Paper 2023/1781

A Lattice Attack on CRYSTALS-Kyber with Correlation Power Analysis

Yen-Ting Kuo, University of Tokyo
Atsushi Takayasu, University of Tokyo

CRYSTALS-Kyber is a key-encapsulation mechanism, whose security is based on the hardness of solving the learning-with-errors (LWE) problem over module lattices. As in its specification, Kyber prescribes the usage of the Number Theoretic Transform (NTT) for efficient polynomial multiplication. Side-channel assisted attacks against Post-Quantum Cryptography (PQC) algorithms like Kyber remain a concern in the ongoing standardization process of quantum-computer-resistant cryptosystems. Among the attacks, correlation power analysis (CPA) is emerging as a popular option because it does not require detailed knowledge about the attacked device and can reveal the secret key even if the recorded power traces are extremely noisy. In this paper, we present a two-step attack to achieve a full-key recovery on lattice-based cryptosystems that utilize NTT for efficient polynomial multiplication. First, we use CPA to recover a portion of the secret key from the power consumption of these polynomial multiplications in the decryption process. Then, using the information, we are able to fully recover the secret key by constructing an LWE problem with a smaller lattice rank and solving it with lattice reduction algorithms. Our attack can be expanded to other cryptosystems using NTT-based polynomial multiplication, including Saber. It can be further parallelized and experiments on simulated traces show that the whole process can be done within 20 minutes on a 16-core machine with 200 traces. Compared to other CPA attacks targeting NTT in the cryptosystems, our attack achieves lower runtime in practice. Furthermore, we can theoretically decrease the number of traces needed by using lattice reduction if the same measurement is used. Our lattice attack also outperforms the state-of-the-art result on integrating side-channel hints into lattices, however, the improvement heavily depends on the implementation of the NTT chosen by the users.

Available format(s)
Attacks and cryptanalysis
Publication info
Published elsewhere. ICISC 2023
CRYSTALS-Kyberlatticeside-channel attacknumber theoretic transform
Contact author(s)
kuruwakuo @ g ecc u-tokyo ac jp
takayasu-a @ g ecc u-tokyo ac jp
2023-11-25: revised
2023-11-17: received
See all versions
Short URL
Creative Commons Attribution


      author = {Yen-Ting Kuo and Atsushi Takayasu},
      title = {A Lattice Attack on CRYSTALS-Kyber with Correlation Power Analysis},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1781},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.