Secret Key Recovery Attack on Masked and Shuffled Implementations of CRYSTALS-Kyber and Saber

- Backlund, Linus (author)
- KTH, Electronics and Embedded Systems

- Ngo, Kalle (author)
- KTH, Electronics and Embedded Systems

- Gärtner, Joel (author)
- KTH, Mathematics (Dept.)
- Dubrova, Elena (author)
- KTH, Electronics and Embedded Systems
- Springer Nature, 2023
- 2023
- English.

Part of: Applied Cryptography and Network Security Workshops - ACNS 2023 Satellite Workshops, ADSC, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings. Springer Nature, pp. 159-177
- Related links:
- https://urn.kb.se/re...
- https://doi.org/10.1...
Abstract
- Shuffling is a well-known countermeasure against side-channel attacks. It typically uses the Fisher-Yates (FY) algorithm to generate a random permutation which is then utilized as the loop iterator to index the processing of the variables inside the loop. The processing order is scrambled as a result, making side-channel attacks more difficult. Recently, a side-channel attack on a masked and shuffled implementation of Saber requiring 61,680 power traces to extract the long-term secret key was reported. In this paper, we present an attack that can recover the long-term secret key of Saber from 4,608 traces. The key idea behind the 13-fold improvement is to recover FY indexes directly, rather than by extracting the message Hamming weight and bit flipping, as in the previous attack. We capture a power trace during the execution of the decryption algorithm for a given ciphertext, recover FY indexes 0 and 255, and extract the corresponding two message bits. Then, we modify the ciphertext to cyclically rotate the message, capture a power trace, and extract the next two message bits with FY indexes 0 and 255. In this way, all message bits can be extracted. By recovering messages contained in k·l chosen ciphertexts constructed using a new method based on error-correcting codes of length l, where k is the module rank, we recover the long-term secret key. To demonstrate the generality of the presented approach, we also recover the secret key from a masked and shuffled implementation of CRYSTALS-Kyber, which NIST recently selected as a new public-key encryption and key-establishment algorithm to be standardized.
Subject terms
- ENGINEERING AND TECHNOLOGY -- Electrical Engineering and Electronics -- Signal Processing (hsv//swe)
- ENGINEERING AND TECHNOLOGY -- Electrical Engineering, Electronic Engineering, Information Engineering -- Signal Processing (hsv//eng)
Keywords
- CRYSTALS-Kyber
- Post-quantum cryptography
- Power analysis
- Public-key cryptography
- Saber
- Side-channel attack
Publication and content type
- ref (subject category)
- kon (subject category)