kth.sePublications KTH
EnglishSvenskaNorsk
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
A Side-Channel Attack on a Higher-Order Masked CRYSTALS-Kyber Implementation
KTH, School of Electrical Engineering and Computer Science (EECS), Electrical Engineering, Electronics and Embedded systems.ORCID iD: 0000-0001-6281-4091
KTH, School of Electrical Engineering and Computer Science (EECS), Electrical Engineering, Electronics and Embedded systems.ORCID iD: 0000-0003-2349-3920
KTH, School of Electrical Engineering and Computer Science (EECS), Electrical Engineering, Electronics and Embedded systems.ORCID iD: 0000-0001-7382-9408
2024 (English)In: Applied Cryptography and Network Security - 22nd International Conference, ACNS 2024, Proceedings, Springer Nature , 2024, p. 301-324Conference paper, Published paper (Refereed)
Abstract [en]

In response to side-channel attacks on masked implementations of post-quantum cryptographic algorithms, a new bitsliced higher-order masked implementation of CRYSTALS-Kyber has been presented at CHES’2022. The bitsliced implementations are typically more difficult to break by side-channel analysis because they execute a single instruction across multiple bits in parallel. However, in this paper, we reveal new vulnerabilities in the masked Boolean to arithmetic conversion procedure of this implementation that make the shared and secret key recovery possible. We also present a new chosen ciphertext construction method which maximizes secret key recovery probability for a given message bit recovery probability. We demonstrate practical shared and secret key recovery attacks on the first-, second- and third-order masked implementations of Kyber-768 in ARM Cortex-M4 using profiled deep learning-based power analysis.
Place, publisher, year, edition, pages
Springer Nature , 2024. p. 301-324
Keywords [en]
Kyber, LWE/LWR-based KEM, Post-quantum cryptography, Public-key cryptography, Side-channel attack
National Category
Other Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
URN: urn:nbn:se:kth:diva-344819DOI: 10.1007/978-3-031-54776-8_12ISI: 001206024100012Scopus ID: 2-s2.0-85187721430OAI: oai:DiVA.org:kth-344819DiVA, id: diva2:1847625
Conference
22nd International Conference on Applied Cryptography and Network Security, ACNS 2024, Abu Dhabi, United Arab Emirates, Mar 5 2024 - Mar 8 2024
Note

QC 20240409

 Part of ISBN 9783031547751

Available from: 2024-03-28 Created: 2024-03-28 Last updated: 2025-12-05Bibliographically approved
In thesis
1. Side-Channel Attacks on Post-Quantum PKE/KEMs and Digital Signatures
Open this publication in new window or tab >>Side-Channel Attacks on Post-Quantum PKE/KEMs and Digital Signatures
2025 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Traditional public key cryptosystems rely on the hardness of specific mathematical problems, such as integer factorization and discrete logarithm problem. However, these problems can be solved efficiently by Shor's algorithm on a large-scale quantum computer. Although the development of quantum computers has progressed slowly over the past 40 years, it is estimated that a cryptographically relevant quantum computer is likely to be available in 2040, which intensifies the need for quantum-resistant cryptographic algorithms. In response to the quantum threat, in 2016, NIST launched a competition for standardizing post-quantum cryptographic primitives. In August 2024, NIST selected CRYSTALS-Kyber as the public key encryption and key encapsulation standard, and CRYSTALS-Dilithium as the digital signature standard.

However, algorithms which are secure from the perspective of conventional cryptanalysis may still be vulnerable to physical attacks, such as side-channel attacks. This thesis evaluates the resilience of software implementations of three lattice-based post-quantum cryptographic algorithms: Saber, CRYSTALS-Kyber, and CRYSTALS-Dilithium to side-channel attacks.

The presented results are based on seven appended papers. Two of them focus on side-channel attacks on Saber, four target CRYSTALS-Kyber, and one considers CRYSTALS-Dilithium. The main contributions of the thesis are:

  1. We evaluate and compare power side-channel and EM side-channel attacks, pointing that amplitude-modulated EM emissions are typically weaker and require a higher sampling rate for secret recovery. We also investigate the difficulty of performing attacks on protected and unprotected implementations.
  2. We propose several methods to improve the attack efficiency. For example, a novel neural network model aggregation technique called threshold voting is introduced for deep learning-based attacks. A higher-order attack on CRYSTALS-Kyber is presented by combining the leakages from Barrett reduction and message decoding. Furthermore, an optimal chosen-ciphertext construction strategy is developed to maximize the probability of secret key recovery given a fixed probability of message bit recovery. 
  3. We provide a thorough discussion of various attack scenarios, including attacks on encapsulation, decapsulation, and signing procedures. For each scenario, we outline the assumptions and requirements for a successful attack.
  4. We present countermeasures to mitigate side-channel attacks at both the algorithmic and hardware levels. We also discuss the limitations of these countermeasures, as well as the challenges associated with deep learning-based attacks.

Most of the methods presented in this thesis are not limited to the specific algorithms described in the papers, and can be extended to other algorithms that are similar to Saber, CRYSTALS-Kyber, and CRYSTALS-Dilithium.
Abstract [sv]

Traditionella kryptosystem med offentlig nyckel bygger på svårigheten i specifika matematiska problem, såsom faktorisering av heltal och problemet med diskreta logaritmer. Dessa problem kan dock lösas effektivt med Shors algoritm på en storskalig kvantdator. Även om utvecklingen av kvantdatorer har gått långsamt under de senaste 40 åren, beräknas det att en kryptografiskt relevant kvantdator sannolikt kommer att finnas tillgänglig år 2040, vilket ökar behovet av kvantresistenta kryptografiska algoritmer. Som svar på hotet från kvantdatorer lanserade NIST 2016 en tävling för standardisering av kvantdatorsäkra primitiver. I augusti 2024 valde NIST CRYSTALS-Kyber som standard för asymmetrisk kryptering och nyckelinkapsling, och CRYSTALS-Dilithium som standard för digitala signaturer.

Algoritmer som är säkra ur konventionell kryptanalytisk synvinkel kan dock fortfarande vara sårbara för fysiska attacker, såsom sidokanalsattacker. Denna avhandling utvärderar motståndskraften hos mjukvaruimplementationer av tre gitterbaserade kvantdatorsäkra algoritmer: Saber, CRYSTALS-Kyber och CRYSTALS-Dilithium mot sidokanalsattacker.

De presenterade resultaten baseras på sju bifogade artiklar. Två av dem fokuserar på sidokanalsattacker mot Saber, fyra riktar sig mot CRYSTALS-Kyber, och en behandlar CRYSTALS-Dilithium. Avhandlingens huvudsakliga bidrag är:

  1. Vi utvärderar och jämför effektbaserade och EM-baserade sidokanalsattacker, och påpekar att amplitudmodulerade EM-emissioner typiskt är svagare och kräver högre samplingsfrekvens för att återskapa hemligheter. Vi undersöker även svårigheten med att utföra attacker på skyddade och oskyddade implementationer.
  2. Vi föreslår flera metoder för att förbättra attackeffektiviteten. Till exempel introduceras en ny teknik för aggregering av neurala nätverksmodeller, kallad “threshold voting”, för attacker baserade på djupinlärning. En högre ordningens attack mot CRYSTALS-Kyber presenteras genom att kombinera läckage från Barrett-reduktion och meddelandede-kodning. Dessutom utvecklas en optimal strategi för valda chiffertextattacker för att maximera sannolikheten för att återskapa en hemlig nyckel givet en fast sannolikhet att återskapa av meddelandebitar.
  3. Vi ger en grundlig diskussion av olika attackscenarier, inklusive attacker mot inkapsling, avkapsling och signering. För varje scenario redogör vi för antaganden och krav för en framgångsrik attack.
  4. Vi presenterar motåtgärder för att försvåra sidokanalsattacker både på algoritm- och hårdvarunivå. Vi diskuterar också begränsningarna hos dessa motåtgärder samt utmaningarna med attacker baserade på djupinlärning.

De flesta metoder som presenteras i denna avhandling är inte begränsade till de specifika algoritmer som beskrivs i artiklarna, utan kan även tillämpas på andra algoritmer som liknar Saber, CRYSTALS-Kyber och CRYSTALS-Dilithium.
Place, publisher, year, edition, pages
KTH Royal Institute of Technology, 2025. p. xxiv, 125
Series
TRITA-EECS-AVL ; 2025:90
Keywords
Hardware Security, Side-Channel Attacks, Post-Quantum Cryptography, Public Key Encryption, Key Encapsulation Mechanism, Digital Signature, Hårdvarusäkerhet, Sidokanalsattacker, Kvantdatorsäker Kryptografi, Asymmetrisk Kryptering, Nyckelkapslingsmekanism, Digital signatur
National Category
Embedded Systems
Research subject
Information and Communication Technology
Identifiers
urn:nbn:se:kth:diva-371765 (URN)978-91-8106-417-9 (ISBN)
Public defence
2025-11-17, https://kth-se.zoom.us/j/66638877349, F3, Lindstedtsvägen 26, KTH Campus, Stockholm, 13:00 (English)
Opponent
Supervisors
Note

QC 20251019

Available from: 2025-10-19 Created: 2025-10-17 Last updated: 2025-10-27Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full textScopus

Authority records

Wang, RuizeBrisfors, MartinDubrova, Elena

Search in DiVA

By author/editor
Wang, RuizeBrisfors, MartinDubrova, Elena
By organisation
Electronics and Embedded systems
Other Electrical Engineering, Electronic Engineering, Information Engineering

Search outside of DiVA

GoogleGoogle Scholar

doi
urn-nbn

Altmetric score

doi
urn-nbn
Total: 421 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
v. 2.47.0
|
WCAG
|
KTH Library
|
DiVA support
|
Register in DiVA
|
Posting your thesis
|
SwePub
|
About Open Access