After three rounds of rigorous post-quantum cryptography (PQC) evaluation conducted by the National Institute of Standards and Technology (NIST), CRYSTALS-Kyber was selected and drafted for standardization in mid-2022. It has become urgent to further evaluate Kyber's physical security ahead of the upcoming deployment phase. In this paper, we present an improved two-step attack on Kyber that quickly recovers the full secret key, s, using far fewer power traces and less time. In the first step, we use a correlation power analysis (CPA) attack to obtain a portion of the guess values of s from a small number of power traces. The CPA attack is enhanced by using both the Pearson and Kendall's rank correlation coefficients and by modifying the leakage model to improve accuracy. In the second step, we adopt a lattice attack to recover s based on the CPA results. The success rate is greatly improved by a trial-and-error method. We implement the proposed attack against the reference implementation of Kyber512 (four 128-value groups of s) on ARM Cortex-M4 and successfully recover one 128-value group of s in about 9 minutes on a 16-core machine. Furthermore, in that setting we need at most 60 CPA guess values per group and 15 power traces per guess.