kth.se Publications (KTH DiVA)
Publications (10 of 162)
Ji, Y. & Dubrova, E. (2025). A side-channel attack on a masked hardware implementation of CRYSTALS-Kyber. JOURNAL OF CRYPTOGRAPHIC ENGINEERING, 15(1), Article ID 7.
2025 (English). In: JOURNAL OF CRYPTOGRAPHIC ENGINEERING, ISSN 2190-8508, Vol. 15, no 1, article id 7. Article in journal (Refereed). Published
Abstract [en]

NIST has recently selected CRYSTALS-Kyber as a new public key encryption and key establishment algorithm to be standardized. This makes it important to evaluate the resistance of CRYSTALS-Kyber implementations to side-channel attacks. Software implementations of CRYSTALS-Kyber have already been thoroughly analysed. The discovered vulnerabilities have helped improve subsequently released versions and promoted stronger countermeasures against side-channel attacks. In this paper, we present the first attack on a protected hardware implementation of CRYSTALS-Kyber. We demonstrate a practical message (shared key) recovery attack on the first-order masked FPGA implementation of Kyber-512 by Kamucheka et al. (2022) using power analysis based on the Hamming distance leakage model. The presented attack exploits a vulnerability located in the masked message decoding function executed during the decryption step of decapsulation. The message recovery is performed using a profiled deep learning-assisted method which extracts the message directly, without explicitly retrieving each share. By repeating the same decapsulation multiple times, it is possible to increase the success rate of full shared key recovery to 99%. We also analyse the feasibility of recovering shared keys during encapsulation and propose a countermeasure against the presented attack that is also applicable to FPGA implementations of other cryptographic algorithms.

Place, publisher, year, edition, pages
Springer Nature, 2025
Keywords
Public key cryptography, Post-quantum cryptography, CRYSTALS-Kyber, LWE/LWR-based KEM, Side-channel attack, Deep learning
National Category
Computer Engineering
Identifiers
urn:nbn:se:kth:diva-362930 (URN), 10.1007/s13389-025-00375-7 (DOI), 001458493000002 (ISI), 2-s2.0-105001686111 (Scopus ID)
Note

QC 20250430

Available from: 2025-04-30. Created: 2025-04-30. Last updated: 2025-04-30. Bibliographically approved.
Wang, R., Gärtner, J. & Dubrova, E. (2025). Decompressing Dilithium's Public Key with Fewer Signatures Using Side Channel Analysis. In: Proceedings - 2025 IEEE 55th International Symposium on Multiple-Valued Logic, ISMVL 2025: . Paper presented at 55th IEEE International Symposium on Multiple-Valued Logic, ISMVL 2025, Montreal, Canada, Jun 5 2025 - Jun 6 2025 (pp. 135-140). Institute of Electrical and Electronics Engineers (IEEE)
2025 (English). In: Proceedings - 2025 IEEE 55th International Symposium on Multiple-Valued Logic, ISMVL 2025, Institute of Electrical and Electronics Engineers (IEEE), 2025, p. 135-140. Conference paper, Published paper (Refereed)
Abstract [en]

The CRYSTALS-Dilithium digital signature scheme, selected by NIST as a post-quantum cryptography (PQC) standard under the name ML-DSA, employs a public key compression technique intended for performance optimization. Specifically, the module learning with error instance (A, t) is compressed by omitting the low-order bits t0 of the vector t. It was recently shown that knowledge of t0 enables more effective side-channel attacks on Dilithium implementations. Another recent work demonstrated a method for reconstructing t0 from multiple signatures. In this paper, we build upon this method by applying profiled deep learning-assisted side-channel analysis to partially recover the least significant bit of t0 from power traces. As a result, the number of signatures required for the reconstruction of t0 can be reduced by roughly half. We demonstrate how the new t0 reconstruction method enhances the efficiency of recovering the secret key component s1, thereby facilitating digital signature forgery, on an ARM Cortex-M4 implementation of Dilithium.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2025
Keywords
Dilithium, ML-DSA, post-quantum cryptography, Public-key cryptography, side-channel attack
National Category
Signal Processing
Identifiers
urn:nbn:se:kth:diva-368822 (URN), 10.1109/ISMVL64713.2025.00034 (DOI), 001540510800026 (ISI), 2-s2.0-105009349390 (Scopus ID)
Conference
55th IEEE International Symposium on Multiple-Valued Logic, ISMVL 2025, Montreal, Canada, Jun 5 2025 - Jun 6 2025
Note

