NIST Post-Quantum Cryptography Standardization Research Articles

Post-Quantum Delegated Proof of Luck for Blockchain Consensus Algorithm

The advancements in quantum computing and the potential for polynomial-time solutions to traditional public key cryptography (i.e., Rivest–Shamir–Adleman (RSA) and elliptic-curve cryptography (ECC)) using Shor’s algorithm pose a serious threat to the security of pre-quantum blockchain technologies. This paper proposes an efficient quantum-safe blockchain that incorporates new quantum-safe consensus algorithms. We integrate post-quantum signature schemes into the blockchain’s transaction signing and verification processes to enhance resistance against quantum attacks. Specifically, we employ the Falcon signature scheme, which was selected during the NIST post-quantum cryptography (PQC) standardization process. Although the integration of the post-quantum signature scheme results in a reduction in the blockchain’s transactions per second (TPSs), we introduce efficient approaches to mitigate this performance degradation. Our proposed post-quantum delegated proof of luck (PQ-DPoL) combines a proof of luck (PoL) mechanism with a delegated approach, ensuring quantum resistance, energy efficiency, and fairness in block generation. Experimental results demonstrate that while post-quantum cryptographic algorithms like Falcon introduce larger signature sizes and slower processing times, the PQ-DPoL algorithm effectively balances security and performance, providing a viable solution for secure blockchain operations in a post-quantum era.

Enabling PERK and other MPC-in-the-Head Signatures on Resource-Constrained Devices

One category of the digital signatures submitted to the NIST Post-Quantum Cryptography Standardization Process for Additional Digital Signature Schemes comprises proposals constructed leveraging the MPC-in-the-Head (MPCitH) paradigm. Typically, this framework is characterized by the computation and storage in sequence of large data structures both in signing and verification algorithms, resulting in heavy memory consumption. While some research on the efficiency of these schemes on high-performance machines has been done, studying their performance and optimization on resource-constrained ones still needs to be explored. In this work, we aim to address this gap by (1) introducing a general method to reduce the memory footprint of MPCitH schemes and analyzing its application to several MPCitH proposed schemes in the NIST Standardization Process. Additionally, (2) we conduct a detailed examination of potential memory optimizations in PERK, resulting in a streamlined version of the signing and verification algorithms with a reduced memory footprint ranging from 22 to 85 KB, down from the original 0.3 to 6 MB. Finally, (3) we introduce the first implementation of PERK tailored for Arm Cortex M4 alongside extensive experiments and comparisons against reference implementations.

Polynomial equation in algebraic attack on NTRU-HPS and NTRU-HRSS

NTRU is a lattice-based public-key cryptosystem designed by Jeffrey Hoffstein, Jill Pipher, and Joseph H. Silverman in 1996. NTRU published on Algorithmic Number Theory Symposium (ANTS) in 1998. The ANTS’98 NTRU became the IEEE standard for public key cryptographic techniques based on hard problems over lattices in 2008. NTRU was later redeveloped by NTRU Inc. since 2018 and became one of the finalists in round 3 of the PQC (Post-Quantum Cryptography) standardization process organized by NIST in 2020. There are two types of NTRU algorithms proposed by NTRU Inc., which are classified based on parameter determination, NTRU-HPS (Hoffstein, Pipher, Silverman) and NTRU-HRSS (Hulsing, Rijnveld, Schanck, Schwabe). Algebraic attacks on ANTS’98 NTRU had previously been carried out in 2009 and 2012. In this paper, algebraic attack is performed on the renewed NTRU submitted to the third round of NIST PQC standardization in 2020. This study aims to obtain system of polynomial equations representing plaintext bits of NTRU-HPS and NTRU-HRSS which can be used to find the private key in the next study. As a result, some polynomial equations with unknown variables were obtained.

