Assessing the Feasibility of Single Trace Power Analysis of Frodo

Joppe W. Bos; Simon Friedberger; Marco Martinoli; Elisabeth Oswald; Martijn Stam

doi:10.1007/978-3-030-10970-7_10

Assessing the Feasibility of Single Trace Power Analysis of Frodo

Joppe W. Bos^*, Simon Friedberger, Marco Martinoli, Elisabeth Oswald, Martijn Stam

^*Corresponding author for this work

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Lattice-based schemes are among the most promising post-quantum schemes, yet the effect of both parameter and implementation choices on their side-channel resilience is still poorly understood. Aysu et al.Â (HOST’18) recently investigated single-trace attacks against the core lattice operation, namely multiplication between a public matrix and a “small” secret vector, in the context of a hardware implementation. We complement this work by considering single-trace attacks against software implementations of “ring-less” LWE-based constructions. Specifically, we target Frodo, one of the submissions to the standardisation process of NIST, when implemented on an (emulated) ARM Cortex M0 processor. We confirm Aysu et al.’s observation that a standard divide-and-conquer attack is insufficient and instead we resort to a sequential, extend-and-prune approach. In contrast to Aysu et al.Â we find that, in our setting where the power model is far from being as clear as theirs, both profiling and less aggressive pruning are needed to obtain reasonable key recovery rates for SNRs of practical relevance. Our work drives home the message that parameter selection for LWE schemes is a double-edged sword: the schemes that are deemed most secure against (black-box) lattice attacks can provide the least security when considering side-channels. Finally, we suggest some easy countermeasures that thwart standard extend-and-prune attacks.

Original language	English
Title of host publication	Selected Areas in Cryptography – SAC 2018 - 25th International Conference, Revised Selected Papers
Editors	Carlos Cid, Michael J. Jacobson
Publisher	Springer Verlag
Pages	216-234
Number of pages	19
ISBN (Print)	9783030109691
DOIs	https://doi.org/10.1007/978-3-030-10970-7_10
Publication status	Published - 2019
Event	25th International Conference on Selected Areas in Cryptography, SAC 2018 - Calgary, Canada Duration: 15 Aug 2018 → 17 Aug 2018

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	11349 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	25th International Conference on Selected Areas in Cryptography, SAC 2018
Country/Territory	Canada
City	Calgary
Period	15/08/18 → 17/08/18

Bibliographical note

Funding Information:
The research leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme Marie Sk lodowska-Curie ITN ECRYPT-NET (Project Reference 643161) and Horizon 2020 project PQCRYPTO (Project Reference 645622). Furthermore, Elisabeth Oswald was partially funded by H2020 grant SEAL (Project Reference 725042). We thank the authors of ELMO for their kind help, comments and feedback.

Publisher Copyright:
© 2019, Springer Nature Switzerland AG.

Keywords

Frodo
Lattices
LWE
Side-channel analysis
Template attacks

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-030-10970-7_10

Cite this

Bos, J. W., Friedberger, S., Martinoli, M., Oswald, E., & Stam, M. (2019). Assessing the Feasibility of Single Trace Power Analysis of Frodo. In C. Cid, & M. J. Jacobson (Eds.), Selected Areas in Cryptography – SAC 2018 - 25th International Conference, Revised Selected Papers (pp. 216-234). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11349 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-030-10970-7_10

Bos, Joppe W. ; Friedberger, Simon ; Martinoli, Marco et al. / Assessing the Feasibility of Single Trace Power Analysis of Frodo. Selected Areas in Cryptography – SAC 2018 - 25th International Conference, Revised Selected Papers. editor / Carlos Cid ; Michael J. Jacobson. Springer Verlag, 2019. pp. 216-234 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{6610f796b78b4777b1aadbc1a3811b0c,

title = "Assessing the Feasibility of Single Trace Power Analysis of Frodo",

abstract = "Lattice-based schemes are among the most promising post-quantum schemes, yet the effect of both parameter and implementation choices on their side-channel resilience is still poorly understood. Aysu et al.{\^A} (HOST{\textquoteright}18) recently investigated single-trace attacks against the core lattice operation, namely multiplication between a public matrix and a “small” secret vector, in the context of a hardware implementation. We complement this work by considering single-trace attacks against software implementations of “ring-less” LWE-based constructions. Specifically, we target Frodo, one of the submissions to the standardisation process of NIST, when implemented on an (emulated) ARM Cortex M0 processor. We confirm Aysu et al.{\textquoteright}s observation that a standard divide-and-conquer attack is insufficient and instead we resort to a sequential, extend-and-prune approach. In contrast to Aysu et al.{\^A} we find that, in our setting where the power model is far from being as clear as theirs, both profiling and less aggressive pruning are needed to obtain reasonable key recovery rates for SNRs of practical relevance. Our work drives home the message that parameter selection for LWE schemes is a double-edged sword: the schemes that are deemed most secure against (black-box) lattice attacks can provide the least security when considering side-channels. Finally, we suggest some easy countermeasures that thwart standard extend-and-prune attacks.",

keywords = "Frodo, Lattices, LWE, Side-channel analysis, Template attacks",

author = "Bos, {Joppe W.} and Simon Friedberger and Marco Martinoli and Elisabeth Oswald and Martijn Stam",

note = "Funding Information: The research leading to these results has received funding from the European Union{\textquoteright}s Horizon 2020 research and innovation programme Marie Sk lodowska-Curie ITN ECRYPT-NET (Project Reference 643161) and Horizon 2020 project PQCRYPTO (Project Reference 645622). Furthermore, Elisabeth Oswald was partially funded by H2020 grant SEAL (Project Reference 725042). We thank the authors of ELMO for their kind help, comments and feedback. Publisher Copyright: {\textcopyright} 2019, Springer Nature Switzerland AG.; 25th International Conference on Selected Areas in Cryptography, SAC 2018 ; Conference date: 15-08-2018 Through 17-08-2018",

year = "2019",

doi = "10.1007/978-3-030-10970-7_10",

language = "English",

isbn = "9783030109691",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "216--234",

editor = "Carlos Cid and Jacobson, {Michael J.}",

booktitle = "Selected Areas in Cryptography – SAC 2018 - 25th International Conference, Revised Selected Papers",

