Skip to main content
SpringerLink
Log in

A Shared Key Recovery Attack on a Masked Implementation of CRYSTALS-Kyber’s Encapsulation Algorithm

  • Conference paper
  • First Online:
Foundations and Practice of Security (FPS 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14551))

Included in the following conference series:

  • 66 Accesses

Abstract

In July 2022, NIST selected CRYSTALS-Kyber as a new post-quantum secure public key encryption and key encapsulation mechanism to be standardized. To safeguard its shared and secret keys from side-channel attacks (SCA), countermeasures such as masking and shuffling are applied. However, the existing SCA-protected implementations of CRYSTALS-Kyber protect the decapsulation algorithm only. The encapsulation algorithm is not covered because single-trace shared key recovery attacks on encapsulation are not considered feasible. Since the same shared key is never encapsulated more than once, the attacker gets only a single trace per shared key from the execution of the encapsulation algorithm. In this paper, we demonstrate a practical single-trace shared key recovery attack on a first-order masked implementation of the encapsulation algorithm of Kyber-768 in ARM Cortex-M4 based on deep learning-assisted power analysis. Our main contribution is a new aggregation method for ensemble learning that enables enumeration during shared key recovery. Our experimental results show that a full shared key can be recovered with a 91% probability on average from a single trace captured from a different from profiling device.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 59.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 79.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Amiet, D., Curiger, A., Leuenberger, L., Zbinden, P.: Defeating NewHope with a single trace. In: Ding, J., Tillich, J.-P. (eds.) PQCrypto 2020. LNCS, vol. 12100, pp. 189–205. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44223-1_11

    Chapter  Google Scholar 

  2. Avanzi, R., et al.: CRYSTALS-Kyber algorithm specifications and supporting documentation (2021). https://pq-crystals.org/kyber/data/kyber-specification-round3-20210131.pdf

  3. Backlund, L., Ngo, K., Gartner, J., Dubrova, E.: Secret key recovery attacks on masked and shuffled implementations of CRYSTALS-Kyber and Saber. Cryptology ePrint Archive, Paper 2022/1692 (2022). https://eprint.iacr.org/2022/1692

  4. Bos, J., et al.: CRYSTALS-Kyber: a CCA-secure module-lattice-based KEM. In: 2018 IEEE European Symposium on Security and Privacy (EuroS &P), pp. 353–367. IEEE (2018)

    Google Scholar 

  5. Bronchain, O., Cassiers, G.: Bitslicing arithmetic/Boolean masking conversions for fun and profit: with application to lattice-based KEMs. IACR Trans. Crypto. Hardware Embedded Syst. 553–588 (2022)

    Google Scholar 

  6. Dubrova, E., Ngo, K., Gärtner, J., Wang, R.: Breaking a fifth-order masked implementation of CRYSTALS-Kyber by copy-paste. In: Proceedings of the 10th ACM Asia Public-Key Cryptography Workshop, pp. 10–20 (2023)

    Google Scholar 

  7. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34

    Chapter  Google Scholar 

  8. Hamburg, M., et al.: Chosen ciphertext k-trace attacks on masked CCA2 secure Kyber. IACR Trans. Crypto. Hardware Embedded Systems, 88–113 (2021)

    Google Scholar 

  9. Heinz, D., Kannwischer, M.J., Land, G., Pöppelmann, T., Schwabe, P., Sprenkels, D.: First-order masked Kyber on ARM Cortex-M4. Cryptology ePrint Archive, Paper 2022/058 (2022). https://eprint.iacr.org/2022/058

  10. Maghrebi, H., Servant, V., Bringer, J.: There is wisdom in harnessing the strengths of your enemy: Customized encoding to thwart side-channel attacks. In: Fast Software Encryption, pp. 223–243 (2016)

    Google Scholar 

  11. von Neumann, J.: Probabilistic logics and the synthesis of reliable organisms from unreliable components. Automata Studies, pp. 43–98 (1956)

    Google Scholar 

  12. Ngo, K., Dubrova, E., Guo, Q., Johansson, T.: A side-channel attack on a masked IND-CCA secure Saber KEM implementation. IACR Trans. Crypto. Hardware Embedded Syst. 676–707 (2021)

    Google Scholar 

  13. Pacuit, E.: Voting methods. Stanford Encyclopedia of Philosophy (2019)

    Google Scholar 

  14. PARHAMI, B.: Threshold voting is fundamentally simpler than plurality voting. Inter. J. Reliab. Quality Saf. Eng. 1(01), 95–102 (1994)