Improved Attacks on LowMC with Algebraic Techniques

The LowMC family of SPN block cipher proposed by Albrecht et al. was designed specifically for MPC-/FHE-/ZKP-friendly use cases. It is especially used as the underlying block cipher of PICNIC, one of the alternate third-round candidate digital signature algorithms for NIST post-quantum cryptography standardization. The security of PICNIC is highly related to the difficulty of recovering the secret key of LowMC from a given plaintext/ciphertext pair, which raises new challenges for security evaluation under extremely low data complexity.In this paper, we improve the attacks on LowMC under low data complexity, i.e. 1 or 2 chosen plaintext/ciphertext pairs. For the difference enumeration attack with 2 chosen plaintexts, we propose new algebraic methods to better exploit the nonlinear relation inside the introduced variables based on the attack framework proposed by Liu et al. at ASIACRYPT 2022. With this technique, we significantly extend the number of attack rounds for LowMC with partial nonlinear layers and improve the success probability from around 0.5 to over 0.9. The security margin of some instances can be reduced to only 3/4 rounds. For the key-recovery attack using a single plaintext, we adopt a different linearization strategy to reduce the huge memory consumption caused by the polynomial methods for solving multivariate equation systems. The memory complexity reduces drastically for all 5-/6-round LowMC instances with full nonlinear layers at the sacrifice of a small factor of time complexity. For 5-round LowMC instances with a block size of 129, the memory complexity decreases from 286.46 bits to 248.18 bits while the time complexity even slightly reduces. Our results indicate that the security for different instances of LowMC under extremely low data complexity still needs further exploration.

Fast and Clean: Auditable high-performance assembly via constraint solving

Handwritten assembly is a widely used tool in the development of highperformance cryptography: By providing full control over instruction selection, instruction scheduling, and register allocation, highest performance can be unlocked. On the flip side, developing handwritten assembly is not only time-consuming, but the artifacts produced also tend to be difficult to review and maintain – threatening their suitability for use in practice.In this work, we present SLOTHY (Super (Lazy) Optimization of Tricky Handwritten assemblY), a framework for the automated superoptimization of assembly with respect to instruction scheduling, register allocation, and loop optimization (software pipelining): With SLOTHY, the developer controls and focuses on algorithm and instruction selection, providing a readable “base” implementation in assembly, while SLOTHY automatically finds optimal and traceable instruction scheduling and register allocation strategies with respect to a model of the target (micro)architecture.We demonstrate the flexibility of SLOTHY by instantiating it with models of the Cortex-M55, Cortex-M85, Cortex-A55 and Cortex-A72microarchitectures, implementing the Armv8.1-M+Helium and AArch64+Neon architectures. We use the resulting tools to optimize three workloads: First, for Cortex-M55 and Cortex-M85, a radix-4 complex Fast Fourier Transform (FFT) in fixed-point and floating-point arithmetic, fundamental in Digital Signal Processing. Second, on Cortex-M55, Cortex-M85, Cortex-A55 and Cortex-A72, the instances of the Number Theoretic Transform (NTT) underlying CRYSTALS-Kyber and CRYSTALS-Dilithium, two recently announced winners of the NIST Post-Quantum Cryptography standardization project. Third, for Cortex-A55, the scalar multiplication for the elliptic curve key exchange X25519. The SLOTHY-optimized code matches or beats the performance of prior art in all cases, while maintaining compactness and readability.

High-performance and Configurable SW/HW Co-design of Post-quantum Signature CRYSTALS-Dilithium

CRYSTALS-Dilithium is a lattice-based post-quantum digital signature scheme that is resistant to attacks by quantum computers and has been selected to be standardized in the NIST post-quantum cryptography (PQC) standardization process. However, the speed performance and design flexibility of the Dilithium still need to be evaluated. This article presents a high-performance software/hardware co-design of CRYSTALS-Dilithium based on the NIST PQC round-3 parameters. High-speed pipelined hardware modules for NTT/INTT, point-wise multiplication/addition, and for SHAKE are included in the design to accelerate the time-consuming operations in Dilithium. All hardware modules are parameterized, thus allowing full support of runtime configuration to increase versatility. Moreover, the proposed software/hardware architecture and tight operating workflows reduce the data transmission overhead between the processor and other hardware modules. The hardware accelerator is implemented with a reconfigurable logic on FPGA and is integrated with the high-performance ARM Cortex-A9 processor in the Xilinx Zynq Architecture. We measure the performance of the software/hardware system for Dilithium in NIST security levels 2, 3, and 5. Compared to pure software implementations, we achieve 8.7–12.5 times speedup in Key generation, 6.3–7.3 times speedup in Sign, and 9.1–12.2 times speedup in Verify operations.

