Breaking DPA-protected Kyber via the pair-pointwise multiplication
Result identifiers
Result code in IS VaVaI
<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F00216224%3A14330%2F24%3A00135460" target="_blank" >RIV/00216224:14330/24:00135460 - isvavai.cz</a>
Result on the web
<a href="http://dx.doi.org/10.1007/978-3-031-54773-7_5" target="_blank" >http://dx.doi.org/10.1007/978-3-031-54773-7_5</a>
DOI - Digital Object Identifier
<a href="http://dx.doi.org/10.1007/978-3-031-54773-7_5" target="_blank" >10.1007/978-3-031-54773-7_5</a>
Alternative languages
Language of the result
English
Title in original language
Breaking DPA-protected Kyber via the pair-pointwise multiplication
Description in original language
We introduce a novel template attack for secret-key recovery in Kyber that leverages side-channel information from the polynomial multiplication performed during decapsulation. Conceptually, the attack exploits the fact that Kyber's incomplete number-theoretic transform (NTT) causes each secret coefficient to be used multiple times, unlike a complete NTT, whose pointwise multiplication uses each coefficient once. It is a single-trace, known-ciphertext attack that avoids machine-learning techniques and relies on correlation matching only. Our template-generation method is simple and easy to replicate, and we describe several attack strategies that differ in the number of templates they require. The attack applies both to masked implementations and to designs with multiplication shuffling. We demonstrate its effectiveness against a masked implementation from the mkm4 repository. We first perform simulations in the noisy Hamming-weight model and achieve high success rates with just 13316 templates while tolerating noise up to σ=0.3. In a practical setup, we measure power consumption and find that the attack falls short of expectations; however, we introduce an extension inspired by known online template attacks that lets us recover 128 coefficient pairs from a single polynomial multiplication. Our results provide evidence that the incomplete NTT used in Kyber-768 and similar schemes introduces an additional side-channel weakness that merits further exploration.
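The structural point of the abstract, that Kyber's incomplete NTT leaves a pair-pointwise ("base") multiplication in which every secret coefficient meets the ciphertext in two scalar products rather than one, can be made concrete in a few lines. The following is an added illustration, not code from the paper or from the mkm4 repository: the modulus and the basemul formula follow the Kyber specification, while the Hamming-weight-of-the-reduced-product leakage model, the Gaussian noise, the `zeta` value, the toy secret and ciphertext pair, and the candidate-filtering step are constructed assumptions used only to count how many secret values remain consistent with one versus two leakage points per coefficient. It does not reproduce the paper's template construction or its online-template extension.

```python
import random

KYBER_Q = 3329  # Kyber modulus, from the specification


def hw(x):
    """Hamming weight of a non-negative integer."""
    return bin(x).count("1")


def basemul(a, b, zeta):
    """Pair-pointwise multiplication of one coefficient pair, as Kyber's
    incomplete NTT requires: (a0 + a1 X)(b0 + b1 X) mod (X^2 - zeta), mod q.

    Returns the result pair and the scalar products computed on the way,
    each tagged with the index (0 or 1) of the coefficient of `a` it uses.
    With `a` the secret and `b` the known ciphertext, every secret
    coefficient enters two products; a complete NTT would multiply it once.
    """
    a0, a1 = a
    b0, b1 = b
    products = [
        (0, (a0 * b0) % KYBER_Q),  # a0 * b0
        (1, (a1 * b1) % KYBER_Q),  # a1 * b1, scaled by zeta below
        (0, (a0 * b1) % KYBER_Q),  # a0 * b1
        (1, (a1 * b0) % KYBER_Q),  # a1 * b0
    ]
    r0 = (products[0][1] + products[1][1] * zeta) % KYBER_Q
    r1 = (products[2][1] + products[3][1]) % KYBER_Q
    return (r0, r1), products


def uses_per_secret_coefficient(products):
    """How many scalar products each secret coefficient participates in."""
    counts = {}
    for idx, _ in products:
        counts[idx] = counts.get(idx, 0) + 1
    return counts


def noisy_hw_leakage(products, sigma, rng):
    """Constructed leakage model (assumption): Hamming weight of each reduced
    product plus Gaussian noise N(0, sigma)."""
    return [(idx, hw(p) + rng.gauss(0.0, sigma)) for idx, p in products]


def consistent_candidates(ciphertext, observed, secret_idx, n_points, tol=0.5):
    """Secret values in [0, q) whose predicted Hamming weights match the
    first `n_points` observations attributed to coefficient `secret_idx`.

    n_points=1 models the single product a complete NTT would expose;
    n_points=2 models the two products of the pair-pointwise multiplication.
    """
    c0, c1 = ciphertext
    # product order in basemul(): coefficient 0 meets c0 then c1,
    # coefficient 1 meets c1 then c0
    multipliers = ([c0, c1] if secret_idx == 0 else [c1, c0])[:n_points]
    obs = [leak for idx, leak in observed if idx == secret_idx][:n_points]
    survivors = []
    for s in range(KYBER_Q):
        preds = [hw((s * m) % KYBER_Q) for m in multipliers]
        if all(abs(p - o) <= tol for p, o in zip(preds, obs)):
            survivors.append(s)
    return survivors


def demo(secret=(1234, 3000), ciphertext=(17, 2999), zeta=17, sigma=0.0, seed=1):
    """Leak one pair-pointwise multiplication (toy values, assumed) and count
    the candidates for secret coefficient 0 left by one versus two
    Hamming-weight observations."""
    rng = random.Random(seed)
    _, products = basemul(secret, ciphertext, zeta)
    observed = noisy_hw_leakage(products, sigma, rng)
    one = consistent_candidates(ciphertext, observed, 0, n_points=1)
    two = consistent_candidates(ciphertext, observed, 0, n_points=2)
    return {
        "uses": uses_per_secret_coefficient(products),
        "candidates_complete_ntt": len(one),
        "candidates_pair_pointwise": len(two),
        "true_secret_survives": secret[0] in two,
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script, `demo()` reports that each secret coefficient enters two products and that the second observation prunes the candidate set well below what a single pointwise product leaves. Raising `sigma` (the abstract's simulations tolerate up to 0.3) lets the correct value drop out of the tolerance window, which is the noise regime where real templates and correlation matching, rather than this exact-match filter, are needed.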
Title in English
Breaking DPA-protected Kyber via the pair-pointwise multiplication
Classification
Type
D - Article in conference proceedings
CEP field
—
OECD FORD field
10201 - Computer sciences, information science, bioinformatics (hardware development to be 2.2, social aspect to be 5.8)
Result linkages
Project
—
Linkages
S - Specific research at universities
Other
Year of application
2024
Data confidentiality code
S - Complete and true data on the project are not subject to protection under special legal regulations
Data specific to the result type
Name of the proceedings
22nd International Conference on Applied Cryptography and Network Security, ACNS 2024
ISBN
9783031547720
ISSN
0302-9743
e-ISSN
1611-3349
Number of pages
30
Pages from-to
101-130
Publisher
Springer
Place of publication
Abu Dhabi
Event venue
Abu Dhabi, United Arab Emirates
Event date
1. 1. 2024
Event type by nationality
WRD - Worldwide event
Article UT WoS code
001206023700005