Novel Side-Channel Attacks on Quasi-Cyclic Code-Based Cryptography (PowerPoint presentation, 2019.08.28)


SLIDE 1
  • 2019. 08. 28 Novel Side-Channel Attacks on Quasi-Cyclic Code-Based Cryptography

Side Channel Analysis Design Academy 1

Novel Side-Channel Attacks on Quasi-Cyclic Code-Based Cryptography

2019.08.28

Bo-Yeon Sim 1,†, Jihoon Kwon 2, Kyu Young Choi 2, Jihoon Cho 2, Aesun Park 3,†, and Dong-Guk Han 1,3,†

1 Department of Mathematics, Kookmin University, Seoul, South Korea
2 Security Research Team, Samsung SDS, Inc., Seoul, South Korea
3 Department of Financial Information Security, Kookmin University, Seoul, South Korea
† SICADA (Side Channel Analysis Design Academy) Laboratory

SLIDES 2–4
  • 1. Related works

▣ PKC (Public Key Cryptosystem)

 RSA, ECC: security rests on factoring and discrete logarithms
 Quantum computer: Shor's algorithm (1994, for quantum computation) solves factoring and discrete logarithms [1]
 Post-Quantum Cryptography: code-based, lattice-based, hash-based, multivariate, isogeny, etc.

[1] Peter Williston Shor, "Algorithms for Quantum Computation: Discrete Logarithms and Factoring", SFCS 1994, pp. 124-134, 1994.

SLIDE 5
  • 1. Related works

▣ PKC (Public Key Cryptosystem): NIST PQC standardization timeline

 PQCrypto 2016: February 24-26, 2016
 Dec 20, 2016: Formal Call for Proposals
 NIST First PQC Standardization Conference: April 11-13, 2018, co-located with PQCrypto 2018
 January 30, 2019: Second Round Candidates announced (26 algorithms)
 NIST Second PQC Standardization Conference: August 22-24, 2019

SLIDE 6
  • 1. Related works

▣ PKC (Public Key Cryptosystem)

 Post-Quantum Cryptography (against the quantum computer): code-based, lattice-based, hash-based, multivariate, isogeny, etc.
 Code-based: Goppa code, Reed-Solomon codes, MDPC codes, LDPC codes, QC code, QC-LDPC code, QC-MDPC code, ⋯
  • Quasi-Cyclic code for saving memory (small key sizes)

SLIDE 7
  • 1. Related works

▣ QC (Quasi-Cyclic) Code

 Circulant matrix: each row is the row above rotated right by one position; the rows of the example are the generator, generator ⋙ 1, ⋙ 2, ⋙ 3, ⋙ 4
  • The top row (or the leftmost column) of a circulant matrix is the generator of the circulant matrix
 Quasi-Cyclic matrix: a row of circulant blocks, $H = [H_0 \mid H_1]$

SLIDE 8
  • 1. Related works

▣ QC (Quasi-Cyclic) Code

 Syndrome computation $H \cdot c^{T}$ splits into one product per circulant block:
$$H \cdot c^{T} = [H_0 \mid H_1] \cdot \begin{bmatrix} c_0^{T} \\ c_1^{T} \end{bmatrix} = H_0 \cdot c_0^{T} + H_1 \cdot c_1^{T}$$

SLIDES 9–10
  • 1. Related works

▣ QC (Quasi-Cyclic) Code / Constant-Time Multiplication for QC (Quasi-Cyclic) Code

 Syndrome computation $H \cdot c^{T}$, block $H_0 \times c_0$

[Figure: the generator row of $H_0$ (a run of ones, bit positions 1 2 3 4 marked) multiplied by $c_0$]

 2014: Timing Attack (Simple Power Analysis) on this multiplication
 2016: Constant-Time Implementation of the multiplication

SLIDES 11–13
  • 1. Related works

▣ Constant-Time Multiplication for QC (Quasi-Cyclic) Code

 Syndrome computation $H \cdot c^{T}$, calculated by constant-time multiplication: each rotation of $c_0$ is multiplied by a 1-bit selector instead of being added only when the generator has a one there
$$H_0 \cdot c_0^{T} = * \cdot (c_0 \lll 1)^{T} + * \cdot (c_0 \lll 4)^{T} + \cdots, \qquad * \in \{0, 1\} \ \text{(1-bit)}$$
 Word-wise version for an $s$-bit generator held in 8-bit words (positions $s-1, \ldots, 0$): the selector becomes an 8-bit word applied to the rotation by the secret index $d$
$$H_0 \cdot c_0^{T} = ** \cdot (c_0 \lll d)^{T} + \cdots, \qquad ** \in \{0, 1\}^{8} \ \text{(8-bit word)}$$

SLIDES 14–21
  • 1. Related works

▣ Constant-Time Multiplication for QC (Quasi-Cyclic) Code

 Syndrome computation $H \cdot c^{T}$, 8-bit word: computing $(c_0 \lll d)^{T}$ for the example index $d = (11101010)_2$
 Word unit rotation, one stage per bit $d_7, \ldots, d_3$: stage $j$ rotates $R$ by $2^{j}$ bits, a whole number of bytes, and then keeps either the unrotated or the rotated copy by masking with $\mathtt{0x00 \cdots 00}$ and $\mathtt{0xff \cdots ff}$ rather than by branching
  • $d_7 = 1$: $2^7 = 128$-bit = 16-byte rotate <<, the rotated value is kept
  • $d_6 = 1$: $2^6 = 64$-bit = 8-byte rotate <<, the rotated value is kept
  • $d_5 = 1$: $2^5 = 32$-bit = 4-byte rotate <<, the rotated value is kept
  • $d_4 = 0$: $2^4 = 16$-bit = 2-byte rotate <<, the unrotated value is kept
  • $d_3 = 1$: $2^3 = 8$-bit = 1-byte rotate <<, the rotated value is kept
 Bit rotation: the remaining 3 bits are $< 8$-bit, $(d_2 d_1 d_0)_2 = 0 \cdot 2^2 + 1 \cdot 2^1 + 0 \cdot 2^0 = 2$, so a 2-bit rotate << ("2-bit left shift | 6-bit right shift") finishes the rotation

[Figure: for each stage, $R$ → k-byte rotate << → $R$, with the unrotated and rotated copies and the masks $\&\ \mathtt{0x00 \cdots 00}$ / $\&\ \mathtt{0xff \cdots ff}$ applied to them]

SLIDES 22–24
  • 1. Related works

▣ Side-Channel Attacks on QC Code-Based Cryptography / Motivations and Contributions

 Syndrome computation $H \cdot c^{T}$: attack and countermeasure history
  • 2014: Timing Attack (Simple Power Analysis)
  • 2016: Constant-Time Implementation
  • 2017: Differential Power Analysis on Constant-Time Implementation
 Limitation of the 2017 attack: it could not completely recover accurate secret indices, and it required further solving linear equations to obtain the entire secret information
 Is there no method that allows recovery of accurate secret indices using only side-channel information?
 Contribution: Enhanced Multiple-Trace Attack, which can recover accurate secret indices using only side-channel information

SLIDES 25–27
  • 1. Related works

▣ Motivations and Contributions

 Syndrome computation $H \cdot c^{T}$
  • 2014: Timing Attack (Simple Power Analysis)
  • 2016: Constant-Time Implementation
  • 2017: Differential Power Analysis on Constant-Time Implementation
  • 2017: Codeword Randomization (Masking)
  • Systems use ephemeral key pairs
 Constraint: cannot use multiple traces
 Is it impossible to attack using only a single trace?
 Contribution: Novel Single-Trace Attack on QC Code-Based Cryptography Using Masked Constant-Time Multiplication

SLIDE 28
  • 1. Related works

▣ Contributions

 Enhanced Multiple-Trace Attack on QC Code-Based Cryptography Using Constant-Time Multiplication
 Novel Single-Trace Attack on QC Code-Based Cryptography Using Masked Constant-Time Multiplication
 BIKE and LEDAcrypt versus the three countermeasures:
  • Constant-Time Multiplication: insecure against our multiple-trace attack
  • Use of the ephemeral key pairs: insecure against our single-trace attack
  • Codeword Randomization (Masking): insecure against our single-trace attack

SLIDE 29
  • 2. Multiple-Trace Attack

▣ Constant-Time Multiplication for QC (Quasi-Cyclic) Code (recap)

 Syndrome computation $H \cdot c^{T}$, 8-bit word: $(c_0 \lll d)^{T}$ for $d = (d_7 d_6 d_5 d_4 d_3 d_2 d_1 d_0)_2$, $d_i \in \{0, 1\}$; example $d = (11101010)_2$
 Word unit rotation (multiples of 8 bits): 16-byte, 8-byte, 4-byte, 2-byte and 1-byte rotate << for $d_7 = 1$, $d_6 = 1$, $d_5 = 1$, $d_4 = 0$, $d_3 = 1$; each stage keeps the unrotated or the rotated value
 Bit rotation ($< 8$-bit): 2-bit rotate << ("2-bit left shift | 6-bit right shift") for $(d_2 d_1 d_0)_2 = 2$

SLIDE 30
  • 2. Multiple-Trace Attack

▣ Multiple-Trace Attack on Constant-Time Multiplication

 8-bit word, $d = (d_7 d_6 d_5 d_4 d_3 d_2 d_1 d_0)_2$
 Word unit rotation, attacked through the correlation occurring position:
$$\text{result} = \begin{cases} \text{unrotated}, & \text{if } d_i = 0 \\ \text{rotated}, & \text{if } d_i = 1 \end{cases}$$
implemented without a branch as
$$\text{result} = \begin{cases} (\text{rotated} \ \&\ \mathtt{0x00}) \oplus (\text{unrotated} \ \&\ \mathtt{0xff}) = \text{unrotated}, & \text{if } d_i = 0 \\ (\text{rotated} \ \&\ \mathtt{0xff}) \oplus (\text{unrotated} \ \&\ \mathtt{0x00}) = \text{rotated}, & \text{if } d_i = 1 \end{cases}$$
 Bit rotation, attacked through Correlation Power Analysis:
$$\text{result} = (\ll (8 - L)) \mid (\gg L), \qquad 0 \le L = (d_2 d_1 d_0)_2 < 8$$
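The staged rotation of slides 14–21 and the mask selection formula above, as an added example written for this page (it is not the paper's code nor the BIKE/LEDAcrypt implementation). It assumes a 256-bit vector $c_0$ stored as 32 bytes and an 8-bit secret index $d$, so that the five word-unit stages (16, 8, 4, 2, 1 bytes for $d_7 \ldots d_3$) and the final bit rotation by $L = (d_2 d_1 d_0)_2$ all occur; the function names (`ct_rotate_left`, `select_mask`, `ct_syndrome_part`, ...), the 32-byte length and the sample inputs are my own choices, and the syndrome part shows the slides' view of $H_0 \cdot c_0^{T}$ as the XOR of the rotations of $c_0$ by the secret indices.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed example, not the paper's or BIKE/LEDAcrypt's code: c0 is a 256-bit
 * vector stored as 32 bytes (byte 0 holds the leftmost bits), d an 8-bit secret
 * index, so (c0 <<< d) runs through the slides' five word-unit stages (16, 8, 4,
 * 2, 1 bytes for d7..d3), each picked with a 0x00/0xff mask, then a bit rotation
 * by L = (d2 d1 d0)_2. */
#define NBYTES 32
#define NBITS  (NBYTES * 8)

/* mask = 0x00 if bit k of d is 0, 0xff if it is 1 (the selection on slide 30). */
static uint8_t select_mask(uint8_t d, unsigned k) {
    return (uint8_t)(0u - ((d >> k) & 1u));
}

/* Word-unit rotation: the whole vector rotated left by `bytes` bytes. */
static void rotate_words_left(const uint8_t *in, uint8_t *out, unsigned bytes) {
    for (unsigned i = 0; i < NBYTES; i++) out[i] = in[(i + bytes) % NBYTES];
}

/* Branch-free selection: result = (rotated & mask) ^ (unrotated & ~mask). */
static void ct_select(uint8_t *result, const uint8_t *rotated, const uint8_t *unrotated, uint8_t mask) {
    for (unsigned i = 0; i < NBYTES; i++)
        result[i] = (uint8_t)((rotated[i] & mask) ^ (unrotated[i] & (uint8_t)~mask));
}

/* Bit rotation by L (0..7): every byte takes its low L bits from the top of the next
 * byte. Operands are promoted to int, so `next >> 8` is simply 0 when L is 0. */
static void rotate_bits_left(const uint8_t *in, uint8_t *out, unsigned L) {
    for (unsigned i = 0; i < NBYTES; i++) {
        unsigned next = in[(i + 1) % NBYTES];
        out[i] = (uint8_t)((in[i] << L) | (next >> (8 - L)));
    }
}

/* (c0 <<< d) built from the stages above; both candidates are always computed. */
static void ct_rotate_left(const uint8_t *c0, uint8_t *out, uint8_t d) {
    uint8_t cur[NBYTES], rot[NBYTES];
    memcpy(cur, c0, NBYTES);
    for (unsigned k = 7; k >= 3; k--) {                 /* 2^k bits = 16, 8, 4, 2, 1 bytes */
        rotate_words_left(cur, rot, 1u << (k - 3));
        ct_select(cur, rot, cur, select_mask(d, k));
    }
    rotate_bits_left(cur, out, d & 7u);
}

/* Plain reference: output bit i is input bit (i + d) mod 256 (bit 0 = MSB of byte 0). */
static void ref_rotate_left(const uint8_t *in, uint8_t *out, unsigned d) {
    memset(out, 0, NBYTES);
    for (unsigned i = 0; i < NBITS; i++) {
        unsigned s = (i + d) % NBITS;
        if ((in[s >> 3] >> (7 - (s & 7))) & 1) out[i >> 3] |= (uint8_t)(0x80u >> (i & 7));
    }
}

/* H0 * c0^T over GF(2) when the generator of H0 has its ones at the secret indices:
 * the XOR of the rotations of c0 by each index (slides 11-13, one 8-bit index each). */
static void ct_syndrome_part(const uint8_t *c0, const uint8_t *idx, unsigned n, uint8_t *out) {
    uint8_t rot[NBYTES];
    memset(out, 0, NBYTES);
    for (unsigned j = 0; j < n; j++) {
        ct_rotate_left(c0, rot, idx[j]);
        for (unsigned i = 0; i < NBYTES; i++) out[i] ^= rot[i];
    }
}

/* 1 if the staged rotation equals the reference for all 256 values of d. */
static int selftest(void) {
    uint8_t c0[NBYTES], a[NBYTES], b[NBYTES];
    for (unsigned i = 0; i < NBYTES; i++) c0[i] = (uint8_t)(i * 37 + 11);   /* constructed input */
    for (unsigned d = 0; d < 256; d++) {
        ct_rotate_left(c0, a, (uint8_t)d);
        ref_rotate_left(c0, b, d);
        if (memcmp(a, b, NBYTES) != 0) return 0;
    }
    return 1;
}

/* Probes on the vector {0x04, 0, ...} (only bit 5 set): byte i after rotating by d,
 * and byte i of the syndrome part for the constructed secret indices {5, 0xEA}. */
static unsigned rotated_byte(uint8_t d, unsigned i) {
    uint8_t c0[NBYTES] = {0x04}, out[NBYTES];
    ct_rotate_left(c0, out, d);
    return out[i];
}

static unsigned syndrome_byte(unsigned i) {
    static const uint8_t idx[2] = {5, 0xEA};
    uint8_t c0[NBYTES] = {0x04}, out[NBYTES];
    ct_syndrome_part(c0, idx, 2, out);
    return out[i];
}

int main(void) {
    /* d = 0xEA = (11101010)_2 is the slides' example index; bit 5 ends up in byte 3. */
    printf("selftest=%d byte3=0x%02x mask7=0x%02x mask4=0x%02x syndrome0=0x%02x\n", selftest(),
           rotated_byte(0xEA, 3), (unsigned)select_mask(0xEA, 7), (unsigned)select_mask(0xEA, 4), syndrome_byte(0));
    return 0;
}
```

Running `selftest()` checks every index against the plain bit-level rotation, which is the kind of functional check a reviewer of such code should add first. The security point of the deck is visible in `ct_select`: nothing branches on `d`, yet which of the two copies is stored (Properties 1 and 2) and the `0x00`/`0xff` mask operands themselves (Property 3) still depend on the key bit, so a constant-time structure like this is the starting point of a side-channel evaluation, not its conclusion.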

SLIDE 31
  • 2. Multiple-Trace Attack

▣ Experiment

 $d = (d_7 d_6 d_5 d_4 d_3 d_2 d_1 d_0)_2$, $d_i \in \{0, 1\}$, 8-bit word
 Word unit rotation: $\text{result} = \text{unrotated}$ if $d_i = 0$, $\text{rotated}$ if $d_i = 1$
 Bit rotation: $\text{result} = (\ll (8 - L)) \mid (\gg L)$

[Figure: one power trace of the multiplication, segmented into the $2^7$-bit rotate ($d_7$), $2^6$-bit rotate ($d_6$), $2^5$-bit rotate ($d_5$), $2^4$-bit rotate ($d_4$), $2^3$-bit rotate ($d_3$) and the last 3 bits ($d_2 d_1 d_0$)]

SLIDES 32–36
  • 2. Multiple-Trace Attack

▣ Multiple-Trace Attack on the Word Unit Rotation

 8-bit word, target $d = (d_7 d_6 d_5 d_4 d_3 d_2 d_1 d_0)_2$, $d_i \in \{0, 1\}$, input word $R \in \text{Random}(\{0, 1\}^{8})$
 $\text{result} = \text{unrotated}$ if $d_i = 0$, $\text{rotated}$ if $d_i = 1$
 Property 1 (first stage, 16-byte rotate <<):
  • $d = (01101010)_2$, $d_7 = 0$: the unrotated value is chosen, so $R$ is loaded and saved (pattern L S L)
  • $d = (11101010)_2$, $d_7 = 1$: the rotated value is chosen, so $R$ is only loaded (pattern L L S)

[Figure: absolute correlation coefficient between the traces and $R$ over time for both cases; the positions of the peaks differ]

SLIDES 37–40
  • 2. Multiple-Trace Attack

▣ Multiple-Trace Attack on the Word Unit Rotation

 Property 2 (consecutive bits $d_{i+1}$ and $d_i$), $d = (11101010)_2$, target $d_i \in \{0, 1\}$, $R \in \text{Random}(\{0, 1\}^{8})$
  • 16-byte rotate << ($d_7 = 1$) followed by 8-byte rotate << ($d_6 = 1$): the rotated value is chosen; the load/store patterns L L S and L S L are marked "different"
  • 4-byte rotate << ($d_5 = 1$) followed by 2-byte rotate << ($d_4 = 0$): the unrotated value is chosen in the 2-byte stage; the patterns L S L and L L S are marked "same"

[Figure: absolute correlation coefficient plots for $d_{i+1}$ and $d_i$ in both cases]

SLIDE 41
  • 2. Multiple-Trace Attack

▣ Multiple-Trace Attack on the Word Unit Rotation

 8-bit word, target $d = (d_7 d_6 d_5 d_4 d_3 d_2 d_1 d_0)_2$, $d_i \in \{0, 1\}$, $R \in \text{Random}(\{0, 1\}^{8})$
 Step 1. Find the most significant bit $d_7$ based on Property 1
  • $R$ is only loaded in the first operation: power consumption related to $R$ does not occur sequentially twice in the first operation part, hence $d_7 = 1$

SLIDE 42
  • 2. Multiple-Trace Attack

▣ Multiple-Trace Attack on the Word Unit Rotation

 8-bit word, target $d = (d_7 d_6 d_5 d_4 d_3 d_2 d_1 d_0)_2$, $d_i \in \{0, 1\}$, $R \in \text{Random}(\{0, 1\}^{8})$
 Step 2. Find $d_6$ to $d_3$ based on Property 2
  • For each iteration, check whether power consumption related to $R$ occurs sequentially twice in that iteration; the slide marks the iterations for $d_6, d_5, d_4, d_3$ as same, different, different, different
  • Recovered: $d_6 = 1$, $d_5 = 1$, $d_4 = 0$, $d_3 = 1$

SLIDES 43–44
  • 2. Multiple-Trace Attack

▣ Multiple-Trace Attack on the Bit Rotation

 8-bit word, target $d = (d_7 d_6 d_5 d_4 d_3 d_2 d_1 d_0)_2$, $d_i \in \{0, 1\}$
$$\text{result} = (\ll (8 - L)) \mid (\gg L), \qquad 0 \le L = (d_2 d_1 d_0)_2 < 8$$
  • Guess the $L$ value from 0 to 7 and calculate Pearson's correlation coefficient between the traces and the $\text{result}$ values
  • 50 traces are sufficient

SLIDE 45
  • 2. Multiple-Trace Attack

▣ Multiple-Trace Attack on Constant-Time Multiplication

 Correlation occurring position (word unit rotation) and Correlation Power Analysis (bit rotation) together recover $d = (d_7 d_6 d_5 d_4 d_3 d_2 d_1 d_0)_2$
 We can accurately recover all secret indices regardless of word size and security level
 (We describe the experiment results on a 32-bit processor in Appendix B)

SLIDE 46
  • 2. Multiple-Trace Attack

▣ Multiple-Trace Attack on Constant-Time Multiplication

 Syndrome computation $H \cdot c^{T}$
  • 2014: Timing Attack (Simple Power Analysis)
  • 2016: Constant-Time Implementation
  • 2017: Differential Power Analysis on Constant-Time Implementation. Limitation: it could not completely recover accurate secret indices, requiring further solving linear equations to obtain the entire secret information; it is not feasible on a 64-bit processor
  • This work: Enhanced Multiple-Trace Attack, which accurately recovers secret indices regardless of word size and security level

 Time by word size and security level (table on the slide):

    Security  | 8-bit       | 16-bit     | 32-bit   | 64-bit
    80-bit    | 0.4 seconds | 15 seconds | 16 hours | ≈ 530 years
    128-bit   | 2 seconds   | 4 minutes  | ≈ 7 days | ≈ 790,000 years

SLIDE 47
  • 3. Single-Trace Attack

▣ Single-Trace Attack on Constant-Time Multiplication

 8-bit word, $d = (d_7 d_6 d_5 d_4 d_3 d_2 d_1 d_0)_2$
 Word unit rotation, attacked with a key bit-dependent attack:
$$\text{result} = \begin{cases} (\text{rotated} \ \&\ \mathtt{0x00}) \oplus (\text{unrotated} \ \&\ \mathtt{0xff}) = \text{unrotated}, & \text{if } d_i = 0 \\ (\text{rotated} \ \&\ \mathtt{0xff}) \oplus (\text{unrotated} \ \&\ \mathtt{0x00}) = \text{rotated}, & \text{if } d_i = 1 \end{cases}$$
$$\text{mask} = \begin{cases} \mathtt{0x00}, & \text{if } d_i = 0 \\ \mathtt{0xff}, & \text{if } d_i = 1 \end{cases}$$
 Bit rotation, attacked with Simple Power Analysis:
$$\text{result} = (\ll (8 - L)) \mid (\gg L), \qquad 0 \le L = (d_2 d_1 d_0)_2 < 8$$

SLIDES 48–49
  • 3. Single-Trace Attack

▣ Single-Trace Attack on the Word Unit Rotation

 8-bit word, target $d = (d_7 d_6 d_5 d_4 d_3 d_2 d_1 d_0)_2$, $d_i \in \{0, 1\}$
 Property 3. The selection is written with the mask and its complement,
$$\text{result} = \begin{cases} (\text{rotated} \ \&\ \mathtt{0x00}) \oplus (\text{unrotated} \ \&\ \mathtt{0xff}) = \text{unrotated}, & \text{if } d_i = 0 \\ (\text{rotated} \ \&\ \mathtt{0xff}) \oplus (\text{unrotated} \ \&\ \mathtt{0x00}) = \text{rotated}, & \text{if } d_i = 1 \end{cases}$$
so the operands $\text{mask}$ and $\neg\text{mask}$ processed in each stage are $\mathtt{0x00}$ or $\mathtt{0xff}$ depending on $d_i$ (key bit-dependent property)
 PoIs (points of interest): 675 ~ 695 points of the trace

SLIDE 50
  • 3. Single-Trace Attack

▣ Single-Trace Attack on the Word Unit Rotation

 8-bit word, target $d = (d_7 d_6 d_5 d_4 d_3 d_2 d_1 d_0)_2$, $d_i \in \{0, 1\}$, word size $W = 8$, $\text{mask} = \mathtt{0x00}$ if $d_i = 0$, $\mathtt{0xff}$ if $d_i = 1$
 The PoIs of each stage are separated into the two mask classes by unsupervised clustering:
  • K-means clustering
  • Fuzzy k-means clustering
  • EM (Expectation-maximization)
 Example values on the slide: 233 = $(11101001)_2$, 169 = $(10101001)_2$, 201 = $(11001001)_2$

SLIDES 51–53
  • 3. Single-Trace Attack

▣ Single-Trace Attack on the Bit Rotation

 8-bit word, target $d = (d_7 d_6 d_5 d_4 d_3 d_2 d_1 d_0)_2$, $d_i \in \{0, 1\}$
$$\text{result} = (\ll (8 - L)) \mid (\gg L), \qquad 0 \le L = (d_2 d_1 d_0)_2 < 8$$
 How the bit rotate is executed, by word size:

    Word size | Bit rotate                                           | Left shift                           | Right shift              | SPA
    8-bit     | Single bit shift instructions                        | (8 − L) times ((8 − L) clock cycles) | L times (L clock cycles) | O
    16-bit    | Single bit shift instructions                        | (8 − L) times ((8 − L) clock cycles) | L times (L clock cycles) | O
    32-bit    | Multiple bit shift instructions (ex. barrel shifter) | One clock                            | One clock                | X
    64-bit    | Multiple bit shift instructions (ex. barrel shifter) | One clock                            | One clock                | X

 In the cases of 32-bit and 64-bit, we need to solve linear equations to find accurate indices

[Figure (slide 52): single traces for $d = (11101001)_2, (11101010)_2, \ldots, (11101111)_2, (11101000)_2$, i.e. $L = 1, \ldots, 7, 0$; the counted single-bit shift steps 7, 6, 5, 4, 3, 2, 1 for $L = 1, \ldots, 7$ are visible in the traces]
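The table's 8-bit row, as an added example written for this page (not the paper's code): the bit-rotation formula executed with single-bit shifts, recording the sequence of shift operations so the $L$-dependent pattern an SPA reads is explicit, next to a fixed-shape variant. The fixed-shape variant is my own assumption, not a countermeasure the slides propose: it rotates by the constant amounts 1, 2, 4 and selects each result with a `0x00`/`0xff` mask taken from the bits of $L$. All function names are mine.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed example, not the paper's code: the bit-rotation stage on a single
 * 8-bit word written two ways, each recording the sequence of shift operations
 * it executes ('L' = one single-bit left shift, 'R' = one single-bit right shift,
 * as on a processor without a barrel shifter), so the SPA-visible pattern from
 * the table above can be inspected. */

/* The slide formula result = (<< (8 - L)) | (>> L) with single-bit shifts:
 * (8 - L) left shifts then L right shifts, so where the trace switches from
 * 'L' to 'R' reveals L. Returns the rotated word; `trace` gets the sequence. */
static uint8_t rotate_singlebit(uint8_t x, unsigned L, char trace[9]) {
    unsigned left = x, right = x, n = 0;
    for (unsigned i = 0; i < 8 - L; i++) { left = (left << 1) & 0xffu; trace[n++] = 'L'; }
    for (unsigned i = 0; i < L; i++)     { right >>= 1;                trace[n++] = 'R'; }
    trace[n] = '\0';
    return (uint8_t)(left | right);
}

/* Fixed-shape alternative (my assumption, not a countermeasure from the slides):
 * rotate by the constant amounts 1, 2 and 4 and keep or drop each result with a
 * 0x00/0xff mask taken from the matching bit of L. The operation sequence does
 * not depend on L; the trace records the three constant rotation amounts. */
static uint8_t rotr_const(uint8_t x, unsigned s) {      /* s in {1, 2, 4} */
    return (uint8_t)((x >> s) | (x << (8 - s)));
}

static uint8_t rotate_fixed(uint8_t x, unsigned L, char trace[9]) {
    unsigned n = 0;
    for (unsigned j = 0; j < 3; j++) {
        unsigned s = 1u << j;
        uint8_t rotated = rotr_const(x, s);
        uint8_t mask = (uint8_t)(0u - ((L >> j) & 1u));   /* 0x00 or 0xff */
        x = (uint8_t)((rotated & mask) ^ (x & (uint8_t)~mask));
        trace[n++] = (char)('0' + s);
    }
    trace[n] = '\0';
    return x;
}

/* 1 if both versions agree on every word and every L in 0..7. */
static int selftest(void) {
    char t1[9], t2[9];
    for (unsigned x = 0; x < 256; x++)
        for (unsigned L = 0; L < 8; L++)
            if (rotate_singlebit((uint8_t)x, L, t1) != rotate_fixed((uint8_t)x, L, t2)) return 0;
    return 1;
}

/* Rotated value of x by L via the single-bit version (the data result, for checks). */
static unsigned rotated_value(unsigned x, unsigned L) {
    char t[9];
    return rotate_singlebit((uint8_t)x, L, t);
}

/* How many single-bit left shifts the first version executes for L: the (8 - L)
 * "times" column of the table, i.e. the quantity an SPA reads off the trace. */
static unsigned left_shift_count(unsigned L) {
    char t[9];
    unsigned n = 0;
    rotate_singlebit(0x00, L, t);
    for (const char *p = t; *p; p++) n += (*p == 'L');
    return n;
}

/* 1 if the fixed-shape version records the same operation sequence for every L. */
static int fixed_trace_independent_of_L(void) {
    char ref[9], t[9];
    rotate_fixed(0x5A, 0, ref);
    for (unsigned L = 1; L < 8; L++) {
        rotate_fixed(0x5A, L, t);
        if (strcmp(ref, t) != 0) return 0;
    }
    return 1;
}

int main(void) {
    char t[9];
    for (unsigned L = 0; L < 8; L++) {           /* L = 2 and L = 5 give "LLLLLLRR" and "LLLRRRRR" */
        rotate_singlebit(0xB4, L, t);
        printf("L=%u single-bit trace=%-8s", L, t);
        rotate_fixed(0xB4, L, t);
        printf("  fixed trace=%s  value=0x%02x\n", t, rotated_value(0xB4, L));
    }
    return 0;
}
```

The fixed-shape version only removes the operation-count dependence that the table's "O" rows describe; hardware with a barrel shifter (the 32-bit and 64-bit rows) already gives a constant count. Its `mask`/`~mask` operands are exactly the key-bit-dependent intermediate the deck's Property 3 targets on the word-unit stage, so a reviewer should treat it as closing one leak, not as making the stage leakage-free.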

SLIDE 54
  • 3. Single-Trace Attack

▣ Single-Trace Attack on Constant-Time Multiplication

 Key bit-dependent attack (word unit rotation) and Simple Power Analysis (bit rotation) together recover $d = (d_7 d_6 d_5 d_4 d_3 d_2 d_1 d_0)_2$ from one trace
 We can accurately recover all secret indices if the processor provides single bit shift instructions
 (We describe the experiment results on a 32-bit processor in Section 5 and Appendix B)
 Even if the processor does not provide single bit shift instructions, we can extract substantial parts of the secret indices

SLIDES 55–56
  • 4. Case Study: NIST PQC Standardization

▣ Case Study: NIST Round 2 Code-Based Cryptography

 Code-based Round 2 candidates: BIKE, LEDAcrypt, RQC, HQC, ROLLO, Classic McEliece
 BIKE
  • QC-MDPC
 LEDAcrypt
  • QC-LDPC (matrices $H$ and $HQ$)
 Countermeasures in BIKE / LEDAcrypt: Constant-Time Multiplication, use of the ephemeral key pairs, Codeword Randomization (Masking)

SLIDE 57

▣ Conclusion

 Enhanced Multiple-Trace Attack on QC Code-Based Cryptography Using Constant-Time Multiplication
 Novel Single-Trace Attack on QC Code-Based Cryptography Using Masked Constant-Time Multiplication
 BIKE and LEDAcrypt versus the three countermeasures:
  • Constant-Time Multiplication: insecure against our multiple-trace attack
  • Use of the ephemeral key pairs: insecure against our single-trace attack
  • Codeword Randomization (Masking): insecure against our single-trace attack
