1 Loop-Abort Faults on Lattice-Based Signature Schemes and Key Exchange Protocols
Thomas Espitau, Pierre-Alain Fouque, Benoˆıt Gerard,´ and Mehdi Tibouchi
!
Abstract—Although postquantum cryptography is of growing practical on improving the performance of lattice-based cryptogra- concern, not many works have been devoted to implementation security phy, and actual implementation results suggest that prop- issues related to postquantum schemes. erly optimized schemes may be competitive with, or even In this paper, we look in particular at fault attacks against imple- outperform, classical factoring and discrete logarithm-based mentations of lattice-based signatures and key exchange protocols. constructions1. For signature schemes, we are interested both in Fiat–Shamir type constructions (particularly BLISS, but also GLP, PASSSign, and Ring- The literature on the underlying number-theoretic prob- TESLA) and in hash-and-sign schemes (particularly the GPV-based lems of lattice-based cryptography is extensive (even scheme of Ducas–Prest–Lyubashevsky). For key exchange protocols, though concrete bit security is not nearly as well understood we study the implementations of NewHope, Frodo, and Kyber. These as for factoring and discrete logarithms). On the other hand, schemes form a representative sample of modern, practical lattice- there is currently a distinct lack of cryptanalytic results based signatures and key exchange protocols, and achieve a high level on the physical security of implementations of lattice-based of efficiency in both software and hardware. We present several fault schemes (or in fact, postquantum schemes in general! [66]). attacks against those schemes that recover the entire key recovery with It is well-known that physical attacks, particularly against only a few faulty executions (sometimes only one), show that those attacks can be mounted in practice based on concrete experiments in public-key schemes, are often simpler, easier to mount hardware, and discuss possible countermeasures against them. and more devastating than attacks targeting underlying hardness assumptions: it is often the case that a few bits Keywords: Fault Attacks, Digital Signatures, Postquantum Cryptogra- of leakage or a few fault injections can reveal an entire phy, Lattices. secret key (the well-known attacks from [7], [9] are typical examples). We therefore deem it important to investigate 1 INTRODUCTION how fault attacks may be leveraged to recover secret keys in the lattice-based setting, particularly against signature 1.1 Lattice-based cryptography schemes and key exchange protocols, as those primitives are Recent progress in quantum computation [17], the NSA probably the most likely to be deployed in a setting where advisory memorandum recommending the transition away fault attacks are relevant, and they have also received the from Suite B and to postquantum cryptography [51], as well most attention in terms of efficient implementations both in as the announcement of the NIST standardization process hardware and software. for postquantum cryptography [14] all suggest that research on postquantum schemes, which is already plentiful but 1.2 Implementations of lattice-based signatures mostly focused on theoretical constructions and asymptotic security, should increasingly take into account real-world Efficient signature schemes have been typically proved implementation issues. secure in the random oracle model, and can be roughly Among all flavors of postquantum cryptography, lattice- divided in two families: the hash-and-sign family (which based schemes occupy a position of particular interest, as includes schemes like FDH and PSS), as well as signa- they rely on well-studied problems and come with uniquely tures based on identification schemes, using the Fiat–Shamir strong security guarantees, such as worst-case to average- heuristic or a variant thereof. Efficient lattice-based signa- case reductions [58]. A number of works have also focused tures can also be divided along those lines, as observed for example in the survey of practical lattice-based digital • T. Espitau is a PhD student at Sorbonne Universit´es,UPMC, LIP6. signature schemes presented by O’Neill and Guneysu¨ at the E-mail: [email protected] NIST workshop on postquantum cryptography [40]. • P.