Visible to the public Detecting Cache-Timing Vulnerabilities in Post-Quantum Cryptography Algorithms

TitleDetecting Cache-Timing Vulnerabilities in Post-Quantum Cryptography Algorithms
Publication TypeConference Paper
Year of Publication2018
AuthorsFacon, A., Guilley, S., Lec'Hvien, M., Schaub, A., Souissi, Y.
Conference Name2018 IEEE 3rd International Verification and Security Workshop (IVSW)
ISBN Number978-1-5386-6544-2
Keywordscache storage, cache-timing attacks, cache-timing vulnerabilities, composability, cryptographic algorithms, dedicated vulnerability research tool, development cycle, Encryption, execution behavior, leakage pattern detection, Metrics, NIST, NIST post-quantum cryptography project submissions, NIST post-quantum standardization project, post-quantum cryptography algorithms, program diagnostics, Proposals, pubcrawl, quantum cryptography, source code, static analysis, taint analysis, Tools, validation tools

When implemented on real systems, cryptographic algorithms are vulnerable to attacks observing their execution behavior, such as cache-timing attacks. Designing protected implementations must be done with knowledge and validation tools as early as possible in the development cycle. In this article we propose a methodology to assess the robustness of the candidates for the NIST post-quantum standardization project to cache-timing attacks. To this end we have developed a dedicated vulnerability research tool. It performs a static analysis with tainting propagation of sensitive variables across the source code and detects leakage patterns. We use it to assess the security of the NIST post-quantum cryptography project submissions. Our results show that more than 80% of the analyzed implementations have at least one potential flaw, and three submissions total more than 1000 reported flaws each. Finally, this comprehensive study of the competitors security allows us to identify the most frequent weaknesses amongst candidates and how they might be fixed.

Citation Keyfacon_detecting_2018