Side-Channel Attack Against Masked Hardware Implementation of CRYSTALS-Kyber | Technical Leadership

40 min read Post-Quantum Cryptography

Table of Contents

Introduction

The transition to post-quantum cryptography represents one of the most significant shifts in modern cryptographic systems. As quantum computers continue to advance, the need for cryptographic algorithms resistant to quantum attacks becomes increasingly urgent. CRYSTALS-Kyber, selected by NIST as the primary key encapsulation mechanism (KEM) for post-quantum standardization, has emerged as a leading solution. However, even quantum-resistant algorithms remain vulnerable to implementation attacks, particularly side-channel attacks that exploit physical characteristics of hardware implementations.

Side-channel attacks target the physical implementation of cryptographic algorithms rather than their mathematical structure. These attacks exploit measurable information leakage such as power consumption, electromagnetic emanations, timing variations, or acoustic emissions to extract sensitive information. For secure elements and hardware security modules, power analysis attacks are particularly concerning as they can be executed with relatively inexpensive equipment and minimal invasiveness.

This article provides an in-depth technical analysis of a sophisticated side-channel attack against masked hardware implementations of CRYSTALS-Kyber. We will explore the mathematical foundations of Kyber, examine the principles of masking as a countermeasure, analyze the attack methodology using deep learning techniques, and discuss advanced countermeasures to protect against such attacks. The implications for the broader field of post-quantum cryptography implementation security will also be considered.

CRYSTALS-Kyber: Mathematical Foundations

CRYSTALS-Kyber is a lattice-based cryptographic algorithm that derives its security from the hardness of the module learning with errors (MLWE) problem. Understanding its mathematical foundations is essential for analyzing potential vulnerabilities in hardware implementations.

Lattice-Based Cryptography Principles

Lattice-based cryptography relies on the computational hardness of certain lattice problems. A lattice L is defined as a discrete additive subgroup of ℝⁿ. Formally, given linearly independent vectors b₁, b₂, ..., bₙ ∈ ℝⁿ (known as the basis), a lattice is defined as:

L(b₁, b₂, ..., bₙ) = {∑ᵢ₌₁ⁿ aᵢbᵢ | aᵢ ∈ ℤ}

The security of lattice-based cryptosystems is based on the hardness of problems such as:

  • Shortest Vector Problem (SVP): Find the shortest non-zero vector in a lattice.
  • Closest Vector Problem (CVP): Find the lattice vector closest to a given point in space.
  • Learning With Errors (LWE): Distinguish between random linear equations and those with small errors.

These problems are believed to be hard even for quantum computers, making lattice-based cryptography a promising candidate for post-quantum security.

The Module Learning With Errors Problem

The Module Learning With Errors (M-LWE) problem is a structured variant of the Learning With Errors (LWE) problem. It offers a balance between security and efficiency by working with modules over rings rather than arbitrary lattices.

The M-LWE problem can be expressed as:

(A, As + e) ≈ (A, b)

Where:

  • A is a randomly chosen matrix in Rqk×k
  • s is a secret vector in Rqk
  • e is a small error vector in Rqk
  • b is a uniformly random vector in Rqk

Here, Rq represents the ring Zq[X]/(Xn + 1), where n is a power of 2 (specifically n = 256 in Kyber), and q is a prime modulus (specifically q = 3329 in Kyber). The parameter k determines the module dimension and affects the security level and performance characteristics.

The hardness of the M-LWE problem is related to the worst-case hardness of certain problems on module lattices. This provides a strong theoretical foundation for the security of Kyber, as breaking the cryptosystem would imply solving problems that are believed to be computationally intractable even for quantum computers.

