CryptoDB
A Side-Channel Attack on a Masked IND-CCA Secure Saber KEM Implementation
| Authors: |
|
|---|---|
| Download: | |
| Abstract: | In this paper, we present a side-channel attack on a first-order masked implementation of IND-CCA secure Saber KEM. We show how to recover both the session key and the long-term secret key from 24 traces using a deep neural network created at the profiling stage. The proposed message recovery approach learns a higher-order model directly, without explicitly extracting random masks at each execution. This eliminates the need for a fully controllable profiling device which is required in previous attacks on masked implementations of LWE/LWR-based PKEs/KEMs. We also present a new secret key recovery approach based on maps from error-correcting codes that can compensate for some errors in the recovered message. In addition, we discovered a previously unknown leakage point in the primitive for masked logical shifting on arithmetic shares. |
Video from TCHES 2021
BibTeX
@article{tches-2021-31330,
title={A Side-Channel Attack on a Masked IND-CCA Secure Saber KEM Implementation},
journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
publisher={Ruhr-Universität Bochum},
volume={2021, Issue 4},
pages={676-707},
url={https://tches.iacr.org/index.php/TCHES/article/view/9079},
doi={10.46586/tches.v2021.i4.676-707},
author={Kalle Ngo and Elena Dubrova and Qian Guo and Thomas Johansson},
year=2021
}