Hello and welcome to our presentation about attacking and defending masked polynomial comparison for lattice-based cryptography. This is joint work with Shivam Bhasin, Jan-Pieter D'Anvers and Thomas Pöppelmann, and it will be presented by Michiel Van Beirendonck and myself, Daniel Heinz. I want to start by giving a short introduction to side-channel security in lattice-based cryptography and to general decryption failure attacks on the FO transform, which is used by many lattice-based candidates. Then we will present two masked comparison algorithms that were designed to be side-channel secure, followed by two attacks on these algorithms showing that they are actually not. Finally, we will present our fixed-plus-noise framework, which is designed to detect such leakages in the future and to rule out insecure algorithms.

Let's start off with the motivation for our work. As commonly known, the National Institute of Standards and Technology has issued a post-quantum standardization process, which is currently in its third and final round. However, the theoretical security of post-quantum algorithms is not enough in practice, and this is why the research focus has shifted strongly towards side-channel security. The most common countermeasure against side-channel attacks is called masking. Here, every sensitive value is split into N randomized shares, preventing an attacker from gaining any information about the secret data from N-1 shares. In lattice-based cryptography, both Boolean and arithmetic operations are used, and therefore both arithmetic and Boolean masking are needed.

One of the most important tools in lattice-based cryptography to prevent chosen-ciphertext attacks is the Fujisaki-Okamoto (FO) transform. This means that the decrypted message m' gets re-encrypted, and the resulting ciphertext is compared to the input ciphertext. If an invalid ciphertext is submitted, the re-encrypted ciphertext will not match the input ciphertext but will instead look completely random, and the ciphertext is rejected. Naturally, all operations depending on the secret key sk' have to be masked to ensure side-channel security. In our figure, we have shaded the respective operations in gray. It has to be stated that the output of the comparison is public and is not sensitive data, as the knowledge that a ciphertext is invalid does not reveal any information to the attacker.

One of the most important observations about the FO transform is that if the message m' differs only slightly from the message m that was originally encrypted in ciphertext c, the output ciphertext c̃ changes completely, not just in a single bit. This is because the message m' is used as a seed for the randomness in the Kyber or Saber re-encryption. This fact can be used to mount very powerful decryption failure attacks. To do so, we submit a ciphertext c = (u, v + e) with a very small error e, where this error only affects one coefficient of the polynomial v. This can then result in two cases. During decryption, the polynomial v is only added onto the product of u and the secret key; therefore, the manually inserted error e is also added onto this intermediate value, which we call w in the figure below. If we do not trigger a bit flip, the message m' is equal to the originally encrypted message m, and if we do trigger a bit flip, m' differs from m in exactly this bit.
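To make this concrete, here is a small illustrative sketch of the bit-flip effect. It is not any scheme's reference code: the modulus, the decoder, and the value of w are simplified, Kyber-like placeholders, only meant to show how increasing the inserted error e eventually flips the decoded message bit.

```python
# Illustrative only: one coefficient of the decryption intermediate w, and how a
# small manually inserted error e can push it across the decoding threshold.
q = 3329  # Kyber-like modulus, used here purely as an example

def decode_bit(w_coeff):
    # Map a coefficient to a message bit: values near q/2 decode to 1, near 0 to 0.
    return round(2 * (w_coeff % q) / q) % 2

w = 700  # hypothetical secret-dependent intermediate coefficient
for e in range(0, 200, 25):
    flipped = decode_bit(w + e) != decode_bit(w)
    print(f"e = {e:3d}  ->  bit flip: {flipped}")
# The smallest e that flips the bit tells the attacker where w lies relative to
# the decoding threshold, i.e., it yields an (in)equality involving the secret key.
```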
This means that if we can distinguish between the two cases, whether the message bit ends up as 0 or 1, or equivalently whether a bit flip is triggered or not, we obtain equations about the intermediate value w and therefore about the secret key, which enters into w.

When we take a look at the FO transform without a triggered bit flip, it becomes clear that the re-encryption will be exactly the same as the original encryption of the message m, which corresponds to the ciphertext c = (u, v). The re-encrypted ciphertext c̃ will therefore also be equal to (u, v), as m' is equal to m. This results in a comparison of two ciphertexts that differ in exactly one coefficient, namely the coefficient where the error e was inserted. The output of the comparison is still 'no', but the compared ciphertexts differ in only one coefficient. However, if the bit flip during decryption is triggered, everything marked in red will be completely different from the original encryption of the message m. The resulting ciphertext c̃ will look completely random compared to the originally submitted ciphertext c, and the comparison will again output 'no', as essentially every coefficient will differ between c̃ and c.

In practice, decryption failure attacks are not quite that easy to mount, as, for instance, Kyber and Saber compress the ciphertext parts u and v. As visualized above, instead of equalities we then only obtain inequalities about the intermediate value w, and therefore about the secret key. However, it is possible to estimate the remaining security by using previously presented frameworks. In our work, we have used a previously presented decryption failure attack framework to mount first-order side-channel attacks on two masked implementations of the comparison in the Fujisaki-Okamoto transform. Furthermore, we have identified a collision attack on the masked comparison algorithm of Bache et al. which does not even need side-channel information. However, the ideas in their work are still usable, and therefore we propose a fix which reduces the number of needed comparisons and thereby the required operation time. Finally, we propose an adapted leakage detection framework which differentiates more clearly between sensitive and nonsensitive leakage.

Let's move on to the two masked comparison algorithms. The first one is only usable for first-order masking and is based on hashes. We have two ciphertexts, the re-encrypted and the submitted one, and the algorithm performs a separate comparison for each ciphertext part u and v. The re-encrypted part u is available in two shares, u1 and u2, and we want to check whether their sum equals the submitted ciphertext part. To prevent sensitive leakage, the randomized share u1 is subtracted from the public polynomial. In case both polynomials are the same, meaning the public and the re-encrypted one, the difference u - u1 is then equal to the share u2, and hashing both values and comparing the hashes yields a match, that is, a difference of zero. Otherwise, the hashes will differ.
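The following is a minimal sketch of how such a first-order hash-based comparison of one ciphertext part could look. It is our own illustrative model, not the code of Oder et al.: the choice of SHA3-256, the share representation, and the byte encoding are assumptions.

```python
# Sketch of the first-order hash-based comparison for one ciphertext part.
# Assumptions: coefficients mod q, re-encrypted u given as arithmetic shares u1 + u2.
import hashlib

q = 3329

def hash_poly(poly):
    # Hash a polynomial given as a list of coefficients modulo q.
    data = b"".join((c % q).to_bytes(2, "little") for c in poly)
    return hashlib.sha3_256(data).digest()

def compare_part(u_public, u1, u2):
    # If u_public == u1 + u2 (mod q), then u_public - u1 == u2 (mod q),
    # so the two hashes match; the shares themselves are never unmasked.
    lhs = [(up - s) % q for up, s in zip(u_public, u1)]
    return hash_poly(lhs) == hash_poly(u2)  # note: this Boolean is public/unmasked
```

The unmasked Boolean returned for the part u alone is exactly the partial-comparison information that our attack will exploit later in this talk.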
The approach of Bache et al. is quite different, as it also works for higher masking orders. We have a shared polynomial and a public polynomial, and we divide each of them into subsets of coefficients, which we call I_j. Without loss of generality, we take a look at the subset I_1. Every coefficient in each share, and in the public polynomial, is first multiplied by some randomness, and this randomness is the same for each share and for the public polynomial. Then all coefficients in the subset I_1 are summed up, so we obtain one randomized value per share and one for the public polynomial. One can then simply sum up the randomized shares and compare the result with the public value. If the polynomials were the same in the first place, this comparison will always be true. However, if the polynomials are different, the comparison will only be true if the random linear combination of the differences happens to sum to zero. If enough subsets are used, the probability that this happens for all of them is assumed to be negligible. One can now repeat this process for every subset I_j. The outputs of the partial comparisons over the sets I_j are stored unmasked, and Michiel will now explain how this can be exploited for a first-order side-channel attack, in the same way as for the first-order hash-based method from Oder et al.

Hi, I'm Michiel Van Beirendonck, and I'll be taking over from Daniel to talk about our attacks on these two masked comparison algorithms. Then I'll proceed by describing our fixed-plus-noise framework, which aims to catch sensitive leakages in such implementations, and finally I'll conclude our talk.

The main idea of our attack is to submit ciphertexts in two classes, exactly as in the introduction. On the left, we submit ciphertexts with a small error, denoted e-1. This error is small enough that it does not introduce a bit flip in the message m', and correspondingly the re-encrypted ciphertext will only slightly differ from the submitted ciphertext. The slight difference is exactly at the location where we introduced the error, which in our case is the polynomial v. An important consequence is that the polynomial u is unchanged, so its submitted and re-encrypted versions are equal. On the right, we submit ciphertexts with the incremented error e, which is only one larger than e-1. This time, e is large enough to trigger a bit flip, and the submitted and re-encrypted ciphertexts will differ completely.

Even though the FO transform will detect both classes of modifications and produce the same bit of information in both cases, namely that the ciphertext is rejected, the same does not hold for side-channel information. In particular, the crucial observation here is that the hash-based method unmasks a partial comparison of u. On the left, this comparison is true; on the right, it is false. We expect this information to show up in side-channel traces because it is unmasked. Therefore, it can reveal to us exactly which value of e results in the case shown on this slide, where e triggers a bit flip whereas e-1 does not.

We mount our attack as a simple fixed-versus-fixed t-test, where the two fixed classes are the ones we just talked about. On one hand, we have a class with the error e-1; on the other hand, we have a class with the error e. We then collect side-channel traces from either class, partition them into the two classes, and compute the t-statistic, as sketched below.
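As a rough illustration of this evaluation step, here is a minimal fixed-versus-fixed Welch's t-test in the style we use; the trace arrays, dimensions, and threshold are placeholders, and trace acquisition is of course not shown.

```python
# Minimal fixed-versus-fixed Welch's t-test over two sets of power traces.
# traces_a / traces_b are arrays of shape (num_traces, num_samples),
# one per ciphertext class (error e-1 versus error e).
import numpy as np

def welch_t(traces_a, traces_b):
    ma, mb = traces_a.mean(axis=0), traces_b.mean(axis=0)
    va, vb = traces_a.var(axis=0, ddof=1), traces_b.var(axis=0, ddof=1)
    return (ma - mb) / np.sqrt(va / traces_a.shape[0] + vb / traces_b.shape[0])

# Example with dummy data; in the attack, a |t| > 4.5 peak at the unmasking of
# the partial comparison tells the two classes apart.
t = welch_t(np.random.randn(1000, 5000), np.random.randn(1000, 5000))
print(np.abs(t).max())
```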
This is shown in both figures here: on the left, we show the t-statistic after as few as 1000 measurements, for the errors e = 4, e = 5, and e = 6; on the right, we show the evolution of the t-statistics throughout these measurements, to show you how quickly the leakage is caught. When e = 4, the error is so small that neither e nor e-1 causes a bit flip. When e = 6, the error is so large that both e and e-1 cause a bit flip. Exactly when e = 5, the two classes of measurements differ: e triggers a bit flip in this case, whereas e-1 does not. The resulting t-statistic, shown in black here on this slide, shows a large peak. The point in time where this peak sits is exactly at the unmasking of the comparison of the polynomial u, which is unchanged. In one class of measurements, this comparison is still true; in the other class of measurements, it is false.

Our attack on the higher-order method proceeds very similarly. Here, instead of comparing and unmasking both ciphertext components, the comparison proceeds over a number of sets. In the figure here, there are exactly 16 sets. Again, for e = 5, we can clearly distinguish t-test leakage. For the error e-1, only one of the sets will fail the comparison, whereas for the error e, all sets will fail. We can clearly distinguish 16 leakage peaks corresponding to the unmasking of each of the 16 sets.

On the higher-order method, we can also mount a collision attack that does not need any side channels. As we just mentioned, the method splits the comparison into several sets. Each set also has a certain probability that the ciphertext modification will still pass the comparison. This is exactly the probability that one of the randomly sampled values takes on the value 0, which is 1/q in our case. One of the explicit assumptions of the method is that a faulty ciphertext results in a completely different re-encrypted ciphertext. In that case, such a collision, where the randomly sampled value takes on the value 0, would need to happen in all of the sets. The probability for this to happen becomes (1/q)^L, where L is the number of sets, and L can then be chosen for sufficient security. However, we have just shown that the assumption that all sets will fail for a modified ciphertext does not hold. We can submit ciphertexts as shown on the left of this slide, where the ciphertext modification is small enough that only one of the sets will fail the comparison.

This allows us to mount a simple chosen-ciphertext attack. We submit some faulty ciphertext, and if we are on the left side of this slide, we expect to eventually pass the comparison, because the collision probability is now only 1/q. If we are on the right, we will not pass the comparison, because the collision probability is (1/q)^L, where L is chosen for sufficient security. Again, this allows us to distinguish between both cases and learn the value e that exactly partitions us into the case shown on this slide. From there we can learn the sensitive value w, and this information can be used to significantly reduce the security and break the schemes.

The fundamental flaw in both of the schemes is that they unmask partial comparisons of the ciphertext. While the final yes-or-no bit that is the output of the FO transform does not contain any sensitive information, the same certainly does not hold for the information contained in these partial comparisons. The hash-based method permits a simple fix: instead of comparing both ciphertext components individually using the hash-based approach, it is possible to simply concatenate the ciphertext components and hash them together, as sketched below. This method was already employed in a masked implementation of Saber, and in this case the final unmasking no longer contains any sensitive information.
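To illustrate this fix, here is a sketch of the joint comparison. It is our own simplified model, not the code of the masked Saber implementation; the hash function and encoding are again assumptions.

```python
# Sketch of the fixed hash-based comparison: hash the concatenation of both
# ciphertext parts, so no partial comparison of u or v alone is ever unmasked.
import hashlib

q = 3329

def hash_polys(*polys):
    data = b"".join((c % q).to_bytes(2, "little") for p in polys for c in p)
    return hashlib.sha3_256(data).digest()

def compare_joint(u_pub, v_pub, u1, u2, v1, v2):
    # Re-encrypted (u, v) is shared as (u1 + u2, v1 + v2) mod q.
    lhs_u = [(a - b) % q for a, b in zip(u_pub, u1)]
    lhs_v = [(a - b) % q for a, b in zip(v_pub, v1)]
    # Only the equality over the whole ciphertext becomes public, which is
    # exactly the nonsensitive accept/reject bit of the FO transform.
    return hash_polys(lhs_u, lhs_v) == hash_polys(u2, v2)
```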
For the higher-order method, the situation is less straightforward. Even if the masked sum, which is now done on each set individually, were done over all the sets jointly, the collision probability would still remain 1/q. Furthermore, the security proof did not take into account that a slightly modified ciphertext will still result in a re-encrypted ciphertext that is highly similar, and in this case there is actual leakage of information when the final sum is unmasked. Because of these two issues, there is no straightforward fix to the higher-order method. However, the ideas from this paper can still be reused to reduce the number of comparisons that are necessary in a masked implementation. We propose such an algorithm in our paper and call it reduced comparisons. The main idea is that if we repeat the masked sum over the entire ciphertext L times, the collision probability does become (1/q)^L. Furthermore, we do not do any final unmasking, but instead propose to simply use a masked Boolean comparison circuit, as has been done before in the literature.

In our work, we found exploitable vulnerabilities in two masked comparison algorithms. To prevent such issues from happening in the future, we propose a new framework which we call fixed-plus-noise. Before describing our framework, an important question to ask is why the standard t-test did not detect the leakage that we saw on the previous slides. To answer this question, it is important to first look at the specific way the t-test is applied to masked implementations. The typical scenario is to conduct a fixed-versus-random t-test. In this case, the fixed ciphertext is often the ciphertext that is output by the encapsulation, and the random ciphertext is chosen completely at random. One of the problems with this approach is that the fixed ciphertext will be a valid ciphertext, whereas the random ciphertext will be an invalid ciphertext. As a result, there will be output leakage of the yes-or-no bit that is the output of the FO transform, but as we previously mentioned, this output bit is nonsensitive.

On this slide, we show the resulting t-statistic for such a fixed-versus-random t-test. On the left, we have the hash-based method, and on the right, we have the higher-order method that partitions the comparison into sets. In the middle is the fixed method that was applied in the masked implementation of Saber, where the hash-based comparison proceeds by concatenating the ciphertext components. In a fixed-versus-random t-test where the fixed ciphertext is valid and the random ciphertext is invalid, all of these implementations show output leakage. This is exactly the leakage of the yes-or-no bit that is the output of the FO transform. Crucially, however, this leakage looks very similar to the leakage we exploited in our attacks on these implementations. In the standard fixed-versus-random t-test applied here, it is therefore very difficult to distinguish between sensitive and nonsensitive leakage.

We propose to conduct the t-test differently, in what we call fixed-plus-noise versus random. The main idea is to choose both ciphertexts as invalid ciphertexts, thus eliminating the output leakage. The fixed ciphertext contains a small amount of noise, whereas the random ciphertext can still be taken essentially completely at random. Our method is similar to a semi-fixed versus random t-test in the sense that it fixes the output bit of the FO transform to reject the ciphertext.
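As a small sketch of how the two measurement classes for this test could be generated, under the assumption of a Kyber-like modulus and with purely illustrative helper names:

```python
# Illustrative construction of the two trace classes for the
# fixed-plus-noise versus random t-test; names and parameters are placeholders.
import secrets

q, n = 3329, 256

def fixed_plus_noise(u_fixed, v_fixed, e=1):
    # Start from one valid, fixed ciphertext and add a small error e to a single
    # coefficient of v: the ciphertext becomes invalid (the FO transform always
    # rejects it), but e is small enough not to flip a message bit.
    v = list(v_fixed)
    v[0] = (v[0] + e) % q
    return u_fixed, v

def fully_random():
    # Invalid ciphertext chosen essentially at random; also always rejected.
    return ([secrets.randbelow(q) for _ in range(n)],
            [secrets.randbelow(q) for _ in range(n)])

# Since both classes fix the FO output bit to "reject", any remaining t-test
# leakage between them must come from sensitive intermediate values.
```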
When applied to the masked comparison implementations, it can immediately be seen that two of them are insecure, whereas only the middle one is secure. The hash-based method and the higher-order method, shown on the left and on the right, still show leakage in this case. This is exactly because the fixed-plus-noise class of measurements will only cause one of the comparisons to fail, or, for the higher-order method, only one of the sets to fail. On the other hand, the random class of measurements will cause all of the comparisons to fail. This is very similar to what we exploited in our attacks, with the only exception that we are now no longer looking for the border-case value of e that separates the two cases. In the middle implementation, there is no longer any leakage. This shows that the leakage we saw on the previous slide was indeed only the nonsensitive output leakage of the FO transform. On the other hand, using our fixed-plus-noise framework, it can be shown that the same does not hold for the hash-based method and the higher-order method. These methods leak more information than only the one output bit of the FO transform, and this information can be exploited to mount the attacks that we described previously. In our paper, we further analyze our framework, and we also provide a code snippet so that you can conduct the fixed-plus-noise versus random t-test yourself.

To conclude our work: we attacked two masked implementations of the polynomial comparison in the FO transform. We could do so both with a first-order side-channel attack and with a collision attack that does not need any side-channel information. We also showed how to modify the methods to prevent the sensitive leakage. Finally, we proposed the new fixed-plus-noise versus random framework, which should serve to detect these insecurities in the future. We proposed reduced comparisons as a straightforward fix to the higher-order method, but we believe that there is interesting future work in a more efficient higher-order masked comparison method. We would like to thank you for listening to our talk, and do not hesitate to reach out to us if you have any questions.