Paper 2022/919

Side-Channel Attacks on Lattice-Based KEMs Are Not Prevented by Higher-Order Masking

Kalle Ngo, KTH Royal Institute of Technology
Ruize Wang, KTH Royal Institute of Technology
Elena Dubrova, KTH Royal Institute of Technology
Nils Paulsrud, KTH Royal Institute of Technology

In this paper, we present the first side-channel attack on a higher-order masked implementation of an IND-CCA secure lattice-based key encapsulation mechanism (KEM). Our attack exploits a vulnerability that we discovered in the procedure for arithmetic-to-Boolean conversion. Using Saber KEM as an example, we demonstrate successful message and secret key recovery attacks on the second- and third-order masked implementations running on a different device than the one used for profiling. In our experiments, we use the latest publicly available higher-order masked implementation of Saber KEM, in which all known vulnerabilities are patched. The presented approach is not specific to Saber and can potentially be applied to other lattice-based PKE and KEM algorithms, including CRYSTALS-Kyber, which was recently selected for standardization by NIST.

Category: Attacks and cryptanalysis
Keywords: Public-key cryptography, Post-quantum cryptography, Saber KEM, LWE/LWR-based KEM, Side-channel attack, Power analysis
Contact author(s):
kngo @ kth se
ruize @ kth se
dubrova @ kth se
nilspa @ kth se
History:
2022-07-14: received
2022-07-14: approved
License: Creative Commons Attribution


BibTeX:
@misc{cryptoeprint:2022/919,
      author = {Kalle Ngo and Ruize Wang and Elena Dubrova and Nils Paulsrud},
      title = {Side-Channel Attacks on Lattice-Based KEMs Are Not Prevented by Higher-Order Masking},
      howpublished = {Cryptology ePrint Archive, Paper 2022/919},
      year = {2022},
      note = {\url{}},
      url = {}
}