High-Speed Hardware Architectures and FPGA Benchmarking of CRYSTALS-Kyber, NTRU, and Saber

Post-Quantum Cryptography (PQC) has emerged as a response of the cryptographic community to the danger of attacks performed using quantum computers. All PQC schemes can be implemented in software and hardware using conventional (non-quantum) computing systems. PQC is the biggest revolution in cryptography since the invention of public-key schemes in the mid-1970 s. Lattice-based key exchange schemes have emerged as leading candidates in the NIST PQC standardization process due to their relatively short public keys and ciphertexts. This paper presents novel high-speed hardware architectures for four lattice-based Key Encapsulation Mechanisms (KEMs) representing three NIST PQC finalists: NTRU (with two distinct variants, NTRU-HPS and NTRU-HRSS), CRYSTALS-Kyber, and Saber. We benchmark these candidates in terms of their performance and resource utilization in today's FPGAs. Our best architectures outperform the best designs from other groups reported to date in terms of the area-time product by factors ranging from 1.01 to 2.88, depending on the algorithm and security level. Additionally, our study demonstrates that CRYSTALS-Kyber and Saber have very similar hardware performance. Both outperform NTRU in terms of execution time by a factor 36-62 for key generation and 3-7 for decapsulation, assuming the same security level.

Practical Public Template Attacks on CRYSTALS-Dilithium With Randomness Leakages

Side-channel security has become a significant concern in the NIST post-quantum cryptography standardization process. The lattice-based CRYSTALS-Dilithium (abbr. Dilithium) becomes the primary signature standard algorithm recommended by NIST for most use cases in July 2022 due to its excellent performance in security and efficiency. Compared to Dilithium’s rich theoretical security analysis results, the side-channel security of its physical implementations needs to be further explored. In 2021, Liu et al. proposed a two-stage randomness leakage attack against Dilithium, in which only one randomness bit with a probability <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$&gt; 0.5$ </tex-math></inline-formula> per signature is enough to recover the private key. However, they only carried out proof-of-concept experiments on “research-oriented” reference implementation of polynomial addition. Whether this method applies to complete real-world implementations of Dilithium is unknown. In this paper, we put this randomness leakage attack into real-world and recover the private key of unprotected and masked Dilithium on Arm Cortex-M4 processor using non-profiled power analysis attacks. Since randomness is introduced in the signing process, it is challenging to recover the randomness bit of Dilithium with high success rate in only one trace. Inspired by Liu et al., we propose a new non-profiled attack called Public Template Attack (PTA), a template-attack-like method that builds templates using public information. With PTA, we recover the randomness bit of unprotected and masked Dilithium with a success rate of 95% and 62% in one power trace, respectively. To demonstrate practicality, we perform practical power analysis attacks against different security levels of round 3 unprotected and masked Dilithium on STM32F405 microprocessor. Using 10,000 traces, the private key of unprotected Dilithium2 is recovered in 0.5 hours with an ordinary PC desktop. Our attack is 240 times faster than the state-of-the-art non-profiled attack. Moreover, the private key of masked Dilithium2 is recovered using 680,000 traces in 38 hours. To the best of our knowledge, we are the first to successfully attack masked Dilithium using non-profiled attacks.