Key Operations in Kyber

Kyber's operations primarily involve polynomial arithmetic in the ring Rq = Zq[X]/(Xn + 1), where n = 256 and q = 3329. The core operations include:

  1. Polynomial Addition and Subtraction: Performed coefficient-wise modulo q.
  2. Polynomial Multiplication: Efficiently implemented using the Number Theoretic Transform (NTT), a variant of the Fast Fourier Transform adapted for finite fields.
  3. Sampling from Error Distributions: Typically using a centered binomial distribution to generate small polynomials.
  4. Compression and Decompression: Reducing the size of transmitted values by discarding some least significant bits, introducing controlled errors.

The centered binomial distribution with parameter η is defined as:

CBD_η = ∑ᵢ₌₀^(η-1) (b₂ᵢ - b₂ᵢ₊₁)

Where b₀, b₁, ..., b₂η₋₁ are independent uniform binary random variables.

This distribution approximates a discrete Gaussian distribution, which is theoretically optimal for lattice-based cryptography, while being more efficient and secure to implement.

Parameter Sets and Security Levels

Kyber defines three parameter sets with different security levels:

Parameter Set Module Dimension (k) Error Parameter (η₁) Error Parameter (η₂) Classical Security (bits) Quantum Security (bits) NIST Security Level
Kyber-512 2 3 2 ≈ 112 ≈ 103 1
Kyber-768 3 2 2 ≈ 178 ≈ 161 3
Kyber-1024 4 2 2 ≈ 238 ≈ 218 5

These parameter sets offer different trade-offs between security and performance. Kyber-512 provides security roughly equivalent to AES-128, Kyber-768 is comparable to AES-192, and Kyber-1024 offers security similar to AES-256.

The Kyber Protocol Specification

Key Generation Algorithm

The key generation algorithm produces a public key pk and a secret key sk:

Algorithm 1: Kyber.KeyGen()

  1. Sample a seed d ← {0,1}²⁵⁶ uniformly at random
  2. (ρ, σ) = G(d) where G is a hash function that expands d to 64 bytes
  3. Generate matrix A ∈ Rqk×k from ρ using an extendable output function
  4. Sample secret vector s ∈ Rqk from a centered binomial distribution with parameter η₁
  5. Sample error vector e ∈ Rqk from a centered binomial distribution with parameter η₁
  6. Compute t = As + e
  7. Public key: pk = (t, ρ)
  8. Secret key: sk = (s, pk, H(pk), z) where H is a hash function and z is random
  9. Return (pk, sk)

The Kyber public key generation process:

A ← Rqk×k
s ← βηk
e ← βηk
t := As + e
pk := (t, ρ)
sk := (s)

Where βη represents a centered binomial distribution with parameter η.

The inclusion of H(pk) and a random value z in the secret key is for the CCA-secure version of Kyber, which uses the Fujisaki-Okamoto transform to protect against chosen-ciphertext attacks.

Encapsulation Mechanism

The encapsulation algorithm takes a public key pk = (t, ρ) and produces a ciphertext c and a shared secret K:

Algorithm 2: Kyber.Encaps(pk)

  1. Sample m ← {0,1}²⁵⁶ uniformly at random
  2. (K̂, r) = G(m || H(pk)) where G is a hash function
  3. Generate matrix A ∈ Rqk×k from ρ
  4. Sample vector r ∈ Rqk from a centered binomial distribution with parameter η₁
  5. Sample error vector e₁ ∈ Rqk from a centered binomial distribution with parameter η₂
  6. Sample error e₂ ∈ Rq from a centered binomial distribution with parameter η₂
  7. Compute u = ATr + e₁
  8. Compute v = tTr + e₂ + ⌈q/2⌋·m (where m is encoded as a polynomial)
  9. Ciphertext: c = (u, v)
  10. Shared secret: K = KDF(K̂ || H(c)) where KDF is a key derivation function
  11. Return (c, K)

The encapsulation procedure can be summarized mathematically as:

u = A^T r + e₁
v = t^T r + e₂ + ⌈q/2⌋·m
c = (u, v)

The term ⌈q/2⌋·m effectively encodes each bit of m as either 0 or ⌈q/2⌋, making it possible to recover m despite the presence of small errors.

