Hints from Hertz: Dynamic Frequency Scaling Side-Channel Analysis of Number Theoretic Transform in Lattice-Based KEMs

Authors

  • Tianrun Yu Hubei Key Laboratory of Intelligent Geo-Information Processing, School of Computer Science, China University of Geosciences, Wuhan, China; State Key Laboratory of Integrated Services Networks, Xidian University, Xian, China
  • Chi Cheng Hubei Key Laboratory of Intelligent Geo-Information Processing, School of Computer Science, China University of Geosciences, Wuhan, China; State Key Laboratory of Integrated Services Networks, Xidian University, Xian, China
  • Zilong Yang Hubei Key Laboratory of Intelligent Geo-Information Processing, School of Computer Science, China University of Geosciences, Wuhan, China; State Key Laboratory of Integrated Services Networks, Xidian University, Xian, China
  • Yingchen Wang The University of Texas at Austin, Austin, TX, USA
  • Yanbin Pan Key Laboratory of Mathematics Mechanization, Academy of Mathematics and Systems Science, Chinese Academy of Sciences, Beijing, China
  • Jian Weng College of Information Science and Technology, Jinan University, Guangzhou, China

DOI:

https://doi.org/10.46586/tches.v2024.i3.200-223

Keywords:

Lattice-based cryptography, Side-channel attacks, Hertzbleed attack, Post-Quantum cryptography, Kyber, Number Theoretic Transform

Abstract

Number Theoretic Transform (NTT) has been widely used in accelerating computations in lattice-based cryptography. However, attackers can potentially launch power analysis targeting the NTT because it is one of the most time-consuming parts of the implementation. This extended time frame provides a natural window of opportunity for attackers. In this paper, we investigate the first CPU frequency leakage (Hertzbleed-like) attacks against NTT in lattice-based KEMs. Our key observation is that different inputs to NTT incur different Hamming weights in its output and intermediate layers. By measuring the CPU frequency during the execution of NTT, we propose a simple yet effective attack idea to find the input to NTT that triggers NTT processing data with significantly low Hamming weight. We further apply our attack idea to real-world applications that are built upon NTT: CPAsecure Kyber without Compression and Decompression functions, and CCA-secure NTTRU. This leads us to extract information or frequency hints about the secret key. Integrating these hints into the LWE-estimator framework, we estimate a minimum of 35% security loss caused by the leakage. The frequency and timing measurements on the Reference and AVX2 implementations of NTT in both Kyber and NTTRU align well with our theoretical analysis, confirming the existence of frequency side-channel leakage in NTT. It is important to emphasize that our observation is not limited to a specific implementation but rather the algorithm on which NTT is based. Therefore, our results call for more attention to the analysis of power leakage against NTT in lattice-based cryptography.

Downloads

Published

2024-07-18

Issue

Section

Articles

How to Cite

Hints from Hertz: Dynamic Frequency Scaling Side-Channel Analysis of Number Theoretic Transform in Lattice-Based KEMs. (2024). IACR Transactions on Cryptographic Hardware and Embedded Systems, 2024(3), 200-223. https://doi.org/10.46586/tches.v2024.i3.200-223