Engineering Practical Rank-Code-Based Cryptographic Schemes on Embedded Hardware. A Case Study on ROLLO

In this paper, we investigate the practical performance of rank-code based cryptography on FPGA platforms by presenting a case study on the quantum-safe KEM scheme based on LRPC codes called ROLLO, which was among NIST post-quantum cryptography standardization round-2 candidates. Specifically, we present an FPGA implementation of the encapsulation and decapsulation operations of the ROLLO KEM scheme with some variations to the original specification. The design is fully parameterized, using code-generation scripts to support a wide range of parameter choices for security levels specified in ROLLO. At the core of the ROLLO hardware, we presented a generic approach for hardware-based Gaussian elimination, which can process both non-singular and singular matrices. Previous works on hardware-based Gaussian elimination can only process non-singular ones. However, a plethora of cryptosystems, for instance, quantum-safe key encapsulation mechanisms based on rank-metric codes, ROLLO and RQC, which are among NIST post-quantum cryptography standardization round-2 candidates, require performing Gaussian elimination for random matrices regardless of the singularity. To the best of our knowledge, this work is the first hardware implementation for rank-code-based cryptographic schemes. The experimental results suggest rank-code-based schemes can be highly efficient.

Information- and Coding-Theoretic Analysis of the RLWE/MLWE Channel

Several cryptosystems based on the Ring Learning with Errors (RLWE) problem have been proposed within the NIST post-quantum cryptography standardization process, e.g., NewHope. Furthermore, there are systems like Kyber which are based on the closely related MLWE assumption. Both previously mentioned schemes result in a non-zero decryption failure rate (DFR). The combination of encryption and decryption for these kinds of algorithms can be interpreted as data transmission over a noisy channel. To the best of our knowledge this paper is the first work that analyzes the capacity of this channel. We show how to modify the encryption schemes such that the input alphabets of the corresponding channels are increased. In particular, we present lower bounds on their capacities which show that the transmission rate can be significantly increased compared to standard proposals in the literature. Furthermore, under the common assumption of stochastically independent coefficient failures, we give lower bounds on achievable rates based on both the Gilbert-Varshamov bound and concrete code constructions using BCH codes. By means of our constructions, we can either increase the total bitrate (by a factor of 1.84 for Kyber and by factor of 7 for NewHope) while guaranteeing the same DFR or for the same bitrate, we can significantly reduce the DFR for all schemes considered in this work (e.g., for NewHope from 2−216 to 2−12769).

KaratSaber: New Speed Records for Saber Polynomial Multiplication using Efficient Karatsuba FPGA Architecture

SABER is a round 3 candidate in the NIST Post-Quantum Cryptography Standardization process. Polynomial convolution is one of the most computationally intensive operation in Saber Key Encapsulation Mechanism, that can be performed through widely explored algorithms like the schoolbook polynomial multiplication algorithm (SPMA) and Number Theoretic Transform (NTT). While SPMA multiplier has a slow latency performance, the NTT-based multiplier usually requires large hardware. In this work, we propose KaratSaber, an optimized Karatsuba polynomial multiplier architecture with a balanced hardware efficiency (throughput-per-slice, TPS) compared to NTT and SPMA based designs. KaratSaber employs several techniques for an efficient design: a parallel grid input technique for efficient pre-processing stage in Karatsuba-based polynomial multiplier, a novel instruction code result-mapping technique catering the negacyclic operations improves the post-processing stage efficiency, a double multiplicand shifter-based multiplier doubles the throughput at the multiplication stage. Combining these three techniques, the proposed KaratSaber architecture is 7.47 <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$\times$</tex-math></inline-formula> faster compared to the state-of-the-art SPMA Saber architecture at the expense of 4.96 <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$\times$</tex-math></inline-formula> additional hardware resources; making KaratSaber 46.04% more area-time efficient. When compared to LWRPro, a recent Karatsuba Saber architecture, KaratSaber architecture achieves a 2.11 <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$\times$</tex-math></inline-formula> higher throughput by only utilizing 1.92 <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$\times$</tex-math></inline-formula> additional hardware; thus gaining a 10.44% improvement in area-time efficiency

Post-quantum cryptographic algorithm identification using machine learning

This research presents a study on the identification of post-quantum cryptography algorithms through machine learning techniques. Plain text files were encoded by four post-quantum algorithms, participating in NIST's post-quantum cryptography standardization contest, in ECB mode. The resulting cryptograms were submitted to the NIST Statistical Test Suite to enable the creation of metadata files. These files provide information for six data mining algorithms to identify the cryptographic algorithm used for encryption. Identification performance was evaluated in samples of different sizes. The successful identification of each machine learning algorithm is higher than a probabilistic bid, with hit rates ranging between 73 and 100%.

