Researchers found leak in cryptographic algorithm
New and better methods are needed to protect sensitive data from hackers. This is the conclusion KTH researchers made when they managed to break an implementation of CRYSTALS-Kyber, a post quantum cryptography algorithm considered resistant to quantum computer attacks.
To protect sensitive data and secret information, the US National Institute of Standards and Technology (NIST) has recently selected CRYSTALS-Kyber as a new standard for key establishment. To test whether it keeps its promises, KTH researchers Elena Dubrova, Kalle Ngo and Joel Frisk Gärtner subjected CRYSTALS-Kyber to side-channel analyses by looking at the power consumption.
For today’s crypto algorithms to be useful, the algorithm is translated into program code, which runs on a digital processor. During the execution of the encryption-decryption procedures, a side-channel attacker can record the small variation in power consumption. These” power traces” can be analysed to infer the values the processors have manipulated, added, multiplied, stored, etcetera.
“CRYSTALS-Kyber includes special protections ensuring that the actual output of the algorithm do not leak any sensitive data to an attacker. However, as we performed a side-channel attack, we were able to bypass these protections completely”, says Gärtner.
AI is able to see trough
Side-channel attacks are not new, that is why countermeasures are often employed as an attempt to thwart attacks. One of the most prominent of these is known as” masking”. In the masking countermeasure, secret data is split into multiple shares.
Researchers at KTH have shown these power traces to an Artificial Neural Network (ANN) and have taught it to recognise these combined patterns. Effectively showing that an AI is able to easily ‘see through’ this masking. This has major security implications for implementations relying on masking as the sole countermeasure against side-channel analysis.
” With the development of quantum computing, the security of communications is a concern for many organization’s. CRYSTALS-Kyber is just one example of how to protect information. Algorithmic security is only one face of a 2-sided-coin. We need to be aware that AI-assisted side-channel analysis is a powerful tool that can potentially grant superpowers to a hacker”, says Ngo.
At the end of March, the results were presented at the Real World Crypto Symposium in Tokyo .