-A. Fouque is a Full Professor at Univ Rennes and at Institut Universi- taire de France & IRISA. The Fiat–Shamir family is the most developed, with a E-mail: [email protected] number of schemes coming with concrete implementations • B. G´erardis with DGA.MI and is an Associate Researcher at IRISA. in software, and occasionally in hardware as well. Most E-mail: [email protected] • M. Tibouchi is a Distinguished Researcher at NTT Secure Platform 1. Usually, those efficient instantiations do not have parameters Laboratories. achieving high security under known reductions to worst-case prob- E-mail: [email protected] lems, but the existence of those reductions is usually seen as a good Manuscript received May 15, 2017. sign that the security assumptions themselves are sound. schemes in that family follow Lyubashevsky’s “Fiat–Shamir 1.4 Our contributions with aborts” paradigm [42], which uses rejection sam- In this paper, we initiate the study of fault attacks against pling to ensure that the underlying identification scheme lattice-based signatures and key exchange protocols, and achieves honest-verifier zero-knowledge. Among lattice- obtain attacks against all the practical schemes mentioned based schemes, the exemplar in that family is Lyuba- above. shevsky’s scheme from EUROCRYPT 2012 [43]. It is, how- ever, of limited efficiency, and had to be optimized to As noted previously, early lattice-based signature yield practical implementations. This was first carried out schemes with heuristic security have been broken using by Guneysu¨ et al., who described an optimized hardware standard attacks [32], [34], [52] but recent constructions implementation of it at CHES 2012 [37], and then to a larger including [20], [23], [33], [42], [43] are provably secure, extent by Ducas et al. in their scheme BLISS [20], which in- and cryptanalysis therefore requires a more powerful attack cludes a number of theoretical improvements and is the top- model. In this work we consider fault attacks. performing lattice-based signature. It was also implemented We present two attacks on signatures, both using a sim- in hardware by Poppelmann¨ et al. [62]. Other schemes in ilar type of faults which allows the attacker to cause a loop that family include Hoffstein et al.’s PASSSign [39], which inside the signature generation algorithm to abort early. Suc- incorporates ideas from NTRU, and Akleylek et al.’s Ring- cessful loop-abort faults have been described many times in TESLA [1], which boasts a tight security reduction. the literature, including against DSA [50] and pairing com- On the hash-and-sign side, there were a number of early putations [55], and in our attacks they can be used to recover proposals with heuristic security (and no actual security information about the private signing key. The underlying proofs), particularly GGH [35] and NTRUSign [38], but mathematical techniques used to actually recover the key, despite several attempts to patch them2 they turned out to however, are quite different in the two attacks. be insecure. A principled, provable approach to designing Our first attack applies to the schemes in the Fiat– lattice-based hash-and-sign signatures was first described Shamir family: we describe it against BLISS [20], [62], and by Gentry, Peikert, and Vaikuntanathan in [33], based on dis- show how it extends to GLP [37], PASSSign [39] and Ring- crete Gaussian sampling over lattices. The resulting scheme, TESLA [1]. In that attack, we inject a fault in the loop that GPV, is rather inefficient, even when using faster tech- generates the random “commitment value” y of the sigma niques for lattice Gaussian sampling [49]. However, Ducas, protocol associated with the Fiat–Shamir signature scheme. Lyubashevsky and Prest [23] later showed how it could be That commitment value is a random polynomial generated optimized and instantiated over NTRU lattices to achieve a coefficient by coefficient and an early loop abort causes it relatively efficient scheme with particularly short signature to have abnormally low degree, so that the protocol is no size. The DLP scheme is somewhat slower than BLISS in longer zero-knowledge. In fact, this will usually leak enough software, but still a good contender for practical lattice- information that a single faulty signature is enough to recover based signatures, and seemingly the only one in the hash- the entire signing key. More specifically, we show that the and-sign family. faulty signature can be used to construct a point that is very close to a vector in a suitable integer lattice of moderate dimension, and such that the difference is essentially (a 1.3 Implementations of lattice-based key exchange subset of) the signing key, which can thus be recovered In the last few years, very efficient lattice-based key ex- using lattice reduction. change protocols have been proposed at several security Our second attack targets the GPV-based hash-and-sign conferences [3], [10], [11], [57] and some of them have