Title: Flush, Gauss, and Reload – A Cache Attack on the BLISS Lattice-Based Signature Scheme
Type: Conference paper
Authors: Groot Bruinderink, L.; Hülsing, A.; Lange, T.; Yarom, Y. (ORCID 0000-0003-0401-4197)
Editors: Gierlichs, B.; Poschmann, A.
Year: 2016
Repository record dates: 2017-09-26; 2017-09-26
Citation: Lecture Notes in Artificial Intelligence, 2016 / Gierlichs, B., Poschmann, A. (eds), vol. 9813 LNCS, pp. 323-345
Series: Lecture Notes in Computer Science, vol. 9813
ISBN: 9783662531396
ISSN: 0302-9743; eISSN: 1611-3349
DOI: 10.1007/978-3-662-53140-2_16
Handle: http://hdl.handle.net/2440/108057
Web of Science: 000389705000016
Scopus: 2-s2.0-84981344695
Other record identifiers: 0030054655; 263579
Language: en
Rights: © International Association for Cryptologic Research 2016
Keywords: SCA; Flush+Reload; Lattices; BLISS; Discrete Gaussians

Abstract: We present the first side-channel attack on a lattice-based signature scheme, using the Flush+Reload cache attack. The attack is targeted at the discrete Gaussian sampler, an important step in the Bimodal Lattice Signature Schemes (BLISS). After observing only 450 signatures with a perfect side-channel, an attacker is able to extract the secret BLISS key in less than 2 minutes, with a success probability of 0.96. Similar results are achieved in a proof-of-concept implementation using the Flush+Reload technique with fewer than 3500 signatures. We show how to attack sampling from a discrete Gaussian using CDT or Bernoulli sampling by showing potential information leakage via cache memory. For both sampling methods, a strategy is given to use this additional information, finalize the attack and extract the secret key. We provide experimental evidence for the idealized perfect side-channel attacks and the Flush+Reload attack on two recent CPUs.
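The abstract states that CDT (cumulative distribution table) sampling of a discrete Gaussian leaks through cache memory. The simulation below, an added example and not the paper's code, makes that leakage concrete: a binary search over a CDT touches table entries whose positions depend on the sampled value, and an observer who learns only which cache lines of the table were loaded (what a perfect Flush+Reload observer sees) can narrow the sample to a small candidate set. The sampler, the toy parameters (sigma = 4, a tail cut at 12 sigma, 8-byte entries, 64-byte lines) and the leak-table construction are assumptions chosen for illustration; they are not BLISS's parameters or the attack strategy from the paper.

```python
"""Simulated cache-line leakage of a CDT discrete Gaussian sampler.

Added example, not code from the paper. All parameters below are toy
assumptions for illustration only.
"""
import math
import random

SIGMA = 4.0            # toy standard deviation (assumption)
TAIL = 12              # table covers 0 .. TAIL*SIGMA (assumption)
ENTRY_BYTES = 8        # one CDT entry per 64-bit word (assumption)
LINE_BYTES = 64        # cache line size (assumption)
ENTRIES_PER_LINE = LINE_BYTES // ENTRY_BYTES   # 8 entries per line


def build_cdt(sigma=SIGMA, tail=TAIL):
    """Cumulative table for the non-negative half of a discrete Gaussian."""
    n = int(math.ceil(tail * sigma))
    weights = [math.exp(-(x * x) / (2 * sigma * sigma)) for x in range(n)]
    total = sum(weights)
    cdt, acc = [], 0.0
    for w in weights:
        acc += w
        cdt.append(acc / total)
    cdt[-1] = 1.0      # guard against floating-point rounding at the tail
    return cdt


def cdt_sample(cdt, rng, trace):
    """Return the smallest x with cdt[x] >= u, recording every index read.

    The recorded indices are the memory accesses a cache attacker can
    observe at cache-line granularity.
    """
    u = rng.random()
    lo, hi = 0, len(cdt) - 1
    while lo < hi:
        mid = (lo + hi) // 2
        trace.append(mid)
        if cdt[mid] < u:
            lo = mid + 1
        else:
            hi = mid
    return lo


def access_path(n, x):
    """Indices the binary search reads when its result is x.

    The path depends only on x, not on the random u, because the
    comparison cdt[mid] < u is equivalent to mid < x for a monotone table.
    """
    path, lo, hi = [], 0, n - 1
    while lo < hi:
        mid = (lo + hi) // 2
        path.append(mid)
        if mid < x:
            lo = mid + 1
        else:
            hi = mid
    return path


def lines_touched(indices):
    """Cache lines of the table covered by a list of entry indices."""
    return frozenset(i // ENTRIES_PER_LINE for i in indices)


def build_leak_table(n):
    """Offline precomputation: map each observable line set to the x values
    that produce it.  The attacker needs only the public table layout."""
    leak = {}
    for x in range(n):
        leak.setdefault(lines_touched(access_path(n, x)), set()).add(x)
    return leak


def simulate(seed=1, samples=20):
    """Draw samples, observe only the touched lines, and recover candidates.

    Returns a list of (true_x, sorted_candidates) pairs.
    """
    cdt = build_cdt()
    leak = build_leak_table(len(cdt))
    rng = random.Random(seed)
    results = []
    for _ in range(samples):
        trace = []
        x = cdt_sample(cdt, rng, trace)
        candidates = leak[lines_touched(trace)]
        results.append((x, sorted(candidates)))
    return results


if __name__ == "__main__":
    for x, cands in simulate():
        print(f"sample {x:2d}  ->  attacker candidates {cands}")
```

With these toy parameters the 48-entry table spans six cache lines, so the observed line set partitions the 48 possible outputs into a handful of buckets (for instance, every output below 12 maps to the same bucket of 12 values). An observer who also sees the order of line loads, or who has a larger table with more lines per output range, learns correspondingly more; turning such partial information about many samples into the signing key is the part of the attack the paper describes and this example does not attempt.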