An Improved Two-Step Attack on Lattice-Based Cryptography: A Case Study of Kyber
Kai Wang, Dejun Xu, Jing Tian

TL;DR
This paper presents an improved two-step side-channel attack on Kyber, a post-quantum cryptography scheme, demonstrating efficient key recovery with fewer traces and less time, raising security concerns for its deployment.
Contribution
The paper introduces a novel two-step attack combining enhanced correlation power analysis and lattice attack, reducing the resources needed to recover Kyber's secret key.
Findings
Successful key recovery in 9-10 minutes
Requires at most 15 power traces
Effective on multiple Kyber parameter sets
Abstract
After three rounds of strict post-quantum cryptography (PQC) evaluations conducted by NIST, CRYSTALS-Kyber was selected in July 2022 and standardized in August 2024. It has therefore become urgent to further evaluate Kyber's physical security ahead of the deployment phase. In this brief, we present an improved two-step attack on Kyber that quickly recovers the full secret key, s, using far fewer power traces and less time. In the first step, we use correlation power analysis (CPA) to obtain a portion of the guessed values of s from a small number of power traces. The CPA is enhanced by using both Pearson's and Kendall's rank correlation coefficients and by modifying the leakage model to improve accuracy. In the second step, we adopt a lattice attack to recover s from the CPA results. The success rate is greatly increased by a trial-and-error method. We deploy…
Taxonomy
Topics: Advanced Malware Detection Techniques
