Single-trace attacks are a considerable threat to implementations of classic public-key schemes, and their implications on newer lattice-based schemes are still not well understood.
Two recent works have presented successful single-trace attacks targeting the Number Theoretic Transform (NTT), which is at the heart of many lattice-based schemes.
However, these attacks either require a quite powerful side-channel adversary or are restricted to specific scenarios such as the encryption of ephemeral secrets.
It is still an open question if such attacks can be performed by simpler adversaries while targeting more common public-key scenarios.

In this paper, we answer this question positively.
First, we present a method for crafting ring/module-LWE ciphertexts that result in sparse polynomials at the input of inverse NTT computations, independent of the used private key.
We then demonstrate how this sparseness can be incorporated into a side-channel attack, thereby significantly improving noise resistance of the attack compared to previous works.
The effectiveness of our attack is shown on the use-case of CCA2 secure Kyber $k$-module-LWE, where $k \in \{2,3,4\}$.
Our $k$-trace attack on the long-term secret can handle noise up to a $\sigma \leq 1.2$ in the noisy Hamming weight leakage model, also for masked implementations.
A $2k$-trace variant for Kyber1024 even allows noise $\sigma \leq 2.2$ also in the masked case, with more traces allowing us to recover keys up to $\sigma \leq 2.7$.
Single-trace attack variants have a noise tolerance depending on the Kyber parameter set, ranging from $\sigma \leq 0.5$ to $\sigma \leq 0.7$.
As a comparison, similar previous attacks in the masked setting were only successful with $\sigma \leq 0.5$.

By admin