Decapsulation Procedure

The decapsulation algorithm takes a secret key sk = (s, pk, h, z) and a ciphertext c = (u, v) and outputs a shared secret K:

Algorithm 3: Kyber.Decaps(sk, c)

  1. Parse sk as (s, pk, h, z) and c as (u, v)
  2. Compute m' = Decompressq(v - sTu, 1)
  3. (K̂', r') = G(m' || h)
  4. Generate matrix A from pk
  5. Compute u' = ATr' + e₁'
  6. Compute v' = tTr' + e₂' + ⌈q/2⌋·m'
  7. If c = (u', v'), set K = KDF(K̂' || H(c))
  8. Otherwise, set K = KDF(z || H(c))
  9. Return K

The decapsulation procedure first attempts to recover the message m' by computing:

v - s^T u = t^T r + e₂ + ⌈q/2⌋·m - s^T(A^T r + e₁)
= (As + e)^T r + e₂ + ⌈q/2⌋·m - s^T A^T r - s^T e₁
= e^T r + e₂ - s^T e₁ + ⌈q/2⌋·m

Since e, r, e₁, e₂, and s all have small coefficients, the term eTr + e₂ - sTe₁ is also small compared to ⌈q/2⌋, allowing for correct recovery of m through the Decompress function.

The re-encryption step (computing u' and v') and comparison with the original ciphertext provides implicit authentication and protection against chosen-ciphertext attacks.

Polynomial Arithmetic and NTT

Efficient implementation of polynomial multiplication is crucial for Kyber's performance. The Number Theoretic Transform (NTT) is used to perform polynomial multiplication in quasi-linear time, similar to how the Fast Fourier Transform (FFT) accelerates convolution operations.

For polynomials a, b ∈ Rq, their product c = a·b can be computed as:

c = NTT⁻¹(NTT(a) ⊙ NTT(b))

Where ⊙ represents coefficient-wise multiplication.

The NTT transforms a polynomial from its coefficient representation to a point-value representation, allowing multiplication to be performed coefficient-wise. The inverse NTT then converts the result back to the coefficient representation.

In Kyber, the NTT is particularly efficient because the modulus q = 3329 is chosen such that it supports a full NTT for polynomials of degree n = 256. Specifically, q ≡ 1 (mod 2n), which means there exists a primitive 2n-th root of unity in Zq.

Masked Implementation Techniques

Principles of Masking

Masking is a widely used countermeasure against side-channel attacks, designed to break the statistical relationship between sensitive data and physical leakage. The core principle of masking is to split sensitive variables into multiple shares that are processed independently.

For a d-order masked implementation, each sensitive variable x is split into d+1 shares x₀, x₁, ..., xd such that:

x = x₀ ⊕ x₁ ⊕ ... ⊕ xd

Where ⊕ represents the appropriate operation for combining shares (typically XOR for Boolean masking or addition modulo q for arithmetic masking).

The security property of masking is that any combination of up to d shares reveals no information about the secret value x. This provides theoretical protection against side-channel attacks that can observe up to d intermediate values.

Boolean Masking Scheme

Boolean masking splits sensitive variables into shares using bitwise XOR operations. For a sensitive variable x, it is represented as x = x₁ ⊕ x₂ ⊕ ... ⊕ xn, where each share xi is processed independently.

In a first-order Boolean masking scheme (d = 1), a sensitive variable x is split into two shares:

x = x₀ ⊕ x₁

Where x₀ is typically a random value, and x₁ = x ⊕ x₀.

