Experts Discover Flaw in U.S. Govt’s Chosen Quantum-Resistant Encryption Algorithm

March 06, 2023 | Ravie Lakshmanan | Encryption / Cybersecurity


A group of researchers has disclosed what they say is a vulnerability in certain implementations of CRYSTALS-Kyber, one of the cryptographic algorithms the U.S. government selected last year as quantum resistant.

The attack relates to “side-channel attacks on up to the fifth-order masked implementations of CRYSTALS-Kyber on ARM Cortex-M4 CPUs,” Elena Dubrova, Kalle Ngo, and Joel Gärtner of the KTH Royal Institute of Technology said in a paper.

CRYSTALS-Kyber is the result of a rigorous multi-year effort by the U.S. National Institute of Standards and Technology (NIST) to identify next-generation cryptographic standards that can withstand significant leaps in computing power, and it is one of the post-quantum algorithms selected through that process.

Side-channel attacks, as the name suggests, extract secrets from a cryptosystem by measuring and analyzing physical parameters of the device running it, such as supply current, execution time, and electromagnetic emissions.

The underlying idea is that the physical effects introduced as a result of cryptographic implementations can be used to decode and deduce sensitive information such as ciphertext and encryption keys.

One common countermeasure to harden cryptographic implementations against physical attacks is masking. This randomizes computations and decouples side-channel information from cryptographic variables that rely on secrets.

“The basic principle of masking is to split each sensitive intermediate variable of a cryptographic algorithm into multiple shares using secret sharing and perform computations on these shares,” a different group of researchers explained in 2016.

“From the moment the input is split until the shared output of the cryptographic algorithm is released, the shares of sensitive intermediate variables are never combined in such a way that these variables are unmasked. That is, unshared sensitive variables are never revealed. When the computation is finished, the shared output is reconstructed to reveal the unmasked value.”
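To make the masking principle in the quote concrete, here is an added illustration (not code from the paper or from the article): additive masking mod q, with Kyber's modulus 3329 as the concrete q, where every operation is done share-wise and the secret only reappears when the output is recombined. The exhaustive check uses a toy q = 7 (my choice, so every possible masking can be enumerated) to show that any d shares of a d-th-order masking are distributed identically for two different secrets, while all d+1 shares together are not.

```python
from collections import Counter
from itertools import product
import secrets

Q = 3329  # Kyber's modulus; the exhaustive checks below use a toy q to enumerate all masks


def split(x, order, q=Q, rand=None):
    """Split x into order+1 additive shares mod q.
    `rand` (a list of `order` mask values) lets a caller enumerate every masking;
    otherwise fresh random masks are drawn."""
    masks = list(rand) if rand is not None else [secrets.randbelow(q) for _ in range(order)]
    return masks + [(x - sum(masks)) % q]


def recombine(shares, q=Q):
    """Only done at the very end: this is the one place the unmasked value exists."""
    return sum(shares) % q


def masked_add(a, b, q=Q):
    """Share-wise addition; no share is ever combined with another."""
    return [(s + t) % q for s, t in zip(a, b)]


def masked_scale(a, c, q=Q):
    """Share-wise multiplication by a public constant."""
    return [(s * c) % q for s in a]


def view_distribution(x, order, indices, q):
    """Joint distribution of the shares at `indices`, over every possible masking of x."""
    dist = Counter()
    for rand in product(range(q), repeat=order):
        shares = split(x, order, q, rand)
        dist[tuple(shares[i] for i in indices)] += 1
    return dist


def leaks_secret(order, indices, q=7):
    """True if observing only the shares at `indices` distinguishes x=1 from x=5."""
    return view_distribution(1, order, indices, q) != view_distribution(5, order, indices, q)


def demo():
    """Fifth-order masking (six shares): compute c*x + y without ever unmasking x or y."""
    x, y, c = 1234, 777, 3  # constructed sample values
    sx, sy = split(x, 5), split(y, 5)
    return recombine(masked_add(masked_scale(sx, c), sy))  # == (c*x + y) % Q
```

An attacker who can only observe d of the d+1 shares (a d-th-order attack) sees the same distribution for every secret, which is why defeating a fifth-order masked implementation requires combining leakage from all six shares.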

The attack methods devised by the researchers include a neural network training method called recursive learning, which can recover message bits with high probability.

“Deep-learning-based side-channel attacks can overcome traditional countermeasures such as masking, shuffling, inserting random delays, constant-weight encoding, code polymorphism, and randomized clocks,” the researchers said.


The researchers also developed a new message recovery method called cyclic rotation. It manipulates the ciphertext to increase the leakage of message bits, thereby raising the success rate of message recovery.

“Such methods allow us to train neural networks that can recover message bits from high-order masked implementations with >99% probability,” they added.

When asked for comment, NIST told The Hacker News that the approach does not break the algorithm itself, and that the findings will not affect the CRYSTALS-Kyber standardization process.

“Side-channel research is part of the evaluation and will continue,” NIST’s Dustin Moody told Inside Quantum Technology (IQT) News. “It emphasizes the need to have a protected implementation.”

“Papers exist that use side-channels to attack nearly all cryptographic algorithms. Countermeasures have been developed, and many of the attacks are not realistic or practical in real-world scenarios.”
