Type: Conference paper
Title: To BLISS-B or not to be - Attacking strongSwan’s implementation of post-quantum signatures
Author: Pessl, P.
Groot Bruinderink, L.
Yarom, Y.
Citation: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS '17), 2017 / pp. 1843-1855
Publisher: Association for Computing Machinery
Issue Date: 2017
ISBN: 9781450349468
ISSN: 1543-7221
Conference Name: ACM SIGSAC Conference on Computer and Communications Security (CCS) (30 Oct 2017 - 03 Nov 2017 : Dallas, TX, US)
Statement of Responsibility: Peter Pessl, Leon Groot Bruinderink, Yuval Yarom
Abstract: In the search for post-quantum secure alternatives to RSA and ECC, lattice-based cryptography appears to be an attractive and efficient option. A particularly interesting lattice-based signature scheme is BLISS, offering key and signature sizes in the range of RSA moduli. A range of works on efficient implementations of BLISS is available, and the scheme has seen a first real-world adoption in strongSwan, an IPsec-based VPN suite. In contrast, the implementation-security aspects of BLISS, and lattice-based cryptography in general, are still largely unexplored. At CHES 2016, Groot Bruinderink et al. presented the first side-channel attack on BLISS, thus proving that this topic cannot be neglected. Nevertheless, their attack has some limitations. First, the technique is demonstrated via a proof-of-concept experiment that was not performed under realistic attack settings. Furthermore, the attack does not apply to BLISS-B, an improved variant of BLISS and also the default option in strongSwan. This problem also applies to later works on implementation security of BLISS. In this work, we solve both of the above problems. We present a new side-channel key-recovery algorithm against both the original BLISS and the BLISS-B variant. Our key-recovery algorithm draws on a wide array of techniques, including learning parity with noise, integer programs, maximum likelihood tests, and a lattice-basis reduction. With each application of a technique, we reveal additional information on the secret key, culminating in a complete key recovery. Finally, we show that cache attacks on post-quantum cryptography are not only possible, but also practical. We mount an asynchronous cache attack on the production-grade BLISS-B implementation of strongSwan. The attack recovers the secret signing key after observing roughly 6000 signature generations.
Keywords: Lattice-based cryptography; side-channel analysis; signatures; cache attacks; learning parity with noise; lattice reduction
Description: Session I1: Post-Quantum
Rights: © 2017 Copyright held by the owner/author(s). Publication rights licensed to Association for Computing Machinery.
RMID: 0030080050
DOI: 10.1145/3133956.3134023
Appears in Collections: Computer Science publications

Files in This Item:
File: hdl_123313.pdf | Description: Accepted version | Size: 1.09 MB | Format: Adobe PDF