Boolean masking is particularly well-suited for operations like XOR and bit permutations, which can be applied independently to each share:

(x₀ ⊕ x₁) ⊕ (y₀ ⊕ y₁) = (x₀ ⊕ y₀) ⊕ (x₁ ⊕ y₁)

However, non-linear operations like AND require special handling to maintain the masking property:

(x₀ ⊕ x₁) ∧ (y₀ ⊕ y₁) = (x₀ ∧ y₀) ⊕ (x₀ ∧ y₁) ⊕ (x₁ ∧ y₀) ⊕ (x₁ ∧ y₁)

This requires computing cross-terms that could potentially leak information about the sensitive values. Secure implementations use techniques like the ISW (Ishai-Sahai-Wagner) multiplication algorithm to compute these terms securely.

Arithmetic Masking Considerations

Arithmetic masking represents sensitive variables as sums in Zq. For a sensitive variable x, it is represented as x = (x₁ + x₂ + ... + xn) mod q. This type of masking is well-suited for operations like addition and multiplication modulo q, which are common in lattice-based cryptography.

In a first-order arithmetic masking scheme, a sensitive variable x is split into two shares:

x = (x₀ + x₁) \mod q

Where x₀ is typically a random value in Zq, and x₁ = (x - x₀) mod q.

Arithmetic masking allows for efficient implementation of operations like addition:

(x₀ + x₁) + (y₀ + y₁) = (x₀ + y₀) + (x₁ + y₁)

And scalar multiplication:

a · (x₀ + x₁) = (a · x₀) + (a · x₁)

However, operations like bit decomposition or comparison, which are common in Kyber's compression and decompression functions, are more challenging with arithmetic masking.

Domain Conversion Challenges

Kyber implementations require both Boolean masking (for hash functions and binary operations) and arithmetic masking (for polynomial operations). Converting between these masking domains securely is a significant challenge.

The conversion from Boolean to arithmetic masking (B2A) and from arithmetic to Boolean masking (A2B) must be done without revealing the sensitive value. Several algorithms have been proposed for these conversions, including:

  • Goubin's Algorithm: A secure method for first-order masking, but with quadratic complexity in the bit length.
  • Coron-Tchulkine Algorithm: Improves efficiency using table lookups, but may be vulnerable to cache-timing attacks.
  • Higher-Order Conversion Algorithms: Extensions to support d-order masking, typically with complexity O(d² · n), where n is the bit length.

The complexity of these conversions often makes them a performance bottleneck in masked implementations. Moreover, they can be particularly vulnerable to side-channel attacks if not implemented carefully.

Side-Channel Attack Methodology

Hamming Distance Leakage Model

The side-channel attack described in the research paper targets the masked hardware implementation of Kyber, specifically exploiting leakage during the polynomial multiplication operations. The attack assumes a Hamming distance leakage model, where the power consumption or electromagnetic emanation is proportional to the number of bit transitions in the hardware.

The Hamming distance leakage model for side-channel attacks:

L(x, x') = HD(x, x') + ε

Where:

  • L(x, x') is the observed leakage
  • HD(x, x') is the Hamming distance between values x and x'
  • ε is Gaussian noise

For a transition from state x to state y, the Hamming distance is defined as the number of bits that differ between x and y:

HD(x, y) = \sum_{i=0}^{n-1} (x_i \oplus y_i)

Where xi and yi are the i-th bits of x and y, respectively.

This model is particularly relevant for CMOS-based implementations, where the power consumption is dominated by the charging and discharging of capacitive loads during bit transitions.

Deep Learning-Based Attack

The researchers employed deep learning techniques to exploit the side-channel leakage. Convolutional neural networks (CNNs) were trained on power traces to recover the secret key, demonstrating the effectiveness of machine learning in side-channel analysis.

