timing attack against SMAUG-T software


D. J. Bernstein

May 11, 2024, 2:12:58 PM
to kpqc-b...@googlegroups.com
As an illustration of the importance of constant-time software, here's
an attack demo that often recovers a long-term SMAUG-T128 secret key
from a few minutes of decapsulation timings of the optimized
implementation in the SMAUG-T package:

https://cr.yp.to/2024/20240511-smaug-t/attack.c

I copied this program into

SMAUG-T_Implementation package_v2/optimized_implementation/kem/src

on a 4-core 3GHz Intel Xeon E3-1220 v5 (Skylake), and used the script
shown below to compile the program and run 10 attack experiments. 6 of
the experiments succeeded in finding the secret key, taking 72 seconds,
53 seconds, 390 seconds, 304 seconds, 119 seconds, and 536 seconds
respectively. The other 4 experiments gave up after 660 seconds without
finding the secret key.

This demo can be improved. The demo uses a limited selection of
ciphertexts, uses only total dec timings (rather than checking for
contention on specific cache lines, branch-prediction slots, etc.), uses
a very simple model of how ciphertexts affect timings, uses very little
computation beyond the decapsulation, and does not exploit the SMAUG-T
software bug that selects particular positions for secrets.

---D. J. Bernstein


#!/bin/sh

# Compiler and flags used for every object (AVX2 optimized implementation).
CC="gcc -march=native -mtune=native -O3 -fomit-frame-pointer -mavx2 -mbmi2 -mpopcnt -Wall -Wextra"

# Compile each source into an object in the current directory, skipping a
# file whose object is already newer than the source. (For the keccak/
# sources the object lands in the current directory while $y keeps the
# keccak/ prefix, so the -nt test never matches and they are rebuilt.)
for x in attack.c ciphertext.c dg.c fips202.c fips202x4.c hash.c hwt.c indcpa.c io.c kem.c key.c pack.c poly.c randombytes.c verify.c keccak/KeccakP-1600-AVX2.S keccak/KeccakP-1600-times4-SIMD256.c
do
  y=`echo $x | sed 's/..$/.o/'`
  [ $y -nt $x ] ||
  $CC \
    -DSMAUG_MODE=1 \
    -I ../include \
    -I ../include/keccak \
    -c $x
done

# Link the attack program against the SMAUG-T objects.
$CC -o attack attack.o ciphertext.o dg.o fips202.o fips202x4.o hash.o hwt.o indcpa.o io.o kem.o key.o pack.o poly.o randombytes.o verify.o KeccakP-1600-AVX2.o KeccakP-1600-times4-SIMD256.o

# Run 10 attack experiments, timing each one and saving its output.
for j in `seq 0 9`
do
  time ./attack > attack.run.$j
done

성효은

May 17, 2024, 5:40:58 AM
to kpqc-b...@googlegroups.com, D. J. Bernstein

Dear all, 

We thank D. J. Bernstein for his efforts to validate the implementation of the KpqC Round 2 submissions. We agree with his analysis on the SMAUG-T implementation. Below, we specify our plans for upcoming updates regarding the timing attack and some issues raised here.

1. Limited randomness
We noticed this issue after Round 2 submission and updated the implementation on March 20 at the public git repository.

2. Reported TIMECOP complaints
Based on the reported TIMECOP complaints, we are working on updating the reference/optimized implementation of SMAUG-T to have a constant execution time. Most importantly, we are modifying the Hamming weight sampler regarding the timing attack. We appreciate D. J. Bernstein for suggesting several options for the constant-time Hamming weight sampler. We are implementing and analyzing the sampler from ia.cr/2024/583 and other possible options. Other TIMECOP complaints will also be dealt with accordingly. We will notify here when the update is ready.

Best Regards,
Team SMAUG-T


On Sun, May 12, 2024 at 3:12 AM, D. J. Bernstein <authorcon...@box.cr.yp.to> wrote:
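The first post shows how variable-time decapsulation leaks a long-term key, and the reply above names the fix: a constant-time Hamming weight sampler. The following program is an added illustration written for this page; it is not SMAUG-T's code and not code from either post. It puts an illustrative variable-time fixed-weight ternary sampler (positions drawn until the weight is reached, with a secret-dependent rejection loop and secret-indexed stores) next to a constant-time one that tags every index with a random key, sorts with a bitonic network of branch-free compare-exchanges, marks the first SAMPLE_H entries, and sorts back into position order. The parameters SAMPLE_N and SAMPLE_H, the splitmix64 stream standing in for a XOF, and all function names are assumptions made for the example, not SMAUG-T values.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical parameters for this example (not SMAUG-T's): vector
   length SAMPLE_N (a power of two) and Hamming weight SAMPLE_H. */
#define SAMPLE_N 256
#define SAMPLE_H 64

/* Deterministic splitmix64 stream, constructed here as a stand-in for the
   XOF output a real sampler would consume. */
typedef struct { uint64_t s; } prng_t;
static uint64_t prng_next(prng_t *p) {
    uint64_t z = (p->s += 0x9e3779b97f4a7c15ULL);
    z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ULL;
    z = (z ^ (z >> 27)) * 0x94d049bb133111ebULL;
    return z ^ (z >> 31);
}

/* Number of nonzero coefficients. */
int hamming_weight(const int8_t *v, size_t n) {
    int w = 0;
    for (size_t i = 0; i < n; i++) w += (v[i] != 0);
    return w;
}

/* Illustrative variable-time sampler: draws positions and retries on a
   collision, so the number of loop iterations and the addresses written
   depend on the secret positions. Returns the number of draws used. */
int sample_fixed_weight_vartime(uint64_t seed, int8_t out[SAMPLE_N]) {
    prng_t p = { seed };
    int w = 0, draws = 0;
    memset(out, 0, SAMPLE_N);
    while (w < SAMPLE_H) {
        uint64_t r = prng_next(&p);
        uint32_t pos = (uint32_t)(r % SAMPLE_N);
        draws++;
        if (out[pos] == 0) {                        /* secret-dependent branch */
            out[pos] = ((r >> 32) & 1) ? 1 : -1;   /* secret-indexed store */
            w++;
        }
    }
    return draws;
}

/* Branch-free compare-exchange on (key, val) pairs: afterwards a->key <=
   b->key, with vals moved alongside. The swap mask is computed
   arithmetically, so neither a branch nor an address depends on the data. */
typedef struct { uint32_t key; uint32_t val; } pair_t;
static void cswap(pair_t *a, pair_t *b) {
    uint64_t d = (uint64_t)b->key - (uint64_t)a->key; /* top bit set iff a->key > b->key */
    uint32_t mask = (uint32_t)0 - (uint32_t)(d >> 63);
    uint32_t tk = mask & (a->key ^ b->key);
    uint32_t tv = mask & (a->val ^ b->val);
    a->key ^= tk; b->key ^= tk;
    a->val ^= tv; b->val ^= tv;
}

/* Bitonic sorting network: the sequence of compare-exchanges depends only
   on SAMPLE_N, never on the keys being sorted. */
static void bitonic_sort(pair_t v[SAMPLE_N]) {
    for (uint32_t k = 2; k <= SAMPLE_N; k <<= 1)
        for (uint32_t j = k >> 1; j > 0; j >>= 1)
            for (uint32_t i = 0; i < SAMPLE_N; i++) {
                uint32_t l = i ^ j;
                if (l > i) {
                    if ((i & k) == 0) cswap(&v[i], &v[l]); /* ascending half  */
                    else              cswap(&v[l], &v[i]); /* descending half */
                }
            }
}

/* Constant-time sampler: sort indices by random key, mark the first
   SAMPLE_H with a random sign, sort back by index. Returns the weight. */
int sample_fixed_weight_ct(uint64_t seed, int8_t out[SAMPLE_N]) {
    prng_t p = { seed };
    pair_t v[SAMPLE_N];
    for (uint32_t i = 0; i < SAMPLE_N; i++) {       /* 1: random key per index */
        v[i].key = (uint32_t)prng_next(&p);
        v[i].val = i;
    }
    bitonic_sort(v);
    for (uint32_t i = 0; i < SAMPLE_N; i++) {       /* 2: mark by public loop counter */
        uint32_t selected = (i < SAMPLE_H);
        uint32_t sign = (uint32_t)prng_next(&p) & 1;
        v[i].key = v[i].val;                        /* index becomes the sort key */
        v[i].val = selected * (1 + sign);           /* 0: unused, 1: +1, 2: -1 */
    }
    bitonic_sort(v);                                /* 3: back to position order */
    for (uint32_t i = 0; i < SAMPLE_N; i++) {
        int s = (int)(v[i].val & 1) - (int)((v[i].val >> 1) & 1);
        out[i] = (int8_t)s;
    }
    return hamming_weight(out, SAMPLE_N);
}

int main(void) {
    int8_t v[SAMPLE_N];
    for (uint64_t seed = 1; seed <= 4; seed++) {
        int draws = sample_fixed_weight_vartime(seed, v);
        printf("seed %llu: variable-time sampler used %d draws for weight %d\n",
               (unsigned long long)seed, draws, hamming_weight(v, SAMPLE_N));
    }
    printf("constant-time sampler: weight %d, same work for every seed\n",
           sample_fixed_weight_ct(1, v));
    return 0;
}
```

The draw count printed for the variable-time sampler changes from seed to seed, which is exactly the kind of secret-dependent work a timing measurement can pick up; the constant-time version performs the same compare-exchanges in the same order regardless of the seed, so its running time carries no information about which positions were chosen. The sort-mark-sort-back pattern is one of several known constant-time constructions; the reply above says the team is evaluating the sampler from ia.cr/2024/548 among other options, and this example does not claim to reproduce that one.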

성효은

May 17, 2024, 6:10:19 AM
to kpqc-b...@googlegroups.com, D. J. Bernstein

We wrote: ia.cr/2024/583 

Sorry, here is the correct URL: ia.cr/2024/548 

Regards, Team SMAUG-T


On Fri, May 17, 2024 at 6:40 PM, 성효은 <she...@cryptolab.co.kr> wrote: