On recovering block cipher secret keys in the cold boot attack setting

This paper presents a general strategy to recover a block cipher secret key in the cold boot attack setting. More precisely, we propose a key-recovery method that combines key enumeration algorithms and Grover's quantum algorithm to recover a block cipher secret key after an attacker has procured a noisy version of it via a cold boot attack. We also show how to implement the quantum component of our algorithm for several block ciphers such as AES, PRESENT and GIFT, and LowMC. Additionally, since evaluating the third-round post-quantum candidates of the National Institute of Standards and Technology (NIST) post-quantum standardization process against different attack vectors is of great importance for their overall assessment, we show the feasibility of performing our hybrid attack on Picnic, a post-quantum signature algorithm being an alternate candidate in the NIST post-quantum standardization competition. According to our results, our method may recover the Picnic private key for all Picnic parameter sets, tolerating up to $40\%$ of noise for some of the parameter sets. Furthermore, we provide a detailed analysis of our method by giving the cost of its resources, its running time, and its success rate for various enumerations.


Introduction
Post-quantum cryptography has gained much attention in the past few years.One of the main reasons is the National Institute of Standards and Technology (NIST) call for proposals for post-quantum schemes (Signature schemes and Key encapsulation mechanisms).Currently, the call is in the third round, and there are few candidates for signature schemes: Picnic, Falcon, Rainbow, Crystals-Dilithium, GeMSS, and SPHINCS+.
The security of the schemes relies on different mathematical properties, so one can break a scheme if one finds a way to exploit some weaknesses in these mathematical properties, and hence may, in an easy way, recover information that is sensitive.Moreover, there are attacks where the main target is the implementation of the scheme, and such attacks are called side-channel attacks.One of those attacks is called a cold boot attack.Briefly, the idea of the attack is to fetch sensitive data from the memory of an electronic device.
This paper presents a general procedure by which a cold boot attacker may recover a block cipher secret key after procuring a noisy version of the key via a cold boot attack.More specifically, we describe a method that exploits key enumeration algorithms and a well-known quantum algorithm, namely, Grover's Algorithm.Also, we show how to implement the quantum component of our algorithm for several block ciphers such as AES, PRESENT and GIFT, and LowMC.Furthermore, we give a use case where Picnic (a third-round signature scheme from NIST) is evaluated in the cold boot attack setting, focusing on its current reference implementation.According to our knowledge, this is the first paper evaluating this signature scheme in the cold boot attack setting.In the study case, we further detail our key-recovery method for Picnic private keys in the cold boot attack setting, providing a detailed analysis of its costs of resources, its running time, and success rates for all Picnic parameter sets.
This paper is structured as follows.In Section 2, we present background material about cold-boot attacks, the model we assume for studying cold-boot attacks on cryptographic schemes, as well as a literature review on previous works on cold-boot attacks on cryptographic algorithms and background material on quantum computing.Section 3 gives a high-level idea of the key-recovery problem in the cold blood attack setting.In Section 4, we present our hybrid key-recovery method.In particular, Section 4.2 describes our key-recovery strategy combined with Grover's quantum algorithm (a.k.a hybrid attack), its running time, and costs in terms of resources for several block ciphers.In Section 5, we concentrate on Picnic, particularly on its key-generation algorithm and implementation, providing a detailed description of how to apply our algorithm to LowMC in the context of Picnic.Lastly, Section 6 encloses our final comments on the paper, highlighting some future research works.

Background
In this section, we will present background material about cold boot attacks, the model we assume for studying cold-boot attacks on cryptographic schemes, a literature review of previous works about cold boot attacks on cryptographic algorithms, background material on quantum computing, and lastly, a general strategy to tackle the key-recovery problem in the cold boot attack setting.

