Paper 2025/1956
A Chosen-Ciphertext Side-Channel Attack on Shuffled CRYSTALS-Kyber
Abstract
The NIST Post-Quantum Cryptography (PQC) standardization has entered its fourth round, underscoring the critical importance of addressing side-channel attacks (SCA), a dominant threat in real-world cryptographic implementations, especially on embedded devices. This paper presents a novel chosen-ciphertext side-channel attack against CRYSTALS-Kyber (standardized as ML-KEM) implementations with Fisher-Yates shuffled polynomial reduction. We propose an efficient and fault-tolerant key recovery algorithm that, by crafting malicious ciphertexts, induces changes in the Hamming weight distribution of an intermediate polynomial's coefficients (the output of the shuffled polynomial reduction during decapsulation), enabling recovery of secret key coefficients from these changes. To ensure robustness, we propose an error-correction strategy that leverages the Hamming weight classifier's behavior to constrain and shrink the correction search space, maintaining effectiveness even with less accurate classifiers or in low-SNR environments. A Multi-Layer Perceptron (MLP) is employed for Hamming weight classification from side-channel traces, achieving 97.11% accuracy. We combine statistical analysis with explainable deep learning for precise trace segmentation during pre-processing. Experimental results demonstrate full key recovery with only an average of $10 + 354 \times 3$ ciphertext queries and a success rate of 97.98%, reducing the adversarial effort by 95.36% compared to contemporary bit-flip techniques. Although shuffling aims to disrupt temporal correlations, our results show that statistical features persist and leak through shuffled implementations. This work reveals enduring SCA risks in shuffled implementations and informs a broader reassessment of PQC side-channel resilience.
Metadata
- Available format(s)
-
PDF
- Category
- Attacks and cryptanalysis
- Publication info
- Preprint.
- Keywords
- Public-key cryptographypost-quantum cryptographyCRYSTALS-Kyberside-channel attackpolynomial reductionshuffle
- Contact author(s)
-
floyd haozhang @ zju edu cn
lucas zw ye @ zju edu cn
tengwang0318 @ gmail com
zhang_ym_b @ zju edu cn
wang_tianyu @ zju edu cn
wangchengxuan @ zju edu cn
huangkejie @ zju edu cn - History
- 2025-10-21: last of 2 revisions
- 2025-10-20: received
- See all versions
- Short URL
- https://ia.cr/2025/1956
- License
-
CC BY-NC
BibTeX
@misc{cryptoeprint:2025/1956,
author = {Hao Zhang and Zewen Ye and Teng Wang and Yuanming Zhang and Tianyu Wang and Chengxuan Wang and Kejie Huang},
title = {A Chosen-Ciphertext Side-Channel Attack on Shuffled {CRYSTALS}-Kyber},
howpublished = {Cryptology {ePrint} Archive, Paper 2025/1956},
year = {2025},
url = {https://eprint.iacr.org/2025/1956}
}