TY - JOUR
T1 - Magnifying Side-Channel Leakage of Lattice-Based Cryptosystems with Chosen Ciphertexts: The Case Study of Kyber
AU - Xu, Zhuang
AU - Pemberton, Owen
AU - Sinha Roy, Sujoy
AU - Oswald, David
AU - Yao, Wang
AU - Zheng, Zhiming
PY - 2021/10/27
Y1 - 2021/10/27
N2 - Lattice-based cryptography, as an active branch of post-quantum cryptography (PQC), has drawn great attention from side-channel analysis researchers in recent years. Despite the various side-channel targets examined in previous studies, how to reveal the secret-dependent information efficiently is less well studied. In this paper, we propose adaptive EM side-channel attacks with carefully constructed ciphertexts on Kyber, a finalist in the NIST PQC standardization project. We demonstrate that specially chosen ciphertexts allow an adversary to modulate the leakage of a target device and enable full key extraction with a small number of traces through simple power analysis. Compared to prior research, our techniques require fewer traces and avoid building complex templates. We practically evaluate our methods using both a reference implementation and the ARM-specific implementation in the pqm4 library. For the reference implementation, we target the leakage of the output of the inverse NTT computation and recover the full key with only four traces. For the pqm4 implementation, we develop a message-recovery attack that leads to extraction of the full secret key with between eight and 960 traces, depending on the compiler optimization level. We discuss the relevance of our findings to other lattice-based schemes and explore potential countermeasures.
AB - Lattice-based cryptography, as an active branch of post-quantum cryptography (PQC), has drawn great attention from side-channel analysis researchers in recent years. Despite the various side-channel targets examined in previous studies, how to reveal the secret-dependent information efficiently is less well studied. In this paper, we propose adaptive EM side-channel attacks with carefully constructed ciphertexts on Kyber, a finalist in the NIST PQC standardization project. We demonstrate that specially chosen ciphertexts allow an adversary to modulate the leakage of a target device and enable full key extraction with a small number of traces through simple power analysis. Compared to prior research, our techniques require fewer traces and avoid building complex templates. We practically evaluate our methods using both a reference implementation and the ARM-specific implementation in the pqm4 library. For the reference implementation, we target the leakage of the output of the inverse NTT computation and recover the full key with only four traces. For the pqm4 implementation, we develop a message-recovery attack that leads to extraction of the full secret key with between eight and 960 traces, depending on the compiler optimization level. We discuss the relevance of our findings to other lattice-based schemes and explore potential countermeasures.
KW - chosen-ciphertext attack
KW - Computers
KW - Cryptography
KW - Elliptic curve cryptography
KW - Kyber
KW - Lattice-based cryptography
KW - Quantum computing
KW - Resistance
KW - Search problems
KW - side-channel analysis
KW - Side-channel attacks
UR - http://www.scopus.com/inward/record.url?scp=85118577862&partnerID=8YFLogxK
U2 - 10.1109/TC.2021.3122997
DO - 10.1109/TC.2021.3122997
M3 - Article
SN - 1557-9956
JO - IEEE Transactions on Computers
JF - IEEE Transactions on Computers
ER -