Paper 2022/919
Side-Channel Attacks on Lattice-Based KEMs Are Not Prevented by Higher-Order Masking
Abstract
In this paper, we present the first side-channel attack on a higher-order masked implementation of an IND-CCA secure lattice-based key encapsulation mechanism (KEM). Our attack exploits a vulnerability we discovered in the arithmetic-to-Boolean conversion procedure. Using Saber KEM as an example, we demonstrate successful message and secret key recovery attacks on the second- and third-order masked implementations running on a device different from the one used for profiling. In our experiments, we use the latest publicly available higher-order masked implementation of Saber KEM, in which all known vulnerabilities are patched. The presented approach is not specific to Saber and can potentially be applied to other lattice-based PKE and KEM algorithms, including CRYSTALS-Kyber, which was recently selected for standardization by NIST.
Metadata
- Category: Attacks and cryptanalysis
- Publication info: Preprint.
- Keywords: Public-key cryptography, Post-quantum cryptography, Saber KEM, LWE/LWR-based KEM, Side-channel attack, Power analysis
- Contact author(s): kngo @ kth se, ruize @ kth se, dubrova @ kth se, nilspa @ kth se
- History: 2022-07-14: received; 2022-07-14: approved
- Short URL: https://ia.cr/2022/919
- License: CC BY
BibTeX
@misc{cryptoeprint:2022/919,
  author = {Kalle Ngo and Ruize Wang and Elena Dubrova and Nils Paulsrud},
  title = {Side-Channel Attacks on Lattice-Based {KEMs} Are Not Prevented by Higher-Order Masking},
  howpublished = {Cryptology {ePrint} Archive, Paper 2022/919},
  year = {2022},
  url = {https://eprint.iacr.org/2022/919}
}