    Google Scholar 

  15. Perin, G., Chmielewski, Ł., Picek, S.: Strength in numbers: improving generalization with ensembles in machine learning-based profiled side-channel analysis. IACR Trans. Crypt. Hardware Embedded Syst., 337–364 (2020)

    Google Scholar 

  16. Pessl, P., Primas, R.: More practical single-trace attacks on the number theoretic transform. In: Schwabe, P., Thériault, N. (eds.) Progress in Cryptology - LATINCRYPT 2019, pp. 130–149. Springer International Publishing, Cham (2019). https://doi.org/10.1007/978-3-030-30530-7_7

    Chapter  Google Scholar 

  17. Polikar, R.: Ensemble learning. Ensemble machine learning: methods and applications, pp. 1–34 (2012)

    Google Scholar 

  18. Primas, R., Pessl, P., Mangard, S.: Single-trace side-channel attacks on masked lattice-based encryption. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 513–533. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_25

    Chapter  Google Scholar 

  19. Ravi, P., Bhasin, S., Roy, S.S., Chattopadhyay, A.: On exploiting message leakage in (few) NIST PQC candidates for practical message recovery attacks. IEEE Trans. Inform. Forensics Sec. (2021)

    Google Scholar 

  20. Sim, B.Y., et al.: Single-trace attacks on message encoding in lattice-based KEMs. IEEE Access 8, 183175–183191 (2020)

    Article  Google Scholar 

  21. Wang, H., Dubrova, E.: Tandem deep learning side-channel attack against FPGA implementation of AES. In: 2020 IEEE International Symposium on Smart Electronic Systems (iSES) (Formerly iNiS), pp. 147–150 (2020). https://doi.org/10.1109/iSES50453.2020.00041

  22. Wang, J., Cao, W., Chen, H., Li, H.: Practical side-channel attack on message encoding in masked Kyber. In: 2022 IEEE International Conference on Trust, Security and Privacy in Computing and Communications, pp. 882–889. IEEE (2022)

    Google Scholar 

  23. Wang, R., Brisfors, M., Dubrova, E.: A side-channel attack on a bitsliced higher-order masked CRYSTALS-Kyber implementation. Cryptology ePrint Archive (2023)

    Google Scholar 

  24. Wang, R., Dubrova, E.: A side-channel secret key recovery attack on CRYSTALS-Kyber using k chosen ciphertexts. In: International Conference on Codes, Cryptology, and Information Security, pp. 109–128. Springer (2023)

    Google Scholar 

  25. Xu, Z., Pemberton, O.M., Roy, S.S., Oswald, D., Yao, W., Zheng, Z.: Magnifying side-channel leakage of lattice-based cryptosystems with chosen ciphertexts: The case study of Kyber. IEEE Transactions on Computers (2021)

    Google Scholar 

  26. Zaid, G., Bossuet, L., Habrard, A., Venelli, A.: Efficiency through diversity in ensemble models applied to side-channel attacks:–a case study on public-key algorithms–. IACR Trans. Cryptographic Hardware Embedded Syst., 60–96 (2021)

    Google Scholar 

Download references

Acknowledgments

This work was supported in part by the Swedish Civil Contingencies Agency (Grant No. 2020-11632) and the Sweden’s Innovation Agency Vinnova (Grant No. 2023-00221).

Author information

Authors and Affiliations

  1. KTH Royal Institute of Technology, Stockholm, Sweden

    Ruize Wang & Elena Dubrova

Authors
  1. Ruize Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Elena Dubrova
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ruize Wang .

Editor information

Editors and Affiliations

  1. University of Bordeaux, Bordeaux, France

    Mohamed Mosbah

  2. Toulouse III - Paul Sabatier University, Toulouse, France

    Florence Sèdes

  3. Université Laval, Québec, QC, Canada

    Nadia Tawbi

  4. University of Bordeaux, Bordeaux, France

    Toufik Ahmed

  5. Polytechnique Montréal, Montreal, QC, Canada

    Nora Boulahia-Cuppens

  6. Telecom SudParis, Palaiseau, France

    Joaquin Garcia-Alfaro

Rights and permissions

Reprints and permissions

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Wang, R., Dubrova, E. (2024). A Shared Key Recovery Attack on a Masked Implementation of CRYSTALS-Kyber’s Encapsulation Algorithm. In: Mosbah, M., Sèdes, F., Tawbi, N., Ahmed, T., Boulahia-Cuppens, N., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2023. Lecture Notes in Computer Science, vol 14551. Springer, Cham. https://doi.org/10.1007/978-3-031-57537-2_26

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-57537-2_26

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-57536-5

  • Online ISBN: 978-3-031-57537-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation