Abstract

Side-channel security has become a significant concern in the NIST post-quantum cryptography standardization process. In July 2022, the lattice-based CRYSTALS-Dilithium (abbr. Dilithium) became the primary signature standard algorithm recommended by NIST for most use cases, owing to its excellent security and efficiency. Compared with the rich theoretical security analysis of Dilithium, the side-channel security of its physical implementations needs further exploration. In 2021, Liu et al. proposed a two-stage randomness leakage attack against Dilithium, in which only one randomness bit per signature, with a probability > 0.5, is enough to recover the private key. However, they only carried out proof-of-concept experiments on a “research-oriented” reference implementation of polynomial addition; whether this method applies to complete real-world implementations of Dilithium was unknown. In this paper, we take this randomness leakage attack into the real world and recover the private key of unprotected and masked Dilithium on an Arm Cortex-M4 processor using non-profiled power analysis attacks. Since randomness is introduced in the signing process, recovering a randomness bit of Dilithium with a high success rate from only one trace is challenging. Inspired by Liu et al., we propose a new non-profiled attack called Public Template Attack (PTA), a template-attack-like method that builds templates from public information. With PTA, we recover the randomness bit of unprotected and masked Dilithium from a single power trace with success rates of 95% and 62%, respectively. To demonstrate practicality, we perform power analysis attacks against different security levels of round 3 unprotected and masked Dilithium on an STM32F405 microprocessor. Using 10,000 traces, the private key of unprotected Dilithium2 is recovered in 0.5 hours on an ordinary desktop PC. Our attack is 240 times faster than the state-of-the-art non-profiled attack. Moreover, the private key of masked Dilithium2 is recovered using 680,000 traces in 38 hours. To the best of our knowledge, we are the first to successfully attack masked Dilithium using non-profiled attacks.