The attack methodology employs a profiled deep learning approach with the following components:

  1. Data Collection: Power traces are collected during the execution of the decapsulation algorithm on the FPGA implementation.
  2. Preprocessing: The collected traces are aligned and normalized to enhance the signal-to-noise ratio.
  3. Feature Extraction: Relevant portions of the power traces corresponding to the masked message decoding operation are identified and extracted.
  4. Model Architecture: A convolutional neural network (CNN) is used with the following structure:
    • Input layer: Power trace segments
    • Convolutional layers with ReLU activation
    • Pooling layers for dimensionality reduction
    • Fully connected layers
    • Output layer: Probability distribution over possible message values
  5. Training Process: The model is trained using labeled power traces where the correct message values are known.
  6. Attack Execution: The trained model is applied to power traces from the target device to directly extract the message bits without explicitly recovering the individual shares.

The neural network effectively learns to recognize patterns in the power traces that correlate with the secret values, even when those values are masked. This demonstrates that first-order masking may not provide sufficient protection against sophisticated machine learning-based attacks.

Attack Phases and Implementation

The attack on the masked hardware implementation of CRYSTALS-Kyber consists of several phases:

  1. Profiling Phase: The attacker characterizes the device's leakage using a similar device under their control. This creates templates or models that map observed side-channel measurements to internal states.
  2. Trace Collection Phase: The attacker collects power or electromagnetic traces from the target device during the execution of the Kyber decapsulation algorithm.
  3. Analysis Phase: The collected traces are analyzed using the trained deep learning model to recover the secret key bits.
  4. Key Recovery Phase: The recovered bits are combined to reconstruct the full secret key.

The attack specifically targets the computation of m' = Decompressq(v - sTu, 1) during decapsulation. For each coefficient of the polynomial s, the attack aims to recover the value by analyzing the side-channel leakage during the computation of sTu.

The attack model attempts to find:

P(s = k | T) \text{ for } k \in \{-\eta_1, ..., 0, ..., \eta_1\}

Where T is the observed side-channel trace.

Using Bayes' theorem:

P(s = k | T) = \frac{P(T | s = k) \cdot P(s = k)}{P(T)}

The deep learning model is trained to estimate P(T | s = k) directly from the traces.

Trace Acquisition and Processing

The acquisition of high-quality power or electromagnetic traces is crucial for the success of the attack. The researchers used the following setup:

  • Target Device: FPGA implementation of Kyber with first-order masking.
  • Measurement Equipment: High-precision oscilloscope with appropriate probes (either current probes for power measurements or EM probes for electromagnetic measurements).
  • Sampling Rate: Typically in the range of 1-4 GS/s (giga-samples per second) to capture fine-grained details of the power consumption.
  • Trigger Mechanism: Hardware or software trigger to synchronize the trace acquisition with the cryptographic operation.

Once acquired, the traces undergo several preprocessing steps:

  1. Alignment: Ensuring that all traces are synchronized in time, often using techniques like dynamic time warping or correlation-based alignment.
  2. Filtering: Removing noise and enhancing the signal using techniques like bandpass filtering or wavelet denoising.
  3. Normalization: Scaling the traces to a common range to account for variations in measurement conditions.
  4. Dimensionality Reduction: Selecting only the most informative portions of the traces to reduce computational complexity.

These preprocessing steps are critical for maximizing the signal-to-noise ratio and improving the effectiveness of the subsequent deep learning analysis.

Experimental Results

Attack Performance Metrics

The performance of the side-channel attack is evaluated using several metrics:

  • Success Rate: The probability of correctly recovering the secret key, or a portion thereof, from the side-channel measurements.
  • Number of Traces Required: The number of power or electromagnetic traces needed to achieve a given success rate.
  • Computational Complexity: The computational resources required for the attack, including the training of the deep learning model and the analysis of the traces.
  • Guessing Entropy: The expected number of guesses required to find the correct key, given the information extracted from the side-channel attack.

These metrics provide a comprehensive assessment of the attack's practicality and effectiveness.

Success Rates and Key Recovery

The experimental results presented in the paper demonstrate that even with masking in place, the implementation remains vulnerable to side-channel attacks. The researchers were able to recover the secret key with a high success rate using a relatively small number of power traces.

