Physical Security in the Post-quantum Era

Page created by Leonard Lee
 
CONTINUE READING
Physical Security in the Post-quantum Era
Journal of Cryptographic Engineering manuscript No.
                                        (will be inserted by the editor)

                                        Physical Security in the Post-quantum Era
                                        A Survey on Side-channel Analysis, Random Number Generators, and
                                        Physically Unclonable Functions

                                        Sreeja Chowdhury∗ · Ana Covic∗ · Rabin Yu Acharya · Spencer Dupee
                                        Fatemeh Ganji† · Domenic Forte
arXiv:2005.04344v2 [cs.CR] 8 Feb 2021

                                        the date of receipt and acceptance should be inserted later

                                        Abstract Over the past decades, quantum technology              is discussed and compared to attacks launched in the
                                        has seen consistent progress, with notable recent devel-        classic world. Besides, proposals for quantum random
                                        opments in the field of quantum computers. Tradition-           number generation and quantum physically unclonable
                                        ally, this trend has been primarily seen as a serious risk      functions are compared to their classic counterparts and
                                        for cryptography; however, a positive aspect of quan-           further analyzed to give a better understanding of their
                                        tum technology should also be stressed. In this regard,         features, advantages, and shortcomings. Finally, seen
                                        viewing this technology as a resource for honest parties        from these three perspectives, this survey provides an
                                        rather than adversaries, it may enhance not only the            outlook for future research in this direction1 .
                                        security, but also the performance of specific crypto-
                                                                                                        Keywords: Hardware Security, Root-of-Trust, Quantum Com-
                                        graphic schemes. While considerable effort has been de-
                                                                                                        puting, Physically Unclonable Functions, True Random Number
                                        voted to the design of quantum-resistant and quantum-
                                                                                                        Generators, Quantum Random Number Generators, Side-channel
                                        enhanced schemes, little effort has been made to un-
                                                                                                        Analysis
                                        derstanding their physical security. Physical security
                                        deals with the design and implementation of security
                                        measures fulfilling the practical requirements of crypto-
                                        graphic primitives, which are equally essential for clas-       1 Introduction
                                        sic and quantum ones. This survey aims to draw greater
                                                                                                        The omnipresence of computers, computing platforms,
                                        attention to the importance of physical security, with
                                                                                                        and services has been shaping the way that we handle
                                        a focus on secure key generation and storage as well
                                                                                                        various tasks ranging from simple switching to weather
                                        as secure execution. More specifically, the possibility of
                                                                                                        forecasting performed by controllers in modern appli-
                                        performing side-channel analysis in the quantum world
                                                                                                        ances and supercomputers, respectively. For the lat-
                                                                                                        ter purposes, it is widely accepted that several com-
                                        S. Chowdhury, A. Covic, R. Yu Acharya, S. Dupee, and D. Forte   putational problems are fundamentally hard, even for
                                        ∗ These authors have equally contributed to this work.
                                                                                                        modern machines with state-of-the-art computational
                                        Florida Institute for Cybersecurity Research,
                                                                                                        power and resources. With the development of quan-
                                        University of Florida
                                        601 Gale Lemerand Dr, Gainesville, FL 32603                     tum physics, it is claimed that further computational
                                        USA
                                                                                                          1 This is a post-peer-review, pre-copyedit version of an
                                        E-mail: {sreejachowdhury, anaswim, rabin.acharya,
                                        spdupee, dforte}@ufl.edu                                        article published in Journal of Cryptographic Engineering.
                                                                                                        The final authenticated version will be available online at:
                                                                                                        https://doi.org/10.1007/s13389-021-00255-w.
                                        F. Ganji                                                        © 2021 Springer-Verlag GmbH. Personal use of this material is
                                        † Corresponding author
                                                                                                        permitted. Permission from Springer-Verlag GmbH must be ob-
                                        Electrical and Computer Engineering,                            tained for all other uses, in any current or future media, includ-
                                        Worcester Polytechnic Institute                                 ing reprinting/republishing this material for advertising or pro-
                                        100 Institute Road, Worcester, MA 01609-2280                    motional purposes, creating new collective works, for resale or
                                        USA                                                             redistribution to servers or lists, or reuse of any copyrighted com-
                                        E-mail: fganji@wpi.edu                                          ponent of this work in other works.
Physical Security in the Post-quantum Era
2                                                                                              Sreeja Chowdhury∗ et al.

power can be gained through describing the behav-            are difficulties in implementing such generators. One
ior of systems at a higher level of granularity (i.e.,       is how one should examine whether the generator ex-
atomic and subatomic levels), where classical physics        hibits the desired uniformity, which has been addressed
fails [Maslov et al, 2018]. Since the introduction of this   by introducing the notion of “adversarially controlled
idea, it has been doubted whether a practically feasible     sources of randomness” in the literature. In the classic
computational machine operating on quantum princi-           world, this issue has been well studied; however, in a
ples can be built [Ladd et al, 2010; Dyakonov, 2019].        quantum world, more effort must be put into tackling
In spite of all criticisms, the efforts to realize quan-     this problem. More precisely, we are interested in pro-
tum computers have been made progressively, but an           cedures, which can guarantee that the bits produced by
admittedly considerable breakthrough was recently re-        the generator are close to being indistinguishable from
ported in [Arute et al, 2019; Moore, 2019]. Interestingly    uniform bits from the point of view of a quantum ad-
enough, it has been demonstrated that their proposed         versary.
processor, named “Sycamore”, comprised of fast, high-        Secure key generation and storage using phys-
fidelity quantum logic gates can perform a computa-          ically unclonable functions (PUFs): The premise
tional task in 200 seconds, which would take the world’s     underlying the concept of PUFs is that they can gen-
fastest supercomputer 10,000 years to finish.                erate unpredictable and instance-specific random num-
    Perhaps the most drastic consequence of this tech-       bers to offer physically secure key generation and stor-
nological advancement is that now, one of the main           age. In the classic world, after the introduction of the
challenges in the realization of attacks on some of          first PUF, it has become evident that PUFs are vulner-
the cryptographical schemes could be dealt with. More        able to a wide range of attacks covering physical, inva-
specifically, for more than two decades, it has been         sive attacks to non-invasive machine learning (ML) at-
thought that the quantum computers required to run           tacks. Several countermeasures, from structural to pro-
Grover’s and Shor’s algorithms - which can break the         tocol level, have been proposed to increase the security
security of symmetric and public-key cryptography, re-       of PUFs against various types of attacks. Nevertheless,
spectively [Grover, 1996; Shor, 1999] - could not be         when assessing the security of these proposals, the main
practically achievable [Schneier, 2018]. The Sycamore        question to ask is that if they could remain secure in
processor can be seen, of course, as a first step towards    a quantum world. In this regard, not only should new
building powerful quantum computers, which can com-          PUFs be designed and implemented, but also threat
promise the security of cryptographic protocols applied      models and risk assessments of possible attacks have to
in our every-day life. Besides these protocols, other cru-   be considered carefully.
cial questions to ask would be: in the face of quantum-      Secure execution: Nowadays, it is widely accepted
enabled attacks, which physical primitives remain se-        that in the classic world, the general assumption about
cure. In fact, while the impact of the quantum com-          the secure execution of cryptographic implementations
puting paradigm on various cryptographic protocols           has been refuted by mounting numerous attacks. This
and primitives has been intensely studied, its effect on     has initiated a new line of research with the aim of en-
physical security is less well understood. Physical secu-    hancing the design of circuits to minimize side-channel
rity concerns developing measures to meet the needs of       leakages. This direction should be further pursued to in-
cryptographic primitives in practice. More concretely,       vestigate how mathematical algorithms employed in the
such measures should be in place to narrow the gap           side-channel analysis, and in particular, their compu-
between the characteristics of a cryptographic primi-        tational complexity would evolve in a quantum world.
tive implemented in reality and what is assumed about        This is indeed a crucial step to provide a better un-
that cf. [Maes, 2013]. For these physical measures, re-      derstanding of the attacker’s capabilities in the post-
ferred to as “Root-of-Trust” (ROT), in the face of at-       quantum era.
tacks becoming feasible in the post-quantum era, the             So far, we mainly emphasize how an adversary
physical-security assessment should be revisited. Par-       equipped with quantum technology can compromise the
ticularly, the following objectives are essential for such   security of physical primitives and RoTs. It is equally
an evaluation (see Figure 1).                                important to understand how this technology can en-
Secure key generation: True random number gener-             hance security by accomplishing tasks that cannot be
ators (TRNGs) are one of the most well-acknowledged          performed in the classic world. In this case, quantum
and promising candidates introduced to harvest ran-          computers are not our main focus, but quantum de-
dom numbers from physical sources of randomness. Al-         vices, in particular, RoTs that take advantage of en-
beit being trusted to generate random numbers with           hanced properties offered by quantum physics. In other
high quality (i.e., being uniformly distributed), there      words, providing the same functionality as their clas-
Physical Security in the Post-quantum Era
Physical Security in the Post-quantum Era                                                                                      3

                                                                  In our survey, after discussing how cryptography has
                                                              been leveraging the advantages of quantum technology
                                                              in Section 2, Sections 5–3 describes the recent develop-
                                                              ments in physical security and RoTs. In each of these
                                                              sections, a taxonomy is proposed, which reflects the
                                                              nature of existing methods in terms of how quantum
                                                              technology enables us to either enhance or assess the
                                                              security. In the latter case, we primarily look into at-
                                                              tacks that can be launched thanks to the progress made
                                                              in quantum technology. Finally, Section 6 expands on
                                                              lessons learned and future directions in this area of re-
Fig. 1: The tree-of-trust built on a root-of-trust (RoT).     search.
RoT plays an important role in fulfilling the objec-
tives of physical security. These objectives include se-
cure key generation and storage as well as secure             2 Quantum Computing for Cryptography: A
execution, i.e., (ideally) eliminating certain physical       Brief Overview
side-channels [Maes, 2013]. Some examples of RoTs
are PUFs, TRNGs, and side-channel-resistant schemes.          As briefly discussed in Section 1, even carefully-chosen
Note that side-channels can be leaked at different levels     cryptosystems devised for day-to-day applications in
of the tree-of-trust, e.g., interpreter-level side-channels   the classic world could be susceptible to attacks, which
and timing side-channel leaked from a client and an           become feasible in the quantum world. These attacks
algorithm in software, respectively [Verbauwhede and          can be seen as immediate consequences of the develop-
Schaumont, 2007]. Nevertheless, in this survey, we are        ment of quantum computers with more computational
interested in physical side-channels.                         power than their classical counterparts. The advantages
                                                              of quantum technology are, however, not limited to this
sical counterparts, quantum-enhanced RoTs should ex-
                                                              since it can be applied to equip honest parties2 with
hibit better features, e.g., security or efficiency. One
                                                              quantum-enhance devices to obtain significant improve-
popular example of such RoTs is quantum random num-
                                                              ment in comparison to a classical setting. This section
ber generation through key expansion, made possible
                                                              deals with the effects that quantum technologies have
in the quantum world (see, Section 4 for more details).
                                                              on the design of such devices as well as attacks against
The implementation of quantum-enhanced RoTs gains
                                                              cryptosystems.
pace thanks to various innovative products that should
rely on the security of these primitives.
A brief overview and the organization of the                  2.1 Quantum Computing against Classical Schemes
paper: By drawing attention to the positive side and
negative side of the quantum technology for physical          The practicality of our most common cryptographic
security, this survey investigates the state-of-the-art       schemes, i.e., RSA, Diffie-Hellman, and Elliptic curve
techniques proposed in the literature. Before giving an       cryptography (ECC), relies on the difficulty of two
overview of the content of each section, we stress that       problems: the factoring problem and the discrete loga-
the goal of our survey covers neither an inclusive list of    rithm problem [Li et al, 2016]. While factoring and dis-
all studies in quantum cryptosystem nor the detailed          crete logarithms are not in themselves interesting prob-
design of systems developed to enhance the physical se-       lems, they have been found to be crucial for public-key
curity in both of the classic and quantum world. Yet,         cryptography. This application, in turn, remains suffi-
our survey aims at examining the research landscape           ciently secure as far as the mathematical problems un-
in physical security and strengthening research in this       derlying their design remain difficult. In other words,
direction. In this regard, it forms the basis for a sys-      the computational-power requirements of established
tematic and comprehensive study on specific aspects           cryptographic algorithms prevent attackers from steal-
of physical security in the quantum era, namely secure        ing our data and allowing the security of public-key
key generation and storage as well as secure execution.       systems and privacy of transactions for all. However,
For excellent surveys covering a broader spectrum of          it is known that the advent of certain quantum algo-
research areas related to cyber-security and quantum          rithms has theoretically transformed the exponential
cryptosystems, we refer the reader to [Mosca, 2018;              2 In this survey, as usually mentioned in cryptography-related
Wallden and Kashefi, 2019; Nejatollahi et al, 2019], just     literature, we refer to users and attackers as honest and malicious
to name a few.                                                parties, respectively.
Physical Security in the Post-quantum Era
4                                                                                            Sreeja Chowdhury∗ et al.

time complexity of these cryptographic schemes; hence,      1965]. This behavior of quantum states has been val-
they cannot be assumed secure in the quantum world.         idated experimentally, e.g., in the Stern and Gerlach
    Notable quantum algorithms, which cause these se-       experiment performed in 1922, which explained the
curity concerns, are Shor’s algorithm and Grover’s al-      quantum property of spin in an electron [Gerlach and
gorithm [Shor, 1999; Grover, 1996]. Shor found a clever     Stern, 1922]. The existence of such two-state systems
way to factor numbers in O((log N )3 ), and Grover en-      has an important implication as they can also be seen as
hanced a brute force search√ in a database with N en-       qubits, the basic unit of data generated using quantum
tries such that it takes N operations. Thus, Shor’s         technology. It must be noted that though a qubit may
algorithm weakens RSA, Diffie-Hellman, ECC, and any         exist in a combination of states, yet after measurement,
cryptosystem that relies on the aforementioned factor-      it results in any one of the two possible outcomes. This
ing and discrete-log problems, while Grover’s algorithm     result remains unchanged even after repeated measure-
greatly improves the attackers’ efficiency in tasks such    ments as long as the procedure of measurement remains
as password cracking, see Figure 2. Therefore, the de-      unchanged.
sign of cryptographic schemes that rely on the factoring        This should not be confused with the concept of
and discrete logarithm problems should be revisited.        “entanglement” referring to a particle with individual
    There are, however, protocols that remain               states that cannot be defined independently, i.e., de-
“quantum-proof” such as lattice-based cryptogra-            pending on the state of other particles- even if be-
phy, code-based cryptography, and multivariate              ing spread far apart [Leighton and Sands, 1965]. This
cryptography [Chen et al, 2016; Campagna et al, 2015;       means that measurements on the state of one entan-
Perlner and Cooper, 2009]. In order to fully enjoy          gled particle affect the state of all of its entangled
the advantages associated with these protocols, huge        particles. Interestingly enough, this characteristic has
obstacles to making them practical solutions should         found applications in quantum cryptography, partic-
be overcome. First and foremost, the adversary model        ularly quantum key distribution. More concretely, in
in the realm of post-quantum cryptography should be         1984, Charles H. Bennett and Gilles Brassard theorized
well defined. The fact that adversaries might benefit       a way of information-theoretically secure communica-
from quantum technology, even in the future, makes          tion in a quantum system [Bennett and Brassard, 1984].
it impossible to neglect the importance of defining         Their protocol, called BB84, has proposed a quantum
precise adversary models [Hsu, Jeremy, 2019]. The           key distribution (QKD), where one can create a key
second issue is related to determining the level of         from qubits and transmit it to another user.
security that we expect from a cryptosystem. This               Such a quantum key has some important proper-
level can be further translated to the key length,          ties: first, it is harvested from a truly random source
the time required to compromise the security of this        because of the randomness inherent in the measure-
key, and the time needed to implement a system to           ment of unpolarized qubits along an axis. Secondly, if
offer this level of security [Mosca, 2018]. Last but not    an eavesdropper attempts to read a quantum key, the
least, in line with the latter problem, post-quantum        interaction with the key’s state is guaranteed to cause
cryptographic schemes should be developed that              noticeable change, therefore providing verification that
achieve high efficiency and security simultaneously, see,   the key is secure – something which is proven mathe-
e.g., [National Institute of Standards and Technology,      matically (a corollary of the no-cloning theorem [Woot-
2019]. The next section is devoted to this matter.          ters and Zurek, 1982]), and is not possible in classical
                                                            computing.
                                                                Let us consider this protocol as an example of how
2.2 Benefits of Quantum Computing for Cryptography          quantum-enhanced cryptosystems can be realized in
                                                            practice, thereby making the following observations.
The danger of quantum computing is much publicly            First, implementation of such a QKD system suffers
advertised; however, quantum technology is not simply       from a stability problem – qubits by nature are very
restricted to methods of attacks. The quantum tech-         unstable. Hence, if the system is not robust enough, it
nology has two further useful properties in the context     cannot be said with certainty whether a change in state
of cryptography: truly random processes and tamper-         was due to eavesdropping or system instability. This is-
evident states. This positive side of this technology can   sue has been studied and resolved (to some extent), see,
be traced back to the introduction of two-state quan-       e.g., [Asaad et al, 2020], resulting in further advance-
tum systems, whose quantum states can be seen as the        ment in quantum cryptosystems [Wallden and Kashefi,
quantum superposition of two independent, physically        2019; Dowling and Milburn, 2003]. Second, similar to
distinguishable quantum states [Leighton and Sands,         various other types of cryptosystems, a QKD relies on
Physical Security in the Post-quantum Era                                                                               5

Fig. 2: Taxonomy of post quantum-cryptographic schemes. While quantum computation offers advantages in several
useful applications, it can be misused by adversaries attempting to break the security of cryptographic primitives.
In this regard, compared with the best classical computers, quantum computers facilitate running algorithms and
conducting analysis, e.g., side-channel analysis.

the quality of the randomness source, from which the             tacks, which are modeled as black-box attacks, adver-
keys are extracted. Validation of this assumption is ab-         saries during SCA have access to the “grey” box [Li
solutely vital; otherwise, keys used in such a system can        et al, 2016], in which internal physical quantities are
be prone to attacks (e.g., guessing). As a prime example         observed and analyzed for the key extraction [Li et al,
of this, the security and applicability of a cryptosystem        2016]. Side-channel is performed in two steps. Firstly,
presented in [Di Falco et al, 2019] has been questioned,         physical leakage of each query performed on crypto-
partly due to the randomness source suggested in that            graphic implementation needs to be turned into prob-
study [Hsu, Jeremy, 2020]. Therefore, an important goal          ability and score vectors [Standaert, 2010]. This infor-
for future research is to sharpen our understanding of           mation is valuable because further key extraction can
the conditions that ensure adequate security so that             be performed. The second step is to sort information
quantum cryptosystems can achieve a high level of reli-          and search over every individual key until the entire
ability and security. In this respect, it is critical that the   key is completed and extracted [Standaert, 2010; Taha
objectives of physical security are also achieved for such       and Eisenbarth, 2015]. The more complex or noisy the
cryptosystems, e.g., quantum bit commitment, quan-               leaky data is, the more difficult the side-channel attack
tum coin-flipping, quantum fingerprints, quantum data            becomes to perform [Standaert, 2010].
hiding, quantum authentication, and encryption. These
applications share some commonalities: (1) for them,
the quantum technology has inherent advantages over              3.1 SCA in Classic World
classical protocols, and (2) they may need secure key
generation and storage as well as secure execution. The          SCA and its countermeasures belong to a mature field,
next sections (Section 5-3) describe methods and appa-           which has been investigated for more than twenty
ratus developed for this purpose.                                years [Li et al, 2016]. A high-level overview of SCA has
                                                                 been reported in [Fan and Verbauwhede, 2012]. Further,
                                                                 numerous literature overviews of side-channel attacks
3 Side-Channel Analysis                                          have been reported over the years, such as [Li et al,
                                                                 2016; Le et al, 2008; Fan and Verbauwhede, 2012; Spre-
Side-channel attacks (SCA) have been a prominent                 itzer et al, 2017; Narain et al, 2014]. SCAs are mainly
method of extracting sensitive data from cryptographic           separated into two categories based on the type of ex-
elements of the chip in the classic world. Such attacks          ploited information: physical and logical. Physical at-
exploit physical vulnerabilities in the hardware implementation rather than flaws in the mathematical structure of the algorithm. Compared to cryptographic at-

[…]

tacks obtain information found from physical features of the device [Fan and Verbauwhede, 2012], such as power consumption and electromagnetic emissions. In contrast, logical attacks gain information from properties of the running software, such as data-usage statistics [Fan and Verbauwhede, 2012] and the data footprint, which can be exploited through cold boot attacks [Villanueva-Polanco, 2019] (see Figure 1).

Fig. 3: Comparison between side-channel attacks on (a) classical cryptographic algorithms and (b) post-quantum cryptographic algorithms. The adversary (Eve) needs to be able to control the circuit and has access to the inputs and to the data leakage. In (a) the dependency between the secret key and the input data is more apparent than in (b), where the adversary must put additional effort into finding the key-dependent data needed for SCA.

This survey focuses on physical side-channel attacks, which can be categorized into invasive, semi-invasive, and non-invasive attacks, as shown in Figure 4. An invasive side-channel attack destroys the physical packaging of the integrated circuit while maintaining its functionality; the device cannot be returned to its original state. Semi-invasive attacks require backside decapsulation, after which the attacker can perform photonic analysis [Tajik et al, 2017b], optical contactless probing [Tajik et al, 2017a] or laser stimulation [Lohrke et al, 2018]. Finally, in a non-invasive attack the attacker only observes physical parameters produced while the system is running, without affecting the IC package. As discussed in the last section, such attacks can be active or passive.

The most abundant attacks reported are non-invasive attacks. While there have been "exotic" means of executing such attacks, using acoustics [Deepa et al, 2013; Narain et al, 2014; Gupta et al, 2016] or light [Spreitzer, 2014] to produce useful data, the most versatile parameters for attacking the security of a chip are timing, power consumption, and electromagnetic (EM) emissions [Narain et al, 2014]. Power Analysis (PA) is a pioneering method in SCA, and most of the techniques used to analyze power traces can also be applied to data collected through EM. The taxonomy in Figure 4 further categorizes these attacks into profiled and non-profiled attacks [Le et al, 2008]. Profiled attacks model the device implementation, either by analyzing a large number of traces from a reference device, as in the Template attack, or through a pre-defined noise model with a pre-defined leakage function, as in the Stochastic attack [Le et al, 2008] or the Linear Regression attack [Fu et al, 2017]. Non-profiled attacks such as Partitioning PA, Differential PA, Simple PA, and Correlation PA [Le et al, 2008] do not rely on modeling a reference device. The main building blocks of the attacks mentioned above are illustrated in Figure 3. As depicted in this figure, SCAs performed in the classic and quantum worlds share various similarities; however, due to their differences in nature, SCA in the quantum world should be considered in further detail, as explained below.
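The profiled attack described above (a Template attack built from many traces of a reference device) next to the leakage model that a non-profiled attack would use, as an added Python simulation that is not code from the survey or from any of the cited works. It assumes a single leaking sample per trace, Hamming-weight leakage with Gaussian noise, and the toy intermediate c * s mod q (a known value times a small secret coefficient); the modulus, noise level and hypothesis set are assumptions, and every trace is constructed inline rather than measured.

```python
"""Profiled side-channel attack: Gaussian templates built on a reference
device with a known secret, then used to classify a few target traces.
A non-profiled CPA on the same leakage needs no reference device but
many more traces."""
import math
import random

Q = 4591        # assumed odd modulus; the target intermediate is c * s mod Q
SIGMA = 1.0     # assumed noise level of the constructed measurements


def hw(x: int) -> int:
    """Hamming weight of the intermediate value (the leakage model)."""
    return bin(x).count("1")


def leak(value: int, rng: random.Random) -> float:
    """Constructed one-sample 'trace': HW of the value plus Gaussian noise.
    Stands in for a real measurement at the point of interest."""
    return hw(value) + rng.gauss(0.0, SIGMA)


def build_templates(rng: random.Random, n_profile: int = 3000,
                    min_samples: int = 10) -> tuple:
    """Profiling phase.  The attacker drives a reference device with
    ciphertexts and secrets of their choosing, groups the observed leakage
    by the HW class of the intermediate, and fits one mean per class plus
    a pooled variance.  Classes with too few samples are left out and fall
    back to the plain HW model at classification time.
    Returns ({hw_class: mean}, pooled_variance)."""
    buckets = {}
    for _ in range(n_profile):
        c, s = rng.randrange(Q), rng.choice((-1, 0, 1))
        v = (c * s) % Q
        buckets.setdefault(hw(v), []).append(leak(v, rng))
    means = {k: sum(xs) / len(xs)
             for k, xs in buckets.items() if len(xs) >= min_samples}
    resid = [(x - means[k]) ** 2
             for k, xs in buckets.items() if k in means for x in xs]
    return means, sum(resid) / len(resid)


def template_attack(templates: tuple, cts: list, samples: list,
                    hypotheses=(-1, 0, 1)) -> int:
    """Attack phase on the target device: for each hypothesis s', sum the
    Gaussian log-likelihood of every target sample under the template of
    HW(c * s' mod Q); the most likely hypothesis is the recovered secret."""
    means, var = templates
    best, best_ll = None, -math.inf
    for h in hypotheses:
        ll = 0.0
        for c, x in zip(cts, samples):
            k = hw((c * h) % Q)
            mu = means.get(k, float(k))      # fallback: plain HW model
            ll += -0.5 * (math.log(2 * math.pi * var) + (x - mu) ** 2 / var)
        if ll > best_ll:
            best, best_ll = h, ll
    return best


def demo(n_target: int = 12, seed: int = 3) -> tuple:
    """Profile once, then attack three targets whose secret coefficient is
    -1, 0 and 1 using only n_target traces each.
    Returns pairs (true secret, recovered secret)."""
    rng = random.Random(seed)
    templates = build_templates(rng)
    results = []
    for secret in (-1, 0, 1):
        cts = [rng.randrange(Q) for _ in range(n_target)]
        samples = [leak((c * secret) % Q, rng) for c in cts]
        results.append((secret, template_attack(templates, cts, samples)))
    return tuple(results)


if __name__ == "__main__":
    for true_s, found in demo():
        print(f"secret {true_s:+d} -> recovered {found:+d}")
```

With the templates in hand, a dozen target traces are enough to decide among the three hypotheses, because each trace contributes a likelihood rather than one point of a correlation estimate; the price is a profiling device whose secret the attacker controls, which is exactly the assumption non-profiled attacks avoid.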
Fig. 4: Taxonomy of side-channel analyses in classical and quantum computing settings. Physical side-channel attacks on classical algorithms are shown in blue; attacks on quantum-resistant algorithms, as well as attacks by quantum algorithms, are shown in orange.

3.2 SCA in Quantum World

While the development and design of SCA and of countermeasures against SCA on pre-quantum classical algorithms have been the most explored topics in this field, SCAs in the quantum world have been researched on two fronts. Firstly, side-channel attacks in the quantum world became a point of interest for many researchers after the 2016 National Institute of Standards and Technology (NIST) call for post-quantum algorithms resistant to quantum computer attacks; the susceptibility of these algorithms to side-channel attacks has been investigated as a consequence of the development of quantum algorithms. The second front uses the runtime and space-usage advantages of quantum algorithm speed-ups on quantum computers [Montanaro, 2016] to launch side-channel attacks on classical computation. The following sections provide a detailed overview of post-quantum algorithms, followed by the side-channel attacks on them.
3.2.1 Post-quantum Cryptographic Algorithms

Today's core cryptosystems, including public-key encryption, digital signatures, and key exchange, are mainly based on Diffie-Hellman key exchange, the RSA (Rivest–Shamir–Adleman) public-key cryptosystem, DSA (Digital Signature Algorithm) and elliptic curve cryptosystems [Alagic et al, 2019]. Since quantum algorithms provide at least a quadratic and at most an exponential speed-up of computation, RSA, DSA, and elliptic curve cryptosystems will no longer be secure once a large-scale quantum computer is built [Alagic et al, 2019]. However, symmetric encryption and hash functions will remain safe in the post-quantum era, because an exponential speed-up is not achievable against them; quantum search offers only a quadratic speed-up, which larger key and digest sizes compensate [Alagic et al, 2019]. The algorithms most promising against quantum computing are based on lattice, code, hash, and multivariate public-key problems. These algorithms are introduced below.

Lattice-based algorithms are considered promising due to their security under worst-case hardness assumptions and their simple construction. They are based on the shortest vector problem (SVP) in a lattice, as well as on the ring learning with errors (R-LWE) problem, whose hardness is supported by a worst-case reduction from approximate SVP on ideal lattices (exact SVP is NP-hard under randomized reductions). Examples of lattice-based algorithms are NTRU, BLISS, ring-TESLA, GLP, and LAC [Bindel et al, 2016; Espitau et al, 2017; D'Anvers et al, 2019], which are based on R-LWE, the ring short integer solution (R-SIS) problem, and the decisional compact knapsack (DCK) problem [Bindel et al, 2016]. The original NTRU algorithm, consisting of NTRUSign and NTRUEncrypt, turned out to be susceptible to various attacks [Espitau et al, 2017], but its variant NTRU Prime is still a candidate in the second round of NIST standardization. A further scheme attacked alongside LAC, and grouped with the lattice schemes in Table 1, is Ramstake [D'Anvers et al, 2019]; it relies on the Mersenne Low Hamming Combination assumption and uses an error-correcting code.

NTRU operations are based on truncated polynomial rings. Compared to the original NTRU, which consists of three stages (key generation, encryption, and decryption), there are two mechanisms for encryption in NTRU Prime: Streamlined NTRU Prime and NTRU LPRime, where the latter shares similarities with R-LWE schemes. NTRU Prime is exploited through the leakage of the polynomial multiplication of the private key by the known ciphertext in the product-scanning method [Huang et al, 2020]. The original version of NTRU was shown to be insecure because of vulnerabilities arising from the use of hash functions in the encryption/decryption phases.

Learning-with-errors-based algorithms, e.g., FRODO, and the R-LWE-based NewHope have been attacked by differential power analysis. These schemes rely on a mathematically hard problem in which the goal is to distinguish learning-with-errors samples from uniformly random samples. BLISS, which partially depends on R-LWE, has been exploited through electromagnetic emission analysis [Espitau et al, 2017] and fault injection [Bindel et al, 2016]. In addition to BLISS, ring-TESLA and GLP have also been attacked by fault injection [Bindel et al, 2016]. LAC is attacked by a timing attack in [D'Anvers et al, 2019]. [Aysu et al, 2018] observe that in FRODO and NewHope the intermediate values of the matrix and polynomial multiplications depend on sub-keys: the intermediate values of the polynomial multiplication in NewHope depend on the coefficients of the secret polynomial, while in FRODO the intermediate values of the matrix multiplication depend on the entries of the secret matrix. BLISS, ring-TESLA, and GLP contain an important rejection-sampling step, which makes the distribution of the produced signatures independent of the secret key. All three algorithms share the following flow: firstly, the secret key and other variables are sampled and transformed into the public key. The message is hashed with the public key, either directly or after additional manipulation. The signature consists of two polynomials. Rejection sampling is applied and one polynomial is compressed, yielding a signature that is independent of the secret key. In the verification phase, the sizes of the compressed and uncompressed polynomials are checked against their bounds, and the hash value recomputed from the polynomials and the message must equal the one carried in the signature.

LAC consists of a key encapsulation mechanism (KEM) and a public-key encryption (PKE) scheme. The PKE consists of key generation, encryption, and decryption algorithms. In the KEM, the key is created by expanding a seed into a polynomial that is sampled uniformly at random from a pseudo-random generator. The error-correction capability of this scheme depends on the deterministic derivation of the error-correcting values from the uniform random seed. Ramstake depends on Mersenne primes p = 2^n - 1, for which reduction modulo p does not increase the Hamming weight of sums and products of low-Hamming-weight operands; this is the property behind the Mersenne Low Hamming Combination assumption.

The code-based McEliece scheme, which has not been mathematically broken since its introduction in the 1970s, is based on the hardness of decoding a random linear error-correcting code, i.e., the Syndrome Decoding problem, which is known to be NP-hard [Singh, 2019]. It requires large keys and has been primarily used for encryption. Multiple optimized McEliece variants have been demonstrated with the primary goal of faster encryption [Seho Myung et al, 2005], such as quasi-cyclic low- and moderate-density parity-check codes (QC-LDPC and QC-MDPC, respectively) in the McEliece scheme. The security of the original scheme is based on the Syndrome Decoding problem and the Goppa Code Distinguishing problem.

In classical McEliece, the private key consists of a parity-check matrix, a "scrambling" matrix, and a permutation matrix. Encryption is done by adding an error vector to the transformed plaintext. The first step of decryption creates a codeword by multiplying the ciphertext with the (inverse) permutation matrix. Further decryption is then done by the Patterson algorithm, which starts from the syndrome of the codeword. The syndrome is obtained by multiplying the codeword with the transpose of the parity-check matrix, in two steps: the syndrome is initialized as a zero vector, and the algorithm then iterates over the bits of the codeword; for every i-th bit equal to 1, the i-th row of the transposed parity-check matrix is added (XORed) to the syndrome vector. The next step transforms the syndrome vector into the syndrome polynomial. For the remaining decoding, the Patterson algorithm uses a polynomial root-finding algorithm and the Extended Euclidean Algorithm (XGCD). Finally, the error positions are found by solving the key equation, and the plaintext is obtained by multiplying the corrected message with the inverse of the "scrambling" matrix.

In QC-LDPC and QC-MDPC McEliece, the private key does not contain a permutation matrix; instead it contains a matrix Q with a small number of 1s in every row. A code like this has no algebraic structure. With the sparse parity-check matrix, error correction during decryption is efficient [Misoczki et al, 2013]. During the decryption phase of QC McEliece, the bit-flipping algorithm is used: it computes the syndrome, counts the number of unsatisfied parity-check equations associated with every bit, and flips each bit involved in more unsatisfied equations than a threshold; the syndrome is then recomputed, and the process repeats until the syndrome becomes zero. However, if the implemented design stops the algorithm after a fixed number of iterations, a decoding failure can occur. The number of iterations and the occurrence of failures depend on the secret parity-check matrix, which is the leakage the timing attacks in Table 1 exploit.

Hash-based algorithms are used for digital signatures, and their security relies on the security of the underlying hash function and/or the binary hash-tree structure [Kannwischer et al, 2018]. A binary hash tree combines multiple one-time signature key pairs, and the scheme can be stateful or stateless, depending on whether the secret key is updated after each signature. XMSS is a stateful digital signature scheme that is being standardized [Kannwischer et al, 2018]. During XMSS key generation and tree generation, the public key is created from a seed produced by a PRNG. Signing uses the W-OTS+ one-time signature scheme. Compared to XMSS, SPHINCS is a stateless scheme which, in addition to W-OTS+, uses the HORST few-time signature scheme; the few-time key pair used to sign a message is selected pseudo-randomly [Kannwischer et al, 2018]. Side-channel attacks on hash-based post-quantum algorithms are rarely performed compared to those on lattice- and code-based schemes, but [Kannwischer et al, 2018] and [Castelnovi et al, 2018] proposed DPA and fault-injection attacks, respectively.

Multivariate Public Key Cryptosystems (MPKC) rely on the NP-hard problem of solving a system of multivariate quadratic polynomial equations over a finite field. Various MPKC schemes have been proposed, but the most promising and fastest ones come from the step-wise triangular system family [Yi and Li, 2017]: Rainbow, Unbalanced Oil and Vinegar (UOV), the Tame Transformation Signature (TTS) and its enhanced version enTTS. The digital signature scheme enTTS is believed to be the fastest; it works with 20-byte hashes and 28-byte signatures over GF(2^8), as reported in [Yi and Li, 2017]. The main building blocks of enTTS are small secret multivariate polynomials and linear maps. Most coefficients are zero, and no monomial occurs twice. The central map consists of three layers [Czypek, 2012]. To generate an enTTS signature, the hashed message goes through affine transformations (matrix-vector multiplications and vector additions), polynomial evaluation (element multiplications), and the solving of a system of linear equations [Yi and Li, 2017].

3.2.2 SCA on Post-quantum Cryptographic Schemes

As shown in Table 1, the side-channel attacks reported against post-quantum schemes are non-invasive, and they exploit power leakage, electromagnetic emissions, and timing leakage. Fault analysis (FA) is the one active attack among them: the attacker deliberately perturbs the computation and observes the resulting faulty behavior of the system, whereas power, EM and timing attacks only passively observe it. The power analysis (PA) attacks launched against post-quantum schemes are differential PA, correlation PA, and simple PA.

Differential Power Analysis (DPA) is a statistical attack that analyzes the power consumption measured in traces of a cryptographic implementation. The attacked quantities are intermediate values that can be expressed as a function of the secret key and a known value. The attacker often uses the Hamming Weight (HW) or Hamming Distance (HD) model to predict power consumption: HD models leakage as the number of bits that switch between two consecutive states, while HW models leakage as the number of set bits in the processed data. The attacker then uses a statistical tool to compute the correlation between the predictions and the acquired power traces. DPA vulnerabilities of the post-quantum crypto schemes are discussed below and summarized in Table 1.

Table 1: Summary of physical attacks on post-quantum cryptographic algorithms (PQCA). Each entry gives the type of SCA, the reference and the degree of success. TA: Timing Attack; FA: Fault Analysis; PA: Power Analysis; SPA: Simple PA; DPA: Differential PA; CPA: Correlation PA; OTA: Online Template Attack; EMA: Electromagnetic Emissions Analysis.

Code-based algorithms

  McEliece
    TA    [Strenzke et al, 2008]          Theoretical analysis of an attack on the degree of the error locator polynomial.
    TA    [Strenzke, 2010]                Theoretical analysis of the secret permutation that decreases the cost of brute-force secret key recovery, with a proof-of-concept implementation.
    TA    [Shoufan et al, 2010]           Experimental ciphertext recovery.
    TA    [Avanzi et al, 2011]            Improved theoretical analysis of [Strenzke et al, 2008].
    TA    [Strenzke, 2013]                Experimental recovery of secret information: the zero element, linear and cubic equations.
    FA    [Cayrel and Dusart, 2010]       Theoretical analysis of fault injection sensitivity.
    SPA   [Heyse et al, 2010]             First experimental recovery of the Goppa polynomial required for secret key extraction, on an 8-bit AVR microprocessor.
    SPA   [Molter et al, 2011]            Experimental ciphertext recovery from an FPGA implementation of the XGCD algorithm.
    SPA   [von Maurich and Güneysu, 2014] Experimental recovery of the 80-bit private key and the secret message from STM32F4 Discovery Board and Atmel AVR XMEGA-A1 Xplained Board implementations.
    SPA   [Richmond et al, 2015]          Experimental analysis of the matrix multiplication in the syndrome computation, implemented on an ARM Cortex-M3, which is required for permutation matrix recovery.
    DPA   [Petrvalsky et al, 2016]        Experimental recovery of a 64 by 64 permutation matrix from an ARM Cortex-M3.

  QC-LDPC/MDPC
    TA    [Santini et al, 2019]           Theoretical model of partial key recovery.
    TA    [Eaton et al, 2018]             Theoretical and experimental key recovery that does not depend on the decoding failure rate, using 2^20 samples for an 80-bit key, 2^23 samples for a 128-bit key and 2^25 samples for a 256-bit key.
    DPA   [Chen et al, 2015]              Experimental full key recovery from the FPGA implementation presented at the Design, Automation and Test in Europe Conference 2014.
    DPA   [Rossi et al, 2017]             Experimental partial key recovery on the ChipWhisperer evaluation platform, followed by full key recovery by solving a system of noisy binary linear equations.
    DPA   [Sim et al, 2019]               Experimental full key recovery from a 32-bit processor, eliminating the need to solve the linear equations of [Rossi et al, 2017].
    SPA   [Fabsic et al, 2016]            Theoretical full key recovery analysis.
    SPA   [Sim et al, 2019]               Experimental full key recovery from a 32-bit processor, breaking the countermeasure proposed by [Rossi et al, 2017].

Lattice-based algorithms

  NTRU Prime
    CPA   [Huang et al, 2019]             Theoretical and practical analysis of the polynomial multiplication needed for full key recovery, implemented on an STM32F303RCT7 32-bit microcontroller.
    CPA   [Huang et al, 2020]             Experimental secret key recovery from the polynomial multiplication of Cortex-M4 implementations.
    OTA   [Huang et al, 2020]             Experimental recovery of the full private key from the Cortex-M4 board implementation.

  NTRUEncrypt
    TA    [Silverman and Whyte, 2006]     Theoretical and experimental analysis of partial secret key recovery.

  NewHope, FRODO
    SPA   [Park and Han, 2016]            Experimental full secret key recovery from R-LWE-based schemes implemented on an 8-bit microcontroller.
    DPA   [Aysu et al, 2018]              Experimental full secret key recovery from a SAKURA-G FPGA board implementation with a 99% success rate.

  LAC
    TA    [D'Anvers et al, 2019]          Experimental full secret key recovery in under 2 minutes using fewer than 2^16 queries.

  BLISS
    EMA   [Espitau et al, 2017]           Experimental full secret key recovery on an embedded 8-bit AVR implementation.
    FA    [Bindel et al, 2016]            Theoretical fault sensitivity analysis of the implemented algorithm.

  ring-TESLA, GLP
    FA    [Bindel et al, 2016]            Theoretical fault sensitivity analysis of the implemented algorithms.

  Ramstake
    TA    [D'Anvers et al, 2019]          Experimental full secret key recovery in under 2 minutes using approximately 2400 decryption queries.

Hash-based algorithms

  SPHINCS
    DPA   [Kannwischer et al, 2018]       Theoretical partial secret key recovery from a simulated implementation.
    FA    [Castelnovi et al, 2018]        Theoretical partial secret key recovery from multiple compelled signatures.
    FA    [Genêt et al, 2018]             Experimental analysis of the theoretical attack of [Castelnovi et al, 2018], implemented on an Atmel ARM-based SAM3X8E, with over 30% success probability from 64 forgery attempts.

  XMSS
    DPA   [Kannwischer et al, 2018]       Unsuccessful theoretical key recovery.

MPKC-based algorithms

  UOV, Rainbow
    FA    [Hashimoto, 2013]               Theoretical analysis of partial key recovery.
    CPA   [Park et al, 2018]              Experimental full secret key recovery from an 8-bit AVR microcontroller with the help of an algebraic key recovery attack.

  TTS
    FA    [Hashimoto, 2013]               Theoretical analysis of partial key recovery.

  enTTS
    DPA, FA [Yi and Li, 2017]             Theoretical analysis of partial key recovery from a naive Application Specific Integrated Circuit (ASIC) implementation.

– Code-based algorithms: DPA usually attacks an intermediate value that is a function of known data and the secret key. This dependency is not straightforward in the classical McEliece scheme. The syndrome was thought to be the variable to attack, but the ciphertext only directs how the syndrome is computed from the parity-check matrix and does not itself appear in it. The DPA attack on classical McEliece in [Petrvalsky et al, 2016] is therefore launched on the bit permutation of the ciphertext. The HW model is applied to individual bits, and correlation analysis must be performed for each input bit. The permutation matrix is recovered by comparing the known ciphertext and the permuted ciphertext with the correlation peaks of each measurement; one measurement corresponds to one row of the permutation matrix. In QC McEliece schemes, however, DPA is performed on the syndrome computation, because the parity-check matrix is sparse and every row carries the same information as the previous one rotated by one bit [Chen et al, 2015].

  The DPA methodology against the constant-time multiplication that forms the syndrome [Sim et al, 2019] splits the attack position into two parts, word rotation and bit rotation, which compute different parts of the parity-check matrix. Constant-time masked

[…]

  tiple bit-shift instructions, a multiple-trace attack is performed to recover the correct secret indices from a large number of possible candidates. The multiple-trace DPA methodology splits the attack position into two parts. In the first part, masking is performed with all ones or all zeroes; here the power consumption at each point is modeled as the sum of a data-dependent component and Gaussian noise. Modeling the data-dependent component with HW gives a linear relationship between the total power consumption and the HW-modeled value, and the Pearson correlation coefficient between the two recovers the first part of the correct indices. In the second part, CPA is performed to find the remaining correct indices through the bit rotation.

– MPKC algorithms: DPA on MPKC recovers the secret affine map by targeting the matrix-vector product, as for the Rainbow and UOV schemes in [Park et al, 2018]. The hurdle in this attack is that neither the intermediate values nor the vector that multiplies the secret affine map is known. However, if the scheme is implemented with a specific key structure [Park et al, 2018], CPA can be performed to extract the values of the secret affine map. [Park et al, 2018] launched the attack on an 8-bit AVR microcontroller, recovering the full secret key (see Table 1). The DPA attack on enTTS requires help from fault analysis to be carried out correctly. [Yi and Li, 2017] analyzed a DPA attack on enTTS by executing the algorithm, implemented as an Application-Specific Integrated Circuit (ASIC), several times with different inputs and collecting a set of power traces from the affine transformations and from the central map with multivariate polynomials. While the algorithm is executing, sensitive variables are manipulated by a fault attack that changes the random values to fixed values. This sen-
                                                              sitive variable is related to the secret key and known
  multiplication has been implemented as a counter-
                                                              variable. Making a hypothesis about the secret key,
  measure against timing attacks. However, this coun-
                                                              the attacker can predict the sensitive value and cor-
  termeasure is vulnerable against DPA in private syn-
                                                              responding leakage. Correlation analysis is then per-
  drome computation. Prior to [Sim et al, 2019], attacks
                                                              formed between the predicted value and measured
  failed to recover the entire key because constant-time
                                                              power. To map hypothetical sensitive values to cor-
  multiplication software implementation results were
                                                              responding leakages, the Hamming Distance model is
  saved in the same register, creating numerous candi-
                                                              used because enTTS is implemented on CMOS.
  dates for secret indices. Further, the system of linear
                                                            – Lattice-based algorithms: CPA on lattice-based algo-
  equations had to be solved, such as in [Rossi et al,
                                                              rithm NTRU Prime in [Huang et al, 2019] concen-
  2017], whose complexity increases with the number
                                                              trates on multiplication of ciphertext and private key
  of possible candidates. However, the attack in [Sim
                                                              in the decryption phase. It considers HW of interme-
  et al, 2019] proposed multiple and single trace attacks
                                                              diate value to be expected power consumption. The
  to overcome the need for solving linear equations, as
                                                              correlation analysis algorithm processes all HW poly-
  stated in Table 1. If the process provides single-bit
                                                              nomials and the corresponding measured power val-
  shift instructions, a single trace attack is sufficient
                                                              ues with respect to the user-set correlation threshold.
  by recognizing left shift instruction, while for mul-
Physical Security in the Post-quantum Era                                                                             13

  The candidate is determined from all optimal guesses,       cies during the computation. It can also be successful
  with the largest absolute value of the correlation coef-    against recognizing certain operations within the algo-
  ficient. The attack recovers full key from polynomial       rithm since each operation has its own power signa-
  multiplication from the NTRU Prime implemented on           ture [Heyse et al, 2010]. SPA can only be used when
  the 32-bit microcontroller, [Huang et al, 2019], see Ta-    the signal-to-noise (SNR) ratio is high enough; oth-
  ble 1. Intermediate states of matrix-polynomial mul-        erwise, DPA would be a better choice. SPA on post-
  tiplication also depend heavily on the same subkey, in      quantum cryptographic algorithms is reported on code
  other lattice-based algorithms, such as FRODO and           and lattice-based schemes.
  NewHope. The main limitation of applying DPA on
  lattice-based algorithms is the frequency of false pos-     – Code-based algorithms: SPA performed on classical
  itives because similar outputs are created for similar        McEliece has been able to extract permutation and
  sub-keys. To mitigate this issue, the attacker observes       parity-check matrices. If these operations are com-
  intermediate results and key bit by bit. According to         puted individually, then matrices are successfully re-
  to [Aysu et al, 2018], because of modular reductions in       covered. However, if these two are combined in com-
  the process, only one bit will have a high correlation.       putation, they are recovered combined as well [Heyse
  This attack in [Aysu et al, 2018] forms an ensemble of        et al, 2010]. The HW of permuted ciphertext and orig-
  possible keys.                                                inal ciphertext is the same because only the location
– Hash-based algorithms: Power analysis attack on               of the ciphertext gets permuted. Permutation matrix
  hash-based algorithms requires a function which de-           can be recovered if the attacker only considers cipher-
  pends on the secret key and known value, to be found.         text with HW equal to 1. The attacker has also been
  Then, the function is called twice, during the key and        able to visually recognize when the summation is per-
  signature generations. A limited number of function           formed [Heyse et al, 2010; Richmond et al, 2015]. SPA
  calls is the reason for a few SCA on hash-based al-           attack also recovers an error vector, which is added to
  gorithms being reported. Measurement is filled with           encoded plaintext. The attacker needs to have access
  noise, and in both function calls, a value known to the       to the Euclidean algorithm to recognize the error lo-
  attacker is the same. The ideal case occurs when the          cator polynomial, [Molter et al, 2011]. The decryption
  hash function and PRNG do not leak any informa-               of chosen ciphertext, and measuring power traces, the
  tion, which is not entirely accurate in practice [Kan-        attacker is able to recover the error vector from power
  nwischer et al, 2018]. Another difference is that the         peaks which correspond to Euclidean algorithm iter-
  one-time signature is called multiple times during the        ation numbers, see Table 1.
  authentication path, giving attackers a greater possi-      – Lattice-based algorithms: SPA on R-LWE based cryp-
  bility to attack the scheme. In practice, the attacker is     tographic scheme attack the decryption phase by visu-
  not powerful enough to arbitrarily choose the leakage         ally inspecting if the modular addition is larger than
  function and change it during every signature and key         the modulus [Park and Han, 2016]. In the first step
  creation, so authentication path leakage gets reduced         of the SPA on R-LWE, the ciphertext is chosen. Then
  to the leakage of a single, one-time signature scheme         decryption is performed on the chosen ciphertext. The
  OTS. DPA has been analyzed on the SPHINCS algo-               next step is to recognize if the modular addition is exe-
  rithm, as reported in Table 1, while the same attack          cuted, and if it is, the secret key can be recovered. SPA
  is not successful against the XMSS algorithm.                 has been performed on NewHope and FRODO, ex-
                                                                perimentally recovering entire secret key with a high
Comparison to classic world algorithms: DPA against             success rate, as noted in Table 1.
AES consists of attacking each round of AES and using
the recovered secret as a known variable in the next          Comparison to classic world algorithms: SPA in the
round, [Jaffe, 2007]. Compared to any of the attacks on       classic world is dangerous, having even been success-
post-quantum cryptographic algorithms, this attack is         ful against RSA (by recovering a private bit from the
straightforward and does not require a search for a func-     square-and-multiply algorithm) and against KeeLog.
tion that depends both on sub-key and value known to          Compared to the classic world, the post-quantum world
the attacker. In the classic world, various multi-bit sta-    does not have easily distinguishable functions, espe-
tistical tools are used in final key recovery, while in the   cially considering that entire matrices need to be re-
post-quantum world, correlation analysis seems only to        covered, compared to keystream in the classic world.
be used, thus reducing DPA to CPA.                            Electromagnetic Emission Attacks (EMA):
Simple Power Analysis (SPA): Simple power anal-               Techniques used in electromagnetic emission analysis
ysis (SPA) visually analyzes power traces measured            are the same as the ones used in power analysis. The
over time. Such attack exploits key and data dependen-        only difference in attack is how data is acquired, as
14                                                                                            Sreeja Chowdhury∗ et al.

the measurement setup is different. The main challenge      post-quantum world have been successfully launched on
is to recognize the possible data leakage. In the post-     code-based and lattice-based algorithms.
quantum cryptographic algorithm, the EMA attack has
been launched on the lattice-based algorithm BLISS re-      – Code-based algorithms: The attack in [Strenzke et al,
covering the full secret key from embedded 8-bit AVR          2008] is the first timing attack on the McEliece al-
implementation; see Table 1. The source of leakage in         gorithm without any countermeasures exploiting the
this algorithm is in the rejection sampling algorithm         time needed for decryption execution and learning the
during the signature generation [Espitau et al, 2017].        dependence of errors in decoding algorithm and error
The attacker is assumed to know the absolute norm of          locator polynomial. The attack is further extended
integer of interest. The rejection sampling step leaks        and analyzed in [Strenzke, 2010], where the private
the relative norm of the secret key. The rejection sam-       key in the Patterson algorithm is attacked by exploit-
pling is important to achieve correct output distribu-        ing the time required to solve the key equation. It
tion, and its construction is very similar to the square-     is accomplished by attacking private key in the Pat-
and-multiply algorithm, which allows for visual inspec-       terson algorithm, where error locator polynomial is
tion of bits through Single EMA (SEMA) [Espitau et al,        related to the secret, and the time needed to solve the
2017].                                                        key equation leaks information about used polynomi-
    The research in this direction has resulted in a          als. However, this attack was shown to be impractical
generic attack presented in [Ravi et al, 2020], which         in [Strenzke, 2013]. The timing attack in [Strenzke,
can be adaptable to various LWE-based PKE/KEM                 2013] takes advantage of the multiplication of syn-
schemes. The proposed attack is a chosen-ciphertext           drome with a scrambling matrix, more specifically of
one enabled through EM side-channel analysis. The             syndrome inversion. [Strenzke, 2013] expands on work
leakage is identified within the constant-time decod-         in [Strenzke, 2010] by using the leakage from syn-
ing procedures of error-correcting codes (ECC) that are       drome inversion, together with the leakage in solv-
employed to examine the validity of decrypted code-           ing the key equation, creating a practical attack that
words. Similarly, the Fujisaki-Okamoto transform used         recovers secret information: zero-element, linear and
to detect invalid or maliciously formed ciphertexts has       cubic equations, see Table 1.
shown to be susceptible to the proposed attack. Build-        Timing attacks against optimized versions of
ing upon this attack, in [Schamberger et al, 2020],           McEliece algorithm, QC-MDPC, and QC-LDPC, are
Schamberger et al. has proposed the first profiling           proposed in [Santini et al, 2019; Eaton et al, 2018].
power side-channel attack mounted on the KEM scheme           In [Eaton et al, 2018], the parts of the key are re-
used in code-based Hamming Quasi Cyclic (HQC) cryp-           covered by exploiting the decryption failure rate and
tosystem [Melchor et al, 2018]. Although the constant-        measuring the number of iterations in the decryp-
time implementation of an ECC has been considered             tion phase. Average decryption time to correct errors
in [Melchor et al, 2018], the ECC decoders of the refer-      varies, and [Eaton et al, 2018] shows the correlation
ence implementation exhibit a power consumption pat-          between errors and key.
tern depending on whether an error must be corrected.       – Lattice-based algorithms: A timing attack has been
This has been leveraged in their attack to disclose the       reported on lattice-based algorithms, specifically R-
entire secret key.                                            LWE schemes. In this attack, [D’Anvers et al, 2019],
                                                              decryption errors are detected and exploited prior
    Another example of EMA is given in [Lahr et al,
                                                              to being corrected. Because constant-time error-
2020], where the system under attack is the code-based
                                                              correcting schemes are not easily implemented, de-
Niederreiter. The attack is based on timing side-channel
                                                              cryption takes different time for codewords, which
plaintext-recovery attack introduced in [Shoufan et al,
                                                              those that contain and those that do not contain er-
2010]; however, as the constant-time hardware imple-
                                                              rors.
mentation is selected to mount the attack, EM side-
channel is substituted for the timing side-channel. The     Comparison to classic World Algorithms: Timing at-
attack has been further optimized in terms of the num-      tacks in quantum settings are significantly underde-
ber of required side-channel queries.                       veloped compared to numerous timing attacks in the
Timing Attacks (TA): Timing attacks (TA) are a              classic world. Compromising the error correction also
type of side-channel attack in which the attacker ex-       exists in the classic world, which is only one of the
ploits the time required for the completion of a logi-      numerous techniques reported. Another difference is
cal operation. The time required for operation execu-       that countermeasures in the classic world are developed
tion can also differ within the operation itself, based     to the extent of questioning the practicality of timing
on the inputs being processed. Timing attacks in the        attacks, while in post-quantum world timing attacks
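The early-exit behaviour that [D’Anvers et al, 2019] and [Eaton et al, 2018] exploit above, reduced to a small constructed model (an added example, not code from the survey or from any cited work): a Hamming(7,4) decoder that skips the correction step when the syndrome is zero, beside a constant-time version, with a step counter standing in for measured execution time. The code, the step-cost model and the seed are assumptions of this example.

```python
"""Constructed model of the error-correction timing leak surveyed above."""
import random


def syndrome(word, cost):
    """3-bit syndrome of a 7-bit word. Parity row b covers the positions whose
    1-based index has bit b set, so a single error at position p gives s = p+1.
    cost[0] is the constructed step counter (one step per parity row)."""
    s = 0
    for b in range(3):
        parity = 0
        for pos in range(7):
            if (pos + 1) >> b & 1:          # fixed code structure, not data
                parity ^= (word >> pos) & 1
        s |= parity << b
        cost[0] += 1
    return s


CODEWORDS = [w for w in range(128) if syndrome(w, [0]) == 0]   # 16 codewords


def decode_variable_time(word, cost):
    """Skips the correction step when the syndrome is zero, so error-free and
    erroneous words cost a different number of steps: the leak in the text."""
    s = syndrome(word, cost)
    if s == 0:
        return word
    cost[0] += 1
    return word ^ (1 << (s - 1))


def decode_constant_time(word, cost):
    """Always runs the correction step; a mask turns the flip into a no-op
    when s == 0, so the step count no longer depends on the error."""
    s = syndrome(word, cost)
    cost[0] += 1
    mask = -(s != 0) & 0x7F                 # 0x7F if an error is present, else 0
    return word ^ ((1 << ((s - 1) & 7)) & mask)


def step_counts(decoder, words):
    """Set of step counts the decoder took over the given words."""
    counts = set()
    for w in words:
        cost = [0]
        decoder(w, cost)
        counts.add(cost[0])
    return counts


def leaks_error_presence(decoder, seed=7):
    """Defender-side check: does the step count separate error-free words from
    words carrying one bit error? On real hardware replace the counter with
    cycle measurements and a statistical test over the two classes."""
    rng = random.Random(seed)
    clean = [rng.choice(CODEWORDS) for _ in range(64)]
    noisy = [c ^ (1 << rng.randrange(7)) for c in clean]
    return step_counts(decoder, clean) != step_counts(decoder, noisy)
```

`leaks_error_presence(decode_variable_time)` is True (3 steps without an error, 4 with), while the constant-time decoder always takes 4 steps and still corrects every single-bit error.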
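The CPA workflow surveyed in the DPA discussion above (a Hamming-weight model of a ciphertext-times-key intermediate, Pearson correlation per candidate, the key guess taken as the candidate with the largest |r|) run on simulated traces, beside the same first-order attack against an arithmetically masked multiply (an added example, not the survey's or any cited work's code). The modulus Q, the noise level, the secret value and the masking scheme are constructed assumptions of this example.

```python
"""CPA with a Hamming-weight model on a simulated multiply intermediate.
Constructed example: a decryption-style product c*s mod Q leaks HW(c*s mod Q);
the same attack is then run against an arithmetically masked version."""
import random

Q = 251          # constructed modulus, small enough to test every candidate
NOISE_SD = 1.0   # constructed measurement noise (standard deviation)


def hw(x):
    """Hamming weight of a non-negative integer."""
    return bin(x).count("1")


def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 when one series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / (sxx * syy) ** 0.5


def leak_unprotected(c, s, rng):
    """Leakage of the plain multiply: HW of the intermediate plus noise."""
    return hw((c * s) % Q) + rng.gauss(0, NOISE_SD)


def leak_masked(c, s, rng):
    """Leakage of an arithmetically masked multiply: the intermediate is held
    as two shares (c*s - m, m) mod Q with a fresh random m; each share leaks
    its HW, but neither share on its own depends on c*s."""
    m = rng.randrange(Q)
    share = (c * s - m) % Q
    return hw(share) + hw(m) + rng.gauss(0, NOISE_SD)


def collect(leak_fn, s, n_traces, seed=1):
    """Simulate n_traces decryptions with random ciphertext coefficients."""
    rng = random.Random(seed)
    cts = [rng.randrange(Q) for _ in range(n_traces)]
    return cts, [leak_fn(c, s, rng) for c in cts]


def cpa(cts, traces):
    """For every candidate k, correlate the hypothesis HW(c*k mod Q) with the
    traces; the candidate with the largest |r| is the key guess."""
    scores = []
    for k in range(Q):
        hyp = [hw((c * k) % Q) for c in cts]
        scores.append(abs(pearson(hyp, traces)))
    return max(range(Q), key=scores.__getitem__), scores


def run(secret=173, n_traces=300):
    """(guess, |r| of the true key) for the plain variant and
    (guess, largest |r| over all candidates) for the masked variant."""
    best_u, sc_u = cpa(*collect(leak_unprotected, secret, n_traces))
    best_m, sc_m = cpa(*collect(leak_masked, secret, n_traces))
    return (best_u, sc_u[secret]), (best_m, max(sc_m))
```

With these parameters the true key stands out at |r| around 0.8 for the unprotected multiply, while masking leaves every candidate near zero; the masked variant defeats only this first-order analysis and is shown as the countermeasure, not as a proof of security.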