Abstract
The rapid development of quantum computing poses a serious challenge to the security of traditional cryptography: Peter Shor's polynomial-time quantum algorithms for factoring integers and computing discrete logarithms threaten cryptosystems built on classical number-theoretic hard problems. In 2016 the National Institute of Standards and Technology (NIST) began soliciting standards for post-quantum public-key cryptographic algorithms; most submissions fall into four families (lattice-based, hash-based, code-based and multivariate), and lattice-based schemes, which offer the best balance of public-key size, computational efficiency and security, account for the largest share. However, implementations of lattice-based cryptography deployed in real environments are vulnerable to power analysis attacks. In a power analysis attack, the attacker exploits the power consumption, electromagnetic emanations and similar information produced while a cryptographic device is running, builds a relationship between this side-channel information and intermediate values of the cryptographic algorithm, and thereby recovers the key or other sensitive information. Since power analysis attacks first appeared, they have seriously threatened the security of cryptographic systems. With the progress of quantum computing, the security of post-quantum cryptography has become a research hotspot; in particular, NIST recently announced the latest round of post-quantum candidate algorithms, and the side-channel security of lattice-based cryptography, the largest family among them, has drawn wide attention from academia. This paper studies power analysis attack techniques against lattice-based cryptography in terms of attack model, attack target and attack conditions; analyses the principles of attacks on lattice-based cryptography and the side-channel security of each of its operators; focuses on the attack techniques applicable to the third-round NIST lattice-based schemes and on the attacks against the corresponding countermeasures; and finally discusses the open problems of existing power analysis attacks on lattice-based cryptography and directions for future research.
With the rapid development of quantum computer research, design, and manufacturing technology, the era of quantum computing is gradually coming. Cryptosystems based on traditional number theory problems are threatened. The development of cryptosystems in the post-quantum era has become a hot spot in the field of cryptography. The National Institute of Standards and Technology (NIST) began to solicit standards for post-quantum public key cryptography algorithms. It announced seven candidate algorithms for the third round, five of which are lattice cryptographic schemes. Lattice-based cryptosystems rely on adding noise to linear equations to obtain hard problems and have the largest share in Post-Quantum Cryptography (PQC) due to their better balance in public key size, computational efficiency, and security. However, implementations of lattice ciphers are vulnerable to power analysis attacks when deployed in practical environments. Power analysis attacks have been viewed as a physical attack method that effectively recovers the sensitive information of cryptographic algorithms. The attackers capture the power consumption, electromagnetic or other information generated during the operation of cryptographic devices and establish the relationship between this information and the intermediate values of the cryptographic algorithm. Since the emergence of power analysis attacks as an important attack method at the hardware level, they have seriously threatened the security of cryptographic systems. In particular, NIST announced the candidate post-quantum cryptographic algorithms in the third round of the PQC project. The academic community has also been widely concerned about the resistance of lattice-based cryptography against power analysis attacks. Lattice ciphers play a vital role in post-quantum cryptography, and their side-channel security is an indispensable indicator for comprehensively measuring algorithm security. Therefore, research on power analysis attack techniques for lattice ciphers, arising from the current NIST post-quantum algorithm standardization and post-quantum cryptography more broadly, is an important topic for practical applications. Power analysis attacks greatly threaten the development and evaluation of lattice cipher schemes. Due to the novelty of many lattice-based cipher schemes, many security vulnerabilities have still not been evaluated. There are various types of existing attack models, all of which can recover the key information or message of the lattice cipher. Many works have also proposed protection schemes for lattice ciphers to resist these power analysis attacks. Still, the existing protection schemes hardly satisfy the security and efficiency requirements. This work studies the side-channel attack technology of lattice-based cryptography in view of the attack model, target, and condition. We analyze the attack mechanism and the security of each operation of lattice-based cryptography. This work starts by analyzing the cryptographic scheme and the attacking methods for different operators, and investigates the cause of the vulnerability in the scheme from the perspective of designers. In addition, the attack principle of the latest protection scheme is analyzed, and the internal reasons for the breach of the protection scheme are explained. It focuses on the attack methods against the third round of NIST lattice-based cryptography. Moreover, we analyze the attack technologies for countermeasures. Finally, we present the drawbacks and trends of power analysis attacks for lattice-based cryptography.
Authors
李延斌
朱嘉杰
唐明
张焕国
LI Yan-Bin; ZHU Jia-Jie; TANG Ming; ZHANG Huan-Guo (College of Artificial Intelligence, Nanjing Agricultural University, Nanjing 210095; State Key Laboratory of Cryptology, P.O. Box 5159, Beijing 100878; Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan University, Wuhan 430072)
Source
《计算机学报》
EI
CAS
CSCD
Peking University Core Journal
2023, No. 2, pp. 331-352 (22 pages)
Chinese Journal of Computers
Funding
Supported by the National Natural Science Foundation of China (62072247, 61972295).
Keywords
power analysis attack
lattice-based cryptography
post-quantum cryptography
hardware security
side-channel leakage