Gaussian samplers, but no analysis of it has been given
Our contribution
- In-depth analysis of shuffling in the context of lattice-based signatures
- Side-channel analysis of a Gaussian sampler implementation
- New attack on shuffling: unshuffling and key recovery, exploiting properties of the intermediates
- Shows that shuffling can be effective, but only if done right
BLISS - Bimodal Lattice Signature Scheme [DDLL13]
- Ducas, Durmus, Lepoint, Lyubashevsky (CRYPTO 2013)
- Works over the ring $R_q = \mathbb{Z}_q[x]/\langle x^n + 1 \rangle$ with $n = 512$
- For polynomials $a, b$ the product is $ab = a\mathbf{B}$, where $\mathbf{B}$ is the matrix of nega-cyclic rotations of $b$
- Discrete Gaussian distribution $D_\sigma(x)$
BLISS signing [DDLL13]
Input: message $\mu$, public key $A = (a_1, q - 2)$, private key $S = (s_1, s_2)$
Output: signature $(z_1, z_2^\dagger, c)$
1: $y_1 \leftarrow D_\sigma^n$, $y_2 \leftarrow D_\sigma^n$
2: $u = \zeta \cdot a_1 y_1 + y_2 \bmod 2q$
3: $c = H(\lfloor u \rceil_d \bmod p \,\|\, \mu)$
4: Sample a uniformly random bit $b$
5: $z_1 = y_1 + (-1)^b s_1 c$
6: $z_2 = y_2 + (-1)^b s_2 c$
7: Continue with some probability $f(Sc, z)$, restart otherwise
8: return $(z_1,\; z_2^\dagger = \lfloor u \rceil_d - \lfloor u - z_2 \rceil_d,\; c)$
Efficient Gaussian Sampling [PDG14]
- Gaussian convolution: sample twice from a smaller distribution
  (1) $\sigma' = \sigma / \sqrt{1 + k^2}$
  (2) $y', y'' \leftarrow D_{\sigma'}$
  (3) $y = k y' + y''$
- CDT sampling: precompute the cumulative table $T[y] = P(x < y \mid x \leftarrow D^+_\sigma)$
  (1) $r \leftarrow [0, 1)$
  (2) return the $y$ with $T[y] \le r < T[y+1]$ (found by binary search)
- Guide tables: speed up the binary search
  (1) sample the first byte of $r$
  (2) look up in a table the range of $y$ that this byte still allows, and binary-search only that range
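As an added example (not the paper's code and not the [PDG14] reference implementation), the following Python models the three ingredients on this slide: the cumulative table for $D^+_{\sigma'}$, a guide table indexed by the first byte of $r$, and the convolution $y = k y' + y''$. It also counts the binary-search comparisons each sample needs, which is the control-flow leakage the measurements on the following slides exploit. Assumptions not stated on the slide: $k = 11$ (the BLISS-I split), an 8-bit guide table, and a tail cut of $6\sigma'$ chosen so that the double-precision table stays strictly increasing; a real implementation uses wider fixed-point entries and a larger tail cut.

```python
import bisect
import math
import random

SIGMA = 215
K = 11                                   # assumed BLISS-I split parameter (not on the slide)
SIGMA_P = SIGMA / math.sqrt(1 + K * K)   # sigma' = sigma / sqrt(1 + k^2)
TAIL_CUT = 6                             # table covers 0 .. 6*sigma' (assumption, see lead-in)


def build_cdt(sigma, tail_cut=TAIL_CUT):
    """T[y] = P(x < y) for x ~ D+_sigma, y = 0..max_y+1, so T[0] = 0 and T[max_y+1] = 1.
    The weight of 0 is halved: a separate sign bit turns D+_sigma into D_sigma."""
    max_y = math.ceil(tail_cut * sigma)
    rho = [math.exp(-(y * y) / (2.0 * sigma * sigma)) for y in range(max_y + 1)]
    rho[0] /= 2.0
    norm = sum(rho)
    cdt, acc = [], 0.0
    for p in rho:
        cdt.append(acc / norm)
        acc += p
    cdt.append(1.0)
    return cdt


def build_guide(cdt, bits=8):
    """Guide table: for each value of the first `bits` bits of r, the index range
    [lo, hi) that the binary search still has to resolve."""
    guide = []
    for g in range(1 << bits):
        a, b = g / (1 << bits), (g + 1) / (1 << bits)
        lo = bisect.bisect_right(cdt, a) - 1    # largest y with T[y] <= a
        hi = bisect.bisect_left(cdt, b)         # smallest y with T[y] >= b
        guide.append((lo, hi))
    return guide


def cdt_sample_positive(cdt, guide, r):
    """Return (y, comparisons) with T[y] <= r < T[y+1]: guide-table lookup on the
    first byte of r, then binary search.  Every loop iteration is one data-dependent
    branch, which is what an SPA on the control flow observes."""
    lo, hi = guide[int(r * len(guide))]
    comparisons = 0
    while hi - lo > 1:                          # invariant: T[lo] <= r < T[hi]
        mid = (lo + hi) // 2
        comparisons += 1
        if cdt[mid] <= r:
            lo = mid
        else:
            hi = mid
    return lo, comparisons


def sample_dgauss(cdt, guide, rng):
    """D_sigma from D+_sigma plus a sign bit; (0, negative) is rejected because 0
    already carries only half its weight in the table."""
    while True:
        y, comps = cdt_sample_positive(cdt, guide, rng.random())
        neg = rng.getrandbits(1)
        if y == 0 and neg:
            continue
        return (-y if neg else y), comps


def sample_split(cdt, guide, rng, k=K):
    """y = k*y' + y'' with y', y'' ~ D_sigma' approximates D_sigma [PDG14].
    Returns (y, (comparisons for y', comparisons for y''))."""
    y1, c1 = sample_dgauss(cdt, guide, rng)
    y2, c2 = sample_dgauss(cdt, guide, rng)
    return k * y1 + y2, (c1, c2)


def sample_many(cdt, guide, trials, seed=0):
    """Convenience wrapper with its own seeded generator."""
    rng = random.Random(seed)
    return [sample_split(cdt, guide, rng) for _ in range(trials)]


def comparisons_by_value(cdt, guide):
    """Comparisons needed to reach table value y when r = T[y], for every y.
    Small values resolve from the guide table alone; tail values need several."""
    return [cdt_sample_positive(cdt, guide, cdt[y])[1] for y in range(len(cdt) - 1)]


def tail_mass(cdt, profile, min_comparisons):
    """Probability under D+_sigma of drawing a value whose search takes at least
    `min_comparisons` branches, i.e. the share a control-flow attacker can single out."""
    return sum(cdt[y + 1] - cdt[y] for y, n in enumerate(profile) if n >= min_comparisons)


if __name__ == "__main__":
    cdt = build_cdt(SIGMA_P)
    guide = build_guide(cdt)
    prof = comparisons_by_value(cdt, guide)
    print("first value needing >= 2 comparisons:", next(y for y, n in enumerate(prof) if n >= 2))
    print("mass needing >= 2 comparisons:", tail_mass(cdt, prof, 2))
    print("sample y = k*y' + y'':", sample_split(cdt, guide, random.Random(1)))
```

`comparisons_by_value` shows that values the guide table resolves on its own (no comparison) sit near zero, while values in the tail go through several data-dependent branches; `tail_mass` gives the fraction of the distribution that takes at least a given number of them, the quantity that decides what the adversaries A2 and A3 defined later can classify. The exact thresholds reported in the deck depend on the real implementation's table layout and multi-word comparisons, so this simplified model does not reproduce them.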
A Cache Attack on BLISS [GBHLY16]
- Partial recovery of the noise vector $y_1$
- Coefficient $i$ of signature $j$ satisfies $z_{ji} = y_{ji} + (-1)^{b_j} \langle s_1, c_{ji} \rangle$
- Filter the equations with $z_{ji} = y_{ji}$, which give $\langle s_1, c_{ji} \rangle = 0$
- Gather $n = 512$ such equations over multiple signatures into a matrix $L$
- Solve $s_1 L = 0$; error correction via lattice reduction
Shuffling as a Countermeasure
- Protecting samplers appears to be difficult: there are no inherently constant-runtime samplers, and they contain data-dependent branches
- Idea: sample $y$, then shuffle it; this breaks the connection between the sampling time (the position of the leak in the trace) and the index in $y$
- Simple implementation, low overhead
- Previously proposed [RRVV14, Saa16], but no security analysis so far
Shuffling Variants
- Single-stage shuffling: $y' \leftarrow D_\sigma^n$, $y = \mathrm{Shuffle}(y')$
- Two-stage shuffling [Saa16]: shuffle twice, combined with the convolution sampler of [PDG14]: $y', y'' \leftarrow D_{\sigma'}^n$, $y = k \cdot \mathrm{Shuffle}(y') + \mathrm{Shuffle}(y'')$
How much do Samplers leak?
- Split sampler [PDG14]: sampling from the small distribution $D_{\sigma'}$; two classified samples are needed to recover one $y$
- Target: ARM Cortex-M4F (TI MSP432); EM measurement on the core-voltage regulation
- SPA-like attack (single trace)
Recovering the Control Flow
- Recover the steps in the binary search
- Record a reference trace for all possible jumps; match using the mean squared error
- Perfect accuracy
[Figure: reference traces for the two branch outcomes $T_1[i] > r_1$ and $T_1[i] < r_1$; x-axis: clock cycle (350 to 500)]
Recover the Sampled Value
- Control flow alone is not sufficient: the guide table only gives the initial range for the binary search
- Use template attacks: templates for all values and all possible control flows
- Success depends strongly on the number of comparisons in the binary search
SCA Results
[Figure: histograms of the maximum classification probability (occurrence rate vs. probability from 0 to 1), left for samples with no comparison, right for samples with 1 comparison]
- Success rate for samples with more than 1 comparison: 99.9%
Modeled Adversaries
- A1, perfect adversary: knows all sampled values; used to evaluate the theoretical limits of shuffling
- A2, profiled SCA adversary: recovers all samples requiring 2 or more comparisons, i.e. $|\text{sample}| > 47$ (1.5% of all samples)
- A3, non-profiled SCA adversary: recovers only samples that are uniquely determined by the control flow, i.e. $|\text{sample}| > 54$ (0.5% of all samples)
An Attack on Shuffling
- Goal: re-assign the recovered samples to their index; assumption: the shuffling itself is leak-free
- Observation: in $z_1 = y_1 + (-1)^b s_1 c$ we have $y \leftarrow D_\sigma^n$ with $\sigma = 215$, while $s_1$ and $c$ are more or less sparse with small coefficients, so $s_1 c$ is small compared to $y_1$
Coefficient-wise Distributions
[Figure: left, distribution of a coefficient of $s_1 c$ (support roughly $-15$ to $15$); right, distribution of $y$, i.e. $D_\sigma$ (shown from $-1000$ to $1000$)]
An Attack on Shuffling
- $z_1 = y_1 + (-1)^b s_1 c \approx y_1$
- Given a recovered sample $y$, check its proximity to all $z_i \in z$
- If only one $z_i$ is close: $z_i - y = (-1)^b \langle s_1, c_i \rangle$
- Succeeds for large $|z_i|$, $|y|$ (the tail of $D_\sigma$), where few other coefficients are nearby
[Figure: distribution of $y$, $D_\sigma$ from $-1000$ to $1000$, with the tail region where matching works]
Key Recovery
- Keep only highly probable equations ($P > 0.99$)
- Key recovery similar to Groot Bruinderink et al. [GBHLY16]: gather equations $z_{ji} = y_{ji} + (-1)^{b_j} \langle s_1, c_{ji} \rangle$
- If $b$ is recoverable with SCA: $n = 512$ equations suffice
- If $b$ is not recoverable: filter for $z_{ji} = y_{ji}$ (costs a factor of 6.6 more signatures)
Results - Single-Stage Shuffling
- Number of required signatures increases only slightly
- A2, A3: the classifiable samples are in the tail of $D_\sigma$, which is exactly where the matching works

Required signatures (in parentheses: $b$ not recoverable):
              A1         A2               A3
no shuffling  1          4 400 (29 000)   36 000 (239 000)
single-stage  40 (264)   7 000 (46 000)   46 000 (301 000)
Adaptation to Two-Stage Shuffling
$y = k \cdot \mathrm{Shuffle}(y') + \mathrm{Shuffle}(y'')$
1. $z_1 = k y' + y'' + (-1)^b s_1 c \approx k y'$: match $z_1$ against $k y'$
2. $z_i - k y' = y'' + (-1)^b \langle s_1, c_i \rangle \approx y''$: match $z_i - k y'$ against $y''$
[Figure: distribution of $y''$, $D_{\sigma'}$ (shown from $-50$ to $50$), and of a coefficient of $s_1 c$ (from $-15$ to $15$)]
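As an added example (not the paper's code) covering both the single-stage matching of the previous slides and the two-stage adaptation above, the following Python simulates an A1 adversary: it knows every sampled value in sampling order but not its shuffled position. For each known sample it scores all $z_i$ by the distribution of $(-1)^b \langle s_1, c_i \rangle$ (single-stage) or of $y'' + (-1)^b \langle s_1, c_i \rangle$ (two-stage, step 1), keeps a match only when one position has posterior probability above 0.99, and checks the resulting equations against the truth. Assumptions beyond the deck: the BLISS-I values $k = 11$, $\delta_1 = 0.3$ (fraction of $\pm 1$ entries in $s_1$) and $\kappa = 23$ ones in $c$; $D_\sigma$ is modelled as a rounded continuous Gaussian; the rejection step of signing is omitted; the posterior is the approximation $P(i) \propto p(z_i - y)$.

```python
import math
import random

N, SIGMA, K = 512, 215, 11               # n, sigma from the slides; k = 11 assumed (BLISS-I)
SIGMA_P = SIGMA / math.sqrt(1 + K * K)   # sigma' of the split sampler [PDG14]
DELTA1, KAPPA = 0.3, 23                  # assumed BLISS-I: density of +-1 in s1, ones in c
P_KEEP = 0.99                            # keep only equations with P > 0.99


def sc_pmf():
    """Approximate pmf of one coefficient of s1*c: a sum of KAPPA terms that are
    0 with probability 1-DELTA1 and +-1 with probability DELTA1/2 each."""
    pmf, step = {0: 1.0}, {0: 1 - DELTA1, 1: DELTA1 / 2, -1: DELTA1 / 2}
    for _ in range(KAPPA):
        nxt = {}
        for v, p in pmf.items():
            for d, q in step.items():
                nxt[v + d] = nxt.get(v + d, 0.0) + p * q
        pmf = nxt
    return pmf


PMF_SC = sc_pmf()                        # the narrow distribution of s1*c


def gauss_plus_sc_pmf(sigma, window):
    """pmf of y'' + e with y'' ~ D_sigma (tail cut at `window`) and e ~ PMF_SC."""
    rho = {x: math.exp(-x * x / (2.0 * sigma * sigma)) for x in range(-window, window + 1)}
    norm = sum(rho.values())
    return {d: sum(p * rho.get(d - e, 0.0) for e, p in PMF_SC.items()) / norm
            for d in range(-window, window + 1)}


PMF_YPP_SC = gauss_plus_sc_pmf(SIGMA_P, int(8 * SIGMA_P))


def mul_negacyclic(a, b):
    """a*b in Z[x]/(x^N + 1); b is sparse, so iterate over its nonzero positions."""
    out = [0] * N
    for j, bj in enumerate(b):
        if bj:
            for i, ai in enumerate(a):
                if i + j < N:
                    out[i + j] += ai * bj
                else:
                    out[i + j - N] -= ai * bj   # x^N = -1
    return out


def match(value, candidates, pmf):
    """Posterior over candidate positions for one known sample, approximated as
    P(i) proportional to pmf[candidate_i - value].  Returns (best position, its probability)."""
    w = [pmf.get(cnd - value, 0.0) for cnd in candidates]
    tot = sum(w)
    if tot == 0.0:
        return None, 0.0
    best = max(range(len(w)), key=w.__getitem__)
    return best, w[best] / tot


def attack_single_stage(y_seen, z):
    """y_seen: samples in sampling order (before the shuffle); z = z1.
    Returns [(i, v)] meaning (-1)^b <s1, c_i> = v."""
    eqs = []
    for y in y_seen:
        i, p = match(y, z, PMF_SC)
        if i is not None and p > P_KEEP:
            eqs.append((i, z[i] - y))
    return eqs


def attack_two_stage(yp_seen, ypp_seen, z):
    """Match z_i ~ k*y' first, then z_i - k*y' ~ y''; both steps must be unambiguous."""
    eqs = []
    for yp in yp_seen:
        i, p = match(K * yp, z, PMF_YPP_SC)
        if i is None or p <= P_KEEP:
            continue
        rest = z[i] - K * yp                    # = y'' + (-1)^b <s1, c_i>
        j, q = match(rest, ypp_seen, PMF_SC)
        if j is not None and q > P_KEEP:
            eqs.append((i, rest - ypp_seen[j]))
    return eqs


def simulate(n_sigs, two_stage, seed=1):
    """Sign n_sigs random challenges (rejection step omitted, D_sigma modelled as a
    rounded continuous Gaussian) and attack them.  Returns (equations kept, correct ones)."""
    rng = random.Random(seed)
    dg = lambda s: int(round(rng.gauss(0, s)))
    s1 = [0] * N
    for i in rng.sample(range(N), math.ceil(DELTA1 * N)):
        s1[i] = rng.choice((-1, 1))
    kept = correct = 0
    for _ in range(n_sigs):
        c = [0] * N
        for i in rng.sample(range(N), KAPPA):
            c[i] = 1
        sc, sign = mul_negacyclic(s1, c), rng.choice((-1, 1))
        ypp = None
        if two_stage:
            yp, ypp = [dg(SIGMA_P) for _ in range(N)], [dg(SIGMA_P) for _ in range(N)]
            y = [K * a + b for a, b in zip(rng.sample(yp, N), rng.sample(ypp, N))]
        else:
            yp = [dg(SIGMA) for _ in range(N)]
            y = rng.sample(yp, N)                # the shuffle: a random permutation
        z = [yi + sign * si for yi, si in zip(y, sc)]
        eqs = attack_two_stage(yp, ypp, z) if two_stage else attack_single_stage(yp, z)
        kept += len(eqs)
        correct += sum(v == sign * sc[i] for i, v in eqs)
    return kept, correct
```

`simulate(5, two_stage=False)` typically yields on the order of a dozen usable equations per signature, consistent with the 40 signatures the single-stage table reports for A1, while `simulate(5, two_stage=True)` usually yields none, consistent with the jump to hundreds of thousands of signatures for two-stage shuffling. Only samples in the tail ever reach the 0.99 threshold, which is why the profiled adversaries A2 and A3, who can classify exactly those samples, lose little against A1.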
Results on Two-Stage Shuffling
- Number of required signatures increases drastically: matching has to succeed twice, and the distributions to be separated now have much closer standard deviations
- Small difference between A1 and A2: the "matchable" samples are in the tail, where A2 can detect them

Required signatures (in parentheses: $b$ not recoverable):
              A1                     A2                     A3
no shuffling  1                      4 400 (29 000)         36 000 (239 000)
single-stage  40 (264)               7 000 (46 000)         46 000 (301 000)
two-stage     260 000 (1 550 000)    285 000 (1 880 000)    575 000 (3 800 000)
Conclusion
- Shuffling once is pointless
- Shuffling twice increases the signature requirements drastically: an effective countermeasure, but still circumventable; different splittings and more stages might be more effective
- The analysis is generic and uses simplifications: no leakage is assumed from the shuffling itself, from the PRNG, from the additions etc.; any such leakage further reduces the signature count