Paper 2023/1587
A Single-Trace Message Recovery Attack on a Masked and Shuffled Implementation of CRYSTALS-Kyber
Abstract
Last year CRYSTALS-Kyber was chosen by NIST as a new, post-quantum secure key encapsulation mechanism to be standardized. This makes it important to assess the resistance of CRYSTALS-Kyber implementations to physical attacks. Pure side-channel attacks on post-quantum cryptographic algorithms have already been well-explored. In this paper, we present an attack on a masked and shuffled software implementation of CRYSTALS-Kyber that combines fault injection with side-channel analysis. First, a voltage fault injection is performed to bypass the shuffling. We found settings that consistently glitch the desired instructions without crashing the device. After the successful fault injection, a deep learning-assisted profiled power analysis based on the Hamming weight leakage model is used to recover the message (shared key). We propose a partial key enumeration method that allows us to significantly increase the success rate of message recovery (from 0.122 without enumeration to 0.887 with 32 enumerated bits).
Metadata
- Available format(s)
-
PDF
- Category
- Attacks and cryptanalysis
- Publication info
- Preprint.
- Keywords
- Fault injectionSide-channel attackCRYSTALS-KyberML-KEMPost-quantum cryptography
- Contact author(s)
-
jendral @ kth se
kngo @ kth se
ruize @ kth se
dubrova @ kth se - History
- 2023-10-13: approved
- 2023-10-13: received
- See all versions
- Short URL
- https://ia.cr/2023/1587
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2023/1587,
author = {Sönke Jendral and Kalle Ngo and Ruize Wang and Elena Dubrova},
title = {A Single-Trace Message Recovery Attack on a Masked and Shuffled Implementation of CRYSTALS-Kyber},
howpublished = {Cryptology ePrint Archive, Paper 2023/1587},
year = {2023},
note = {\url{https://eprint.iacr.org/2023/1587}},
url = {https://eprint.iacr.org/2023/1587}
}
