Power-based Side Channel Attack Analysis on PQC Algorithms

Tendayi Kamucheka, Michael Fahr, Tristen Teague, Alexander Nelson, David Andrews, Miaoqing Huang
Department of Computer Science and Computer Engineering
University of Arkansas
{tfkamuch,mjfahr,tdteague,ahnelson,dandrews,mqhuang}@uark.edu

Abstract—Power-based side channel attacks have been successfully conducted against proven cryptographic algorithms, including standardized algorithms such as AES and RSA. These algorithms are now supported by best practices in hardware and software to defend against such attacks. As NIST conducts the third round of the post-quantum cryptography (PQC) standardization process, a key task is to identify the security that candidate algorithms have against side channel attacks, and the tradeoffs that must be made to obtain that level of protection. In this work, we document the development of a multi-target and multi-tool platform to conduct test vector leakage assessment of the candidate algorithms. The long-term goals of the platform are to 1) quantify test vector leakage of each of the primary and alternate candidates, 2) quantify test vector leakage of each of the candidates when adjustments and adaptations (e.g., masking) are applied, and 3) assess the equivalent security levels when tools of varying sophistication are used in the attack (e.g., commodity vs. specialized hardware). The goal of this work is to document the progress towards that standardized platform and to invite discussion on how to extend, refine, and distribute our tools.

1. Introduction

Cryptographic schemes developed for classical computers, such as RSA and Diffie-Hellman, rely on the assumption that problems such as factoring large integers and computing discrete logarithms are computationally intractable. Shor’s algorithm showed that both problems can be solved in polynomial time given a sufficiently powerful quantum computer. Consequently, the need for newer quantum-resistant cryptographic standards has given rise to a new class of cryptography now commonly known as Post Quantum Cryptography (PQC).

Post Quantum Cryptography represents a class of quantum-resistant cryptographic schemes not known to be susceptible to quantum computers; plainly, no significant advantage is gained by executing a cryptanalytic attack on a quantum computer rather than a classical computer. At the time of this writing, promising PQC schemes are code-based, hash-based, lattice-based, multivariate-based, or supersingular elliptic curve isogeny-based. It is not yet known which of these will emerge as future standards. Although large-scale quantum computing attacks still remain outside the scope of modern engineering capabilities, preparation to develop and deploy alternative schemes resistant to quantum attacks has already begun.

In 2009, the National Institute of Standards and Technology (NIST) launched its PQC initiative to standardize one or more quantum-resistant cryptographic schemes [1]. NIST is a non-regulatory government agency that develops technology, standards, and guidelines to help federal agencies meet the requirements of the Federal Information Security Modernization Act of 2014 (FISMA) [2]. NIST is also responsible for producing Federal Information Processing Standards (FIPS) in accordance with FISMA. In 2016, NIST announced the NIST PQC competition, in which contestants from around the world were invited to submit candidate quantum-resistant cryptographic schemes for evaluation and ultimately standardization. NIST does not intend to pick a single winner of the competition [3]. The successful candidate(s) will be selected for standardization and will augment the cryptographic algorithms specified in FIPS 186-4 [4], [5].

By November 2017, 82 candidate algorithms had been submitted for consideration, of which 69 met the minimum requirements for entry [6]. The first round submissions included public-key encryption (PKE), key-establishment mechanism (KEM), and digital signature (DS) schemes. Twenty-six candidate schemes were selected for the second round of the competition. NIST narrowed the selection to 9 PKE/KEM schemes and 6 DS schemes for the third round in July 2020 [4], [6]. Most of the earlier candidates fell out of the race because they were significantly compromised by cryptanalytic attacks, while some merged to become stronger contenders. In the second round of the competition NIST evaluated the candidate schemes on cost and performance as well as security.

During the third round NIST has incorporated performance and side channel resistance as features in the selection process. A standardized platform for analyzing these features is necessary to establish them for a given candidate. In this work, we present the development of a platform for power-based side channel analysis of Round 3 finalist and alternate candidate algorithms. The work presented in this paper is in pursuit of our overall objective: to quantify the side channel security of PQC candidates and their derivatives against an array of power-based techniques, using equipment ranging from commodity hardware to specialized tools.
TABLE 1: NIST PQC competition round 3 finalists and alternate candidates grouped by algorithm category.

|                      | Category      | PKE/KEM                                  | Digital Signatures         |
|----------------------|---------------|------------------------------------------|----------------------------|
| Finalists            | Code-based    | Classic McEliece                         | -                          |
|                      | Hash-based    | -                                        | -                          |
|                      | Lattice-based | CRYSTALS-Kyber [8], NTRU [9], SABER [10] | CRYSTALS-Dilithium, FALCON |
|                      | Multivariate  | -                                        | Rainbow [13]               |
| Alternate Candidates | Code-based    | BIKE [14], HQC [15], [16]                | -                          |
|                      | Hash-based    | -                                        | SPHINCS+ [19]              |
|                      | Lattice-based | FrodoKEM [17], NTRU Prime [18]           | -                          |
|                      | Multivariate  | -                                        | GeMSS [20]                 |

2. Background

2.1. Round 3 Candidates

In the third round of the PQC competition, the selected candidate algorithms are designated as either finalists or alternate candidates. The finalists are the schemes more likely to be considered for standardization at the end of the round, while the alternates are schemes advanced into the third round with some, but lower, likelihood of being standardized [21].

Submissions to the competition have formally been separated into two classes, public-key encryption and key-establishment schemes, and digital signature schemes. In addition to these classes, the candidate algorithms represent multiple categories of cryptographic schemes by their underlying mathematical formulation. These categories are: 1) code-based, 2) hash-based, 3) lattice-based, and 4) multivariate PKE-based cryptography. Table 1 shows Round 3 candidates and their placement in the various algorithm categories.

Lattice-based schemes are the most common among third round finalists. Because they are similar in their underlying mathematics and would therefore be susceptible to similar attacks, it is likely that at most one lattice-based algorithm will be selected for standardization [21]. Lattice-based schemes have emerged as popular candidates due to their relatively simple constructions and the robust security guarantees given by their underlying problems, which hold even in the worst case. Typical lattice problems that form the basis for their security include the Short Integer Solution (SIS) problem, the Shortest Vector Problem (SVP), Learning With Errors (LWE), Ring-LWE (R-LWE), and Module-LWE (M-LWE). R-LWE and M-LWE are potentially reducible to SVP [22]. Thus far, lattice cryptosystems have resisted theoretical attacks. However, there has been less focus on the robustness of lattice cryptography to side channel assisted attacks. More scrutiny of the finalist candidates may reveal potential concerns, and these concerns must be evaluated in a standardized and fair manner across all finalist candidates.

2.2. Side Channel Attack Methods

Typical side channel attack methods include cold boot attacks, fault attacks, timing attacks, and power analysis. Cold boot attacks require the attacker to have physical access to the device. In this attack, the adversary applies coolant to the DRAM to freeze it and slow the rate of information decay; the DRAM contents are then dumped onto an external device for further analysis. A cold boot attack targeting the number theoretic transform (NTT), which is commonly used by many ring- and module-LWE PQC algorithms such as Kyber and NewHope, was demonstrated [23]. The attack recovered between 60 and 90% of the secret coefficients, depending on the parameters used for algorithm strength.

Another common method of attack used for extracting secret information from cryptographic devices is the fault attack. This attack operates by having the adversary induce a fault into the cryptographic device, causing unintended operations to reveal secret information that can lead to a key recovery.

Timing attacks are yet another common method to extract secret information. Timing attacks are accomplished by analyzing the amount of time required to process cryptographic algorithms on varying inputs and using this data to recover secret information. A major countermeasure to this attack is to implement the algorithms in constant-time. However, this can incur significant overhead for the algorithm. Timing attacks have been found to be effective against many of the PQC algorithms including FrodoKEM, HQC, and Falcon.

Power analysis attacks are broader and more varied than other types of side channel attacks. One type that has been demonstrated is the simple power analysis (SPA) attack, which in most cases relies on direct inspection of observed power or electromagnetic (EM) traces [24], [25]. The other form is differential power analysis (DPA), which applies additional analysis techniques such as statistical correlation or device profiling and templating [25]. The analysis is performed on many, sometimes thousands of, traces in conjunction with in-depth knowledge of the inner workings of the algorithm.

3. Power Analysis on Selected PQC algorithms

3.1. Equipment and Platforms

We are currently evaluating both hardware and software implementations of the target PQC algorithms. We collect the power traces using a Tektronix oscilloscope (model: MDO34 3-BW-200, bandwidth: 200 MHz, sample rate: 2.5 GS/s) and a commodity off-the-shelf NewAE ChipWhisperer-Lite.

**FPGA Platform:** Hardware implementations are evaluated on a Xilinx Virtex®-7 (XC7VX485T-2FFG1761C) VC707 FPGA board. Xilinx Vivado 2019.1 and SDK tools are used for design and synthesis of HDL (hardware description language) implementations. The VC707 FPGA board is equipped with one Texas Instruments PTD08A020W, one PTD08A010W, and five PTD08D210W DC-to-DC power modules. These power modules convert the 12V main input and supply the various power rails, which power the internal circuitry of the FPGA [26], [27]. The PTD08A020W and PTD08A010W modules each have a single voltage output and a corresponding current output, for VCCINT and VCC_ADJ respectively. Each of the PTD08D210W modules has two voltage outputs, each with a corresponding current measurement output. Small copper hooks were soldered onto the exposed pads of the current outputs corresponding to VCCINT, VCCAUX_IO, and VCCBRAM. The oscilloscope analog probes are attached to the copper hooks (see Figure 1), with the ground of the probes attached to the common ground of the FPGA board. Since the VC707 does not have any dedicated GPIO pin headers, the GPIO pins located inside the 20-pin XADC connector are used to bring out trigger signals, which are attached to the digital probes of the oscilloscope. For a more realistic attack in which no trigger signals are available to the attacker, the same result can be achieved by soldering a suitable wire onto the exposed RX pin of the UART port and triggering on the incoming UART traffic; some profiling may then be required to narrow the search space in the measured trace.

**Microcontroller Platforms:** Software implementations are evaluated on an STM32F4 Discovery (STM32F407G-DISC1) evaluation kit. The evaluation board includes an STM32F407VGT6 microcontroller, which features a 32-bit ARM Cortex-M4 processor. The software implementations are obtained from the “pqm4” library [28]. The Discovery board was modified using a solder rework station to enable direct contact for power analysis (see Figure 2). Specifically, on the LQFP100 package that houses the STM32 controller, pins 11, 19, 22, 28, 50, 75, and 100 were lifted from their pads, and 1Ω shunt resistors were attached in series between pins 25 and 50 and their pads respectively. Hot glue was applied to the resistors to stabilize the components so that the oscilloscope probes could be attached. A USB-TTL converter was connected with a 2-pin cable to pins PA2 and PA3, the UART used for communication between the host machine and the algorithms under test. A logic probe was attached to GPIO pins PC13 to PC15 to align the oscilloscope captures with specific parts of the algorithms; the oscilloscope trigger was configured to capture the waveform automatically on the output of the logic probe. Single-ended passive analog probes must share a common ground with the digital logic, so a single probe cannot be placed across the shunt; instead, two analog probes were used, with the probe tips connected to each side of the shunt resistor and referenced to ground, and a virtual math channel on the Tektronix oscilloscope computed the difference between the two probe potentials to produce the power trace. Note that this is a digital difference, not an analog differential measurement. In future work, we plan to explore the use of differential or active probes in order to quantify their benefit to SPA/DPA side channel analysis.

Our final capture platform is the NewAE ChipWhisperer-Lite 32-bit synchronous power capture tool with a removable target board carrying an STM32F303 microcontroller (ARM Cortex-M4 processor). This tool adds a point of comparison to demonstrate the capability of commodity hardware against higher-end tools such as oscilloscopes. The capture device uses a Xilinx Spartan-6 FPGA to obtain 10-bit ADC samples at up to 105 MS/s, clocked synchronously with the target. Our setup currently captures power traces from the default target board (i.e., the STM32F303 microcontroller). Future work will capture traces from the STM32F4 Discovery board to make direct comparisons between capture methods. At this stage we can capture power traces of candidate algorithms, but do not yet have a basis for comparing these traces to those captured by the Tektronix oscilloscope, so analysis of these traces is left to future work.

3.2. Test Vector Leakage Assessment

The Test Vector Leakage Assessment (TVLA) [29] has become the de facto standard in the evaluation of side channel measurements. TVLA identifies differences between two sets of side channel measurements, such as power or EM traces, by computing a univariate Welch’s t-test at every sample point of the traces. In the non-specific test used here, one set \( T_f \) is collected while the device processes a fixed input and the other set \( T_r \) while it processes random inputs. The t-statistic at a given sample point is

\[ t = \frac{\bar{\mu}_r - \bar{\mu}_f}{\sqrt{\frac{s^2_r}{n_r} + \frac{s^2_f}{n_f}}} \]

where \( \bar{\mu}_r, s_r, n_r \) are the mean, standard deviation, and number of traces in \( T_r \), and \( \bar{\mu}_f, s_f, n_f \) are the same quantities for \( T_f \).

The null hypothesis, that the two sets have the same mean at that sample point, is rejected with a confidence level of 99.999% if the absolute value of the t-statistic exceeds 4.5 [29]. Under the independent leakage assumption, any variation between the two trace sets is the result of the underlying computation rather than other factors such as hardware architecture features [31]. Therefore a rejected null hypothesis, which constitutes a fail decision, indicates that the two trace sets \( T_r \) and \( T_f \) are distinguishable and that the measurements might leak information about the underlying computation. A fail does not by itself establish that the leakage is exploitable by a key-recovery attack, and a pass of this first-order univariate test does not rule out leakage in higher statistical moments or in combinations of sample points. We use TVLA to confirm the presence or absence of side channel leakage for power traces measured on the oscilloscope and the ChipWhisperer.
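As an added example, not the paper's capture or analysis scripts, the following Python implements the non-specific fixed-vs-random t-test above, together with the fixed-vs-fixed control experiment used later for Figure 4, over constructed traces. The toy power model (Gaussian noise at every sample plus a Hamming-weight term at one sample index), the seed, the leaking index and its gain are assumptions made here so that the script runs offline; with real captures the two trace sets would be loaded from the oscilloscope or ChipWhisperer instead of generated.

```python
"""Non-specific (fixed vs. random) TVLA over constructed power traces.

Added example, not the paper's capture or analysis code. The power model and
all traces are constructed here so the script runs without hardware.
"""
import math
import random

THRESHOLD = 4.5  # |t| above this rejects the null hypothesis in TVLA [29]


def hamming_weight(x):
    return bin(x).count("1")


def welch_t(a, b):
    """Welch's t-statistic (unequal variances) for two independent samples."""
    n_a, n_b = len(a), len(b)
    mean_a = sum(a) / n_a
    mean_b = sum(b) / n_b
    var_a = sum((x - mean_a) ** 2 for x in a) / (n_a - 1)
    var_b = sum((x - mean_b) ** 2 for x in b) / (n_b - 1)
    return (mean_a - mean_b) / math.sqrt(var_a / n_a + var_b / n_b)


def tvla(traces_a, traces_b):
    """One t-statistic per sample point; all traces have the same length."""
    n_points = len(traces_a[0])
    return [
        welch_t([t[i] for t in traces_a], [t[i] for t in traces_b])
        for i in range(n_points)
    ]


def leaking_points(t_values, threshold=THRESHOLD):
    """Sample indices where the null hypothesis (equal means) is rejected."""
    return [i for i, t in enumerate(t_values) if abs(t) > threshold]


def simulate_trace(rng, byte, n_points=20, leak_index=7, gain=0.1, noise=1.0):
    """Constructed power model (assumption): Gaussian noise at every sample,
    plus a term proportional to the Hamming weight of the processed byte at
    the one sample where an input-dependent intermediate is handled."""
    trace = [rng.gauss(0.0, noise) for _ in range(n_points)]
    trace[leak_index] += gain * hamming_weight(byte)
    return trace


def collect(rng, n_traces, fixed_byte=None):
    """Fixed set reuses one byte; random set draws a fresh byte per trace."""
    traces = []
    for _ in range(n_traces):
        byte = fixed_byte if fixed_byte is not None else rng.randrange(256)
        traces.append(simulate_trace(rng, byte))
    return traces


def run_assessment(seed=1, n_traces=2000):
    """Fixed-vs-random test plus a fixed-vs-fixed control, as in Figure 4."""
    rng = random.Random(seed)
    fixed = collect(rng, n_traces, fixed_byte=0xFF)       # HW = 8 in every trace
    rand = collect(rng, n_traces)                          # HW averages 4
    fixed_ctrl = collect(rng, n_traces, fixed_byte=0xFF)  # second fixed set
    return {
        "fixed_vs_random": tvla(rand, fixed),
        "fixed_vs_fixed": tvla(fixed_ctrl, fixed),
    }


if __name__ == "__main__":
    results = run_assessment()
    for name, t_values in results.items():
        worst = max(range(len(t_values)), key=lambda i: abs(t_values[i]))
        print(f"{name}: max |t| = {abs(t_values[worst]):.2f} at sample {worst}, "
              f"fail points = {leaking_points(t_values)}")
```

The control set matters as much as the test itself: if fixed-vs-fixed already crosses 4.5 at some sample, the setup (trigger jitter, drift, probe placement) is producing the difference, not the computation, and the fixed-vs-random fail at that sample cannot be attributed to leakage.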

3.3. Implementation and Results

Power traces of software implementations were captured for the Round 3 NIST PKE/KEM and DS algorithms from the “pqm4” library. Currently, the schemes CRYSTALS-KYBER, SABER, NTRU, CRYSTALS-DILITHIUM, and FALCON are all implemented on the microcontroller. Additionally, a masked version of the CRYSTALS-KYBER decapsulation procedure was implemented and tested on the microcontroller. Multiple implementations exist for each scheme, including a clean reference implementation, the reference implementation submitted to NIST, an optimized implementation in plain C, and an implementation with Cortex-M4 specific optimizations. For our power analysis, the software traces were captured from the M4-optimized implementation. The library uses the PQClean API, which requires each scheme to implement three functions: KEMs implement key generation, encapsulation, and decapsulation (crypto_kem_keypair, crypto_kem_enc, crypto_kem_dec), and DS algorithms implement key generation, sign, and sign-open, i.e., verification (crypto_sign_keypair, crypto_sign, crypto_sign_open). Triggers were used to mark the start and end of these operations. Several binaries are available for each implementation, including test, speed, hashing, and stack binaries. The test binary was used to verify that the algorithms were implemented correctly: for KEMs, it checks that the same shared key is derived by both Alice and Bob; for signature schemes, it checks that the generated signature verifies correctly. Traces for each of the schemes were obtained during execution of the test binaries.

In addition, we are in the process of designing pure hardware implementations of PQC algorithms on FPGAs. Currently, we have completed the hardware implementation of the CRYSTALS-KYBER algorithm.

3.3.1. CRYSTALS-KYBER. We implemented the Kyber-512 variant on the FPGA, following Huang et al. [32]. The parameters for Kyber-512 are \( k = 2, n = 256, q = 3329 \), and \( \eta_2 = 2 \); the remaining parameters \( \eta_1, d_u, \) and \( d_v \) are positive integers. Let \( R_q = \mathbb{Z}_q[X]/(X^n + 1) \). \( M = \{0,1\}^n \) is the message space and \( m \in M \). \( \chi_\eta \) denotes the centered binomial distribution with parameter \( \eta \), and \( \chi_{n,\eta} \) the distribution over polynomials of degree \( n \) whose coefficients are sampled independently from \( \chi_\eta \) [33]. The functions Compress and Decompress are defined as follows, where \( \lceil \cdot \rfloor \) denotes rounding to the nearest integer:

\[ \text{Compress}_q(x, d) := \left\lceil \frac{2^d}{q} \cdot x \right\rfloor \bmod^{+} 2^d, \]

\[ \text{Decompress}_q(x, d) := \left\lceil \frac{q}{2^d} \cdot x \right\rfloor . \]

Algorithm 1: Kyber.INDCPA.KEYGEN

Input: \( (\rho, \sigma) \leftarrow \{0,1\}^{256} \times \{0,1\}^{256} \)
Result: return \( PK \leftarrow (\hat{t} \| \rho), SK \leftarrow \hat{s} \)
\[
\begin{aligned}
& \hat{A} \stackrel{\$}{\leftarrow} U(R_q^{k \times k}) \quad \text{(expanded from } \rho \text{, already in the NTT domain)} \\
& (s, e) \stackrel{\$}{\leftarrow} \chi_{n,\eta_1}^{k} \times \chi_{n,\eta_1}^{k} \quad \text{(expanded from } \sigma\text{)} \\
& \hat{s} \leftarrow \text{NTT}(s) \\
& \hat{e} \leftarrow \text{NTT}(e) \\
& \hat{t} \leftarrow \hat{A} \circ \hat{s} + \hat{e}
\end{aligned}
\]
Regarding probe placement on the FPGA board, the power consumption estimate shown in Figure 3, which was produced by the Vivado synthesis tool, was used to determine the best locations to probe. According to Figure 3, signals, logic, and BRAMs are likely to draw the most power. That circuitry is powered by the VCCINT, VCCAUX_IO, and VCCBRAM rails of the FPGA [26], [34], [35]. From our experiments, we noted that the power rails on the FPGA are not isolated from each other; hence it is difficult or impossible to guarantee the independent leakage assumption.

TABLE 2: Kyber-512 resource utilization on the VC707 FPGA.

| Resource | Available | Used   | Utilization (%) |
|----------|-----------|--------|-----------------|
| LUT      | 303600    | 168953 | 55.65           |
| FF       | 607200    | 143412 | 23.62           |
| BRAM     | 1030      | 264    | 25.63           |
| DSP      | 2800      | 53     | 1.89            |

Our implementation is designed around the AXI-Lite IP protocol to take advantage of the AXI bus for communication between host PC and the Kyber512 IP core, which is clocked at 100 MHz. The host PC is equipped with an Intel i7-8700 CPU clocked at 3.2GHz and 16 GB of system memory. A script on the host PC written in Ruby 3.0.0p0 communicates with a control program running on the FPGA’s Microblaze soft-core over UART. The control program is responsible for communicating inputs and outputs with the Kyber IP core.

For the purposes of measurement, two trigger signals are placed in the design, one to mark the beginning and the end of the algorithm and another to pick out specific sections of the algorithm like the Number Theoretic Transform (NTT) module. Trace collection is automated. The host PC is connected to the oscilloscope via the USB VISA interface. A Python script is responsible for configuring, arming, and capturing traces from the oscilloscope. The trigger signals from the FPGA enable trace capture when the oscilloscope is armed.

Algorithm 2: Kyber.INDCPA.ENC

Input: \( PK = (\hat{t} \| \rho) \)
Input: \( m \in M \)
Input: coins \( r \in \{0,1\}^{256} \)
Result: return \( c \leftarrow (c_1 \| c_2) \)
\[
\begin{aligned}
& \hat{A} \leftarrow U(R_q^{k \times k}) \quad \text{(re-expanded from } \rho\text{)} \\
& (r, e_1, e_2) \leftarrow \chi_{n,\eta_1}^{k} \times \chi_{n,\eta_2}^{k} \times \chi_{n,\eta_2} \quad \text{(expanded from the coins)} \\
& \hat{r} \leftarrow \text{NTT}(r) \\
& u \leftarrow \text{INTT}(\hat{A}^{T} \circ \hat{r}) + e_1 \\
& v \leftarrow \text{INTT}(\hat{t}^{T} \circ \hat{r}) + e_2 + \lceil q/2 \rfloor \cdot m \\
& c_1 \leftarrow \text{Compress}_q(u, d_u) \\
& c_2 \leftarrow \text{Compress}_q(v, d_v)
\end{aligned}
\]

Algorithm 3: Kyber.INDCPA.DEC

Input: \( SK = \hat{s} \)
Input: \( (c_1, c_2) \leftarrow c \)
Result: return \( m \in M \)
\[
\begin{aligned}
& u \leftarrow \text{Decompress}_q(c_1, d_u) \\
& v \leftarrow \text{Decompress}_q(c_2, d_v) \\
& m \leftarrow \text{Compress}_q\left(v - \text{INTT}(\hat{s}^{T} \circ \text{NTT}(u)),\, 1\right)
\end{aligned}
\]

Algorithm 4: Kyber.CCAKEM.ENC

Input: \( PK = (\hat{t} \| \rho) \)
Result: ciphertext \( c \leftarrow (c_1 \| c_2) \)
Result: shared key \( K \in \{0, 1\}^{256} \)
\[
\begin{aligned}
& m \stackrel{\$}{\leftarrow} \{0, 1\}^{256} \\
& m \leftarrow H(m) \\
& (\bar{K}, r) \leftarrow G(m \| H(PK)) \\
& c \leftarrow \text{Kyber.INDCPA.ENC}(PK, m, r) \\
& K \leftarrow H(\bar{K} \| H(c))
\end{aligned}
\]

Algorithm 5: Kyber.CCAKEM.DEC

Input: \( c \leftarrow (c_1 \| c_2) \)
Input: \( SK \leftarrow (\hat{s} \| PK \| h \| z) \), stored as one byte string
Result: shared key \( K \in \{0, 1\}^{256} \)
\[
\begin{aligned}
& PK \leftarrow SK + 13 \cdot k \cdot \tfrac{n}{8} \quad \text{(byte offset of the public key after } \hat{s}\text{)} \\
& h \leftarrow SK + (13 + d_t) \cdot k \cdot \tfrac{n}{8} + 32 \quad \text{(} h = H(PK) \in \{0, 1\}^{256}\text{)} \\
& z \leftarrow SK + (13 + d_t) \cdot k \cdot \tfrac{n}{8} + 64 \quad \text{(secret value for implicit rejection)} \\
& m' \leftarrow \text{Kyber.INDCPA.DEC}(\hat{s}, (c_1, c_2)) \\
& (\bar{K}', r') \leftarrow G(m' \| h) \\
& c' \leftarrow \text{Kyber.INDCPA.ENC}(PK, m', r') \\
& \textbf{if } c = c' \textbf{ then } K \leftarrow H(\bar{K}' \| H(c)) \\
& \textbf{else } K \leftarrow H(z \| H(c))
\end{aligned}
\]

In addition, two different software implementations of Kyber were analyzed: the Kyber-512 implementation provided by the “pqm4” repository, and a masked version of the Kyber-512 decryption based on work from Pessl and Prokop [36]. The latter was converted from C++ to C to interoperate with the “pqm4” software, and was selected because it features a masked decoder in the decryption. The primary motivation for this masking is to prevent the Fujisaki-Okamoto (FO) transformation from leaking information. The FO transformation is performed during decapsulation (the re-encryption and comparison in Algorithm 5) and has been found to leak information in schemes that do not use error correcting codes; it has been shown that through this leak a plaintext checking oracle can be instantiated [37]. It is therefore crucial that the masking actually defeats this attack, and any candidate that uses the FO transformation is similarly affected.
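The following Python is an added example, not the paper's FPGA or pqm4 code, covering two passages above: the Compress/Decompress definitions of Section 3.3.1 and the single-bit decoder Compress_q(·, 1) in Algorithm 3, which is the secret-dependent decision that the masked decoder discussed here protects. It uses the Kyber-512 values quoted in the text (q = 3329, n = 256), checks the round-trip error against the bound stated in the Kyber specification, and shows how much per-coefficient error a message bit tolerates before the decoder flips it. The bit-packing order and the error pattern used to exercise the decoder are assumptions made here.

```python
"""Compress_q / Decompress_q and the message decoder of Kyber.INDCPA.DEC.

Added example, not the paper's implementation. Parameters are the Kyber-512
values quoted in the text; the error pattern at the bottom is constructed.
"""

Q = 3329  # Kyber modulus
N = 256   # polynomial degree; a message is N bits = 32 bytes


def compress(x, d, q=Q):
    """Compress_q(x, d) = round(2^d / q * x) mod 2^d, rounding half up,
    computed in integers as floor((2^d x + (q-1)/2) / q) for odd q."""
    return ((((x % q) << d) + (q - 1) // 2) // q) % (1 << d)


def decompress(y, d, q=Q):
    """Decompress_q(y, d) = round(q / 2^d * y), rounding half up."""
    return (q * y + (1 << (d - 1))) >> d


def centered_mod(x, q=Q):
    """Representative of x mod q in [-(q-1)/2, (q-1)/2] (x mod± q)."""
    r = x % q
    return r - q if r > q // 2 else r


def error_bound(d, q=Q):
    """B_q = round(q / 2^(d+1)): the specification's bound on
    |Decompress_q(Compress_q(x, d), d) - x mod± q|."""
    return (q + (1 << d)) >> (d + 1)


def max_roundtrip_error(d, q=Q):
    """Exhaustively measure the round-trip error over all of Z_q."""
    return max(abs(centered_mod(decompress(compress(x, d), d) - x))
               for x in range(q))


def encode_bit(m):
    """Message bit -> coefficient: Decompress_q(m, 1) = m * round(q/2)."""
    return decompress(m & 1, 1)


def decode_bit(w):
    """The decoder of Algorithm 3: Compress_q(w, 1) is 1 exactly when w is
    closer to q/2 than to 0 (mod q). Evaluated on v - s^T u, this is the
    secret-dependent decision a masked decoder has to protect."""
    return compress(w, 1)


def msg_to_poly(msg):
    """32 message bytes -> 256 coefficients (bit i of byte i//8, LSB first;
    packing order is an assumption of this example)."""
    assert len(msg) == N // 8
    return [encode_bit((msg[i // 8] >> (i % 8)) & 1) for i in range(N)]


def poly_to_msg(w):
    """256 coefficients -> 32 message bytes via decode_bit per coefficient."""
    assert len(w) == N
    out = bytearray(N // 8)
    for i, coeff in enumerate(w):
        out[i // 8] |= decode_bit(coeff) << (i % 8)
    return bytes(out)


if __name__ == "__main__":
    for d in (1, 4, 10):
        print(f"d={d:2d}: max round-trip error {max_roundtrip_error(d)} "
              f"<= bound {error_bound(d)}")
    # A coefficient decodes to the intended bit while the accumulated error
    # keeps it closer to that bit's encoding than to the other (roughly
    # |e| < q/4 ~ 832). Bit 0 survives +832 and flips at +833.
    print(decode_bit(encode_bit(0) + 832), decode_bit(encode_bit(0) + 833))
```

Because q is odd, the encoding of bit 1 is round(q/2) = 1665 rather than q/2 exactly, so the tolerated error is not perfectly symmetric around each encoding; the exhaustive round-trip check above is the reliable way to confirm a given parameter set against the stated bound rather than reasoning about individual edge cases.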

The power traces of the non-masked Kyber-512 software implementation are illustrated in Figures 5a and 5b. Figure 4 shows the preliminary result of the non-specific t-test for Kyber-512 on the FPGA. The result was obtained from 4000 traces (2000 fixed-input traces vs. 2000 random-input traces). A control experiment with fixed vs. fixed inputs, which we expected to show no leakage, was set up alongside it. Another experiment with fixed vs. random inputs was also set up to identify the

(a) VCCBRAM(I) - Result of fixed vs. fixed TVLA control test. (b) VCCBRAM(I) - Result from fixed vs. random TVLA. Traces were measured from current output of VCCBRAM power rail.

(c) VCCAUX_IO(I) - Result of fixed vs. fixed TVLA control test. (d) VCCAUX_IO(I) - Result of fixed vs. random TVLA. Power traces were measured from current output of VCCAUX_IO power rail.

Figure 4: The results of non-specific Test Vector Leakage Assessment for Kyber-512 on Xilinx Virtex-7 FPGA platform. The x-axis shows time in seconds. Yellow and green lines are digital trigger signals.

The current draw outputs of the VCCBRAM and VCCAUX_IO rails were selected for measurement because they appeared to draw the most power.

3.3.2. A Few Other PQC Algorithms. Figure 5 also includes the power traces of two other Round 3 finalists, SABER and NTRU. SABER is an LWR-based KEM. The NTRU implementation is “ntruhps2048509”. In addition, the power trace of the signature scheme CRYSTALS-DILITHIUM is shown in Figure 6. We are working on masked implementations of these algorithms, after which we will evaluate their security robustness based on power analysis.

4. Conclusions

Power-based side channel attacks can be used to reveal leakage from implementations of cryptographic algorithms. Therefore, it is critical to perform a thorough power analysis on implementations of the Round 3 PQC finalists and alternate candidates to evaluate their security robustness. In this work, we have built a multi-target and multi-tool platform to collect power traces from both hardware and software implementations of PQC algorithms using an oscilloscope and a commodity ChipWhisperer-Lite. This platform gives us the capability to perform power analysis of PQC algorithms based on Test Vector Leakage Assessment (TVLA).

Given the traces from both fixed and random inputs on the hardware implementation of Kyber-512, TVLA has shown the presence of some leakage at two locations on the traces. We are in the process of applying TVLA on hardware and software implementations of other Round 3 PQC algorithms to demonstrate the presence of leakages and identify their specific sources.

Acknowledgment

This work was supported in part by NIST Award 60NANB20D016. We would also like to thank Daniel Apon of NIST for his help with project discussion and manuscript writing.

References


