Chosen Ciphertext k-Trace Attacks on Masked CCA2 Secure Kyber

Single-trace attacks are a considerable threat to implementations of classic public-key schemes, and their implications on newer lattice-based schemes still not well understood. Two recent works have presented successful single-trace targeting the Number Theoretic Transform (NTT), which is at heart many schemes. However, these either require quite powerful side-channel adversary or restricted specific scenarios such as encryption ephemeral secrets. It an open question if can be performed by simpler adversaries while more common scenarios. In this paper, we answer positively. First, present method for crafting ring/module-LWE ciphertexts that result in sparse polynomials input inverse NTT computations, independent used private key. We then demonstrate how sparseness incorporated into attack, thereby significantly improving noise resistance attack compared previous works. The effectiveness our shown use-case CCA2 secure Kyber k-module-LWE, where k ? {2, 3, 4}. Our k-trace long-term secret handle up ? ? 1.2 noisy Hamming weight leakage model, also masked implementations. A 2k-trace variant Kyber1024 even allows 2.2 case, with traces allowing us recover keys 2.7. variants tolerance depending parameter set, ranging from 0.5 0.7. As comparison, similar setting were only 0.5.