Part of ISBN 9798331507442

QC 20250902

Available from: 2025-09-02. Created: 2025-09-02. Last updated: 2025-12-08. Bibliographically approved.
Aknesil, C., Dubrova, E., Lindskog, N., Sternby, J. & Englund, H. (2025). Hybrid Fingerprinting for Effective Detection of Cloned Neural Networks. In: Proceedings - 2025 IEEE 55th International Symposium on Multiple-Valued Logic, ISMVL 2025: . Paper presented at 55th IEEE International Symposium on Multiple-Valued Logic, ISMVL 2025, Montreal, Canada, Jun 5 2025 - Jun 6 2025 (pp. 129-134). Institute of Electrical and Electronics Engineers (IEEE)
2025 (English). In: Proceedings - 2025 IEEE 55th International Symposium on Multiple-Valued Logic, ISMVL 2025, Institute of Electrical and Electronics Engineers (IEEE), 2025, p. 129-134. Conference paper, Published paper (Refereed)
Abstract [en]

As artificial intelligence plays an increasingly important role in decision-making within critical infrastructure, ensuring the authenticity and integrity of neural networks is crucial. This paper addresses the problem of detecting cloned neural networks. We present a method for identifying clones that employs a combination of metrics from both the information and physical domains: output predictions, probability score vectors, and power traces measured from the device running the neural network during inference. We compare the effectiveness of each metric individually, as well as in combination. Our results show that the effectiveness of both the information and the physical domain metrics is excellent for a clone that is a near replica of the target neural network. Furthermore, both the physical domain metric individually and the hybrid approach outperform the information domain metrics at detecting clones whose weights were extracted with low accuracy. The presented method offers a practical solution for verifying neural network authenticity and integrity. It is particularly useful in scenarios where neural networks are at risk of model extraction attacks, such as in cloud-based machine learning services.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2025
Keywords
fingerprinting, intellectual property, model extraction, neural networks, power side channels
National Category
Communication Systems; Computer Sciences
Identifiers
urn:nbn:se:kth:diva-368825 (URN), 10.1109/ISMVL64713.2025.00033 (DOI), 001540510800025 (ISI), 2-s2.0-105009321533 (Scopus ID)
Conference
55th IEEE International Symposium on Multiple-Valued Logic, ISMVL 2025, Montreal, Canada, Jun 5 2025 - Jun 6 2025
Note

Part of ISBN 9798331507442

QC 20250902

Available from: 2025-09-02. Created: 2025-09-02. Last updated: 2025-12-08. Bibliographically approved.
Ji, Y., Dubrova, E. & Wang, R. (2025). Is Your Chip Leaking Secrets via RF Signals? In: Proceedings - 2025 IEEE 55th International Symposium on Multiple-Valued Logic, ISMVL 2025: . Paper presented at 55th IEEE International Symposium on Multiple-Valued Logic, ISMVL 2025, Montreal, Canada, Jun 5 2025 - Jun 6 2025 (pp. 141-146). Institute of Electrical and Electronics Engineers (IEEE)
2025 (English). In: Proceedings - 2025 IEEE 55th International Symposium on Multiple-Valued Logic, ISMVL 2025, Institute of Electrical and Electronics Engineers (IEEE), 2025, p. 141-146. Conference paper, Published paper (Refereed)
Abstract [en]

In this paper, we present a side-channel attack on the hardware AES accelerator of a Bluetooth chip used in millions of devices worldwide, ranging from wearables and smart home products to industrial IoT. The attack leverages information about AES computations unintentionally transmitted by the chip together with RF signals to recover the encryption key. Unlike traditional side-channel attacks that rely on power or near-field electromagnetic emissions as sources of information, RF-based attacks leave no evidence of tampering, as they do not require package removal, chip decapsulation, or additional soldered components. However, side-channel emissions extracted from RF signals are considerably weaker and noisier, necessitating more traces for key recovery. The presented profiled machine learning-assisted attack can recover the full encryption key from 45,000 traces captured at a one-meter distance from the target device, with each trace being an average of 10,000 samples per encryption. This is a fourfold improvement over the correlation analysis-based attack on the same AES accelerator.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2025
National Category
Computer Sciences
Identifiers
urn:nbn:se:kth:diva-368821 (URN), 10.1109/ISMVL64713.2025.00035 (DOI), 001540510800027 (ISI), 2-s2.0-105009322477 (Scopus ID)
Conference
55th IEEE International Symposium on Multiple-Valued Logic, ISMVL 2025, Montreal, Canada, Jun 5 2025 - Jun 6 2025
Note