}

Bos, JW, Friedberger, S, Martinoli, M, Oswald, E & Stam, M 2019, Assessing the Feasibility of Single Trace Power Analysis of Frodo. in C Cid & MJ Jacobson (eds), Selected Areas in Cryptography – SAC 2018 - 25th International Conference, Revised Selected Papers. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 11349 LNCS, Springer Verlag, pp. 216-234, 25th International Conference on Selected Areas in Cryptography, SAC 2018, Calgary, Canada, 15/08/18. https://doi.org/10.1007/978-3-030-10970-7_10

Assessing the Feasibility of Single Trace Power Analysis of Frodo. / Bos, Joppe W.; Friedberger, Simon; Martinoli, Marco et al.
Selected Areas in Cryptography – SAC 2018 - 25th International Conference, Revised Selected Papers. ed. / Carlos Cid; Michael J. Jacobson. Springer Verlag, 2019. p. 216-234 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11349 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Assessing the Feasibility of Single Trace Power Analysis of Frodo

AU - Bos, Joppe W.

AU - Friedberger, Simon

AU - Martinoli, Marco

AU - Oswald, Elisabeth

AU - Stam, Martijn

N1 - Funding Information: The research leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme Marie Sk lodowska-Curie ITN ECRYPT-NET (Project Reference 643161) and Horizon 2020 project PQCRYPTO (Project Reference 645622). Furthermore, Elisabeth Oswald was partially funded by H2020 grant SEAL (Project Reference 725042). We thank the authors of ELMO for their kind help, comments and feedback. Publisher Copyright: © 2019, Springer Nature Switzerland AG.

PY - 2019

Y1 - 2019

N2 - Lattice-based schemes are among the most promising post-quantum schemes, yet the effect of both parameter and implementation choices on their side-channel resilience is still poorly understood. Aysu et al.Â (HOST’18) recently investigated single-trace attacks against the core lattice operation, namely multiplication between a public matrix and a “small” secret vector, in the context of a hardware implementation. We complement this work by considering single-trace attacks against software implementations of “ring-less” LWE-based constructions. Specifically, we target Frodo, one of the submissions to the standardisation process of NIST, when implemented on an (emulated) ARM Cortex M0 processor. We confirm Aysu et al.’s observation that a standard divide-and-conquer attack is insufficient and instead we resort to a sequential, extend-and-prune approach. In contrast to Aysu et al.Â we find that, in our setting where the power model is far from being as clear as theirs, both profiling and less aggressive pruning are needed to obtain reasonable key recovery rates for SNRs of practical relevance. Our work drives home the message that parameter selection for LWE schemes is a double-edged sword: the schemes that are deemed most secure against (black-box) lattice attacks can provide the least security when considering side-channels. Finally, we suggest some easy countermeasures that thwart standard extend-and-prune attacks.

AB - Lattice-based schemes are among the most promising post-quantum schemes, yet the effect of both parameter and implementation choices on their side-channel resilience is still poorly understood. Aysu et al.Â (HOST’18) recently investigated single-trace attacks against the core lattice operation, namely multiplication between a public matrix and a “small” secret vector, in the context of a hardware implementation. We complement this work by considering single-trace attacks against software implementations of “ring-less” LWE-based constructions. Specifically, we target Frodo, one of the submissions to the standardisation process of NIST, when implemented on an (emulated) ARM Cortex M0 processor. We confirm Aysu et al.’s observation that a standard divide-and-conquer attack is insufficient and instead we resort to a sequential, extend-and-prune approach. In contrast to Aysu et al.Â we find that, in our setting where the power model is far from being as clear as theirs, both profiling and less aggressive pruning are needed to obtain reasonable key recovery rates for SNRs of practical relevance. Our work drives home the message that parameter selection for LWE schemes is a double-edged sword: the schemes that are deemed most secure against (black-box) lattice attacks can provide the least security when considering side-channels. Finally, we suggest some easy countermeasures that thwart standard extend-and-prune attacks.

KW - Frodo

KW - Lattices

KW - LWE

KW - Side-channel analysis

KW - Template attacks

UR - http://www.scopus.com/inward/record.url?scp=85060739393&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-10970-7_10

DO - 10.1007/978-3-030-10970-7_10

M3 - Conference contribution

AN - SCOPUS:85060739393

SN - 9783030109691

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 216

EP - 234

BT - Selected Areas in Cryptography – SAC 2018 - 25th International Conference, Revised Selected Papers

A2 - Cid, Carlos

A2 - Jacobson, Michael J.

PB - Springer Verlag

T2 - 25th International Conference on Selected Areas in Cryptography, SAC 2018

Y2 - 15 August 2018 through 17 August 2018

ER -

Bos JW, Friedberger S, Martinoli M, Oswald E, Stam M. Assessing the Feasibility of Single Trace Power Analysis of Frodo. In Cid C, Jacobson MJ, editors, Selected Areas in Cryptography – SAC 2018 - 25th International Conference, Revised Selected Papers. Springer Verlag. 2019. p. 216-234. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-10970-7_10

Assessing the Feasibility of Single Trace Power Analysis of Frodo

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this