Abstract

In this work, we consider the ring and module variants of the LWE problem and investigate cold boot attacks on cryptographic schemes based on these problems, wherein an attacker is faced with the problem of recovering a scheme’s secret key from a noisy version of that key. The leakage resilience of cryptography based on the learning with errors (LWE) problem has been studied before, but there are only limited results considering the parameters observed in cold boot attack scenarios. There are two main encodings for storing ring- and module-LWE keys, and, as we show, the performance of cold boot attacks can be highly sensitive to the exact encoding used. The first encoding stores polynomial coefficients directly in memory. The second encoding performs a number theoretic transform (NTT) before storing the key, a commonly used method leading to more efficient implementations. We first give estimates for a cold boot attack complexity on the first encoding method based on standard algorithms; this analysis confirms that this encoding method is vulnerable to cold boot attacks only at very low bit-flip rates. We then show that, for the second encoding method, the structure introduced by using an NTT is exploitable in the cold boot setting: we develop a bespoke attack strategy that is much cheaper than our estimates for the first encoding when considering module-LWE keys. For example, at a 1% bit-flip rate (which corresponds roughly to what can be achieved in practice for cold boot attacks when applying cooling), a cold boot attack on Kyber KEM parameters has a cost of 2^43 operations when the second, NTT-based encoding is used for key storage, compared to 2^70 operations with the first encoding. On the other hand, in the case of the ring-LWE-based KEM, New Hope, the cold boot attack complexities are similar for both encoding methods.

Highlights

  • One of the attractive features of the Learning with Errors problem (LWE) [Reg05] is its “leakage resilience” [DGK+10, BG10, BL14] which roughly states that the difficulty of the problem deteriorates only gradually as information about the secret is leaked

  • Many systems proposed for practical use are based on the related ring-LWE problem (RLWE) [LPR13a] and module-LWE problem (MLWE) [LS15]

  • The Kyber specification [SAB+17] directly specifies the secret key in the frequency domain. This implementation detail dramatically alters the landscape for cold boot attacks on RLWE/MLWE-based schemes that specify the use of a number theoretic transform (NTT): a cold boot attacker is confronted with the problem of “decoding a noisy NTT”, i.e. recovering the input to an NTT given a noisy output


Summary

Introduction

One of the attractive features of the Learning with Errors problem (LWE) [Reg05] is its “leakage resilience” [DGK+10, BG10, BL14], which roughly states that the difficulty of the problem deteriorates only gradually as information about the secret is leaked. The Kyber specification [SAB+17] directly specifies the secret key in the frequency domain. This implementation detail dramatically alters the landscape for cold boot attacks on RLWE/MLWE-based schemes that specify the use of an NTT: a cold boot attacker is confronted with the problem of “decoding a noisy NTT”, i.e. recovering the input to an NTT given a noisy output. While our attack in principle applies to all RLWE/MLWE schemes using the NTT and storing secret keys in the frequency domain, we use a running example of the default Kyber parameters [SAB+17] for concreteness. We also consider an alternative approach to solving the cold boot problem based on Blahut’s Theorem and the Berlekamp-Massey algorithm [Mas69]. This approach succeeds when the bit-flip rate is low and where the secret key is guaranteed to have low Hamming weight when compared to the ring dimension. If the secret has Hamming weight w and an attacker has access to 2w consecutive clean components of the secret, the full secret can be derived at a trivial cost.
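The following Python is an added illustration of the Blahut/Berlekamp-Massey observation, not code from the paper or the Kyber project: the transform of a weight-w secret is a linear recurring sequence of complexity w, so 2w clean consecutive frequency-domain components reproduce the whole key. The modulus 3329 and the root of unity 17 come from Kyber, but the plain cyclic transform, the dimension 64 and the sample secret are assumptions of this example (Kyber's own negacyclic NTT differs in detail), and any bit flips inside the window would break the recurrence, which is why the approach needs clean components.

```python
import random
Q = 3329                        # Kyber modulus
N = 64                          # small dimension for the illustration (Kyber uses 256)
OMEGA = pow(17, 256 // N, Q)    # 17 has order 256 mod 3329, so this has order exactly N

def ntt(s):
    """Forward cyclic transform: s_hat[j] = sum_i s[i] * omega^(i*j) mod q."""
    return [sum(s[i] * pow(OMEGA, i * j, Q) for i in range(N)) % Q for j in range(N)]

def intt(s_hat):
    """Inverse transform: s[i] = N^-1 * sum_j s_hat[j] * omega^(-i*j) mod q."""
    return [pow(N, -1, Q) * sum(s_hat[j] * pow(OMEGA, -i * j, Q) for j in range(N)) % Q for i in range(N)]

def berlekamp_massey(seq, q):
    """Shortest LFSR over Z_q generating seq: (C, L) with seq[t] + sum_i C[i]*seq[t-i] == 0."""
    C, B = [1] + [0] * len(seq), [1] + [0] * len(seq)
    L, m, b = 0, 1, 1
    for t, a in enumerate(seq):
        d = (a + sum(C[i] * seq[t - i] for i in range(1, L + 1))) % q  # discrepancy
        if d == 0: m += 1; continue
        coef, T = d * pow(b, -1, q) % q, C[:]
        for i in range(m, len(seq) + 1):        # C(x) -= (d/b) * x^m * B(x)
            C[i] = (C[i] - coef * B[i - m]) % q
        if 2 * L <= t:
            L, B, b, m = t + 1 - L, T, d, 1
        else:
            m += 1
    return C[:L + 1], L

def recover_from_window(window, start):
    """Rebuild the whole frequency-domain key from 2w clean coefficients s_hat[start:start+2w] (indices mod N)."""
    C, L = berlekamp_massey(window, Q)
    ext = list(window)
    for t in range(len(window), N):             # run the recurrence around the cycle
        ext.append(-sum(C[i] * ext[t - i] for i in range(1, L + 1)) % Q)
    s_hat = [0] * N
    for t in range(N):
        s_hat[(start + t) % N] = ext[t]         # s_hat is N-periodic
    return intt(s_hat), L

def demo(weight=4, start=10, seed=1):
    rng = random.Random(seed)                   # constructed weight-w secret (assumption)
    s = [0] * N
    for i in rng.sample(range(N), weight):
        s[i] = rng.choice([1, 2, Q - 1, Q - 2])  # small nonzero coefficients
    s_hat = ntt(s)
    window = [s_hat[(start + t) % N] for t in range(2 * weight)]
    recovered, L = recover_from_window(window, start)
    return recovered == s, L == weight           # Blahut: linear complexity equals weight
```

demo() returns (True, True): the full secret comes back from the window, and the LFSR length found by Berlekamp-Massey equals the Hamming weight.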

Discussion
Preliminaries
LWE definitions
Minimal binary signed digit representation
Lattices
Leakage resilience for Kyber’s parameters
Cold boot NTT decoding problem
Divide and conquer
Perform the two folding steps:
Extending a solution
Lattice formulation
A guessing strategy
BDD on NTT lattices
Kyber KEM
New Hope KEM
Linear complexity
Attack description
Cold boot scenario
Future directions for linear complexity attacks
Meet in the middle attack analysis
Locality sensitive hashing
Findings
Arora-Ge attacks
