The Hidden Parallelepiped Is Back Again: Power Analysis Attacks on Falcon

Morgane Guerreau; Ange Martinelli; Thomas Ricosset; Mélissa Rossi

Paper 2022/057

The Hidden Parallelepiped Is Back Again: Power Analysis Attacks on Falcon

Morgane Guerreau, ANSSI

Ange Martinelli, ANSSI

Thomas Ricosset, Thales

Mélissa Rossi

, ANSSI

Abstract

Falcon is a very efficient and compact lattice-based signature finalist of the NIST's Post-Quantum standardization campaign. This work assesses Falcon's side-channel resistance by analyzing two vulnerabilities, namely the pre-image computation and the trapdoor sampling. The first attack is an improvement of Karabulut and Aysu (DAC 2021). It overcomes several difficulties inherent to the structure of the stored key like the Fourier representation and directly recovers the key with a limited number of traces and a reduced complexity. The main part of this paper is dedicated to our second attack: we show that a simple power analysis during the signature execution could provide the exact value of the output of a subroutine called the base sampler. This intermediate value does not directly lead to the secret and we had to adapt the so-called hidden parallelepiped attack initially introduced by Nguyen and Regev in Eurocrypt 2006 and reused by Ducas and Nguyen in Asiacrypt 2012. We extensively quantify the resources for our attacks and experimentally demonstrate them with Falcon's reference implementation on the ELMO simulator (McCann, Oswald and Whitnall USENIX 2017) and on a Chipwhisperer Lite with STM32F3 target (ARM Cortex M4). These new attacks highlight the need for side-channel protection for one of the three finalists of NIST's standardization campaign by pointing out the vulnerable parts and quantifying the resources of the attacks.

Metadata

Available format(s): PDF
Category: Public-key cryptography
Publication info: A minor revision of an IACR publication in TCHES 2022
Keywords: Power Analysis Lattices Falcon Signature Scheme Hidden Parallelepiped Attack
Contact author(s): morgane guerreau @ gmail com
ange martinelli @ ssi gouv fr
thomas ricosset @ thalesgroup com
melissa rossi @ ssi gouv fr
History: 2022-06-15: revised; 2022-01-18: received; See all versions
Short URL: https://ia.cr/2022/057
License: CC BY

BibTeX

@misc{cryptoeprint:2022/057,
      author = {Morgane Guerreau and Ange Martinelli and Thomas Ricosset and Mélissa Rossi},
      title = {The Hidden Parallelepiped Is Back Again: Power Analysis Attacks on Falcon},
      howpublished = {Cryptology ePrint Archive, Paper 2022/057},
      year = {2022},
      note = {\url{https://eprint.iacr.org/2022/057}},
      url = {https://eprint.iacr.org/2022/057}
}