Second-Order Side-Channel Attacks on Kyber: Targeting the Masked Hash Function


Authors: WANG Ya-Qi, HUANG Fan, DUAN Xiao-Lin, HU Hong-Gang (王亚琦; 黄帆; 段晓林; 胡红钢)

Affiliations: [1] CAS Key Laboratory of Electromagnetic Space Information, University of Science and Technology of China, Hefei 230027, China; [2] Hefei National Laboratory, Hefei 230088, China

Source: Journal of Cryptologic Research (密码学报(中英文)), 2024, Issue 6, pp. 1415-1436 (22 pages)

Funding: National Natural Science Foundation of China (62472397); Innovation Program for Quantum Science and Technology (2021ZD0302902).

Abstract: Recently, several PC (plaintext-checking) oracle based side-channel attacks have been proposed against Kyber. However, most of them focus on unprotected implementations, and masking is considered a countermeasure. In this study, we extend PC oracle based side-channel attacks to the second-order scenario and successfully conduct key-recovery attacks on first-order masked Kyber. Firstly, we analyze the potential joint information leakage. Inspired by the binary PC oracle based attack proposed by Qin et al. at Asiacrypt 2021, we identify the 1-bit leakage scenario in the masked Keccak implementation. Moreover, we modify the ciphertext construction described by Tanaka et al. at CHES 2023, extending the leakage scenario from 1-bit to 32-bit. With the assistance of TVLA, we validate these leakages through experiments. Secondly, for these two scenarios, we construct a binary PC oracle based on the t-test and a multiple-valued PC oracle based on neural networks. Furthermore, we conduct practical side-channel attacks on masked Kyber by utilizing our oracles, with the implementation running on an ARM Cortex-M4 microcontroller. The demonstrated attacks require a minimum of 15788 and 648 traces to fully recover the key of Kyber768 in the 1-bit leakage scenario and the 32-bit leakage scenario, respectively. Our analysis may also be extended to attack other post-quantum schemes that use the same masked hash function. Finally, we apply the shuffling strategy to the first-order masked implementation of Kyber and perform leakage tests. Experimental results show that the combined strategy of shuffling and masking can effectively resist our proposed attacks.

Keywords: side-channel attack; plaintext-checking oracle; post-quantum cryptography; masked Kyber; masked hash function

Classification code: TP309.7 [Automation and Computer Technology / Computer System Architecture]
