Abstract

In this paper, we show that a software implementation of the IND-CCA-secure Saber key encapsulation mechanism (KEM) protected by first-order masking and shuffling can be broken by deep learning-based power analysis. Using an ensemble of deep neural networks trained at the profiling stage, we recover the session key and the secret key from 257 × N and 24 × 257 × N traces, respectively, where N is the number of repetitions of the same measurement. The value of N depends on the implementation of the algorithm, the type of device under attack, environmental factors, acquisition noise, etc.; in our experiments N = 10 is sufficient for a successful attack. The neural networks are trained on a combination of 80% traces from the profiling device, captured with a known shuffling order, and 20% traces from the device under attack, captured for all-0 and all-1 messages. “Spicing” the training set with traces from the device under attack helps us minimize the negative effect of inter-device variability.
