SHIFT SNARE: Uncovering Secret Keys in FALCON via Single-Trace Analysis

๐Ÿ“… 2025-04-01
๐Ÿ›๏ธ IACR Cryptology ePrint Archive
๐Ÿ“ˆ Citations: 0
โœจ Influential: 0
๐Ÿ“„ PDF

career value

222K/year
๐Ÿค– AI Summary
This work uncovers a critical side-channel vulnerability in the discrete Gaussian sampling (DGS) step of FALCONโ€”a NIST-standardized post-quantum signature schemeโ€”during key generation. Specifically, it exploits a sign-bit leakage induced by a 63-bit right shift on 64-bit integers in the reference implementation. We propose the first single-trace power-analysis attack capable of accurately determining the sign (โˆ’1 or 0) of polynomial coefficients using only one power trace. Our method integrates side-channel analysis with statistical hypothesis testing. Evaluated on an ARM Cortex-M4 embedded platform for FALCON-512, it achieves a per-coefficient recovery success rate of 99.9999999478% and a full-secret-key recovery rate of 99.99994654%. This is the first attack to fully recover a FALCON secret key under a single-trace setting, breaking the conventional multi-trace paradigm and highlighting practical side-channel risks of lattice-based signatures in resource-constrained deployments.

Technology Category

Application Category

๐Ÿ“ Abstract
This paper presents a novel single-trace side-channel attack on FALCON -- a lattice-based post-quantum digital signature protocol recently approved for standardization by NIST. We target the discrete Gaussian sampling operation within the FALCON key generation scheme and use a single power measurement trace to succeed. Notably, negating the `shift right 63-bit' operation (for 64-bit values) leaks critical information about the `-1' vs. `0' assignments to intermediate coefficients. These leaks enable full recovery of the generated secret keys. The proposed attack is implemented on an ARM Cortex-M4 microcontroller running both reference and optimized software implementations from FALCON's NIST Round 3 package. Statistical analysis with 500k tests reveals a per coefficient success rate of 99.9999999478% and a full key recovery success rate of 99.99994654% for FALCON-512. This work highlights the vulnerability of current software solutions to single-trace attacks and underscores the urgent need to develop single-trace resilient software for embedded systems.
Problem

Research questions and friction points this paper is trying to address.

Single-trace attack on FALCON key generation
Exploits leakage in discrete Gaussian sampling
Recovers secret keys with high success rate
Innovation

Methods, ideas, or system contributions that make the work stand out.

Single-trace attack on FALCON key generation
Exploits shift right 63-bit operation leak
ARM Cortex-M4 implementation with high success