CRYSTALS-Kyber has been selected by the NIST as a public-key encryption and key encapsulation mechanism to be standardized. It is also included in the NSA's suite of cryptographic algorithms recommended for national security systems. This makes it important to evaluate the resistance of CRYSTALS-Kyber’s implementations to side-channel attacks. The unprotected and first-order masked software implementations have been already analysed. In this paper, they present deep learning-based message recovery attacks on the ω-order masked implementations of CRYSTALS-Kyber in ARM Cortex-M4 CPU for ω ≤ 5. The main contribution is a new neural network training method called recursive learning. In the attack on an ω-order masked implementation, they start training from an artificially constructed neural network M ω whose weights are partly copied from a model M ω−1 trained on the (ω − 1)-order masked implementation, and then extended to one more share. Such a method allows them to train neural networks that can recover a message bit with the probability above 99% from high-order masked implementations.
Read more https://packetstormsecurity.com/files/171138/2022-1713.pdf