Pushing the Limits of Generic Side-Channel Attacks on LWE-based KEMs - Parallel PC Oracle Attacks on Kyber KEM and Beyond

IACR Trans. Cryptogr. Hardw. Embed. Syst. Pub Date : 2023-03-06 DOI:10.46586/tches.v2023.i2.418-446

Gokulnath Rajendran, P. Ravi, Jan-Pieter D'Anvers, S. Bhasin, A. Chattopadhyay

{"title":"Pushing the Limits of Generic Side-Channel Attacks on LWE-based KEMs - Parallel PC Oracle Attacks on Kyber KEM and Beyond","authors":"Gokulnath Rajendran, P. Ravi, Jan-Pieter D'Anvers, S. Bhasin, A. Chattopadhyay","doi":"10.46586/tches.v2023.i2.418-446","DOIUrl":null,"url":null,"abstract":"In this work, we propose generic and novel adaptations to the binary Plaintext-Checking (PC) oracle based side-channel attacks for Kyber KEM. These attacks operate in a chosen-ciphertext setting, and are fairly generic and easy to mount on a given target, as the attacker requires very minimal information about the target device. However, these attacks have an inherent disadvantage of requiring a few thousand traces to perform full key recovery. This is due to the fact that these attacks typically work by recovering a single bit of information about the secret key per query/trace. In this respect, we propose novel parallel PC oracle based side-channel attacks, which are capable of recovering a generic P number of bits of information about the secret key in a single query/trace. We propose novel techniques to build chosen-ciphertexts so as to efficiently realize a parallel PC oracle for Kyber KEM. We also build a multi-class classifier, which is capable of realizing a practical side-channel based parallel PC oracle with very high success rate. We experimentally validated the proposed attacks (upto P = 10) on the fastest implementation of unprotected Kyber KEM in the pqm4 library. Our experiments yielded improvements in the range of 2.89× and 7.65× in the number of queries, compared to state-of-the-art binary PC oracle attacks, while arbitrarily higher improvements are possible for a motivated attacker, given the generic nature of the proposed attacks. We further conduct a thorough study on applicability to different scenarios, based on the presence/absence of a clone device, and also partial key recovery. Finally, we also show that the proposed attacks are able to achieve the lowest number of queries for key recovery, even for implementations protected with low-cost countermeasures such as shuffling. Our work therefore, concretely demonstrates the power of PC oracle attacks on Kyber KEM, thereby stressing the need for concrete countermeasures such as masking for Kyber and other lattice-based KEMs.","PeriodicalId":13186,"journal":{"name":"IACR Trans. Cryptogr. Hardw. Embed. Syst.","volume":"27 1","pages":"418-446"},"PeriodicalIF":0.0000,"publicationDate":"2023-03-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"8","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IACR Trans. Cryptogr. Hardw. Embed. Syst.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.46586/tches.v2023.i2.418-446","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 8

Abstract

In this work, we propose generic and novel adaptations to the binary Plaintext-Checking (PC) oracle based side-channel attacks for Kyber KEM. These attacks operate in a chosen-ciphertext setting, and are fairly generic and easy to mount on a given target, as the attacker requires very minimal information about the target device. However, these attacks have an inherent disadvantage of requiring a few thousand traces to perform full key recovery. This is due to the fact that these attacks typically work by recovering a single bit of information about the secret key per query/trace. In this respect, we propose novel parallel PC oracle based side-channel attacks, which are capable of recovering a generic P number of bits of information about the secret key in a single query/trace. We propose novel techniques to build chosen-ciphertexts so as to efficiently realize a parallel PC oracle for Kyber KEM. We also build a multi-class classifier, which is capable of realizing a practical side-channel based parallel PC oracle with very high success rate. We experimentally validated the proposed attacks (upto P = 10) on the fastest implementation of unprotected Kyber KEM in the pqm4 library. Our experiments yielded improvements in the range of 2.89× and 7.65× in the number of queries, compared to state-of-the-art binary PC oracle attacks, while arbitrarily higher improvements are possible for a motivated attacker, given the generic nature of the proposed attacks. We further conduct a thorough study on applicability to different scenarios, based on the presence/absence of a clone device, and also partial key recovery. Finally, we also show that the proposed attacks are able to achieve the lowest number of queries for key recovery, even for implementations protected with low-cost countermeasures such as shuffling. Our work therefore, concretely demonstrates the power of PC oracle attacks on Kyber KEM, thereby stressing the need for concrete countermeasures such as masking for Kyber and other lattice-based KEMs.

查看原文本刊更多论文

突破基于lwe的KEM的通用侧信道攻击的极限——对Kyber KEM及其他KEM的并行PC Oracle攻击

在这项工作中，我们提出了针对基于二进制明文检查(PC) oracle的Kyber KEM侧信道攻击的通用和新颖的适应性。这些攻击在选定的密文设置中操作，并且相当通用且易于安装在给定目标上，因为攻击者需要关于目标设备的非常少的信息。然而，这些攻击有一个固有的缺点，即需要几千条跟踪才能执行完整的密钥恢复。这是因为这些攻击通常通过每个查询/跟踪恢复有关密钥的单个信息来工作。在这方面，我们提出了一种新的基于并行PC oracle的侧信道攻击，它能够在单个查询/跟踪中恢复关于密钥的通用P位信息。为了有效地实现Kyber KEM的并行PC预言机，我们提出了一种新的选择密文构建技术。我们还建立了一个多类分类器，该分类器能够实现一个实用的基于侧信道的并行PC oracle，并且成功率很高。我们在pqm4库中对未受保护的Kyber KEM的最快实现进行了实验验证(最高P = 10)。与最先进的二进制PC oracle攻击相比，我们的实验在查询数量上提高了2.89倍到7.65倍，而考虑到所提议攻击的一般性质，对于有动机的攻击者来说，可能会有更高的改进。我们进一步深入研究了基于存在/不存在克隆设备以及部分密钥恢复的不同场景的适用性。最后，我们还展示了所提出的攻击能够实现最低数量的键恢复查询，甚至对于使用低成本对策(如变换)保护的实现也是如此。因此，我们的工作具体地展示了PC oracle攻击Kyber KEM的能力，从而强调了对Kyber和其他基于格子的KEM进行屏蔽等具体对策的必要性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IACR Trans. Cryptogr. Hardw. Embed. Syst.

自引率

0.00%

发文量