The emergence of quantum computers poses a significant threat to the security of conventional public-key cryptosystems, driving the demand for quantum-resistant cryptographic solutions. In response, the National Institute of Standards and Technology (NIST) conducted a multi-year competition, ultimately selecting four algorithms. Among these, Falcon employs cumulative distribution table (CDT) sampling, which produces arrays of random values drawn from a discrete Gaussian distribution during signature generation. This array is then combined with secret key information, forming the core of Falcon. Enhanced variants of Falcon, such as Mitaka, SOLMAE, and Antrag, implement CDT sampling using comparison operations. Previous research by Choi et al. proposed a single-trace analysis and countermeasure for CDT sampling that exploited a non-constant-time vulnerability in 8-bit AVR microcontrollers. However, that vulnerability is specific to certain environments, and a potential vulnerability in comparison-operation-based constant-time CDT sampling remains unstudied. This paper extends that study by investigating the constant-time operation of comparison-operation-based CDT sampling on Arm Cortex-M4-based chips and proposing a deep learning-based side-channel analysis that recovers the sampling values using a novel vulnerability. The proposed model achieves an F1 score of 1.0 and a recovery success rate of 99.97%.
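As an added illustration (not code from the paper, nor from Falcon, Mitaka, SOLMAE or Antrag), the following C program builds a small CDT for a discrete Gaussian and samples from it in two ways: a variable-time table walk that exits early, whose running time depends on the sampled value, and the comparison-based constant-time form the abstract refers to, which always performs the same number of comparisons and derives the result from comparison outcomes alone. The table length (8 entries), the parameter sigma = 1.5, the 32-bit table precision and the xorshift input stream are all constructed for this demo and are not the schemes' real parameters or tables.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Constructed demo parameters: a half-Gaussian on |z| in 0..CDT_LEN-1
 * with 32-bit table entries. Not Falcon's real table or precision. */
#define CDT_LEN 8

/* cdt[i] = round(P(|Z| <= i) * 2^32); the last entry is saturated to UINT32_MAX */
uint32_t cdt[CDT_LEN];

/* exp(x) via its power series, so the demo does not need libm. */
static double series_exp(double x) {
    double a = x < 0 ? -x : x, term = 1.0, sum = 1.0;
    for (int n = 1; term > 1e-18; n++) {
        term *= a / n;
        sum += term;
    }
    return x < 0 ? 1.0 / sum : sum;
}

/* Build the cumulative table for exp(-z^2 / (2 sigma^2)), z = 0..CDT_LEN-1 (tail cut off). */
void cdt_build(double sigma) {
    double mass[CDT_LEN], total = 0.0, acc = 0.0;
    for (int z = 0; z < CDT_LEN; z++) {
        mass[z] = series_exp(-(double)(z * z) / (2.0 * sigma * sigma));
        total += mass[z];
    }
    for (int z = 0; z < CDT_LEN; z++) {
        acc += mass[z];
        double v = (acc / total) * 4294967296.0;
        cdt[z] = (v >= 4294967295.0) ? UINT32_MAX : (uint32_t)v;
    }
    cdt[CDT_LEN - 1] = UINT32_MAX;  /* saturate so every r maps to a valid index */
}

/* Variable-time sampler: the loop stops as soon as r falls below a table entry,
 * so the number of iterations (and hence the running time) reveals z. */
int32_t cdt_sample_vt(uint32_t r, uint32_t sign) {
    int32_t z = 0;
    while (z < CDT_LEN - 1 && r > cdt[z]) z++;
    return sign ? -z : z;
}

/* 1 if a > b, else 0, with no data-dependent branch: b - a wraps exactly when a > b. */
static inline uint32_t ct_gt(uint32_t a, uint32_t b) {
    return (uint32_t)(((uint64_t)b - (uint64_t)a) >> 63);
}

/* Comparison-based constant-time sampler: always CDT_LEN comparisons,
 * z is the count of entries strictly below r, sign is applied by masking. */
int32_t cdt_sample_ct(uint32_t r, uint32_t sign) {
    uint32_t z = 0;
    for (int i = 0; i < CDT_LEN; i++)
        z += ct_gt(r, cdt[i]);
    /* conditional negation without a branch: sign=1 gives -z, sign=0 gives z */
    return (int32_t)((z ^ (0u - sign)) + sign);
}

/* Check both samplers agree on a deterministic xorshift stream (constructed test input;
 * a real sampler would take r and the sign bit from fresh, independent randomness). */
int samplers_agree(uint32_t n) {
    uint32_t s = 0x2545F491u;
    for (uint32_t k = 0; k < n; k++) {
        s ^= s << 13; s ^= s >> 17; s ^= s << 5;
        uint32_t r = s, sign = (s >> 3) & 1u;
        if (cdt_sample_vt(r, sign) != cdt_sample_ct(r, sign)) return 0;
    }
    return 1;
}

int main(void) {
    cdt_build(1.5);
    for (int i = 0; i < CDT_LEN; i++)
        printf("cdt[%d] = %" PRIu32 "\n", i, cdt[i]);
    printf("samplers agree on 100000 constructed draws: %s\n",
           samplers_agree(100000u) ? "yes" : "no");
    return 0;
}
```

The constant-time form removes the iteration-count dependency that the earlier AVR result exploited, which is exactly why it is the interesting target: the abstract's point is that the sampling values can still be recovered from the comparison-based implementation on Cortex-M4 via deep learning-based side-channel analysis, so timing uniformity alone is not sufficient protection for the table walk.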