Flush, gauss, and reload – a cache attack on the BLISS lattice-based signature scheme
Files
(Restricted Access)
Date
2016
Authors
Groot Bruinderink, L.
Hülsing, A.
Lange, T.
Yarom, Y.
Editors
Gierlichs, B.
Poschmann, A.
Type:
Conference paper
Citation
Lecture Notes in Artificial Intelligence, 2016 / Gierlichs, B., Poschmann, A. (ed./s), vol.9813 LNCS, pp.323-345
Statement of Responsibility
Leon Groot Bruinderink, Andreas Hülsing, Tanja Lange, and Yuval Yarom
Conference Name
18th International Conference on Cryptographic Hardware and Embedded Systems (CHES) (17 Aug 2016 - 19 Aug 2016 : Santa Barbara, CA)
Abstract
We present the first side-channel attack on a lattice-based signature scheme, using the Flush+Reload cache attack. The attack is targeted at the discrete Gaussian sampler, an important step in the Bimodal Lattice Signature Schemes (BLISS). After observing only 450 signatures with a perfect side-channel, an attacker is able to extract the secret BLISS key in less than 2 minutes, with a success probability of 0.96. Similar results are achieved in a proof-of-concept implementation using the Flush+Reload technique with less than 3500 signatures. We show how to attack sampling from a discrete Gaussian using CDT or Bernoulli sampling by showing potential information leakage via cache memory. For both sampling methods, a strategy is given to use this additional information, finalize the attack and extract the secret key. We provide experimental evidence for the idealized perfect side-channel attacks and the Flush+Reload attack on two recent CPUs.
Description
Lecture Notes in Computer Science, vol. 9813
Rights
© International Association for Cryptologic Research 2016