signature scheme of Ducas et al. [23]. In that case, we con- been field tested by Microsoft and Google as alternatives sider early loop abort faults against the discrete Gaussian to the prequantum key agreements in the TLS handshake sampling in the secret trapdoor lattice used in signature protocol. This has shown that lattice-based key exchange generation. The early loop abort causes the signature to be a protocols can be practical in many contexts and offer credi- linear combination of the last few rows of the secret lattice. ble alternatives to schemes like ECDH, incurring only a 50% A few faulty signatures can then be used to recover the span performance penalty or so compared to elliptic curves. of those rows and using the special structure of the lattice, The various lattice-based key exchange protocols have a we can then use lattice reduction to find one of the rows up similar structure, relying on Peikert’s reconciliation mech- to sign, which is enough to completely reconstruct the secret anism [57] that allows the two parties to recover the exact key. In practice, if we can cause loop aborts after up to m same secret even if they both have a noisy version of the iterations, we find that m + 2 faulty signatures are enough for common secret. They mostly differ on the underlying lattice full key recovery with high probability. assumptions they are based on. Similarly to the signature In addition, we also describe loop-abort fault attacks on setting, one can in particular distinguish between ring- three protocols that represent the state of the art for lattice- based constructions, like NewHope [3], and constructions based key exchange, namely NewHope [3], Frodo [10] and using standard lattices, like Frodo [10]. The recent scheme Kyber [12]. Although those schemes have a completely Kyber [12], relying on so-called module lattices, is in some different overall structure than the signature schemes men- sense a middle ground between those two approaches. tioned above, they also involve the sampling of random Gaussian secrets coefficient by coefficient during each ex- 2. There is a provably secure scheme due to Aguilar et al. [48] ecution of the protocol. Injecting a fault that causes this that claims to “seal the leak on NTRUSign”, but it actually turns the construction into a Fiat–Shamir type scheme, using rejection sampling random sampling loop to abort early causes abnormally a` la Lyubashevsky. “low-dimensional” secrets to be generated, and this yields
2 a key recovery attack very similar to the one we mount on exchange settings (against NewHope, Frodo and Kyber). BLISS and other Fiat–Shamir signatures. Our discussion of the practical implementations of the faults All of our attacks are supported by extensive mathe- we consider has also been revised and improved; in par- matical simulations in Sage [65]. We also take a close look ticular, the fault simulation on LEON3 compiled code is at the concrete software and hardware implementations of a novel contribution, as is the practical attack on the AVR the schemes above, and discuss the concrete feasibility of microcontroller. injecting the required loop-abort faults in practice. We find the attacks to be highly realistic. Moreover, we demonstrate 1.6 Applicability to NIST-submitted variants of the tar- the practicality of those attacks (taking NewHope as an get schemes example) in two ways against two types of platforms: Many of the schemes we consider in this paper have been • first, we successfully carry out a simulation of our submitted to the NIST postquantum standardization ef- fault attack against the emulated execution of ac- fort [14] in a slightly modified form. tual compiled code for the 32-bit SPARC processor In particular, the NIST-submitted versions of NewHope, LEON3, using a readily available fault simulation Frodo and Kyber are presented as key encapsulation mech- tool for that architecture; anisms (KEMs) instead of key-exchange protocols in the • second, we concretely carry out those faults with usual sense. Key exchange then corresponds to key genera- clock glitches against an 8-bit AVR XMEGA micro- tion for one party and key encapsulation for the other. That controller, using the power analysis and fault attack modification of the overall structure of the schemes does not testing board ChipWhisperer-Lite [53]. significantly affect the actual operations carried out as part Finally, we discuss several possible countermeasures to pro- of those schemes, and in particular our attacks apply to the tect against our attacks. KEM versions with essentially no change. Regarding signatures, none of the schemes discussed 1.5 Related