CryptoDB
Ruize Wang
Publications and invited talks
Year: 2025
Venue: RWC
Title: Is Your Bluetooth Chip Leaking Secrets via RF Signals?
Abstract
In this talk, we present a side-channel attack on a Bluetooth chip embedded in millions of devices worldwide, from wearables and smart home products to industrial IoT. The attack marks a significant milestone, as previous attempts to recover the encryption key from the proprietary hardware AES-CCM accelerator in this chip were unsuccessful. Our approach leverages side-channel information from AES computations that the chip unintentionally transmits together with its RF signals. Unlike traditional side-channel attacks based on power or near-field EM emissions, the one presented here leaves no evidence of tampering, eliminating the need for package removal, chip decapsulation, or additional soldered components. However, the side-channel signals that we extract from RF signals are considerably weaker and noisier, requiring more traces for successful key recovery. The presented attack requires 180,000 traces, with each trace computed by averaging 10,000 measurements per encryption.
Year: 2024
Venue: CIC
Title: Unpacking Needs Protection
Abstract
Most of the previous attacks on Dilithium exploit side-channel information leaked during the computation of the polynomial multiplication cs1, where s1 is a small-norm secret and c is a verifier's challenge. In this paper, we present a new attack utilizing leakage during secret key unpacking in the signing algorithm. The unpacking is also used in other post-quantum cryptographic algorithms, including Kyber, because the inputs and outputs of their API functions are byte arrays. Exploiting leakage during unpacking is more challenging than exploiting leakage during the computation of cs1, since c varies for each signing while the unpacked secret key remains constant. Therefore, post-processing is required in the latter case to recover the full secret key. We present two variants of post-processing. In the first one, half of the coefficients of the secret s1 and the error s2 are recovered by profiled deep learning-assisted power analysis, and the rest are derived by solving linear equations based on t = As1 + s2, where A and t are parts of the public key. This case assumes knowledge of the least significant bits of t, t0. The second variant uses lattice reduction to derive s1 without knowledge of t0. However, it needs a larger portion of s1 to be recovered by power analysis. We evaluate both variants on an ARM Cortex-M4 implementation of Dilithium-2. The experiments show that the attack assuming knowledge of t0 can recover s1 from a single trace, captured from a device other than the profiling device, with a non-negligible probability.
Coauthors
- Elena Dubrova (2)
- Joel Gärtner (1)
- Yanning Ji (1)
- Kalle Ngo (1)
- Ruize Wang (2)