Machine-Learning Side-Channel Attacks on the GALACTICS Constant-Time Implementation of BLISS
This work addresses a critical security problem for post-quantum cryptography implementations, specifically for developers and users of lattice-based schemes like BLISS, by exposing practical vulnerabilities in a constant-time design.
The paper tackles the vulnerability of the GALACTICS constant-time implementation of the BLISS post-quantum signature scheme to side-channel attacks, demonstrating three machine-learning-based attacks that exploit leakages in Gaussian sampling and signing to achieve high-accuracy key recovery on a Cortex-M4 device.
Due to the advancing development of quantum computers, practical attacks on conventional public-key cryptography may become feasible in the next few decades. To address this risk, post-quantum schemes that are secure against quantum attacks are being developed. Lattice-based algorithms are promising replacements for conventional schemes, with BLISS being one of the earliest post-quantum signature schemes in this family. However, required subroutines such as Gaussian sampling have been demonstrated to be a risk for the security of BLISS, since implementing Gaussian sampling both efficient and secure with respect to physical attacks is highly challenging. This paper presents three related power side-channel attacks on GALACTICS, the latest constant-time implementation of BLISS. All attacks are based on leakages we identified in the Gaussian sampling and signing algorithm of GALACTICS. To run the attack, a profiling phase on a device identical to the device under attack is required to train machine learning classifiers. In the attack phase, the leakages of GALACTICS enable the trained classifiers to predict sensitive internal information with high accuracy, paving the road for three different key recovery attacks. We demonstrate the leakages by running GALACTICS on a Cortex-M4 and provide proof-of-concept data and implementation for all our attacks.