Cryptology ePrint Archive: Report 2022/057

The Hidden Parallelepiped Is Back Again: Power Analysis Attacks on Falcon

Morgane Guerreau and Ange Martinelli and Thomas Ricosset and Mélissa Rossi

Abstract: Falcon is a very efficient and compact lattice-based signature finalist of the NIST's Post-Quantum standardization campaign. This work assesses Falcon's side-channel resistance by analyzing two vulnerabilities, namely the pre-image computation and the trapdoor sampling. The first attack is an improvement of Karabulut and Aysu (DAC 2021). It overcomes several difficulties inherent to the structure of the stored key like the Fourier representation and directly recovers the key with a limited number of traces and a reduced complexity. The main part of this paper is dedicated to our second attack: we show that a simple power analysis during the signature execution could provide the exact value of the output of a subroutine called the base sampler. This intermediate value does not directly lead to the secret and we had to adapt the so-called hidden parallelepiped attack initially introduced by Nguyen and Regev in Eurocrypt 2006 and reused by Ducas and Nguyen in Asiacrypt 2012. We extensively quantify the resources for our attacks and experimentally demonstrate them with Falcon's reference implementation on the ELMO simulator (McCann, Oswald and Whitnall USENIX 2017) and on a ChipWhisperer Lite with STM32F3 target (ARM Cortex M4). While the success of these attacks may be unsurprising because the reference implementation does not claim any side-channel protection, these new attacks highlight the need for side-channel protection for one of the three finalists of NIST's standardization campaign by pointing out the vulnerable parts and quantifying the resources of the attacks.

Category / Keywords: public-key cryptography / Power Analysis, Lattices, Falcon Signature Scheme, Hidden Parallelepiped Attack

Date: received 17 Jan 2022

Contact author: morgane guerreau at gmail com, thomas ricosset at thalesgroup com, ange martinelli at ssi gouv fr, melissa rossi at ssi gouv fr

Available format(s): PDF | BibTeX Citation

Version: 20220118:161712 (All versions of this report)

Short URL: ia.cr/2022/057


[ Cryptology ePrint archive ]