For the first-order masked implementation of Kyber-512, the attack achieved:

  • 99% success rate for full shared key recovery when the decapsulation process is repeated multiple times
  • Approximately 10,000 traces required for reliable key recovery
  • Significant reduction in guessing entropy compared to brute-force approaches

These results demonstrate the practical feasibility of breaking the first-order masked implementation using deep learning-based side-channel analysis.

Comparison with Previous Attacks

The deep learning-based attack presented in the paper represents a significant advancement over previous side-channel attacks on lattice-based cryptography:

Attack Type Target Masking Order Number of Traces Success Rate Key Recovery
Template Attack Unmasked Kyber 0 ~1,000 95% Full
Correlation Power Analysis Unmasked Kyber 0 ~5,000 90% Full
Higher-Order Analysis First-Order Masked Kyber 1 ~50,000 80% Partial
Deep Learning (This Paper) First-Order Masked Kyber 1 ~10,000 99% Full

The deep learning approach demonstrates superior performance in terms of both the number of traces required and the success rate achieved. This highlights the growing threat of machine learning-based side-channel attacks and the need for more robust countermeasures.

Advanced Countermeasures

Higher-Order Masking

To address the vulnerabilities identified, several advanced countermeasures are proposed. Higher-order masking increases the number of shares used to represent sensitive variables, providing protection against higher-order attacks.

In a d-order masked implementation, a sensitive variable x is split into d+1 shares:

x = x_0 \oplus x_1 \oplus ... \oplus x_d

This provides theoretical protection against attacks that can observe up to d intermediate values. However, the implementation complexity and performance overhead increase significantly with the masking order:

  • The number of shares grows linearly with d
  • The number of operations for secure computation grows quadratically or cubically with d
  • The randomness requirements increase substantially

Recent research has shown that even fifth-order masked implementations can be broken with advanced deep learning techniques, suggesting that higher-order masking alone may not be sufficient for long-term security.

Shuffling and Hiding Techniques

Shuffling randomizes the order of operations to make it more difficult for attackers to identify and target specific operations in the power traces. This can be particularly effective when combined with masking.

For example, in the context of Kyber, the coefficients of the polynomials can be processed in a random order, making it harder for attackers to correlate the observed leakage with specific secret values.

Hiding techniques aim to reduce the signal-to-noise ratio in the side-channel measurements, making it harder to extract useful information. These include:

  • Balanced Logic: Implementing operations using logic styles that have constant power consumption regardless of the data being processed.
  • Random Delays: Inserting random delays between operations to desynchronize the power traces.
  • Dummy Operations: Adding fake operations that are indistinguishable from real ones to confuse the attacker.

The effectiveness of these techniques can be quantified in terms of the noise amplification factor they provide:

\text{SNR}_{\text{effective}} = \frac{\text{SNR}_{\text{original}}}{F_{\text{noise}}}

Where Fnoise is the noise amplification factor provided by the countermeasure.

Protocol-Level Countermeasures

Protocol-level countermeasures address side-channel vulnerabilities at a higher level of abstraction, often by limiting the attacker's ability to collect multiple traces or by refreshing sensitive values frequently.

Key approaches include:

  • Ephemeral Keys: Using a fresh key pair for each session, limiting the number of operations performed with any single key.
  • Key Refreshing: Periodically updating the shares of the secret key to prevent the accumulation of information across multiple traces.
  • Blinding Techniques: Introducing randomness into the cryptographic computations to make each execution unique, even with the same key.

For Kyber, a potential protocol-level countermeasure is to use a hybrid approach where the post-quantum KEM is combined with a traditional key exchange mechanism, with frequent key refreshing to limit the exposure to side-channel attacks.

Formal Verification Approaches

Formal verification techniques aim to provide mathematical proofs of security for masked implementations. These approaches model the side-channel leakage and verify that the implementation does not leak sensitive information up to a certain order.

