You are looking at a specific version 20210928:183027 of this paper.

Paper 2021/1307

In-depth Analysis of Side-Channel Countermeasures for CRYSTALS-Kyber Message Encoding on ARM Cortex-M4

Hauke Malte Steffen and Lucie Johanna Kogelheide and Timo Bartkewitz

Abstract

A variety of post-quantum cryptographic schemes are currently undergoing standardization in the National Institute of Standards and Technology's post-quantum cryptography standardization process. It is well known from classical cryptography that actual implementations of cryptographic schemes can be attacked by exploiting side channels, e.g. timing behavior, power consumption or electromagnetic emanation. Although several of the reference implementations currently in the third and final standardization round are, to some extent, implemented in constant time, resistance against other side channels is not yet taken into account. Implementing sufficient countermeasures, however, is challenging. We therefore examine CRYSTALS-Kyber as an example; it is a lattice-based key encapsulation mechanism currently considered as a candidate for standardization. By analyzing the power-consumption side channel during message encoding, we develop four further implementations and compare six implementations in total with an increasing degree of countermeasures. We show that introducing randomization countermeasures is crucial: all examined implementations that aim to reduce leakage only by minimizing the Hamming distance of the processed intermediate values are vulnerable to single-trace attacks when implemented on an ARM Cortex-M4.
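As an added illustration (not the paper's code, and not one of the six implementations it compares), the following Python follows the public Kyber specification's message encoding (poly_frommsg) and decoding (poly_tomsg), exposes the bit-dependent 16-bit mask whose Hamming weight is 0 or 16 under a Hamming-weight leakage model, and shows one simple randomization countermeasure, processing the 256 bits in a shuffled order; the shuffled variant is assumed here for illustration only and is not a claim about the paper's countermeasures.

```python
# Added example (not the paper's code): Kyber message encoding as in the
# public specification, the leaky per-bit mask, and an illustrative
# shuffled-order variant as one form of randomization countermeasure.
import secrets

KYBER_Q = 3329
HALF_Q = (KYBER_Q + 1) // 2      # 1665: coefficient that encodes a 1-bit
KYBER_N = 256                    # one 32-byte message = 256 coefficients


def msg_bits(msg: bytes) -> list[int]:
    """Bit j of byte i becomes coefficient 8*i + j (spec ordering)."""
    assert len(msg) == 32
    return [(msg[i] >> j) & 1 for i in range(32) for j in range(8)]


def encode_reference(msg: bytes) -> list[int]:
    """Spec-style encoding: mask = -bit (0x0000 or 0xFFFF), coeff = mask & HALF_Q."""
    coeffs = []
    for bit in msg_bits(msg):
        mask = (-bit) & 0xFFFF    # 16-bit two's complement, as on the Cortex-M4
        coeffs.append(mask & HALF_Q)
    return coeffs


def mask_hamming_weights(msg: bytes) -> list[int]:
    """Hamming weight of each per-bit mask: 0 for a 0-bit, 16 for a 1-bit.
    Under a Hamming-weight power model this gap is what a single trace exposes."""
    return [bin((-bit) & 0xFFFF).count("1") for bit in msg_bits(msg)]


def encode_shuffled(msg: bytes, rng=None) -> list[int]:
    """Same output as encode_reference, but bits are processed in a random
    order (Fisher-Yates), so a bit's position in the trace is randomized."""
    rng = rng or secrets.SystemRandom()
    bits = msg_bits(msg)
    order = list(range(KYBER_N))
    for i in range(KYBER_N - 1, 0, -1):
        j = rng.randrange(i + 1)
        order[i], order[j] = order[j], order[i]
    coeffs = [0] * KYBER_N
    for idx in order:
        coeffs[idx] = ((-bits[idx]) & 0xFFFF) & HALF_Q
    return coeffs


def decode(coeffs: list[int]) -> bytes:
    """Spec-style poly_tomsg: round 2*coeff/q to recover each bit."""
    out = bytearray(32)
    for k, c in enumerate(coeffs):
        bit = (((c << 1) + KYBER_Q // 2) // KYBER_Q) & 1
        out[k // 8] |= bit << (k % 8)
    return bytes(out)
```

Shuffling only hides which bit is processed when; it does not change the 0-vs-16 Hamming-weight gap of the mask itself, which is why mask_hamming_weights is unchanged by it.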

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published elsewhere. CARDIS2021
Keywords
Post-Quantum Cryptography, NIST Competition, Message Encoding, CRYSTALS-Kyber, Side-Channel Analysis
Contact author(s)
l kogelheide @ tuvit de
History
2021-09-28: received
Short URL
https://ia.cr/2021/1307
License
Creative Commons Attribution
CC BY