A Side-Channel Attack on a Masked IND-CCA Secure Saber KEM

In this paper, we present a side-channel attack on a first-order masked implementation of IND-CCA secure Saber KEM. We show how to recover both the session key and the long-term secret key from 24 traces using a deep neural network created at the profiling stage. The proposed message recovery approach learns a higher-order model directly, without explicitly extracting random masks at each execution. This eliminates the need for a fully controllable profiling device, which is required in previous attacks on masked implementations of LWE/LWR-based PKEs/KEMs. We also present a new secret key recovery approach based on maps from error-correcting codes that can compensate for some errors in the recovered message. In addition, we discovered a previously unknown leakage point in the primitive for masked logical shifting on arithmetic shares.