快速Dilithium 於Cortex-M4 平台實現的旁通道分析

Abstract

隨者量子電腦的發展，後量子密碼演算法，將會取代現有的非對稱密碼系統。在2022 年七月，美國國家標準暨技術研究院，公布了標準化的後量子數位簽章法，Crystal-Dilithium 是三個標準的其中一個，也是三個之中可以在合理時間內，於Cortex-M4 上運行的後量子數位簽章。

2022 年一月，一種運行於 Cortex-M4 加速版本的 Dilthium 被研發出來，它在小係數多項式乘法有更快的運算，使得運行的時間被近一步地縮短，然而也使其對旁通道攻擊的弱點進一步地被放大。

本文使用了相關性能量分析攻擊(Correlation Power Analysis) 和 T 檢定(T-test)， 將這兩種分析的方式結合，成功的攻擊了 Dilithium-2 的小係數多項式乘法，並且準確地還原其私鑰。Correlation Power Analysis 可以在短時間內，從66049 種可能性中找出最有可能的私鑰組合，而 Profiling T-test，則可從少數的組合中找到正確的答案，形成一個快速又有效果的攻擊方式。如果沒有使用 masking 或shuffling 進行防護，Dilithium 對於旁通道攻擊的防護是非常脆弱的。

With the development of quantum computers, post-quantum cryptography (PQC) and its digital signatures will replace asymmetric cryptographic systems. In July 2022, the National Institute of Standards and Technology (NIST) announced the standardized Postquantum signatures. Crystal-Dilithium is one of the three digital signature standards, and it is also one of the three that can run on the Cortex-M4 in a reasonable time. In January 2022, a faster version of Dilithium was developed. It has faster operations in small coefficient polynomial multiplication, further shortening the running time and amplifying its vulnerability to side-channel attacks.

This article uses the combination of Correlation Power Analysis and Profiling T-test to successfully attack Dilithium-2’s small coefficient polynomial multiplication to recover its sensitive information $s_1$ and $s_2$. Correlation Power Analysis can find the most likely $s_1$ and $s_2$ coefficient pairs from 66049 possibilities quickly. In contrast, the Profiling T-test can find the correct answer from a few candidates, forming a fast and effective attack method. Without the countermeasure of masking or shuffling for protection, Dilithium will be very vulnerable to side-channel attacks.