Zero-Value Filtering for Accelerating Non-Profiled Side-Channel Attack on Incomplete NTT-Based Implementations of Lattice-Based Cryptography

• Published in: IEEE transactions on information forensics and security Vol. 19; pp. 3353 - 3365
• Main Authors: Tosun, Tolun, Savas, Erkay
• Format: Journal Article
• Language: English
• Published: New York IEEE 2024; The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
• Subjects: Algorithms; Coefficients; Correlation; correlation power analysis; Cryptography; Crystal lattices; crystals dilithium; crystals kyber; Digital signatures; Filtering; Filtration; Hypotheses; multivariate mutual information analysis; Polynomials; Post-quantum cryptography; Power demand; Quantum computing; Rings (mathematics); Run time (computers); side-channel attack; Side-channel attacks
• ISSN: 1556-6013; 1556-6021
• DOI: 10.1109/TIFS.2024.3359890

Lattice-based cryptographic schemes such as Crystals-Kyber and Dilithium are post-quantum algorithms selected to be standardized by NIST as they are considered to be secure against quantum computing attacks. The multiplication in polynomial rings is the most time-consuming operation in many lattice-based cryptographic schemes, which is also subject to side-channel attacks. While NTT-based polynomial multiplication is almost a norm in a wide range of implementations, a relatively new method, incomplete NTT is preferred to accelerate lattice-based cryptography, especially on some computing platforms that feature special instructions. In this paper, we present a novel, efficient and non-profiled power/EM side-channel attack targeting polynomial multiplication based on the incomplete NTT algorithm. We apply the attack on the Crystals-Dilithium signature algorithm and Crystals-Kyber KEM. We demonstrate that the method accelerates attack run-time when compared to the existing approaches. While a conventional non-profiled side-channel attack tests a much larger hypothesis set because it needs to predict two coefficients of secret polynomials together, we propose a much faster zero-value filtering attack (ZV-FA), which reduces the size of the hypothesis set by targeting the coefficients individually. We also propose an effective and efficient validation and correction technique employing the inverse NTT to estimate and modify the mispredicted coefficients. Our experimental results show that we can achieve a speed-up of <inline-formula> <tex-math notation="LaTeX">{1915}\times </tex-math></inline-formula>over brute-force.