Single trace analysis on constant time CDT sampler and its countermeasure

Suhri Kim, Seokhie Hong

Research output: Contribution to journalArticle

4 Citations (Scopus)

Abstract

The Gaussian sampler is an integral part in lattice-based cryptography as it has a direct connection to security and efficiency. Although it is theoretically secure to use the Gaussian sampler, the security of its implementation is an open issue. Therefore, researchers have started to investigate the security of the Gaussian sampler against side-channel attacks. Since the performance of the Gaussian sampler directly affects the performance of the overall cryptosystem, countermeasures considering only timing attacks are applied in the literature. In this paper, we propose the first single trace power analysis attack on a constant-time cumulative distribution table (CDT) sampler used in lattice-based cryptosystems. From our analysis, we were able to recover every sampled value in the key generation stage, so that the secret key is recovered by the Gaussian elimination. By applying our attack to the candidates submitted to the National Institute of Standards and Technology (NIST), we were able to recover over 99% of the secret keys. Additionally, we propose a countermeasure based on a look-up table. To validate the efficiency of our countermeasure, we implemented it in Lizard and measure its performance. We demonstrated that the proposed countermeasure does not degrade the performance.

Original languageEnglish
Article number1809
JournalApplied Sciences (Switzerland)
Volume8
Issue number10
DOIs
Publication statusPublished - 2018 Oct 3

Keywords

  • CDT sampling
  • Gaussian sampling
  • Lattice-based cryptography
  • Post-quantum cryptography
  • Side-channel attack
  • Single trace analysis

ASJC Scopus subject areas

  • Materials Science(all)
  • Instrumentation
  • Engineering(all)
  • Process Chemistry and Technology
  • Computer Science Applications
  • Fluid Flow and Transfer Processes

Fingerprint Dive into the research topics of 'Single trace analysis on constant time CDT sampler and its countermeasure'. Together they form a unique fingerprint.

  • Cite this