Cold boot attacks
A cold boot attack is a kind of data remanence attack by which an adversary could fetch sensitive data from an electronic device's main memory after the device has supposedly deleted the memory data.This attack vector exploits the data remanence property of Dynamic RAM (DRAM).Through it, an adversary might recover readable memory content after the device's power is off for a while.This attack vector, introduced in [20], has been explored extensively against multiple cryptographic schemes, as we will discuss in Section 2.3.In this setting, an adversary, who has physical access to a device, might retrieve chunks of memory content from the device via carrying out a cold-rebooting on it [20,30,48].In general terms, the adversary forces the operating system to shut down, which causes it to go past all tasks that typically execute during a normal shutdown, such as the file system synchronization.Therefore such an adversary may employ an external disk to start and run a lightweight operating system to copy memory contents of pre-boot DRAM to a file.Alternatively, such an attacker may remove the physical memory modules from the device (if possible) and place them in an adversary-controlled device.The attacker then may run a lightweight operating system to copy and paste chunks of memory content from these physical memory modules to an external drive.Because of some physical effects on the main memory, the memory bits experience a deterioration process once the device's power is off, by which some bits get changed.Particularly some 0 bits of the original content change to 1 bits and vice-versa.Therefore the extracted data from the target device's main memory will be recognizably different from the original memory data.
Previous works [20,30,48] point out that an attacker can decelerate the bit degrading process by means of spraying a chemical product, like liquid nitrogen, onto the memory modules (that is, spraying cold compressed liquid onto the modules may maintain the original bit states for a prolonged period).Nonetheless, the attacker has yet to extract the memory content before restoring any important information from the target device's main memory.To extract chunks of memory, the attacker has to handle several possible issues.On rebooting, the initial boot process may overwrite chunks of memory with its running code and data, even though the overwritten chunks are normally small.Moreover, the initial boot process might execute a destructive memory check, yet this memory check may be bypassed.In particular, the attacker may use memory-imaging tools to produce correct dumps of memory contents to any external device, as was reported in [20,30,48].These tools consume trivial amounts of RAM and usually are placed in memory in such a way that do not affect the data of interest.In case that such an attacker cannot force boot memory-imaging tools, the attacker removes the memory modules and place them in a compatible device and copy and paste the content to an external disk, like mentioned by the authors of [20].
Once the attacker extracts some memory content, the attacker has to profile the content to estimate the probabilities of bit-flipping.That is the probability for a 1 to 0 bit flipping and a 0 to 1 bit flipping.Furthermore, according to the results of the experiment reported in [20], almost all memory bits tend to decay to predictable "ground" states, with only a portion flipping in the opposite direction.Additionally, the authors of [20] mention that the probability of a bit-flipping in the opposite direction stays constant and is very small (circa 0.01) as time elapses, while the probability for a bit to decay to the ground state increases over time.These results suggest that the attacker could model the decay in a portion of the memory as a binary asymmetric channel, i.e., we can assume that the probability for a 1 to 0 bit flipping is a fixed number and that the probability for a 0 to 1 bit flipping is another fixed number in a given time.Note that by reading and counting the number of 0 bits and 1 bits, the attacker can discover the ground state of a specific memory region.Additionally, the attacker can estimate the bit-flipping probabilities by comparing the bit count of original content in a memory region with its corresponding noisy version.
Finding encryption keys after procuring memory content is another challenge that the attacker has to address.Such a problem has been extensively discussed in [20] for Advanced Encryption Standard (AES) and RSA keys in-memory images.Even though the algorithms presented in [20] are scheme-specific, their algorithmic rationale may be easily adapted to devise key-finding algorithms for other schemes.These algorithms search for specific secret-key-identifying characteristics in the secret key in-memory formats as identifying labels for sequences of bytes.More precisely, these algorithms search for byte sequences with low Hamming distance to these identifying labels and verify that the remaining bytes in a possible sequence satisfy some conditions.Once the previous issues are coped with, the attacker will obtain a version with errors of the original secret key obtained from the memory image.Hence the attacker's ultimate goal is to reconstruct the original private key from its noisy version with the help of public cryptographic data associated with the target key.
The study of cold boot attacks on cryptographic algorithms has focused on developing key-recovery algorithms to efficiently and effectively reconstruct a secret key from its noisy version with the help of associated public cryptographic data for a target cryptosystem and evaluate the robustness and tolerance of these key-recovery algorithms to noise.

Cold boot attack model
Based on our previous discussion on cold boot attacks, we assume an attacker knows about the data structures storing the private key in memory and has access to the corresponding public parameters without any noise.Also, we suppose such an attacker procures a noisy version of the target private key via applying several key finding algorithms.We note that finding the memory region that stores the private key is require to carry out this attack in practice and may be taken care of via applying several key finding algorithms [20,30,48].Therefore, the adversary's main objective is to reconstruct the original private key.
We denote α = P (0 → 1) as the probability of a 0 to 1 bit-flipping (a 0 bit in the bit representation of the private key changes to a 1 bit).Moreover, we denote β = P (1 → 0) as the probability of a 1 to 0 bitflipping (viz.a 1 bit in the bit representation of the secret key changes to a 0 bit).Furthermore, based on experimental results obtained in [20,30,48], we assume one of these values is very small (approximately 0.001) and not liable to variation over time, while the other value does increase over time.As stated by preceding works on cold boot attacks [20,30,48], such an attacker may estimate both α and β by comparing original content with its corresponding noisy version (using the public key), and both remain fixed across the memory region that stores the private key.

Literature review
In this section, we present a review of previous works about cold boot attacks on cryptographic schemes.In particular, we introduce this literature review by describing cold boot attacks on RSA, then cold boot attacks on discrete-logarithm-based schemes, then cold boot attacks on symmetric-key schemes, and finally cold boot attacks on post-quantum schemes.

