A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM

Qian Guo; Thomas Johansson; Alexander Nilsson

doi:10.1007/978-3-030-56880-1_13

A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM

Qian Guo, Thomas Johansson, Alexander Nilsson

Research output: Chapter in Book/Report/Conference proceeding › Paper in conference proceeding › peer-review

Abstract

In the implementation of post-quantum primitives, it is well known that all computations that handle secret information need to be implemented to run in constant time. Using the Fujisaki-Okamoto transformation or any of its different variants, a CPA-secure primitive can be converted into an IND-CCA secure KEM. In this paper we show that although the transformation does not handle secret information apart from calls to the CPA-secure primitive, it has to be implemented in constant time. Namely, if the ciphertext comparison step in the transformation is leaking side-channel information, we can launch a key-recovery attack. Several proposed schemes in round 2 of the NIST post-quantum standardization project are susceptible to the proposed attack and we develop and show the details of the attack on one of them, being FrodoKEM. It is implemented on the reference implementation of FrodoKEM, which is claimed to be secure against all timing attacks. Experiments show that the attack code is able to extract the secret key for all security levels using about $2^{30}$ decapsulation calls.

Original language	English
Title of host publication	Advances in Cryptology – CRYPTO 2020
Subtitle of host publication	40th Annual International Cryptology Conference, CRYPTO 2020, Santa Barbara, CA, USA, August 17–21, 2020, Proceedings, Part II
Publisher	Springer
Pages	359-386
ISBN (Electronic)	978-3-030-56880-1
ISBN (Print)	978-3-030-56879-5
DOIs	https://doi.org/10.1007/978-3-030-56880-1_13
Publication status	Published - 2020 Aug 17
Event	40th Annual International Cryptology Conference, CRYPTO 2020 - Santa Barbara, United States Duration: 2020 Aug 17 → 2020 Aug 21

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer
Volume	12171
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	40th Annual International Cryptology Conference, CRYPTO 2020
Country/Territory	United States
City	Santa Barbara
Period	2020/08/17 → 2020/08/21

Subject classification (UKÄ)

Other Computer and Information Science

Access to Document

10.1007/978-3-030-56880-1_13

https://eprint.iacr.org/2020/743

1 Doctoral Thesis (compilation)

Decryption Failure Attacks on Post-Quantum Cryptography
Nilsson, A., 2023 May 11, Lund: Lunds Universitet/Lunds Tekniska Högskola. 294 p.
Research output: Thesis › Doctoral Thesis (compilation)

Open Access
File

2 Active

Lightweight Cryptography for Autonomous Vehicles
Johansson, T. & Guo, Q.
2020/08/01 → 2023/12/31
Project: Research
Side channels on software implementations of post-quantum cryptographic algorithms
Nilsson, A., Johansson, T. & Stankovski Wagner, P.
2017/09/01 → 2023/12/31
Project: Dissertation

Cite this

Guo, Q., Johansson, T., & Nilsson, A. (2020). A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM. In Advances in Cryptology – CRYPTO 2020: 40th Annual International Cryptology Conference, CRYPTO 2020, Santa Barbara, CA, USA, August 17–21, 2020, Proceedings, Part II (pp. 359-386). (Lecture Notes in Computer Science; Vol. 12171). Springer. https://doi.org/10.1007/978-3-030-56880-1_13

Guo, Qian ; Johansson, Thomas ; Nilsson, Alexander. / A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM. Advances in Cryptology – CRYPTO 2020: 40th Annual International Cryptology Conference, CRYPTO 2020, Santa Barbara, CA, USA, August 17–21, 2020, Proceedings, Part II. Springer, 2020. pp. 359-386 (Lecture Notes in Computer Science).

@inproceedings{65d795f61a5945c0aa6e45467fe15e03,

title = "A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM",

abstract = "In the implementation of post-quantum primitives, it is well known that all computations that handle secret information need to be implemented to run in constant time. Using the Fujisaki-Okamoto transformation or any of its different variants, a CPA-secure primitive can be converted into an IND-CCA secure KEM. In this paper we show that although the transformation does not handle secret information apart from calls to the CPA-secure primitive, it has to be implemented in constant time. Namely, if the ciphertext comparison step in the transformation is leaking side-channel information, we can launch a key-recovery attack. Several proposed schemes in round 2 of the NIST post-quantum standardization project are susceptible to the proposed attack and we develop and show the details of the attack on one of them, being FrodoKEM. It is implemented on the reference implementation of FrodoKEM, which is claimed to be secure against all timing attacks. Experiments show that the attack code is able to extract the secret key for all security levels using about $2^{30}$ decapsulation calls. ",

author = "Qian Guo and Thomas Johansson and Alexander Nilsson",

year = "2020",

month = aug,

day = "17",

doi = "10.1007/978-3-030-56880-1_13",

language = "English",

isbn = "978-3-030-56879-5",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "359--386",

booktitle = "Advances in Cryptology – CRYPTO 2020",

address = "Germany",

note = "40th Annual International Cryptology Conference, CRYPTO 2020 ; Conference date: 17-08-2020 Through 21-08-2020",