work in this paper (BLISS, Lyubashevsky’s scheme, Ring-TESLA, To the best of our knowledge, the first previous work on PASSSign and the DLP scheme of Ducas, Lyubashevsky and fault attacks against lattice-based signatures, and in par- Prest) have been submitted to the NIST effort. However, ticular the only one mentioned in the survey of Taha and NIST candidate qTESLA [2] is a slight variant of Ring- Eisenbarth [66], is the fault analysis work of Kamal and TESLA, and our attack extends in a straightforward way. Youssef on NTRUSign [41]. It is, however, of limited interest One should simply pay attention to the fact that the random- y since NTRUSign is known to be broken [24], [52]; it also ness is generated as a deterministic function of the mes- suffers from a very low probability of success. sage; since that deterministic function involves sampling y In 2016, concurrently with our work, Bindel, Buchmann each coefficient of one by one, loop-abort faults apply and Kramer¨ [8] described various fault attacks against Fiat– similarly. On a related note, NIST candidate Dilithium [22] Shamir type signature schemes. Most of the attacks, how- can be seen as a modified version of BLISS, using module ever, are either in a relatively contrived model (targeting key lattices instead of ideal lattices (and, again, a deterministic y generation), or require unrealistically many faults and are generation for ). As a result, just as what happens for Frodo arguably straightforward (bypassing rejection sampling in and Kyber, our attack may extend or not depending on the signature generation or size/correctness checks in signature direction in which the matrix of coefficients is filled as part y verification). One attack described in the paper can be seen of the generation of . as posing a serious threat, namely the one in [8, §IV-B], but PASSSign does not appear to have a counterpart sub- it amounts to a weaker variant of our Fiat–Shamir attack, mitted to NIST, and Lyubashevsky’s scheme is conceptually using simple linear algebra rather than lattice reduction. related to most submissions, but the low-level behavior is As a result, it requires several hundred faulty signatures, usual different. On the hash-and-sign side, the closest NIST whereas our attack needs only one. candidate to DLP is Falcon [30]. However, although the Another interesting concurrent work is the recent cache main idea of constructing a hash-and-sign signature using attack against BLISS of Groot Bruinderink et al. [36]. It uses Gaussian sampling on an NTRU lattice is the same, Falcon cache side-channels to extract information about the coef- uses a tree-shaped recursive algorithm for lattice sampling ficients of the commitment polynomial y, and then lattice instead of a linear loop. Due to this modified structure, our reduction to recover the signing key based on that side- attack does not apply directly to that scheme. channel information. In that sense, it is similar to our Fiat– Shamir attack. However, since the nature of the information 2 DESCRIPTIONOFTHELATTICE-BASEDSIGNA- is quite different than in our setting, the mathematical TUREANDKEYEXCHANGESCHEMES techniques are also quite different. In particular, again, in contrast with our fault attack, that cache attack requires 2.1 Notation many signatures for a successful key recovery. Further side- For any integer q, we identify the elements of the ring Zq channel attacks on BLISS, including the works of Pessl et with the integers in [−q/2, q/2). Vectors are considered as al. [60] and Espitau et al. [26], have similar limitations. column vectors and are written in bold lower case letters; A preliminary version of this paper has been published matrices are denoted by upper case letters. We use both the P 2 1/2 at SAC 2016 in [25]. We extend this version by attacking a `2 Euclidean norm of vectors, kvk2 = ( i vi ) , and their larger number of signature schemes (GLP, PASSSign, Ring- `∞-norm, kvk∞ = maxi |vi|. In ring-based schemes, ring TESLA), and generalizing our original attacks to the key elements (which can be seen as polynomials) are identified
