International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Paper: Key Recovery from Gram--Schmidt Norm Leakage in Hash-and-Sign Signatures over NTRU Lattices

Authors:
Pierre-Alain Fouque , IRISA and Université Rennes 1
Paul Kirchner , IRISA and Université Rennes 1
Mehdi Tibouchi , NTT Corporation
Alexandre Wallet , NTT Corporation
Yang Yu , IRISA, Université Rennes 1, and CNRS
Download:
DOI: 10.1007/978-3-030-45727-3_2 (login may be required)
Search ePrint
Search Google
Conference: EUROCRYPT 2020
Abstract: In this paper, we initiate the study of side-channel leakage in hash-and-sign lattice-based signatures, with particular emphasis on the two efficient implementations of the original GPV lattice-trapdoor paradigm for signatures, namely NIST second-round candidate Falcon and its simpler predecessor DLP. Both of these schemes implement the GPV signature scheme over NTRU lattices, achieving great speed-ups over the general lattice case. Our results are mainly threefold. First, we identify a specific source of side-channel leakage in most implementations of those schemes, namely, the one-dimensional Gaussian sampling steps within lattice Gaussian sampling. It turns out that the implementations of these steps often leak the Gram--Schmidt norms of the secret lattice basis. Second, we elucidate the link between this leakage and the secret key, by showing that the entire secret key can be efficiently reconstructed solely from those Gram--Schmidt norms. The result makes heavy use of the algebraic structure of the corresponding schemes, which work over a power-of-two cyclotomic field. Third, we concretely demonstrate the side-channel attack against DLP (but not Falcon due to the different structures of the two schemes). The challenge is that timing information only provides an approximation of the Gram--Schmidt norms, so our algebraic recovery technique needs to be combined with pruned tree search in order to apply it to approximate values. Experimentally, we show that around $2^{35}$ DLP traces are enough to reconstruct the entire key with good probability.
Video from EUROCRYPT 2020
BibTeX
@inproceedings{eurocrypt-2020-30202,
  title={Key Recovery from Gram--Schmidt Norm Leakage in Hash-and-Sign Signatures over NTRU Lattices},
  booktitle={39th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Zagreb, Croatia, May 10–14, 2020, Proceedings},
  series={Lecture Notes in Computer Science},
  publisher={Springer},
  keywords={Cryptanalysis;Lattice-Based Cryptography;NTRU;Lattice Gaussian Sampling;Timing Attacks;Algebraic Number Theory},
  volume={12105},
  doi={10.1007/978-3-030-45727-3_2},
  author={Pierre-Alain Fouque and Paul Kirchner and Mehdi Tibouchi and Alexandre Wallet and Yang Yu},
  year=2020
}