RSA setting
The research paper by Heninger and Shacham [22] is the first work dealing with this class of attacks on RSA keys.They introduce a key-recovery algorithm, which relies on Hansel lifting and exploit the redundancy found in the popular RSA secret key in-memory format.The research papers by Henecka et al. [21] and Paterson et al. [35] further the initial work, and both research papers exploit the mathematical structure on which RSA relies.Furthermore, the research paper by Paterson et al. [35] further concentrates on the error channel's asymmetric nature, which is intrinsically connected to the cold boot setting, analyzing the key-recovery problem from an information-theoretic perspective.

Discrete logarithm setting
The first research work that looks into this attack in the discrete logarithm setting is by Lee et al. [29].This work pays particular attention to recovering the secret key x given the public key g x , where g is a field element and x is a positive integer.Their model assumes the attacker has access to the public key g x and the noisy version of the private key x, as well as knowledge of an upper bound on the number of errors found in the noisy version of the secret key.Since their algorithm assumes knowing such an upper bound (hardly achievable) and exploits small redundancy in the secret-key format, it does not perform well in recovering keys if these keys are susceptible to considerable levels of noise.
A follow-up work by Poettering and Sibborn [37] also explores this attack in the discrete logarithm setting, more concretely in the elliptic curve cryptography (ECC) setting.Their work is practical since it centers on two implementations for elliptic curve cryptography.In particular, this work exploits redundancy present in two secret key in-memory formats from two popular ECC implementations from Transport Layer Security (TLS) libraries.They develop a dedicated key-recovery algorithm in the bit-flipping model for each studied memory representation, showing better results than the preceding work.

Symmetric key setting
Regarding the feasibility of cold boot attacks against symmetric-key primitives, several papers have already explored this class of attacks against some prominent block ciphers.At first, the paper by Albrecht and Cid [3] concentrates on the recovery of symmetric encryption keys by employing polynomial system solvers.Particularly, they use integer programming techniques and apply them to the key-recovery of Serpent block cipher's secret keys, and also introduce a dedicated key-recovery algorithm to Twofish secret keys.Furthermore, the paper by Kamal and Youssef [26] introduces key-recovery algorithms based on SAT-solving techniques to tackle the same problem.We refer the interested reader to [3,26,23] for more details.

Post-quantum setting
Regarding the feasibility of performing this attack against post-quantum crypto-systems, several research papers have already carried out cold boot attacks on post-quantum schemes.At first, the work by Paterson et al. [36] explores this attack against NTRU.Their work focuses on two existing NTRU implementations, the ntru-crypto implementation and the tbuktu/Bouncy Castle Java implementation.For each in-memory format analyzed in the paper, a dedicated key-recovery algorithm is presented and tested in the bit-flipping model.One of their key-recovery algorithms may recover the private key for a small and fixed α and varying β ranging from 1% up to 9%.A follow-up work by Villanueva-Polanco [43] expands on the previous results and presents a general key-recovery strategy via key enumeration, which is successfully applied to recover BLISS private keys.Another paper by Villanueva-Polanco [46] adjusts the previous key recovery strategy to successfully key-recovery LUOV private keys, exploiting the fact that a LUOV private key is derived from a 256 bit string.Additionally, these ideas are applied to tackle the key-recovery problem for toy parameters of Rainbow and McEliece Public-Key Encryption [44].Another recent paper [47] extends these ideas to successfully key-recovery Supersingular Isogeny Key Encapsulation (SIKE) Mechanism private keys.Furthermore, Albrecht et al. [4] explore cold boot attacks on post-quantum cryptographic schemes based on the ring-and module-variants of the Learning with Errors (LWE) problem.Their work concentrates on Kyber key encapsulation mechanism (KEM) and New Hope KEM, for which they present dedicated key recovery algorithms to tackle both cases in the bit-flipping model.

Quantum Background
Quantum registers are qubit strings whose length determines the amount of information that they can store.In superposition, each qubit in the register is in a superposition of |0 and |1 , and consequently, a register of n qubits is in a superposition of all 2 n possible bit strings represented by n "classical" bits.
As with single qubits, the squared absolute value of the amplitude associated with a given bit string is the probability of observing that bit string upon collapsing the register to a classical state.

Quantum gates
In classical computing, binary values, as stored in a register, pass through logic gates that, given a certain binary input, produce a certain binary output.Mathematically, classical logic gates are described as boolean functions.Quantum logic gates present a certain similarity with classical gates.When a quantum logic gate is applied to quantum registers it maps the current state to another state, transforming the state until it reaches a final state, i.e., the measured state.
There are several quantum gates each one with a specific function.In this work, we will use, 1qClifford, CNOT and Toffoli gate.For more details about gates and quantum computing see [1].
Remark 1.Since all evolution in a quantum system can be described by unitary matrices and all unitary transformations are invertible, all quantum computation is reversible.For a computation to be reversible the output of the computation contains sufficient information to reconstruct the input, i.e. no input information is erased.Unless, one needs to measure the state, the collapse of the state, i.e., the measurement is the only non-unitary operation in quantum computing.

