Chosen-Ciphertext Clustering Attack on CRYSTALS-KYBER Using the Side-Channel Leakage of Barrett Reduction


Bibliographic Details
Published in: IEEE Internet of Things Journal, Vol. 9, no. 21, pp. 21382-21397
Main Authors: Sim, Bo-Yeon; Park, Aesun; Han, Dong-Guk
Format: Journal Article
Language: English
Published: Piscataway, IEEE, 01.11.2022 (The Institute of Electrical and Electronics Engineers, Inc.)

Summary: This study proposes a chosen-ciphertext side-channel attack against a lattice-based key encapsulation mechanism (KEM), the third-round candidate of the National Institute of Standards and Technology (NIST) standardization project. Unlike existing attacks that target operations such as inverse NTT and message encoding/decoding, we target Barrett reduction in the decapsulation phase of CRYSTALS-KYBER to obtain a secret key. We show that a sensitive variable-dependent leakage of Barrett reduction exposes an entire secret key. The results of experiments conducted on the ARM Cortex-M4 microcontroller accomplish a success rate of 100%. We only need six chosen ciphertexts for KYBER512 and KYBER768 and eight chosen ciphertexts for KYBER1024. We also show that the m4 scheme of the pqm4 library, an implementation with ARM Cortex-M4 specific optimization (typically in assembly), is vulnerable to the proposed attack. In this scheme, six, nine, and twelve chosen ciphertexts are required for KYBER512, KYBER768, and KYBER1024, respectively.
ISSN: 2327-4662
DOI: 10.1109/JIOT.2022.3179683