Time-Memory Trade-Offs for Saber+ on Memory-Constrained RISC-V Platform

Saber is a module-lattice-based key encapsulation scheme that has been selected as a finalist in the NIST Post-Quantum Cryptography standardization project. As Saber computes on considerably large matrices and vectors of polynomials, its efficient implementation on memory-constrained IoT devices is very challenging. In this paper, we present an implementation of Saber with a minor tweak to the original Saber protocol for achieving reduced memory consumption and better performance. We call this tweaked implementation ‘Saber+’, and the difference compared to Saber is that we use different generation methods of public matrix <inline-formula><tex-math notation="LaTeX">$\boldsymbol{A}$</tex-math></inline-formula> and secret vector <inline-formula><tex-math notation="LaTeX">$\boldsymbol{s}$</tex-math></inline-formula> for memory optimization. Our highly optimized software implementation of Saber+ on a memory-constrained RISC-V platform achieves 48% performance improvement compared with the best state-of-the-art memory-optimized implementation of original Saber. Specifically, we present various memory and performance optimizations for Saber+ on a memory-constrained RISC-V microcontroller, with merely 16KB of memory available. We utilize the Number Theoretic Transform (NTT) to speed up the polynomial multiplication in Saber+. For optimizing cycle counts and memory consumption during NTT, we carefully compare the efficiency of the complete and incomplete-NTTs, with platform-specific optimization. We implement 4-layers merging in the complete-NTT and 3-layers merging in the 6-layer incomplete-NTT. An improved on-the-fly generation strategy of the public matrix and secret vector in Saber+ results in low memory footprint. Furthermore, by combining different optimization strategies, various time-memory trade-offs are explored. Our software implementation for Saber+ on selected RISC-V core takes just 3,809K, 3,594K, and 3,193K clock cycles for key generation, encapsulation, and decapsulation, respectively, while consuming only 4.8KB of stack at most.

Ultra High-Speed Polynomial Multiplications for Lattice-Based Cryptography on FPGAs

Lattice-based cryptography (LBC) has emerged as the most viable substitutes to the classical cryptographic schemes as 5 out of 7 finalist schemes in the 3rd round of the NIST post-quantum cryptography (PQC) standardization process are lattice based in construction. This work explores novel architectural optimizations in the FPGA-based hardware implementation of polynomial multiplication, which is a bottleneck in every LBC construction. To target ultra-high throughput, both schoolbook polynomial multiplication (SPM) and number theoretic transform (NTT) are explored: a completely parallel architecture of an SPM is undertaken while for NTT, radix-2 and radix- <inline-formula><tex-math notation="LaTeX">$2^2$</tex-math></inline-formula> multi-path delay commutator (MDC) based pipelined architectures are adopted. Our proposed high-speed SPM (HSPM) structure on latest Xilinx UltraScale+ FPGA is 5× faster than the state-of-the-art LBC designs. Whereas, the proposed high-speed NTT (HNTT) structure (i.e., R <inline-formula><tex-math notation="LaTeX">$2^2$</tex-math></inline-formula> MDC) takes only 0.63 <inline-formula><tex-math notation="LaTeX">$\mu$</tex-math></inline-formula> s for the encryption, hence achieving the highest throughput of 408 Mbps. Moreover, all of the proposed designs achieve highest design efficiencies (i.e., throughput per slice (TPS)) in comparison to available LBC designs.