A framework to key recovery
According to the results by Villanueva-Polanco [45], the key-recovery problem in the cold boot attack setting can be coped with through keyenumeration techniques.We now present the key idea from that paper.
Let us assume that k = k0 k1 k2 • • • kW −1 represent the noisy bit-string of a key of bit-length W obtained via a cold boot attack.This bit string can be written as a sequence of N = W/w chunks, where each chunk is of length w bits, i.e.
Let us assume we can generate full key candidates c for the original secret key encoding.Based on Bayes's theorem, the probability of c to be the correct full key candidate given the noisy version k is given by P(c| k) = P( k|c)P(c) . Thus the maximum likelihood estimation method suggests choosing c to maximise P(c| k).Note that both P( k) and P(c) are constants.Thus maximising it is equivalent to maximise P( k|c) = (1 − α) n 00 α n 01 β n 10 (1 − β) n 11 , where n00 counts the positions in which both c and k contain a 0 bit, n01 counts the positions in which c contains a 0 bit and k contains a 1 bit, etc.Or equivalently, choosing c such that maximises log P( k|c) .Therefore each candidate can be assigned a score, viz.S(c, k) := log P( k|c) .
Let us assume that the full key candidates c are written as a sequence of chunks as for k, i.e. c = C 0 ||C 1 || . . .||C N −1 , where C i is a w bit-string, then we may also assign a score S(C i , K i ) to each of the at most 2 w values for a chunk candidate After acquiring the lists of chunk candidates, one can run them into a "search" algorithm to find the correct key.The search can be performed by a classical or a classical-and-quantum search.In the latter, it is possible to use Grover's algorithm.However, as we will see in Section 4.2, the algorithm requires an oracle, and the oracle needs a quantum circuit of the underlying block cipher.In this regard, the attack becomes narrower in the direction of a specific implementation.

Recovering secret keys via a cold boot attack
In this section, we present our hybrid key-recovery method.We first will describe Grover's algorithm and how an attacker can use it to key-search for a block cipher and then present our key-recovery method, its general running time and costs in terms of resources.

Grover's algorithm
Grover's algorithm [19] is one of the most popular quantum algorithms among cryptographers.This algorithm provides a quadratic speedup for searching an element such as a key in a keyspace.In the following, we define the search problem: Definition 1.For N = 2 n , we are given a function f : {0, 1} N → {0, 1} which assumes the value 0 for almost all entries.The goal is to find an x such that f (x) = 1.
In the classical setting, one needs to perform Θ(N ) queries for finding x, the number of queries varies with the randomness in the search.In the quantum setting, that is, using Grover's algorithm, one needs to perform O( √ N ) queries.Algorithm 1 gives a high level abstraction of Grover's algorithm.
Algorithm 1 Grover's algorithm on a list with n elements (on a high level).

Grover(f, x):
Start with For more details about inversion about the mean see [50].

Key search for a block cipher
Grover's algorithm can be used for searching a key in a key space.However, first the attacker needs to define the Boolean function f which Grover's oracle will use it.So, a general definition can be found in [25] and it is as follows: Definition 2. Let E = (E, D) be a block cipher defined over (K, X ), where K = {0, 1} W and X = {0, 1} n .We denote by Ek(m) ∈ {0, 1} n the encryption of message block m ∈ {0, 1} n under key k.Given np plaintextciphertext pairs (mi, ci) with ci = Ek(mi).The goal is to apply Grover's algorithm to find the unknown key k by defining the function f as

Our key-recovery algorithm
Throughout this section, we present a key-recovery method that combines key enumeration algorithms and Grover's algorithm.The first version of this set of algorithms is introduced in [33] in the context of side-channel attacks and recently has been adjusted to be used in the cold boot attack setting on the Supersingular Isogeny Key Encapsulation (SIKE) Mechanism [47].
Here we adapt it for recovering a block cipher secret key sk from its noisy version procured via a cold boot attack.Let us assume that a cold boot attacker has access to a noisy version sk of a secret key sk ∈ K and a pair (m, c) ∈ X × X such that Esk(m) = c, and has estimated the values of α and β.The attacker's goal is to recover sk.
Recall that from our discussion in section 3, we can assign scores to each chunk candidate for a chunk by using the function S. Let W be the length of sk in bits, w be the length of a chunk in bits with w dividing W , η be an positive integer dividing N = W/w and let µ be a positive integer.Algorithm 2 creates lists of chunk candidates on inputs sk, W, w, η, µ.The function toWeight on input s returns a weight (a positive integer), as suggested in [33].Algorithm 2 makes use of a optimal key enumeration algorithm (OKEA) [45] to get the µ most high-scoring chunk candidates for the block of chunks from i Given the weights B1, B2, Algorithm 3 constructs a two dimensional array B with ξ × B2 entries.For i = ξ − 1 and 0 ≤ b < B2, the entry Algorithm 2 creates the lists of candidates.
for j ← 0 to µ − 1 do 21: // s is the total score of c.

22:
// c is a bitstring of η • w bits 23: (s, c) ← OKEA.getNext(); 24: Π.append((s, c)); 25: end for 26: L.append(Π); 27: end for 28: return L; 29: end Function contains the number of chunk candidates such that their total score plus b lies in the interval [B1, B2).Therefore, On the other hand, for i = ξ −2, ξ −3, . . ., 0, and 0 ≤ b < B2, the entry B[i][b] contains the number of chunk candidates that can be constructed from the chunk i to the chunk ξ −1 such that their total score plus b lies in the interval [B1, B2).Therefore, B[i][b] may be calculated as follows.For is the total number of full key candidates with weights in the interval [B1, B2).
Algorithm 4 simply constructs the matrix B by calling create and then computes the total number of full key candidates with weights in [B1, B2) by returning We now present Algorithm 5.This algorithm returns the full key candidate kr with weight in the interval [B1, B2), with r ∈ {1, 2, 3 . . ., B[0][0]}.By construction the output of Algorithm 5 is deterministic in the sense that for given fixed values of L, B, B1, B2, W, w, η, µ and r, Algorithm 5 will return the same key kr.
Indeed, let us assume that L, B, B1, B2, W, w, η, µ and r are inputs to Algorithm 5. We first analyse the lines from 7 to 19 of Algorithm 5. Let Algorithm 3 constructs the two dimensional array B.
for b ← 0 to B 2 − 1 do 7: for j ← 0 to µ − 1 do 8: end for 13: end for 14: for i ← ξ − 2 to 0 do 15: for b ← 0 to B 2 − 1 do 16: for j ← 0 to µ − 1 do 17:  B ← create(L, B 1 , B 2 , W, w, η, µ); 3: return B[0, 0] 4: end Function us fix i ∈ {0, . . ., ξ − 2}.For j ∈ {0, . . ., µ − 1}, the condition of the line 12 verifies whether r is less than the number of chunk candidates that can be constructed from the chunk i + 1 to the chunk ξ − 1 such that their total score plus b + s lies in the interval [B1, B2).If so, the algorithm finds the proper j for the fixed i, then concatenate the chunk candidate Similarly, the block of instructions from the line 20 to the line 29 finds the proper j for i = ξ − 1.Note that the selection of j's are determined by the input parameters.Hence, for given fixed values of L, B, B1, B2, W, w, η, µ and r, Algorithm 5 will return the same key kr.
For completeness, we present Algorithm 6 that enumerates and tests all full key candidates with weight in the interval [B1, B2) in a classic way (without a quantum algorithm).The function T is a boolean function that returns 1 if k satisfies some specific condition.Otherwise, it returns 0.
We now present Algorithm 7 that performs a quantum key enumeration over an interval with roughly e full key candidates.In particular, it searches over an interval of the form [Bmin, Be), where Bmin is the Algorithm 5 returns the full key candidate k r with weight in the interval [B 1 , B 2 ).end for 20: i ← ξ − 1; 21: return k 31: end Function minimum weight that a full candidate can attain given the list L and Be is a calculated weight to guarantee the number of full candidates with weights in the interval [Bmin, Be) will be roughly e. Recall that L contains ξ = N /η lists of chunk candidates.Therefore we can calculate the value Bmin by summing the score of the first chunk candidate of each list contained in L.
We recall that Algorithm 7 is "generic", that is, it uses Grover's algorithm in line 11 to speed up a small set of keys.The advantage of this approach is that one can attack a more broad spectrum of symmetric ciphers.

Quantum circuit for f
The quantum circuit for f (Line 10 of Algorithm 7) can be seen as the oracle implementation of E. In particular, given a plain-text/cipher-text pair (m, c), T is defined as Algorithm 6 enumerates and tests all full key candidates with weight in the interval [B 1 , B 2 ).
In a practical example, let us suppose that Algorithm 7 at line 9 generates a matrix B such that B[0][0] = 2 s , where s = 16.Therefore, 2 16  candidates need to be tested.At line 11, Grover's algorithm is run with an oracle f, which can be constructed from the result by [25], to check if it can find the correct answer.Given we have an unique result, we will need to run this algorithm O( √ 2 16 = 2 8 ) times, until we have reached our correct solution or not.
As pointed out, a critical component of our algorithm is the quantum oracle, so we will next present how to implement the quantum oracle for several block ciphers, namely, AES, PRESENT, and GIFT.Afterward, in Section 5, we further evaluate our algorithm for LowMC, in particular in the context of Picnic, the post-quantum signature algorithm currently being assessed by the NIST standardization process.

