Improved Power Analysis on CRYSTALS-Kyber
https://ipsj.ixsq.nii.ac.jp/records/240933
| Name / File | License | Action |
|---|---|---|
| Available for download from October 15, 2026. | Copyright (c) 2024 by the Information Processing Society of Japan | |
| Non-members: ¥660, IPSJ members: ¥330, CSEC members: ¥0, SPT members: ¥0, DLIB members: ¥0 | | |

| Item type | Symposium(1) |
|---|---|
| Publication date | 2024-10-15 |
| Title | |
| Language | en |
| Title | Improved Power Analysis on CRYSTALS-Kyber |
| Language | |
| Language | eng |
| Keywords | |
| Subject scheme | Other |
| Subject | CRYSTALS-Kyber, Lattice, Side-channel attack, Embedding technique |
| Resource type | |
| Resource type identifier | http://purl.org/coar/resource_type/c_5794 |
| Resource type | conference paper |
| Author affiliation | The University of Tokyo |
| Author affiliation | The University of Tokyo / National Institute of Advanced Industrial Science and Technology |
| Authors | Yen-Ting, Kuo; Atsushi, Takayasu |
| Abstract | |
| Description type | Other |
| Description | Kuo and Takayasu (ICISC 2023) proposed a two-step attack on CRYSTALS-Kyber. First, they recovered some portions of secret keys using correlation power analysis (CPA). Next, they showed that the remaining secrets can be recovered by solving the learning with errors (LWE) problem. They used the standard Kannan's embedding in the second step and concluded that 200 traces in the first step were sufficient for recovering whole secret keys. Later, they improved their second step in SCIS 2024 and showed that 100 traces are sufficient for the first step. The core observation is that, in addition to some portions of secret keys, the first step can recover more portions of noisy secret keys that Kuo and Takayasu did not use in the second step. In this paper, we combine the improved lattice attack with the prediction function proposed by Tosun et al., allowing us to carry out the same attack on masked Kyber. Since the prediction function is an even function, it is impossible to distinguish the sign of each coefficient. However, our lattice attack requires only 59 or 63 absolute values of coefficients to be recovered through CPA, which can be achieved with roughly 700 traces. This shows a significant improvement over previous attacks on the masked version of Kyber. Additionally, we discovered that using a technique called negative correlation, which reduces the ambiguity of negative coefficients, only 50 traces are necessary to achieve full-key recovery on unprotected Kyber. |
| Bibliographic information | Proceedings of the Computer Security Symposium 2024, pp. 1401-1408, issued 2024-10-15 |
| Publisher | |
| Language | ja |
| Publisher | Information Processing Society of Japan |