A side-channel attack on a masked IND-CCA secure saber KEM implementation

Kalle Ngo; Elena Dubrova; Qian Guo; Thomas Johansson

doi:10.46586/tches.v2021.i4.676-707

A side-channel attack on a masked IND-CCA secure saber KEM implementation

Kalle Ngo, Elena Dubrova, Qian Guo, Thomas Johansson

KTH Royal Institute of Technology

Forskningsoutput: Tidskriftsbidrag › Artikel i vetenskaplig tidskrift › Peer review

Sammanfattning

In this paper, we present a side-channel attack on a first-order masked implementation of IND-CCA secure Saber KEM. We show how to recover both the session key and the long-term secret key from 24 traces using a deep neural network created at the profiling stage. The proposed message recovery approach learns a higher-order model directly, without explicitly extracting random masks at each execution. This eliminates the need for a fully controllable profiling device which is required in previous attacks on masked implementations of LWE/LWR-based PKEs/KEMs. We also present a new secret key recovery approach based on maps from error-correcting codes that can compensate for some errors in the recovered message. In addition, we discovered a previously unknown leakage point in the primitive for masked logical shifting on arithmetic shares.

Originalspråk	engelska
Sidor (från-till)	676-707
Tidskrift	IACR Transactions on Cryptographic Hardware and Embedded Systems
Volym	2021
Nummer	4
DOI	https://doi.org/10.46586/tches.v2021.i4.676-707
Status	Published - 2021

Bibliografisk information

Publisher Copyright:
© 2021, Ruhr-University of Bochum. All rights reserved.

Ämnesklassifikation (UKÄ)

Datavetenskap (Datalogi)

Tillgång till dokument

10.46586/tches.v2021.i4.676-707

Lightweight Cryptography for Autonomous Vehicles
Johansson, T. (Forskare) & Guo, Q. (Forskare)
2020/08/01 → 2023/12/31
Projekt: Forskning

Citera det här

@article{3cc7371e3ef7415c864bd7f88212894b,

title = "A side-channel attack on a masked IND-CCA secure saber KEM implementation",

abstract = "In this paper, we present a side-channel attack on a first-order masked implementation of IND-CCA secure Saber KEM. We show how to recover both the session key and the long-term secret key from 24 traces using a deep neural network created at the profiling stage. The proposed message recovery approach learns a higher-order model directly, without explicitly extracting random masks at each execution. This eliminates the need for a fully controllable profiling device which is required in previous attacks on masked implementations of LWE/LWR-based PKEs/KEMs. We also present a new secret key recovery approach based on maps from error-correcting codes that can compensate for some errors in the recovered message. In addition, we discovered a previously unknown leakage point in the primitive for masked logical shifting on arithmetic shares.",

keywords = "Deep learning, LWE/LWR-based KEM, Post-quantum cryptography, Power analysis, Public-key cryptography, Saber KEM, Side-channel attack",

author = "Kalle Ngo and Elena Dubrova and Qian Guo and Thomas Johansson",

year = "2021",

doi = "10.46586/tches.v2021.i4.676-707",

language = "English",

volume = "2021",

pages = "676--707",

journal = "IACR Transactions on Cryptographic Hardware and Embedded Systems",

issn = "2569-2925",

publisher = "Ruhr-University of Bochum",

number = "4",

}

TY - JOUR

T1 - A side-channel attack on a masked IND-CCA secure saber KEM implementation

AU - Ngo, Kalle

AU - Dubrova, Elena

AU - Guo, Qian

AU - Johansson, Thomas

PY - 2021

Y1 - 2021

N2 - In this paper, we present a side-channel attack on a first-order masked implementation of IND-CCA secure Saber KEM. We show how to recover both the session key and the long-term secret key from 24 traces using a deep neural network created at the profiling stage. The proposed message recovery approach learns a higher-order model directly, without explicitly extracting random masks at each execution. This eliminates the need for a fully controllable profiling device which is required in previous attacks on masked implementations of LWE/LWR-based PKEs/KEMs. We also present a new secret key recovery approach based on maps from error-correcting codes that can compensate for some errors in the recovered message. In addition, we discovered a previously unknown leakage point in the primitive for masked logical shifting on arithmetic shares.

AB - In this paper, we present a side-channel attack on a first-order masked implementation of IND-CCA secure Saber KEM. We show how to recover both the session key and the long-term secret key from 24 traces using a deep neural network created at the profiling stage. The proposed message recovery approach learns a higher-order model directly, without explicitly extracting random masks at each execution. This eliminates the need for a fully controllable profiling device which is required in previous attacks on masked implementations of LWE/LWR-based PKEs/KEMs. We also present a new secret key recovery approach based on maps from error-correcting codes that can compensate for some errors in the recovered message. In addition, we discovered a previously unknown leakage point in the primitive for masked logical shifting on arithmetic shares.

KW - Deep learning

KW - LWE/LWR-based KEM

KW - Post-quantum cryptography

KW - Power analysis

KW - Public-key cryptography

KW - Saber KEM

KW - Side-channel attack

U2 - 10.46586/tches.v2021.i4.676-707

DO - 10.46586/tches.v2021.i4.676-707

M3 - Article

AN - SCOPUS:85118420523

SN - 2569-2925

VL - 2021

SP - 676

EP - 707

JO - IACR Transactions on Cryptographic Hardware and Embedded Systems

JF - IACR Transactions on Cryptographic Hardware and Embedded Systems

IS - 4

ER -

A side-channel attack on a masked IND-CCA secure saber KEM implementation

Sammanfattning

Bibliografisk information

Ämnesklassifikation (UKÄ)

Tillgång till dokument

Fingeravtryck

Projekt

Lightweight Cryptography for Autonomous Vehicles

Citera det här