}

Guo, Q , Johansson, T & Nilsson, A 2020, A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM. in Advances in Cryptology – CRYPTO 2020: 40th Annual International Cryptology Conference, CRYPTO 2020, Santa Barbara, CA, USA, August 17–21, 2020, Proceedings, Part II. Lecture Notes in Computer Science, vol. 12171, Springer, pp. 359-386, 40th Annual International Cryptology Conference, CRYPTO 2020, Santa Barbara, United States, 2020/08/17. https://doi.org/10.1007/978-3-030-56880-1_13

A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM. / Guo, Qian ; Johansson, Thomas ; Nilsson, Alexander.

Advances in Cryptology – CRYPTO 2020: 40th Annual International Cryptology Conference, CRYPTO 2020, Santa Barbara, CA, USA, August 17–21, 2020, Proceedings, Part II. Springer, 2020. p. 359-386 (Lecture Notes in Computer Science; Vol. 12171).

Research output: Chapter in Book/Report/Conference proceeding › Paper in conference proceeding › peer-review

TY - GEN

T1 - A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM

AU - Guo, Qian

AU - Johansson, Thomas

AU - Nilsson, Alexander

PY - 2020/8/17

Y1 - 2020/8/17

N2 - In the implementation of post-quantum primitives, it is well known that all computations that handle secret information need to be implemented to run in constant time. Using the Fujisaki-Okamoto transformation or any of its different variants, a CPA-secure primitive can be converted into an IND-CCA secure KEM. In this paper we show that although the transformation does not handle secret information apart from calls to the CPA-secure primitive, it has to be implemented in constant time. Namely, if the ciphertext comparison step in the transformation is leaking side-channel information, we can launch a key-recovery attack. Several proposed schemes in round 2 of the NIST post-quantum standardization project are susceptible to the proposed attack and we develop and show the details of the attack on one of them, being FrodoKEM. It is implemented on the reference implementation of FrodoKEM, which is claimed to be secure against all timing attacks. Experiments show that the attack code is able to extract the secret key for all security levels using about $2^{30}$ decapsulation calls.

AB - In the implementation of post-quantum primitives, it is well known that all computations that handle secret information need to be implemented to run in constant time. Using the Fujisaki-Okamoto transformation or any of its different variants, a CPA-secure primitive can be converted into an IND-CCA secure KEM. In this paper we show that although the transformation does not handle secret information apart from calls to the CPA-secure primitive, it has to be implemented in constant time. Namely, if the ciphertext comparison step in the transformation is leaking side-channel information, we can launch a key-recovery attack. Several proposed schemes in round 2 of the NIST post-quantum standardization project are susceptible to the proposed attack and we develop and show the details of the attack on one of them, being FrodoKEM. It is implemented on the reference implementation of FrodoKEM, which is claimed to be secure against all timing attacks. Experiments show that the attack code is able to extract the secret key for all security levels using about $2^{30}$ decapsulation calls.

U2 - 10.1007/978-3-030-56880-1_13

DO - 10.1007/978-3-030-56880-1_13

M3 - Paper in conference proceeding

SN - 978-3-030-56879-5

T3 - Lecture Notes in Computer Science

SP - 359

EP - 386

BT - Advances in Cryptology – CRYPTO 2020

PB - Springer

T2 - 40th Annual International Cryptology Conference, CRYPTO 2020

Y2 - 17 August 2020 through 21 August 2020

ER -

Guo Q , Johansson T , Nilsson A. A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM. In Advances in Cryptology – CRYPTO 2020: 40th Annual International Cryptology Conference, CRYPTO 2020, Santa Barbara, CA, USA, August 17–21, 2020, Proceedings, Part II. Springer. 2020. p. 359-386. (Lecture Notes in Computer Science). Epub 2020 Jun 18. doi: 10.1007/978-3-030-56880-1_13

A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM

Abstract

Publication series

Conference

Subject classification (UKÄ)

Access to Document

Fingerprint

Research output

Decryption Failure Attacks on Post-Quantum Cryptography

Projects

Lightweight Cryptography for Autonomous Vehicles

Side channels on software implementations of post-quantum cryptographic algorithms

Cite this