DTDS: Dilithium Dataset for Power Analysis

YUAN Qingjun, ZHANG Haojin, FAN Haopeng, GAO Yang, WANG Yongjuan

Citation: YUAN Qingjun, ZHANG Haojin, FAN Haopeng, GAO Yang, WANG Yongjuan. DTDS: Dilithium Dataset for Power Analysis[J]. Journal of Electronics & Information Technology, 2025, 47(8): 2499-2508. doi: 10.11999/JEIT250048


doi: 10.11999/JEIT250048 cstr: 32379.14.JEIT250048
Details
    About the authors:

    YUAN Qingjun: male, Ph.D., lecturer; research interests: side-channel analysis and network intrusion detection

    ZHANG Haojin: male, master's student; research interest: side-channel analysis

    FAN Haopeng: male, Ph.D. student; research interest: side-channel analysis

    GAO Yang: male, Ph.D. student; research interest: side-channel analysis

    WANG Yongjuan: female, Ph.D., research professor; research interest: cryptography

    Corresponding author:

    WANG Yongjuan pinkywyj@163.com

  • Footnote 21) Dilithium reference implementation (NIST Round 3 submission): https://pq-crystals.org/dilithium/data/dilithium-submission-nist-round3.zip
  • Footnote 1) Dataset download: https://doi.org/10.57760/sciencedb.j00173.00001
  • CLC number: TN918.2


  • Abstract: The rapid development of quantum computing threatens the security of conventional cryptosystems and has driven the research and standardization of post-quantum cryptographic algorithms. The Dilithium digital signature algorithm is built on lattice theory and was selected by the U.S. National Institute of Standards and Technology (NIST) as a post-quantum cryptography standard in 2024. At the same time, side-channel analysis of Dilithium, and power analysis in particular, has become an active research topic. Existing power-analysis datasets, however, mainly target classical block ciphers such as AES; there is no dataset for newer algorithms such as Dilithium, which limits research on the corresponding side-channel analysis methods. This paper therefore collects and publishes the first power-analysis dataset for the Dilithium algorithm, with the aim of promoting power-analysis research on post-quantum cryptographic algorithms. The dataset is based on the open-source reference implementation of Dilithium running on a Cortex-M4 processor and was captured with dedicated equipment; it contains 60,000 power traces recorded during Dilithium signing, together with the signature source data and the sensitive intermediate values corresponding to each trace. The constructed dataset is then analysed visually, with a detailed study of the execution of polyz_unpack, the function used in random polynomial generation, and of its effect on the power traces. Finally, template analysis and deep-learning analysis are used to model and test the dataset, verifying its validity and practicality. The dataset and related code are available at https://doi.org/10.57760/sciencedb.j00173.00001
  • Figure 1  Non-profiled side-channel analysis methods

    Figure 2  Profiled side-channel analysis methods

    Figure 3  Acquisition setup

    Figure 4  Acquisition flowchart

    Figure 5  Power trace in the time domain and the corresponding correlation-coefficient plot

    Table 1  Dilithium security-level parameters

    Parameter                                   | NIST level 2 | NIST level 3 | NIST level 5
    $q$ [modulus]                               | 8380417      | 8380417      | 8380417
    $n$ [dimension of $R_q$]                    | 256          | 256          | 256
    $(k,\ell)$ [dimension of $\boldsymbol{A}$]  | (4,4)        | (6,5)        | (8,7)
    $\gamma_1$ [range of $\boldsymbol{y}$]      | $2^{17}$     | $2^{19}$     | $2^{19}$

    Algorithm 1  KeyGen()

     $\zeta \leftarrow \{0,1\}^{256}$
     $(\rho, \rho', K) \in \{0,1\}^{256} \times \{0,1\}^{512} \times \{0,1\}^{256} := H(\zeta)$
     $\boldsymbol{A} \in R_q^{k \times \ell} := \mathrm{ExpandA}(\rho)$
     $(\boldsymbol{s}_1, \boldsymbol{s}_2) \in S_\eta^{\ell} \times S_\eta^{k} := \mathrm{ExpandS}(\rho')$
     $\boldsymbol{t} := \boldsymbol{A}\boldsymbol{s}_1 + \boldsymbol{s}_2$
     $(\boldsymbol{t}_1, \boldsymbol{t}_0) := \mathrm{Power2Round}_q(\boldsymbol{t}, d)$
     $\mathrm{tr} \in \{0,1\}^{256} := H(\rho \parallel \boldsymbol{t}_1)$
     $\mathbf{return}\ \big(\mathrm{pk} = (\rho, \boldsymbol{t}_1),\ \mathrm{sk} = (\rho, K, \mathrm{tr}, \boldsymbol{s}_1, \boldsymbol{s}_2, \boldsymbol{t}_0)\big)$

    Algorithm 2  Sign($\mathrm{sk}$, $M$)

     $\boldsymbol{A} \in R_q^{k \times \ell} := \mathrm{ExpandA}(\rho)$
     $\mu \in \{0,1\}^{512} := H(\mathrm{tr} \parallel M)$
     $\kappa := 0,\ (\boldsymbol{z}, \boldsymbol{h}) := \bot$
     $\rho' \in \{0,1\}^{512} := H(K \parallel \mu)$
     $\mathbf{while}\ (\boldsymbol{z}, \boldsymbol{h}) = \bot\ \mathbf{do}$
       $\boldsymbol{y} \in \tilde{S}_{\gamma_1}^{\ell} := \mathrm{ExpandMask}(\rho', \kappa)$   (this line calls polyz_unpack)
       $\boldsymbol{w} := \boldsymbol{A}\boldsymbol{y}$
       $\boldsymbol{w}_1 := \mathrm{HighBits}_q(\boldsymbol{w}, 2\gamma_2)$
       $\tilde{\boldsymbol{c}} \in \{0,1\}^{256} := H(\mu \parallel \boldsymbol{w}_1)$
       $c \in B_\tau := \mathrm{SampleInBall}(\tilde{\boldsymbol{c}})$
       $\boldsymbol{z} := \boldsymbol{y} + c\boldsymbol{s}_1$
       $\boldsymbol{r}_0 := \mathrm{LowBits}_q(\boldsymbol{w} - c\boldsymbol{s}_2, 2\gamma_2)$
       $\mathbf{if}\ \|\boldsymbol{z}\|_\infty \ge \gamma_1 - \beta\ \mathbf{or}\ \|\boldsymbol{r}_0\|_\infty \ge \gamma_2 - \beta\ \mathbf{then}\ (\boldsymbol{z}, \boldsymbol{h}) := \bot$
       $\mathbf{else}$
        $\boldsymbol{h} := \mathrm{MakeHint}_q(-c\boldsymbol{t}_0,\ \boldsymbol{w} - c\boldsymbol{s}_2 + c\boldsymbol{t}_0,\ 2\gamma_2)$
        $\mathbf{if}\ \|c\boldsymbol{t}_0\|_\infty \ge \gamma_2\ \mathbf{or}\ \text{the number of 1's in } \boldsymbol{h} \text{ is greater than } \omega\ \mathbf{then}\ (\boldsymbol{z}, \boldsymbol{h}) := \bot$
       $\kappa := \kappa + \ell$
     $\mathbf{return}\ \sigma = (\tilde{\boldsymbol{c}}, \boldsymbol{z}, \boldsymbol{h})$
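    Why $\boldsymbol{y}$ is the sensitive intermediate value that the dataset labels (a short derivation added here; it is not part of the paper, and it follows directly from Algorithm 2):

    In the loop body, $\boldsymbol{z} := \boldsymbol{y} + c\boldsymbol{s}_1$, and the signature $\sigma = (\tilde{\boldsymbol{c}}, \boldsymbol{z}, \boldsymbol{h})$ reveals $\boldsymbol{z}$ and, through $c := \mathrm{SampleInBall}(\tilde{\boldsymbol{c}})$, the challenge $c$. If the power trace of polyz_unpack gives an attacker the masking vector $\boldsymbol{y}$ of one accepted signature, then

    $c\,\boldsymbol{s}_1 = \boldsymbol{z} - \boldsymbol{y} \in R_q^{\ell}$

    Because $c$ has only $\tau$ nonzero coefficients, all $\pm 1$, it is a unit in $R_q$ with high probability (none of its $n = 256$ NTT coefficients is zero), so

    $\boldsymbol{s}_1 = c^{-1}(\boldsymbol{z} - \boldsymbol{y}) \bmod q$

    is obtained from a single signature, without touching key generation. Each of the $\ell$ polynomials of $\boldsymbol{y}$ is needed for the corresponding polynomial of $\boldsymbol{s}_1$, which is why the dataset stores all $\ell \times 256 = 4 \times 256$ coefficients of $\boldsymbol{y}$ next to every trace. Note also that $\boldsymbol{y}$ is the quantity the rejection test on $\|\boldsymbol{z}\|_\infty$ is designed to keep hidden: the loop restarts rather than release a $\boldsymbol{z}$ whose distribution would depend on $\boldsymbol{s}_1$, and a leak of $\boldsymbol{y}$ removes exactly that protection.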

    Table 2  Acquisition parameters

    Category      | Parameter                   | Value
    Target chip   | Model                       | STM32F405RGTx
                  | Platform                    | ChipWhisperer UFO
                  | Operating frequency         | 25 MHz
                  | External high-speed clock   | 10 MHz
    Oscilloscope  | Model                       | Pico 3206D
                  | Resolution mode             | 8 bit
                  | Timebase                    | 3
                  | Sampling rate               | 125 MHz
    Other         | Filter                      | BLP-48+ 50 M
                  | Amplifier                   | (not specified on the page)
    Algorithm     | Parameter set               | Dilithium2
                  | Compiler                    | arm-none-eabi-gcc 10.2.1
                  | Compiler flags              | -O1
    Host PC       | Processor                   | i7-12500
                  | Memory                      | 64 GB DDR4

    Table 3  Dataset file description

    File                      | Description
    polyz_unpack_traces.npy   | Power-trace file: the leakage of the polyz_unpack function during the signature computation on the metadata. Each file stores 5,000 traces of 20,000 samples each.
    polyz_unpack_y.npy        | Sensitive-intermediate-value file: the vector $\boldsymbol{y}$ produced by polyvecl_uniform_gamma1 during that signature computation. Each file holds 5,000 random $\boldsymbol{y}$ vectors, each of 4 × 256 coefficients ($\ell = 4$ polynomials of 256 coefficients for Dilithium2).
    mate.req                  | Metadata file, in one-to-one correspondence with the training-set trace file. Holds 5,000 signature records, each with a sequence number (counter), seed, public key (pk), secret key (sk), message (msg), message length (mlen), signed message (sm) and signed-message length (smlen).

    Algorithm 3  polyz_unpack(poly *r, const uint8_t *a)

     /* GAMMA1 == 2^17 branch of the reference implementation (Dilithium2):
      * every 9 input bytes hold four 18-bit fields; NN is the polynomial degree N = 256.
      * The field value f is the intermediate that leaks; the coefficient is y = GAMMA1 - f. */
     void polyz_unpack(poly *r, const uint8_t *a) {
      unsigned int i;
      for(i = 0; i < NN / 4; ++i) {
       /* field 0: bits 0..17 of bytes 0..2 */
       r->coeffs[4*i+0] = a[9*i+0];
       r->coeffs[4*i+0] |= (uint32_t)a[9*i+1] << 8;
       r->coeffs[4*i+0] |= (uint32_t)a[9*i+2] << 16;
       r->coeffs[4*i+0] &= 0x3FFFF;

       /* field 1: bits 18..35, starting at bit 2 of byte 2 */
       r->coeffs[4*i+1] = a[9*i+2] >> 2;
       r->coeffs[4*i+1] |= (uint32_t)a[9*i+3] << 6;
       r->coeffs[4*i+1] |= (uint32_t)a[9*i+4] << 14;
       r->coeffs[4*i+1] &= 0x3FFFF;

       /* field 2: bits 36..53, starting at bit 4 of byte 4 */
       r->coeffs[4*i+2] = a[9*i+4] >> 4;
       r->coeffs[4*i+2] |= (uint32_t)a[9*i+5] << 4;
       r->coeffs[4*i+2] |= (uint32_t)a[9*i+6] << 12;
       r->coeffs[4*i+2] &= 0x3FFFF;

       /* field 3: bits 54..71, starting at bit 6 of byte 6 */
       r->coeffs[4*i+3] = a[9*i+6] >> 6;
       r->coeffs[4*i+3] |= (uint32_t)a[9*i+7] << 2;
       r->coeffs[4*i+3] |= (uint32_t)a[9*i+8] << 10;
       r->coeffs[4*i+3] &= 0x3FFFF;

       /* map the unsigned field to the signed coefficient y in (-GAMMA1, GAMMA1] */
       r->coeffs[4*i+0] = GAMMA1 - r->coeffs[4*i+0];
       r->coeffs[4*i+1] = GAMMA1 - r->coeffs[4*i+1];
       r->coeffs[4*i+2] = GAMMA1 - r->coeffs[4*i+2];
       r->coeffs[4*i+3] = GAMMA1 - r->coeffs[4*i+3];
      }
     }
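A worked profiling pipeline on this target, added here as an example; it is not code from the paper or from the DTDS release. It ports the GAMMA1 = 2^17 branch of polyz_unpack and its inverse polyz_pack to Python, so that labels can be derived from packed bytes or from stored $\boldsymbol{y}$ values, and then runs a Gaussian template attack with correlation-based point-of-interest selection, the same steps that underlie Figure 5 and Tables 4 and 5. The real .npy files are not loaded here: the traces are constructed, with Hamming-weight leakage of coefficient 0's intermediates (the three byte loads and the masked 18-bit field) placed at assumed sample positions and Gaussian noise added. The sample positions, the noise level and the choice of HW(f_0) as the label are assumptions of this example, not facts about the dataset.

```python
"""Added example: Python port of polyz_unpack/polyz_pack (GAMMA1 = 2^17) and a
Gaussian template attack on constructed traces. Not code from the paper."""
import numpy as np

GAMMA1 = 1 << 17                   # Dilithium2: gamma_1 = 2^17, 18-bit packed coefficients
N = 256                            # polynomial degree
POLYZ_PACKEDBYTES = N * 18 // 8    # 576 bytes per packed polynomial

# Assumed leakage positions for the constructed traces (real traces have 20,000 samples).
BYTE_LOAD_POINTS = (40, 60, 80)    # loads of a[0], a[1], a[2]
FIELD_POINTS = (100, 101, 102)     # the masked 18-bit field f_0 of coefficient 0
N_SAMPLES = 200


def polyz_unpack(a: bytes) -> list:
    """Port of the GAMMA1 == 2^17 branch of polyz_unpack (Algorithm 3): 9 bytes -> 4 coeffs."""
    assert len(a) == POLYZ_PACKEDBYTES
    r = [0] * N
    for i in range(N // 4):
        b = a[9 * i:9 * i + 9]
        fields = ((b[0] | b[1] << 8 | b[2] << 16) & 0x3FFFF,
                  (b[2] >> 2 | b[3] << 6 | b[4] << 14) & 0x3FFFF,
                  (b[4] >> 4 | b[5] << 4 | b[6] << 12) & 0x3FFFF,
                  (b[6] >> 6 | b[7] << 2 | b[8] << 10) & 0x3FFFF)
        for j, f in enumerate(fields):
            r[4 * i + j] = GAMMA1 - f   # y_j in (-gamma_1, gamma_1]
    return r


def polyz_pack(r: list) -> bytes:
    """Inverse of polyz_unpack (the reference implementation's polyz_pack, same branch)."""
    out = bytearray(POLYZ_PACKEDBYTES)
    for i in range(N // 4):
        t = [GAMMA1 - r[4 * i + j] for j in range(4)]
        assert all(0 <= x < (1 << 18) for x in t), "coefficient out of range"
        out[9 * i + 0] = t[0] & 0xFF
        out[9 * i + 1] = (t[0] >> 8) & 0xFF
        out[9 * i + 2] = ((t[0] >> 16) | (t[1] << 2)) & 0xFF
        out[9 * i + 3] = (t[1] >> 6) & 0xFF
        out[9 * i + 4] = ((t[1] >> 14) | (t[2] << 4)) & 0xFF
        out[9 * i + 5] = (t[2] >> 4) & 0xFF
        out[9 * i + 6] = ((t[2] >> 12) | (t[3] << 6)) & 0xFF
        out[9 * i + 7] = (t[3] >> 2) & 0xFF
        out[9 * i + 8] = (t[3] >> 10) & 0xFF
    return bytes(out)


def hw(x: int) -> int:
    return bin(x).count("1")


def simulate_traces(n_traces: int, sigma: float, rng):
    """Constructed traces: Hamming-weight leakage of coefficient 0's intermediates plus
    N(0, sigma) noise. Label = HW(f_0) with f_0 = GAMMA1 - y_0, the value polyz_unpack masks."""
    traces = rng.normal(0.0, sigma, size=(n_traces, N_SAMPLES))
    labels = np.empty(n_traces, dtype=int)
    for t in range(n_traces):
        a = rng.integers(0, 256, size=POLYZ_PACKEDBYTES, dtype=np.uint8).tobytes()
        f0 = GAMMA1 - polyz_unpack(a)[0]
        labels[t] = hw(f0)
        for p, byte in zip(BYTE_LOAD_POINTS, a[:3]):
            traces[t, p] += hw(byte)
        for p in FIELD_POINTS:
            traces[t, p] += hw(f0)
    return traces, labels


def select_pois(traces, labels, k: int):
    """Top-k samples by |correlation| with the label (Figure 5's correlation plot, in code)."""
    x = traces - traces.mean(axis=0)
    l = labels - labels.mean()
    corr = (x * l[:, None]).sum(axis=0) / (np.sqrt((x ** 2).sum(axis=0)) * np.sqrt((l ** 2).sum()) + 1e-12)
    return np.argsort(-np.abs(corr))[:k]


def build_templates(traces, labels, pois):
    """Per-class means over the POIs and one pooled covariance (the rare extreme Hamming
    weights have too few traces for a covariance of their own)."""
    x = traces[:, pois]
    means = {c: x[labels == c].mean(axis=0) for c in np.unique(labels)}
    resid = np.vstack([x[labels == c] - means[c] for c in means])
    cov = np.cov(resid, rowvar=False) + 1e-6 * np.eye(len(pois))
    return means, np.linalg.inv(cov)


def classify(traces, pois, means, cov_inv):
    """Maximum-likelihood class under the Gaussian templates."""
    x = traces[:, pois]
    classes = np.array(list(means))
    scores = np.empty((len(x), len(classes)))
    for j, c in enumerate(classes):
        d = x - means[c]
        scores[:, j] = -0.5 * np.einsum("ij,jk,ik->i", d, cov_inv, d)
    return classes[scores.argmax(axis=1)]


def template_attack_accuracy(n_profile=3000, n_attack=1000, n_pois=32, sigma=0.5) -> float:
    """Profile on n_profile constructed traces, attack n_attack fresh ones, return accuracy."""
    rng = np.random.default_rng(7)
    prof, prof_lbl = simulate_traces(n_profile, sigma, rng)
    atk, atk_lbl = simulate_traces(n_attack, sigma, rng)
    pois = select_pois(prof, prof_lbl, n_pois)
    means, cov_inv = build_templates(prof, prof_lbl, pois)
    return float((classify(atk, pois, means, cov_inv) == atk_lbl).mean())


if __name__ == "__main__":
    for k in (8, 16, 32, 64, 128):   # the POI sweep of Table 4, on constructed data
        print(f"{k:3d} POIs: accuracy {template_attack_accuracy(n_pois=k):.3f}")
```

To use the pipeline on the real dataset, replace simulate_traces with np.load of polyz_unpack_traces.npy and polyz_unpack_y.npy and compute the label from the stored $\boldsymbol{y}$ (for coefficient 0, f_0 = GAMMA1 - y[0]); polyz_pack recovers the exact SHAKE output bytes that polyz_unpack consumed, which is what a byte-level leakage model needs. The pooled-covariance template is the practical choice when classes are unbalanced, as the binomially distributed Hamming weight of an 18-bit field is. Chance level for that label is the most frequent class, HW = 9, at about 18.5 %; the constructed traces give well above that because six points carry signal. The drop in accuracy at 128 POIs in Table 4 comes from adding noise-only samples to the covariance estimate; the effect is weaker here than on the real traces because the constructed leakage is concentrated in so few samples.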

    Table 4  Template attack: accuracy for different numbers of points of interest (30,000 profiling traces)

    Points of interest | Profiling traces | Time (s) | Accuracy (%)
    8                  | 30000            | 383.10   | 6.83
    16                 | 30000            | 383.70   | 7.80
    32                 | 30000            | 386.92   | 8.36
    64                 | 30000            | 397.89   | 9.34
    128                | 30000            | 456.29   | 3.11

    Table 5  Template attack: accuracy for different numbers of profiling traces (32 points of interest)

    Profiling traces | Points of interest | Time (s) | Accuracy (%)
    5000             | 32                 | 312.09   | 6.79
    10000            | 32                 | 326.64   | 7.73
    15000            | 32                 | 341.61   | 7.90
    20000            | 32                 | 357.98   | 8.20
    25000            | 32                 | 371.08   | 8.25
    30000            | 32                 | 387.01   | 8.36

    Table 6  Deep-learning model parameters

    Layer type     | Kernel size | Kernels / units | Stride | Padding | Activation | Output shape
    InputLayer     | -           | -               | -      | -       | -          | (None, input_shape)
    Conv1D         | 11          | 64              | 1      | same    | relu       | (None, *, 64)
    AveragePool1D  | 2           | -               | 2      | -       | -          | (None, *, 32)
    Conv1D         | 11          | 128             | 1      | same    | relu       | (None, *, 128)
    AveragePool1D  | 2           | -               | 2      | -       | -          | (None, *, 64)
    Flatten        | -           | -               | -      | -       | -          | (None, flattened_size)
    Dense          | -           | 256             | -      | -       | relu       | (None, 256)
    Dense          | -           | 256             | -      | -       | relu       | (None, 256)
    Dense          | -           | 32              | -      | -       | -          | (None, 32)

    Table 7  Deep learning: accuracy for different numbers of profiling traces (500 points of interest)

    Profiling traces | Points of interest | Time (s) | Accuracy (%)
    5000             | 500                | 247.57   | 9.98
    10000            | 500                | 540.30   | 18.12
    15000            | 500                | 689.55   | 23.87
    20000            | 500                | 850.91   | 26.72
    25000            | 500                | 1101.74  | 27.28
    30000            | 500                | 1569.06  | 28.88
    40000            | 500                | 1867.35  | 30.29
Publication history
  • Received: 2025-01-20
  • Revised: 2025-03-31
  • Published online: 2025-04-23
  • Issue date: 2025-08-27
