Paper 2022/1713

Breaking a Fifth-Order Masked Implementation of CRYSTALS-Kyber by Copy-Paste

Elena Dubrova, Royal Institute of Technology
Kalle Ngo, Royal Institute of Technology
Joel Gärtner

CRYSTALS-Kyber has been selected by the NIST as a public-key encryption and key encapsulation mechanism to be standardized. It is also included in the NSA's suite of cryptographic algorithms recommended for national security systems. This makes it important to evaluate the resistance of CRYSTALS-Kyber's implementations to side-channel attacks. The unprotected and first-order masked software implementations have been already analysed. In this paper, we present deep learning-based message recovery attacks on the $\omega$-order masked implementations of CRYSTALS-Kyber in ARM Cortex-M4 CPU for $\omega \leq 5$. The main contribution is a new neural network training method called recursive learning. In the attack on an $\omega$-order masked implementation, we start training from an artificially constructed neural network $M^{\omega}$ whose weights are partly copied from a model $M^{\omega-1}$ trained on the $(\omega-1)$-order masked implementation, and then extended to one more share. Such a method allows us to train neural networks that can recover a message bit with the probability above 99% from high-order masked implementations.

Available format(s)
Public-key cryptography
Publication info
Post-quantum cryptography CRYSTALS-Kyber side-channel attack masking
Contact author(s)
dubrova @ kth se
kngo @ kth se
jgartner @ kth se
2022-12-13: approved
2022-12-10: received
See all versions
Short URL
Creative Commons Attribution


      author = {Elena Dubrova and Kalle Ngo and Joel Gärtner},
      title = {Breaking a Fifth-Order Masked Implementation of CRYSTALS-Kyber by Copy-Paste},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1713},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.