SwePub
Sök i LIBRIS databas

  Extended search

onr:"swepub:oai:DiVA.org:kth-339267"
 

Search: onr:"swepub:oai:DiVA.org:kth-339267" > Secret Key Recovery...

  • 1 of 1
  • Previous record
  • Next record
  •    To hitlist

Secret Key Recovery Attack on Masked and Shuffled Implementations of CRYSTALS-Kyber and Saber

Backlund, Linus (author)
KTH,Elektronik och inbyggda system
Ngo, Kalle (author)
KTH,Elektronik och inbyggda system
Gärtner, Joel (author)
KTH,Matematik (Avd.)
show more...
Dubrova, Elena (author)
KTH,Elektronik och inbyggda system
show less...
 (creator_code:org_t)
Springer Nature, 2023
2023
English.
In: Applied Cryptography and Network Security Workshops - ACNS 2023 Satellite Workshops, ADSC, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings. - : Springer Nature. ; , s. 159-177
Related links:
https://urn.kb.se/re...
show more...
https://doi.org/10.1...
show less...
  • Conference paper (peer-reviewed)
Abstract Subject headings
Close  
  • Shuffling is a well-known countermeasure against side-channel attacks. It typically uses the Fisher-Yates (FY) algorithm to generate a random permutation which is then utilized as the loop iterator to index the processing of the variables inside the loop. The processing order is scrambled as a result, making side-channel attacks more difficult. Recently, a side-channel attack on a masked and shuffled implementation of Saber requiring 61,680 power traces to extract the long-term secret key was reported. In this paper, we present an attack that can recover the long-term secret key of Saber from 4,608 traces. The key idea behind the 13-fold improvement is to recover FY indexes directly, rather than by extracting the message Hamming weight and bit flipping, as in the previous attack. We capture a power trace during the execution of the decryption algorithm for a given ciphertext, recover FY indexes 0 and 255, and extract the corresponding two message bits. Then, we modify the ciphertext to cyclically rotate the message, capture a power trace, and extract the next two message bits with FY indexes 0 and 255. In this way, all message bits can be extracted. By recovering messages contained in k∗ l chosen ciphertexts constructed using a new method based on error-correcting codes of length l, where k is the module rank, we recover the long-term secret key. To demonstrate the generality of the presented approach, we also recover the secret key from a masked and shuffled implementation of CRYSTALS-Kyber, which NIST recently selected as a new public-key encryption and key-establishment algorithm to be standardized.

Subject headings

TEKNIK OCH TEKNOLOGIER  -- Elektroteknik och elektronik -- Signalbehandling (hsv//swe)
ENGINEERING AND TECHNOLOGY  -- Electrical Engineering, Electronic Engineering, Information Engineering -- Signal Processing (hsv//eng)

Keyword

CRYSTALS-Kyber
Post-quantum cryptography
Power analysis
Public-key cryptography
Saber
Side-channel attack

Publication and Content Type

ref (subject category)
kon (subject category)

To the university's database

  • 1 of 1
  • Previous record
  • Next record
  •    To hitlist

Find more in SwePub

By the author/editor
Backlund, Linus
Ngo, Kalle
Gärtner, Joel
Dubrova, Elena
About the subject
ENGINEERING AND TECHNOLOGY
ENGINEERING AND ...
and Electrical Engin ...
and Signal Processin ...
Articles in the publication
Applied Cryptogr ...
By the university
Royal Institute of Technology

Search outside SwePub

Wikipedia about the author:
Linus_Backlund
Backlund, Linus
en

Kungliga biblioteket hanterar dina personuppgifter i enlighet med EU:s dataskyddsförordning (2018), GDPR. Läs mer om hur det funkar här.
Så här hanterar KB dina uppgifter vid användning av denna tjänst.

 
pil uppåt Close

Copy and save the link in order to return to this view