Part of ISBN 9798331507442

QC 20250902

Available from: 2025-09-02. Created: 2025-09-02. Last updated: 2025-12-08. Bibliographically approved.
Lindskog, N., Englund, H., Sternby, J. & Dubrova, E. (2025). Machine Learning-Assisted Side-Channel Analysis for Software Integrity Verification. In: 2025 IEEE European Test Symposium, ETS 2025: . Paper presented at 2025 European Test Symposium-ETS-Annual, MAY 26-30, 2025, Tallinn, Estonia. Institute of Electrical and Electronics Engineers (IEEE)
2025 (English). In: 2025 IEEE European Test Symposium, ETS 2025, Institute of Electrical and Electronics Engineers (IEEE), 2025. Conference paper, Published paper (Refereed)
Abstract [en]

Traditional cryptographic methods for software integrity verification rely on validating cryptographic signatures attached to software binaries. However, these methods primarily focus on load-time measurements and may be circumvented by an attacker interfering with the boot process. To address this limitation, we propose a novel approach that uses side-channel data collected during software execution to generate a proof of software integrity. Through a side-channel trace encoder, we generate cryptographic keys derived from the unique side-channel profiles of software processes. This ensures that only the processes with expected side-channel characteristics can produce the valid key, effectively linking software integrity verification to runtime behavior. We demonstrate the feasibility of this approach in a secure boot setting compliant with the TCG DICE framework. The presented solution provides holistic boot protection while enhancing resilience against attacks such as fault injection, misconfiguration, and downgrading of security algorithms.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2025
Series
Proceedings of the European Test Symposium, ISSN 1530-1877
Keywords
Monitoring, machine learning, secure boot, security, side-channel analysis
National Category
Computer Sciences
Identifiers
urn:nbn:se:kth:diva-374670 (URN), 10.1109/ETS63895.2025.11049653 (DOI), 001540479400053 (ISI), 2-s2.0-105011078897 (Scopus ID)
Conference
2025 European Test Symposium-ETS-Annual, MAY 26-30, 2025, Tallinn, Estonia
Note

Part of ISBN 979-8-3315-9451-0; 979-8-3315-9450-3

QC 20260108

Available from: 2026-01-08. Created: 2026-01-08. Last updated: 2026-01-08. Bibliographically approved.
Dubrova, E. (2025). Solving AES-SAT Using Side-Channel Hints: A Practical Assessment. In: Proceedings - 2025 IEEE 55th International Symposium on Multiple-Valued Logic, ISMVL 2025: . Paper presented at 55th IEEE International Symposium on Multiple-Valued Logic, ISMVL 2025, Montreal, Canada, Jun 5 2025 - Jun 6 2025 (pp. 147-152). Institute of Electrical and Electronics Engineers (IEEE)
2025 (English). In: Proceedings - 2025 IEEE 55th International Symposium on Multiple-Valued Logic, ISMVL 2025, Institute of Electrical and Electronics Engineers (IEEE), 2025, p. 147-152. Conference paper, Published paper (Refereed)
Abstract [en]

Side-channel attacks exploit information leaked through non-primary channels, such as power consumption, electromagnetic emissions, or timing, to extract sensitive data from cryptographic devices. Over the past three decades, side-channel analysis has evolved into a mature research field with well-established methodologies for analyzing standard cryptographic algorithms like the Advanced Encryption Standard (AES). However, the integration of side-channel analysis with formal methods remains relatively unexplored. In this paper, we present a hybrid attack on AES that combines side-channel analysis with SAT. We model AES as a SAT problem and leverage hints of the input and output values of the S-boxes, extracted via profiled deep learning-based power analysis, to solve it. Experimental results on an ATXmega128D4 MCU implementation of AES-128 demonstrate that the SAT-assisted approach consistently recovers the full encryption key from a single trace, captured from devices different from those used for profiling, within one hour. In contrast, without SAT assistance, the success rate remains below 80% after 26 hours of key enumeration.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2025
Keywords
AES, power analysis, SAT, Side-channel attack
National Category
Computer Sciences; Other Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
urn:nbn:se:kth:diva-368820 (URN), 10.1109/ISMVL64713.2025.00036 (DOI), 001540510800028 (ISI), 2-s2.0-105009322240 (Scopus ID)
Conference
55th IEEE International Symposium on Multiple-Valued Logic, ISMVL 2025, Montreal, Canada, Jun 5 2025 - Jun 6 2025
Note

