Flush, gauss, and reload – a cache attack on the BLISS lattice-based signature scheme

Files

RA_hdl_108057.pdf (368.18 KB)
  (Restricted Access)

Date

2016

Authors

Groot Bruinderink, L.
Hülsing, A.
Lange, T.
Yarom, Y.

Editors

Gierlichs, B.
Poschmann, A.

Type

Conference paper

Citation

Lecture Notes in Artificial Intelligence, 2016 / Gierlichs, B., Poschmann, A. (ed./s), vol.9813 LNCS, pp.323-345

Statement of Responsibility

Leon Groot Bruinderink, Andreas Hülsing, Tanja Lange, and Yuval Yarom

Conference Name

18th International Conference on Cryptographic Hardware and Embedded Systems (CHES) (17 Aug 2016 - 19 Aug 2016 : Santa Barbara, CA)

Abstract

We present the first side-channel attack on a lattice-based signature scheme, using the Flush+Reload cache attack. The attack is targeted at the discrete Gaussian sampler, an important step in the Bimodal Lattice Signature Schemes (BLISS). After observing only 450 signatures with a perfect side-channel, an attacker is able to extract the secret BLISS key in less than 2 minutes, with a success probability of 0.96. Similar results are achieved in a proof-of-concept implementation using the Flush+Reload technique with less than 3500 signatures. We show how to attack sampling from a discrete Gaussian using CDT or Bernoulli sampling by showing potential information leakage via cache memory. For both sampling methods, a strategy is given to use this additional information, finalize the attack and extract the secret key. We provide experimental evidence for the idealized perfect side-channel attacks and the Flush+Reload attack on two recent CPUs.

Description

Lecture Notes in Computer Science, vol. 9813

Rights

© International Association for Cryptologic Research 2016
