Welcome to the Expert Review series, where we delve into the dynamic world of cybersecurity to bring you unbiased and detailed analyses from seasoned professionals. This is a field where the flow of information is both complex and unremitting, and we believe expert analysis is indispensable. It's this expertise that transforms data into understanding, and intricate research findings into actionable insights.
In this edition, we are honored to feature a distinguished panel of experts, each bringing unique and invaluable insights to our discussion. Together, we will be dissecting the paper "Breaking DPA-protected Kyber via the pair-pointwise multiplication", offering our unique perspectives and expert analysis.
The research paper, "Breaking DPA-protected Kyber via the pair-pointwise multiplication", authored by Estuardo Alpirez Bock of Xiphera LTD, Finland; Gustavo Banegas from Qualcomm France SARL, France; Chris Brzuska and Kirthivaasan Puniamurthy of Aalto University, Finland; alongside Łukasz Chmielewski and Milan Šorf from Masaryk University, Czech Republic, was published on April 18, 2023, in the International Association for Cryptologic Research (IACR) Cryptology ePrint Archive.
This particular research paper was chosen for review due to its focus on a cutting-edge topic in cybersecurity: the vulnerability of DPA (Differential Power Analysis)-protected Kyber, a new standard coming from the NIST Post-Quantum Cryptography standardization project. The study's exploration of the pair-pointwise multiplication step of Kyber provides valuable insights into potential security weaknesses in the implementation of what is considered a leading algorithm for future cryptographic standards.
The authors observed that the pair-pointwise polynomial multiplication, which Kyber uses because its NTT transformation is incomplete, produces significant side-channel leakage. They therefore set out to exploit this leakage in an attack in order to deduce the secret key coefficients.
The paper claims that the attack also applies to protected Kyber implementations. This attack was enabled by a technical choice made by Kyber designers for Round 2 of the NIST PQC competition in 2019. Kyber changed its modulus parameter from
The paper proposes a kind of template attack targeting the pair-pointwise multiplication of the secret key and ciphertext in the NTT domain. The attack can be adapted to different types of implementations, and could potentially be applied to other Kyber-like algorithms, of which there are many. Other attacks targeting masked implementations of Kyber have been studied and published before; this one, however, is uniquely straightforward to understand and implement. Precisely because it is a relatively simple attack, it should be regarded as a realistic threat, and work should be done to develop countermeasures that protect against it.
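To make concrete what "pair-pointwise multiplication in the NTT domain" refers to, here is an added Python illustration. It is not code from the paper, from its authors, or from eShard; it follows the public Kyber Round 3 / FIPS 203 description (q = 3329, zeta = 17, seven NTT layers, base-case multiplication modulo X^2 - gamma) and checks the NTT-domain product against a schoolbook multiplication in Z_q[X]/(X^256 + 1). The helper names and the constructed sample polynomials are my own. The structural point it shows is the one the review discusses: each output pair of the base-case multiplication depends on only one pair of secret coefficients and the matching ciphertext pair, which is why single-pair templates are conceivable and why masking and shuffling protections must cover this step.

```python
# Added illustration (not the paper's or eShard's code): Kyber's incomplete NTT and
# the pair-pointwise ("base case") multiplication it requires, following the public
# Kyber Round 3 / FIPS 203 description. Helper names are my own.
import random

KYBER_Q = 3329   # Kyber modulus used since Round 2
KYBER_N = 256    # polynomial degree: arithmetic is in Z_q[X]/(X^256 + 1)
ZETA = 17        # primitive 256th root of unity modulo q
INV_128 = 3303   # 128^-1 mod q, applied at the end of the inverse NTT


def bitrev7(i: int) -> int:
    """Reverse the 7 low bits of i (the twiddle ordering used by Kyber)."""
    return int(f"{i:07b}"[::-1], 2)


def ntt(f):
    """Incomplete NTT: 7 butterfly layers instead of 8, so the result is
    128 degree-1 polynomials modulo X^2 - zeta^(2*bitrev7(i)+1)."""
    f = [x % KYBER_Q for x in f]
    k = 1
    length = 128
    while length >= 2:
        for start in range(0, KYBER_N, 2 * length):
            zeta = pow(ZETA, bitrev7(k), KYBER_Q)
            k += 1
            for j in range(start, start + length):
                t = zeta * f[j + length] % KYBER_Q
                f[j + length] = (f[j] - t) % KYBER_Q
                f[j] = (f[j] + t) % KYBER_Q
        length //= 2
    return f


def ntt_inv(f_hat):
    """Inverse of ntt(): undoes the 7 layers and rescales by 128^-1."""
    f = list(f_hat)
    k = 127
    length = 2
    while length <= 128:
        for start in range(0, KYBER_N, 2 * length):
            zeta = pow(ZETA, bitrev7(k), KYBER_Q)
            k -= 1
            for j in range(start, start + length):
                t = f[j]
                f[j] = (t + f[j + length]) % KYBER_Q
                f[j + length] = zeta * (f[j + length] - t) % KYBER_Q
        length *= 2
    return [x * INV_128 % KYBER_Q for x in f]


def basemul(a, b, gamma):
    """Multiply degree-1 polynomials a0 + a1*X and b0 + b1*X modulo X^2 - gamma.
    This is the operation the reviewed attack targets: the output pair depends
    only on ONE pair of secret coefficients (a0, a1) and the matching pair of b."""
    a0, a1 = a
    b0, b1 = b
    c0 = (a0 * b0 + a1 * b1 * gamma) % KYBER_Q
    c1 = (a0 * b1 + a1 * b0) % KYBER_Q
    return c0, c1


def pair_pointwise_mul(a_hat, b_hat):
    """Multiply two polynomials in the NTT domain, one coefficient pair at a time."""
    out = []
    for i in range(KYBER_N // 2):
        gamma = pow(ZETA, 2 * bitrev7(i) + 1, KYBER_Q)
        out.extend(basemul(a_hat[2 * i:2 * i + 2], b_hat[2 * i:2 * i + 2], gamma))
    return out


def schoolbook_negacyclic_mul(a, b):
    """Reference multiplication in Z_q[X]/(X^256 + 1), used only for checking."""
    r = [0] * KYBER_N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < KYBER_N:
                r[k] += ai * bj
            else:
                r[k - KYBER_N] -= ai * bj   # X^256 = -1 in this ring
    return [x % KYBER_Q for x in r]


def ntt_product_matches_schoolbook(seed: int = 0) -> bool:
    """Constructed check: a random 'secret' with small coefficients (as Kyber's s has)
    times a random full-range 'ciphertext' polynomial, computed both ways."""
    rng = random.Random(seed)
    s = [rng.randint(-2, 2) for _ in range(KYBER_N)]        # small, CBD-like coefficients
    c = [rng.randrange(KYBER_Q) for _ in range(KYBER_N)]     # full-range coefficients
    via_ntt = ntt_inv(pair_pointwise_mul(ntt(s), ntt(c)))
    return via_ntt == schoolbook_negacyclic_mul(s, c)


if __name__ == "__main__":
    print("NTT-domain product matches schoolbook:", ntt_product_matches_schoolbook())
```

Running the file prints `True`, confirming that the 128 independent base-case multiplications, each consuming one secret coefficient pair, reproduce the full polynomial product once the inverse NTT is applied.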
The authors of the paper ran a partial experiment to try to prove that the attack works. The attack is incomplete in the sense that no recovery of secret key coefficients is demonstrated. The practicality of the attack might suffer from the particular profiling method used, in which templates are built only for single-coefficient secret keys. This strategy assumes that there is no dependency between the power consumption of operations computing on any two secret key coefficients. This is a strong assumption that may not hold in practice, depending on the implementation and platform.
However, the main purpose of the article is rather to show theoretically that there are simple attacks that can exploit leakage from multiple operations in a single trace. The simplicity of the profiling phase contributes to the practicality of the attack in the real world.
It should also be noted that the paper assumes Hamming-weight leakage, which may not be valid for all implementations. Whether the attack carries over to other leakage models remains an open question.
As the coming NIST Key Encapsulation Mechanism (KEM) standard FIPS 203 is based on Kyber, any and all cryptanalysis and side-channel analysis of it is highly relevant. The impact is significant, and it can be felt in the immediate future. For instance, the article proposes an attack that can be applied to implementations of Kyber that use masking and shuffling protections, meaning that new and/or different protection methods should be implemented to ensure this particular side-channel leakage cannot be exploited by an attacker.
It's clear that the journey into the realm of Post-Quantum Cryptography (PQC) is just beginning. Every day brings new information and fresh research papers that further deepen our understanding of this quickly-evolving field. We are committed to analyzing these developments and offering insights to ensure you remain well-informed and prepared for the challenges ahead. Consider this review the first of many more insightful explorations to come. Stay tuned.