Part of ISBN 9798331507442

QC 20250902

Available from: 2025-09-02. Created: 2025-09-02. Last updated: 2025-12-08. Bibliographically approved.
Wang, R. & Dubrova, E. (2024). A Shared Key Recovery Attack on a Masked Implementation of CRYSTALS-Kyber’s Encapsulation Algorithm. In: Foundations and Practice of Security - 16th International Symposium, FPS 2023, Revised Selected Papers: . Paper presented at 16th International Symposium on Foundations and Practice of Security, FPS 2023, Bordeaux, France, Dec 11 2023 - Dec 13 2023 (pp. 424-439). Springer Nature
2024 (English). In: Foundations and Practice of Security - 16th International Symposium, FPS 2023, Revised Selected Papers, Springer Nature, 2024, p. 424-439. Conference paper, Published paper (Refereed)
Abstract [en]

In July 2022, NIST selected CRYSTALS-Kyber as a new post-quantum secure public key encryption and key encapsulation mechanism to be standardized. To safeguard its shared and secret keys from side-channel attacks (SCA), countermeasures such as masking and shuffling are applied. However, the existing SCA-protected implementations of CRYSTALS-Kyber protect the decapsulation algorithm only. The encapsulation algorithm is not covered because single-trace shared key recovery attacks on encapsulation are not considered feasible. Since the same shared key is never encapsulated more than once, the attacker gets only a single trace per shared key from the execution of the encapsulation algorithm. In this paper, we demonstrate a practical single-trace shared key recovery attack on a first-order masked implementation of the encapsulation algorithm of Kyber-768 in ARM Cortex-M4 based on deep learning-assisted power analysis. Our main contribution is a new aggregation method for ensemble learning that enables enumeration during shared key recovery. Our experimental results show that a full shared key can be recovered with a 91% probability on average from a single trace captured from a device different from the one used for profiling.

Place, publisher, year, edition, pages
Springer Nature, 2024
Keywords
Kyber, LWE/LWR-based KEM, Post-quantum cryptography, Public-key cryptography, Side-channel attack
National Category
Computer Engineering
Identifiers
urn:nbn:se:kth:diva-346848 (URN), 10.1007/978-3-031-57537-2_26 (DOI), 001280331400027 (ISI), 2-s2.0-85192540751 (Scopus ID)
Conference
16th International Symposium on Foundations and Practice of Security, FPS 2023, Bordeaux, France, Dec 11 2023 - Dec 13 2023
Note

QC 20240530

Available from: 2024-05-24. Created: 2024-05-24. Last updated: 2025-10-17. Bibliographically approved.
Wang, R., Brisfors, M. & Dubrova, E. (2024). A Side-Channel Attack on a Higher-Order Masked CRYSTALS-Kyber Implementation. In: Applied Cryptography and Network Security - 22nd International Conference, ACNS 2024, Proceedings: . Paper presented at 22nd International Conference on Applied Cryptography and Network Security, ACNS 2024, Abu Dhabi, United Arab Emirates, Mar 5 2024 - Mar 8 2024 (pp. 301-324). Springer Nature
2024 (English). In: Applied Cryptography and Network Security - 22nd International Conference, ACNS 2024, Proceedings, Springer Nature, 2024, p. 301-324. Conference paper, Published paper (Refereed)
Abstract [en]

In response to side-channel attacks on masked implementations of post-quantum cryptographic algorithms, a new bitsliced higher-order masked implementation of CRYSTALS-Kyber has been presented at CHES’2022. The bitsliced implementations are typically more difficult to break by side-channel analysis because they execute a single instruction across multiple bits in parallel. However, in this paper, we reveal new vulnerabilities in the masked Boolean to arithmetic conversion procedure of this implementation that make the shared and secret key recovery possible. We also present a new chosen ciphertext construction method which maximizes secret key recovery probability for a given message bit recovery probability. We demonstrate practical shared and secret key recovery attacks on the first-, second- and third-order masked implementations of Kyber-768 in ARM Cortex-M4 using profiled deep learning-based power analysis.