Key formal verification approaches include:

  • Probing Security: Ensuring that any set of d or fewer intermediate values is independent of the secret.
  • Non-Interference: Verifying that the joint distribution of any d intermediate values is independent of the secret.
  • Strong Non-Interference: Extending non-interference to account for glitches and other physical effects.

Tools like maskVerif and SILVER have been developed to automate the formal verification of masked implementations, helping designers identify and fix potential vulnerabilities before deployment.

Implications for Post-Quantum Security

Impact on Standardization Efforts

The research highlights the importance of considering implementation security alongside algorithmic security in the post-quantum era. Even quantum-resistant algorithms can be vulnerable to classical side-channel attacks if not implemented carefully.

NIST's post-quantum cryptography standardization process has primarily focused on the mathematical security and performance characteristics of the candidate algorithms. However, the side-channel security of these algorithms is increasingly recognized as a critical consideration.

Future standards may include specific requirements for side-channel resistance, similar to how FIPS 140-3 includes requirements for physical security and side-channel resistance for cryptographic modules.

Challenges in Secure Implementation

Implementing post-quantum cryptographic algorithms securely presents several unique challenges:

  • Complexity: Post-quantum algorithms like Kyber involve more complex mathematical operations than traditional cryptography, making secure implementation more challenging.
  • Performance Constraints: The computational overhead of post-quantum algorithms is already significant, and adding side-channel countermeasures further increases this overhead.
  • Hardware Acceleration: Dedicated hardware accelerators for post-quantum cryptography must be designed with side-channel resistance in mind from the outset.
  • Verification: Verifying the side-channel security of implementations becomes more complex due to the increased state space and operation count.

Addressing these challenges requires a multidisciplinary approach, combining expertise in cryptography, hardware design, formal verification, and side-channel analysis.

Future Research Directions

The attack on the masked hardware implementation of CRYSTALS-Kyber opens several avenues for future research:

  1. Improved Masking Schemes: Developing more efficient and secure masking schemes specifically tailored for lattice-based cryptography.
  2. Hardware-Software Co-Design: Exploring the optimal partitioning of operations between hardware and software to maximize both performance and security.
  3. Machine Learning Countermeasures: Investigating techniques to make implementations resistant to machine learning-based side-channel attacks.
  4. Formal Verification: Extending formal verification techniques to account for advanced attack models, including deep learning-based attacks.
  5. Alternative Post-Quantum Approaches: Comparing the side-channel security characteristics of different post-quantum cryptographic approaches, such as code-based, multivariate, or isogeny-based cryptography.

These research directions will be crucial for ensuring the practical security of post-quantum cryptographic implementations in real-world deployments.

Conclusion

The attack on the masked hardware implementation of CRYSTALS-Kyber demonstrates that even theoretically secure masking schemes can be vulnerable to sophisticated side-channel attacks. As quantum computing advances, ensuring the practical security of post-quantum cryptographic implementations against both classical and side-channel attacks becomes increasingly important.

The mathematical foundations of CRYSTALS-Kyber provide strong theoretical security guarantees, but implementing these algorithms securely in hardware remains a significant challenge. The combination of higher-order masking, shuffling, hiding techniques, and protocol-level countermeasures offers promising approaches to address these vulnerabilities.

Ongoing research in masking techniques, side-channel analysis, and formal verification will be crucial for developing truly secure post-quantum cryptographic systems. As we transition to post-quantum cryptography, the security of implementations must receive as much attention as the security of the underlying mathematical problems.

The lessons learned from this research extend beyond Kyber to the broader field of post-quantum cryptography implementation security. By addressing these challenges now, we can ensure that our cryptographic infrastructure remains secure in the face of both quantum and classical threats.

