In response to side-channel attacks on masked implementations of post-quantum cryptographic algorithms, a new bitsliced higher-order masked implementation of CRYSTALS-Kyber has been presented at CHES’2022. The bitsliced implementations are typically more difficult to break by side-channel analysis because they execute a single instruction across multiple bits in parallel. However, in this paper, we reveal new vulnerabilities in the masked Boolean to arithmetic conversion procedure of this implementation that make the shared and secret key recovery possible. We also present a new chosen ciphertext construction method which maximizes secret key recovery probability for a given message bit recovery probability. We demonstrate practical shared and secret key recovery attacks on the first-, second- and third-order masked implementations of Kyber-768 in ARM Cortex-M4 using profiled deep learning-based power analysis.

The emergence of deep learning has revolutionized side-channel attacks, making them a serious threat to cryptographic systems. Clock randomization is a well-established mitigation technique against side-channel attacks that, when combined with duplication, has been shown to effectively protect FPGA implementations of block ciphers and post-quantum KEMs. In this paper, we present two deep-learning-based side-channel attacks on an FPGA implementation of AES protected with the clock randomization and duplication countermeasure. The attacks are based on identifying sporadic synchronicity in the execution of the encryption rounds of the two AES cores. We remedy this vulnerability by presenting three modular additions to the original design of the countermeasure that restores its security and increases its robustness.

CRYSTALS-Kyber has been selected by the NIST as a post-quantum public-key encryption and key establishment algorithm to be standardized. This makes it important to develop side-channel attack resistant implementations of CRYSTALS-Kyber. In this paper, we propose utilizing duplication combined with clock randomization as a means of protecting CRYSTALS-Kyber FPGA implementations from side-channel attacks. Such a countermeasure has been proven effective in ensuring side-channel resistance of AES FPGA implementations. It has the benefits of universal coverage, glitch immunity, and zero clock cycle overhead. We present a protected version of CRYSTALS-Kyber built on the top of the lightweight unprotected implementation by Xing el al. Our security evaluation shows that the protected implementation is resistant to deep learning-based side-channel attacks.

Deep learning transformed side-channel analysis and made many conventional countermeasures obsolete. This brings the need for more effective, deep learning-resistant defense mechanisms. We propose a method for protecting hardware implementations of cryptographic algorithms that combines clock randomization with duplication. The presented method ensures that the duplicated block generates algorithmic noise that is dependent on the input of the primary block and has a similar power profile. In addition, the duplicated block does not create any secret key-related leakage. We evaluate the presented method on the example of the Advanced Encryption Standard (AES) algorithm implemented in FPGA. Our experimental results show that the protected AES implementation is resistant to deep learning-based power analysis.

Clock randomization is one of the oldest countermeasures against side-channel attacks. Various implementations have been presented in the past, along with positive security evaluations. However, in this paper we show that it is possible to break countermeasures based on a randomized clock by sampling side-channel measurements at a frequency much higher than the encryption clock, synchronizing the traces with pre-processing, and targeting the beginning of the encryption. We demonstrate a deep learning-based side-channel attack on a protected FPGA implementation of AES which can recover a subkey from less than 500 power traces. In contrast to previous attacks on FPGA implementations of AES which targeted the last round, the presented attack uses the first round as the attack point. Any randomized clock countermeasure is significantly weakened by an attack on the first round because the effect of randomness accumulated over multiple encryption rounds is lost.

Several attacks on AES using far field electromagnetic (EM) emission as a side channel have been recently presented. Unlike power analysis or near filed EM analysis, far field EM attacks do not require a close physical proximity to the device under attack. However, in all previous attacks traces for the profiling stage are also captured at a distance (fixed or variable) from the profiling devices. This degenerates the quality of profiling traces due to noise and interference. In this paper, we train deep learning models on "clean"traces, captured through a coaxial cable. Our experiments show that the resulting models can extract the AES key from less than 500 traces on average captured at 15 m from the victim device without repeating each encryption more than once. This is a 20-fold improvement over the previous attacks which require about 10K traces for the same conditions. 

It is known that secret keys can be extracted from some USIM cards using Correlation Power Analysis (CPA). In this paper, we demonstrate a more advanced attack on USIMs, based on deep learning. We show that a Convolutional Neural Network (CNN) trained on one USIM can recover the key from another USIM using at most 20 traces (four traces on average). Previous CPA attacks on USIM cards required high-quality oscilloscopes for power trace acquisition, an order of magnitude more traces from the victim card, and expert-level skills from the attacker. Now the attack can be mounted with a $1000 budget and basic skills in side-channel analysis.

Recently, several deep-learning side-channel attacks on cryptographic algorithms were demonstrated. With the help of a trained deep-learning model, the attacker extracts the key from a few power traces captured from a victim device. However, previous works have shown that the inter-chip variation may significantly reduce the attack success probability. In this paper, we quantify the effect of inter-chip variation on the classification accuracy of Multi-Layer Perceptron (MLP) models. We show that, by training on multiple chips, we can increase the probability of recovering the key from a single trace from 39.95% to 86.07% on average. We also evaluate how the printed circuit board diversity affects the classification accuracy.

Deep learning side-channel attacks are an emerging threat to the security of implementations of cryptographic algorithms. The attacker first trains a model on a large set of side-channel traces captured from a chip with a known key. The trained model is then used to recover the unknown key from a few traces captured from a victim chip. The first successful attacks have been demonstrated recently. However, they typically train and test on power traces captured from the same device. In this paper, we show that it is important to train and test on traces captured from different boards. Otherwise, it is easy to overestimate the classification accuracy. For example, if we train and test an MLP model on power traces captured from the same board, we can recover all key byte values with 88.5% accuracy from a single trace. However, the single-trace attack accuracy drops to 13.7% if we test on traces captured from a board different from the one we used for training, even if both boards carry identical chips.