Quantum AES
As previously mentioned, quantum computations need to be reversible.Also, the oracle O present in Grover's algorithm implements the block cipher as a reversible function.In [17], the authors give the first version of a reversible AES.Their seminal work generate other implementations in the literature such as [7,27,28,25,14].
AES is a block cipher, designed by Daemen and Rijmen [13].It is based on Rijndael but only provides 128-bit blocks.AES has different transfor-Algorithm 7 performs a quantum key enumeration over a interval with roughly e full key candidates.return ⊥; 20: end Function mations operating on an intermediate result that is called State.The state can be seen as an array of bytes, with four rows and four columns.The number of rounds Nr depends on the size of the key, e.g., AES-128 performs 10 rounds, AES-192 performs 12 rounds and AES-256 performs 14 rounds.
In the encryption process with AES, one needs first to perform key addition, denoted by AddRoundKey, followed by Nr − 1 executions of Round, and finally one application of FinalRound.The Round function is the application of 4 transformations which are SubBytes, ShiftRows, MixColumns and AddRoundKey.The FinalRound consists of the application of SubBytes, ShiftRows and AddRoundKey.Algorithm 8 shows, in a pseudo C language, how those rounds are put together.One advantage of AES is that one just needs to implement the transformation functions and then reuse them in the rounds.

Algorithm 8 High level description of AES.
Function AES(State, CipherKey) KeyExpansion(CipherKey, ExpandedKey); AddRoundKey(State, ExpandedKey[0]); In the latest literature, we can see an improvement in the quantum circuit developed to AES.In our case, we will consider the implementation in [25] since it gives the lowest depth.We consider the "in-place" setting, more details in [25,Sec. 4.6].Table 1 gives the number of gates necessary to run AES in Grover's algorithm.PRESENT [49] and GIFT [8] follow the block cipher construction, that is, both schemes have a certain number of rounds in which they apply an Sbox transformation followed by a permutation.However, each of them has some difference.For PRESENT, the first operation is the addition of the round key, while, for GIFT, the first operation is the Sbox transformation.
PRESENT has block sizes of 64 bits, and GIFT uses 64 and 128 bits blocks.PRESENT support 80-bit key size, and both of them support 128-bit key size.More details can be found in the original papers [49,8].
Fortunately, there are implementations of both of them in the quantum world, that is, there are reversible implementations using quantum gates.The work in [24] provides a deeper analysis of the quantum circuit.Table 2 show the number of gates for PRESENT and GIFT.The authors in [24] give the estimation using CNOT and Toffoli gates, in order to use in our work we use the same decomposition as [17] and decompose 1 Toffoli gate as 7 T gates + 8 Clifford gates.We remark that this gives an upper bound on the number of T gates as we use the generic decomposition; the circuits above could be built using T-gates directly and possibly use fewer T gates [2].Generic Implementation and Different ciphers.We present the costs to implement AES, PRESENT and GIFT into a quantum computer.As mentioned before, our attack is generic, and one can easily replace the function f(•) in Algorithm 7 by one of those implementations.
In the following, we will focus in LowMC given that it is the one used in Picnic, which is the scope of this work.

Cold boot attacks on Picnic
In this section, we further evaluate our algorithm for LowMC, in particular in the context of Picnic, the post-quantum signature algorithm currently being assessed by the NIST standardization process.We first describe the key-generation algorithm as it is implemented in [40].We then describe the inner workings of LowMC and its Quantum version, and then the costs and success rate of our algorithm in this context.

Picnic key generation algorithm
In our analysis, we use the current reference implementation of Picnic [40].Algorithm 9 summarizes the process of key generation.
Algorithm 9 Picnic's Key Generation Algorithm As one can see, the input of the function KeyGen is P, which represents an instance of a structure to store a parameter set (paramset_t).This structure points to a relatively big set of fields.In particular, the field stateSizeBytes refers to the number of bytes needed to store stateSizeBits bits, which is the bit length of sk, m and c.In particular, Table 3 shows the values of both stateSizeBits and stateSizeBytes for each Parameter Set for Picnic, as defined in the Picnic reference implementation file picnic.c[40].
For the sake of completeness, the call to randBytes(size) returns a random byte array of length size, while the call to zeroTrailBits(byteArray, bitLength) sets to 0 all bits of byteArray at position i for all bitLength < i ≤ 8 • l, where l is the number of entries of byteArray.At line 6, we see a call to LowMCEnc, the LowMC encryption algorithm, which we will describe next.