Status report on the third round of the NIST post-quantum cryptography standardization process

In recent years, there has been steady progress in the creation of quantum computers. If large-scale quantum computers are implemented, they will threaten the security of many widely used public-key cryptosystems. Key-establishment schemes and digital signatures based on factorization, discrete logarithms, and elliptic curve cryptography will be most affected. Symmetric cryptographic primitives such as block ciphers and hash functions will be broken only slightly. As a result, there has been an intensification of research on finding public-key cryptosystems that would be secure against cryptanalysts with both quantum and classical computers. This area is often called post-quantum cryptography (PQC), or sometimes quantum-resistant cryptography. The goal is to design schemes that can be deployed in existing communication networks and protocols without significant changes. The National Institute of Standards and Technology is in the process of selecting one or more public-key cryptographic algorithms through an open competition. New public-key cryptography standards will define one or more additional digital signatures, public-key encryption, and key-establishment algorithms. It is assumed that these algorithms will be able to protect confidential information well in the near future, including after the advent of quantum computers. After three rounds of evaluation and analysis, NIST has selected the first algorithms that will be standardized as a result of the PQC standardization process. The purpose of this article is to review and analyze the state of NIST's post-quantum cryptography standardization evaluation and selection process. The article summarizes each of the 15 candidate algorithms from the third round and identifies the algorithms selected for standardization, as well as those that will continue to be evaluated in the fourth round of analysis. Although the third round is coming to an end and NIST will begin developing the first PQC standards, standardization efforts in this area will continue for some time. This should not be interpreted as meaning that users should wait to adopt post-quantum algorithms. NIST looks forward to the rapid implementation of these first standardized algorithms and will issue future guidance on the transition. The transition will undoubtedly have many complexities, and there will be challenges for some use cases such as IoT devices or certificate transparency.

New Low-Memory Algebraic Attacks on LowMC in the Picnic Setting

The security of the post-quantum signature scheme Picnic is highly related to the difficulty of recovering the secret key of LowMC from a single plaintext-ciphertext pair. Since Picnic is one of the alternate third-round candidates in NIST post-quantum cryptography standardization process, it has become urgent and important to evaluate the security of LowMC in the Picnic setting. The best attacks on LowMC with full S-box layers used in Picnic3 were achieved with Dinur’s algorithm. For LowMC with partial nonlinear layers, e.g. 10 S-boxes per round adopted in Picnic2, the best attacks on LowMC were published by Banik et al. with the meet-in-the-middle (MITM) method.In this paper, we improve the attacks on LowMC in a model where memory consumption is costly. First, a new attack on 3-round LowMC with full S-box layers with negligible memory complexity is found, which can outperform Bouillaguet et al.’s fast exhaustive search attack and can achieve better time-memory tradeoffs than Dinur’s algorithm. Second, we extend the 3-round attack to 4 rounds to significantly reduce the memory complexity of Dinur’s algorithm at the sacrifice of a small factor of time complexity. For LowMC instances with 1 S-box per round, our attacks are shown to be much faster than the MITM attacks. For LowMC instances with 10 S-boxes per round, we can reduce the memory complexity from 32GB (238 bits) to only 256KB (221 bits) using our new algebraic attacks rather than the MITM attacks, while the time complexity of our attacks is about 23.2 ∼ 25 times higher than that of the MITM attacks. A notable feature of our new attacks (apart from the 4-round attack) is their simplicity. Specifically, only some basic linear algebra is required to understand them and they can be easily implemented.

