Curse of Re-encryption: A Generic Power/EM Analysis on Post-Quantum KEMs

Detailed description

Bibliographic details
Published in: IACR Transactions on Cryptographic Hardware and Embedded Systems, vol. 2022, no. 1, pp. 296-322
Main authors: Ueno, Rei; Xagawa, Keita; Tanaka, Yutaro; Ito, Akira; Takahashi, Junko; Homma, Naofumi
Format: Journal Article
Language: English
Published: Ruhr-Universität Bochum, 19 November 2021
ISSN: 2569-2925
Online access: Full text
Abstract
This paper presents a side-channel analysis (SCA) on key encapsulation mechanisms (KEMs) based on the Fujisaki–Okamoto (FO) transformation and its variants. The FO transformation has been widely used to build actively secure KEMs from passively secure public key encryption (PKE), as it is employed in most of the NIST post-quantum cryptography (PQC) KEM candidates. The proposed attack exploits side-channel leakage during execution of a pseudorandom function (PRF) or pseudorandom number generator (PRG) in the re-encryption step of KEM decapsulation as a plaintext-checking oracle that tells whether the PKE decryption result is equal to the reference plaintext. The generality and practicality of the plaintext-checking oracle allow the proposed attack to attain a full-key recovery of various KEMs whenever an active attack on the underlying PKE is known. This paper demonstrates that the proposed attack can be applied to most NIST PQC third-round KEM candidates, namely, Kyber, Saber, FrodoKEM, NTRU, NTRU Prime, HQC, BIKE, and SIKE (for BIKE, the proposed attack achieves a partial key recovery). The applicability to Classic McEliece is unclear because there is no known active attack on this cryptosystem. This paper also presents a side-channel distinguisher design based on deep learning (DL) for mounting the proposed attack on practical implementations without the use of a profiling device. The feasibility of the proposed attack is evaluated through experimental attacks on various PRF implementations (a SHAKE software, an AES software, an AES hardware, a bit-sliced masked AES software, and a masked AES hardware based on threshold implementation). Although it is difficult to implement the oracle using the leakage from the TI-based masked hardware, the success of the proposed attack against the other implementations, which include masked software, confirms its practicality.
DOI: 10.46586/tches.v2022.i1.296-322
License: https://creativecommons.org/licenses/by/4.0
Open access link: https://doaj.org/article/93e0523fe0ca4698810313a80831a37f
Subject terms: Deep learning; Fujisaki–Okamoto transformation; Key encapsulation mechanism; Post-quantum cryptography; Public key encryption; Side-channel analysis