LowMC block cipher
LowMC [5,6] is a block cipher that tries to reduce the multiplicative complexity of circuits.Different from other block ciphers, the instantiation of LowMC is not fixed, and it depends on the choice of certain parameters such as the block size, number of S-Boxes per round, and security expectations.Besides encryption and decryption, LowMC is also a component of the Picnic signature scheme.First, LowMC performs a key-whitening and then iterates a round function by R times, where R depends on the parameters.The round function consists of 4 steps and is summarized as follows.
1. SBoxLayer: A 3-bit S-Box is applied to the first 3m bits of the state in parallel, while an identity map is applied to the remaining bits; 2. MatrixMul: A regular matrix Li ∈ F n×n 2 is generated at random and the n-bit state is multiplied by Li; 3. ConstantAddition: An n-bit constant Ci ∈ F n 2 is randomly generated and then compute the addition of n-bit state and Ci; 4. KeyAddition: A full-rank matrix Mi+1 ∈ F n×k 2 is randomly generated.The n-bit round key Ki+1 is obtained by multiplying the k-bit master key with Mi+1.Then, the n-bit state is added with Ki+1, where addition means XOR operation.
To use LowMC in Picnic, the authors in [40] defined three levels: L1, L3, L5.For details about the construction given the parameters, we refer to the documentation in [40].

Quantum LowMC
In this context, we will need a quantum version of LowMC.Fortunately, [25] presents a quantum version of LowMC with low depth in their circuit.Furthermore, the authors provide a Q# implementation of the LowMC.We will reuse their results since it deals with the problems of building quantum circuits.Table 4 shows the number of quantum gates necessary for applying the LowMC encryption.The levels L1, L3, and L5 are the security levels required by Picnic scheme.Figure 1 shows the implementation of one S-Box, it is possible to notice that it requires 3 ancillas for storing intermediate results and it requires 12 CNOT gates and 3 Toffoli gates.In the Picnic specification it defines that a full S-boxLayer consists of 10 parallel S-Boxes.
The AffineLayer since it is an affine transformation, it consists of a matrix multiplication following by an addition of a constant vector.The details can be seen in [25,Sec. 5.2].The last function to describe, that is, the KeyExpansion and KeyAddition are only CNOT gates in parallel to perform the addition.

Costs for running our key recovery algorithm
The costs in terms of gates for running LowMC are similar to those provided in [25].The only difference for our case is that we will search in a smaller keyspace, that is, the candidates that Algorithm 7 generates in line 9. Table 5 shows the costs for running Grover's algorithm with the oracle provided in [25].Furthermore, we select 3 different sizes of windows for the interval [Bmin, Be), namely e ∈ {2 30 , 2 40 , 2 50 } full candidates.In our analysis, we need to consider the costs to run O(N ) times, since the costs provided in [25] are only for 1 query.In our case, our costs are  ), where each has size 2 s , for s = 0, 1, . ... One can reuse the circuit to run each chunk in sequence or run several instances of Grover's algorithm each one with their chunk of keys.
Remark 3. Our Algorithm 7 is a "hybrid" algorithm.In our case, we are considering that everything before the Grover's call is "classical" computation.The same after the call, that is, when we check if the element is found.Hence, we do not need to take into account the costs of the other functions in a quantum computer besides the one in line 11.Furthermore, in our costs, we assume that we always find the element in our search.However, as a future work, we suggest that it is necessary to evaluate the other case, i.e., when the Algorithm 7 will run more than one time.

