Key recovery on static Kyber based on transient execution attacks
Luccas Ruben J. Constantin-Sukul, Rasmus Ø. Gammelgaard, Alexander N. Henriksen, Diego Aranha


Introduction

Explore a key recovery attack on static Kyber via transient execution methods (Gather Data Sampling, Flush+Reload). Reassemble private keys from fragments in under 40 minutes with high success rates.


Abstract

Transient execution attacks on modern processors continue to threaten security by stealing sensitive data from other processes running on the same CPU. A recent example is Downfall, which demonstrated how microarchitecture leakage could reveal short AES keys. We explore the possibility of leaking much longer keys from post-quantum cryptography by combining Gather Data Sampling from Downfall with Flush+Reload to mount a key recovery attack against static Kyber. We reassemble private keys from fragments scattered within random noise by exploiting patterns observed across multiple consecutive loads. The whole attack runs in under 40 minutes with a success rate between 60% and 70%, no matter the Kyber security level used by the victim. This underscores the implicit reliance of cryptographic algorithms on the underlying microarchitecture for security.


Review

This paper presents a highly significant contribution to the field of cybersecurity, specifically at the intersection of microarchitectural vulnerabilities and post-quantum cryptography. The authors successfully demonstrate a practical key recovery attack against static Kyber, a leading post-quantum encryption candidate, by extending the principles of transient execution attacks. This work fills a critical gap by showing that sophisticated microarchitectural leakages, previously demonstrated to reveal short symmetric keys (e.g., AES in Downfall), can be effectively scaled to compromise the much longer and complex private keys inherent in PQC schemes.

The methodology employed is both novel and sophisticated, leveraging a powerful combination of Gather Data Sampling (GDS) from the Downfall vulnerability alongside the well-established Flush+Reload technique. The core innovation lies in the ability to reassemble Kyber private keys from fragmented data that is initially scattered within random noise. This is achieved by expertly exploiting discernible patterns observed across multiple consecutive loads, showcasing a deep understanding of both the microarchitectural leakage mechanisms and the structure of Kyber keys. The reported attack metrics — under 40 minutes for execution and a 60-70% success rate, regardless of the Kyber security level — underscore the alarming practicality and potency of this vulnerability.

The implications of this research are far-reaching, fundamentally challenging the perceived security of current post-quantum cryptographic implementations and emphasizing the inherent fragility introduced by underlying hardware architectures. The paper forcefully "underscores the implicit reliance of cryptographic algorithms on the underlying microarchitecture for security," moving beyond theoretical cryptographic strength to highlight practical implementation risks. This work serves as an urgent call for renewed scrutiny of Kyber deployments, particularly those utilizing static keys, and demands immediate attention from both cryptographic designers and hardware manufacturers to develop more robust, side-channel-resistant solutions against such advanced transient execution threats.


This article is from Proceedings of the Microarchitecture Security Conference.
