Eindhoven University of Technology

MASTER

Towards post-quantum bitcoin side-channel analysis of bimodal lattice signatures

Groot Bruinderink, L.

Award date: 2016

Disclaimer

This document contains a student thesis (bachelor's or master's), as authored by a student at Eindhoven University of Technology. Student theses are made available in the TU/e repository upon obtaining the required degree. The grade received is not published on the document as presented in the repository. The required complexity or quality of research of student theses may vary by program, and the required minimum study period may vary in duration.

General rights

Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.

• Users may download and print one copy of any publication from the public portal for the purpose of private study or research.
• You may not further distribute the material or use it for any profit-making activity or commercial gain.

Towards Post-Quantum Bitcoin
Side-Channel Analysis of Bimodal Lattice Signatures

Leon Groot Bruinderink
Email: [email protected]
Student-ID: 0682427

A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in Industrial and Applied Mathematics

Supervisors:
prof.dr. Tanja Lange (TU/e)
dr. Andreas Hülsing (TU/e)
dr. Lodewijk Bonebakker (ING)

January 2016

Acknowledgements

This thesis is the result of many months of work, both at my internship company ING and university TU/e. Before we rush into the contents of this thesis, I would like to take a moment to thank the people who made it possible. First of all, I would like to thank Tanja Lange (TU/e) and Lodewijk Bonebakker (ING) for supervising this project and introducing me to the fascinating aspects of their work.
I am very grateful for the freedom and guidance they offered me throughout this period. Second, I would like to thank my other TU/e supervisor Andreas Hülsing. It was always possible for me to ask questions and discuss my thesis. When I was stuck, he inspired me to continue my search for answers. I would also like to thank these three people, together with Jan Draisma, for taking part in my graduation committee. I am also very thankful to Daniel J. Bernstein for attending the meetings with Tanja and Andreas, and for sharing his knowledge. Also thanks to Thijs Laarhoven and Benne de Weger for discussing the unknowns of this thesis. Last but not least, I would like to thank my girlfriend, my family and friends for their personal support and trust, during this period and all the years before. It was never hard to clear my head and just enjoy spending time with them.

Abstract

In this thesis, we investigate Bitcoin's long-term vision for the cryptographic protocols it relies on. The biggest threat in the near future is a large quantum computer, able to forge the digital signatures used by Bitcoin to secure transactions. When a large quantum computer arises, Bitcoin has to switch to post-quantum cryptography, in which Bimodal Lattice Signatures (BLISS) seem most promising to use. However, it is unclear if these signatures are vulnerable to side-channel attacks, which are mountable on actual implementations. An important step in BLISS is sampling a discrete-Gaussian-distributed integer, which is not straightforward to do. We investigated two sampling algorithms most used in practice, which both rely on table look-ups. We show that both methods are vulnerable to cache-attacks, leading to extraction of the secret key. We provide experimental results as verification. This means we need to re-invent ways to sample a discrete Gaussian, or implement current methods more securely, before the scheme is ready for implementation in the real world.
Contents

List of Algorithms
List of Tables
List of Figures

1 Introduction
  1.1 Motivation
  1.2 Our Contributions
  1.3 Roadmap

2 The Security of the Blockchain
  2.1 Introduction to Bitcoin
  2.2 One-Way Functions and Hash-Functions
  2.3 Proof-of-Work and Hash-Chaining
  2.4 Double Spending and 51% Computational Security
  2.5 Adjustments for Post-Quantum Security
  2.6 Conclusion

3 Digital Signature Schemes
  3.1 Public-Key Cryptography
  3.2 Properties of Digital Signature Schemes
  3.3 RSA Signatures
  3.4 Elliptic Curve Signatures
  3.5 Factorization and Discrete Log with Shor's Algorithm

4 Hash-Based Signature Schemes
  4.1 One-Time Signature Schemes
  4.2 Merkle Signature Schemes
  4.3 Practicality Issues

5 Introduction to Lattices
  5.1 Notations
  5.2 Definitions and Bases
  5.3 Lattice Basis Reduction
  5.4 Hard Lattice-Problems
  5.5 A First Attempt of Lattice-Based Signatures

6 Lattice-Based Signatures In Practice
  6.1 More Hard Lattice Problems: SIS and LWE
  6.2 BLISS: Bimodal Lattice Signature Scheme
  6.3 Gaussian Sampling
    6.3.1 The Discrete Gaussian Distribution
    6.3.2 Rejection Sampling
    6.3.3 Cumulative Distribution Table
  6.4 Lattice Implementations Via NTRU Lattices
  6.5 Parameter Suggestions For BLISS

7 Side-Channel Attacks
  7.1 Introduction
  7.2 Timing Attacks
  7.3 Cache-Attacks
  7.4 Countermeasures

8 Cache-Attacks on BLISS
  8.1 Intuition behind the Cache-Attacks
  8.2 Cache-Attack Model
  8.3 Cache-Attack 1: CDT Sampling
    8.3.1 Modified CDT Sampling with Acceleration Table
    8.3.2 Cache-Attack Weaknesses
    8.3.3 Exploiting the Weakness
    8.3.4 Extracting the Secret Key
    8.3.5 Complexity Analysis
  8.4 Cache-Attack 2: Rejection Sampling
    8.4.1 Modified Rejection Sampling with Exponential Table
    8.4.2 Cache-Attack Weakness and Exploitation
    8.4.3 Extracting the Secret Key
    8.4.4 Complexity Analysis
  8.5 Experiments
  8.6 Countermeasures
  8.7 A Short Note on Timing Attacks

9 Summary
  9.1 Conclusions
  9.2 Future Work

Bibliography

Appendix
  A Cache Weaknesses for Suggested Parameter Sets

List of Algorithms

1 RSA Key Generation
2 RSA Signing
3 RSA Verification
4 Elliptic Curve Key Generation
5 Elliptic Curve DSA Signing
6 Elliptic Curve DSA Verification
7 LOTSS Key Generation
8 LOTSS Signing
9 LOTSS Verification
10 Merkle Key Generation
11 Merkle Signing
12 Merkle Verification
13 LLL Lattice Basis Reduction
14 GGH Key Generation
15 GGH Signing
16 GGH Verification
17 BLISS Key Generation
18 BLISS Signing
19 BLISS Verification
20 Basic Rejection Sampling
21 CDT Sampling
22 Square-and-Multiply Algorithm
23 CDT Sampling with Acceleration Table
24 Cache-Attack on BLISS with CDT Sampling
25 Rejection Sampling with Exponential Table
26 Cache-Attack on BLISS with Rejection sampling

List of Tables

1 Parameter Suggestions for BLISS
2 Visualization of Intersection Weakness
3 Visualization of Jump Weakness
4 Experimental Results Cache-Attacks on BLISS
5 Table of Cache-Line Analysis BLISS-0
6 Cache Weaknesses for BLISS-0
7 Table of Cache-Line Analysis BLISS-I