In this paper, we present a side-channel attack on a first-order masked implementation of IND-CCA secure Saber KEM. We show how to recover both the session key and the long-term secret key from 24 traces using a deep neural network created at the profiling stage. The proposed message recovery approach learns a higher-order model directly, without explicitly extracting random masks at each execution. This eliminates the need for a fully controllable profiling device which is required in previous attacks on masked implementations of LWE/LWR-based PKEs/KEMs. We also present a new secret key recovery approach based on maps from error-correcting codes that can compensate for some errors in the recovered message. In addition, we discovered a previously unknown leakage point in the primitive for masked logical shifting on arithmetic shares.

In this paper, we show that a software implementation of CCA secure Saber KEM protected by first-order masking and shuffling can be broken by deep learning-based power analysis. Using an ensemble of deep neural networks created at the profiling stage, we can recover the session key and the long-term secret key from 257 x N and 24 x 257 x N traces, respectively, where N is the number of repetitions of the same measurement. The value of N depends on the implementation, environmental factors, acquisition noise, etc.; in our experiments N = 10 is enough to succeed.The neural networks are trained on a combination of 80% of traces from the profiling device with a known shuffling order and 20% of traces from the device under attack captured for all-0 and all-1 messages. "Spicing'' the training set with traces from the device under attack helps minimize the negative effect of device variability. 

The hardware random number generator (RNG) integrated in STM32 MCUs is intended to ensure that the numbers it generates cannot be guessed with a probability higher than a random guess. The RNG is based on several ring oscillators whose outputs are combined and post-processed to produce a 32-bit random number per round of computation. In this paper, we show that it is possible to train a neural network capable of recovering the Hamming weight of these random numbers from power traces with a higher than 60% probability. This is a 4-fold improvement over the 14% probability of the most likely Hamming weight.

In the ongoing last round of NIST’s post-quantum cryptography standardization competition, side-channel analysis of finalists is a main focus of attention. While their resistance to timing, power and near field electromagnetic (EM) side-channels has been thoroughly investigated, amplitude-modulated EM emanations has not been considered so far.The attacks based on amplitude-modulated EM emanations are more stealthy because they exploit side-channels intertwined into the signal transmitted by the on-board antenna. Thus, they can be mounted on a distance from the device under attack.In this paper, we present the first results of an amplitude-modulated EM side-channel analysis of one of the NIST PQ finalists, Saber key encapsulation mechanism (KEM), implemented on the nRF52832 (ARM Cortex-M4) system-on-chip supporting Bluetooth 5.By capturing amplitude-modulated EM emanations during decapsulation, we can recover each bit of the session key with 0.91 probability on average.

Creating a good deep learning model is an art which requires expertise in deep learning and a large set of labeled data for training neural networks. Neither is readily available. In this paper, we introduce a method that enables us to recover messages of LWE/LWR-based PKE/KEMs using simple multilayer perceptron (MLP) models trained on a small dataset. The core idea is to extend the attack dataset so that at least one of its traces has the ground truth label to which the models are biased towards. We demonstrate the effectiveness of the presented method on the examples of CRYSTALS-Kyber and Saber algorithms implemented in ARM Cortex-M4 CPU on nRF52832 system-on-chip supporting Bluetooth 5.2.We use amplitude-modulated EM emanations which are typically weaker and noisier than power or near-field EM side channels, and thus more difficult to exploit.

Public-key cryptographic schemes currently in use depend on the intractability of certain mathematical problems such as integer factorization or the discrete logarithm. However, Shor's algorithm can solve these problems in polynomial time if large-scale quantum computers become available. This will compromise the security of today's public-key cryptosystems. To address this issue, new public-key cryptographic primitives are being developed. One of them is Saber whose security relies on the Learning With Rounding (LWR) problem that is believed to be hard for quantum computers. The resistance of unprotected and first-order masked implementations of Saber to side-channel attacks has been already investigated. In this paper, we demonstrate the first successful message and secret key recovery attacks on the second- and third-order masked implementations of Saber in ARM Cortex-M4 CPU by deep learning-based power analysis. Our experimental results show that currently available software implementations of Saber need better protection.

CRYSTALS-Kyber has been recently selected by the NIST as a new public-key encryption and key-establishment algorithm to be standardized. This makes it important to assess how well CRYSTALS-Kyber implementations withstand side-channel attacks. Software implementations of CRYSTALS-Kyber have already been analyzed and the discovered vulnerabilities were patched in the subsequently released versions. In this paper, we present a profiling side-channel attack on a hardware implementation of CRYSTALS-Kyber. Since hardware implementations carry out computations in parallel, they are typically more difficult to break than their software counterparts. We demonstrate a successful message (session key) recovery attack on a Xilinx Artix-7 FPGA implementation of CRYSTALS-Kyber  by deep learning-based power analysis. Our results indicate that currently available hardware implementations of CRYSTALS-Kyber need better protection against side-channel attacks.

CRYSTALS-Kyber has been selected by the NIST as a public-key encryption and key encapsulation mechanism to be standardized. It is also included in the NSA's suite of cryptographic algorithms recommended for national security systems. This makes it  important to evaluate the resistance of CRYSTALS-Kyber's implementations to side-channel attacks. The unprotected and first-order masked software implementations have been already analysed. In this paper, we present deep learning-based message recovery attacks on the $\omega$-order masked implementations of CRYSTALS-Kyber in ARM Cortex-M4 CPU for $\omega \leq 5$. The main contribution is a new neural network training method called {\em recursive learning}. In the attack on an $\omega$-order masked implementation, we start training from an artificially constructed neural network $M^{\omega}$ whose weights are partly copied from a model $M^{\omega-1}$ trained on the $(\omega-1)$-order masked implementation, and then extended to one more share. Such a method allows us to train neural networks that can recover a message bit with the probability above 99\% from high-order masked implementations. 

Shuffling is a well-known countermeasure against side-channel analysis. It typically uses the Fisher-Yates (FY) algorithm to generate a random permutation which is then utilized as the loop iterator to index the processing of the variables inside the loop. The processing order is scrambled as a result, making side-channel analysis more difficult. Recently, a side-channel attack on a masked and shuffled implementation of Saber requiring 61,680 power traces to extract the secret key was reported. In this paper, we present an attack that can recover the secret key of Saber from 4,608 traces. The key idea behind the 13-fold improvement is to recover FY indexes directly, rather than by extracting the message Hamming weight and bit flipping, as in the previous attack.We capture a power trace during the execution of the decapsulation algorithm for a given ciphertext, recover FY indexes 0 and 255, and extract the corresponding two message bits. Then, we modify the ciphertext to cyclically rotate the message, capture a power trace, and extract the next two message bits with FY indexes 0 and 255. In this way, all message bits can be extracted.By recovering messages contained in $k*l$ chosen ciphertexts constructed using a new method based on error-correcting codes with length $l$, where $k$ is the security level, we recover the long term secret key. To demonstrate the generality of the presented approach, we also recover the secret key from a masked and shuffled implementation of CRYSTALS-Kyber, which NIST recently selected as a new public-key encryption and key-establishment algorithm to be standardized.