Chosen Ciphertext k-Trace Attacks on Masked CCA2 Secure Kyber

Mike Hamburg; Julius Hermelink; Robert Primas; Simona Samardjiska; Thomas Schamberger; Silvan Streit; Emanuele Strieder; Christine van Vredendaal

Paper 2021/956

Chosen Ciphertext k-Trace Attacks on Masked CCA2 Secure Kyber

Mike Hamburg, Julius Hermelink, Robert Primas, Simona Samardjiska, Thomas Schamberger, Silvan Streit, Emanuele Strieder, and Christine van Vredendaal

Abstract

Single-trace attacks are a considerable threat to implementations of classic public-key schemes, and their implications on newer lattice-based schemes are still not well understood. Two recent works have presented successful single-trace attacks targeting the Number Theoretic Transform (NTT), which is at the heart of many lattice-based schemes. However, these attacks either require a quite powerful side-channel adversary or are restricted to specific scenarios such as the encryption of ephemeral secrets. It is still an open question if such attacks can be performed by simpler adversaries while targeting more common public-key scenarios. In this paper, we answer this question positively. First, we present a method for crafting ring/module-LWE ciphertexts that result in sparse polynomials at the input of inverse NTT computations, independent of the used private key. We then demonstrate how this sparseness can be incorporated into a side-channel attack, thereby significantly improving noise resistance of the attack compared to previous works. The effectiveness of our attack is shown on the use-case of CCA2 secure Kyber $k$-module-LWE, where $k\in\{2,3,4\}$. Our $k$-trace attack on the long-term secret can handle noise up to a $\sigma \leq 1.2$ in the noisy Hamming weight leakage model, also for masked implementations. A $2k$-trace variant for Kyber1024 even allows noise $\sigma \leq 2.2$ also in the masked case, with more traces allowing us to recover keys up to $\sigma \leq 2.7$. Single-trace attack variants have a noise tolerance depending on the Kyber parameter set, ranging from $\sigma \leq 0.5$ to $\sigma \leq 0.7$. As a comparison, similar previous attacks in the masked setting were only successful with $\sigma \leq 0.5$.

Note: Author list in alphabetical order.

Metadata

Available format(s): PDF
Category: Public-key cryptography
Publication info: Published by the IACR in TCHES 2021
Keywords: Kyber NTT belief propagation side-channel attack CCA BKZ
Contact author(s): mhamburg @ rambus com
julius hermelink @ unibw de
robert primas @ iaik tugraz at
simonas @ cs ru nl
t schamberger @ tum de
silvan streit @ aisec fraunhofer de
emanuele strieder @ aisec fraunhofer de
christine cloostermans @ nxp com
History: 2021-07-22: received
Short URL: https://ia.cr/2021/956
License: CC BY

BibTeX

@misc{cryptoeprint:2021/956,
      author = {Mike Hamburg and Julius Hermelink and Robert Primas and Simona Samardjiska and Thomas Schamberger and Silvan Streit and Emanuele Strieder and Christine van Vredendaal},
      title = {Chosen Ciphertext k-Trace Attacks on Masked CCA2 Secure Kyber},
      howpublished = {Cryptology ePrint Archive, Paper 2021/956},
      year = {2021},
      note = {\url{https://eprint.iacr.org/2021/956}},
      url = {https://eprint.iacr.org/2021/956}
}