Efficient Implementation of Dilithium Signature Scheme on FPGA SoC Platform

In the process of NIST postquantum cryptography standardization, module lattice-based Dilithium has been chosen as one of the three third-round finalists for digital signature schemes. More evaluations of its implementation efficiency on different platforms are required for further competition. In this article, we present an efficient implementation of Dilithium on a field-programmable gate array (FPGA) system-on-chip (SoC) platform. To achieve a high computation speed, we design a hardware architecture to perform the main body of the algorithm, and the preprocessing and postprocessing steps are accomplished by the processor. For the hardware architecture, we take some optimizations on the most time-consuming operations, that is, polynomial multiplication, hashing, and sampling. Polynomial multiplications are accelerated by the radix-4 number theoretic transform (NTT) architecture with a conflict-free memory mapping scheme. A fast modular multiplication on the Dilithium modulus is proposed to support the underlying calculations. For hashing and sampling, we design a multipurpose hashing unit and a compact sampling unit. The cooperative work of the two units accelerates the sampling process significantly. We implement the Key Generation, Signing, and Verification algorithms of the round-3 Dilithium at all three security levels on the Xilinx Zynq-7000 platform. Compared with existing software/hardware codesign for Dilithium on a similar platform, our design achieves about <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$17\times $ </tex-math></inline-formula> and <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$40\times $ </tex-math></inline-formula> improvements in performance for the Signing and Verification algorithms, respectively, at the cost of about <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$7.8\times $ </tex-math></inline-formula> more look up table (LUT) resources.

Magnifying Side-Channel Leakage of Lattice-Based Cryptosystems With Chosen Ciphertexts: The Case Study of Kyber

Lattice-based cryptography, as an active branch of post-quantum cryptography (PQC), has drawn great attention from side-channel analysis researchers in recent years. Despite the various side-channel targets examined in previous studies, detail on revealing the secret-dependent information efficiently is less studied. In this paper, we propose adaptive EM side-channel attacks with carefully constructed ciphertexts on Kyber, which is a finalist of NIST PQC standardization project. We demonstrate that specially chosen ciphertexts allow an adversary to modulate the leakage of a target device and enable full key extraction with a small number of traces through simple power analysis. Compared to prior research, our techniques require fewer traces and avoid building complex templates. We practically evaluate our methods using both a reference implementation and the ARM-specific implementation in pqm4 library. For the reference implementation, we target the leakage of the output of the inverse NTT computation and recover the full key with only four traces. For the pqm4 implementation, we develop a message-recovery attack that leads to extraction of the full secret key with between eight and 960 traces, depending on the compiler optimization level. We discuss the relevance of our findings to other lattice-based schemes and explore potential countermeasures.

A Key-Recovery Side-Channel Attack on Classic McEliece Implementations

In this paper, we propose the first key-recovery side-channel attack on Classic McEliece, a KEM finalist in the NIST Post-quantum Cryptography Standardization Project. Our novel idea is to design an attack algorithm where we submit special ciphertexts to the decryption oracle that correspond to cases of single errors. Decoding of such ciphertexts involves only a single entry in a large secret permutation, which is part of the secret key. Through an identified leakage in the additive FFT step used to evaluate the error locator polynomial, a single entry of the secret permutation can be determined. Iterating this for other entries leads to full secret key recovery. The attack is described using power analysis both on the FPGA reference implementation and a software implementation running on an ARM Cortex-M4. We use a machine-learning-based classification algorithm to determine the error locator polynomial from a single trace. The attack is fully implemented and evaluated in the Chipwhisperer framework and is successful in practice. For the smallest parameter set, it is using about 300 traces for partial key recovery and less than 800 traces for full key recovery, in the FPGA case. A similar number of traces are required for a successful attack on the ARM software implementation.

Analysis of the FO Transformation in the Lattice-Based Post-Quantum Algorithms

Newer variants of the Fujisaki–Okamoto transformation are used in most candidates of the third round of the NIST Post-Quantum Cryptography standardization call in the category of public key encryption schemes. These transformations are applied to obtain a highly secure key encapsulation mechanism from a less secure public key encryption scheme. Furthermore, there are five candidates (three finalists and two alternatives) that passed to the third round of the process and whose security is based in lattice problems. This work analyzes the different ways in which the lattice-based candidates of the NIST call apply the Fujisaki–Okamoto transformation and the particularities of each application. The study of such differences and their repercussion in the design of the proposals will allow a better understanding of the algorithms. Moreover, we propose a modification of the Kyber algorithm—the only public key encryption candidate established as a PQC standard by NIST in its more recent publication—in order to avoid the re-encryption in the decapsulation algorithm and, in this way, to reduce the side channel attacks vulnerability.