Abstract
The Gaussian sampler is an integral part in lattice-based cryptography as it has a direct connection to security and efficiency. Although it is theoretically secure to use the Gaussian sampler, the security of its implementation is an open issue. Therefore, researchers have started to investigate the security of the Gaussian sampler against side-channel attacks. Since the performance of the Gaussian sampler directly affects the performance of the overall cryptosystem, countermeasures considering only timing attacks are applied in the literature. In this paper, we propose the first single trace power analysis attack on a constant-time cumulative distribution table (CDT) sampler used in lattice-based cryptosystems. From our analysis, we were able to recover every sampled value in the key generation stage, so that the secret key is recovered by the Gaussian elimination. By applying our attack to the candidates submitted to the National Institute of Standards and Technology (NIST), we were able to recover over 99% of the secret keys. Additionally, we propose a countermeasure based on a look-up table. To validate the efficiency of our countermeasure, we implemented it in Lizard and measure its performance. We demonstrated that the proposed countermeasure does not degrade the performance.
| Original language | English |
|---|---|
| Article number | 1809 |
| Journal | Applied Sciences (Switzerland) |
| Volume | 8 |
| Issue number | 10 |
| DOIs | |
| Publication status | Published - 2018 Oct 3 |
Keywords
- CDT sampling
- Gaussian sampling
- Lattice-based cryptography
- Post-quantum cryptography
- Side-channel attack
- Single trace analysis
ASJC Scopus subject areas
- Materials Science(all)
- Instrumentation
- Engineering(all)
- Process Chemistry and Technology
- Computer Science Applications
- Fluid Flow and Transfer Processes