3 with their vectors of coefficients, and hence also denoted by leaks no information about the secret basis is what makes bold lower case letters. it possible to prove security). The actual scheme of Ducas– The Gaussian distribution with standard deviation σ ∈ Lyubashevsky–Prest, described in Figure2, uses a lattice of 2 R and center c ∈ R at x ∈ R, is defined by ρc,σ(x) = the same form as NTRU: L = {(y, z) ∈ R | y + z · h = 0}, −(x−c)2 h g/f mod q exp 2 and more generally in higher dimension by where the public key is again a ratio of small, 2σ n −(x−c)2 sparse polynomials in R = Z[x]/(x + 1). The use of such ρ (x) = exp 2 and when c = 0, by ρ (x). c,σ 2σ σ a lattice yields a very compact representation of the keys The discrete Gaussian distribution over Z centered at 0 and makes it possible to compress the signature as well is defined by Dσ(x) = ρσ(x)/ρσ(Z) (or DZ,σ) and more m m m by publishing only the second component of the sampled generally over Z by Dσ (x) = ρσ(x)/ρσ(Z ), where m P vector v. As a result, this hash-and-sign scheme is very ρσ(Z ) = m ρσ(x). x∈Z space efficient (even more than BLISS). However, the use of lattice Gaussian sampling makes signature generation 2.2 Description of BLISS significantly slower than BLISS at similar security levels. The BLISS signature scheme [20] is possibly the most ef- ficient lattice-based signature scheme so far. It has been 2.4 Description of NewHope implemented in both software [21] and hardware [62], and The NewHope [3] key exchange protocol is one of the boasts performance numbers comparable to classical fac- highest-profile key exchange protocols from lattices, and toring and discrete-logarithm based schemes. BLISS can has been awarded the 2016 Internet Defense Prize at the be seen as a ring-based optimization of the earlier lattice- USENIX Security conference. It is based on the so-called based scheme of Lyubashevsky [43], sharing the same “Fiat– Peikert tweak and can be seen as a variant of the scheme of Shamir with aborts” structure [42]. One can give a simplified Ding et al. [18]. NewHope improves upon earlier schemes description of the scheme as follows: the public key is an in various ways. On the one hand the authors proposed a = s /s mod q NTRU-like ratio of the form q 2 1 , where the a refined analysis of the failure probability of the key s , s ∈ R = [x]/(xn + 1) signing key polynomials 1 2 Z are exchange and its resistance towards quantum adversaries. µ small and sparse. To sign a message , one first generates On the other hand, various tweaks were introduced in the y , y ∈ R commitment values 1 2 with normally distributed design of the scheme: like Peikert, the authors use the KEM c coefficients, and then computes a hash of the message framework, defined by the algorithms (Setup, Gen, Encaps, µ u = −a y + y mod q together with q 1 2 . The signature is Decaps); after a successful protocol run both parties share (c, z , z ) z = y + s c then the triple 1 2 , with i i i , and there an ephemeral secret key that can be used to protect further z is rejection sampling to ensure that the distribution of i communication: the reconciliation allows both parties to is independent of the secret key. Verification is possible derive the session key from an approximately matching u = −a z + z mod q because q 1 2 . The real BLISS scheme, pseudorandom ring element. On Alice’s side, this element described in full in Figure1, includes several optimizations can be written as u · s = a · s0 · s + e0 · s and on Bob’s side: on top of the above description. In particular, to improve the v = b · s0 + e00 = a · s · s0 + e · s0 + e00, where s, s0 are repetition rate, it targets a bimodal Gaussian distribution for the respective secrets of Alice and Bob, taken as element in z the i’s, so there is a random sign flip in their definition. the convolution ring R. The full outline of the NewHope In addition, to reduce key size, the signature element z2 † protocol is given in Figure3. is actually transmitted in compressed form z2, and accord- ingly, the hash input includes only a compressed version of 2.5 Description of Frodo u. These various optimizations are essentially irrelevant for our purposes. The second key exchange scheme we consider has been introduced by Bos et al. at CCS 2016 [10]. This scheme is a practical demonstration of an efficient lattice scheme 2.3 Description of the GPV-based scheme of [23] based on the hardness of LWE (in contrast with NewHope, The second signature scheme we consider is the one pro- which relies on the hardness of the Ring-LWE problem). Its posed by Ducas, Lyubashevsky and Prest at ASIACRYPT performance has been evaluated in a “real-world” setting by 2014 [23]. It is an optimization using NTRU lattices of the benchmarking its implementation within the TLS protocol, GPV hash-and-sign signature scheme of Gentry, Peikert and when coupled with ECDSA certificates. As in NewHope Vaikuntanathan [33], and has been implemented in software key exchange, the reconciliation elements can be written by Prest [63]. As in GPV, the signing key is a “good” basis as B0 · S = S0 · A · S + E0 · S and V = S0 · B + E00 = of a certain lattice L (with short, almost orthogonal vectors), S0 ·A·S+S0 ·E+E00 for Alice and Bob, but in contrast with and the public key is a “bad” basis of the same lattice (with NewHope, the secrets are no longer elements of a ring, but longer vectors and a large orthogonality defect). To sign a vectors of integers. The full outline of the Frodo protocol is message µ, one simply hashes it to obtain a vector c in the given in Figure4. ambient space of L, and uses the good, secret basis to sample v ∈ L according to a discrete Gaussian distribution of small 3 ATTACK ON FIAT–SHAMIR TYPE LATTICE-BASED variance supported on L and centered at c. That vector v is the signature; it is, in particular, a lattice point very close SIGNATURES to c. That property can be checked using the bad, public The first fault attack that we consider targets the lattice- basis, but that basis is too large to sample such close vectors based signature schemes of Fiat–Shamir type, and specifi- (this, combined with the fact that the discrete Gaussian cally the generation of the random “commitment” element
4 1: function KEYGEN() n µ, pk = a sk = S 2: sample f, g ∈ R = [x]/(x + 1), uniformly with dδ1ne 1: function SIGN( 1, ) Z n n 2: y ← D y ← D coefficients in {±1}, dδ2ne coefficients in {±2} and other 1 Z,σ, 2 Z,σ equal to zero 3: u = ζ · a1 · y1 + y2 mod 2q T T c ← H(bue mod p, µ) 3: S = (s1, s2) ← (f, 2g + 1) 4: d 2 b 4: if Nκ(S) ≥ C · 5 · (dδ1ne + 4dδ2ne) · κ then restart 5: choose a random bit z ← y + (−1)bs c 5: aq = (2g + 1)/f mod q (restart if f is not invertible) 6: 1 1 1 z ← y + (−1)bs c 6: return (pk = a1, sk = S) where a1 = 2aq mod 2q 7: 2 2 2 7: end function 8: rejection sampling: restart to step 2 except with proba- 2 2 bility 1/ M exp(−kSck/(2σ )) cosh(hz, Sci/σ † † 1: function VERIFY(µ, pk = a1, (z1, z2, c)) 9: z2 ← (bued − bu − z2ed) mod p d † † 2: if k(z1, 2 · z2)k2 > B2 then reject 10: return (z1, z2, c) d † 3: if k(z1, 2 · z2)k∞ > B∞ then reject 11: end function † 4: accept iff c = H(bζ · a1 · z1 + ζ · q · ced + z2 mod p, µ) 5: end function
Fig. 1. Description of the BLISS signature scheme. The random oracle H takes its values in the set of polynomials in R with 0/1 coefficients and Hamming weight exactly κ, for some small constant κ. The value ζ is defined as ζ · (q − 2) = 1 mod 2q. The authors of [20] propose four different sets of parameters with security levels at least 128 bits. The interesting parameters for us are: n = 512, q = 12289, σ ∈ {215, 107, 250, 271}, (δ1, δ2) ∈ {(0.3, 0), (0.42, 0.03), (0.45, 0.06)} and κ ∈ {23, 30, 39}. We refer to the original paper for other parameters and for the definition of notation like Nκ and b·ed, as they are not relevant for our attack. The underlined instruction (Step 2 in SIGN) is where we introduce our faults.
n, q 1: function KEYGEN( ) 1: function GAUSSIANSAMPLER(B, σ, c) . bi (resp. bei) denote n n p 2: f ← D , g ← D . σ0 = 1.17 q/2n σ0 σ0 √ the rows of B (resp. of its Gram–Schmidt matrix Be ) 3: if k(g, −f)k2 > σ then restart . σ = 1.17 q 2: v ← 0 q¯f q¯g 4: if f¯f+g¯g , f¯f+g¯g 2 > σ then restart 3: for i = 2n down to 1 do 5: 0 2 using the extended Euclidean algorithm, compute 4: c ← hc, beii/kbeik2 ρ , ρ ∈ R R ,R ∈ ρ · f = R mod xn + 1 0 f g and f g Z s.t. f f 5: σ ← σ/kbeik2 ρ · g = R mod xn + 1 and g g 6: r ← D ,σ0,c0 gcd(R ,R ) 6= 1 gcd(R , q) 6= 1 Z 6: if f g or f then restart 7: c ← c − rbi and v ← v + rbi 7: using the extended Euclidean algorithm, compute u, v ∈ 8: end for Z s.t. u · Rf + v · Rg = 1 9: return v . v sampled according to the lattice Gaussian F ← qvρ , G ← −quρ 8: g f distribution DL,σ,c 9: repeat 10: end function j F·¯f+G·¯f m 10: k ← f¯f+g¯g ∈ R 11: F ← F − k · f, G ← G − k · g 1: function SIGN(µ, sk = B) n 12: until k=0 2: c ← H(µ) ∈ Zq −1 13: h ← g · f mod q 3: (y, z) ← (c, 0) − GAUSSIANSAMPLER(B, σ, (c, 0)) ! 4: . y, z are short and satisfy y + z · h = c mod q Mg −Mf 2n×2n 14: B ← ∈ Z . short lattice basis 5: return z M −M G F 6: end function 15: return sk = B, pk = h 16: end function 1: function VERIFY(µ, pk = h, z) √ 2: accept iff kzk2 + kH(µ) − z · hk2 ≤ σ 2n 3: end function
n Fig. 2. Description of the GPV-based signature scheme of Ducas–Lyubashevsky–Prest. The random oracle H takes its values in Zq . We denote ¯ n Pn−1 i ¯ Pn−1 i by f 7→ f the conjugation involution of R = Z[x]/(x + 1), i.e. for f = i=0 fix , f = f0 − i=1 fn−ix . Ma represents the matrix of the multiplication by a in the polynomial basis of R, which is skew-circulant of dimension n. For 128 bits of security, the authors of [23] recommend the p parameters n = 256 and q ≈ 210. The constant 1.17 is an approximation of e/2. The underlined step (the main loop in GAUSSIANSAMPLER) is where we introduce our faults.
