
An Improved Two-Step Attack on Lattice-Based Cryptography: A Case Study of Kyber

Kai Wang, Dejun Xu, Jing Tian

TL;DR

This work presents an efficient two-step side-channel attack on Kyber that combines a refined correlation power analysis (CPA) with a low-dimension lattice attack to recover the full secret key $\mathbf{s}$. By adopting a Modified Hamming Weight leakage model and an optional Kendall's $\tau$ refinement, the CPA step rapidly narrows the candidate coefficients using at most $15$ power traces per call, after which a trial-and-error lattice attack recovers the remaining coefficients via a reduced LWE problem solved with Kannan's embedding. Experimental results on Kyber-512/768/1024 (pqm4 implementations on an STM32 platform) demonstrate full key recovery in about $9$--$10$ minutes, using roughly $11$--$15$ traces per CPA call and a total of $\approx 660$--$900$ traces across $60$ CPA evaluations. The approach is general enough to extend to other lattice-based PQC schemes and highlights practical physical-security concerns for deployment, underscoring the need for masking, shuffling, or other protections at the algorithmic level, albeit with potential throughput and efficiency trade-offs.

Abstract

After three rounds of strict post-quantum cryptography (PQC) evaluations conducted by NIST, CRYSTALS-Kyber was successfully selected in July 2022 and standardized in August 2024. It becomes urgent to further evaluate Kyber's physical security for the upcoming deployment phase. In this brief, we present an improved two-step attack on Kyber to quickly recover the full secret key, s, by using much fewer power traces and less time. In the first step, we use the correlation power analysis (CPA) to obtain a portion of guess values of s with a small number of power traces. The CPA is enhanced by utilizing both Pearson and Kendall's rank correlation coefficients and modifying the leakage model to improve the accuracy. In the second step, we adopt the lattice attack to recover s based on the results of CPA. The success rate is largely built up by constructing a trial-and-error method. We deploy the reference implementations of Kyber-512, -768, and -1024 on an ARM Cortex-M4 target board and successfully recover s in approximately 9 to 10 minutes with at most 15 power traces, using a Xeon Gold 6342-equipped machine for the attack.
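The CPA step described in the TL;DR and the abstract (rank every candidate coefficient by how well a leakage hypothesis correlates with the measured traces, using Pearson's coefficient and Kendall's rank coefficient) is illustrated below with an added, self-contained Python example. It is not code from the paper or from pqm4. It assumes a plain Hamming-weight leakage of the intermediate (s*c) mod q in a basemul-style coefficient multiplication plus Gaussian noise (the paper's Modified Hamming Weight model is not reproduced), constructs the traces by simulation, and combines the two statistics in one plausible way (PCC shortlist, then Kendall's tau re-ranking); that combination is the example's choice, not necessarily the paper's.

```python
"""Correlation power analysis on a Kyber-style coefficient multiplication.

Added example (not the paper's or pqm4's code). One NTT-domain secret
coefficient s in Z_q is multiplied by known ciphertext coefficients c, as
in basemul. The simulated leakage is a plain Hamming weight of the
intermediate (s*c) mod q plus Gaussian noise; this is an assumption, the
paper's Modified Hamming Weight model is not reproduced here.
"""
import math
import random

Q = 3329  # Kyber modulus


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def simulate_traces(secret, num_traces=15, noise_sigma=0.0, seed=1):
    """Constructed traces: one leakage sample per known input coefficient c."""
    rng = random.Random(seed)
    inputs = [rng.randrange(Q) for _ in range(num_traces)]
    leak = [hamming_weight(secret * c % Q) + rng.gauss(0.0, noise_sigma)
            for c in inputs]
    return inputs, leak


def pearson(x, y):
    """Pearson correlation coefficient (PCC) between hypothesis and trace."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    dx = [a - mx for a in x]
    dy = [b - my for b in y]
    vx = sum(d * d for d in dx)
    vy = sum(d * d for d in dy)
    if vx == 0.0 or vy == 0.0:
        return 0.0  # a constant hypothesis or constant trace carries no information
    return sum(a * b for a, b in zip(dx, dy)) / math.sqrt(vx * vy)


def kendall_tau(x, y):
    """Kendall's tau-b rank correlation with tie correction (HW values tie often)."""
    conc = disc = only_x_tied = only_y_tied = 0
    n = len(x)
    for i in range(n):
        for j in range(i + 1, n):
            dx, dy = x[i] - x[j], y[i] - y[j]
            if dx == 0 and dy == 0:
                continue
            if dx == 0:
                only_x_tied += 1
            elif dy == 0:
                only_y_tied += 1
            elif (dx > 0) == (dy > 0):
                conc += 1
            else:
                disc += 1
    denom = math.sqrt((conc + disc + only_y_tied) * (conc + disc + only_x_tied))
    return 0.0 if denom == 0 else (conc - disc) / denom


def hypotheses(guess, inputs):
    """Predicted leakage for a guessed coefficient under the HW model."""
    return [hamming_weight(guess * c % Q) for c in inputs]


def rank_candidates(inputs, leak, score=pearson, candidates=range(Q)):
    """All candidates ordered by |score(hypothesis, trace)|, best first."""
    scored = sorted(((abs(score(hypotheses(g, inputs), leak)), g) for g in candidates),
                    reverse=True)
    return [g for _, g in scored]


def cpa_shortlist(inputs, leak, top_k=10):
    """Narrow Z_q to the top_k PCC candidates, then re-rank that shortlist by
    Kendall's tau. A rank statistic ignores the leakage scale, so it can demote
    PCC false positives whose ordering does not match the trace (example's
    own combination; the paper's exact use of both statistics is not reproduced)."""
    shortlist = rank_candidates(inputs, leak, pearson)[:top_k]
    return rank_candidates(inputs, leak, kendall_tau, shortlist)


def true_key_rank(ranked, secret):
    """1-based position of the true coefficient in a ranking (0 if absent)."""
    return ranked.index(secret) + 1 if secret in ranked else 0


if __name__ == "__main__":
    secret = 1234  # constructed secret coefficient
    for sigma in (0.0, 0.5):
        inputs, leak = simulate_traces(secret, num_traces=15, noise_sigma=sigma)
        pcc_rank = true_key_rank(rank_candidates(inputs, leak), secret)
        short = cpa_shortlist(inputs, leak)
        print(f"sigma={sigma}: PCC rank of s={secret}: {pcc_rank}, "
              f"shortlist={short}, refined rank={true_key_rank(short, secret)}")
```

With 15 noise-free traces the true coefficient is the unique candidate with |PCC| = 1; as the noise grows, the true coefficient slides down the PCC ranking and the shortlist is what a subsequent lattice step would have to enumerate over, which is the trial-and-error regime the paper describes.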

Paper Structure (10 sections, 6 equations, 6 figures, 2 tables)

Figures (6)

  • Figure 1: The architecture of the proposed two-step attack.
  • Figure 2: (a) and (b) present the PCC values for all guessed keys in a basemul call when $D = 15$, for the original and modified leakage models, respectively. (c) shows the $|\mathrm{PCC}|$ values for all guessed keys, while the blue curve in (d) illustrates the occurrence of false positives.
  • Figure 3: (a) and (b) present the PCC and Kendall's $\tau$ (Ken) results, respectively, for another basemul call when $D = 15$. Similarly, (c) and (d) show the PCC and Ken results for the same basemul call when $D = 11$.
  • Figure 4: The success rate and efficiency of our attack in twenty experiments.