Practical Side-Channel Attack on Message Encoding in Masked Kyber

Since the message encoding in lattice-based schemes is vulnerable to side-channel attacks, a first-order masked message encoder has been proposed and applied to multiple masked implementations. However, the security of this masked encoder has not been evaluated sufficiently. In this paper, we investigate the security of the masked message encoder in a masked Kyber implementation. First, we give a detailed side-channel leakage analysis of the masked implementation on a specific platform, and we explain the technical challenges of designing a key recovery attack against masked implementations. Nevertheless, we found a new 2-stage key recovery attack that overcomes these difficulties and can recover the whole private key of the masked Kyber implementation with only 9 traces. In our experiments, we validate the attack on a Cortex-M4-based development board; the success rate of key recovery is close to 100% over 1000 experiments. According to the experimental results, the masked encoder cannot prevent side-channel attacks efficiently, and newer masking techniques are needed.
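As an added illustration (not code from the paper, and not from any Kyber implementation), the Python below models the Kyber message encoding that the abstract calls vulnerable, next to a first-order boolean-to-arithmetic encoder for one bit that was constructed for this example from the identity 2·⌈q/2⌉ ≡ 1 (mod q). It exhaustively checks that, in a pure value-leakage model, no single intermediate value of the masked gadget depends on the secret bit, whereas the unmasked encoder's output has Hamming weight 0 or 4 and reveals the bit directly. The gadget, the helper names and the constructed test message are assumptions; the check deliberately models only the value of each intermediate, not transition or register leakage, which is the kind of platform-specific leakage a value-level check like this cannot rule out.

```python
"""Kyber message encoding, unmasked and first-order masked, with an exhaustive
first-order value-leakage check.  Added example; the masked gadget is a
textbook-style boolean-to-arithmetic conversion written for this illustration,
not the encoder evaluated in the paper."""
from collections import Counter
import secrets

KYBER_Q = 3329
HALF_Q = (KYBER_Q + 1) // 2          # 1665: Kyber encodes message bit 1 as round(q/2)
assert (2 * HALF_Q) % KYBER_Q == 1   # identity the masked gadget relies on


def hamming_weight(x):
    return bin(x).count("1")


def encode_bit(b):
    """Unmasked encoding of one message bit: 0 -> 0, 1 -> HALF_Q.
    The single intermediate value is HALF_Q*b, so its Hamming weight is 0 or 4."""
    return HALF_Q * b


def encode_bit_masked(m1, m2, r):
    """First-order masked encoding of b = m1 ^ m2 (boolean shares) into
    arithmetic shares (a1, a2) with a1 + a2 == HALF_Q*b (mod q).
    r must be a fresh uniform mask in [0, q).  Every intermediate value is
    returned as well so a leakage check can inspect each one individually."""
    a1 = r
    d = (HALF_Q - m2 - r) % KYBER_Q    # HALF_Q*(1 - 2*m2) - r, uniform thanks to r
    e = (HALF_Q * m2 - r) % KYBER_Q    # uniform thanks to r
    t1 = (m1 * d) % KYBER_Q            # 0 or uniform; depends on share m1 only
    t2 = (m1 * r) % KYBER_Q            # 0 or uniform; kept separate from t1 on purpose
    s = (e + t1) % KYBER_Q
    a2 = (s + t2) % KYBER_Q            # == HALF_Q*(m1 ^ m2) - r  (mod q)
    return (a1, a2), [d, e, t1, t2, s, a2]


def unmask(a1, a2):
    return (a1 + a2) % KYBER_Q


def encode_message(msg32):
    """Kyber poly_frommsg layout: coefficient 8*i + j encodes bit j of byte i."""
    assert len(msg32) == 32
    return [encode_bit((msg32[i] >> j) & 1) for i in range(32) for j in range(8)]


def encode_message_masked(share1, share2):
    """Same layout, but the message arrives as two boolean shares
    (share1 ^ share2 == message) and leaves as two arithmetic share polynomials."""
    p1, p2 = [], []
    for i in range(32):
        for j in range(8):
            r = secrets.randbelow(KYBER_Q)
            (x1, x2), _ = encode_bit_masked((share1[i] >> j) & 1, (share2[i] >> j) & 1, r)
            p1.append(x1)
            p2.append(x2)
    return p1, p2


def intermediate_distributions(b):
    """For a fixed secret bit b, enumerate the uniform share m1 and mask r and
    return, per intermediate, a Counter of the values it takes.  Identical
    Counters for b=0 and b=1 mean no single intermediate reveals b (value model).
    Also checks that the shares recombine correctly for every (m1, m2, r)."""
    dists = None
    for m1 in (0, 1):
        m2 = m1 ^ b
        for r in range(KYBER_Q):
            shares, inter = encode_bit_masked(m1, m2, r)
            assert unmask(*shares) == encode_bit(b)
            if dists is None:
                dists = [Counter() for _ in inter]
            for c, v in zip(dists, inter):
                c[v] += 1
    return dists


def first_order_value_leakage_free():
    return intermediate_distributions(0) == intermediate_distributions(1)


def unmasked_leaks():
    return hamming_weight(encode_bit(0)) != hamming_weight(encode_bit(1))


if __name__ == "__main__":
    print("unmasked encoder HW(0)/HW(1):", hamming_weight(encode_bit(0)), hamming_weight(encode_bit(1)))
    print("masked gadget first-order value-leakage free:", first_order_value_leakage_free())
```

The exhaustive check is what a designer would run before trusting a gadget of this shape; the abstract's point is that passing such a check on paper does not translate into security on a concrete platform, where the implementation, and not only the values, determines what leaks.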