in the underlying sigma protocols, which is denoted by y the attack against BLISS in particular, but it works against in our descriptions. That element consists of one or several the other Fiat–Shamir type schemes (GLP, PASSSign and polynomials generated coefficient by coefficient, and the Ring-TESLA) with almost no changes: see the Appendix for idea of the attack is to introduce a fault in that random details. sampling to obtain a polynomial of abnormally small de- In BLISS, the commitment element actually consists of gree, in which case signatures will leak information about two polynomials (y1, y2), and it suffices to attack y1. In- the private signing key. For simplicity’s sake, we introduce tuitively, y1 should mask the secret key element s1 in the 5 the element y1 is actually a low-degree polynomial. If the Alice Bob degree is low enough, we will see that this reveals the whole secret key right away, from a single faulty signature! $ 256 seed ← {0, 1} Indeed, suppose that we can obtain a faulty signature a ← SHAKE-128(seed) obtained by forcing a termination of the loop for sam- n 0 0 00 n pling y after the m-th iteration, with m n. Then, the s, e ← ψ16 s , e , e ← ψ16 1 (b, seed) resulting polynomial y1 is of degree at most m − 1. As b ← a · s + e −−−−−−−→ a ← SHAKE-128(seed) part of the faulty signature, we get the pair (c, z1) with b u ← a · s0 + e0 z1 = (−1) s1c + y1. Without loss of generality, we may b = 0 v ← b · s0 + e00 assume that (we will recover the whole secret key only up to sign, but in BLISS, (s , s ) and (−s , −s ) are clearly (u, r) 1 2 1 2 v0 ← u · s ←−−−− r ←$ HelpRec(v) equivalent secret keys). Moreover, with high probability, 0 c is invertible: if we heuristically assume that c behaves ν ← Rec(v , r) ν ← Rec(v, r) like a random element of the ring in terms of invertibility µ ← SHA3-256(ν) µ ← SHA3-256(ν) (which is well verified in practice), c should be invertible with probability about (1 − 1/q)n, which is over 95% for all Fig. 3. Description of the NewHope scheme. The security parameters proposed BLISS parameters. We thus get an equation of the given are q = 12289 < 214, n = 1024. The REC and HELPREC form: subprocedures are encoding and decoding functions between bits and coordinates in a small dimension lattice, as fully analyzed in [3]. Note m−1 modq −1 −1 X −1 i that. computations are taken c z1 − s1 ≡ c y1 ≡ y1,ic x (mod q) (1) i=0
−1 Thus, the vector v = c z1 is very close to the sublattice Alice Bob n −1 i of Z generated by wi = c x mod q for i = 0, . . . , m − 1 n seed ←$ U({0, 1}s) and qZ , and the difference should be s1. n A ← Gen(seed) The previous lattice is of full rank in Z , so the di- mension is too large to apply lattice reduction directly. S, E ← χ( n×n¯ ) S0, E0, E00 ←$ χ( m¯ ×n) Zq Zq However, the relation given by equation (1) also holds for (B, seed) all subsets of indices. More precisely, let J be a subset of B ← A · S + E −−−−−−−→ A ← Gen(seed) n J {0, . . . , n − 1} of cardinality `, and ϕJ : Z → Z be the B0 ← S0 · A + E0 projection (uj)0≤j