Place, publisher, year, edition, pages
Springer Nature, 2024
Keywords
Kyber, LWE/LWR-based KEM, Post-quantum cryptography, Public-key cryptography, Side-channel attack
National Category
Other Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
urn:nbn:se:kth:diva-344819 (URN), 10.1007/978-3-031-54776-8_12 (DOI), 001206024100012 (ISI), 2-s2.0-85187721430 (Scopus ID)
Conference
22nd International Conference on Applied Cryptography and Network Security, ACNS 2024, Abu Dhabi, United Arab Emirates, Mar 5 2024 - Mar 8 2024
Note

QC 20240409

Part of ISBN 9783031547751

Available from: 2024-03-28. Created: 2024-03-28. Last updated: 2025-12-05. Bibliographically approved.
Jendral, S., Mattsson, J. P. & Dubrova, E. (2024). A Single-Trace Fault Injection Attack on Hedged Module Lattice Digital Signature Algorithm (ML-DSA). In: Proceedings - 2024 Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2024: . Paper presented at 21st Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2024, Halifax, Canada, September 4, 2024 (pp. 34-43). Institute of Electrical and Electronics Engineers (IEEE)
2024 (English). In: Proceedings - 2024 Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2024, Institute of Electrical and Electronics Engineers (IEEE), 2024, p. 34-43. Conference paper, Published paper (Refereed)
Abstract [en]

Module Lattice Digital Signature Algorithm (ML-DSA) is a post-quantum digital signature algorithm currently being standardised by the NIST. Devices making use of ML-DSA are expected to soon become generally available in various environments. It is thus important to assess the resistance of ML-DSA implementations to physical attacks. This paper presents a fault injection attack on hedged ML-DSA in ARM Cortex-M4. First, voltage glitching is performed to skip computation of a seed during the generation of the signature. We identified settings that allowed us to consistently skip the necessary function without crashing the device. After the fault injection, the secret key vector s1 is derived directly from the resulting faulty signature. The attack succeeds in recovering s1 from a single trace with a probability of around 53%. We also propose countermeasures against the presented attack.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2024
Keywords
CRYSTALS-Dilithium, Digital signature, Dilithium, Fault injection, Key recovery attack, ML-DSA, PQC
National Category
Security, Privacy and Cryptography
Identifiers
urn:nbn:se:kth:diva-367300 (URN), 10.1109/FDTC64268.2024.00013 (DOI), 001413051800005 (ISI), 2-s2.0-85210867422 (Scopus ID)
Conference
21st Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2024, Halifax, Canada, September 4, 2024
Note

Part of ISBN 9798350380361

QC 20250716

Available from: 2025-07-16. Created: 2025-07-16. Last updated: 2025-07-16. Bibliographically approved.
Jendral, S., Ngo, K., Wang, R. & Dubrova, E. (2024). Breaking SCA-Protected CRYSTALS-Kyber with a Single Trace. In: Proceedings of the 2024 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2024: . Paper presented at 2024 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2024, McLean, United States of America, May 6 2024 - May 9 2024 (pp. 70-73). Institute of Electrical and Electronics Engineers (IEEE)
2024 (English). In: Proceedings of the 2024 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2024, Institute of Electrical and Electronics Engineers (IEEE), 2024, p. 70-73. Conference paper, Published paper (Refereed)
Abstract [en]

CRYSTALS-Kyber is a post-quantum secure key encapsulation mechanism which is currently being standardized by the NIST. This makes it important to assess the resistance of CRYSTALS-Kyber implementations to physical attacks. In this paper, we present an attack on a masked and shuffled implementation of CRYSTALS-Kyber in ARM Cortex-M4 that combines side-channel analysis (SCA) with fault injection. First, voltage glitching is performed to bypass the shuffling. We found settings that consistently skip the desired instructions without crashing the device. After the successful fault injection, a deep learning-assisted profiled power analysis based on the Hamming weight leakage model is applied to recover the message (shared key). We use a partial key enumeration method that significantly increases the success rate of message recovery. We also propose countermeasures against the presented attack.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2024
Keywords
CRYSTALS-Kyber, Fault injection, ML-KEM, Post-quantum cryptography, Side-channel attack
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
urn:nbn:se:kth:diva-348774 (URN), 10.1109/HOST55342.2024.10545390 (DOI), 001243879400023 (ISI), 2-s2.0-85196103145 (Scopus ID)
Conference
2024 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2024, McLean, United States of America, May 6 2024 - May 9 2024
Note

QC 20240701

Part of ISBN 979-835037394-3

Available from: 2024-06-27. Created: 2024-06-27. Last updated: 2025-12-05. Bibliographically approved.
Organisations
Identifiers
ORCID iD: orcid.org/0000-0001-7382-9408