Paper 2023/1931

Single-Trace Side-Channel Attacks on CRYSTALS-Dilithium: Myth or Reality?

Ruize Wang, KTH Royal Institute of Technology
Kalle Ngo, KTH Royal Institute of Technology
Joel Gärtner, KTH Royal Institute of Technology
Elena Dubrova, KTH Royal Institute of Technology

We present a side-channel attack on CRYSTALS-Dilithium, a post-quantum secure digital signature scheme, with two variants of post-processing. The side-channel attack exploits information leakage in the secret key unpacking procedure of the signing algorithm to recover the coefficients of the polynomials in the secret key vectors ${\bf s}_1$ and ${\bf s}_2$ by profiled deep learning-assisted power analysis. In the first variant, one half of the coefficients of ${\bf s}_1$ and ${\bf s}_2$ is recovered by power analysis and the rest is derived by solving a system of linear equations based on ${\bf t} = {\bf A}{\bf s}_1 + {\bf s}_2$, where ${\bf A}$ and ${\bf t}$ are parts of the public key. This case assumes knowledge of the least significant bits of the vector ${\bf t}$, ${\bf t}_0$. The second variant waives this requirement. However, to succeed, it needs a larger portion of ${\bf s}_1$ to be recovered by power analysis. The remainder of ${\bf s}_1$ is obtained by lattice reduction. Once the full ${\bf s}_1$ is recovered, all the other information necessary for generating valid signatures can be trivially derived from the public key. We evaluate both variants on an ARM Cortex-M4 implementation of Dilithium-2. The profiling stage (trace capture and neural network training) takes less than 10 hours. In the attack assuming that ${\bf t}_0$ is known, the probability of successfully recovering the full vector ${\bf s}_1$ from a single trace captured from a different from profiling device is non-negligible (9%). The success rate approaches 100% if multiple traces are available for the attack. Our results demonstrate the necessity of protecting the secret key of CRYSTALS-Dilithium from single-trace attacks and call for a reassessment of the role of compression of the public key vector ${\bf t}$ in the security of CRYSTALS-Dilithium implementations.

Available format(s)
Attacks and cryptanalysis
Publication info
Dilithiumpost-quantum digital signaturekey recovery attackside-channel attacklattice reduction
Contact author(s)
ruize @ kth se
kngo @ kth se
jgartner @ kth se
dubrova @ kth se
2023-12-21: approved
2023-12-20: received
See all versions
Short URL
Creative Commons Attribution


      author = {Ruize Wang and Kalle Ngo and Joel Gärtner and Elena Dubrova},
      title = {Single-Trace Side-Channel Attacks on {CRYSTALS}-Dilithium: Myth or Reality?},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1931},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.