References

  1. Alagic, G., Alperin-Sheriff, J., Apon, D., Cooper, D., Dang, Q., Kelsey, J., Liu, Y., Miller, C., Moody, D., Peralta, R., Perlner, R., Robinson, A., & Smith-Tone, D. (2022). Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process. NIST IR 8413. https://doi.org/10.6028/NIST.IR.8413
  2. Bos, J., Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schanck, J. M., Schwabe, P., Seiler, G., & Stehlé, D. (2018). CRYSTALS - Kyber: A CCA-Secure Module-Lattice-Based KEM. 2018 IEEE European Symposium on Security and Privacy (EuroS&P), 353-367. https://doi.org/10.1109/EuroSP.2018.00032
  3. Ravi, P., Poussier, R., Bhasin, S., & Chattopadhyay, A. (2023). On the Effectiveness of Side-Channel Attacks on Masked Kyber Hardware Implementations. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2023(1), 483-508. https://doi.org/10.46586/tches.v2023.i1.483-508
  4. Pessl, P., & Prokop, L. (2022). Fault Attacks on CCA-secure Lattice KEMs. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2022(1), 347-371. https://doi.org/10.46586/tches.v2022.i1.347-371
  5. Regev, O. (2009). On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM, 56(6), 1-40. https://doi.org/10.1145/1568318.1568324
  6. Lyubashevsky, V., Peikert, C., & Regev, O. (2013). On Ideal Lattices and Learning with Errors over Rings. Journal of the ACM, 60(6), 1-35. https://doi.org/10.1145/2535925
  7. Xu, Z., Pemberton, O., Roy, S. S., Oswald, D., Yao, W., & Zheng, Z. (2020). Magnifying Side-Channel Leakage of Lattice-Based Cryptosystems with Chosen Ciphertexts: The Case Study of Kyber. IACR Cryptology ePrint Archive, 2020/912. https://eprint.iacr.org/2020/912
  8. Ravi, P., Jhanwar, M. P., Chattopadhyay, A., Bhasin, S., & Poncelet, A. (2022). Chosen-Ciphertext Side-Channel Attacks on Kyber. IEEE Transactions on Computers, 71(12), 3141-3154. https://doi.org/10.1109/TC.2022.3170795
  9. Beirendonck, M. V., D'Anvers, J.-P., Karmakar, A., Balasch, J., & Verbauwhede, I. (2021). A Side-Channel-Resistant Implementation of SABER. ACM Journal on Emerging Technologies in Computing Systems, 17(2), 1-26. https://doi.org/10.1145/3429983
  10. Coron, J.-S. (2014). Higher Order Masking of Look-Up Tables. Advances in Cryptology – EUROCRYPT 2014, 441-458. https://doi.org/10.1007/978-3-642-55220-5_25
  11. Ishai, Y., Sahai, A., & Wagner, D. (2003). Private Circuits: Securing Hardware against Probing Attacks. Advances in Cryptology - CRYPTO 2003, 463-481. https://doi.org/10.1007/978-3-540-45146-4_27
  12. Mangard, S., Oswald, E., & Popp, T. (2007). Power Analysis Attacks: Revealing the Secrets of Smart Cards. Springer. https://doi.org/10.1007/978-0-387-38162-6
  13. Chari, S., Jutla, C. S., Rao, J. R., & Rohatgi, P. (1999). Towards Sound Approaches to Counteract Power-Analysis Attacks. Advances in Cryptology - CRYPTO '99, 398-412. https://doi.org/10.1007/3-540-48405-1_26
  14. Standaert, F.-X., Malkin, T. G., & Yung, M. (2009). A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks. Advances in Cryptology - EUROCRYPT 2009, 443-461. https://doi.org/10.1007/978-3-642-01001-9_26
  15. Bhasin, S., D'Anvers, J.-P., Heinz, D., Pöppelmann, T., & Van Beirendonck, M. (2020). Attacking and Defending Masked Polynomial Comparison for Lattice-Based Cryptography. IACR Cryptology ePrint Archive, 2020/1559. https://eprint.iacr.org/2020/1559