Cite this article:
  • Qiao Zehua, Zhang Qian, Liu Yuejun, Zhou Yongbin, Ming Jingdian. Difference Clustering Based on Challenges: An Efficient Side-Channel Attack on Dilithium [J]. Journal of Cyber Security (信息安全学报), accepted. (Chinese title: 基于挑战的差值聚类法:一种面向Dilithium实现的快速侧信道攻击)

DOI:
Received: 2024-12-01; Revised: 2025-01-07
Funding: National Natural Science Foundation of China (General, Key and Major Programs); National Key R&D Program of China; Yunnan Provincial Major Science and Technology Project
Difference Clustering Based on Challenges: An Efficient Side-Channel Attack on Dilithium
Qiao Zehua 1, Zhang Qian 2, Liu Yuejun 3, Zhou Yongbin 4, Ming Jingdian 5
(1. Institute of Information Engineering, Chinese Academy of Sciences; Key Laboratory of Cyberspace Security Defense; School of Cyber Security, University of Chinese Academy of Sciences; 2. Institute of Information Engineering, Chinese Academy of Sciences; Key Laboratory of Cyberspace Security Defense; 3. School of Cyberspace Security, Nanjing University of Technology, Nanjing; 4. Institute of Information Engineering, Chinese Academy of Sciences; School of Cyberspace Security, Nanjing University of Technology; 5. Jiaxing Research Institute, Zhejiang University)
Abstract:
In August 2024, the National Institute of Standards and Technology (NIST) officially released the first batch of post-quantum cryptography (PQC) standards, including the module-lattice-based digital signature algorithm originally named CRYSTALS-Dilithium (referred to as Dilithium). As PQC migration progresses, side-channel attacks have become a significant security concern in practical implementations. Existing non-template side-channel analysis methods for Dilithium typically attempt to recover private key coefficients in the Number Theoretic Transform (NTT) domain first, followed by an inverse NTT to obtain the private key coefficients in the normal domain. However, the coefficient range in the NTT domain is significantly larger than that in the normal domain, which greatly increases the difficulty of side-channel analysis. Consequently, when the number of traces is small, recovering each private key coefficient may require enumerating a value space of approximately 2^13 candidates. Moreover, there is currently a lack of discussion on the effectiveness of such attacks in high-noise environments. To address these challenges, this paper proposes a challenge-based difference clustering method and, for the first time, utilizes a non-template attack to directly recover the complete private key of Dilithium in the normal domain. Specifically, the proposed method analyzes the distribution characteristics of the polynomial multiplication results cs1 and cs2, which involve the private key components s1 and s2. Using the publicly available signature challenge, the method classifies side-channel leakage information and amplifies the theoretical differences in power leakage distributions across categories by leveraging the two's-complement representation of the hardware platform. Finally, clustering techniques are employed to rapidly recover the private key.
Experimental results on the NIST-recommended ARM Cortex-M4 hardware platform demonstrate that the proposed method requires only 150 to 500 power traces to recover the complete private keys s1 and s2 of Dilithium2, Dilithium3, and Dilithium5 within one minute on a general-purpose computer. Under the same experimental conditions, the proposed method reduces the time overhead by more than 5,000 times compared to the state-of-the-art small-trace attack proposed by Chen et al. [1]. Interestingly, this significant technical advantage is further amplified in high-noise scenarios. For instance, when the signal-to-noise ratio is 0.1, the proposed challenge-based difference clustering method requires only 600 power traces and 4 minutes to recover the complete private key of Dilithium2, whereas the method of Chen et al. [1] requires 4,000 power traces and an execution time of 820 hours.
Key words: post-quantum cryptography; Dilithium; side-channel attack; difference clustering
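The abstract rests on two facts about the normal-domain product c·s: its coefficients are bounded by τ·η (far fewer candidate values than an NTT-domain residue mod q), and on a two's-complement core such as the Cortex-M4 the sign of such a small value changes the Hamming weight of its 32-bit encoding dramatically. The following Python simulation, added here as an illustration and not code from the paper, makes both points concrete so that an implementer can see why unmasked normal-domain intermediates are a leakage risk. The (η, τ) pairs and q are taken from the Dilithium specification; the secret and challenge samplers are constructed toy samplers, not the specification's sampling procedures; nothing here models power traces or the paper's clustering step.

```python
import random

Q = 8380417   # Dilithium modulus q = 2^23 - 2^13 + 1
N = 256       # ring Z_q[x] / (x^256 + 1)

# (eta, tau) per parameter set, taken from the Dilithium specification:
# eta bounds the secret coefficients, tau is the number of +-1 entries in a challenge.
PARAMS = {"Dilithium2": (2, 39), "Dilithium3": (4, 49), "Dilithium5": (2, 60)}


def sample_secret(eta, rng):
    """Toy secret polynomial: coefficients uniform in [-eta, eta]
    (constructed for illustration; the spec's sampler is not reproduced)."""
    return [rng.randint(-eta, eta) for _ in range(N)]


def sample_challenge(tau, rng):
    """Challenge polynomial c with exactly tau nonzero coefficients in {-1, +1}."""
    c = [0] * N
    for idx in rng.sample(range(N), tau):
        c[idx] = rng.choice((-1, 1))
    return c


def negacyclic_mul(a, b):
    """Schoolbook product in Z[x]/(x^N + 1), deliberately without reduction mod q:
    the signed integer values are what a normal-domain implementation handles."""
    res = [0] * N
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                res[k] += ai * bj
            else:
                res[k - N] -= ai * bj   # x^N = -1 in this ring
    return res


def hw32(v):
    """Hamming weight of the 32-bit two's-complement encoding of v (one Cortex-M4 word)."""
    return bin(v & 0xFFFFFFFF).count("1")


def value_space(name):
    """Distinct values a coefficient of c*s can take in the normal domain
    (|coef| <= tau*eta) versus in the NTT domain (any residue mod q)."""
    eta, tau = PARAMS[name]
    return {"normal_domain": 2 * tau * eta + 1, "ntt_domain": Q}


def leakage_gap(name, seed=0):
    """Simulate one c*s product and report the Hamming-weight separation between
    negative and non-negative coefficients under two's complement. A wide gap is
    what a value-dependent power model would expose, and the reason such
    intermediates need masking or a comparable countermeasure."""
    eta, tau = PARAMS[name]
    rng = random.Random(seed)
    cs = negacyclic_mul(sample_challenge(tau, rng), sample_secret(eta, rng))
    bound = tau * eta
    assert all(abs(v) <= bound for v in cs)   # the tau*eta bound always holds
    neg = [hw32(v) for v in cs if v < 0]
    nonneg = [hw32(v) for v in cs if v >= 0]
    return {
        "max_abs": max(abs(v) for v in cs),
        "min_hw_negative": min(neg) if neg else None,
        "max_hw_nonnegative": max(nonneg) if nonneg else None,
    }


if __name__ == "__main__":
    for name in PARAMS:
        print(name, value_space(name), leakage_gap(name))
```

For Dilithium2 the normal-domain coefficient takes one of only 157 values, while negative coefficients encode with at least 26 set bits and non-negative ones with at most 6; the paper's point is that a known challenge lets these distributions be separated, so a deployment that leaves c·s1 and c·s2 unprotected on such a core should be treated as exposed.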