
Towards Post-Quantum Bitcoin

Side-Channel Analysis of Bimodal Lattice Signatures

Leon Groot Bruinderink
Email: [email protected]

Student-ID: 0682427

A thesis submitted in partial fulfillment of the requirements for the degree of

Master of Science in

Industrial and Applied Mathematics

Supervisors:
prof.dr. Tanja Lange (TU/e)
dr. Andreas Hülsing (TU/e)
dr. Lodewijk Bonebakker (ING)

January 2016


Acknowledgements

This thesis is the result of many months of work, both at my internship company ING and university TU/e. Before we rush into the contents of this thesis, I would like to take a moment to thank the people who made it possible. First of all, I would like to thank Tanja Lange (TU/e) and Lodewijk Bonebakker (ING) for supervising this project and introducing me to the fascinating aspects of their work. I am very grateful for the freedom and guidance they offered me throughout this period.

Second, I would like to thank my other TU/e supervisor Andreas Hülsing. It was always possible for me to ask questions and discuss my thesis. When I was stuck, he inspired me to continue my search for answers. I would also like to thank these three people, together with Jan Draisma, for taking part in my graduation committee. I am also very thankful to Daniel J. Bernstein for attending the meetings with Tanja and Andreas, and for sharing his knowledge. Also thanks to Thijs Laarhoven and Benne de Weger for discussing the unknowns of this thesis.

Last but not least, I would like to thank my girlfriend, my family and friends for their personal support and trust, during this period and all the years before. It was never hard to clear my head and just enjoy spending time with them.


Abstract

In this thesis, we investigate Bitcoin's long-term vision for the cryptographic protocols it relies on. The biggest threat in the near future is a large quantum computer, able to forge the digital signatures used by Bitcoin to secure transactions. When a large quantum computer arises, Bitcoin has to switch to post-quantum cryptography, in which Bimodal Lattice Signatures (BLISS) seem most promising to use. However, it is unclear whether these signatures are vulnerable to side-channel attacks, which are mountable on actual implementations. An important step in BLISS is sampling a discrete-Gaussian-distributed integer, which is not straightforward to do. We investigated the two sampling algorithms most used in practice, which both rely on table look-ups. We show that both methods are vulnerable to cache-attacks, leading to extraction of the secret key. We provide experimental results as verification. This means we need to re-invent ways to sample a discrete Gaussian, or implement current methods more securely, before the scheme is ready for implementation in the real world.


Contents

List of Algorithms 3

List of Tables 4

List of Figures 5

1 Introduction 6
1.1 Motivation 6
1.2 Our Contributions 7
1.3 Roadmap 7

2 The Security of the Blockchain 8
2.1 Introduction to Bitcoin 8
2.2 One-Way Functions and Hash-Functions 8
2.3 Proof-of-Work and Hash-Chaining 9
2.4 Double Spending and 51% Computational Security 10
2.5 Adjustments for Post-Quantum Security 10
2.6 Conclusion 11

3 Digital Signature Schemes 12
3.1 Public-Key Cryptography 12
3.2 Properties of Digital Signature Schemes 12
3.3 RSA Signatures 14
3.4 Elliptic Curve Signatures 15
3.5 Factorization and Discrete Log with Shor's Algorithm 17

4 Hash-Based Signature Schemes 18
4.1 One-Time Signature Schemes 18
4.2 Merkle Signature Schemes 19
4.3 Practicality Issues 23

5 Introduction to Lattices 24
5.1 Notations 24
5.2 Definitions and Bases 24
5.3 Lattice Basis Reduction 27
5.4 Hard Lattice-Problems 28
5.5 A First Attempt of Lattice-Based Signatures 31

6 Lattice-Based Signatures In Practice 33
6.1 More Hard Lattice Problems: SIS and LWE 33
6.2 BLISS: Bimodal Lattice Signature Scheme 34
6.3 Gaussian Sampling 36
6.3.1 The Discrete Gaussian Distribution 36
6.3.2 Rejection Sampling 37
6.3.3 Cumulative Distribution Table 37
6.4 Lattice Implementations Via NTRU Lattices 38


6.5 Parameter Suggestions For BLISS 39

7 Side-Channel Attacks 40
7.1 Introduction 40
7.2 Timing Attacks 40
7.3 Cache-Attacks 40
7.4 Countermeasures 45

8 Cache-Attacks on BLISS 46
8.1 Intuition behind the Cache-Attacks 46
8.2 Cache-Attack Model 48
8.3 Cache-Attack 1: CDT Sampling 48
8.3.1 Modified CDT Sampling with Acceleration Table 48
8.3.2 Cache-Attack Weaknesses 50
8.3.3 Exploiting the Weakness 51
8.3.4 Extracting the Secret Key 53
8.3.5 Complexity Analysis 55
8.4 Cache-Attack 2: Rejection Sampling 56
8.4.1 Modified Rejection Sampling with Exponential Table 56
8.4.2 Cache-Attack Weakness and Exploitation 57
8.4.3 Extracting the Secret Key 58
8.4.4 Complexity Analysis 59
8.5 Experiments 59
8.6 Countermeasures 60
8.7 A Short Note on Timing Attacks 61

9 Summary 62
9.1 Conclusions 62
9.2 Future Work 63

Bibliography 64

Appendix 66

A Cache Weaknesses for Suggested Parameter Sets 66


List of Algorithms

1 RSA Key Generation 14
2 RSA Signing 14
3 RSA Verification 14
4 Elliptic Curve Key Generation 16
5 Elliptic Curve DSA Signing 16
6 Elliptic Curve DSA Verification 16
7 LOTSS Key Generation 18
8 LOTSS Signing 18
9 LOTSS Verification 19
10 Merkle Key Generation 19
11 Merkle Signing 20
12 Merkle Verification 22
13 LLL Lattice Basis Reduction 28
14 GGH Key Generation 31
15 GGH Signing 31
16 GGH Verification 31
17 BLISS Key Generation 34
18 BLISS Signing 35
19 BLISS Verification 35
20 Basic Rejection Sampling 37
21 CDT Sampling 38
22 Square-and-Multiply Algorithm 40
23 CDT Sampling with Acceleration Table 50
24 Cache-Attack on BLISS with CDT Sampling 55
25 Rejection Sampling with Exponential Table 57
26 Cache-Attack on BLISS with Rejection Sampling 59


List of Tables

1 Parameter Suggestions for BLISS 39
2 Visualization of Intersection Weakness 51
3 Visualization of Jump Weakness 51
4 Experimental Results Cache-Attacks on BLISS 60
5 Table of Cache-Line Analysis BLISS-0 67
6 Cache Weaknesses for BLISS-0 68
7 Table of Cache-Line Analysis BLISS-I 71
8 Cache Weaknesses for BLISS-I 71
9 Table of Cache-Line Analysis BLISS-II 73
10 Cache Weaknesses for BLISS-II 74
11 Table of Cache-Line Analysis BLISS-III 77
12 Cache Weaknesses for BLISS-III 77
13 Table of Cache-Line Analysis BLISS-IV 80
14 Cache Weaknesses for BLISS-IV 81


List of Figures

1 Secp256k1 15
2 Merkle Tree 20
3 Merkle Signature 21
4 Merkle Signature Verification 22
5 Lattice Spanned By Two Vectors 25
6 Lattice With Two Different Bases 26
7 Visualization of LLL basis reduction 28
8 The Shortest Vector Problem 29
9 The Closest Vector Problem 30
10 Attack on GGH Signature Scheme 32
11 Discrete Gaussian distribution 36
12 Visualization of Cache Memory 41
13 Prime + Probe cache attack 43
14 Visualization of Cache-Attack on RSA 44
15 CDT Sampling with Acceleration Table 49
16 Biased Requirement 53
17 Weight Function Rejection Sampling 57


1 Introduction

1.1 Motivation

With the introduction of Bitcoin in 2009 [19], by somebody using the pseudonym Satoshi Nakamoto, a new alternative payment system was offered to our society. It is completely decentralized: no trusted third party, like a bank, is needed to validate transactions. Anyone with a computer and internet access is able to set up an account and start making payments. By now, many banks [13] are also experimenting with this new, decentralized system for handling their international payments. Setting up a new financial system for banks, however, takes a lot of time. It requires a thorough analysis of security threats, as well as many political agreements. This is the reason why these systems are not changed often, and actually have not changed in essence since the first digital version of the transaction system. We will examine future security threats for Bitcoin, as this can add value to the long-term vision that all banks have to agree upon.

The reason why these decentralized payment systems, like Bitcoin, are called crypto-currencies is that without cryptography these systems would not exist. An important aspect is the use of digital signature schemes: they provide authentication of users and integrity of transactions. The security of these signature schemes is based on hard mathematical problems, like factorization or the discrete logarithm. However, researchers believe it is very likely that in 10 to 15 years there will be a large quantum computer, able to solve these problems instantly and thus break the signature schemes based on them. It means we have to base the security of signature schemes on other mathematical problems, which are still hard for quantum computers.

Post-quantum cryptography refers to cryptosystems which are thought to be secure against an attack by a quantum computer. This thesis will focus on lattice-based signature schemes, and in particular the Bimodal Lattice Signature Scheme (BLISS) [8], which is a highly optimized scheme introduced by Ducas et al. However, it is not well understood how the security of lattice-based signature schemes is affected by so-called side-channel attacks (SCA). These attacks use physical information, like power consumption, timing information or memory access patterns, to break the security of cryptographic implementations. The motivation to examine the possibilities of these attacks is to narrow the gap between theoretically secure post-quantum cryptography and practically secure implementations thereof. This is the main objective of this thesis.


1.2 Our Contributions

This thesis slowly builds up to the final section on side-channel attacks on BLISS. There are two main contributions in the shape of two concrete side-channel attacks. These attacks exploit the cache-memory access patterns (and are therefore called cache-attacks) of an important step in the BLISS signature scheme: the discrete Gaussian sampler. Both attacks are capable of extracting the secret key and thus breaking the signature scheme. The results include an experiment section on a modeled version of the attack. Last, we discuss the possibility of remote timing attacks and we conjecture them to be possible.

1.3 Roadmap

The thesis begins with a journey through the cryptographic aspects of the Bitcoin protocol. The "common denominator" in these first two chapters is the (lack of) security against quantum computers. First, chapter 2 will describe the security mechanisms of Bitcoin's Blockchain: the public ledger of all transactions. It will explain the main building block for decentralization of trust (hash-functions) and the influence of Grover's algorithm, one of the two major results of quantum computing related to cryptography.

In chapter 3, digital signatures are introduced and their importance in Bitcoin is explained. Two widely-used digital signature schemes, RSA and Elliptic Curves/DSA, are introduced and a brief explanation is given why these systems are broken by Shor's algorithm, the other major result of quantum computing related to cryptography.

From this point, it will be clear that we need to switch to post-quantum signature schemes. Chapter 4 gives the first example of such a scheme: hash-based signature schemes. We will also explain briefly why these schemes have some practical issues as a replacement of the digital signatures used in Bitcoin.

Chapter 5 introduces the concept of lattices, with two hard mathematical lattice problems. These problems can be used as the basis for a digital signature scheme. However, at the end of this chapter we will show that it is not that straightforward to use them.

In chapter 6 two additional hard lattice problems are given, which are practical for lattice-based signature schemes. BLISS is also introduced in this chapter, together with the discrete Gaussian sampler step.

The remaining part of the thesis will focus on the main objective and contributions. In chapter 7, side-channel attacks are introduced. Two possible side-channel attacks against RSA are given, based on timing and cache information. We end the chapter with some general countermeasures.

In chapter 8, our two main contributions are given. We briefly summarize two practical algorithms for a discrete Gaussian sampler and show their weaknesses against cache-attacks. Experimental results and countermeasures are discussed. We briefly discuss the possibility of remote timing attacks.

Finally, in chapter 9 we end the thesis with conclusions, recommendations and future work. Some open questions will be discussed as well.


2 The Security of the Blockchain

Bitcoin has proven to be a very robust system, as it remains unbroken. We will briefly introduce the security mechanisms of the transaction ledger, the Blockchain, in this chapter. The chapter ends with a discussion of how security is affected by quantum computers.

2.1 Introduction to Bitcoin

Bitcoin is a decentralized payment system, enabling secure payments between users without using a trusted third party (a bank). Thousands of special Bitcoin users, so-called miners, take care of the security of the whole system and (possibly) get rewarded for doing so. The miners also agree on which transactions are to be included in the Blockchain: the all-time transaction ledger. All transactions ever made are saved in the Blockchain and it is nearly impossible for a malicious entity to make changes. Each Bitcoin miner holds a copy of this Blockchain and communicates with other miners about changes. The reason we call Bitcoin a crypto-currency is that the security of transactions and the Blockchain is provided by cryptographic techniques. The idea behind the security mechanism of the Blockchain is explained in this section.

2.2 One-Way Functions and Hash-Functions

To understand why Bitcoin is a secure, decentralized payment system, one must know about so-called one-way functions: a function H for which, given input x, it is very easy to calculate its output H(x), but given output H(x) it is very hard to find any x with that output. The functions used in cryptography and in Bitcoin are special one-way functions, called (cryptographic) hash-functions, where input x can be any string, of any length, and output H(x) will be some fixed-length output of bits. All users of Bitcoin use the hash-function SHA-256. A secure hash-function H has the following properties:

Pre-Image Resistance: A hash-function is pre-image resistant if it is a one-way function: given output H(x), it is hard to find any x with output H(x).

Second Pre-Image Resistance: A hash-function is second pre-image resistant if, given any x, it is hard to find any y ≠ x with the same hash-output: H(x) = H(y).

Collision Resistance: A hash-function is collision resistant if it is hard to find any pair x ≠ y with the same hash-output: H(x) = H(y).

These properties are very important for Bitcoin and will be explained later. Let us assume from now on that the input and output of a hash-function are bits. In cryptography, we assume a (cryptographic) hash-function behaves like a random function, so that is what we will use in this analysis. Suppose we put (partial) restrictions on the output H(x) and ask to find x which gives this correct output. This is asking for a (partial) pre-image. For instance, we want output H(x) to start with a zero and we do not care about the remaining part:

H(x) = 0.........

The easiest way of finding such x is by brute-force search, so you can start with any x1 and check if H(x1) starts with a zero. If not, pick a different x2 and check again. Continue like this until you have a correct x where H(x) starts with a zero. On average, you would only have to check 2 different x's to find a matching one! To see why, remember we can assume H to behave like a random function. This means that we can model H such that for each position in the output sequence, we can flip a coin and pick bit 1 if it is heads and 0 if the coin is tails. On average, one would have to flip a coin twice to see a tails, which is why on average we would have to check 2 different x's to find H(x) that starts with a zero.

To make this pre-image search a little harder, we ask to find x such that H(x) starts with many zeros: 10 zeros, or 20! On average we would have to check 2^10, or 2^20, different inputs x to find a correct one in those cases: we need 10 or 20 tails in a row. For larger numbers it will take some time to find a suitable x, even for a modern computer.

2.3 Proof-of-Work and Hash-Chaining

This partial pre-image search for inputs, with an output that starts with many zeros, is exactly what Bitcoin miners are doing. In practice, however, the miners search for an output that, when modelled as an integer, is below a target value T they all agree on, but this has the same probability as finding an output that starts with many zeros. When a miner has found a matching input, he/she broadcasts the input to the network to show it is valid: everyone can check easily by just inserting the input in the hash-function and checking that the output starts with a lot of zeros. The input is enough to prove that a miner has found the correct one: a proof-of-work. Finding this pre-image is actually so hard that doing this on your own will take, on average, many years. It is like winning the lottery. However, since there are thousands of miners, the chances that someone will find a pre-image quite fast become higher and higher: someone will eventually win the lottery. This is the basic idea behind the functionality of Bitcoin's Blockchain.

As a payment system, users of Bitcoin are able to make transactions to each other. For now assume users are able to make transactions securely and they broadcast their transactions to the Bitcoin network. The Bitcoin miners, the ones that search for a specific pre-image of a hash-function, collect all these transactions. If we assume the Blockchain, the ledger containing previous valid transactions, is secure, the miners need a way to add new transactions while keeping the Blockchain secure. A valid new block, agreed to by the Bitcoin community, contains a set of new transactions, some space for random input and, very importantly, the hash of the previous block. Miners are asked for a partial pre-image of the hash of this new valid block, whose output has to start with many zeros. Miners pick random inputs to search for this partial pre-image and broadcast it to the network if they find it. The Bitcoin network appends this newly found block to the Blockchain and the new transactions become valid.

By including the hash of the previous block, this previous block becomes better protected. Changes to content in the previous block will change the hash of that block, but also the hash-output of all blocks after it will change. This is why we call it the Bitcoin Blockchain: the complete set of all transactions ever done are chained together using hash-functions.

Now suppose two miners find different valid blocks and broadcast them to the network. They are unable to chain after each other, because they both used the same hash of the last block. It means there is a fork in the chain: there are now two valid last blocks. Miners can pick either of them as the last block and try to build a new one. Having fork after fork is very unlikely, which means eventually one fork will be the "longest". Longest in this case means the chain with the highest number of blocks. The Bitcoin community will always follow the longest chain known in the network: it is a universal consensus rule everyone follows. So eventually, the shorter part of the fork will be dropped.
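The partial pre-image search, the target value T and the hash-chaining described in sections 2.2 and 2.3, as an added toy model (example code written for this page, not the thesis's own code). The block layout, the JSON encoding, the constructed transaction strings and the "k leading zero bits" target are assumptions made for the illustration; real Bitcoin block headers and difficulty encoding differ.

```python
# Toy model of Bitcoin's hash-chained proof-of-work (added illustration).
# A block is (transactions, hash of previous block, nonce); a miner searches
# for a nonce such that SHA-256(block) < T, which is equivalent to requiring
# k leading zero bits for T = 2^(256-k).
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # constructed placeholder: "no previous block"


def block_hash(transactions, prev_hash, nonce):
    """SHA-256 over the block contents: transactions, previous hash and nonce."""
    payload = json.dumps(
        {"tx": transactions, "prev": prev_hash, "nonce": nonce}, sort_keys=True
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def target_for_zero_bits(k):
    """Target T such that int(H) < T holds exactly when H starts with k zero bits."""
    return 1 << (256 - k)


def mine(transactions, prev_hash, target, max_nonce=1 << 24):
    """Brute-force search for a nonce with H(block) < target.

    Returns (nonce, hash, trials), where trials is the number of hashes computed.
    """
    for nonce in range(max_nonce):
        h = block_hash(transactions, prev_hash, nonce)
        if int(h, 16) < target:
            return nonce, h, nonce + 1
    raise RuntimeError("no proof-of-work found within max_nonce")


def average_trials(k, samples=32):
    """Empirical mean number of hashes needed for k leading zero bits.

    With SHA-256 modelled as a random function this is about 2**k (the
    "k tails in a row" argument). Each sample mines a different constructed
    block so that the searches are independent of one another.
    """
    target = target_for_zero_bits(k)
    total = 0
    for i in range(samples):
        _, _, trials = mine([f"sample-{i}"], GENESIS_PREV, target)
        total += trials
    return total / samples


def build_chain(tx_lists, target):
    """Mine one block per transaction list, chaining each to its predecessor."""
    chain = []
    prev = GENESIS_PREV
    for txs in tx_lists:
        nonce, h, _ = mine(txs, prev, target)
        chain.append({"tx": txs, "prev": prev, "nonce": nonce})
        prev = h
    return chain


def verify_chain(chain, target):
    """Re-check every block's proof-of-work and its link to the previous block."""
    prev = GENESIS_PREV
    for block in chain:
        h = block_hash(block["tx"], block["prev"], block["nonce"])
        if block["prev"] != prev or int(h, 16) >= target:
            return False
        prev = h
    return True


def tamper(chain, index, new_tx):
    """Copy of chain where block `index` has its first transaction replaced.

    Only the transaction list changes; the stored nonces and links are kept,
    which is exactly the situation of the double-spend attacker in section 2.4:
    every block after the edited one now points at a hash that no longer exists.
    """
    altered = copy.deepcopy(chain)
    altered[index]["tx"][0] = new_tx
    return altered


if __name__ == "__main__":
    T = target_for_zero_bits(12)  # about 2^12 = 4096 hashes per block
    chain = build_chain(
        [["alice->bob 1 BTC"], ["bob->carol 0.5 BTC"], ["carol->dave 0.2 BTC"]], T
    )
    print("valid chain:", verify_chain(chain, T))
    forged = tamper(chain, 0, "alice->mallory 1 BTC")
    print("after editing block 0:", verify_chain(forged, T))
    print("mean trials for 8 zero bits:", average_trials(8))
```

The tampered chain fails verification even if the edited block happens to satisfy the target, because the next block's stored previous-hash no longer matches; the attacker would have to re-mine every later block, which is the race described in section 2.4.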

2.4 Double Spending and 51% Computational Security

The biggest accomplishment of Satoshi Nakamoto was to solve the double spending problem in a trustless network. When do I actually know, or have enough trust, that I have received my money and am able to spend it again, without a bank/trusted third party telling me so? When a transaction is included in a valid block, which is included in the Blockchain, it becomes known to the whole network as a valid transaction. Now suppose a malicious Bitcoin participant wants to undo a transaction he made earlier: he wants to double spend his money. To do this, he has to make changes to the block containing his transaction, and therefore change the hash-output of that block. So he has to find a new valid block, removing his previous transaction. But since the hash-output of the new block changed, all blocks after it also changed. He has to find a completely new chain of blocks to remove his previous transaction.

While the malicious user was trying to find a new block with his fraudulent transaction, the honest Bitcoin users were also looking for new blocks to append to the current chain. The malicious user has to outrun the honest chain by finding valid blocks faster, since the network always follows the longest chain. This requires more computational power than all the honest Bitcoin users together. To be more precise: when a malicious user, or group of users, has 51% of the total computational power of the network, it is highly likely that it can outrun the honest Bitcoin chain and be able to make fraudulent transactions. However, since there are thousands of miners with very expensive equipment, the chances are very small that one group is able to get this amount of power. Furthermore, there is an economic incentive to be an honest user when you have this amount of computational power. When miners find a new block, they are rewarded with bitcoins. When a user has 51% of the computational power, it will find half of every new block found by the whole network, which means it gets rewarded with a lot of bitcoins. These rewards are probably higher than the gains from fraudulent transactions.

2.5 Adjustments for Post-Quantum Security

Grover's algorithm [11] is one of two big breakthroughs for quantum computing, but is not a very severe threat to cryptography so far as known. Roughly speaking, this algorithm is able to brute-force search a solution in square-root time of the solution space. For example: when there are M words in a dictionary, Grover's algorithm is able to find any word in about √M computational time. This means that a miner with a quantum computer would be much faster than those without: they will find a pre-image with N zeros in the same time another miner finds N/2 zeros. A possible thing to do for the community would be to switch to bigger hash-functions, like SHA-512, and increase the amount of proof-of-work. This will make it also harder for a quantum computer. But the best thing to do would be to switch to a different consensus scheme. There are a lot more alternative coins and Blockchains with other consensus algorithms that do not rely on this 51% computational security. Other consensus schemes, like Ripple [24], rely even more on digital signature schemes, which are introduced in the next chapter.


2.6 Conclusion

To conclude this chapter: the current consensus algorithm of Bitcoin would, in theory, allow a quantum computer to falsify the Blockchain. Other consensus schemes might be better to use in this case. The hash-functions, however, remain unbroken, and actually finding the complete pre-image of SHA-256 would still be an impossible task, even for a quantum computer. This is why this thesis will focus on the other cryptographic part of Bitcoin: the threat of the other breakthrough of quantum computing is much higher than that of Grover's. This will be explained in the next chapter.


3 Digital Signature Schemes

In this chapter we will describe the fundamentals of digital signatures. These signatures are ofsignificant importance for Bitcoin. We will give two examples widely used on the internet andBitcoin itself. At the end of this chapter, we will briefly discuss Shor’s algorithm, the firstand most influential breakthrough of quantum computing, and explain why these systems arebroken once a quantum computer is large enough. The remaining part of this thesis will bedevoted to post-quantum digital signatures.

3.1 Public-Key Cryptography

One of the fundamental parts of Bitcoin is the usage of public-key cryptography. Cryptography is mostly known for encryption: hiding a message from everyone except the holders of a secret key. Until 1976, all cryptographic schemes were symmetric: both the sender and receiver of the message had to use the same key for encryption and decryption. Diffie and Hellman published the first asymmetric key cryptosystem [6], which could be used to agree on a symmetric key based on public information: public-key cryptography. A public-key cryptographic scheme requires two keys: a secret, or private, key S and a public key P, which are mathematically connected to each other. This mathematical connection is based upon a trapdoor function, also called a trapdoor one-way function. Recall that a one-way function H has the property that it is easy to compute H(x) given x, but it is hard to compute x given H(x). A trapdoor function f(x) has the additional property that given some secret y, it is easy to compute x given f(x). These functions are the basis of public-key encryption. For example, an encryption algorithm can be viewed as a trapdoor function, which, on input of message m and public key P, returns an encrypted version of m. The decryption can be viewed as the inverse function, which, given the encrypted version and secret key S, returns m. Similar arguments hold for the construction of digital signature schemes, which will be introduced in the next section. The one-way functions beneath these schemes are based on hard mathematical problems: solving the mathematical problem means breaking the cryptosystem.

3.2 Properties of Digital Signature Schemes

After introducing asymmetric cryptography, Diffie and Hellman also describe an additional feature of public-key cryptography: a digital signature scheme. A digital signature scheme fulfills three purposes: authentication, integrity and non-repudiation. The importance of each of these properties in Bitcoin is emphasized after introducing the property itself:

Authentication; proving authorship of a message. When ownership of a key-pair is boundto a specific user, a valid signature shows the message was sent by that user.

Bitcoin account-numbers are based on the public key of a user and transactions are sentto these account numbers. The user has to prove he is the owner of this account, beforehe is able to perform any transaction. All transactions in Bitcoin, and also all validatedtransactions in the Blockchain, contain a valid digital signature of a user.

Integrity; proving the message has not been altered during transmission. Although encryption hides the contents of a message, a man-in-the-middle may easily change random parts of the message. A valid signature shows the message has not been altered during transmission.


Bitcoin transaction-data are public and not even encrypted, which means any user who captures a transaction could easily change data. For instance, he could change the receiving account-number to a number he owns. But this altered transaction does not have a valid signature, and is thus rejected by the network.

Non-repudiation; an entity that has signed some information cannot later deny havingsigned it.

A Bitcoin user who broadcasts a transaction with a valid signature is not capable ofgetting his money back: he cannot deny having signed it and thus cannot deny havingspent the money. This is one of the key concepts of Bitcoin, which can be seen as botha positive and negative property of the system: there is no refund mechanism.

There are many more use-cases of digital signatures, but we will focus on the usage forBitcoin. A digital signature scheme typically consists of three algorithms:

Key generation algorithm It selects a random secret key S from a set of possible secret keys. The algorithm outputs the secret key and a corresponding public key P. We will denote this by a key-pair (S, P).

Signing algorithm Given a message m and a private key S, it produces a signature µ.

Verification algorithm Given a message m, a signature µ and a public key P, it either accepts or rejects the signature as a valid one.

These algorithms are at the basis of making transactions in the Bitcoin network. First, userscreate a valid key-pair, where the public key P is hashed to form an account number. Thisaccount number is shared with all other users. Second, to make a transaction, the requireddata (sending/receiving account number, amount, meta-data, etc) is formed. All this data issigned by the user holding the sending account number (who holds the corresponding secretkey). The valid signature is appended to the transaction. This transaction, together withpublic key P , is then shared with the Bitcoin network. Each miner will check if the transactiondata is valid and verify the signature of the transaction. If it is valid, the transaction canbe added to a new block in the Blockchain. If it is invalid, the transaction will be discardedimmediately.

Using digital signature schemes in practice comes with some minor changes in theseschemes. For instance, a message m is often hashed before it is signed. This has the followingadvantages:

• Security: given a message m and a valid signature µ, in some signature schemes it is easy to forge a valid signature for an expanded message m′ = m||x or an algebraically modified message m′ = k · m. However, by first hashing and then signing, an attacker would have to find hashes with these relations in order to do such a signature forgery.

• Efficiency: since a hash-function has a fixed output, arbitrary large messages (documents)are signed more efficiently by first hashing them. The running time of signing will onlyincrease by the running time of hashing.

From now on, we always assume we hashed a message before it is signed, using a securehash-function. We omit the notation of H(m), and simply use m to denote a hashed message.


In the following sections, two concrete examples of these algorithms are given, which are widely used on the internet today: RSA and Elliptic Curve (ECC) signatures. For each example, an explanation is given why the signature works. Note that the examples are school-book versions, which are not necessarily secure in practice.

3.3 RSA Signatures

Although Diffie and Hellman were the first to introduce the notion of digital signatures, theyonly conjectured that such schemes could exist. One year later, Ronald Rivest, Adi Shamirand Len Adleman invented the RSA algorithm [22], which could be used for encryption butalso to produce digital signatures. To this date, it is still the most commonly used public-keycryptosystem on the internet. It is based upon the hard problem of factorization.

Algorithm 1 RSA Key Generation
Output: A valid key-pair (S, P)
1: Generate two large primes p, q. Set N = pq.
2: Generate integers e, d such that ed ≡ 1 mod (p − 1)(q − 1).
3: Output (S, P) = (d, (N, e)).

An important consequence of this key generation is that for any x < N:

\[ x^{ed} \equiv x^{1} \equiv x \pmod N \]

To sign a message m < N, the following algorithm is used:

Algorithm 2 RSA Signing
Input: Secret key d, message m.
Output: A valid signature µ for message m.
1: Output µ ≡ m^d mod N.

Finally, the RSA message-signature pair is validated by:

Algorithm 3 RSA Verification
Input: Public key (N, e), message m and signature µ.
Output: Accept or Reject
1: Accept if \( m \stackrel{?}{\equiv} \mu^e \pmod N \).
2: Reject otherwise.

A valid signature will be accepted since:

\[ \mu^e \bmod N \equiv m^{ed} \bmod N \equiv m \]

Remember that m is hashed before it is signed, otherwise there are other ways of forging a signature. But now, in order to forge a signature, one needs a value d with the property:

\[ ed \equiv 1 \pmod{(p-1)(q-1)} \]

If we knew p or q, one of the factors of N, d could easily be calculated using Euclid's extended algorithm. Knowing d is the trapdoor of RSA: without it, one would have to factor the RSA number N = p · q, which is very hard. This is why we say that RSA's security is based on the hard problem of factorization.
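The three RSA algorithms above as an added worked example in Python (not code from the thesis). Key generation takes the primes from the caller; the usage in the test uses the classic toy modulus 3233 = 61 · 53 with e = 17, and the message representative is a SHA-256 digest reduced modulo N, a constructed stand-in for the hashed message m < N that is far too small for real use. The last function checks the multiplicative relation µ(k · m) = µ(k) · µ(m) that the text gives as the reason for hashing before signing.

```python
import hashlib


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Algorithm 1 with the primes supplied by the caller (toy sizes in the example)."""
    N = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # e*d = 1 mod (p-1)(q-1); modular inverse needs Python 3.8+
    return d, (N, e)             # (S, P)


def rsa_sign(d: int, N: int, m: int) -> int:
    """Algorithm 2: mu = m^d mod N for a message representative 0 <= m < N."""
    if not 0 <= m < N:
        raise ValueError("message representative must satisfy 0 <= m < N")
    return pow(m, d, N)


def rsa_verify(pk, m: int, mu: int) -> bool:
    """Algorithm 3: accept iff m = mu^e mod N."""
    N, e = pk
    return 0 <= m < N and pow(mu, e, N) == m


def message_representative(msg: bytes, N: int) -> int:
    """Hash-then-sign: m stands for H(msg). Reducing the digest mod N is only
    acceptable for this toy modulus; real RSA signatures use a padded encoding."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign_message(d: int, N: int, msg: bytes) -> int:
    return rsa_sign(d, N, message_representative(msg, N))


def verify_message(pk, msg: bytes, mu: int) -> bool:
    return rsa_verify(pk, message_representative(msg, pk[0]), mu)


def is_multiplicative(d: int, N: int, m1: int, m2: int) -> bool:
    """Textbook RSA without hashing: the signature of m1*m2 mod N equals the product of
    the two signatures, which is why raw messages must not be signed directly."""
    lhs = rsa_sign(d, N, (m1 * m2) % N)
    rhs = (rsa_sign(d, N, m1) * rsa_sign(d, N, m2)) % N
    return lhs == rhs
```

With hashing in place, a forger would need two digests whose product is the digest of a third message of his choosing, which is exactly the relation the text says a secure hash-function denies him.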


3.4 Elliptic Curve Signatures

Bitcoin uses a different public-key cryptosystem, based on the discrete log problem in elliptic curves. Explaining an elliptic curve is easiest by looking at a concrete example:

\[ y^2 = x^3 + ax + b \]

We say a point Q = (x, y) is on this curve if it satisfies the curve's equation. Below is a picture of this curve, with a = 0, b = 1, which is used by Bitcoin and is called Secp256k1:

Figure 1: Secp256k1 over R, used by Bitcoin

An elliptic curve over Fq is defined as the set of points (x, y) satisfying the above equationin Fq, together with a unity element O, also called the point at infinity. This means for anypoint Q on the curve: Q+O = Q = O+Q and O+O = O. The negated point −Q of a pointQ = (x, y) is (x,−y).

Let Q1 = (x1, y1) and Q2 = (x2, y2) be points on an elliptic curve E. Then the sum Q3 of Q1 and Q2 is defined by:

\[ Q_3 = \begin{cases} O & \text{if } Q_1 = -Q_2 \\ -R & \text{if } x_1 \neq x_2 \text{ or } Q_1 = Q_2 \end{cases} \]

Here, R is the third intersection point of the line through Q1 and Q2 and the curve E. Let dQ denote the addition of Q to itself, d − 1 times. Elliptic curve cryptography is based on the hardness of finding a scalar d such that P = dQ for given points P ∈ 〈Q〉 and Q on curve E. Finding d given P is called the Discrete Logarithm Problem (DLP) on an elliptic curve. The cryptographic system fixes a curve E and a point Q, where point Q has a large order n, meaning nQ = O.

The following algorithms are used in digital signature schemes based on elliptic curves,and are used by each user and for each transaction in Bitcoin.


Algorithm 4 Elliptic Curve Key Generation
Input: Elliptic curve E over Fq and a point Q on E. Point Q has order n.
Output: A valid key-pair (S, P)
1: Generate a large, random scalar d ∈ [1, n − 1].
2: Calculate point P′ = dQ.
3: Output (S, P) = (d, P′).

To sign a message m ∈ Fq, the following algorithm is used:

Algorithm 5 Elliptic Curve DSA Signing
Input: Secret key d, message m, point Q on E of order n.
Output: A valid signature µ for message m.
1: Select a random integer k ∈ [1, n − 1].
2: Calculate point kQ = (x1, y1).
3: Take r = x1 mod n. If r = 0, return to step 1.
4: Compute s = k^{−1}(m + dr) mod n. If s = 0, return to step 1.
5: Output signature µ = (r, s).

Finally, the elliptic curve message-signature pair is validated by:

Algorithm 6 Elliptic Curve DSA Verification
Input: Public key P = dQ, message m and signature µ = (r, s).
Output: Accept or Reject
1: Verify that r, s are both in the interval [1, n − 1]. Reject otherwise.
2: Compute u = ms^{−1} mod n and v = rs^{−1} mod n.
3: Calculate point S = uQ + vP = (x2, y2). Reject if S = O.
4: Accept if \( r \stackrel{?}{\equiv} x_2 \pmod n \).
5: Reject otherwise.

A valid signature µ = (r, s) of m will be accepted, since:

\[
\begin{aligned}
uQ + vP &= uQ + v \cdot dQ = (u + vd)Q \\
&= (ms^{-1} + rs^{-1}d)Q \\
&= s^{-1}(m + rd)Q \\
&= \big((k^{-1}(m + rd))^{-1}(m + dr)\big)Q \\
&= k\big((m + dr)^{-1}(m + dr)\big)Q \\
&= kQ
\end{aligned}
\]

This means r ≡ x2 mod n as required. Forging a signature requires knowledge of d, which can be obtained by calculating the discrete log of P = dQ and, as said earlier, this is very hard to do. This is the trapdoor of elliptic curve cryptography.
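Algorithms 4 to 6 as an added Python example (not code from the thesis). It uses a constructed toy curve y² = x³ + 2x + 2 over F17 with base point G = (5, 1) of prime order n = 19 instead of Bitcoin's curve, so every intermediate point can be checked by hand; point addition follows the case distinction given above. The nonce k is passed in explicitly so results are reproducible; in practice step 1 of Algorithm 5 requires a fresh, uniformly random k for every signature.

```python
# Toy curve y^2 = x^3 + 2x + 2 over F_17 (constructed for this example; not Bitcoin's curve).
# The base point G = (5, 1) has prime order n = 19, so every scalar here is small.
P_MOD, A, B = 17, 2, 2
G = (5, 1)
N_ORDER = 19
O = None  # the point at infinity, the unity element of the group


def on_curve(Q) -> bool:
    """True if Q is O or satisfies y^2 = x^3 + Ax + B over F_p."""
    if Q is O:
        return True
    x, y = Q
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def neg(Q):
    """-Q = (x, -y)."""
    return O if Q is O else (Q[0], (-Q[1]) % P_MOD)


def add(Q1, Q2):
    """Chord-and-tangent addition, following the case distinction in the text."""
    if Q1 is O:
        return Q2
    if Q2 is O:
        return Q1
    if Q1 == neg(Q2):           # Q1 = -Q2 (also covers doubling a point with y = 0)
        return O
    x1, y1 = Q1
    x2, y2 = Q2
    if Q1 == Q2:                # tangent line at Q1
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:                       # chord through Q1 and Q2 (x1 != x2 here)
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)             # this is -R, the reflected third intersection point


def mul(d: int, Q):
    """dQ by double-and-add. Fine for a demo; real code needs a constant-time ladder."""
    R = O
    while d > 0:
        if d & 1:
            R = add(R, Q)
        Q = add(Q, Q)
        d >>= 1
    return R


def keygen(d: int):
    """Algorithm 4 with the secret scalar supplied by the caller: returns (S, P) = (d, dG)."""
    if not 1 <= d < N_ORDER:
        raise ValueError("d must lie in [1, n-1]")
    return d, mul(d, G)


def sign(d: int, m: int, k: int):
    """Algorithm 5. m is the hashed message reduced mod n; k is the per-signature nonce,
    passed in for reproducibility (it must be fresh and uniform in [1, n-1] in practice)."""
    if not 1 <= k < N_ORDER:
        raise ValueError("k must lie in [1, n-1]")
    x1, _ = mul(k, G)
    r = x1 % N_ORDER
    s = pow(k, -1, N_ORDER) * (m + d * r) % N_ORDER
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, retry with a fresh k")
    return (r, s)


def verify(P, m: int, sig) -> bool:
    """Algorithm 6: recompute kG from public data and compare its x-coordinate with r."""
    r, s = sig
    if not (1 <= r < N_ORDER and 1 <= s < N_ORDER):
        return False
    w = pow(s, -1, N_ORDER)
    u, v = m * w % N_ORDER, r * w % N_ORDER
    S = add(mul(u, G), mul(v, P))
    return S is not O and S[0] % N_ORDER == r
```

For d = 7 and k = 10 the signature of m = 5 is (7, 13): kG = (7, 11), and the verifier's uG + vP = 15G + 2 · 7G = 29G = 10G lands on the same point, which is the derivation above carried out on concrete numbers.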


3.5 Factorization and Discrete Log with Shor’s Algorithm

Shor’s algorithm [25] will change the field of cryptography completely. The fastest computerstill takes many centuries to solve the mathematical problems discussed in this chapter, buta large quantum-computer, that implements Shor’s algorithm, will solve these problems inseconds. This would mean these digital signature schemes are completely broken afterwards.Understanding Shor’s algorithm requires understanding quantum mechanics, which is out ofthe scope of this thesis. However, we will give a general idea why factorization is broken bythis algorithm.

Shor's algorithm is capable of finding the period (order) of a number much faster than traditional computers. Given a number a and a modulus N = pq, the order of a is the smallest number r such that:

\[ a^r \equiv 1 \pmod N \]

Although it is not immediately clear how this might help, we can write it in a different way:

\[ (a^{r/2} - 1)(a^{r/2} + 1) \equiv 0 \pmod N \]

With high probability, the order r is even and neither (a^{r/2} − 1) nor (a^{r/2} + 1) is a multiple of N. What this actually means is that N divides the product but neither factor, so each of (a^{r/2} − 1) and (a^{r/2} + 1) shares a non-trivial factor with N, which gcd(a^{r/2} ± 1, N) recovers. Trying enough random numbers a, calculating the order r and checking whether this gcd is a proper factor of N thus solves the factorization problem. Traditional computers, however, take a lot of time to find the order r, but as said, a quantum computer with Shor's algorithm finds this order very fast. To use the analogy with the hardness of finding a pre-image in mining: traditional computers take (sub)exponential time to factorize (not using the above method, but another algorithm [16]), while Shor's algorithm takes polynomial time. Similar arguments can be made to show that Shor's algorithm also solves the discrete logarithm problem, the basis of elliptic curve signatures, in polynomial time, whilst it takes exponential time for conventional computers.
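The order-finding route to factorization described above, as an added classical simulation in Python (not from the thesis). The order is found by brute force, which is exactly the exponential step that Shor's algorithm replaces with a polynomial-time quantum subroutine, so this only works for toy moduli such as 15 and 21; the reduction from order to factors is the same in both cases.

```python
from math import gcd


def multiplicative_order(a: int, N: int) -> int:
    """Smallest r >= 1 with a^r = 1 mod N, by brute force. This is the step a quantum
    computer running Shor's algorithm performs in polynomial time; classically it takes
    up to N steps, so it is only usable on toy moduli."""
    if gcd(a, N) != 1:
        raise ValueError("a must be coprime to N")
    r, x = 1, a % N
    while x != 1:
        x = x * a % N
        r += 1
    return r


def factor_from_order(a: int, N: int):
    """Turn the order r into factors via (a^{r/2} - 1)(a^{r/2} + 1) = 0 mod N.
    Returns (p, q) sorted, or None when r is odd or a^{r/2} = -1 mod N (then the
    split is trivial and another a must be tried)."""
    r = multiplicative_order(a, N)
    if r % 2:
        return None
    half = pow(a, r // 2, N)
    if half == N - 1:
        return None
    p = gcd(half - 1, N)      # shares a factor with N unless the split was trivial
    if 1 < p < N:
        return tuple(sorted((p, N // p)))
    return None


def shor_classical(N: int):
    """Try a = 2, 3, ... until the order-based split succeeds (toy N only)."""
    for a in range(2, N):
        g = gcd(a, N)
        if g != 1:
            return tuple(sorted((g, N // g)))   # a already shares a factor with N
        result = factor_from_order(a, N)
        if result is not None:
            return result
    return None
```

For N = 15 and a = 7 the order is r = 4, so a^{r/2} = 49 ≡ 4 and gcd(3, 15) = 3, gcd(5, 15) = 5 give the factorization.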

This means we cannot continue using signatures based on the factorization problem anddiscrete logarithm problem. Any attacker with a large enough quantum computer, usingShor’s algorithm, can easily find the secret key given the public key. For Bitcoin, this meansit can impersonate anyone in the community: the attacker can forge signatures and thereforespend another user’s money. The financial system would be completely broken. Luckily, thereare alternative schemes which do provide the necessary security.


4 Hash-Based Signature Schemes

In the previous chapter we concluded that, once a large quantum computer arises, implementingShor’s algorithm, the signature schemes used today are completely broken. The remainingpart of this thesis will focus on post-quantum signature schemes. The first example of sucha scheme is based on hash-functions. Recall that a hash-function is a one-way function H,with some security properties, such as pre-image resistance: given H(x), it is very hard tofind x. This property can be used to build signature schemes whose security relies only onthe security of the hash-function used. These functions are considered safe against quantumcomputers, which is why these signature schemes are safe too. However, these schemes havesome practicality issues, which will be described at the end of this chapter. This is the mainreason why this thesis will focus on another scheme secure against quantum computers.

4.1 One-Time Signature Schemes

The first hash-based signature scheme was introduced by Lamport [15] and is therefore calledthe Lamport One-Time Signature Scheme (LOTSS). As the name suggests: it can only beused once and it will become clear why when we introduce the signature algorithms. Let (x||y)denote the concatenation (appending) of string y to string x.

Algorithm 7 LOTSS Key Generation
Input: Message length k.
Output: A valid key-pair (S, P)
1: Generate 2k random numbers X_{ij}; 1 ≤ i ≤ k; j ∈ {0, 1}, where X_{ij} ∈ {0, 1}^ℓ for some bit-size ℓ of the numbers.
2: For each i, j, compute Y_{ij} = H(X_{ij}), using some secure hash-function H.
3: Output (S, P) = ({X_{ij}}, {Y_{ij}}).

Note that constructing X_{ij} from Y_{ij} is too hard due to the pre-image security of H. To sign a message of bit-length k, one needs 2k random values and hash-values; why this is so will become clear when we introduce signing and verification. Let m_i be the i'th bit of message m. Then the signing algorithm is as follows:

Algorithm 8 LOTSS Signing
Input: Secret values {X_{ij}}, message m of bit-length k.
Output: A valid signature µ for m.
1: For each 1 ≤ i ≤ k:
2:   µ_i = X_{i,m_i}.
3: Return µ = (µ_1||...||µ_k).

It means that, depending on the i'th bit m_i, one picks µ_i = X_{i,0} if m_i = 0 or µ_i = X_{i,1} if m_i = 1. Finally, the LOTSS-signature is validated by:


Algorithm 9 LOTSS Verification
Input: Public key {Y_{ij}}, signature µ for m.
Output: Accept or Reject
1: Accept if H(µ_i) = Y_{i,m_i} for all 1 ≤ i ≤ k.
2: Reject otherwise.

A valid signature is accepted since:

\[ H(\mu_i) = H(X_{i,m_i}) = Y_{i,m_i} \]

This scheme is called a one-time signature scheme because a signature leaks half of the secret values X_{ij}, since µ_i = X_{i,m_i}. In the worst case, this system is completely broken after two signatures. Let m′ be another message with the property m′_i = 1 − m_i. Then after signing both m and m′, all secret values are exposed. This is why such a key-pair should only be used once. However, in the next section we will explain how to build schemes which are able to create more signatures out of these one-time signatures.

4.2 Merkle Signature Schemes

The Merkle signature scheme [18] can be used to sign a limited number of messages with onepublic key, using multiple one-time signature key-pairs such as Lamport’s signatures. Thenumber of messages must be a power of 2, so let N = 2n be the number of messages one wantsto sign with public key P . The signature algorithms are given as follows:

Algorithm 10 Merkle Key Generation
Input: N = 2^n, the number of possible messages to sign.
Output: A valid key-pair (S, P)
1: Generate N key-pairs (X_i, Y_i) for N one-time signatures (for instance, key-pairs for LOTSS).
2: Build a special binary tree (the Merkle tree) of depth n, with nodes a_{i,j} and leaves a_{0,j} = H(Y_j) for 0 ≤ j ≤ N − 1, using secure hash-function H.
3: The value of an inner node of the tree is the hash value of the concatenation of its children. So a_{i+1,j} = H(a_{i,2j} || a_{i,2j+1}).
4: Output S = {X_i}, P = a_{n,0}. In other words: the secret key consists of all secret keys of the N one-time signatures and the public key is the root of the Merkle tree.

A visualization of the Merkle tree is given in figure 2.


[Figure 2: binary tree with root a_{3,0}; level 2 nodes a_{2,0}, a_{2,1}; level 1 nodes a_{1,0}, a_{1,1}, a_{1,2}, a_{1,3}; leaves H(Y0), H(Y1), ..., H(Y7).]

Figure 2: Example of a Merkle Tree with n = 3. Each inner node is the hash value of the concatenation of its children. The root a_{3,0}, in orange, is the public key.

Now to validate a Merkle-signature, one needs to calculate the path (authentication path)from one of the leaves (the hash of the used one-time signature public key) to the root of theMerkle Tree (the public key). To do this, one needs the sibling of every node in the path,since each inner node is the hash of its two children. These values are part of the signature ofmessage m. To get this path, one can either compute the whole path using the secret values(build the tree from bottom up) or save the tree. Either way, we assume we have it for thesigning algorithm:

Algorithm 11 Merkle Signing
Input: Secret keys S = {X_i} of one-time signatures, message m.
Output: A valid signature µ for m.
1: Pick any unused secret key X_i to construct a one-time signature µ_i.
2: Let A = (A_0, A_1, ..., A_n) denote the nodes on the path in the Merkle tree from leaf A_0 = a_{0,i} = H(Y_i) to the root A_n = a_{n,0} (the root is excluded from the signature, because it is public).
3: Let B = (B_0, B_1, ..., B_{n−1}) denote the siblings of A_0, ..., A_{n−1}, such that A_{s+1} = H(A_s||B_s) or A_{s+1} = H(B_s||A_s), depending on the path, for 0 ≤ s ≤ n − 1.
4: Output µ = (µ_i||Y_i||B_0||...||B_{n−1}).


[Figure 3: the tree of figure 2, with leaf H(Y0) computed from the one-time public key Y0 and the sibling nodes of its path to the root highlighted.]

Figure 3: Example of a Merkle signature with i = 0. X0 is the secret key used for the one-time signature. The inner nodes marked in blue are the siblings B_s of the signature.


The verification of this algorithm is simply reconstructing the path from a_{0,i} to a_{n,0} using the B_s:

Algorithm 12 Merkle Verification
Input: Root of the Merkle tree (public) a_{n,0}, signature µ for m.
Output: Accept or Reject
1: Verify the one-time signature of m using µ_i and the one-time signature public key Y_i.
2: Rebuild the path from A_0 = a_{0,i} = H(Y_i) to a_{n,0} by computing A_{s+1} = H(A_s||B_s) or A_{s+1} = H(B_s||A_s) with the B_s given in µ.
3: Accept if A_n = a_{n,0} (the root of the Merkle tree). Reject otherwise.

[Figure 4: the tree of figure 2, with the path H(Y0) → a_{1,0} → a_{2,0} → a_{3,0} reconstructed from the one-time signature made with X0 and the sibling nodes in the signature.]

Figure 4: Verifying the signature (in blue) by reconstructing the path (in red) from H(Y0) to the root a_{n,0}, which is also the public key.


It is very important to use a different one-time signature each time you construct a Merkle signature: using a one-time signature twice will again jeopardize security. This is why this scheme is called stateful: the user needs to remember which signatures have been used. There is a stateless, optimized alternative called SPHINCS [4], which uses multiple Merkle trees together with random numbers.
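Sections 4.1 and 4.2 as one added Python example (not code from the thesis): LOTSS key generation, signing and verification over SHA-256 digests (k = 256, ℓ = 256), a Merkle tree of N = 2^n LOTSS public keys with authentication paths, and a set of used leaf indices that enforces the stateful rule just described. One addition to the signature format of Algorithm 11 is that the leaf index i travels with the signature, so the verifier knows on which side each sibling B_s sits when it recomputes H(A_s||B_s) or H(B_s||A_s). The helper lotss_revealed counts how many secret values the signatures under one key have exposed, which makes the one-time argument of section 4.1 concrete: one signature reveals k of the 2k secrets, and two signatures on bitwise complementary digests reveal all of them.

```python
import hashlib
import os

K = 256   # bit-length k of a hashed message (SHA-256)
L = 32    # byte-length of each secret value X_ij (256 bits)


def H(data: bytes) -> bytes:
    """The secure hash-function H used throughout."""
    return hashlib.sha256(data).digest()


def bits_of(digest: bytes):
    """The bits m_1..m_k of a 32-byte digest, most significant bit first."""
    return [(byte >> shift) & 1 for byte in digest for shift in range(7, -1, -1)]


def lotss_keygen(rng=os.urandom):
    """Algorithm 7: 2k random secrets X_ij, public values Y_ij = H(X_ij)."""
    sk = [(rng(L), rng(L)) for _ in range(K)]
    pk = [(H(x0), H(x1)) for x0, x1 in sk]
    return sk, pk


def lotss_sign(sk, digest: bytes):
    """Algorithm 8: mu_i = X_{i,m_i}, i.e. one of the two secrets per message bit is revealed."""
    return [sk[i][bit] for i, bit in enumerate(bits_of(digest))]


def lotss_verify(pk, digest: bytes, sig) -> bool:
    """Algorithm 9: H(mu_i) must equal Y_{i,m_i} for every bit."""
    return len(sig) == K and all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(bits_of(digest)))


def lotss_revealed(sigs) -> int:
    """Number of distinct secret values exposed by a list of signatures under one key."""
    return len({s for sig in sigs for s in sig})


def pk_bytes(pk) -> bytes:
    """Serialize a LOTSS public key Y_j so the leaf a_{0,j} = H(Y_j) can be computed."""
    return b"".join(y0 + y1 for y0, y1 in pk)


def merkle_keygen(n: int, rng=os.urandom):
    """Algorithm 10: N = 2^n one-time key pairs; the root a_{n,0} is the public key."""
    ots = [lotss_keygen(rng) for _ in range(2 ** n)]
    tree = [[H(pk_bytes(pk)) for _, pk in ots]]          # tree[i][j] = a_{i,j}
    for level in range(n):
        prev = tree[level]
        tree.append([H(prev[2 * j] + prev[2 * j + 1]) for j in range(len(prev) // 2)])
    secret = {"ots": ots, "tree": tree, "used": set()}   # "used" is the state
    return secret, tree[n][0]


def merkle_sign(secret, digest: bytes, index: int):
    """Algorithm 11, with the leaf index carried in the signature so the verifier knows
    on which side each sibling B_s sits. Refuses to reuse a one-time key (stateful)."""
    if index in secret["used"]:
        raise ValueError("one-time key %d was already used" % index)
    secret["used"].add(index)
    sk, pk = secret["ots"][index]
    siblings, j = [], index
    for level in range(len(secret["tree"]) - 1):
        siblings.append(secret["tree"][level][j ^ 1])     # B_s: sibling of A_s
        j >>= 1
    return index, lotss_sign(sk, digest), pk, siblings


def merkle_verify(root: bytes, digest: bytes, signature) -> bool:
    """Algorithm 12: check the one-time signature, rebuild the path to the root, compare."""
    index, sig, pk, siblings = signature
    if not lotss_verify(pk, digest, sig):
        return False
    node, j = H(pk_bytes(pk)), index
    for sibling in siblings:
        node = H(sibling + node) if j & 1 else H(node + sibling)
        j >>= 1
    return node == root
```

The size figures of the next section can be read off directly: a LOTSS signature is K · L = 8192 bytes (65536 bits) before the Merkle tree adds n siblings of 32 bytes each and the 16 KiB one-time public key Y_i.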

4.3 Practicality Issues

All you need to build hash-based signature schemes is a secure hash-function. This is alreadyrequired, because messages are hashed before signed. As we have seen in chapter two, thesecurity of hash-functions is minimally impacted by quantum computers. However, if we gointo more details, there are some disadvantages to these schemes which make them unsuitablein the situation of this thesis.

The first and most important issue is that of the signature size. The size of a LOTSS-signature depends on k secret values Xij . To achieve a security of, say, 128 bits, one needssecret values of at least 256 bits due to the birthday paradox. Since, also in this case, messagesare hashed before signed, we have k = 256 bits too. This means, a LOTSS-signature is of size256 · 256 = 65536 bits. That is 30 times more than RSA signatures on the internet and 256times more than elliptic curve signatures used in Bitcoin! The signature size will dominatethe size of blocks in the Blockchain when using this. There is a more efficient scheme, calledWinternitz’s signatures [26], which can reduce the size of LOTSS-signatures. However, toachieve a linear decrease in signature size, the signing time becomes exponentially bigger. Thiscould make the scheme more practical, but the signatures are still only usable once. It meansthat Bitcoin users have to be very careful to use an account only once!

Using many-time signature schemes, like Merkle signatures, has another practicality issue. One has to keep track of the so-called state of the scheme: remember which one-time signatures are already used. This is very hard to do in practice, especially in the use-case of Bitcoin. Chances are high that a Bitcoin user wants to store keys in many places, allowing them to spend money using multiple devices. But all these devices need to track the state of the signatures in order to maintain security. This issue is hard to deal with. The stateless alternative SPHINCS [4], which is highly optimized, does not have this issue but has signature sizes of 41000 bytes, which means that for all these schemes the signature size dominates the whole Blockchain.

Despite these practicality issues, it is advised [2] to start using these signature schemes,for applications such as Bitcoin. The reason for this is simple: the security of hash-basedsignatures is well understood and does not require significant software updates. Hash-functionsare already implemented for other purposes. Another way of constructing post-quantumdigital signatures will be introduced in the next chapters. These schemes do not have thepracticality issues just described, but their security is not yet well understood.


5 Introduction to Lattices

Several cryptosystems secure against quantum computers are based on problems in lattices. These systems are considered very promising for practical use. Lattice-based signature schemes are fast (comparable to the speed of elliptic curve signatures), have practical signature sizes (comparable to the size of RSA signatures) and have relatively small keys (comparable to the size of RSA keys) [8]. The name suggests these systems are based on hard problems in lattices, and to understand them, we need to understand lattices. The theory of lattices is very broad and complex, which is why we only introduce the parts which are relevant. As an example, we end the chapter with the first, but broken, signature scheme related to a hard lattice problem.

5.1 Notations

The theory of lattices relies heavily on linear algebra, which is why we first introduce some important notations. Let R^n be the n-dimensional Euclidean vector-space over R with its usual set of rules and Z^n the space of vectors with only integer coefficients. We define the rounding function

\[ \lceil x \rfloor : \mathbb{R} \to \mathbb{Z}, \qquad \lceil x \rfloor = \lfloor x + 0.5 \rfloor \]

to be the integer closest to x. Column vectors are denoted by bold letters x, and a matrix B has column vectors b_i. We say a lattice is of rank m if it is spanned by m linearly independent vectors. We use the Euclidean inner-product of two vectors:

\[ \langle \mathbf{x}, \mathbf{y} \rangle = \sum_{i=1}^{n} x_i y_i \]

and consider the L1, L2 and L∞ norms:

\[ \|\mathbf{x}\|_1 = |x_1| + |x_2| + \cdots + |x_n|, \qquad \|\mathbf{x}\|_2 = \sqrt{x_1^2 + x_2^2 + \cdots + x_n^2}, \qquad \|\mathbf{x}\|_\infty = \max_{1 \le i \le n} |x_i| \]

However, when we do not give any subscript 1, 2, ∞ with a norm, we always refer to the L2 norm. The distance between two vectors is denoted by d(x, y) = ||x − y|| and the distance between an element x ∈ R^n and a set E ⊂ R^n is:

\[ d(\mathbf{x}, E) = \min_{\mathbf{y} \in E} \|\mathbf{x} - \mathbf{y}\| \]

5.2 Definitions and Bases

We can define an (integer) lattice Λ of dimension n, spanned by vectors {b_1, ..., b_m} ⊂ Z^n, where b_1, ..., b_m are linearly independent vectors over Z, as the set of all linear combinations of the b_i's with integer coefficients:

\[ \Lambda(\mathbf{b}_1, \ldots, \mathbf{b}_m) := \left\{ \sum_{i=1}^{m} x_i \mathbf{b}_i \;\middle|\; x_1, \ldots, x_m \in \mathbb{Z} \right\} \]


We call the vectors {b_1, ..., b_m} a basis of the lattice. One of the easiest examples of a lattice is the set Z^n, spanned by the n standard unit vectors e_i. As with a normal collection of vectors, we can also identify a lattice by using the matrix B ∈ Z^{n×m}, whose columns are the vectors b_j as vectors in Z^n, and the lattice can be written as:

\[ \Lambda = \{ B\mathbf{x} \mid \mathbf{x} \in \mathbb{Z}^m \} \]

In this case, the rank of B equals m. We say that Λ is of full rank if the rank m of the lattice equals the dimension n of the space. In the remaining part of this thesis, all lattices introduced will be of full rank unless stated otherwise. It is easiest to visualize a lattice in the case of 2 dimensions, as in figure 5.

[Figure 5: two-dimensional lattice with origin O and basis vectors b_1, b_2.]

Figure 5: Visualization of a lattice spanned by two vectors, b_1 and b_2. Each lattice point can be expressed as a linear combination of these two vectors.

An important aspect of a lattice is that there are infinitely many bases to choose from, which all span the same lattice. Another way of saying this is that we can apply any unimodular transformation matrix U ∈ Z^{n×n}, that is, a matrix with det(U) = ±1, to a basis B and the new basis will span the same lattice:

\[ \Lambda(B) = \{ (BU)\mathbf{x} \mid \mathbf{x} \in \mathbb{Z}^n \} = \Lambda(BU) \]

Below is an example of the previous lattice, with another basis in blue:


[Figure 6: the lattice of figure 5 with origin O, the basis b_1, b_2 and a second basis r_1, r_2 in blue.]

Figure 6: Visualization of a lattice with two different bases. We call basis B = {b_1, b_2} a good basis and R = {r_1, r_2} a bad basis.

Note that the first basis is nearly orthogonal, while the second basis is more angular. Furthermore, the second basis has longer vectors than the first. Therefore, we call basis {b_1, b_2} a good basis of the lattice and {r_1, r_2} a bad basis. This difference in bases allows the usability of lattices in cryptography. This is because a lot of lattice problems, introduced later, are easy to solve when you know a good basis, but are very hard to solve when you only know a bad basis. This makes them suitable as a trapdoor. To make this difference more precise, we will define the notion of the orthogonality defect.

Let Λ ⊂ Z^n be a lattice spanned by {b_1, ..., b_n}. Let B be the matrix whose columns are the b_i. Then we define the orthogonality defect δ as:

\[ \delta(B) = \frac{\prod_{i=1}^{n} \|\mathbf{b}_i\|_2}{|\det(B)|} \]

We call |det(B)| the volume vol(Λ(B)) of Λ. Note that the volume of Λ is independent of the basis, which follows immediately from |det(BU)| = |det(B) det(U)| = |det(B) · (±1)| = |det(B)|. From the definition of the orthogonality defect one can derive that δ(B) ≥ 1 (Hadamard's inequality), but in the case of the bases in figure 6 we can also conclude

\[ \delta(\{\mathbf{r}_1, \mathbf{r}_2\}) > \delta(\{\mathbf{b}_1, \mathbf{b}_2\}) \]

Furthermore, we denote the length of the shortest non-zero vector in Λ by:

\[ \lambda_1(\Lambda) = \min_{\mathbf{y} \in \Lambda \setminus \{\mathbf{0}\}} \|\mathbf{y}\| \]

Naturally, bases which have vectors with lengths close to this value are better than bases with only large vectors.


5.3 Lattice Basis Reduction

As introduced in the previous section, a lattice has good and bad bases, where a good basis is as orthogonal as possible. Lattice basis reduction methods try to transform a bad basis into a good one. There are many reduction algorithms, but we focus on the Lenstra-Lenstra-Lovász algorithm (LLL) [17]. It runs in time polynomial in the dimension of the lattice, and many other reduction algorithms are modifications of it. To understand the main principle behind this method, we first recall how orthogonalization is done in linear algebra over R: the Gram-Schmidt orthogonalization method.

Given a basis b1, ..., bn, the Gram-Schmidt orthogonalization (GSO) of the basis is defined by the iterative process

$$b_1^* := b_1, \qquad b_2^* := b_2 - \mu_{21} b_1^*, \qquad b_i^* := b_i - \sum_{j=1}^{i-1} \mu_{ij} b_j^*,$$

where the GSO coefficients are given by

$$\mu_{ij} = \frac{\langle b_i, b_j^* \rangle}{\|b_j^*\|^2}, \qquad i > j.$$

The meaning of these coefficients is that µij b*j is the projection of bi onto b*j. By removing all these projections from bi, the remaining vector b*i is orthogonal to b*1, ..., b*(i−1). So after this process the vectors b*1, ..., b*n form an orthogonal basis of the same vector space, but in general not of the same lattice, since the µij need not be integers.

Since the µij are not necessarily in Z, we cannot use them directly when reducing a lattice: subtracting a non-integer multiple of bj from bi leaves the lattice. However, we can round them to the nearest integer ⌈µij⌋ and subtract ⌈µij⌋ bj instead, which is a unimodular operation. This rounded version of GSO is called a size-reduction step and is the main step in LLL.

After size-reduction we know that |µij| ≤ 1/2 for all j < i, since 1/2 is the biggest error one can make by rounding. This means that every bi is already close to orthogonal to the b*j with j < i. Note that bi is reduced only against earlier vectors, never against later ones. So after a size-reduction step one can swap bi and bi+1, after which another size-reduction step might reduce the vector further. By alternating size-reductions and swaps one can reduce the basis further and further, but without a rule for when to swap this could take exponentially many steps. The LLL algorithm uses the Lovász condition to decide whether a swap is worthwhile, which makes the algorithm run in polynomial time and gives the resulting basis some nice properties. The Lovász condition, with factor δ ∈ (1/4, 1), is

$$\delta \|b_i^*\|^2 \le \|b_{i+1}^* + \mu_{i+1,i} b_i^*\|^2 \qquad \text{for all } 1 \le i < n.$$

The right-hand side is the squared length of the projection of bi+1 orthogonally to b*1, ..., b*(i−1), i.e. what ||b*i||² would become if bi and bi+1 were swapped. So if the Lovász condition does not hold, swapping bi and bi+1 reduces ||b*i||² by at least a factor δ: there is still a lot of progress to be made in reducing the lattice. A summary of LLL is given below, where δ ∈ (1/4, 1) is the factor used in the Lovász condition:


Algorithm 13 LLL Lattice Basis Reduction

Input: Lattice basis B = {b1, ..., bn}
Output: A reduced lattice basis B*
1: Size-reduce b1, ..., bn (using rounded GSO coefficients ⌈µij⌋).
2: If there exists an index i which violates the Lovász condition:
3:     Swap bi and bi+1 and go to step 1.
4: Output B* = {b1, ..., bn}.

One can prove that this algorithm terminates in time polynomial in the lattice rank n, the vector-space dimension and the maximal bit-length of the bi. Furthermore, the first vector of the output basis B* (here B* denotes the reduced basis, not the Gram-Schmidt vectors) satisfies

$$\|b_1^*\| \le \left(\frac{1}{\delta - \tfrac{1}{4}}\right)^{(n-1)/2} \cdot \lambda_1(\Lambda).$$

In practice, implementations of LLL perform much better than this bound predicts and find much shorter vectors. Similar bounds can be derived for the other vectors of B*, which means there is an upper bound β with ||bi|| ≤ β for all 1 ≤ i ≤ n. A visualization of LLL and β is given below.

[Figure 7: the lattice from the origin O with the bad input basis {r1, r2}, the LLL output basis {v1, v2} and the bound β drawn as a circle around O.]

Figure 7: Visualization of LLL lattice basis reduction, with input basis {r1, r2}. LLL finds a basis with smaller orthogonality defect and vectors shorter than the bound β.
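To make the orthogonality defect and the LLL procedure concrete, the following Python program is added here as a worked example; it is not code from the thesis or from any library. It stores basis vectors as rows rather than columns, computes δ(B) exactly with rational arithmetic, builds a bad basis R = UB from a unimodular U (checked via det(U) = ±1, the reason Λ(B) = Λ(BU)), and runs the textbook LLL of Algorithm 13 with δ = 3/4 on R. The constructed two-dimensional bases play the role of {b1, b2} and {r1, r2} in Figures 6 and 7.

```python
from fractions import Fraction
import math


def dot(u, v):
    """Exact inner product over the rationals, so the Lovasz test is not fooled by rounding."""
    return sum(Fraction(a) * Fraction(b) for a, b in zip(u, v))


def det(B):
    """Determinant by exact Gaussian elimination; |det(B)| is the lattice volume."""
    M = [[Fraction(x) for x in row] for row in B]
    n, d = len(M), Fraction(1)
    for i in range(n):
        p = next((r for r in range(i, n) if M[r][i] != 0), None)
        if p is None:
            return Fraction(0)
        if p != i:
            M[i], M[p] = M[p], M[i]
            d = -d
        d *= M[i][i]
        for r in range(i + 1, n):
            f = M[r][i] / M[i][i]
            M[r] = [a - f * b for a, b in zip(M[r], M[i])]
    return d


def orthogonality_defect(B):
    """delta(B) = prod ||b_i|| / |det B|; equals 1 exactly for an orthogonal basis."""
    prod = 1.0
    for row in B:
        prod *= math.sqrt(dot(row, row))
    return prod / abs(det(B))


def bad_basis(B, U):
    """R = U B (rows): spans the same lattice as B because det(U) = +-1 (checked)."""
    assert abs(det(U)) == 1, "U must be unimodular"
    return [[sum(u * b for u, b in zip(urow, col)) for col in zip(*B)] for urow in U]


def gram_schmidt(B):
    """GSO vectors b*_i and coefficients mu[i][j] = <b_i, b*_j> / ||b*_j||^2."""
    n = len(B)
    bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = [Fraction(x) for x in B[i]]
        for j in range(i):
            mu[i][j] = dot(B[i], bstar[j]) / dot(bstar[j], bstar[j])
            v = [a - mu[i][j] * b for a, b in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu


def lll(B, delta=Fraction(3, 4)):
    """Textbook LLL (Algorithm 13): size-reduce, test the Lovasz condition, swap on failure."""
    B = [list(row) for row in B]
    n, k = len(B), 1
    bstar, mu = gram_schmidt(B)
    while k < n:
        for j in range(k - 1, -1, -1):          # size-reduction of b_k against b_j, j < k
            q = round(mu[k][j])                 # rounded GSO coefficient keeps us in the lattice
            if q != 0:
                B[k] = [a - q * b for a, b in zip(B[k], B[j])]
                bstar, mu = gram_schmidt(B)     # recompute from scratch (fine for toy sizes)
        # Lovasz: delta * ||b*_{k-1}||^2 <= ||b*_k + mu_{k,k-1} b*_{k-1}||^2
        lhs = delta * dot(bstar[k - 1], bstar[k - 1])
        rhs = dot(bstar[k], bstar[k]) + mu[k][k - 1] ** 2 * dot(bstar[k - 1], bstar[k - 1])
        if lhs <= rhs:
            k += 1
        else:
            B[k - 1], B[k] = B[k], B[k - 1]     # swap and step back one index
            bstar, mu = gram_schmidt(B)
            k = max(k - 1, 1)
    return B


# Constructed sample: nearly orthogonal good basis and a unimodular U with det(U) = 7*1 - 3*2 = 1.
GOOD = [[4, 1], [-1, 5]]
U = [[7, 3], [2, 1]]
BAD = bad_basis(GOOD, U)      # rows (25, 22) and (7, 7): long and far from orthogonal

if __name__ == "__main__":
    print("bad basis", BAD, "defect %.2f" % orthogonality_defect(BAD))
    print("good basis", GOOD, "defect %.4f" % orthogonality_defect(GOOD))
    print("LLL(bad) =", lll(BAD))
```

Running LLL on BAD swaps twice and size-reduces in between, returning exactly the rows (4, 1) and (−1, 5): the same volume 21, but an orthogonality defect of about 1.001 instead of about 15.7.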

5.4 Hard Lattice-Problems

As with RSA and elliptic-curve cryptography, we need a trapdoor function based on a hard mathematical problem. In the previous section we already mentioned that there are lattice problems which are very hard to solve given a bad basis, but easy given a good basis. An instance of such a problem can therefore be used as a trapdoor function, and is thus usable in building a cryptosystem. However, as we will see at the end of this chapter, it is not that straightforward to construct a secure system.

Two classical lattice-problems are easily recognized by their name: the Shortest VectorProblem (SVP) and the Closest Vector Problem (CVP). As their names suggest, both involvefinding a vector with a certain property.

The Shortest Vector Problem is the problem of, given a basis B of a lattice Λ, finding a non-zero vector x ∈ Λ \ {0} of minimal length in the lattice:

$$\|x\| = \min_{y \in \Lambda \setminus \{0\}} \|y\| = \lambda_1(\Lambda).$$

Note that this vector is not unique: −x is also a solution, and there may be more.

[Figure 8: the lattice from the origin O with the input basis {r1, r2} and a shortest vector v.]

Figure 8: An instance of the Shortest Vector Problem, with input basis {r1, r2}. Find a vector v with minimal length: ||v|| = λ1(Λ).

The Closest Vector Problem is the problem of, given a basis B of a lattice Λ and a target vector v (not necessarily in the lattice), finding the lattice vector x ∈ Λ closest to v:

$$\|x - v\| = \min_{y \in \Lambda} \|y - v\| = d(v, \Lambda).$$


[Figure 9: the lattice from the origin O with the input basis {r1, r2}, the target vector v and the closest lattice point x.]

Figure 9: An instance of the Closest Vector Problem, with input basis {r1, r2} and target vector v. Find a lattice vector x closest to v.

One can show that an algorithm which solves CVP can also be used to solve SVP. The best known way to solve these problems is to run a lattice reduction algorithm such as LLL and proceed from there: LLL produces a relatively short basis in polynomial time, after which one can continue with enumeration [9] or sieving [1] algorithms to solve the problem exactly. This last step, however, takes exponential time. Given a good basis of the lattice, both problems are solved easily. A signature scheme based on CVP is given in the next section.


5.5 A First Attempt of Lattice-Based Signatures

One of the first cryptosystems based on hard lattice problems is named after its inventors Goldreich, Goldwasser and Halevi (GGH) [10]. It uses the closest vector problem as the key ingredient for both an encryption scheme and a signature scheme, together with a good basis (secret key) and a bad basis (public key). The algorithms of the signature scheme are as follows:

Algorithm 14 GGH Key Generation

Output: A valid key-pair (S, P)
1: Generate a good basis B ∈ Zⁿˣⁿ.
2: Generate a bad basis R = BU, for some unimodular matrix U.
3: Output (S, P) = (B, R).

That the GGH signature scheme is built upon CVP will become clear from the signing algorithm. We model the message m as a vector m ∈ Zⁿ, not necessarily in the lattice. Signing then works as follows:

Algorithm 15 GGH Signing

Input: Secret key B, message m.
Output: A valid signature µ for message m.
1: Calculate the lattice point z = B⌈B⁻¹m⌋, i.e. round the coordinates of m with respect to the good basis B to the nearest integers.
2: Output µ = z.

Note that m is in general not an element of the lattice spanned by B, but it is very close to the lattice point z, since rounding with respect to a nearly orthogonal basis changes every coordinate by at most 1/2. This is why the scheme is based on CVP: to forge a signature for a message m, one needs to find a lattice point close to m, and with only the bad basis R that is a hard CVP instance. Checking that µ ∈ Λ and that µ is close to m is all there is to verification:

Algorithm 16 GGH Verification

Input: Public key R, message m, signature µ
Output: Accept or Reject
1: Verify that µ = z ∈ Λ(R), i.e. that R⁻¹z has integer coordinates, and that ||z − m|| is small.
2: Reject if either of the above is false, otherwise accept.

In other words: one verifies that the signer found a vector close to message m in the lattice.


The reason why this scheme is broken is that every signature leaks secret information. With every signature, the vector v = m − z is revealed, and by construction v lies in the parallelepiped spanned by the secret vectors b1, ..., bn: its coordinates with respect to B all lie in [−1/2, 1/2]. Once one has captured enough such vectors v, which does not require that many signatures, one knows the shape of the whole parallelepiped and can take the vectors spanning it as the secret basis. A visualization of this attack is given below:

[Figure 10, four panels drawn from the origin O: (a) one signature µ1 for message m1, with the leaked vector m1 − µ1 inside the grey parallelepiped of the secret basis {b1, b2}, next to the public basis {r1, r2}; (b) a second signature µ2 for m2 and its leaked vector m2 − µ2; (c) the parallelepiped of {b1, b2} filled by the leaked vectors; (d) the recovered vectors v1, v2 coinciding with the secret basis {b1, b2}.]

Figure 10: Step-by-step attack on the GGH signature scheme. Each time a signature is given, an element inside the parallelepiped (in grey) of a small basis is given. After enough signatures (steps (a), (b), (c)), one has enough elements to compute the small basis from them (step (d)).
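The toy implementation below is an added Python example, not code from [10] or from the thesis. It runs Algorithms 14 to 16 in dimension 4 with basis vectors stored as rows, and exposes the leak just described: for every signature the error m − z has coordinates in [−1/2, 1/2] with respect to the secret basis, while the same Babai rounding performed with the public basis R lands far outside the acceptance radius. Recovering the parallelepiped from many leaked vectors is not implemented; the block only exhibits what each signature reveals. The diagonally dominant good basis, the way U is built from random row additions, and publishing the acceptance radius (1/2)Σ||bi|| alongside R are assumptions of the example.

```python
from fractions import Fraction
import math
import random


def coords(B, v):
    """Exact coordinates w with w*B = v, for basis vectors stored as the rows of B."""
    n = len(B)
    M = [[Fraction(B[j][i]) for j in range(n)] + [Fraction(v[i])] for i in range(n)]
    for i in range(n):                                    # Gauss-Jordan over the rationals
        p = next(r for r in range(i, n) if M[r][i] != 0)
        M[i], M[p] = M[p], M[i]
        M[i] = [x / M[i][i] for x in M[i]]
        for r in range(n):
            if r != i and M[r][i] != 0:
                M[r] = [a - M[r][i] * b for a, b in zip(M[r], M[i])]
    return [row[n] for row in M]


def combine(k, B):
    """sum_i k_i * b_i: a lattice point whenever all k_i are integers."""
    return [sum(ki * B[i][j] for i, ki in enumerate(k)) for j in range(len(B))]


def random_unimodular(n, rng, rounds=40):
    """Start from the identity and apply random row additions; each keeps det = +-1."""
    U = [[int(i == j) for j in range(n)] for i in range(n)]
    for _ in range(rounds):
        i, j = rng.sample(range(n), 2)
        k = rng.choice((-3, -2, -1, 1, 2, 3))
        U[i] = [a + k * b for a, b in zip(U[i], U[j])]
    return U


def keygen(n, seed):
    """Algorithm 14. Good basis: dominant diagonal plus small noise (nearly orthogonal).
    Bad basis: R = U B for a random unimodular U. The acceptance radius (1/2) sum ||b_i||
    is published together with R (assumption of this example)."""
    rng = random.Random(seed)
    B = [[(4 * n if i == j else 0) + rng.randint(-2, 2) for j in range(n)] for i in range(n)]
    R = [combine(urow, B) for urow in random_unimodular(n, rng)]
    bound = 0.5 * sum(math.sqrt(sum(x * x for x in row)) for row in B)
    return B, (R, bound)


def sign(B, m):
    """Algorithm 15 (Babai rounding): z = round(coordinates of m in B) * B."""
    return combine([round(w) for w in coords(B, m)], B)


def verify(pub, m, z):
    """Algorithm 16: integer coordinates w.r.t. R (so z is in the lattice) and z close to m."""
    R, bound = pub
    in_lattice = all(w.denominator == 1 for w in coords(R, z))
    dist = math.sqrt(sum((a - b) ** 2 for a, b in zip(z, m)))
    return in_lattice and dist <= bound


def leaked_coords(B, m, z):
    """Coordinates of the public difference m - z in the SECRET basis. They always lie in
    [-1/2, 1/2]: every signature hands the attacker a point of the secret parallelepiped."""
    return coords(B, [a - b for a, b in zip(m, z)])


if __name__ == "__main__":
    B, pub = keygen(4, 7)
    m = [123, -456, 78, 9]                                # constructed message vector
    z = sign(B, m)
    print("valid:", verify(pub, m, z), "leaked coords:", leaked_coords(B, m, z))
    print("rounding with the public basis accepted:", verify(pub, m, sign(pub[0], m)))
```

The forgery attempt in the last line is Algorithm 15 run with R instead of B: the result is a lattice point, so the membership check passes, but the rounding error is a combination of the long vectors ri and the distance check fails.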


6 Lattice-Based Signatures In Practice

In the previous section we have seen how the GGH signature scheme is broken easily, because itleaks information about the secret key with each signature. In this section, we will first discusstwo other hard lattice problems and introduce the Bimodal Lattice Signature Scheme (BLISS)[8]. We will zoom in on the discrete Gaussian sampler, which is needed for sampling an errorvector in the signature scheme. We end the section with an efficient way of implementinglattice-based cryptography, as well as parameter suggestions from the authors of BLISS.

6.1 More Hard Lattice Problems: SIS and LWE

Lattice-based signatures used in practice do not rely on SVP or CVP directly, but on different problems. Two other problems which are hard to solve are the Short Integer Solution (SIS) and the Learning With Errors (LWE) problems. Unlike SVP and CVP, these problems are not stated geometrically in terms of lattices, but their hardness relies on the hardness of the lattice problems discussed before: one can transform SIS and LWE instances into problems in lattices. They are considered hard on average, which means a random key will most likely be a secure one.

Unlike SVP and CVP, both SIS and LWE are problems about vectors modulo a prime q:

$$\mathbb{Z}_q^n = \{x = (x_1, \ldots, x_n) : x_i \in \mathbb{Z}_q \ \forall i\}.$$

Any integer linear combination of vectors in Zqⁿ is again an element of Zqⁿ, so we can define a lattice in this space spanned by a matrix A ∈ Zqⁿˣⁿ:

$$\Lambda_q(A) = \{Ax \bmod q \mid x \in \mathbb{Z}^n\}.$$

Short Integer Solution is the problem of, given a matrix A ∈ Zqⁿˣⁿ, finding a short non-zero integer vector x ∈ Zⁿ such that

$$Ax \equiv 0 \pmod q.$$

The hardness of this problem depends on how short the vector x must be. In other words: find a short integer linear combination of the n given columns of A which results in the zero vector in Zqⁿ. A more general version of SIS, called inhomogeneous SIS, is the problem of, given A ∈ Zqⁿˣᵐ and a target vector v ∈ Zqⁿ, finding a short x such that

$$Ax \equiv v \pmod q.$$

To see the analogy with a lattice problem, consider the set of all integer solutions of the homogeneous equation:

$$\Lambda^\perp(A) = \{x \in \mathbb{Z}^n \mid Ax \equiv 0 \pmod q\}.$$

This set is closed under addition and is itself a lattice, which we call the dual lattice, and SIS is exactly the Shortest Vector Problem in this lattice. This is why we call SIS a lattice problem: its hardness is tied to the hardness of SVP.

The Learning With Errors (LWE) problem is also defined on Λq(A) and has resulted in many cryptosystems, mainly for encryption. As the name suggests, this problem involves an unknown error vector e ∈ Zⁿ.

Learning With Errors is the problem of, given a public matrix A ∈ Zqⁿˣⁿ and a public vector b ∈ Zqⁿ satisfying

$$b^T \equiv s^T A + e^T \pmod q$$

for some unknown error vector e drawn from a fixed distribution D, finding the secret vector s ∈ Zqⁿ. Note that the error vector is essential: if e were known, one would have the linear equation

$$b^T - e^T \equiv s^T A \pmod q,$$

which is easily solved for s by Gaussian elimination modulo q. Not all probability distributions D are suitable, but several suffice to build a secure system. We can again define a (regular) lattice of the error-free right-hand sides:

$$\Lambda^*(A) = \{x \in \mathbb{Z}^n \mid x^T \equiv s^T A \pmod q \text{ for some } s \in \mathbb{Z}^n\}.$$

LWE is then the Closest Vector Problem in this lattice: b is close to a vector of Λ*(A), namely sᵀA, and one has to find that vector. So the hardness of LWE is similar to the hardness of CVP. We will see next how to build a secure signature scheme on SIS.
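As an added illustration in Python (not code from the thesis), the following constructs a small LWE instance over Zq with a ternary error, shows that knowing e reduces the problem to Gaussian elimination modulo q, and that the same elimination applied to b with the error left in returns a vector different from s. It also checks the CVP view: b differs from the lattice point sᵀA of Λ*(A) by exactly e. The parameters n = 6, q = 97 and the error distribution are chosen for the example only and are far from cryptographic sizes.

```python
import random


def solve_mod_q(A, b, q):
    """Solve s^T A = b^T over Z_q (q prime) by Gauss-Jordan elimination on A^T s = b.
    Returns the unique solution, or None when A is singular modulo q."""
    n = len(A)
    M = [[A[j][i] % q for j in range(n)] + [b[i] % q] for i in range(n)]   # augmented [A^T | b]
    for i in range(n):
        p = next((r for r in range(i, n) if M[r][i] != 0), None)
        if p is None:
            return None
        M[i], M[p] = M[p], M[i]
        inv = pow(M[i][i], -1, q)                   # modular inverse (Python 3.8+)
        M[i] = [x * inv % q for x in M[i]]
        for r in range(n):
            if r != i and M[r][i] != 0:
                f = M[r][i]
                M[r] = [(a - f * c) % q for a, c in zip(M[r], M[i])]
    return [row[n] for row in M]


def lattice_point(A, s, q):
    """The error-free right-hand side s^T A mod q: a point of Lambda*(A)."""
    n = len(A)
    return [sum(s[i] * A[i][j] for i in range(n)) % q for j in range(n)]


def lwe_instance(n, q, seed):
    """Constructed sample: invertible A, uniform secret s, ternary error e (not all zero),
    and b^T = s^T A + e^T mod q."""
    rng = random.Random(seed)
    while True:
        A = [[rng.randrange(q) for _ in range(n)] for _ in range(n)]
        if solve_mod_q(A, [0] * n, q) is not None:    # reject singular A to keep the example clean
            break
    s = [rng.randrange(q) for _ in range(n)]
    e = [rng.choice((-1, 0, 1)) for _ in range(n)]
    if not any(e):
        e[0] = 1
    b = [(p + ej) % q for p, ej in zip(lattice_point(A, s, q), e)]
    return A, s, e, b


def recover_with_known_error(A, b, e, q):
    """With e known, LWE collapses to a linear system: (b - e)^T = s^T A."""
    return solve_mod_q(A, [(bj - ej) % q for bj, ej in zip(b, e)], q)


if __name__ == "__main__":
    A, s, e, b = lwe_instance(6, 97, 3)
    print("secret          ", s)
    print("with e known    ", recover_with_known_error(A, b, e, 97))
    print("ignoring e      ", solve_mod_q(A, b, 97))
```

Ignoring the error does not give "approximately s": the elimination returns s + eA⁻¹, and multiplying the small vector e by the inverse of a random matrix spreads it over all of Zqⁿ.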

6.2 BLISS: Bimodal Lattice Signature Scheme

There exist many signature schemes based on the hardness of SIS and LWE, but one that is particularly optimized for practical use is the Bimodal Lattice Signature Scheme (BLISS) [8]. Depending on the parameters, the scheme is based on the hardness of SIS or of LWE. The algorithms of BLISS given below are simplified, but are sufficient to understand the basic building blocks of the scheme; the real scheme given in [8] is a bit more complex. Later in this chapter we explain in more detail how lattice-based cryptosystems are implemented via NTRU lattices.

Algorithm 17 BLISS Key Generation

Input: Modulus q, lattice dimension n.
Output: Key-pair (S, P).
1: Divide the dimension n = ℓ' + n' into two parts, with ℓ' > n'.
2: Sample a random, sparse matrix $S' \in \mathbb{Z}_{2q}^{\ell' \times n'}$ with coefficients $S'_{ij} \in \{0, 1, -1\}$.
3: Set $S = \begin{pmatrix} S' \\ I_{n'} \end{pmatrix} \in \mathbb{Z}_{2q}^{n \times n'}$, i.e. S' stacked on top of the identity matrix.
4: Sample a random matrix $A' \in \mathbb{Z}_q^{n' \times \ell'}$.
5: Set $A = (2A' \mid qI_{n'} - 2A'S') \in \mathbb{Z}_{2q}^{n' \times n}$.
6: Output (S, P) = (S, A).

Here, In' is the n' × n' identity matrix. By construction, the secret S is a (matrix) solution of the inhomogeneous version of SIS:

$$AS = 2A'S' + (qI_{n'} - 2A'S') \equiv qI_{n'} \pmod{2q}$$

and thus

$$AS \equiv O \pmod q,$$

where O is the all-zero matrix. We will see shortly why we need the first equation to hold modulo 2q. To sign a message m, we need a different hash function than usual. We will not go into details on how to construct it, but there are several methods to construct a hash function whose output is a vector with certain constraints. BLISS uses a hash function H which outputs a vector $c \in \mathbb{Z}^{n'}$ with $c_i \in \{0, 1\}$ and $\|c\|_1 = \kappa$, where κ ≪ n denotes the sparsity of c. In other words: c consists of precisely κ coefficients equal to 1, and the remaining coefficients are 0. As we will see shortly, every signature has a part which is a sum of κ columns of the secret key S. We hide this secret part with a noise vector y, and it is important that this noise vector is sampled according to a discrete Gaussian distribution Dσ [12]: with this choice the average-case hardness of the scheme is as hard as the worst case. Sampling a discrete Gaussian in practice is not straightforward, and we zoom in on this distribution and how to sample from it in the next chapters. Like a regular Gaussian distribution it has a standard deviation σ and a mean µ, but we only use centered Gaussians with µ = 0. We denote the centered discrete Gaussian distribution with standard deviation σ by Dσ. Signing a message goes as follows:

Algorithm 18 BLISS Signing

Input: Secret key S, public key A and message m.
Output: A valid signature µ for m.
1: Sample $y \in D_\sigma^n$ (discrete Gaussian).
2: Compute $c = H(Ay \bmod 2q \,\|\, m)$, with $c \in \{0, 1\}^{n'}$ and $\|c\|_1 = \kappa$.
3: Choose a random bit b ∈ {0, 1}.
4: Set $z = y + (-1)^b Sc$.
5: Go to step 1 with probability $1 - \rho^*(z, c)$.
6: Output µ = (z, c).

Note that in step 5 we restart the whole signature creation process with probability 1 − ρ*, depending on z and c. The reason is that, for fixed c and b, z is distributed according to Dσ,(−1)^b Sc: a discrete Gaussian centered around ±Sc. Without the restart, after a couple of signatures we would have a lot of information about Sc, since all signature values z are centered around that value, and the scheme would have the same weakness as GGH. The probability 1 − ρ* is chosen such that, in the long run, z is distributed according to Dσ regardless of S. In other words: by occasionally rejecting a signature, we make sure that we do not leak any secret information.

To be precise:

$$\rho^* = \frac{1}{M \exp\!\left(-\dfrac{\|Sc\|^2}{2\sigma^2}\right) \cosh\!\left(\dfrac{\langle z, Sc\rangle}{\sigma^2}\right)},$$

where M > 1 is chosen such that ρ* ≤ 1 for any z and c.

Bit b is sampled such that we either add or subtract the secret part Sc from y. The authors of BLISS introduced this bit so that the bimodal distribution of z (two Gaussians centered at +Sc and −Sc) is closer to the target distribution Dσ than a single shifted Gaussian would be. This allows a smaller M, and hence a larger ρ*, than without the bit b. So this optimizes the speed, since we reject fewer signatures on average.

The verification algorithm is as follows:

Algorithm 19 BLISS Verification

Input: Public key A, signature µ = (z, c) for m, bound β₂.
Output: Accept or Reject
1: Reject if $\|z\|_2 > \beta_2$ or $\|z\|_\infty > q/4$.
2: Accept if $c = H(Az + qc \bmod 2q \,\|\, m)$, otherwise reject.

The two conditions in step 1 make sure that the vector z is small; the bound β₂ is chosen such that a z sampled from the centered discrete Gaussian Dσ passes it with overwhelming probability. A valid signature is accepted since

$$Az + qc = A(y + (-1)^b Sc) + qc = Ay + (-1)^b qc + qc \equiv Ay \pmod{2q},$$

because of the way A and S are constructed: ASc ≡ qc (mod 2q), and (−1)^b qc + qc is either 0 or 2qc, both of which vanish modulo 2q. This is why key generation needs AS ≡ qI (mod 2q) and not merely AS ≡ O (mod q).

In the signing algorithm, the discrete Gaussian sample $y \in D_\sigma^n$ is used to hide the secret relation Sc. This step is actually the main speed bottleneck of the algorithm: sampling a discrete Gaussian is quite hard. But as with LWE, this step is very important, since knowing y gives the relation

$$z - y = (-1)^b Sc,$$

where only the bit b and the secret key S are unknown. How to exploit this relation is shown in the last chapter of this thesis.
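The following Python program is an added toy implementation of Algorithms 17 to 19; it is neither the thesis's code nor the reference implementation of [8]. It uses the matrix form of the scheme with q = 12289, n' = 32, ℓ' = 64, σ = 40 and κ = 4, far below secure sizes. The hash H is built from SHA-256 by deriving κ distinct positions, the noise y comes from a simple rejection sampler, M is set from the worst-case bound ||Sc||² ≤ nκ² (every entry of S is in {−1, 0, 1}), and β₂ = 2σ√n; all of these are assumptions of the example. It checks the key-generation identity AS ≡ qI (mod 2q), performs the rejection step with ρ*, and relies on the verification identity Az + qc ≡ Ay (mod 2q).

```python
import hashlib
import math
import random

# Toy parameters (assumptions of this example; far too small to be secure)
Q = 12289                    # prime modulus; arithmetic is done mod q and mod 2q
N_PRIME = 32                 # n': rows of A, length of c
L_PRIME = 64                 # l': rows of the sparse secret part S'
N = L_PRIME + N_PRIME        # n = l' + n'
SIGMA = 40                   # standard deviation of the noise y
KAPPA = 4                    # number of ones in c
TAU = 6                      # tail-cut of the noise sampler
M_REJ = math.exp(N * KAPPA ** 2 / (2 * SIGMA ** 2))   # from ||Sc||^2 <= n*kappa^2
B2 = 2 * SIGMA * math.sqrt(N)                          # l2 bound used by the verifier


def matvec(A, x, mod):
    return [sum(a * b for a, b in zip(row, x)) % mod for row in A]


def matmul(A, B, mod):
    cols = list(zip(*B))
    return [[sum(a * b for a, b in zip(row, col)) % mod for col in cols] for row in A]


def sample_gauss(rng):
    """Centred discrete Gaussian D_sigma by rejection on [-tau*sigma, tau*sigma]."""
    bound = TAU * SIGMA
    while True:
        x = rng.randint(-bound, bound)
        if rng.random() < math.exp(-x * x / (2 * SIGMA ** 2)):
            return x


def hash_to_c(u, msg):
    """H(u || m): SHA-256 seeds a PRNG that picks kappa distinct positions (assumed construction)."""
    digest = hashlib.sha256(repr(u).encode() + b"|" + msg).digest()
    c = [0] * N_PRIME
    for i in random.Random(digest).sample(range(N_PRIME), KAPPA):
        c[i] = 1
    return c


def keygen(seed):
    """Algorithm 17: S = (S' ; I), A = (2A' | qI - 2A'S'), so that AS = qI mod 2q."""
    rng = random.Random(seed)
    s_prime = [[rng.choice((-1, 0, 1)) for _ in range(N_PRIME)] for _ in range(L_PRIME)]
    identity = [[int(i == j) for j in range(N_PRIME)] for i in range(N_PRIME)]
    S = s_prime + identity                               # n x n', entries in {-1, 0, 1}
    a_prime = [[rng.randrange(Q) for _ in range(L_PRIME)] for _ in range(N_PRIME)]
    a_s = matmul(a_prime, s_prime, 2 * Q)                # n' x n'
    A = [[2 * a % (2 * Q) for a in a_prime[i]]
         + [(Q * int(i == j) - 2 * a_s[i][j]) % (2 * Q) for j in range(N_PRIME)]
         for i in range(N_PRIME)]                         # n' x n
    return S, A


def sign(S, A, msg, seed):
    """Algorithm 18 including the rejection step: restart with probability 1 - rho*(z, c)."""
    rng = random.Random(seed)
    while True:
        y = [sample_gauss(rng) for _ in range(N)]
        c = hash_to_c(matvec(A, y, 2 * Q), msg)
        sc = [sum(S[i][j] * c[j] for j in range(N_PRIME)) for i in range(N)]
        b = rng.getrandbits(1)
        z = [yi + (-1) ** b * si for yi, si in zip(y, sc)]
        norm_sc = sum(v * v for v in sc)
        inner = sum(zi * si for zi, si in zip(z, sc))
        rho = 1.0 / (M_REJ * math.exp(-norm_sc / (2 * SIGMA ** 2)) * math.cosh(inner / SIGMA ** 2))
        if rng.random() < rho:           # accept; otherwise go back to step 1
            return z, c


def verify(A, msg, sig):
    """Algorithm 19: size checks on z, then c == H(Az + qc mod 2q || m)."""
    z, c = sig
    if math.sqrt(sum(v * v for v in z)) > B2 or max(abs(v) for v in z) > Q // 4:
        return False
    u = [(v + Q * ci) % (2 * Q) for v, ci in zip(matvec(A, z, 2 * Q), c)]
    return hash_to_c(u, msg) == c


def key_identity_holds(S, A):
    """AS == q*I (mod 2q): the relation that makes Az + qc == Ay (mod 2q) for honest z."""
    AS = matmul(A, S, 2 * Q)
    return all(AS[i][j] == (Q if i == j else 0) for i in range(N_PRIME) for j in range(N_PRIME))


if __name__ == "__main__":
    S, A = keygen(2016)
    sig = sign(S, A, b"pay 1 BTC to Alice", 1)
    print("AS = qI mod 2q:", key_identity_holds(S, A))
    print("valid:", verify(A, b"pay 1 BTC to Alice", sig), "tampered:", verify(A, b"pay 2 BTC to Alice", sig))
```

With these parameters the expected acceptance probability of step 5 is 1/M ≈ 0.62, so signing takes fewer than two attempts on average; the cost of each attempt is dominated by the n Gaussian samples, which is the bottleneck the text describes.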

6.3 Gaussian Sampling

In this section we will zoom in on how to actually sample a discrete Gaussian, since it is avery important step and it is slowing the algorithm down significantly.

6.3.1 The Discrete Gaussian Distribution

The discrete Gaussian distribution is easily visualized: it is the distribution on the integers whose probabilities are proportional to the values of the corresponding Gaussian density over the reals:

[Figure 11: plot of Dσ(x) for x from −40 to 40, with one curve each for σ = 10, σ = 20 and σ = 30; the vertical axis runs from 0 to 0.04.]

Figure 11: The (centered) discrete Gaussian distribution, with σ ∈ {10, 20, 30}.

The probability distribution of a discrete Gaussian distribution with mean µ and standard deviation σ is given by

$$D_{\mu,\sigma}(x) = \frac{p_{\mu,\sigma}(x)}{\sum_{y=-\infty}^{+\infty} p_{\mu,\sigma}(y)}$$

for x ∈ Z, where $p_{\mu,\sigma}(x) = \exp\!\left(-\dfrac{(x-\mu)^2}{2\sigma^2}\right)$ is the (unnormalized) density of the regular Gaussian. Note that the sum in the denominator is necessary to make sure that Dµ,σ is actually a probability distribution.


This distribution is defined over all integers Z, but in practice we do not need big numbers. This is why we use a so-called tail-cut: we pick a number τ and only sample Gaussian distributed integers between −τσ and +τσ. This suffices to hide the secret part: the probability mass in the tails is negligible compared to the security level. In practice τ is often chosen close to the square root of the security level; what this means is shown with the parameter suggestions. Furthermore, in lattice-based cryptography we always choose µ = 0, so we write D0,σ = Dσ. And since the Gaussian is symmetric around 0, we can sample from the non-negative part of the distribution and pick a random sign with probability 1/2. In this method the value 0 would be produced twice as often as it should (once for each sign), so we must halve the probability of sampling a zero.

6.3.2 Rejection Sampling

One of the earliest sampling methods for discrete Gaussians is based on rejection sampling. The basic rejection method is straightforward: it picks a uniformly random integer x in the tail-cut range and accepts it with probability proportional to Dσ(x).

Algorithm 20 Basic Rejection Sampling

Input: Standard deviation σ, tail-cut τ.
Output: Gaussian sample y ∈ Dσ
1: Sample an integer x ∈ {0, ..., τσ} uniformly at random.
2: Compute a random bit r1 which is 1 with probability $p_\sigma(x)/p_\sigma(0) = \exp(-x^2/(2\sigma^2))$, i.e. proportional to Dσ(x).
3: If r1 = 0, go to step 1.
4: If x = 0: compute a random bit r2 which is 1 with probability 1/2. If r2 = 0, go to step 1.
5: Compute a random bit b with probability 1/2.
6: Output (−1)^b x.

In the long run these integers are Gaussian distributed. There are modifications of this algorithm which speed it up, but in practice it is much easier to use a so-called cumulative distribution table, which is introduced next.

6.3.3 Cumulative Distribution Table

As the name says, this method uses a cumulative distribution table (CDT): a table of values of the cumulative distribution function F of the one-sided discrete Gaussian, which is used to invert F. Define, for 0 ≤ x ≤ τσ,

$$F(x) = \frac12 + \frac{D_\sigma(0)}{2} + \sum_{i=1}^{x} D_\sigma(i), \qquad F(-1) := \frac12 .$$

For any number u ∈ [1/2, 1) there is then a unique x ∈ {0, ..., τσ} such that

$$F(x-1) < u \le F(x).$$

By storing the values F(x) we can map a uniformly random u ∈ [1/2, 1) to a correctly distributed non-negative integer and pick a sign at the end.


Algorithm 21 CDT Sampling

Input: Standard deviation σ, tail-cut τ, cumulative distribution table F for the integers {0, ..., τσ}.
Output: Gaussian sample y ∈ Dσ.
1: Sample a uniformly random number u ∈ [1/2, 1).
2: Find x ∈ {0, ..., τσ} such that F(x − 1) < u ≤ F(x).
3: Compute a random bit b with probability 1/2.
4: Output (−1)^b x.

Here the entry F(0) only contains half of Dσ(0), so that there is no doubled probability of sampling a zero after the sign is applied. Note that for u very close to 1 the algorithm may not find a sample x because of the tail-cut; we assume the probability of this happening to be negligible. The search in step 2 is typically implemented as a binary search over the table, so the sequence of table entries accessed depends on the sampled value.

This method is the easiest and fastest way of sampling from the discrete Gaussian, but it needs a large table for storing all these values. It is the method most often used, since the large table is no issue for modern CPUs; it is only a problem for small devices, which can use rejection sampling instead.
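Both samplers, as an added Python example rather than code from the thesis, together with the table construction for Algorithm 21. The table stores F(x) with only half of Dσ(0), the normalizer is the tail-cut sum over −τσ, ..., τσ (an assumption of the example; the exact normalizer sums over all of Z), and the lookup is the binary search that implementations typically use. The helper at the end draws many samples so the two methods can be compared against the expected mean 0 and variance σ².

```python
import bisect
import math
import random


def rho(x, sigma):
    """Unnormalized Gaussian weight p_sigma(x) = exp(-x^2 / (2 sigma^2))."""
    return math.exp(-x * x / (2.0 * sigma * sigma))


def sample_rejection(sigma, tau, rng):
    """Algorithm 20: uniform x in {0..tau*sigma}, accept with probability p(x)/p(0), halve the zero."""
    bound = int(tau * sigma)
    while True:
        x = rng.randint(0, bound)
        if rng.random() >= rho(x, sigma):          # r1 = 0: reject
            continue
        if x == 0 and rng.random() < 0.5:           # r2 = 0: reject half of the zeros
            continue
        return -x if rng.random() < 0.5 else x      # random sign bit b


def build_cdt(sigma, tau):
    """Table F[x] = 1/2 + D(0)/2 + sum_{1<=i<=x} D(i) for x in 0..tau*sigma; the last entry is ~1."""
    bound = int(tau * sigma)
    weights = [rho(x, sigma) for x in range(bound + 1)]
    norm = weights[0] + 2.0 * sum(weights[1:])      # sum over -bound..bound (tail-cut normalizer)
    table, acc = [], 0.5
    for x, w in enumerate(weights):
        acc += (w / 2.0 if x == 0 else w) / norm    # half of D(0): a sign is applied afterwards
        table.append(acc)
    return table


def cdt_lookup(table, u):
    """Smallest x with F(x-1) < u <= F(x) by binary search; None if u lies beyond the tail-cut."""
    x = bisect.bisect_left(table, u)
    return x if x < len(table) else None


def sample_cdt(table, rng):
    """Algorithm 21: u in [1/2, 1), invert F, then a random sign."""
    x = cdt_lookup(table, 0.5 + rng.random() / 2.0)
    if x is None:                                    # negligible tail event: resample
        return sample_cdt(table, rng)
    return -x if rng.random() < 0.5 else x


def draw_rejection(sigma, tau, count, seed):
    rng = random.Random(seed)
    return [sample_rejection(sigma, tau, rng) for _ in range(count)]


def draw_cdt(table, count, seed):
    rng = random.Random(seed)
    return [sample_cdt(table, rng) for _ in range(count)]


def mean_var(samples):
    n = len(samples)
    mean = sum(samples) / n
    return mean, sum((s - mean) ** 2 for s in samples) / n


if __name__ == "__main__":
    table = build_cdt(2.0, 5)
    print("CDT      mean/var:", mean_var(draw_cdt(table, 20000, 11)))
    print("rejection mean/var:", mean_var(draw_rejection(2.0, 5, 20000, 11)))
```

For σ = 2 and τ = 5 the table has 11 entries and both samplers give a mean near 0 and a variance near 4. The rejection sampler accepts only about σ√(2π)/(τσ) of its candidates, which is why the table method is preferred on machines that can afford the memory.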

6.4 Lattice Implementations Via NTRU Lattices

A major bottleneck of quantum-secure systems, such as code-based and hash-based signatures, but also general lattice-based signature schemes, is the huge key size. Luckily, in the case of lattices we can apply a trick which, from what is known so far, does not affect security. By choosing so-called cyclic lattices, we can reduce the key sizes of lattice-based cryptosystems by a significant amount. Instead of storing a whole set of vectors as a basis, we store only one vector and rotate it enough times to form a basis. An easy example is the identity matrix, whose columns are all rotations of the first unit vector.

Using cyclic lattices means we can represent both the public and the private key by a single vector each. But if we want to do operations, we would have to expand this single vector into the whole basis every time we use it. However, these cyclic bases can be represented by a polynomial in a specific ring. One can show a correspondence between operations on (anti-)cyclic lattices over $\mathbb{Z}_q^n$ and operations in the ring $R = \mathbb{Z}_q[x]/(x^n + 1)$. Let $f, g \in R$ be two polynomials with coefficients $f_i, g_i$, $0 \le i \le n - 1$. Then the product h = f · g has coefficients

$$h_k = \sum_{i + j \equiv k \pmod n} f_i g_j \cdot (-1)^{\lfloor (i+j)/n \rfloor} \bmod q.$$

The sign factor comes from the reduction modulo $x^n + 1$, which means $x^n \equiv -1$. The multiplication can be written as a matrix-vector multiplication over $\mathbb{Z}_q$: rotate f to form the matrix F whose j-th column is the coefficient vector of $x^j \cdot f \bmod (x^n + 1)$, i.e.

$$F_{ij} = \begin{cases} f_{i-j} & \text{if } i \ge j, \\ -f_{n+i-j} & \text{if } i < j. \end{cases}$$

Let g be the vector with entries $g_i$. Then f · g over R equals Fg over $\mathbb{Z}_q$. Each column of F is the previous column shifted down by one position, with the entry that falls off the bottom wrapping around to the top with its sign flipped, which is why a single vector determines the whole basis.

So instead of expanding the basis, we model the single vector as a polynomial in R and perform operations in this ring. This greatly improves practicality, and it is therefore used and already standardized. The term NTRU lattice is used whenever we talk about these polynomials that represent cyclic lattices. So in real-life implementations this polynomial ring is the system being used, but the underlying security still relies on lattices.
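An added Python check (not code from the thesis) that the coefficient formula for h = f · g in Zq[x]/(xⁿ + 1) agrees with the rotation matrix F, that the product is commutative as it must be in a ring, and that every column of F is a signed rotation of the previous one, so that one vector reproduces the whole matrix. The values n = 8 and q = 17 and the two polynomials are constructed for the example.

```python
def negacyclic_mul(f, g, q):
    """h = f * g in Z_q[x]/(x^n + 1): f_i g_j lands on x^(i+j); when i + j >= n the term is
    reduced to -x^(i+j-n) because x^n = -1."""
    n = len(f)
    h = [0] * n
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            k = i + j
            if k < n:
                h[k] = (h[k] + fi * gj) % q
            else:
                h[k - n] = (h[k - n] - fi * gj) % q
    return h


def rotation_matrix(f, q):
    """F with column j = coefficient vector of x^j * f mod (x^n + 1):
    F[i][j] = f[i-j] for i >= j and -f[n+i-j] for i < j (wrapped entries change sign)."""
    n = len(f)
    return [[f[i - j] % q if i >= j else (-f[n + i - j]) % q for j in range(n)] for i in range(n)]


def matvec(F, g, q):
    return [sum(a * b for a, b in zip(row, g)) % q for row in F]


def column_from_previous(col, q):
    """Shift a column down by one and wrap the last entry to the top with its sign flipped."""
    return [(-col[-1]) % q] + col[:-1]


def matrix_from_one_vector(f, q):
    """Rebuild F from f alone by repeated signed rotation: the key-size saving in action."""
    n = len(f)
    cols = [[x % q for x in f]]
    for _ in range(n - 1):
        cols.append(column_from_previous(cols[-1], q))
    return [[cols[j][i] for j in range(n)] for i in range(n)]   # columns -> rows


if __name__ == "__main__":
    f = [3, 1, 4, 1, 5, 9, 2, 6]          # constructed coefficients, degree < 8
    g = [2, 7, 1, 8, 2, 8, 1, 8]
    print("f*g      ", negacyclic_mul(f, g, 17))
    print("F g      ", matvec(rotation_matrix(f, 17), g, 17))
```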


6.5 Parameter Suggestions For BLISS

In the paper on BLISS [8], the authors also give parameter suggestions. One of the tasks of a cryptographer is quantifying the security of a cryptographic system: how strong is the algorithm? Often a security level λ is used, expressed in bits: it means that it takes at least 2^λ operations to break the system, based on the best known attack on that algorithm. Lattice-based cryptography is a fairly new area, which means the security levels tend to decrease with every new cryptanalytic algorithm. Table 1 shows the numbers from [8], but it is possible that these numbers should be different now. The authors of BLISS introduce five parameter sets, each for a different application. The parameters we focus on are: security level λ, dimension n, modulus q, Gaussian standard deviation σ and sparsity κ. We also give the signature size in kilobits and the signing speed in milliseconds for the optimized signature algorithm.

Parameter set   Optimized for   Size (kb)   Speed (ms)   λ      n     q       σ     κ
BLISS-0 (Toy)   Fun             3.3         0.241        ≤ 60   256   7681    100   12
BLISS-I         Speed           5.6         0.124        128    512   12289   215   23
BLISS-II        Size            5           0.480        128    512   12289   107   23
BLISS-III       Security        6           0.203        160    512   12289   250   30
BLISS-IV        Security        6.5         0.375        192    512   12289   271   39

Table 1: Parameter suggestions for BLISS from [8]. The resulting signature size is given in kilobits and the signing speed in milliseconds. There are more parameters to consider for implementations; details are in [8].

We end with a comparison of the signature sizes and signing speeds with the currently widely used signature schemes RSA and elliptic curves at security level λ = 128 bits. RSA signatures at this level are at least 4 kb, which is about the same as BLISS, but signing takes about 8.6 milliseconds, far slower than BLISS. Elliptic-curve signatures are very small, about 0.5 kb, and their signing speed is about the same as BLISS: 0.106 milliseconds. This means that BLISS signatures come close to the practical signatures we already use today, although elliptic-curve signature sizes are out of reach. In the next two chapters, we start exploring the possibilities of side-channel attacks against this scheme.


7 Side-Channel Attacks

7.1 Introduction

To break public-key cryptography, it is not always necessary to break the underlying hard mathematical problem (mathematical cryptanalysis). So-called side-channel attacks (SCA) use information leaked by the actual implementation of a cryptosystem, such as a digital signature scheme. Physical features of the implementation, such as power consumption, (cache) memory usage and timing, can be abused to retrieve secret information, which may allow recovery of the secret key. Side-channel attacks have been shown to be very effective in breaking real-world security, for example against the widely used internet protocol SSL/TLS [5]. These attacks must always be considered when implementing cryptography.

7.2 Timing Attacks

One of the first examples, by Kocher [14], uses timing information of the modular exponentiation in the RSA signature scheme:

$$m^d \bmod N,$$

where only d is unknown. In practice this is a time-consuming operation and is therefore implemented using a square-and-multiply exponentiation method:

Algorithm 22 Square-and-Multiply Algorithm

Input: Base a, exponent x, (big) modulus N
Output: y = a^x mod N
1: Write $x = \sum_{i=0}^{w-1} x_i 2^i$, with $x_i$ the bits of x.
2: Set y = 1.
3: For k = w − 1 down to 0:
4:     Set y = y² mod N.
5:     If $x_k = 1$:
6:         Set y = y · a mod N.
7: Return y.

In the case of RSA, the multiplication in step 6 is executed only when the bit $x_k = d_k$ of the secret exponent $d = \sum_{i=0}^{w-1} d_i 2^i$ equals 1, and it costs time on top of the squaring in step 4 that is performed for every bit. By gathering enough messages m and signature timings, one is able to retrieve the bit $d_k$ from this timing information. Doing this bit by bit, one can retrieve the secret key d. We will not go into details of how to actually do this, but it is important to note that timing information of such a small part of the algorithm can mean a significant security breach. In [5] the authors showed that it is indeed possible to mount such an attack.
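The added Python example below (not from [14] or from the thesis) instruments Algorithm 22 to make the leak visible: it returns the result together with the number of multiplications and the sequence of squarings and multiplications, which follows the bits of the exponent. A square-and-multiply-always variant, in which a multiplication is performed for every bit and its result discarded when the bit is 0, is included as the obvious countermeasure; it equalizes the operation count, but as written in Python it is only a sketch, since the language gives no constant-time guarantees and the selection still branches.

```python
def square_and_multiply(a, x, N):
    """Algorithm 22 (left-to-right). Returns (a^x mod N, multiplications, operation trace).
    Both the count and the trace depend on the bits of x: this is what timing exposes."""
    y, mults, trace = 1, 0, []
    for bit in bin(x)[2:]:            # most significant bit first
        y = y * y % N                 # squaring, done for every bit
        if bit == "1":
            y = y * a % N             # extra multiplication only when the bit is 1
            mults += 1
            trace.append("SM")
        else:
            trace.append("S")
    return y, mults, trace


def square_and_multiply_always(a, x, N):
    """Countermeasure sketch: multiply on every bit and keep the product only when the bit
    is 1, so the multiplication count equals the bit length of x, not its Hamming weight."""
    y, mults = 1, 0
    for bit in bin(x)[2:]:
        y = y * y % N
        t = y * a % N
        mults += 1
        y = t if bit == "1" else y    # a real implementation needs a branchless select here
    return y, mults


def hamming_weight(x):
    return bin(x).count("1")


if __name__ == "__main__":
    for d in (13, 0b1000000, 0b1111111):          # constructed "secret" exponents
        y, mults, trace = square_and_multiply(4, d, 497)
        print(f"d={d:08b}: {mults} multiplications, trace {' '.join(trace)}")
        print(f"           always-variant: {square_and_multiply_always(4, d, 497)[1]} multiplications")
```

Two exponents of the same length but different Hamming weight (1000000 and 1111111 in binary) take one and seven multiplications respectively in the plain version, and seven each in the always-multiply version. The trace for d = 13 = 1101 in binary reads SM SM S SM: the secret bits can be read off directly.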

7.3 Cache-Attacks

A second, broad type of side-channel attack is based on cache memory mechanisms. Although this requires access to CPU resources, such attacks can also be mounted remotely: in [20] the authors show that it is possible to mount them from regular browsers using JavaScript. A cache memory is a small piece of fast memory that bridges the gap between processor speed (fast) and working memory (RAM) speed (slow). The cache is shared between all threads: they all compete for the same resources. It aims at keeping the CPU as busy as possible by minimizing load/store latency. Most CPUs have two or three levels of cache memory, called L1, L2 and L3. These caches are typically inclusive: data in L1 is also contained in L2, which is contained in L3, and all data is contained in main memory. The sizes of these caches differ per CPU, but they are much smaller than main memory (in the order of a few MB for the last level). A cache is divided into multiple small cache lines, typically of 64 bytes, so memory is also divided into blocks of 64 bytes. A block in main memory is assigned to a certain cache set (a group of cache lines) by its address and is associated with a cache line via a mapping. The type of mapping depends on the CPU being used, and there are two extreme scenarios: direct mapping and the fully associative cache. Direct mapping means a memory block has exactly one cache line in which it can be stored. This makes the look-up quick, but different parts of memory compete for the same cache line while other lines are empty. In a fully associative cache a memory block can be stored anywhere in the cache. This makes the look-up slower, but it reduces the number of collisions. Figure 12 summarizes the story so far:

[Figure 12: an L1 cache divided into cache lines, with Thread 1, Thread 2 and Thread 3 all holding data in it.]

Figure 12: Cache memory is fast memory close to the CPU and is shared among threads. In this example, three threads currently have data in the cache and are competing for the same memory. Cache memory is divided into cache lines, so data in main memory is also divided into blocks of the size of these cache lines.

Now when data is requested, it is first determined to which cache set it belongs. Then, depending on the mapping, it is checked whether the data is inside one of the cache lines it is associated with. This is done for every level of cache memory until the data is found, where each higher level costs more latency. If the data is in none of the caches and has to be retrieved from main memory, the latency is significantly larger; this is called a cache miss. There are three types of cache misses:


• Cold start misses: they occur when data is first requested.

• Capacity misses: they occur when the size of data exceeds the size of the cache.

• Conflict misses: they occur when data from an earlier access has meanwhile been evicted from the cache.

In this thesis, we will not consider capacity misses since the contents of the tables will not exceed the cache-size. However, there are several attacks based on cold start and conflict misses. The reason why we can take advantage of cache-misses is because the cache memory is shared among all applications, processes and threads. Even if every process is executed in a sandbox-mode (no unwanted data-sharing) and therefore protected from malicious processes, cache-memory can be manipulated to retrieve secret information. There are several types of attacks:

• Evict+Time. The attacker measures the time it takes to execute a piece of victim code. The attacker then flushes the cache with its own memory, and then times the victim code again. The difference in timing reveals something about whether the victim uses that part of the cache.

• Prime + Probe. The attacker fills the cache with its own memory and waits for the victim to execute his code. After this, the attacker measures the time it takes to access the memory that he placed in cache before. If a data access is slow, the victim needed that part of the cache and that reveals something about what the victim did.

• Flush + Reload. This attack uses the fact that processes often share memory. The attacker first flushes a shared memory address and then waits for the victim to execute his code and measures the time it takes to access the memory. The time will tell the attacker if the victim placed the address in question in the cache by accessing it.

Note the subtle, but important difference between Evict+Time and the other attacks. With Evict+Time, the attacker measures time based on execution of the victim code, but with the other attacks it measures time for his own memory accesses. This means Evict+Time has more noise in its timings.

There are different ways of flushing the cache, but the general concept is by using eviction set(s). An eviction set is a set of locations in the memory which, when accessed, occupies a single cache-line mapping to the same cache-set, which is shared with the victim's code. By accessing all locations in the eviction set, all victim data is removed (flushed) from the cache and the attacks can begin.


[Figure 13 image: (a) Prime: L1 Cache holding Attacker Data and Victim Data; (b) Probe: L1 Cache holding Attacker Data and Victim Data, with Learning Algorithms applied to the Victim Table]

Figure 13: Visualization of Prime + Probe cache attack. The attacker fills the cache with his data (step (a)) and waits for the victim to perform cryptographic operations. When the attacker notices that the victim is putting data in cache (step (b)), his data will be removed and will cause delays in his memory accesses. By carefully learning the access patterns from the victim, since there is a mapping from main memory to cache-lines, the attacker is able to learn which data from the victim table has been used.

Note that the most one can learn from these attacks is therefore if a certain cache-line is used by the victim process. If multiple, different variables are mapped to the same cache-line, we are unable to see the difference. This is why in general one does not learn the exact data the victim accessed, but a range of possibilities. However, it has been shown that this is enough to retrieve a secret RSA key (as visualised in figure 14) or AES' symmetric key. By carefully monitoring the cache (Prime + Probe) and looking for activities from the victim, Percival [21] was able to track the activities of the Square-and-Multiply, together with the Chinese Remainder Theorem, of algorithm 7.2, used in RSA in an old OpenSSL version:


Figure 14: A visualization of a cache attack by monitoring the cache, using Prime + Probe. The shading of each block indicates the number of CPU cycles needed to access all the cache-lines in a cache-set, where darker blocks means more cycles (Picture from [21]).


7.4 Countermeasures

In the process of developing cryptographic systems, one always has to take these side-channel attacks into account. An obvious prevention of timing attacks are constant-time implementations, but they have in general a few downsides. To make an implementation constant time, everything has to work at the worst-case speed, which can greatly reduce practicality. It has been shown by Bernstein [3] that even an implementation using table look-ups has time dependencies. Another countermeasure against timing attacks is using so-called masking: randomizing of secret operations. A nice masking example is that of RSA. Instead of the signing operation m^d mod N, one takes a random integer r and computes (rm)^d = r^d m^d mod N. The signature is then computed by division by r^d. Any timing information gained from signing is randomized by r and therefore useless. However, this increases the complexity of the implementation. An attacker could also ask for a signature of a message twice, which might still reveal the necessary information.

Countermeasures for cache-attacks are not straightforward. A simple technique might be to pre-load all possibly necessary tables before a cryptographic operation. Besides the practicality issue, since tables are loaded before each operation, increasing the operation time, this might not even work. Modern CPUs often allow multi-threading: the sharing of CPU resources between threads. In this case, the cache is even shared between operations. This means that after loading the whole table or parts of it, an attacker with a malicious thread can still remove the whole table from cache before secret cryptographic operations are done. The cache-attack will still be possible in that case. The best way is to deal with these attacks by design.

After this brief introduction to side-channel attacks, we move on to the final chapter, in which we examine possibilities of side-channel attacks on BLISS.


8 Cache-Attacks on BLISS

The main result of this Master's thesis is a practical side-channel attack against BLISS. The bottleneck of this signature scheme is calculating discrete-Gaussian-distributed values for a noise vector. We will revisit the two algorithms considered most practical and used by BLISS, one using a big table and one using a very small table. While the first method is the fastest and most practical way of sampling, the second method is more suitable for small devices. For both of these Gaussian sampling methods, there is a weakness we can exploit using a cache-attack.

8.1 Intuition behind the Cache-Attacks

The setting of the attacks given next is the following. We use a simplified version of BLISS: the victim has two keys, A, S ∈ Z_{2q}^{n×n}, such that AS ≡ qI_n mod 2q, and public key A and secret key S represent full rank lattices. We assume an attacker has access to the cache of a victim, and can mount cache-attacks (Prime + Probe). The victim is signing multiple messages/transactions and the attacker is collecting these signatures, together with cache information from signing. Using this additional information, the attacker wants to extract the secret key of the victim. The cache-attacks will target the noise-vector y ∈ D_σ^n required in the BLISS signature scheme. The signature µ = (z, c) hides a system of n equations over Z:

$$
\underbrace{\begin{pmatrix} z_1 \\ z_2 \\ \vdots \\ z_n \end{pmatrix}}_{\text{Signature}}
=
\underbrace{\begin{pmatrix} y_1 \\ y_2 \\ \vdots \\ y_n \end{pmatrix}}_{\text{Noise}}
+
\underbrace{(-1)^b}_{\text{Sign}}
\underbrace{\begin{pmatrix} \text{---}\ s_1\ \text{---} \\ \text{---}\ s_2\ \text{---} \\ \vdots \\ \text{---}\ s_n\ \text{---} \end{pmatrix}}_{\text{Secret Lattice}}
\cdot
\underbrace{\begin{pmatrix} c_1 \\ c_2 \\ \vdots \\ c_n \end{pmatrix}}_{\text{Signature}}
$$

Here, y ∈ D_σ^n, b ∈ {0, 1} and S ∈ Z_q^{n×n} are unknowns. But since we will target an implementation of the scheme, the secret lattice S = {s_i} is an NTRU lattice, meaning it is a cyclic rotation of one vector s. The part S · c can be modeled as a polynomial multiplication. However, instead of rotating s into lattice S, we can also rotate signature vector c into lattice C with the relation:

Sc = Cs

This means the hidden relation of the signatures becomes:

$$
\underbrace{\begin{pmatrix} z_1 \\ z_2 \\ \vdots \\ z_n \end{pmatrix}}_{\text{Signature}}
=
\underbrace{\begin{pmatrix} y_1 \\ y_2 \\ \vdots \\ y_n \end{pmatrix}}_{\text{Noise}}
+
\underbrace{(-1)^b}_{\text{Sign}}
\underbrace{\begin{pmatrix} \text{---}\ c_1\ \text{---} \\ \text{---}\ c_2\ \text{---} \\ \vdots \\ \text{---}\ c_n\ \text{---} \end{pmatrix}}_{\text{Signature Lattice}}
\cdot
\underbrace{\begin{pmatrix} s_1 \\ s_2 \\ \vdots \\ s_n \end{pmatrix}}_{\text{Secret}}
$$

Here, c_i are rotations of c. We can write this equation as z = y + (−1)^b Cs. Now suppose we can determine any noise vector y ∈ D_σ^n from cache information. If we collect one signature, then only b and s are unknown in the equation above and we can write it as:

$$(-1)^b (z - y) = Cs$$


We can use a linear solver twice (once for each value of b) and extract secret vector s easily. We can verify correctness of s with the public key. So this is quite easy, but being able to determine any noise vector from cache information seems a bit too optimistic.

So let us be more restrictive: suppose we can determine, from cache information, if a coordinate y_i of y is in some small set G, where we know G in advance. We do not make any errors with this determination whether y_i is in set G, and if y_i is indeed in this set G, we can determine the value. Since G is sparse, we probably need more than one signature, because for some coordinates in y we cannot determine its value. In total, we need to acquire (at least) n linear relations, where n is the dimension of s. Suppose we need N signatures before n coordinates y_i are known to be in set G. We get signatures µ_j = (z_j, c_j) with z_j = y_j + (−1)^{b_j} C_j s for 1 ≤ j ≤ N. Here, C_j has rows c_{ji}, where c_{ji} are rotations of signature vector c_j, and z_{ji}, y_{ji} are coordinates of z_j, y_j for 1 ≤ i ≤ n. We can use the above vector equations and zoom in on coordinate-wise equations, and get:

$$z_{ji} = y_{ji} + (-1)^{b_j} \langle c_{ji}, s \rangle$$

So suppose, from cache-information, we know that coordinate y_{ji} is in set G and determined its value. We can again write the equation as:

$$(-1)^{b_j} (z_{ji} - y_{ji}) = \langle c_{ji}, s \rangle$$

In this equation, bit b_j and secret vector s are unknown, so we would like to save this rotated vector c_{ji} and z_{ji} − y_{ji} for our linear solver. So let us call ζ_k = c_{ji} with z_k − y_k = z_{ji} − y_{ji} as corresponding value. We can acquire n of these equations using multiple signatures and form the following system:

$$
\begin{pmatrix} (-1)^{b_1}(z_1 - y_1) \\ (-1)^{b_2}(z_2 - y_2) \\ \vdots \\ (-1)^{b_n}(z_n - y_n) \end{pmatrix}
=
\begin{pmatrix} \text{---}\ \zeta_1\ \text{---} \\ \text{---}\ \zeta_2\ \text{---} \\ \vdots \\ \text{---}\ \zeta_n\ \text{---} \end{pmatrix}
\cdot
\begin{pmatrix} s_1 \\ s_2 \\ \vdots \\ s_n \end{pmatrix}
$$

Unfortunately, all n bits b_k are unknown. This would mean we cannot use a linear solver, or we have to try a linear solver 2^N times, where N is the number of signatures. For large N, this is useless. But we can apply a restriction to the equation we got earlier:

$$z_{ji} = y_{ji} + (-1)^{b_j} \langle c_{ji}, s \rangle$$

We can require that z_{ji} must be equal to y_{ji}, by verifying with the signature vector z_j, before we use c_{ji} as one of the n vectors ζ_k in the system we want to solve in the last step. By doing this, we would eliminate bit b_j:

$$(-1)^{b_j} (z_{ji} - y_{ji}) = 0 = \langle c_{ji}, s \rangle$$

If we collect n of the vectors ζ_k = c_{ji} satisfying the above equation, we end up with the system:

$$Ms = \mathbf{0}$$

where M is a matrix of (possibly rotated) vectors ζ_k = c_{ji}, extracted from multiple signatures, and 0 is the all-zero vector. We can simply compute the kernel of M and search for the secret key s in the kernel space.


As a final extension of this analysis, suppose we make an error with very low probability α ∈ (0, 1) in the determination whether coordinate y_{ji} is in set G. If we make an error, then it was not y_{ji} that was sampled but it was y_{ji} ± 1, so we make an error up to 1. We can then apply the same method as above, but Ms would not be the zero vector, but rather a small vector in the lattice spanned by the signature vectors ζ_k = c_{ji} of M. Intuitively, we can use LLL to search for small vectors in this lattice. We will show that this is indeed possible.

The above overview of the cache-attack is explained more thoroughly in the remaining part of this section.
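The following toy simulation, an added example rather than code from the thesis, plays out the derivation above: a small signer with a cyclic secret produces z = y + (−1)^b Cs, a stand-in oracle leaks y_i exactly when |y_i| lies in a known set G (the error-free case, α = 0), and the rows c_i with z_i = y_i are fed to a rational kernel computation that returns s or −s. The signer, the oracle, the dimension n = 12, the rounded-Gaussian noise and the challenge weight κ = 3 are constructed assumptions; the LLL step for α > 0 is not modeled.

```python
"""Toy version of the hidden linear system of section 8.1 (constructed example,
not code from the thesis). Every row c_i with z_i = y_i satisfies <c_i, s> = 0
whatever the sign bit b is, so s lies in the kernel of the matrix M built from
such rows; once that kernel is one-dimensional it is spanned by s or -s.
Dimension, noise and challenge weight are toy choices (BLISS uses n = 512)."""
from fractions import Fraction
from math import gcd
import random

def rotate(v, k):
    """k-th cyclic rotation of v, i.e. row c_k of the signature lattice C."""
    return v[-k:] + v[:-k]

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def sign_message(rng, s, sigma, kappa):
    """One toy signature (z, c); the noise y stays with the signer."""
    n = len(s)
    c = [0] * n
    for i in rng.sample(range(n), kappa):            # challenge with kappa ones
        c[i] = 1
    y = [round(rng.gauss(0, sigma)) for _ in range(n)]  # rounded Gaussian noise
    b = rng.randrange(2)
    z = [y[i] + (-1) ** b * dot(rotate(c, i), s) for i in range(n)]
    return z, c, y

def leaked_coordinates(y, G):
    """Stand-in for the cache information: y_i is learned exactly when |y_i| in G."""
    return {i: y[i] for i in range(len(y)) if abs(y[i]) in G}

def nullspace(rows, n):
    """Basis over Q of {x : M x = 0} for the matrix M with the given integer rows."""
    m = [[Fraction(v) for v in r] for r in rows]
    pivots, r = [], 0
    for col in range(n):
        piv = next((i for i in range(r, len(m)) if m[i][col] != 0), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        p = m[r][col]
        m[r] = [v / p for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][col] != 0:
                f = m[i][col]
                m[i] = [a - f * q for a, q in zip(m[i], m[r])]
        pivots.append(col)
        r += 1
        if r == len(m):
            break
    basis = []
    for free in (j for j in range(n) if j not in pivots):
        vec = [Fraction(0)] * n
        vec[free] = Fraction(1)
        for i, pc in enumerate(pivots):
            vec[pc] = -m[i][free]
        basis.append(vec)
    return basis

def primitive(vec):
    """Shortest integer vector on the line spanned by a rational vector."""
    den = 1
    for v in vec:
        den = den * v.denominator // gcd(den, v.denominator)
    ints = [int(v * den) for v in vec]
    g = 0
    for v in ints:
        g = gcd(g, v)
    return [v // g for v in ints]

def recover_secret(rng, s, sigma, kappa, G, max_signatures=500):
    """Collect rows c_i with z_i = y_i until the kernel of M is one-dimensional.
    s is passed only to drive the toy signer. Returns (candidate, signatures used)."""
    n = len(s)
    rows = []
    for used in range(1, max_signatures + 1):
        z, c, y = sign_message(rng, s, sigma, kappa)
        for i, yi in leaked_coordinates(y, G).items():
            if z[i] == yi:                  # then <c_i, s> = 0 regardless of b
                rows.append(rotate(c, i))
        if len(rows) >= n - 1:
            basis = nullspace(rows, n)
            if len(basis) == 1:             # kernel = span(s)
                return primitive(basis[0]), used
    return None, max_signatures

def demo(seed=2016):
    """Run the toy on a constructed secret; returns (secret, candidate, signatures used)."""
    rng = random.Random(seed)
    secret = [1, 0, -1, 0, 0, 1, 0, 0, -1, 0, 1, 0]   # constructed toy secret
    candidate, used = recover_secret(rng, secret, sigma=2.0, kappa=3, G={1, 2})
    return secret, candidate, used

if __name__ == "__main__":
    secret, candidate, used = demo()
    print(f"secret {secret}\nfound  {candidate} after {used} signatures")
```

The toy compares the candidate with the secret directly; in the scheme itself the check is against the public key (AP ≡ qI mod 2q), as section 8.3.4 describes.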

8.2 Cache-Attack Model

In the previous chapter, we introduced several building blocks of the cache and types of attacks. For a cache-attack on BLISS, we make the following assumptions about the CPU model:

• Cache-lines are 64 Bytes, whereas each entry of the tables used in BLISS is 8 bytes (data-type LONG). This means there are 8 entries in each cache-line.

• Subsequent table entries are in subsequent cache-lines. That is, the entry at position i of the table is in cache-line position ⌊i/8⌋.

• Memory is mapped via direct mapping: each cache-line is mapped to the same location in cache each time.

• We implemented a modeled version of the Prime + Probe cache-attack. This means in the actual experiments, we assume we are getting information about the position of cache-activity of the victim. Furthermore, we assume we are able to map this cache-activity to certain cache-lines of the specific tables used by the victim. In other words: for each table look-up at position i we get the cache-line position ⌊i/8⌋ that has been used by the victim.

These are some quite strong assumptions, but it is realistic that a cache-attack is able to get this information without many errors. It requires a more sophisticated implementation to actually measure cache-activity for the Prime + Probe part. Lastly, we assume we know the parameters of the system, which is a mild assumption. Some of the parameters are also required for verification.

8.3 Cache-Attack 1: CDT Sampling

8.3.1 Modified CDT Sampling with Acceleration Table

The first and easiest way to sample from a discrete Gaussian distribution is to construct a large table with all possible values for the inverse of the distribution and sample with random values between 1/2 and 1. This is also described in section 6.3.3. However, to actually acquire the correct integer on input of the random value, we need to search in the table. The most common way of doing this is to do a binary search, which will take O(log N) steps where N = τσ is the size of the table. Since the precision of these table entries needs to be quite large, it will also require a lot of bit comparisons per step in the binary search. Taking all into account, using such a method will still be rather slow. There is a faster CDT sampling method, relying on two speed-ups. First, instead of doing a binary search on the whole table each time, the method first selects an interval in the table and then performs a binary search only on that interval. This requires a second table containing intervals, which is called an Acceleration Table AT. The easiest way of implementing this is to have an acceleration table with 256 entries, where the intervals grow larger towards the end. This means you can simply sample a byte, and pick the correct table entry immediately. Using such a table will reduce the number of steps needed for the binary search. Note that the interval is sampled uniformly at random, but in the end we want a discrete Gaussian distributed value. So we need to take the uniformity of the interval into account. What this means in practice, is that some of the intervals are partially overlapping: AT[i] ∩ AT[j] ≠ ∅ for some i, j ∈ {0, ..., 255}. At the end, we want for each integer x:

$$\sum_{i=0}^{255} P[AT[i]] \cdot P[X = x \mid X \in AT[i]] = D_\sigma(x)$$

We call this equation the Probability Requirement. In other words: the total probability divided over the intervals for integer x, which is in the end the probability to sample x, should be equal to the probability according to a discrete Gaussian. So the search must be done in such a way that it satisfies the above requirement. We can model each step of the binary search tree within an interval AT[i] with a probability p_i to go to the left child and (1 − p_i) to go to the right child. Each step contributes to the probability P[X = x | X ∈ AT[i]] of sampling value x in AT[i]. All these probabilities added up should satisfy the Probability Requirement. We use this property later in our attack.

[Figure 15 image: intervals 1 to 11 laid over the table values; binary search tree inside interval 9 with root r_2, leaves x_1, x_2, x_3, x_4 and branch probabilities p_1, 1 − p_1, p_2, 1 − p_2, p_3, 1 − p_3]

Figure 15: The values of the large Cumulative Distribution Table are divided over intervals. First, an interval is selected uniformly at random. In this example, interval 9 is picked. Then, via a binary search the correct value is searched for. The probabilities p_i are such that the Probability Requirement is satisfied. The total probability to hit x_2 in interval 9 is in this case: P[X = x_2 | X ∈ AT[9]] = p_1 · (1 − p_2).

Second, instead of using the full precision to compare the random value to the table entry, the method does byte-per-byte comparisons and uses more random numbers when there is need for more precision. This is done via a binary search. Most of the table entries are separated enough to determine which value is to be sampled, given the first few bytes. This effect grows when only comparing inside the same interval. When it is clear which sample is to be retrieved, one can stop the search and output it. So we assume the table entries are sequences of some fixed number of bytes, where we can compare byte per byte until we reach the correct value.

So the fastest algorithm using a big Cumulative Distribution Table with Acceleration Table is roughly as follows:

Algorithm 23 CDT Sampling with Acceleration Table

Input: Cumulative Distribution Table CDT with standard deviation σ, tail-length τ. Acceleration table AT containing intervals. Each entry CDT[x] is a sequence of bytes and represents a floating point approximation of the inverses of the Cumulative Distribution Function values of D_σ.

Output: Discrete-Gaussian-distributed sample y ∈ D_σ

1: Pick a random byte r_1 ∈ {0, ..., 255}.
2: Let interval I = AT[r_1] ⊂ {0, ..., τσ} be the interval to search for a sample.
3: Set j = 1.
4: Pick a random byte r_2.
5: Perform a binary search in I, using table look-ups in table CDT, and try to find x ∈ Z such that CDT[x] < r_2 ≤ CDT[x + 1] for byte j of the table entries.
6: If the binary search fails to find an x ∈ Z for this comparison, take j ← j + 1 and go to step 4.
7: Compute a random sign b with probability 1/2.
8: Output y = (−1)^b x.

For most values of r_2, step 5 will find the sample for j = 1.

8.3.2 Cache-Attack Weaknesses

In the cache-attack model, we assumed that we get the index of the cache-lines of the tables used. What this means for the sampling method from algorithm 23, is that we obtain the following cache information for each coordinate y_i in y:

• The cache-line of interval table AT: a range of 8 adjacent intervals R = {AT[i], ..., AT[i + 7]}, i = 0, 8, 16, ... We can use the inverse of the table to retrieve the correct i, so ultimately we know: r_1 ∈ {i, ..., i + 7}.

• The cache-line of every table-lookup of the CDT table, needed in the binary search: a range of 8 adjacent values T = {CDT[j], ..., CDT[j + 7]}, j = 0, 8, 16, ... We can use the inverse of the table to retrieve the correct j, for which we know that lookup x ∈ {j, ..., j + 7} and CDT[x] ∈ T.

There are two types of cache-weaknesses in this sampling method, and we will denote these by an Intersection weakness and a Jump weakness.

Intersection Weakness We exploit the fact that we are using two tables and in both cases we get the cache-line. Given these two cache-lines, we can intersect the possible intervals from cache-line R with the possible CDT table look-ups of cache-line T. Now this can give an interval J with the property:

$$J \in R \quad \text{and} \quad \forall x \in J : x \in T$$


Value                      0  1  2  3  4  5  6  7  8  9  10 11
Cache-Line CDT             0  0  0  0  0  0  0  0  1  1  1  1
Cache-Line Interval Table  0  1

Table 2: Visualization of an Intersection Weakness. In this example, in red the cache-lines of a table look-up are given for both the CDT and Interval table. By intersecting these two cache-lines, we get an interval with the possible sampled values (in green).

Jump Weakness We exploit the fact that for bigger intervals, the binary search part in CDT becomes larger and larger. For some integers G at the boundary of these intervals, the table lookup is in a different cache-line compared to all other integers not in G in the same interval. That is, we have a set G of possible values for the table entries, with:

$$G \subset AT[i] \quad \text{and} \quad \forall x \in G : x \in T_2 \quad \text{and} \quad \forall y \in AT[i] \setminus G : y \in T_1$$

where 0 ≤ i ≤ 255. So G is a subset of AT[i], such that its elements lie in a different cache-line compared to the remaining set AT[i] \ G. T_1, T_2 are different cache-lines of the CDT table look-ups.

This means there is a jump in the used cache-lines for certain values of interval AT[i]. So we know for a certain cache-access pattern that the corresponding Gaussian sample |y| ∈ G.

Value           0  1  2  3  4  5  6  7  8  9  10 11
Cache-Line CDT  0  0  0  0  0  0  0  0  1  1  1  1
Interval        0  0  0  0  0  1  1  1  1  1  2  2

Table 3: Visualization of a Jump Weakness. In this example, interval AT[1] = {5, 6, 7, 8, 9} is divided over two cache-lines of the CDT, line T_0 = {0, 1, 2, 3, 4, 5, 6, 7} and T_1 = {8, 9, 10, 11, ...}. Since the binary search begins in the middle of the interval, at value 7, cache-line T_0 (denoted in yellow and red) is always requested. However, only for values 8 and 9, cache-line T_1 is also requested in addition. So when both cache-line T_0 and T_1 are requested, we get a set G = {8, 9} of possible values.

In appendix A, there is a table of weaknesses for every parameter set advised by the authors of BLISS.

These two types of weaknesses can give a range of possible values for coordinate y_i of noise vector y ∈ D_σ^n. However, if this range is too large, we do not gain enough information to find the secret key. In the next section, we describe two ways of restricting ourselves, which help us to recover more information.

8.3.3 Exploiting the Weakness

For each standard deviation σ, we can identify possible Intersection and Jump weaknesses in the Gaussian Sampling method. Moreover, we can restrict ourselves to only use those weaknesses with additional properties, which will help us in the offline part. Denote the size of an Intersection weakness by the size of interval |J| and the size of a Jump weakness by the size of set |G|, where J, G are as defined in the previous section. For the CDT Sampling method, we have the following additional requirements:

Size Requirement The weaknesses derived in the previous section can have any size, but will at least be of size two (or an interval is totally unique). The reason for this is simple: the binary search is a search in a binary tree, which means the last step will always return one of two values. We will restrict ourselves to weaknesses of size up to two. Then we know from the cache-line analysis that coordinate y_i must be one of two values: |y_i| ∈ {g_1, g_1 + 1} or |y_i| ∈ {g_1, g_1 − 1} for some value g_1 ∈ {0, ..., τσ}. From now on, we denote these possibilities for |y_i| by |y_i| ∈ {g_1, g_1 ± 1}. Now since we narrowed the possibilities down to two values, we make an error up to 1 if we assume either of them to be true.

Biased Requirement Remember that the intervals can be partially overlapping and have the probability requirement that

$$\sum_{i=0}^{255} P[AT[i]] \cdot P[X = x \mid X \in AT[i]] = D_\sigma(x)$$

Each step in the binary search can be modeled as a probability p_i to go to the left child and probability (1 − p_i) to go to the right child. By using cache weaknesses, combined with the Size Requirement, we have narrowed the possibilities of coordinate y_i down to two: |y_i| ∈ {g_1, g_1 ± 1}. It means we know the path in the binary search tree up to the last step. For some samples however, due to the above probability requirement and probabilities p_i, we can furthermore measure that if |y_i| ∈ {g_1, g_1 ± 1}, then p_i = α of the time it will be g_1 (or g_1 ± 1). In other words: the last step in the binary search within an interval is very biased towards one value. We only take those weaknesses which have a small α, and thus are very biased. By assuming the value with highest probability (1 − p_i) = (1 − α) to be true, we make an error of size at most 1 with low probability α.


[Figure 16 image: intervals 1 to 11 laid over the table values; binary search tree inside interval 9 with root r_2, leaves x_1, x_2, x_3, x_4 and branch probabilities α ≈ 0, 1 − α, p_1, 1 − p_1, p_3, 1 − p_3; the branch towards x_1 and x_2 is marked "Cache Weakness"]

Figure 16: Example of weakness satisfying the biased requirement. In this example, both x_1 and x_2 are part of a cache weakness. So when the left part of interval 9 is requested, the attacker will know it up to the last step in the tree. When this is the case, with probability (1 − α), this will be x_2. For small α (≈ 0), this gives the attacker additional information: they can assume x_2 to be true and that is correct with high probability (1 − α). This behavior is possible because of the Probability Requirement.

Given both the Size and Biased Requirement, we narrow the number of exploitable weaknesses a little bit, but this will help us a lot in the offline part.

In appendix A, there is a table of weaknesses satisfying the Size and Biased requirements for every parameter set advised by the authors of BLISS.
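As an added example (not code from the thesis), the following Python audit applies the cache-line model of section 8.2 and the binary search of algorithm 23 to a constructed table layout and lists every access signature that pins the sample down to at most two values, i.e. the Intersection and Jump weaknesses meeting the Size Requirement; this is the layout check one would run on a sampler before deploying it. The probe order of the binary search (always the middle element) and the three-interval layout taken from Table 3 are assumptions, and the Biased Requirement, which needs the branch probabilities p_i, is not modeled.

```python
"""Layout audit for CDT sampling with an acceleration table (constructed example).

Model (section 8.2): 64-byte cache-lines and 8-byte (LONG) entries, so entry i of a
table sits in cache-line i // 8, and the observer learns per sample the cache-line
of the AT look-up plus the set of CDT cache-lines touched by the binary search.
Values sharing that information cannot be told apart; groups of size <= 2 are the
weaknesses that satisfy the Size Requirement of section 8.3.3."""
from collections import defaultdict

ENTRIES_PER_LINE = 8  # 64-byte line / 8-byte LONG entries


def cache_line(index):
    """Cache-line position floor(i / 8) of table entry i."""
    return index // ENTRIES_PER_LINE


def binary_search_probes(lo, hi, x):
    """CDT positions probed by a binary search over the interval {lo, ..., hi}
    that ends on value x. Assumed probe order: the middle element, then the half
    containing x (matches Table 3, whose search starts at value 7)."""
    probes = []
    while lo < hi:
        mid = (lo + hi) // 2
        probes.append(mid)
        if x > mid:
            lo = mid + 1
        else:
            hi = mid
    return probes


def access_signature(interval_index, lo, hi, x):
    """What the model leaks for one sample: (AT cache-line, CDT cache-lines touched)."""
    cdt_lines = frozenset(cache_line(p) for p in binary_search_probes(lo, hi, x))
    return (cache_line(interval_index), cdt_lines)


def audit_layout(acceleration_table):
    """Map every leaked signature to the sorted list of sampled values producing it.
    acceleration_table[r1] = (lo, hi) is the interval selected by random byte r1."""
    candidates = defaultdict(set)
    for idx, (lo, hi) in enumerate(acceleration_table):
        for x in range(lo, hi + 1):
            candidates[access_signature(idx, lo, hi, x)].add(x)
    return {sig: sorted(vals) for sig, vals in candidates.items()}


def size_requirement_weaknesses(acceleration_table):
    """Signatures leaving at most two candidate values, |y_i| in {g1, g1 +/- 1}."""
    return {sig: vals for sig, vals in audit_layout(acceleration_table).items()
            if len(vals) <= 2}


def table3_layout():
    """Constructed three-interval layout of Table 3: AT[1] = {5, ..., 9} straddles
    CDT cache-lines T0 = {0..7} and T1 = {8..}; AT[0] and AT[2] cover the rest of 0..11."""
    return [(0, 4), (5, 9), (10, 11)]


if __name__ == "__main__":
    weak = size_requirement_weaknesses(table3_layout())
    for (at_line, cdt_lines), vals in sorted(weak.items(), key=lambda kv: kv[1]):
        print(f"AT line {at_line}, CDT lines {sorted(cdt_lines)} -> |y| in {vals}")
```

On the Table 3 layout the audit reports the Jump weakness G = {8, 9} (CDT lines 0 and 1 both touched) and an Intersection-type weakness {10, 11} (only CDT line 1 touched).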

8.3.4 Extracting the Secret Key

Note that in the previous section we concluded that we can learn that the absolute value of a coordinate y_i in the noise vector is one of two values: |y_i| ∈ {g_1, g_1 ± 1}, which also leaves the question open which sign coordinate y_i has. However, we assume we can learn it by looking at the sign of z_i = y_i + (−1)^b ⟨c_i, s⟩, because sign(z_i) ≠ sign(y_i) is possible if and only if |⟨c_i, s⟩| ≥ z_i + y_i. Since both c, s are sparse and small, we assume this possibility to be negligible. So when we learn |y_i|, we learn its sign by looking at the sign of z_i.

In section 8.1, when discussing the intuition behind the cache-attacks, we ended with a scenario in which we were able to determine whether coordinate y_i is in some sparse set G, and we make an error with low probability α ∈ (0, 1). For these coordinates y_i, we can determine their values with an error up to size 1. To link it with the previous section: cache weaknesses satisfying the Size requirement enable us to get a sparse set G, where we can determine the coordinate y_i and make an error up to size 1, and the Biased requirement with small α enables the low probability in making an error. In this section, we finalize the attack using LLL.

We assume an attacker Eve has access to the cache of victim Alice and can mount cache-attacks. Alice has a BLISS key-pair (A, S) = (a, s) and signs multiple messages/transactions. Eve collects information from cache, together with these signatures µ_j = (z_j, c_j) with z_j = y_j + (−1)^{b_j} C_j s for 1 ≤ j ≤ N, where the number of signatures N is high enough to have enough linear relations to extract the secret key. Here, C_j has rows c_{ji}, where c_{ji} are rotations of signature vector c_j, and z_{ji}, y_{ji} are coordinates of z_j, y_j for 1 ≤ i ≤ n. We can use the above vector equations and zoom in on coordinate-wise equations, and get:

$$z_{ji} = y_{ji} + (-1)^{b_j} \langle c_{ji}, s \rangle$$

So suppose, from cache-information, Eve knows that coordinate y_{ji} is in set G and determined its value, and makes an error up to 1 with probability α. Eve requires that z_{ji} = y_{ji} before collecting ζ_k = c_{ji} in a matrix M whose rows are the vectors ζ_k, because in that case:

$$\langle \zeta_k, s \rangle \in \{0, 1, -1\}$$

but with probability (1 − α): ⟨ζ_k, s⟩ = 0. After collecting n of these vectors ζ_k, we have the following information regarding Ms:

$$E\left[\|Ms\|_2^2\right] = \alpha n$$

It means for small α, vector Ms is a small vector in the lattice spanned by rows ζ_k of M. We can use the LLL basis reduction algorithm on M, to get an LLL-reduced version M_R of M and a unitary transformation matrix U, with:

$$MU = M_R$$

We cannot verify correctness of vector Ms, so we cannot search for it in M_R. However, we can try all columns u_k of U and test whether this gives the secret key by verifying correctness with the public key. To do that, we rotate vector u_k into NTRU lattice P and check whether AP ≟ qI mod 2q. If this is the case, we found the secret key (or its negative)!

Note that we used a vague notion of "short vector" Ms, because it is unclear under what conditions it is short enough that a basis reduction algorithm, like LLL, finds it. We do not (yet) have a proof when LLL finds it, but in practice we have an easy way to make sure it finds it: randomize this process. Instead of waiting for n vectors ζ_k = c_{ji}, gather more than n, for instance 2n vectors, and pick a random subset of n vectors as input for LLL. Experiments (section 8.5) confirm that this method works and succeeds in finding the secret key (or its negative).

The cache-attack is summarized as follows:


Algorithm 24 Cache-Attack on BLISS with CDT Sampling

Input: Signer Alice with key-pair (A, S). Malicious Eve with access to cache-patterns of Alice. Input parameters n, σ, q, κ of BLISS. Eve has access to signature vectors (z, c) from Alice. Alice uses CDT sampling with table AT for noise vector y.

Output: Eve extracts secret key S of Alice.

1: Let k = 0 be the number of vectors gained by Eve and let L = [] be an empty list of vectors.
2: While (k < 2n):
3:   Alice creates signature (z, c). Eve collects this signature, together with cache information for each coordinate y_i of noise vector y. Let c_i be a rotation of vector c.
4:   For each i = 1, ..., n:
5:     If Eve can determine coordinate y_i (with error probability α) from cache information and if z_i = y_i: then include vector ζ_k = c_i in M and set k = k + 1.
6: End While.
7: Set boolean KeyFound = False.
8: While (not KeyFound):
9:   Take a random subset of n vectors of L and construct matrix M.
10:  Perform LLL basis reduction on M to get: MU = M_R, where U is a unitary transformation matrix and M_R is LLL reduced.
11:  For each i = 1, ..., n:
12:    Construct NTRU lattice P by rotating column vector u_i of U.
13:    Check if AP ≟ qI mod 2q, then KeyFound = True.
14: Return secret key S = P of Alice.

8.3.5 Complexity Analysis

There are two things that determine the speed of this side-channel attack: the number of signatures needed to get enough linear relations and the number of LLL lattice basis reductions needed to find the secret key. We will give a formula for the first complexity, but for the second part we first need to understand why LLL can be used to find the key, which is still an open question at this moment. Experimental results suggest that about 2 LLL computations are sufficient to find the secret key. We do know that we need Ms to be a small vector, otherwise it will not be in the reduced version of M. This is satisfied, because we restricted the sizes with the size and biased requirements.

From the cache weaknesses we get a set G, for which we can determine if yi ∈ G, and we make an error of size at most 1 with probability α. It means that for yi ∈ G, there is a cache-access pattern wi with a weakness, satisfying the size and biased requirement. Let W be the set of cache-access patterns for set G. Then if wi ∈ W, we know that yi ∈ G and can determine its value.

Then step 5 of the algorithm is satisfied when wi ∈ W and zi = yi. The probabilities of these events are independent of each other, which means:

$$P[z_i = y_i,\, w_i \in W] = P[z_i = y_i] \cdot P[w_i \in W]$$

The first part we can write in a different way:

$$P[z_i = y_i] = P[\langle s, c_i \rangle = 0]$$


The right hand side can be calculated, because we know the distributions of s and ci. The second part, P[wi ∈ W], can be calculated using knowledge about the interval table AT and the probability requirement. We use a heuristic approach to calculate this probability by simulation.

In total, the expected number of signatures N, to acquire the 2n vectors ζk needed in the algorithm, equals:

$$E[N] = \frac{2n}{n \cdot P[z_i = y_i,\, w_i \in W]} = \frac{2}{P[\langle s, c \rangle = 0] \cdot P[w_i \in W]}$$

In the Experiments section (section 8.5), this expected number is given together with the experimental values.

8.4 Cache-Attack 2: Rejection Sampling

8.4.1 Modified Rejection Sampling with Exponential Table

The huge downside of CDT sampling is the big look-up table. Section 6.3.2 introduced rejection sampling, but this method has significant practicality issues: the number of rejections and the cost of calculating the probability to reject. In the same paper [8] where BLISS is introduced, the authors describe an improved rejection sampling algorithm relying on two speedups. First, instead of trying to sample from Dσ, break this distribution into pieces that are nicer to sample from, using the following property:

$$D_\sigma = K \cdot D_{\sigma_2} + U(0, K-1)$$

where $K = \lceil \sigma/\sigma_2 \rceil + 1$ is the number of pieces, $D_{\sigma_2}$ is the discrete binary Gaussian distribution with standard deviation $\sigma_2$, where $\sigma_2^2 = \frac{1}{2 \ln 2}$, and $U(0, K-1)$ is the discrete uniform distribution between 0 and K − 1. This means, instead of sampling from $D_\sigma$, one needs to draw one sample from $D_{\sigma_2}$ and one sample from $U(0, K-1)$. There is an efficient way of sampling from $D_{\sigma_2}$ by using random bits [8], and sampling from a discrete uniform distribution is easy. If samples $x_1 \in D_{\sigma_2}$ and $x_2 \in U(0, K-1)$ are sampled accordingly, then $y = K \cdot x_1 + x_2$ is distributed according to $D_\sigma$ if we accept with probability $\exp(-x_2(x_2 + 2Kx_1)/(2\sigma^2))$. The number of times this is rejected is far less than the number of rejections with plain rejection sampling (section 6.3.2). So by breaking the distribution into smaller pieces, the sampling time decreases significantly.

The second speedup is based on the fact that accepting a sample with an exponentially valued probability is hard to do in practice. These exponential values need to have high precision, and hence take some time to calculate on the fly. An easy improvement is simply storing these exponential values and looking them up in a table. But this would still require a big look-up table, which is what we want to avoid in the first place. However, one can use the binary representation of the sample and perform a rejection step for each non-zero bit of it. This means, instead of needing N table entries, one needs $\log N$. Combining this method with the previous speed-up means the table size is $\log N$ for $N = (K-1)(K-1+2K\tau\sigma_2)$ for tail-cut τ.

Using both speedups, the modified rejection sampling algorithm with an exponential table is summarized below:


Algorithm 25 Rejection Sampling with Exponential Table

Input: Standard deviation σ, tail-cut τ. Values $\sigma_2^2 = \frac{1}{2 \ln 2}$, $K = \lceil \sigma/\sigma_2 \rceil + 1$. Small exponential table ET with exponential values $\exp(i/(2\sigma^2))$ for $i \in \{0, \ldots, \log N\}$, where $N = (K-1)(K-1+2K\tau\sigma_2)$.

Output: Gaussian sample y ∈ Dσ.
1: Sample x1 ∈ Dσ2 via rejection sampling using random bits.
2: Sample x2 ∈ U(0, K − 1) and set y = Kx1 + x2.
3: Set r1 = −x2(x2 + 2Kx1).
4: For each non-zero bit of r1, compute an exponentially distributed bit using the exponential values in table ET. If this bit is zero, goto step 1.
5: If y = 0: compute bit r2 with probability 1/2. If r2 = 0, goto step 1.
6: Compute random sign bit b with probability 1/2.
7: Output (−1)^b · y.

8.4.2 Cache-Attack Weakness and Exploitation

For this second cache-attack to work, we assume to get the following information for each sample yi in vector y:

• The activity of table ET for the last trial in the sampling algorithm, that is: has there been a table look-up in ET for the last non-rejected value, which is ultimately the value for yi.

This information is based on step 5 of the algorithm. Only in this step there are possible table look-ups in table ET. However, when x2 = 0, there are no table look-ups at all in ET, since r1 = 0. Let the Weight(z) of a number z be defined as the Hamming weight of z, that is: the number of non-zero coefficients in the binary representation of z. Then step 5 of the algorithm will not use a table look-up when Weight(z) = 0 with z = −x2(x2 + 2Kx):

[Figure 17 plot: x-axis y + xK (50 to 200), y-axis Weight(−y(y + 2·K·x)) (2 to 10)]

Figure 17: The weight of numbers z = −x2(x2 + 2Kx) where x2 ∈ {0, 1, ..., K − 1} and x ∈ {0, 1, 2, 3} for K = 50. These weights represent the number of table look-ups in table ET in the rejection sampling algorithm.


So when there is no table look-up for yi, we know that |yi| ∈ {0, K, 2K, ...} = G. Again we assume to learn the sign of yi by looking at the corresponding coordinate zi of signature vector z. For this to determine a unique yi, we need |〈s, ci〉| ≤ κ < K. Furthermore, since κ < K, we know the exact value of yi if there was no table look-up used to sample. Verifying that κ < K is easily done using the public parameters.

8.4.3 Extracting the Secret Key

We can use the same method as with the first cache-attack, to combine information from cache with information from signature vector z.

In the intuition of the cache-attacks, section 8.1, we discussed an attack scenario where we can determine, from cache information, if a coordinate yi of y is in some sparse set G, where we know G in advance. We do not make any errors with this determination whether yi is in set G, and if yi is indeed in this set G, we know its value. The above weakness satisfies this scenario: if there is no table look-up in ET for coordinate yi, we know what the value of yi is, without making any errors.

Analogous to the previous attack: Alice has a BLISS key-pair (A, S) and signs multiple transactions/messages. Eve collects information from cache, together with these signatures $\mu_j = (z_j, c_j)$ with $z_j = y_j + (-1)^{b_j} C_j s$ for 1 ≤ j ≤ N, where the number of signatures N is high enough to have enough linear relations to extract the secret key. Here, $C_j$ has rows $c_{ji}$, where $c_{ji}$ are rotations of signature vector $c_j$, and $z_{ji}, y_{ji}$ are coordinates of $z_j, y_j$ for 1 ≤ i ≤ n. Again using coordinate-wise equations:

$$z_{ji} = y_{ji} + (-1)^{b_j} \langle c_{ji}, s \rangle.$$

So suppose, from cache-information, Eve knows that coordinate yji ∈ {0, ±K, ±2K, ...} and has exactly determined its value. Eve requires that zji = yji before including ζk = cji in a matrix M whose rows are the vectors ζk, because in that case:

〈ζk, s〉 = 0

When Eve collects n of these vectors ζk satisfying the above equation, she has the following system:

Ms = 0

It means that s is a kernel vector of M. One can prove that when collecting n vectors uniformly at random, they are most likely to be linearly independent. This means that M is likely to have no kernel vector at all, so if it does have a kernel vector, it has to be the secret vector! Calculating the kernel space of a matrix is easily done. However, if the kernel space does not contain the secret vector, one can collect more vectors and repeat.

In total, the cache-attack works as follows:


Algorithm 26 Cache-Attack on BLISS with Rejection sampling

Input: Signer Alice with key-pair (A, S). Malicious Eve with access to cache-patterns of Alice. Input parameters n, σ, q, κ of BLISS. Eve has access to signature vectors (z, c) from Alice. Alice uses rejection sampling with table ET for noise vector y.

Output: Eve extracts secret key S of Alice.
1: Let k = 0 be the number of vectors gained by Eve and let L = [] be an empty list of vectors.
2: While (k < n):
3: Alice creates signature (z, c). Eve collects this signature, together with cache information for each coordinate yi of noise vector y. Let ci be a rotation of vector c.
4: For each i = 1, ..., n:
5: If Eve can determine coordinate yi (with no error) from cache information and if zi = yi: then include vector ζk = ci in L and set k = k + 1.
6: End While.
7: Calculate the kernel space of L; this gives a matrix U such that LU = 0, where 0 is the all-zero matrix.
8: For each column ui of U:
9: Construct NTRU lattice P by rotating column vector ui of U.
10: Check if AP ≡ qI mod 2q. If this is the case, return secret key S = P of Alice.
11: Goto step 2.

8.4.4 Complexity Analysis

As with Cache-Attack 1, the complexity is determined by the number of signatures needed and the offline part, which is calculated as the running time of finding the kernel space, divided by the probability that the secret vector is in the kernel. For simplicity we assume that the probability that the secret vector is part of the kernel is equal to the probability that n random vectors are linearly independent, which is approximately 1. This means that the offline part is negligible and that the algorithm will always terminate.

Estimating the probability that we can determine yi is easier now and can be calculated exactly, because it is the probability that yi ∈ {0, ±K, ±2K, ...}. Again when zi = yi, we know that 〈c, s〉 = 0. So in total, we get the expected number of signatures to be:

$$E[N] = \frac{1}{P[y_i \in \{0, \pm K, \pm 2K, \ldots\}] \cdot P[\langle s, c \rangle = 0]}$$

In the next section, this expected number is given together with the experimental values.
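As an added example (not code from the thesis or from the BLISS authors' implementation [7]), the following Python version of Algorithm 25 counts the ET look-ups of the accepted trial, checks the observation of section 8.4.2 and Figure 17 that a trial without ET activity has x2 = 0 and hence |yi| ∈ {0, K, 2K, ...}, and computes the exact leak probability P[yi ∈ {0, ±K, ±2K, ...}] used in the formula above. It assumes the binary Gaussian of [8] with σ2² = 1/(2 ln 2), per-bit table entries exp(−2^i/(2σ²)), and K = 50 with a constructed tail cut as demo parameters.

```python
"""Instrumented version of Algorithm 25 (rejection sampling with exponential
table ET), written as a teaching example: it counts the ET look-ups of the
final trial, which is exactly the cache activity that cache-attack 2 observes."""
import math
import random

# Binary Gaussian of the BLISS paper [8]: rho(x) = 2^(-x^2), i.e. sigma_2^2 = 1/(2 ln 2).
SIGMA2 = math.sqrt(1.0 / (2.0 * math.log(2.0)))


def sample_binary_gaussian(rng):
    """Step 1: x1 >= 0 with probability proportional to 2^(-x1^2), from random bits."""
    while True:                                   # restart loop
        if rng.getrandbits(1) == 0:
            return 0
        i = 1
        while True:
            k = 2 * i - 1
            if k > 1 and rng.getrandbits(k - 1) != 0:
                break                             # restart from scratch
            if rng.getrandbits(1) == 0:
                return i
            i += 1


def make_exp_table(n_bits, sigma):
    """ET[i] = exp(-2^i / (2 sigma^2)) (assumed BLISS-style entries): the product
    over the set bits of x equals exp(-x / (2 sigma^2))."""
    return [math.exp(-(2 ** i) / (2.0 * sigma * sigma)) for i in range(n_bits)]


def bernoulli_exp(x, table, rng, counter):
    """Step 4: accept with probability exp(-x/(2 sigma^2)) using one ET look-up per
    set bit of x; counter[0] records the look-ups.  x == 0 never touches ET."""
    for i in range(x.bit_length()):
        if (x >> i) & 1:
            counter[0] += 1
            if rng.random() >= table[i]:
                return False
    return True


def weight(x2, x1, K):
    """Hamming weight of x2*(x2+2Kx1): the number of ET look-ups of one trial (Figure 17)."""
    return bin(x2 * (x2 + 2 * K * x1)).count("1")


def sample_gaussian(K, tau, rng):
    """Algorithm 25 for sigma = K*sigma_2.  Returns (y, x1, x2, lookups), where
    lookups counts the ET accesses of the final, accepted trial only."""
    sigma = K * SIGMA2
    x1_max = math.ceil(tau * SIGMA2)                       # tail cut on x1
    max_x = (K - 1) * (K - 1 + 2 * K * x1_max)             # N of the text
    table = make_exp_table(max_x.bit_length(), sigma)      # log N entries
    while True:
        counter = [0]
        x1 = sample_binary_gaussian(rng)                   # step 1
        if x1 > x1_max:
            continue
        x2 = rng.randrange(K)                              # step 2
        y = K * x1 + x2
        x = x2 * (x2 + 2 * K * x1)                         # |r1| of step 3
        if not bernoulli_exp(x, table, rng, counter):      # step 4
            continue
        if y == 0 and rng.getrandbits(1) == 0:             # step 5
            continue
        if rng.getrandbits(1):                             # steps 6-7: sign
            y = -y
        return y, x1, x2, counter[0]


def prob_multiple_of_K(K, tau):
    """Section 8.4.4: P[y in {0, +-K, +-2K, ...}] under the tail-cut D_sigma with
    sigma = K*sigma_2, i.e. the fraction of coordinates whose value leaks exactly."""
    sigma = K * SIGMA2
    bound = math.ceil(tau * sigma)
    ys = range(-bound, bound + 1)
    rho = [math.exp(-(y * y) / (2.0 * sigma * sigma)) for y in ys]
    return sum(r for y, r in zip(ys, rho) if y % K == 0) / sum(rho)


def run_leak_check(K=50, tau=12, n=2000, seed=1):
    """Draw n samples (K = 50 as in Figure 17; constructed demo parameters) and
    check the leak: no ET activity <=> x2 == 0 <=> |y| is a multiple of K."""
    rng = random.Random(seed)
    silent, consistent = 0, True
    for _ in range(n):
        y, x1, x2, lookups = sample_gaussian(K, tau, rng)
        quiet = lookups == 0
        consistent &= quiet == (x2 == 0) == (y % K == 0)
        consistent &= lookups == weight(x2, x1, K)
        silent += quiet
    return {"consistent": consistent,
            "silent_fraction": silent / n,
            "expected_fraction": prob_multiple_of_K(K, tau)}


if __name__ == "__main__":
    print(run_leak_check())
```

The silent fraction observed over the samples agrees with the exact probability, which is what makes the number of signatures in the formula above predictable for a given parameter set.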

8.5 Experiments

The authors of BLISS provided a research-oriented implementation of the signature scheme on their web-page [7]. This implementation is not optimized, but sufficed to show experimental results of the above cache-attacks. The implementation of the signature scheme is tweaked to provide the cache information. For each of the parameter sets advised eventually by the authors, the cache-attack succeeds in finding the secret key and breaking the scheme. The following table states the expected value of the number of signatures E[N] based on the complexity analysis and the average experimental values N for the required number of signatures.


Sampling Method  Parameter Set BLISS  E[N]  N  Running Time Offline Part
CDT Sampling  BLISS-0 (Toy)  5036  5084  3.535 (1.69)
CDT Sampling  BLISS-I  900  880  57.792 (1.73)
CDT Sampling  BLISS-II  4039  4032  72.951 (2.18)
CDT Sampling  BLISS-III  1859  1895  45.272 (1.18)
CDT Sampling  BLISS-IV  2377  2402  66.875 (1.64)
Rejection Sampling  BLISS-0 (Toy)  1102  1113  0.839 (1.0)
Rejection Sampling  BLISS-I  1694  1671  14.709 (1.0)
Rejection Sampling  BLISS-II  839  824  14.437 (1.0)
Rejection Sampling  BLISS-III  2970  3018  15.951 (1.0)
Rejection Sampling  BLISS-IV  4154  4223  18.103 (1.0)

Table 4: Experimental results of cache-attacks 1 and 2 on BLISS. For each parameter set and sampling method, we did 100 experiments and all succeeded in finding the secret key. The expected number of necessary signatures E[N] and the average experimental value of N are given. Time is given in seconds; between parentheses is the average number of LLL's and kernel calculations.

The experimental number of signatures is close to the expected necessary number of signatures. An important end note is that the offline part is influenced by dimension n, but for the CDT sampling this highly depends on the number of LLL computations one has to perform. Since this is still unclear, the timings are just an indication of a possible running time, nothing more. The experiments always succeed to find the secret key and the average running times are quite low. In the case of rejection sampling we do know that the kernel will be found with probability about 1, which is confirmed by the experiments.

8.6 Countermeasures

We discuss some countermeasures against the previously given cache attacks.

In the CDT sampling method, we use two tables which give rise to two different cache weaknesses. The jump weaknesses can be countered by simply iterating all values inside an interval: this will always give a jump whenever an interval is divided over multiple cache-lines. The intersection weakness however, is not that simple to avoid. The best countermeasure would be to take this weakness into account when both tables are constructed. That is: prevent leaking information when cache-lines of both tables are given. However, it is unclear how this can be done efficiently.

Tweaking the construction of the tables could also help in preventing the offline part of the particular attacks described in this section. By making sure that there is no such thing as a biased value inside an interval, the attacker cannot construct the small vector to search for with LLL. This means the attacker cannot know how to choose the linear relations based on the signature vector z. But also in this case it is unclear how to tweak the table such that all intervals are unbiased.

Finally, for the rejection sampling algorithm it is easiest to always randomly sample a fixed number (one or two) of values from the exponential table. This means there is always cache-activity and there is no way of distinguishing between the values. This should also minimize the additional time.


8.7 A Short Note on Timing Attacks

We began the side-channel analysis of this thesis by looking at timing attacks. This type of attack is very powerful, because it can easily be mounted remotely. A timing attack measures the total time to perform a cryptographic operation (signing, decryption), and tries to use differences in these times to extract the secret key. Most discrete Gaussian sampling methods have a timing issue: one can link the average sampling time to the size of a sample. This is also noted in [23]. However, how to turn this timing issue into exploitation remains unclear. There are several major issues to cope with:

• Only the total signature time is given, but one needs the time per coordinate. Assume that the attacker gets the time in the number of clock cycles (integers). Then only when all sampling times of the coordinates are relatively prime is one able to reconstruct times for the individual coordinates and possibly map them to the correct place. However, this is very unlikely to be true and also repetitions are possible. Otherwise, the attacker gets a subset sum problem, which in general is a hard problem. Assuming that the remaining part of the algorithm is constant time is also highly unlikely. There are many factors which will introduce noise, making the subset sum problem even harder.

• Even if on average one is able to link a sample time to the size of a sample, it is unclear how to use this when the attacker is just given a single sampling time. In most timing attacks/cache-timing attacks, one is able to use a lot of running times and average out the noise. But this is not possible for timing attacks on the Gaussian sampling. For each signature, a different noise vector is used, which means an attacker cannot use multiple sampling times and average out the noise. The attacker is given a time and has to decide, only from that time, which sample it is, because a coordinate of the noise vector is only used once. He could construct a confidence interval for each sample and when it is inside one of these intervals, decide it is the appropriate one. This is only possible when all confidence intervals are non-overlapping, and for the sampling with big tables, the times are nearly the same. It is then very likely that the attacker makes many errors.

For the cache-attacks described in the previous section, no timing information is used to determine the samples. This means that, when cache-line activity is given, the attack is completely deterministic.


9 Summary

We started this thesis with the cryptographic aspects of the Bitcoin protocol, both Blockchain and digital signatures, and showed that we need to adapt it to make it post-quantum secure. The most important part to change is the digital signatures, since the Blockchain's security could also rely on the security of these signatures. As an introduction to post-quantum signature schemes, hash-based signatures were discussed. Although these schemes have some practicality issues, certainly in the use-case of Bitcoin, it is advised to switch to these schemes first when quantum computers arise. The security is well understood and no major hardware/software changes are necessary. However, lattice-based signature schemes are more practical in this case, which is why we focus on these schemes. The security level of lattice-based signature schemes is still uncertain, but it was certainly not clear whether it was robust against side-channel attacks. These attacks have to be considered before using lattice-based signatures for serious applications such as Bitcoin. To understand the security, we introduced the theory of lattices and lattice-basis reductions. We focused on a highly optimized scheme, called BLISS, and examined a crucial step, the discrete Gaussian sampler, in more depth.

In the last chapter we showed two potential cache-attacks on BLISS, which resulted in breaking the scheme. The first one is exploiting weaknesses when sampling a discrete Gaussian is done using a Cumulative Distribution Table, combined with an acceleration table. The sampling algorithm has two potential cache-attack weaknesses, denoted by intersection and jump weaknesses. However, for the offline part to work, we restricted ourselves in using these weaknesses, at the expense of using more samples. When both the size and biased requirement are satisfied, one is able to construct a small vector inside a lattice, spanned by vectors extracted from signatures. By using the LLL lattice-basis reduction algorithm, one is able to find the secret key in the unitary transformation matrix of the reduction. However, it is still unclear why this is the case and it remains an open question.

The second cache-attack is usable when sampling discrete Gaussians is implemented with a rejection sampling algorithm, combined with a small table with exponential values. For certain values of the sampler, there is no look-up in this table. This significantly reduces the number of values possible when this is encountered. This resulted in a concrete offline attack, where the secret vector is part of the kernel of the integer matrix, spanned by signature vectors.

9.1 Conclusions

The goal of this thesis was to examine side-channel attacks for BLISS, an optimized lattice-based signature scheme. We started with the possibilities of timing attacks. Some people had expressed the belief that these attacks were easily mounted, because sampling a discrete Gaussian in constant time is not doable with current methods. Despite this, we found no possibility of mounting such a timing attack. The main problem is that only the global execution time is retrievable, whilst one needs the sampling time per coordinate.

Our results in concrete side-channel attacks for BLISS, based on the discrete Gaussian sampler, are new as far as we know. To put this in broader perspective: we think this work is very usable to narrow the gap of lattice-based cryptography in theory and practice. Using a big look-up table for the discrete Gaussian sampler invites cache-attacks, but we also showed that the alternative, based on rejection sampling, has a weakness for cache-attacks. This means we need to re-invent ways to sample a discrete Gaussian, or implement current methods more securely, before the scheme is ready for implementation in the real world.


9.2 Future Work

This thesis leaves several open questions. The most important one is the question why the offline part of the first cache-attack finds the secret key. If one would list all vectors of the same size as the secret in the lattice we created, then it would be an impossible outcome that we find the secret key. But experiments confirm that it is very likely that the secret key is found. It could be possible that there are not that many short basis vectors of the lattice we create, and that it is therefore likely that we find the secret key. Another possibility is that the weakness is actually in the part where the sparse signature vector is created by hashing. This is a vital step in our cache-attack and we will investigate this further in the future.

The second important question is how we can adapt the CDT sampler with acceleration table to make it robust against cache-attacks. We think it should be robust by design, which means the table should be constructed in such a way that the attacks are not possible.

Possible extensions of this thesis are examining cache-attacks on the discrete Gaussian sampler in other cryptographic algorithms that use it, such as an LWE encryption scheme. The cache-attacks should provide linear relations of the secret key. Furthermore, it might be the case that other side-channel attacks are also possible, such as power analysis, which is out of the scope of this thesis.


References

[1] Miklós Ajtai, Ravi Kumar, and D. Sivakumar. A sieve algorithm for the shortest lattice vector problem. In Jeffrey Scott Vitter, Paul G. Spirakis, and Mihalis Yannakakis, editors, STOC, pages 601–610. ACM, 2001.

[2] Daniel Augot, Lejla Batina, Daniel J. Bernstein, Joppe Bos, Johannes Buchmann, Wouter Castryck, Orr Dunkelman, Tim Güneysu, Shay Gueron, Andreas Hülsing, Tanja Lange, Mohamed Saied Emam Mohamed, Christian Rechberger, Peter Schwabe, Nicolas Sendrier, Frederik Vercauteren, and Bo-Yin Yang. Initial recommendations of long-term secure post-quantum systems. Available at http://pqcrypto.eu.org/docs/initial-recommendations.pdf, 2015.

[3] Daniel J. Bernstein. Cache-timing attacks on AES. https://cr.yp.to/antiforgery/cachetiming-20050414.pdf, 2005.

[4] Daniel J. Bernstein, Daira Hopwood, Andreas Hülsing, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Michael Schneider, Peter Schwabe, and Zooko Wilcox-O'Hearn. SPHINCS: practical stateless hash-based signatures. In Elisabeth Oswald and Marc Fischlin, editors, EUROCRYPT, volume 9056 of Lecture Notes in Computer Science, pages 368–397. Springer, 2015.

[5] David Brumley and Dan Boneh. Remote timing attacks are practical. Computer Networks, 48(5):701–716, 2005.

[6] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22(6):644–654, 1976.

[7] Léo Ducas, Alain Durmus, Tancrède Lepoint, and Vadim Lyubashevsky. BLISS: Bimodal Lattice Signature Schemes. http://bliss.di.ens.fr/, 2013.

[8] Léo Ducas, Alain Durmus, Tancrède Lepoint, and Vadim Lyubashevsky. Lattice Signatures and Bimodal Gaussians. In Ran Canetti and Juan A. Garay, editors, CRYPTO, volume 8042 of Lecture Notes in Computer Science, pages 40–56. Springer, 2013.

[9] Ulrich Fincke and Michael Pohst. Improved methods for calculating vectors of short length in a lattice, including a complexity analysis. Mathematics of Computation, 44(170):463–471, 1985.

[10] Oded Goldreich, Shafi Goldwasser, and Shai Halevi. Public-key cryptosystems from lattice reduction problems. In Burton S. Kaliski Jr., editor, CRYPTO, volume 1294 of Lecture Notes in Computer Science, pages 112–131. Springer, 1997.

[11] Lov K. Grover. A fast quantum mechanical algorithm for database search. In Gary L. Miller, editor, STOC, pages 212–219. ACM, 1996.

[12] Tim Güneysu, Vadim Lyubashevsky, and Thomas Pöppelmann. Practical lattice-based cryptography: A signature scheme for embedded systems. In Emmanuel Prouff and Patrick Schaumont, editors, CHES, volume 7428 of Lecture Notes in Computer Science, pages 530–547. Springer, 2012.


[13] Jemima Kelly. Nine of world's biggest banks join to form blockchain partnership. http://www.reuters.com/article/us-banks-blockchain-idUSKCN0RF24M20150915, 2015.

[14] Paul C. Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In Neal Koblitz, editor, CRYPTO, volume 1109 of Lecture Notes in Computer Science, pages 104–113. Springer, 1996.

[15] Leslie Lamport. Constructing digital signatures from a one-way function. Technical Report CSL-98, SRI International, Palo Alto, 1979.

[16] Arjen K. Lenstra, Hendrik W. Lenstra Jr., Mark S. Manasse, and John M. Pollard. The number field sieve. In Harriet Ortiz, editor, STOC, pages 564–572. ACM, 1990.

[17] Arjen K. Lenstra, Hendrik W. Lenstra Jr., and László Lovász. Factoring polynomials with rational coefficients. Mathematische Annalen, 261(4):515–534, 1982.

[18] Ralph C. Merkle. A certified digital signature. In Gilles Brassard, editor, CRYPTO, volume 435 of Lecture Notes in Computer Science, pages 218–238. Springer, 1989.

[19] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system. https://bitcoin.org/bitcoin.pdf, 2008.

[20] Yossef Oren, Vasileios P. Kemerlis, Simha Sethumadhavan, and Angelos D. Keromytis. The spy in the sandbox: Practical cache attacks in JavaScript and their implications. In Indrajit Ray, Ninghui Li, and Christopher Kruegel, editors, ACM SIGSAC, pages 1406–1418. ACM, 2015.

[21] Colin Percival. Cache missing for fun and profit. http://css.csail.mit.edu/6.858/2011/readings/ht-cache.pdf, 2005.

[22] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM, 21(2):120–126, 1978.

[23] Markku-Juhani O. Saarinen. Gaussian sampling precision and information leakage in lattice cryptography. IACR Cryptology ePrint Archive, 2015:953, 2015.

[24] David Schwartz, Noah Youngs, and Arthur Britto. The Ripple protocol consensus algorithm. Ripple Labs Inc White Paper, 2014.

[25] Peter W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Review, 41(2):303–332, 1999.

[26] Robert S. Winternitz. Producing a one-way hash function from DES. In David Chaum, editor, CRYPTO, pages 203–207. Plenum Press, New York, 1983.


A Cache Weaknesses for Suggested Parameter Sets

In this section, we describe the analysis part of cache-attack 1. For each parameter set suggested by the authors of BLISS, two tables are given: an overview table, with all intervals and corresponding cache-lines of the interval table (AT) and cache-lines of table CDT, and a table in which both intersection and jump weaknesses are given with cache patterns satisfying the size requirement. Lastly, when we also restrict with the biased requirement, we end up with a set of values G, with an error-rate of α.

BLISS-0

Overview Cache-Line Analysis

Intervals Cache-line Interval Cache-line CDT

[[0, 2], [1, 3], [2, 4], [3, 5]] 0 0
[[4, 6], [5, 7], [6, 8]] 1 0
[[7, 9]] 1 1
[[8, 10], [9, 11], [10, 12], [11, 13]] 2 1
[[12, 14], [13, 15], [14, 16]] 3 1
[[15, 17]] 3 2
[[16, 18], [17, 19], [18, 20], [19, 21]] 4 2
[[20, 22], [21, 23], [22, 24]] 5 2
[[23, 25]] 5 3
[[24, 26], [25, 27], [26, 28], [27, 29]] 6 3
[[28, 30], [29, 31], [30, 32]] 7 3
[[31, 33]] 7 4
[[32, 34], [33, 35], [34, 36], [35, 37]] 8 4
[[36, 38], [37, 39], [38, 40]] 9 4
[[39, 41]] 9 5
[[40, 42], [41, 43], [42, 44], [43, 45], [44, 46]] 10 5
[[45, 47], [46, 48]] 11 5
[[47, 49], [48, 50]] 11 6
[[49, 51], [50, 52], [51, 53], [52, 54]] 12 6
[[53, 55], [54, 56]] 13 6
[[55, 57], [56, 58], [57, 59]] 13 7
[[58, 60], [59, 61], [60, 62], [61, 63], [62, 64]] 14 7
[[63, 65], [64, 66], [65, 67], [66, 68], [67, 69]] 15 8
[[68, 70], [69, 71], [70, 72]] 16 8
[[71, 73], [72, 74]] 16 9
[[73, 75], [74, 76], [75, 77], [76, 78], [77, 79]] 17 9
[[78, 80]] 18 9
[[79, 81], [80, 82], [81, 83], [82, 84]] 18 10
[[83, 85], [84, 86], [85, 87], [86, 88]] 19 10
[[87, 89], [88, 90]] 19 11
[[89, 91], [90, 92], [91, 93], [92, 94], [93, 95], [94, 96]] 20 11
[[95, 97], [96, 98], [97, 99], [98, 100], [99, 101], [100, 102]] 21 12


[[101, 103], [102, 104]] 22 12
[[103, 105], [104, 106], [105, 107], [106, 108], [107, 109]] 22 13
[[108, 110], [109, 111], [110, 112]] 23 13
[[111, 113], [112, 114], [113, 115], [114, 116]] 23 14
[[115, 117], [116, 118], [117, 119], [118, 120]] 24 14
[[119, 121], [120, 122], [121, 123], [122, 124]] 24 15
[[123, 125], [124, 126], [125, 127], [126, 129]] 25 15
[[126, 129], [128, 130], [129, 131], [130, 132], [131, 133]] 25 16
[[132, 134], [133, 135], [134, 137]] 26 16
[[134, 137], [136, 138], [137, 139], [138, 140], [139, 142], [141, 143]] 26 17
[[142, 144]] 27 17
[[143, 146], [145, 147], [146, 149], [148, 150], [149, 152]] 27 18
[[151, 153], [152, 155]] 27 19
[[154, 156], [155, 158], [157, 160]] 28 19
[[159, 161], [160, 163], [162, 165], [164, 167], [166, 169]] 28 20
[[166, 169]] 28 21
[[168, 171], [170, 173], [172, 175], [174, 178]] 29 21
[[174, 178], [177, 180], [179, 182], [181, 185]] 29 22
[[181, 185], [184, 188]] 29 23
[[187, 191], [190, 194]] 30 23
[[190, 194], [193, 197], [196, 200]] 30 24
[[199, 204], [203, 208]] 30 25
[[207, 212], [211, 217]] 30 26
[[211, 217]] 30 27
[[216, 222], [221, 228]] 31 27
[[221, 228], [227, 235]] 31 28
[[227, 235], [234, 243]] 31 29
[[234, 243], [242, 254]] 31 30
[[242, 254], [253, 268]] 31 31
[[253, 268]] 31 32
[[253, 268], [267, 290]] 31 33
[[267, 290]] 31 34
[[267, 290]] 31 35
[[267, 290], [289, 1202]] 31 36
[[289, 1202]] 31 37-149

Table 5: Table of cache-line analysis of BLISS-0. For each interval created, the corresponding AT and CDT cache-lines are given. These two cache-lines are at the basis for the weaknesses exploited on CDT sampling with acceleration table. Note that the possible values inside an interval are not including the upper bound.

Cache Weaknesses

Weakness Type Values Cache-line Interval Cache-Line Pattern CDT


Intersection | 7, 8 | 1 | 1
Intersection | 15, 16 | 3 | 2
Intersection | 23, 24 | 5 | 3
Intersection | 31, 32 | 7 | 4
Intersection | 39, 40 | 9 | 5
Intersection | 78, 79 | 18 | 9
Intersection | 142, 143 | 27 | 17
Jump | 127, 128 | 25 | 15, 16
Jump | 135, 136 | 26 | 16, 17
Jump | 167, 168 | 28 | 20, 21
Jump | 174, 175 | 29 | 22, 21
Jump | 183, 184 | 29 | 22, 23
Jump | 190, 191 | 30 | 24, 23
Jump | 215, 216 | 30 | 26, 26, 27

Table 6: List of cache weaknesses for BLISS-0. For each type, the associated values and cache-line patterns are given.

The set of values G whose cache weakness satisfies both the size and biased requirements is:

G = {127}

with α = 0.09.

BLISS-I

Overview Cache-Line Analysis

Intervals | Cache-line Interval | Cache-line CDT

[[0, 2], [1, 3], [2, 4], [3, 5], [4, 6], [5, 7], [6, 8]] | 0 | 0
[[7, 9]] | 0 | 1
[[8, 11], [10, 12], [11, 13], [12, 14], [13, 15], [14, 16]] | 1 | 1
[[15, 17], [16, 18]] | 1 | 2
[[17, 19], [18, 20], [19, 21], [20, 22], [21, 23], [22, 24]] | 2 | 2
[[23, 25], [24, 26]] | 2 | 3
[[25, 27], [26, 29], [28, 30], [29, 31], [30, 32]] | 3 | 3
[[31, 33], [32, 34], [33, 35]] | 3 | 4
[[34, 36], [35, 37], [36, 38], [37, 39], [38, 40]] | 4 | 4
[[39, 41], [40, 42], [41, 44]] | 4 | 5
[[43, 45], [44, 46], [45, 47], [46, 48]] | 5 | 5
[[47, 49], [48, 50], [49, 51], [50, 52]] | 5 | 6
[[51, 53], [52, 54], [53, 55], [54, 57]] | 6 | 6
[[54, 57], [56, 58], [57, 59], [58, 60], [59, 61]] | 6 | 7
[[60, 62], [61, 63], [62, 64]] | 7 | 7
[[63, 65], [64, 66], [65, 68], [67, 69], [68, 70]] | 7 | 8
[[69, 71], [70, 72]] | 8 | 8
[[71, 73], [72, 74], [73, 75], [74, 76], [75, 78], [77, 79]] | 8 | 9


[[78, 80]] | 9 | 9
[[79, 81], [80, 82], [81, 83], [82, 84], [83, 85], [84, 87], [86, 88]] | 9 | 10
[[87, 89], [88, 90], [89, 91], [90, 92], [91, 94], [93, 95], [94, 96]] | 10 | 11
[[95, 97]] | 10 | 12
[[96, 98], [97, 99], [98, 101], [100, 102], [101, 103], [102, 104]] | 11 | 12
[[103, 105], [104, 106]] | 11 | 13
[[105, 108], [107, 109], [108, 110], [109, 111], [110, 112]] | 12 | 13
[[111, 114], [113, 115], [114, 116]] | 12 | 14
[[115, 117], [116, 119], [118, 120]] | 13 | 14
[[119, 121], [120, 122], [121, 123], [122, 125], [124, 126]] | 13 | 15
[[125, 127], [126, 128]] | 14 | 15
[[127, 130], [129, 131], [130, 132], [131, 134], [133, 135], [134, 136]] | 14 | 16
[[135, 137], [136, 139], [138, 140], [139, 141], [140, 143], [142, 144]] | 15 | 17
[[143, 145], [144, 147]] | 15 | 18
[[146, 148], [147, 149], [148, 151], [150, 152]] | 16 | 18
[[151, 153], [152, 155], [154, 156], [155, 157]] | 16 | 19
[[156, 159], [158, 160]] | 17 | 19
[[159, 161], [160, 163], [162, 164], [163, 166], [165, 167], [166, 168]] | 17 | 20
[[167, 170], [169, 171], [170, 173], [172, 174], [173, 176]] | 18 | 21
[[175, 177], [176, 179], [178, 180]] | 18 | 22
[[179, 182], [181, 183], [182, 185]] | 19 | 22
[[182, 185], [184, 186], [185, 188], [187, 189], [188, 191], [190, 192]] | 19 | 23
[[191, 194], [193, 196], [195, 197], [196, 199], [198, 200]] | 20 | 24
[[199, 202], [201, 204], [203, 205]] | 20 | 25
[[204, 207], [206, 209]] | 21 | 25
[[206, 209], [208, 210], [209, 212], [211, 214], [213, 215], [214, 217]] | 21 | 26
[[214, 217], [216, 219]] | 21 | 27
[[218, 221], [220, 222], [221, 224]] | 22 | 27
[[223, 226], [225, 228], [227, 230], [229, 232]] | 22 | 28
[[231, 233]] | 22 | 29
[[232, 235], [234, 237], [236, 239], [238, 241]] | 23 | 29
[[238, 241], [240, 243], [242, 245], [244, 247], [246, 249]] | 23 | 30
[[246, 249]] | 23 | 31
[[248, 251], [250, 253], [252, 255], [254, 258]] | 24 | 31
[[254, 258], [257, 260], [259, 262], [261, 264]] | 24 | 32
[[263, 266]] | 24 | 33
[[265, 269], [268, 271], [270, 273]] | 25 | 33
[[270, 273], [272, 276], [275, 278], [277, 280]] | 25 | 34
[[279, 283], [282, 285]] | 25 | 35
[[284, 288]] | 26 | 35
[[287, 290], [289, 293], [292, 296]] | 26 | 36
[[295, 298], [297, 301], [300, 304]] | 26 | 37
[[303, 307]] | 26 | 38
[[306, 310], [309, 313]] | 27 | 38
[[309, 313], [312, 316], [315, 319], [318, 322]] | 27 | 39
[[318, 322], [321, 325], [324, 329]] | 27 | 40
[[324, 329], [328, 332]] | 27 | 41


[[331, 335], [334, 339]] | 28 | 41
[[334, 339], [338, 343], [342, 346]] | 28 | 42
[[342, 346], [345, 350], [349, 354]] | 28 | 43
[[349, 354], [353, 358], [357, 363]] | 28 | 44
[[357, 363]] | 28 | 45
[[362, 367], [366, 371]] | 29 | 45
[[366, 371], [370, 376]] | 29 | 46
[[375, 381], [380, 386]] | 29 | 47
[[380, 386], [385, 391], [390, 397]] | 29 | 48
[[390, 397], [396, 403]] | 29 | 49
[[396, 403]] | 29 | 50
[[402, 409]] | 30 | 50
[[402, 409], [408, 415], [414, 422]] | 30 | 51
[[414, 422], [421, 430]] | 30 | 52
[[421, 430], [429, 438]] | 30 | 53
[[429, 438], [437, 446]] | 30 | 54
[[437, 446], [445, 455]] | 30 | 55
[[445, 455], [454, 466]] | 30 | 56
[[454, 466]] | 30 | 57
[[454, 466]] | 30 | 58
[[465, 477]] | 31 | 58
[[465, 477], [476, 490]] | 31 | 59
[[476, 490]] | 31 | 60
[[476, 490], [489, 505]] | 31 | 61
[[489, 505]] | 31 | 62
[[489, 505], [504, 523]] | 31 | 63
[[504, 523]] | 31 | 64
[[504, 523], [522, 545]] | 31 | 65
[[522, 545]] | 31 | 66
[[522, 545]] | 31 | 67
[[522, 545], [544, 575]] | 31 | 68
[[544, 575]] | 31 | 69
[[544, 575]] | 31 | 70
[[544, 575], [574, 624]] | 31 | 71
[[574, 624]] | 31 | 72
[[574, 624]] | 31 | 73
[[574, 624]] | 31 | 74
[[574, 624]] | 31 | 75
[[574, 624]] | 31 | 76
[[574, 624]] | 31 | 77
[[623, 2588]] | 31 | 78-322


Table 7: Table of cache-line analysis of BLISS-I. For each interval created, the corresponding AT and CDT cache-lines are given. These two cache-lines are the basis for the weaknesses exploited in CDT sampling with an acceleration table. Note that the upper bound of an interval is not included in its possible values.

Cache Weaknesses

Weakness Type | Values | Cache-line Interval | Cache-Line Pattern CDT

Intersection | 7, 8 | 0 | 1
Intersection | 78, 79 | 9 | 9
Intersection | 95, 96 | 10 | 12
Intersection | 231, 232 | 22 | 29
Jump | 55, 56 | 6 | 6, 7
Jump | 183, 184 | 19 | 22, 23
Jump | 207, 208 | 21 | 25, 26
Jump | 215, 216 | 21 | 26, 27
Jump | 239, 240 | 23 | 29, 30
Jump | 247, 248 | 23 | 30, 31
Jump | 254, 255 | 24 | 32, 31
Jump | 271, 272 | 25 | 33, 34
Jump | 311, 312 | 27 | 38, 39
Jump | 318, 319 | 27 | 40, 39
Jump | 327, 328 | 27 | 40, 40, 41
Jump | 334, 335 | 28 | 42, 41
Jump | 342, 343 | 28 | 43, 42
Jump | 366, 367 | 29 | 46, 45
Jump | 390, 391 | 29 | 49, 48
Jump | 407, 408 | 30 | 50, 50, 51
Jump | 414, 415 | 30 | 52, 52, 51

Table 8: List of cache weaknesses for BLISS-I. For each type, the associated values and cache-line patterns are given.

The set of values G whose cache weakness satisfies both the size and biased requirements is:

G = {8, 55, 207, 255, 327, 335, 390, 415}

with α ≥ 0.10.

BLISS-II

Overview Cache-Line Analysis


Intervals | Cache-line Interval | Cache-line CDT

[[0, 2], [1, 3], [2, 4], [3, 5]] | 0 | 0
[[4, 6], [5, 7], [6, 8]] | 1 | 0
[[7, 9]] | 1 | 1
[[8, 10], [9, 11], [10, 12], [11, 13], [12, 14]] | 2 | 1
[[13, 15], [14, 16]] | 3 | 1
[[15, 17], [16, 18]] | 3 | 2
[[17, 19], [18, 20], [19, 21], [20, 22]] | 4 | 2
[[21, 23], [22, 24]] | 5 | 2
[[23, 25], [24, 26]] | 5 | 3
[[25, 27], [26, 28], [27, 29], [28, 30], [29, 31]] | 6 | 3
[[30, 32]] | 7 | 3
[[31, 33], [32, 34], [33, 35]] | 7 | 4
[[34, 36], [35, 37], [36, 38], [37, 39], [38, 40]] | 8 | 4
[[39, 41], [40, 42], [41, 43], [42, 44]] | 9 | 5
[[43, 45], [44, 46], [45, 47], [46, 48]] | 10 | 5
[[47, 49]] | 10 | 6
[[48, 50], [49, 51], [50, 52], [51, 53]] | 11 | 6
[[52, 54], [53, 55], [54, 56]] | 12 | 6
[[55, 57], [56, 58]] | 12 | 7
[[57, 59], [58, 60], [59, 61], [60, 62], [61, 63]] | 13 | 7
[[62, 64]] | 14 | 7
[[63, 65], [64, 66], [65, 67], [66, 68]] | 14 | 8
[[67, 69], [68, 70], [69, 71], [70, 72]] | 15 | 8
[[71, 73]] | 15 | 9
[[72, 74], [73, 75], [74, 76], [75, 77], [76, 78], [77, 79]] | 16 | 9
[[78, 80]] | 17 | 9
[[79, 81], [80, 82], [81, 83], [82, 84]] | 17 | 10
[[83, 85], [84, 86], [85, 87], [86, 88]] | 18 | 10
[[87, 89], [88, 90]] | 18 | 11
[[89, 91], [90, 92], [91, 93], [92, 94], [93, 95], [94, 96]] | 19 | 11
[[95, 97], [96, 98], [97, 99], [98, 100], [99, 101], [100, 102]] | 20 | 12
[[101, 103], [102, 104]] | 21 | 12
[[103, 105], [104, 106], [105, 107], [106, 108], [107, 109]] | 21 | 13
[[108, 110], [109, 111], [110, 112]] | 22 | 13
[[111, 113], [112, 114], [113, 115], [114, 116]] | 22 | 14
[[115, 117], [116, 118], [117, 119], [118, 120]] | 23 | 14
[[119, 121], [120, 122], [121, 123], [122, 124]] | 23 | 15
[[123, 125], [124, 126], [125, 127], [126, 128]] | 24 | 15
[[127, 129], [128, 130], [129, 132], [131, 133]] | 24 | 16
[[132, 134], [133, 135], [134, 136]] | 25 | 16
[[135, 137], [136, 138], [137, 140], [139, 141], [140, 142]] | 25 | 17
[[141, 143], [142, 145]] | 26 | 17
[[142, 145], [144, 146], [145, 147], [146, 149], [148, 150], [149, 151], [150, 153]] | 26 | 18
[[150, 153]] | 26 | 19
[[152, 154], [153, 156], [155, 157], [156, 159], [158, 160]] | 27 | 19


[[159, 162], [161, 163], [162, 165]] | 27 | 20
[[164, 167], [166, 169]] | 28 | 20
[[166, 169], [168, 170], [169, 172], [171, 174], [173, 176]] | 28 | 21
[[175, 178], [177, 180]] | 28 | 22
[[179, 183], [182, 185]] | 29 | 22
[[182, 185], [184, 187], [186, 190], [189, 192]] | 29 | 23
[[191, 195], [194, 197], [196, 200]] | 29 | 24
[[199, 203], [202, 207], [206, 210]] | 30 | 25
[[206, 210], [209, 214], [213, 218]] | 30 | 26
[[213, 218], [217, 222], [221, 226]] | 30 | 27
[[221, 226], [225, 231]] | 30 | 28
[[230, 237]] | 31 | 28
[[230, 237], [236, 244]] | 31 | 29
[[236, 244], [243, 251]] | 31 | 30
[[243, 251], [250, 260]] | 31 | 31
[[250, 260], [259, 271]] | 31 | 32
[[259, 271], [270, 286]] | 31 | 33
[[270, 286]] | 31 | 34
[[270, 286], [285, 310]] | 31 | 35
[[285, 310]] | 31 | 36
[[285, 310]] | 31 | 37
[[285, 310], [309, 1284]] | 31 | 38
[[309, 1284]] | 31 | 39-159

Table 9: Table of cache-line analysis of BLISS-II. For each interval created, the corresponding AT and CDT cache-lines are given. These two cache-lines are the basis for the weaknesses exploited in CDT sampling with an acceleration table. Note that the upper bound of an interval is not included in its possible values.

Cache Weaknesses

Weakness Type | Values | Cache-line Interval | Cache-Line Pattern CDT

Intersection | 7, 8 | 1 | 1
Intersection | 30, 31 | 7 | 3
Intersection | 47, 48 | 10 | 6
Intersection | 62, 63 | 14 | 7
Intersection | 71, 72 | 15 | 9
Intersection | 72, 78 | 16 | 9
Intersection | 78, 79 | 17 | 9
Jump | 143, 144 | 26 | 17, 18
Jump | 151, 152 | 26 | 18, 19
Jump | 167, 168 | 28 | 20, 21
Jump | 183, 184 | 29 | 22, 23
Jump | 206, 207 | 30 | 26, 25


Table 10: List of cache weaknesses for BLISS-II. For each type, the associated values and cache-line patterns are given.

The set of values G whose cache weakness satisfies both the size and biased requirements is:

G = {143}

with α ≥ 0.07.

BLISS-III

Overview Cache-Line Analysis

Intervals | Cache-line Interval | Cache-line CDT

[[0, 2], [1, 3], [2, 5], [4, 6], [5, 7], [6, 8]] | 0 | 0
[[7, 10], [9, 11]] | 0 | 1
[[10, 12], [11, 13], [12, 14], [13, 16]] | 1 | 1
[[15, 17], [16, 18], [17, 19], [18, 21]] | 1 | 2
[[20, 22], [21, 23], [22, 24]] | 2 | 2
[[23, 26], [25, 27], [26, 28], [27, 29], [28, 31]] | 2 | 3
[[30, 32]] | 3 | 3
[[31, 33], [32, 34], [33, 35], [34, 37], [36, 38], [37, 39], [38, 40]] | 3 | 4
[[39, 42], [41, 43], [42, 44], [43, 45], [44, 47], [46, 48]] | 4 | 5
[[47, 49], [48, 50]] | 4 | 6
[[49, 52], [51, 53], [52, 54], [53, 55], [54, 57]] | 5 | 6
[[54, 57], [56, 58], [57, 59], [58, 60]] | 5 | 7
[[59, 62], [61, 63], [62, 64]] | 6 | 7
[[63, 65], [64, 67], [66, 68], [67, 69], [68, 71]] | 6 | 8
[[70, 72]] | 7 | 8
[[71, 73], [72, 74], [73, 76], [75, 77], [76, 78], [77, 80]] | 7 | 9
[[79, 81]] | 7 | 10
[[80, 82], [81, 83], [82, 85], [84, 86], [85, 87], [86, 89]] | 8 | 10
[[86, 89], [88, 90], [89, 91]] | 8 | 11
[[90, 93], [92, 94], [93, 95], [94, 96]] | 9 | 11
[[95, 98], [97, 99], [98, 100], [99, 102]] | 9 | 12
[[101, 103], [102, 104]] | 10 | 12
[[103, 106], [105, 107], [106, 108], [107, 110], [109, 111], [110, 113]] | 10 | 13
[[110, 113]] | 10 | 14
[[112, 114], [113, 115], [114, 117], [116, 118], [117, 119], [118, 121]] | 11 | 14
[[118, 121], [120, 122], [121, 123]] | 11 | 15
[[122, 125], [124, 126], [125, 128]] | 12 | 15
[[127, 129], [128, 130], [129, 132], [131, 133], [132, 135]] | 12 | 16
[[134, 136]] | 13 | 16
[[135, 137], [136, 139], [138, 140], [139, 142], [141, 143], [142, 145]] | 13 | 17
[[142, 145], [144, 146]] | 13 | 18


[[145, 148], [147, 149], [148, 150], [149, 152]] | 14 | 18
[[151, 153], [152, 155], [154, 156], [155, 158]] | 14 | 19
[[157, 159], [158, 161]] | 15 | 19
[[158, 161], [160, 162], [161, 164], [163, 165], [164, 167], [166, 168]] | 15 | 20
[[167, 170]] | 15 | 21
[[169, 172], [171, 173], [172, 175], [174, 176]] | 16 | 21
[[175, 178], [177, 179], [178, 181], [180, 183]] | 16 | 22
[[182, 184]] | 17 | 22
[[183, 186], [185, 187], [186, 189], [188, 191], [190, 192]] | 17 | 23
[[191, 194], [193, 196]] | 17 | 24
[[195, 197], [196, 199], [198, 201]] | 18 | 24
[[198, 201], [200, 202], [201, 204], [203, 206], [205, 207], [206, 209]] | 18 | 25
[[206, 209]] | 18 | 26
[[208, 211], [210, 213], [212, 214], [213, 216]] | 19 | 26
[[215, 218], [217, 220], [219, 221], [220, 223]] | 19 | 27
[[222, 225]] | 20 | 27
[[222, 225], [224, 227], [226, 229], [228, 231], [230, 233]] | 20 | 28
[[230, 233], [232, 234], [233, 236], [235, 238]] | 20 | 29
[[237, 240]] | 21 | 29
[[239, 242], [241, 244], [243, 246], [245, 248]] | 21 | 30
[[247, 250], [249, 252], [251, 254]] | 21 | 31
[[253, 256]] | 22 | 31
[[255, 258], [257, 260], [259, 262], [261, 264]] | 22 | 32
[[263, 267], [266, 269], [268, 271]] | 22 | 33
[[270, 273]] | 23 | 33
[[270, 273], [272, 275], [274, 278], [277, 280]] | 23 | 34
[[279, 282], [281, 285], [284, 287], [286, 289]] | 23 | 35
[[286, 289]] | 23 | 36
[[288, 292], [291, 294], [293, 296]] | 24 | 36
[[295, 299], [298, 301], [300, 304]] | 24 | 37
[[303, 307], [306, 309]] | 24 | 38
[[308, 312]] | 25 | 38
[[311, 314], [313, 317], [316, 320]] | 25 | 39
[[319, 323], [322, 325], [324, 328]] | 25 | 40
[[327, 331]] | 25 | 41
[[330, 334], [333, 337]] | 26 | 41
[[333, 337], [336, 340], [339, 343], [342, 346]] | 26 | 42
[[342, 346], [345, 350], [349, 353]] | 26 | 43
[[349, 353], [352, 356]] | 26 | 44
[[355, 360]] | 27 | 44
[[359, 363], [362, 367], [366, 370]] | 27 | 45
[[366, 370], [369, 374], [373, 378]] | 27 | 46
[[373, 378], [377, 381], [380, 385]] | 27 | 47
[[380, 385]] | 27 | 48
[[384, 389], [388, 394]] | 28 | 48
[[388, 394], [393, 398], [397, 402]] | 28 | 49
[[397, 402], [401, 407], [406, 411]] | 28 | 50


[[406, 411], [410, 416]] | 28 | 51
[[415, 421]] | 28 | 52
[[420, 426]] | 29 | 52
[[420, 426], [425, 431], [430, 437]] | 29 | 53
[[430, 437], [436, 442]] | 29 | 54
[[436, 442], [441, 448]] | 29 | 55
[[447, 454], [453, 461]] | 29 | 56
[[453, 461], [460, 468]] | 29 | 57
[[460, 468]] | 29 | 58
[[467, 475]] | 30 | 58
[[467, 475], [474, 482]] | 30 | 59
[[474, 482], [481, 490]] | 30 | 60
[[481, 490], [489, 499]] | 30 | 61
[[489, 499], [498, 508]] | 30 | 62
[[498, 508], [507, 518]] | 30 | 63
[[507, 518], [517, 529]] | 30 | 64
[[517, 529]] | 30 | 65
[[517, 529], [528, 541]] | 30 | 66
[[528, 541]] | 30 | 67
[[540, 554]] | 31 | 67
[[540, 554]] | 31 | 68
[[540, 554], [553, 569]] | 31 | 69
[[553, 569]] | 31 | 70
[[553, 569], [568, 586]] | 31 | 71
[[568, 586]] | 31 | 72
[[568, 586], [585, 607]] | 31 | 73
[[585, 607]] | 31 | 74
[[585, 607], [606, 633]] | 31 | 75
[[606, 633]] | 31 | 76
[[606, 633]] | 31 | 77
[[606, 633]] | 31 | 78
[[606, 633], [632, 667]] | 31 | 79
[[632, 667]] | 31 | 80
[[632, 667]] | 31 | 81
[[632, 667]] | 31 | 82
[[632, 667], [666, 724]] | 31 | 83
[[666, 724]] | 31 | 84
[[666, 724]] | 31 | 85
[[666, 724]] | 31 | 86
[[666, 724]] | 31 | 87
[[666, 724]] | 31 | 88
[[666, 724]] | 31 | 89
[[666, 724], [723, 3006]] | 31 | 90
[[723, 3006]] | 31 | 91-374


Table 11: Table of cache-line analysis of BLISS-III. For each interval created, the corresponding AT and CDT cache-lines are given. These two cache-lines are the basis for the weaknesses exploited in CDT sampling with an acceleration table. Note that the upper bound of an interval is not included in its possible values.

Cache Weaknesses

Weakness Type | Values | Cache-line Interval | Cache-Line Pattern CDT

Intersection | 30, 31 | 3 | 3
Intersection | 70, 71 | 7 | 8
Intersection | 79, 80 | 7 | 10
Intersection | 134, 135 | 13 | 16
Intersection | 182, 183 | 17 | 22
Jump | 55, 56 | 5 | 6, 7
Jump | 87, 88 | 8 | 10, 11
Jump | 111, 112 | 10 | 13, 14
Jump | 119, 120 | 11 | 14, 15
Jump | 143, 144 | 13 | 17, 18
Jump | 159, 160 | 15 | 19, 20
Jump | 199, 200 | 18 | 24, 25
Jump | 207, 208 | 18 | 25, 26
Jump | 223, 224 | 20 | 27, 28
Jump | 231, 232 | 20 | 28, 29
Jump | 271, 272 | 23 | 33, 34
Jump | 287, 288 | 23 | 35, 36
Jump | 335, 336 | 26 | 41, 42
Jump | 342, 343 | 26 | 43, 42
Jump | 351, 352 | 26 | 43, 44
Jump | 366, 367 | 27 | 46, 45
Jump | 383, 384 | 27 | 47, 47, 48
Jump | 406, 407 | 28 | 51, 50

Table 12: List of cache weaknesses for BLISS-III. For each type, the associated values and cache-line patterns are given.

The set of values G whose cache weakness satisfies both the size and biased requirements is:

G = {87, 111, 199, 231}

with α ≥ 0.10.

BLISS-IV

Overview Cache-Line Analysis


Intervals | Cache-line Interval | Cache-line CDT

[[0, 2], [1, 4], [3, 5], [4, 6], [5, 8]] | 0 | 0
[[7, 9], [8, 10], [9, 12]] | 0 | 1
[[11, 13], [12, 14], [13, 16]] | 1 | 1
[[15, 17], [16, 18], [17, 20], [19, 21], [20, 22]] | 1 | 2
[[21, 24]] | 2 | 2
[[23, 25], [24, 26], [25, 28], [27, 29], [28, 30], [29, 32]] | 2 | 3
[[31, 33]] | 2 | 4
[[32, 34], [33, 36], [35, 37], [36, 38], [37, 40]] | 3 | 4
[[39, 41], [40, 42], [41, 44]] | 3 | 5
[[43, 45], [44, 46], [45, 48]] | 4 | 5
[[47, 49], [48, 51], [50, 52], [51, 53], [52, 55]] | 4 | 6
[[54, 56]] | 5 | 6
[[55, 57], [56, 59], [58, 60], [59, 61], [60, 63], [62, 64]] | 5 | 7
[[63, 65]] | 5 | 8
[[64, 67], [66, 68], [67, 70], [69, 71], [70, 72]] | 6 | 8
[[71, 74], [73, 75], [74, 76]] | 6 | 9
[[75, 78], [77, 79], [78, 81]] | 7 | 9
[[78, 81], [80, 82], [81, 83], [82, 85], [84, 86], [85, 88]] | 7 | 10
[[87, 89], [88, 90], [89, 92], [91, 93], [92, 95], [94, 96]] | 8 | 11
[[95, 97], [96, 99]] | 8 | 12
[[98, 100], [99, 102], [101, 103], [102, 105]] | 9 | 12
[[102, 105], [104, 106], [105, 107], [106, 109], [108, 110]] | 9 | 13
[[109, 112]] | 10 | 13
[[111, 113], [112, 115], [114, 116], [115, 118], [117, 119], [118, 121]] | 10 | 14
[[118, 121], [120, 122]] | 10 | 15
[[121, 123], [122, 125], [124, 126], [125, 128]] | 11 | 15
[[127, 129], [128, 131], [130, 132], [131, 134]] | 11 | 16
[[133, 135], [134, 137]] | 12 | 16
[[134, 137], [136, 138], [137, 140], [139, 141], [140, 143], [142, 144]] | 12 | 17
[[143, 146]] | 12 | 18
[[145, 148], [147, 149], [148, 151], [150, 152]] | 13 | 18
[[151, 154], [153, 155], [154, 157], [156, 158]] | 13 | 19
[[157, 160]] | 14 | 19
[[159, 162], [161, 163], [162, 165], [164, 166], [165, 168]] | 14 | 20
[[167, 170], [169, 171]] | 14 | 21
[[170, 173], [172, 174], [173, 176]] | 15 | 21
[[175, 178], [177, 179], [178, 181], [180, 183], [182, 184]] | 15 | 22
[[183, 186], [185, 188], [187, 189], [188, 191], [190, 193]] | 16 | 23
[[190, 193], [192, 194], [193, 196], [195, 198]] | 16 | 24
[[197, 200]] | 17 | 24
[[199, 201], [200, 203], [202, 205], [204, 207], [206, 208]] | 17 | 25
[[207, 210], [209, 212]] | 17 | 26
[[211, 214], [213, 216]] | 18 | 26
[[215, 217], [216, 219], [218, 221], [220, 223], [222, 225]] | 18 | 27


[[222, 225], [224, 227]] | 18 | 28
[[226, 229], [228, 230], [229, 232]] | 19 | 28
[[231, 234], [233, 236], [235, 238], [237, 240]] | 19 | 29
[[239, 242]] | 19 | 30
[[241, 244], [243, 246], [245, 248]] | 20 | 30
[[247, 250], [249, 252], [251, 254], [253, 256]] | 20 | 31
[[255, 258]] | 20 | 32
[[257, 260], [259, 263], [262, 265]] | 21 | 32
[[262, 265], [264, 267], [266, 269], [268, 271], [270, 273]] | 21 | 33
[[270, 273], [272, 275]] | 21 | 34
[[274, 278], [277, 280]] | 22 | 34
[[279, 282], [281, 285], [284, 287], [286, 289]] | 22 | 35
[[286, 289], [288, 291], [290, 294]] | 22 | 36
[[293, 296]] | 23 | 36
[[295, 299], [298, 301], [300, 304]] | 23 | 37
[[303, 306], [305, 309], [308, 311], [310, 314]] | 23 | 38
[[310, 314]] | 23 | 39
[[313, 316], [315, 319], [318, 322]] | 24 | 39
[[318, 322], [321, 324], [323, 327], [326, 330]] | 24 | 40
[[326, 330], [329, 332], [331, 335]] | 24 | 41
[[334, 338]] | 25 | 41
[[334, 338], [337, 341], [340, 344]] | 25 | 42
[[343, 347], [346, 350], [349, 353]] | 25 | 43
[[349, 353], [352, 356], [355, 359]] | 25 | 44
[[358, 362]] | 26 | 44
[[358, 362], [361, 366], [365, 369]] | 26 | 45
[[365, 369], [368, 372], [371, 376]] | 26 | 46
[[375, 379], [378, 383], [382, 386]] | 26 | 47
[[382, 386]] | 26 | 48
[[385, 390], [389, 394]] | 27 | 48
[[389, 394], [393, 398], [397, 401]] | 27 | 49
[[397, 401], [400, 405], [404, 410]] | 27 | 50
[[404, 410], [409, 414], [413, 418]] | 27 | 51
[[413, 418]] | 27 | 52
[[417, 422], [421, 427]] | 28 | 52
[[421, 427], [426, 431], [430, 436]] | 28 | 53
[[430, 436], [435, 441]] | 28 | 54
[[435, 441], [440, 446], [445, 451]] | 28 | 55
[[445, 451], [450, 456]] | 28 | 56
[[455, 462], [461, 468]] | 29 | 57
[[461, 468], [467, 474]] | 29 | 58
[[467, 474], [473, 480]] | 29 | 59
[[479, 486], [485, 493]] | 29 | 60
[[485, 493], [492, 500]] | 29 | 61
[[492, 500], [499, 507]] | 29 | 62
[[499, 507]] | 29 | 63
[[506, 515]] | 30 | 63


[[506, 515], [514, 523]] | 30 | 64
[[514, 523], [522, 532]] | 30 | 65
[[522, 532], [531, 541]] | 30 | 66
[[531, 541], [540, 551]] | 30 | 67
[[540, 551], [550, 562]] | 30 | 68
[[550, 562]] | 30 | 69
[[550, 562], [561, 574]] | 30 | 70
[[561, 574], [573, 586]] | 30 | 71
[[573, 586]] | 30 | 72
[[573, 586]] | 30 | 73
[[585, 601]] | 31 | 73
[[585, 601]] | 31 | 74
[[585, 601], [600, 617]] | 31 | 75
[[600, 617]] | 31 | 76
[[600, 617], [616, 636]] | 31 | 77
[[616, 636]] | 31 | 78
[[616, 636], [635, 658]] | 31 | 79
[[635, 658]] | 31 | 80
[[635, 658]] | 31 | 81
[[635, 658], [657, 686]] | 31 | 82
[[657, 686]] | 31 | 83
[[657, 686]] | 31 | 84
[[657, 686], [685, 724]] | 31 | 85
[[685, 724]] | 31 | 86
[[685, 724]] | 31 | 87
[[685, 724]] | 31 | 88
[[685, 724]] | 31 | 89
[[685, 724], [723, 785]] | 31 | 90
[[723, 785]] | 31 | 91
[[723, 785]] | 31 | 92
[[723, 785]] | 31 | 93
[[723, 785]] | 31 | 94
[[723, 785]] | 31 | 95
[[723, 785]] | 31 | 96
[[723, 785]] | 31 | 97
[[723, 785], [784, 3261]] | 31 | 98
[[784, 3261]] | 31 | 99-406

Table 13: Table of cache-line analysis of BLISS-IV. For each interval created, the corresponding AT and CDT cache-lines are given. These two cache-lines are the basis for the weaknesses exploited in CDT sampling with an acceleration table. Note that the upper bound of an interval is not included in its possible values.

Cache Weaknesses


Weakness Type | Values | Cache-line Interval | Cache-line(s) CDT

Intersection | 31, 32 | 2 | 4
Intersection | 54, 55 | 5 | 6
Intersection | 55, 63 | 5 | 7
Intersection | 63, 64 | 5 | 8
Jump | 79, 80 | 7 | 9, 10
Jump | 103, 104 | 9 | 12, 13
Jump | 119, 120 | 10 | 14, 15
Jump | 135, 136 | 12 | 16, 17
Jump | 191, 192 | 16 | 23, 24
Jump | 223, 224 | 18 | 27, 28
Jump | 263, 264 | 21 | 32, 33
Jump | 271, 272 | 21 | 33, 34
Jump | 287, 288 | 22 | 35, 36
Jump | 310, 311 | 23 | 39, 38
Jump | 318, 319 | 24 | 40, 39
Jump | 326, 327 | 24 | 41, 40
Jump | 334, 335 | 25 | 42, 41
Jump | 351, 352 | 25 | 43, 44
Jump | 358, 359 | 26 | 45, 44
Jump | 367, 368 | 26 | 45, 46
Jump | 382, 383 | 26 | 48, 47
Jump | 399, 400 | 27 | 49, 50
Jump | 439, 440 | 28 | 54, 54, 55

Table 14: List of cache weaknesses for BLISS-IV. For each type, the associated values and cache-line patterns are given.

The set of values G whose cache weakness satisfies both the size and biased requirements is:

G = {79, 103, 119, 263}

with α ≥ 0.10.
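The tables in this appendix record, for every guide-table interval, which acceleration-table (AT) cache-line and which CDT cache-line(s) one sampling step touches, and the weakness tables then single out the output values that such an access pattern identifies. The Python script below is an added example, not code from the thesis or from any BLISS implementation: it performs the same kind of layout analysis on a constructed toy CDT sampler with an acceleration table. It builds the two tables, records the CDT indices a binary search probes for every possible random input, maps them to cache-lines, and reports the (AT line, CDT line pattern) combinations shared by at most two output values, printed in the layout of the weakness tables above. Everything about the model is an assumption of this example rather than a definition taken from the thesis: 8-byte entries in 64-byte cache-lines, a 16-bit fixed-point CDT, an 8-bit guide table indexed by the top byte of the random value, the lower-bound binary search, and the labelling of a pattern as "intersection" (a single CDT line) or "jump" (a sequence of CDT lines), which mirrors the columns of the weakness tables. The parameters sigma = 215 and tail = 1100 are constructed values.

```python
"""Cache-line leakage analysis of a toy CDT sampler with acceleration table.

Added example for the appendix tables; all table layouts and sizes below are
assumptions of this example, not the thesis's or BLISS's actual parameters.
"""
import math
from collections import defaultdict

LINE_BYTES = 64
ENTRY_BYTES = 8                          # assumption: 8-byte entries in both tables
PER_LINE = LINE_BYTES // ENTRY_BYTES     # 8 entries per cache-line
PREC_BITS = 16                           # assumption: 16-bit fixed-point CDT entries
AT_BITS = 8                              # assumption: AT indexed by the top byte of r
ONE = 1 << PREC_BITS


def build_cdt(sigma, tail):
    """cdt[i] = round(ONE * P(X <= i)) for the half discrete Gaussian on 0..tail."""
    weights = [math.exp(-(x * x) / (2.0 * sigma * sigma)) for x in range(tail + 1)]
    total = sum(weights)
    cdt, acc = [], 0.0
    for w in weights:
        acc += w
        cdt.append(int(round(ONE * acc / total)))
    cdt[-1] = ONE                        # every r in [0, ONE) finds an entry above it
    return cdt


def lower_bound(cdt, lo, hi, r, touched):
    """Smallest i in [lo, hi) with cdt[i] > r; every probed index is appended to touched."""
    while lo < hi:
        mid = (lo + hi) // 2
        touched.append(mid)
        if cdt[mid] > r:
            hi = mid
        else:
            lo = mid + 1
    return lo


def build_at(cdt):
    """Guide table: for each top byte b, the CDT index interval [lo, hi) that
    contains the answer for every r whose top byte is b (hi is exclusive)."""
    shift = PREC_BITS - AT_BITS
    table = []
    for b in range(1 << AT_BITS):
        lo = lower_bound(cdt, 0, len(cdt), b << shift, [])
        hi = lower_bound(cdt, 0, len(cdt), ((b + 1) << shift) - 1, []) + 1
        table.append((lo, hi))
    return table


def sample(cdt, at, r, touched=None):
    """One sampling step: guide-table lookup, then binary search inside the interval."""
    touched = [] if touched is None else touched
    lo, hi = at[r >> (PREC_BITS - AT_BITS)]
    return lower_bound(cdt, lo, hi, r, touched)


def analyse(cdt, at):
    """Map each observable (AT cache-line, CDT cache-line pattern) to the set of
    output values that produce it, by simulating every random input r."""
    patterns = defaultdict(set)
    for r in range(ONE):
        touched = []
        x = sample(cdt, at, r, touched)
        at_line = (r >> (PREC_BITS - AT_BITS)) // PER_LINE
        cdt_lines = tuple(i // PER_LINE for i in touched)   # probe order kept, as in the tables
        patterns[(at_line, cdt_lines)].add(x)
    return patterns


def weaknesses(patterns, max_values=2):
    """Patterns produced by at most max_values outputs: observing one of them pins
    the sampled value down to those few candidates. 'intersection' = one CDT line,
    'jump' = the search crosses CDT lines (labelling assumed for this example)."""
    found = []
    for (at_line, cdt_lines), values in sorted(patterns.items()):
        if len(values) <= max_values:
            kind = "intersection" if len(set(cdt_lines)) == 1 else "jump"
            found.append((kind, tuple(sorted(values)), at_line, cdt_lines))
    return found


def main():
    cdt = build_cdt(sigma=215.0, tail=1100)   # constructed toy parameters
    at = build_at(cdt)
    print(f"CDT entries: {len(cdt)}, AT entries: {len(at)}, {PER_LINE} entries per line")
    print("Weakness Type | Values | Cache-line Interval | Cache-Line Pattern CDT")
    for kind, values, at_line, cdt_lines in weaknesses(analyse(cdt, at)):
        print(f"{kind} | {', '.join(map(str, values))} | {at_line} | "
              f"{', '.join(map(str, cdt_lines))}")


if __name__ == "__main__":
    main()
```

Each reported row is an access pattern that a cache-line observer could distinguish and that only one or two output values ever produce; the list is what a defender wants to see empty, which is the reason for replacing table-based sampling with a sampler whose memory accesses do not depend on the value being sampled. Raising max_values shows the larger, less useful classes as well.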
