A research group has exposed a weakness in CRYSTALS-Kyber, an encryption algorithm that the U.S. National Institute of Standards and Technology (NIST) adopted. The other algorithms the institute adopted were CRYSTALS-Dilithium, FALCON, and SPHINCS+ for digital signatures. NIST chose these algorithms as quantum-resistant.
However, Elena Dubrova, Kalle Ngo, and Joel Gartner of the KTH Royal Institute of Technology shared their research findings. They presented side-channel attacks on up to fifth-order masked implementations of CRYSTALS-Kyber on an ARM Cortex-M4 CPU.
Side-channel attacks and encryption algorithms
A side-channel attack extracts embedded secrets from a system by measuring and analyzing its physical parameters. Electromagnetic emission, supply current, and execution time are some of these parameters. The side-channel attack targets vital information such as encryption keys and private data on the target system.
Masking is one of the popular countermeasures for side-channel attacks. It scrambles computation and isolates the side-channel information from secret-dependent cryptographic variables. Sensitive variables in the cryptographic algorithm are split into multiple parts using secret sharing.
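The secret-sharing idea above, as an added Python example that is not code from the researchers or from any CRYSTALS-Kyber implementation: a value is split into six Boolean shares (fifth-order masking), and a modelled Hamming-weight leak of five combined shares is compared with that of all six. The leakage model, the sample secrets, and every function name are assumptions made for the illustration.

```python
import secrets
from functools import reduce
from operator import xor

def mask(value, order, bits=8):
    """Split `value` into order+1 Boolean shares whose XOR equals `value`."""
    shares = [secrets.randbits(bits) for _ in range(order)]
    shares.append(reduce(xor, shares, value))
    return shares

def unmask(shares):
    """Recombine shares; only code that needs the plain value does this."""
    return reduce(xor, shares, 0)

def masked_xor(a_shares, b_shares):
    """XOR is linear, so it is applied share by share without unmasking."""
    return [a ^ b for a, b in zip(a_shares, b_shares)]

def refresh(shares, bits=8):
    """Re-randomise the shares without changing the value they encode."""
    return masked_xor(shares, mask(0, len(shares) - 1, bits))

def hamming_weight(x):
    return bin(x).count("1")

def mean_leak(secret, order, observed, trials=5000):
    """Assumed leakage model: mean Hamming weight of `observed` shares XORed."""
    total = 0
    for _ in range(trials):
        shares = mask(secret, order)
        # Take the last shares so the secret-dependent one is always included.
        total += hamming_weight(unmask(shares[-observed:]))
    return total / trials

if __name__ == "__main__":
    ORDER = 5  # fifth-order masking -> six shares
    for secret in (0x00, 0xFF):  # constructed sample secrets
        partial = mean_leak(secret, ORDER, observed=ORDER)
        full = mean_leak(secret, ORDER, observed=ORDER + 1)
        print(f"secret={secret:#04x}  five shares: {partial:.2f}  six shares: {full:.2f}")
```

With five of the six shares the average stays the same for both secrets, while combining all six reveals the secret's Hamming weight, which is why a masked implementation must never let all shares of a value interact in one observable operation.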
However, deep-learning-based side-channel attacks can be challenging to contain and can overcome countermeasures such as masking, code polymorphism, and shuffling. The researchers also unveiled a new message recovery method called cyclic rotation that manipulates ciphertexts and increases the success rate of message recovery.
NIST shared its thoughts on cyclic rotation as a solution to side-channel attacks. According to NIST, the cyclic rotation method allows the training of neural networks that can recover a message bit with a probability as high as 99% for masked implementations.
Also, they stated that this approach does not affect the algorithm, and the research results will not influence the standardization process of CRYSTALS-Kyber.
The need for encryption algorithms
Data theft is a concern in the 21st century as hackers tamper with sensitive information and steal identities. Statistics from The Software Alliance reveal that cybercriminals stole 423 million identities in 2015. By 2017, these figures spiked to 7.9 billion records, creating tensions worldwide. Proper encryption is an effective solution to this problem.
Encryption is simply encoding data to prevent unauthorized access by making it unreadable. Only authorized parties have an access key to unscramble data after encryption. These techniques are used to combat data theft because they make access very difficult for hackers and safeguard users’ privacy.
An encryptor replaces letters, numbers, and symbols with other special characters to create a cipher. A cipher is a group of characters representing original data. Only an encryptor holds the keys to decoding a cipher.
The encryption process can be handled manually but is tedious. Software, on the other hand, can scramble the data with an algorithm and create an encryption key. Symmetric and asymmetric encryption are the two main encryption categories available.
Symmetric encryption is common, and one key serves for both encryption and decryption. It saves time and cost to create a secure key to encrypt data. This key is transferred to the end user for decryption.
Asymmetric encryption is a process that creates two different keys: a public key and a private key. The two keys do not work the same way. Users can share the public keys with anyone, while the private keys are for those meant to access the data.
The U.S. National Institute of Standards and Technology (NIST) has created the cyclic rotation mechanism to protect against side-channel attacks. Proper encryption is critical for data protection as technology and cyber security advance.
Symmetric and asymmetric encryption are the broad categories covering most encryption methods available for users.