Paper 2024/1248

A Not So Discrete Sampler: Power Analysis Attacks on HAWK signature scheme

Morgane Guerreau, CryptoNext Security
Mélissa Rossi, ANSSI
Abstract

HAWK is a lattice-based signature scheme and a candidate in the fourth call of NIST's Post-Quantum standardization campaign. Since it is considered a cousin of Falcon (one of the future NIST post-quantum standards), one can wonder whether HAWK shares the same drawbacks as Falcon in terms of side-channel attacks. Indeed, Falcon's signature algorithm, and particularly its Gaussian sampler, has been shown to be highly vulnerable to power-analysis attacks, and efficiently protecting Falcon's signature algorithm against these attacks appears to be a very challenging task. This work presents the first power analysis leakage review of the HAWK signature scheme: it extensively assesses the vulnerabilities of a central and sensitive building block of the scheme, the discrete Gaussian sampler. Knowing the output x of the sampler for a given signature yields linear information about the private key of the scheme. This paper includes several demonstrations of simple power analysis attacks targeting this sample x with various attacker strengths, all of them performed on the reference implementation on a ChipWhisperer Lite with an STM32F3 target (ARM Cortex M4). We report being able to perform key recoveries with very low (to no) offline resources. As this reference implementation of HAWK is not claimed to be protected against side-channel attacks, the existence of such attacks is not surprising, but they still concretely warn against the use of this unprotected signature on physical devices. To go further, our study proposes a generic way of assessing the performance of a side-channel attack on x even when less information is recovered, in a setting where some protections are implemented or when the attacker has fewer measurement possibilities.
While it is easy to see that x is a sensitive value, quantifying the residual complexity of the key recovery given some knowledge about x (such as the parity or the sign of some coefficients) is not straightforward, as the underlying hardness assumption is the newly introduced Module-LIP problem. We propose to adapt the existing methodology of leaky LWE estimation tools (Dachman-Soled et al. at Crypto 2020) to exploit the retrieved information and lower the residual key recovery complexity. Finally, we propose an ad-hoc technique to reduce the leakage at the identified vulnerability points. These modifications prevent our attacks on our platform and come at essentially no cost in terms of performance. They can be seen as a temporary solution and encourage further analysis of provably secure side-channel protections for HAWK, such as masking.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
A minor revision of an IACR publication in TCHES 2024
DOI
10.46586/tches.v2024.i4.156-178
Keywords
Side-channel attack, HAWK signature scheme, Residual complexity
Contact author(s)
morgane guerreau @ gmail com
melissa rossi @ ssi gouv fr
History
2024-10-31: last of 2 revisions
2024-08-06: received
Short URL
https://ia.cr/2024/1248
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1248,
      author = {Morgane Guerreau and Mélissa Rossi},
      title = {A Not So Discrete Sampler: Power Analysis Attacks on {HAWK} signature scheme},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1248},
      year = {2024},
      doi = {10.46586/tches.v2024.i4.156-178},
      url = {https://eprint.iacr.org/2024/1248}
}