Success rate of our key recovery algorithm
In this section, we present the success rate of our key-recovery algorithm for each set of parameters defined for Picnic in [40].The success rates are estimated by performing simulations of our key recovery algorithm for several selected hyper-parameters.We note that our key-recovery method might find sk from sk, only if each list from the list L returned by Algorithm 2 contains the proper chunk candidates to reconstruct sk.In such a case, a full enumeration of all candidates constructed from the lists of chunk candidates contained in L will find the real private key.
Based on the previous observation, we estimate the success rate of our key-recovery method by assuming the attacker can perform various enumerations from the set of candidates, C, that can be constructed from L. In particular, we assume an attacker is able to enumerate (1) all candidates from C, and ( 2) the e best high-scoring candidates from C, where e ∈ {2 30 , 2 40 , 2 50 } (this is basically what Algorithm 7 does for a given e).
To calculate the success rate of our algorithm for a given α, β and a Picnic parameter set P, we perform the following experiment that consists of 100 trials.In each trial, we first create the key pair sk, pk via calling the key generation algorithm from Picnic, as implemented in the Picnic  reference implementation [40].We then perturb sk according to α, β to get sk.We then select appropriate values for W, w, η, µ, and generate L via calling Algorithm 2 and check if the real key can be reconstructed from L, i.e., by verifying if the corresponding chunk candidates are in the lists of chunk candidates contained in L. If so, that signifies that a full enumeration can recover sk.Otherwise, sk cannot be recovered.Additionally, in case sk can be recovered by a full enumeration, we then calculate three intervals of the form [Bmin, Be) for each e, as in Algorithm 7, to check if the score of the real private key lies in each of them.Note that this check verifies if performing an enumeration of the e best high-scoring candidates is enough to recover the real private key.
Figure 2 shows the results for the Picnic parameters picnic-{L1-FS, L1-UR, L1-full} and picnic3-L1.In particular, it shows that our key recovery algorithm may find the real private key for α = 0.001 and β in the set {0.001, 0.01, 0.02, . . ., 0.4} when run with the parameters W = 128, w = 8, η = 2 and µ ∈ {256, 512, 1024}.Note that the success rate improves as the value of e increases, which is expected.Similarly, Figure 2d shows the success rate for the full enumeration improves as the the value of µ increases, which is also expected.Additionally, note that although the bit length of the private key for the parameters sets picnic-L1-full and picnic3-L1 is 129 bits, the success rate of our al-  gorithm for these two parameter sets is essentially the same as shown by Figure 2.
Figure 3 shows the results for the Picnic parameters picnic-{L3-FS, L3-UR, L3-full} and picnic3-L3.In particular, it shows that our key recovery algorithm may find the real private key for α = 0.001 and β in the set {0.001, 0.01, 0.02, . . ., 0.3} when run with the parameters W = 192, w = 8, η = 3 and µ ∈ {256, 512, 1024}.As mentioned before, the success rate improves as the value of e increases, which is expected.Similarly, Figure 3d shows the success rate for the full enumeration improves as the the value of µ increases, which is also expected.
Figure 4 shows the results for the Picnic parameters picnic-{L5-FS, L5-UR, L5, L5-full} and picnic3-L5.In particular, it shows that our key recovery algorithm may find the real private key for α = 0.001 and β in the set {0.001, 0.01, 0.02, . . ., 0.2} when run with the parameters W = 256, w = 8, η = 4 and µ ∈ {256, 512, 1024}.As mentioned before, the success rate improves as the value of e increases, which is expected.Similarly, Figure 4d shows the success rate for the full enumeration improves as the the value of µ increases, which is also expected.Additionally, note that although the bit length of the private key for the parameters sets picnic-L5-full and picnic3-L5 is 255 bits, the success rate of our algorithm for these two parameter sets is essentially the same as shown by Figure 4.

Conclusions
This paper presented a general procedure by which a cold boot attacker may recover a block cipher secret key after procuring a noisy version of the key via a cold boot attack.More specifically, the procedure exploits key enumeration algorithms and a well-known quantum algorithm, namely, Grover's Algorithm.Also, we showed how to implement the quantum component of our algorithm for several block ciphers such as AES, PRESENT and GIFT,and LowMC.This paper also evaluated Picnic, a post-quantum signature algorithm, in the cold boot attack setting, focusing on its reference implementation.We showed that our key-recovery method effectively reconstructs Picnic private keys for all Picnic parameters for α = 0.001 and values of β in the set {0.001, 0.01, 0.02, . . ., 0.4} (the upper bound for β depends on the used parameter set).Additionally, we provided the costs for running our key recovery algorithm by giving the number of quantum gates required to implement it and its running time.As future work, we believe that our key-recovery algorithm may be adapted to tackle key-recovery of other post-quantum algorithms' private keys in the cold boot attack setting.

Figure 1 :
Figure 1: Quantum circuit for computation of one S-Box from LowMC.
[10,15,31,32,34,39,41,42,9,51,11,12,16,38,18,45]here each contains up to 2 w entries.More concretely, each list contains at most 2 w 2-tuples of the form (score, value), where the first component score is a real number (candidate score) and the second component value is a w-bit strings (candidate value).Now note that the original key-recovery problem reduces to a enumeration problem that consists in traversing the lists of chunk candidates to produce full key candidates c of which total scores are obtained by summation.The enumeration problem has been previously studied in the side-channel analysis literature[10,15,31,32,34,39,41,42,9,51,11,12,16,38,18,45], and there are many algorithms that may be useful for our key-recovery setting, in particular those enumerating full key candidates in descending order based on the score component.
Algorithm 4 computes the number of full key candidates in [B 1 , B 2 ).

Table 2 :
[24]er of quantum gates for the full encryption circuit for PRESENT and GIFT presented in[24].

Table 3 :
Values of both stateSizeBits and stateSizeBytes for each Parameter Set for Picnic

Table 4 :
Number of quantum gates for the full encryption circuit for LowMC presented in [25, Sec.5.4].