Decoding the CRYSTALS-Kyber attack using artificial intelligence: Examination and strategies for resilience

Maksim Iavich 1,*,†, Sergiy Gnatyuk 2,† and Assel Mukasheva 3,†
1 Caucasus University, 1 Paata Saakadze str., 0102 Tbilisi, Georgia
2 National Aviation University, 1 Liubomyra Huzara ave., 03058 Kyiv, Ukraine
3 Kazakh-British Technical University, 59 Tole Bi str., 050000 Almaty, Kazakhstan

CPITS-II 2024: Workshop on Cybersecurity Providing in Information and Telecommunication Systems II, October 26, 2024, Kyiv, Ukraine. ∗ Corresponding author. † These authors contributed equally. miavich@cu.edu.ge (M. Iavich); s.gnatyuk@nau.edu.ua (S. Gnatyuk); a.mukasheva@gmail.com (A. Mukasheva). ORCID 0000-0002-3109-7971 (M. Iavich); 0000-0003-4992-0564 (S. Gnatyuk); 0000-0001-9890-4910 (A. Mukasheva). © 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). CEUR Workshop Proceedings, ceur-ws.org, ISSN 1613-0073.

Abstract
The recent advances in artificial intelligence and quantum computing pose a significant threat to traditional public key cryptosystems. In this context Kyber, a post-quantum encryption scheme relying on the hardness of lattice problems, has been standardized. Despite thorough evaluation by the National Institute of Standards and Technology (NIST), recent investigations expose vulnerabilities in CRYSTALS-Kyber, demonstrating its susceptibility to AI-assisted attacks in non-controlled environments. This study examines the susceptibility of CRYSTALS-Kyber to side-channel attacks. A study of the reference implementation of Kyber512 shows that chosen ciphertexts allow additional functions to be compromised; a successful implementation of this allows real-time recovery of the entire secret key in various attack scenarios.

Keywords
post-quantum cryptography, machine learning, recursive learning, lattices, NIST, Kyber

1. Introduction

The impending rise of quantum computing heralds a transformative era in computing capabilities. Post-quantum cryptography offers mechanisms that let classical computers resist the threats posed by quantum computers. These systems provide defence against the exponential speed advantage of quantum computers, which exploit the distinctive properties of quantum mechanics. The urgency of this transition is underscored by the stark contrast between the speed with which quantum computers can solve certain complex problems and the prolonged execution times required by traditional computers.

The development of quantum computing raises concerns about the viability of current cryptographic methodologies, particularly those reliant on RSA. RSA, a widely used public key cryptosystem, relies on the complexity of mathematical problems such as integer factorization. However, the advent of large-scale quantum computers running Shor's algorithm poses a significant threat to the security of existing public key cryptosystems, because it solves these mathematical problems rapidly [1–3].

In response to this impending challenge, post-quantum cryptosystems are being developed to withstand quantum attacks. The evolution of quantum technology necessitates the continuous pursuit of resilient post-quantum systems, as conventional asymmetric methods like RSA may prove inadequate for safeguarding private data.

To anticipate the impact of quantum computers on cryptographic security, the National Institute of Standards and Technology (NIST) launched the Post-Quantum Cryptography Standardization process (NIST PQC) in 2016. This initiative aims to establish robust cryptographic algorithm standards capable of withstanding attacks by quantum computers and protecting confidential data in the post-quantum era. The project's approach involves soliciting, evaluating, and standardizing quantum-resistant cryptographic algorithms.

NIST initiated the process by selecting a group of candidate algorithms submitted by the cryptographic community. Rigorous evaluation ensued, focusing on the resilience of these candidates against quantum attacks. The chosen primitives are grounded in the decoding of linear error-correcting codes and in lattices, mathematical problems deemed hard for quantum computers.

In a significant development, NIST announced in July 2022 that CRYSTALS-Kyber would become the new standard for key establishment and public key encryption (PKE). This decision reflects its design as a key encapsulation mechanism (KEM) that is IND-CCA2 secure in both the classical and the quantum random oracle model. CRYSTALS-Kyber's security rests on the hardness of the module learning with errors (M-LWE) problem, which introduces unknown noise into linear equations [4, 5]. Furthermore, the prompt inclusion of CRYSTALS-Kyber by the National Security Agency (NSA) in its recommended cryptographic algorithms for national security applications highlights its significance in protecting cryptographic systems from emerging quantum threats.

CRYSTALS-Kyber, renowned for its IND-CCA2 security, operates as a KEM in the classical and quantum random oracle models, which makes it resistant to adaptive chosen ciphertext attacks. Its security derives from the module learning with errors (M-LWE) problem, which introduces unknown noise into linear equations. Despite the robust theoretical security foundations of CRYSTALS-Kyber and other post-quantum PKE/KEM algorithms, vulnerabilities have surfaced in protected software implementations. Advanced side-channel analysis techniques, particularly those rooted in deep learning, have successfully compromised various versions of CRYSTALS-Kyber. These vulnerabilities encompass higher-order masked implementations, first-order software implementations with masking and shuffling, and first-order masked implementations. Identifying these susceptibilities prompted the development of enhanced defences against side-channel attacks, leading to the refinement of CRYSTALS-Kyber implementations.

Given these well-established vulnerabilities, it is essential to assess and enhance the resilience of CRYSTALS-Kyber implementations against side-channel attacks. Such attacks exploit data obtained from physically observable channels, such as the timing or power consumption of the device running the application, and pose a significant threat to the security of cryptographic implementations.

Significant progress has been made in side-channel analysis, exemplified by Kocher et al.'s differential power analysis, which exploits statistical differences in physical measurements. Another noteworthy advancement is deep-learning-based side-channel analysis, which enables attacks on a diverse array of cryptographic systems. Existing defence mechanisms prove inadequate against these sophisticated attacks. Additionally, Wang et al.'s error injection method has demonstrated effectiveness against robust targets, including hardware implementations of CRYSTALS-Kyber, by transforming non-differential attacks into differential ones.

To mitigate the risks associated with side-channel attacks, various countermeasures have been deployed, including masking, shuffling, clock randomization, random delay insertion, constant-weight encoding, and code polymorphism. These countermeasures aim to prevent information leakage through physically measurable channels such as time, power consumption, or electromagnetic radiation, thereby protecting cryptosystems [6, 7].

In conclusion, the development of AI and, through it, the escalating sophistication of side-channel attacks underscore the critical need for continuous evaluation and enhancement of cryptographic implementation security [8]. This imperative is particularly pronounced for post-quantum algorithms like CRYSTALS-Kyber. As the cryptographic landscape evolves, proactive measures must be taken to stay ahead of emerging threats and fortify the security posture of these vital encryption techniques.

2. Kyber encryption system

Kyber is recognized as a secure Key Encapsulation Mechanism (KEM) with IND-CCA2 security, stemming from its reliance on the learning-with-errors (LWE) problem over module lattices [9]. It emerged as a prominent contender in the NIST Post-Quantum Cryptography project. The proposal outlines three distinct parameter sets, crafted to achieve specific security levels. Specifically, Kyber-512 aims to provide security comparable to AES-128, Kyber-768 targets a level roughly equivalent to AES-192, and Kyber-1024 aims to match the security level of AES-256 [10].

An effective strategy is to use Kyber in a hybrid mode, combining it with an established "pre-quantum" key exchange. For instance, combining it with elliptic-curve Diffie-Hellman draws on the strengths of both classical and post-quantum cryptography, so that the derived key stays secure as long as either component remains unbroken [11–13].

Particular emphasis is placed on recommending the Kyber-768 parameter set. This selection is grounded in a thorough analysis indicating that it provides more than 128 bits of security against all known classical and quantum attacks. The decision is underpinned by a highly conservative assessment, wherein 128 bits of security are deemed exceptionally robust, offering resilience against a spectrum of both known and unforeseen threats.

In the summer of 2022, NIST selected CRYSTALS-Kyber, a post-quantum cryptography (PQC) candidate, for standardization. This quantum-safe key encapsulation technique belongs to the CRYSTALS suite, the Cryptographic Suite for Algebraic Lattices.

Kyber is a chosen ciphertext attack (CCA) secure KEM. Its foundation is a chosen plaintext attack (CPA) secure public key encryption (PKE) scheme, from which the CCAKEM is built. Figs. 1 and 2 illustrate how an adapted version of the Fujisaki-Okamoto (FO) transform is applied to CPAPKE to obtain the CCAKEM. The security level of CRYSTALS-Kyber is determined by the rank k of the module, the scheme working with vectors of k ring elements of R_q. CRYSTALS-Kyber has three variants for different values of k: Kyber-512, Kyber-768, and Kyber-1024, corresponding to k = 2, 3, and 4. Given that the target implementations support Kyber-512, this version takes precedence here. To achieve efficient multiplications in R_q, CRYSTALS-Kyber employs the Number-Theoretic Transform (NTT).

The shared key K is derived by combining the message and the hash of the public key with the hash of the CPAPKE.Enc output using a key derivation function. In simpler terms, the encapsulated key K incorporates additional information about the message and the public key, along with the output of the encryption function (CPAPKE.Enc). This approach is described in detail in the definition of the Kyber.Encaps function.

Figure 1: CPAPKE algorithms

Encapsulation produces a value K; after decapsulation (Kyber.Decaps) the returned K is either the same value or a decoy, depending on the assessment of the potentially malicious ciphertext c.

Figure 2: CCAKEM algorithms

A modification has been made to the input r of CPAPKE.Enc: it is the result of hashing the message and the public key rather than an arbitrary random value. The objective of this adjustment is to enhance security, since binding the encryption coins to the message is what makes re-encryption during decapsulation possible.

Learning-with-errors based systems such as Kyber are subject to decryption failures. The intentional triggering of such failures by an adversary could potentially expose sensitive information. Decryption failures become more frequent when attackers manipulate the secret vectors and error values so that they exceed the bounds defined for the CPAPKE.Enc scheme.

By employing a modified variant of the Fujisaki-Okamoto transform, the encapsulation and decapsulation procedures (Kyber.Encaps and Kyber.Decaps) ensure that the random secret and error values were generated legitimately, with the verification incorporated into the decryption process.

To ensure CCA2 security, CRYSTALS-Kyber employs the Fujisaki-Okamoto transformation. The process begins by decrypting the ciphertext with the CPA scheme. Subsequently, a new ciphertext c′ is generated through "re-encryption" of the recovered message with the CPA encryption. The process then checks the equality between c′ and the received ciphertext c. The algorithm outputs True if c = c′ and False otherwise, and the session key K is derived depending on this Boolean result. The FO transform thus verifies that no alteration has been made by a potential adversary. In general, the Kyber mechanism safeguards against attackers attempting to exploit weaknesses of the encryption-decryption procedures.

3. Side-channel attacks

One-time signature schemes are inconvenient to use because a different key pair is needed to sign each message. The problem with such schemes is that they require storing n digests. For everyday use this is impractical, and we would like a scheme that allows us to store a single fixed-size digest, no matter how many files we have. The Merkle tree was proposed to solve this problem. By using the root of a binary tree as the public key, this approach replaces a large number of verification keys with a single public key. A cryptographic hash function and a one-time Lamport or Winternitz signature scheme are used in this system.

A cryptographic system relies on highly intricate mathematics, which may give the impression of being impervious to attack. However, it remains susceptible to side-channel attacks, first identified by Paul Kocher in 1996, which exploit data leaked while the cryptographic device is operating. This leaked information can take various forms, such as electromagnetic radiation, power consumption, sound, or execution time. Systems employing cryptography are vulnerable to side-channel attacks. While many PQC candidates are engineered to withstand direct timing attacks, techniques like power and electromagnetic analysis can still expose vulnerabilities. Researchers are actively exploring and addressing these weaknesses, with NIST stressing the importance of integrating side-channel resistance into PQC. Ongoing research endeavours to fortify PQC's resilience against diverse side-channel attacks [14–17].

Extensive scholarly research has examined the susceptibility of lattice-based KEMs to various side-channel attacks, with particular attention to side-channel-assisted chosen-ciphertext attacks (CCAs). CCAs are designed to acquire the secret key and have been the subject of multiple studies. These investigations examine CCAs targeting different operations within lattice-based KEMs, including the FO transform, message encoding/decoding, error-correcting codes, and the inverse NTT. Side-channel attacks exploit non-primary channels, such as power usage or timing, to unveil vulnerabilities. Researchers employed vertical side-channel leakage detection to scrutinize the decryption mechanism of CRYSTALS-Kyber and identify potential weaknesses in the electrical signals generated during cryptographic operations. KYBER-512 exhibits vulnerabilities that enable an attacker to completely recover the key using simple queries, as they gain access to the content of decrypted messages. The investigation focused on the clean and m4 implementations, specifically on message encoding and the inverse Number Theoretic Transform (NTT).
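Because the re-encryption step of the FO transform is one of the operations that the side-channel-assisted CCAs above target, it helps to see the decapsulation flow of Section 2 in runnable form: decrypt, re-derive the coins from the recovered message, re-encrypt, compare, and derive either K or a rejection key. The following is an added example and not code from the paper or from the Kyber reference implementation. It is a toy ring-LWE scheme with k = 1, schoolbook polynomial multiplication, no NTT and no ciphertext compression; the function names, the noise sampler and the use of SHA3/SHAKE as stand-ins for Kyber's G, H and KDF are assumptions of this example.

```python
"""Toy Kyber-style KEM (k = 1 over Z_q[X]/(X^256 + 1), schoolbook multiplication, no NTT,
no ciphertext compression) demonstrating the Fujisaki-Okamoto re-encryption check.
Constructed for this example; it is not the Kyber reference code."""
import hashlib
import os

N, Q = 256, 3329
HALF_Q = (Q + 1) // 2  # 1665: a 1 bit is encoded as this coefficient

def poly_mul(a, b):
    """Product in Z_q[X]/(X^N + 1): a term X^k with k >= N wraps to -X^(k-N)."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                res[k] = (res[k] + ai * bj) % Q
            else:
                res[k - N] = (res[k - N] - ai * bj) % Q
    return res

def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def poly_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]

def cbd(seed, nonce):
    """Centred binomial noise in [-2, 2] (eta = 2), derived deterministically from the seed."""
    buf = hashlib.shake_256(seed + bytes([nonce])).digest(N)
    return [((b & 1) + ((b >> 1) & 1) - ((b >> 2) & 1) - ((b >> 3) & 1)) % Q for b in buf]

def uniform_poly(seed):
    """Public polynomial a expanded from a seed (16-bit words mod Q; the slight bias is harmless here)."""
    buf = hashlib.shake_128(seed).digest(2 * N)
    return [int.from_bytes(buf[2 * i:2 * i + 2], "little") % Q for i in range(N)]

def encode(msg):
    """32-byte message -> polynomial: bit i becomes HALF_Q for a 1 and 0 for a 0."""
    return [HALF_Q if (msg[i >> 3] >> (i & 7)) & 1 else 0 for i in range(N)]

def decode(poly):
    """Polynomial -> message: a coefficient closer to HALF_Q than to 0 is a 1 bit."""
    msg = bytearray(32)
    for i, c in enumerate(poly):
        if Q // 4 < c <= 3 * Q // 4:
            msg[i >> 3] |= 1 << (i & 7)
    return bytes(msg)

def poly_bytes(p):
    return b"".join(c.to_bytes(2, "little") for c in p)

def keygen(seed=None):
    seed = os.urandom(32) if seed is None else seed
    d = hashlib.sha3_512(seed).digest()
    rho, sigma = d[:32], d[32:]
    s, e = cbd(sigma, 0), cbd(sigma, 1)
    t = poly_add(poly_mul(uniform_poly(rho), s), e)          # t = a*s + e
    z = hashlib.sha3_256(b"reject" + seed).digest()            # implicit-rejection secret
    return (rho, t), (s, (rho, t), z)

def cpa_encrypt(pk, msg, coins):
    """CPA-PKE encryption with explicit coins so that re-encryption is reproducible."""
    rho, t = pk
    r, e1, e2 = cbd(coins, 0), cbd(coins, 1), cbd(coins, 2)
    u = poly_add(poly_mul(uniform_poly(rho), r), e1)
    v = poly_add(poly_add(poly_mul(t, r), e2), encode(msg))
    return (u, v)

def cpa_decrypt(s, ct):
    u, v = ct
    return decode(poly_sub(v, poly_mul(s, u)))                 # v - s*u = encode(m) + small noise

def hash_pk(pk):
    return hashlib.sha3_256(pk[0] + poly_bytes(pk[1])).digest()

def hash_ct(ct):
    return hashlib.sha3_256(poly_bytes(ct[0]) + poly_bytes(ct[1])).digest()

def encaps(pk, m=None):
    m = os.urandom(32) if m is None else m
    g = hashlib.sha3_512(m + hash_pk(pk)).digest()            # (K-bar, coins) = G(m || H(pk))
    ct = cpa_encrypt(pk, m, g[32:])
    return ct, hashlib.shake_256(g[:32] + hash_ct(ct)).digest(32)

def decaps(sk, ct):
    s, pk, z = sk
    m2 = cpa_decrypt(s, ct)
    g = hashlib.sha3_512(m2 + hash_pk(pk)).digest()
    ct2 = cpa_encrypt(pk, m2, g[32:])                           # re-encryption: the FO check
    # A real implementation compares in constant time; Python's == is not.
    if ct2 == ct:
        return hashlib.shake_256(g[:32] + hash_ct(ct)).digest(32)
    return hashlib.shake_256(z + hash_ct(ct)).digest(32)        # implicit rejection

if __name__ == "__main__":
    pk, sk = keygen()
    ct, key = encaps(pk)
    assert decaps(sk, ct) == key
    u, v = ct
    tampered = (u, [(v[0] + 1) % Q] + v[1:])                    # one coefficient changed
    assert cpa_decrypt(sk[0], tampered) == cpa_decrypt(sk[0], ct)  # CPA layer still decrypts m
    assert decaps(sk, tampered) != key                          # the FO check derives a different key
```

The tampered ciphertext still decrypts to the right message at the CPA layer (the noise margin absorbs a change of 1), yet decapsulation returns an unrelated key: the re-encryption comparison, not the decryption itself, is what detects the manipulation, and the masked message encoding executed inside that re-encryption is exactly the code path the attacks of Section 5 profile.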
It is notable that for both the clean and m4 implementations the secret key can be recovered in just four and eight queries, respectively. Additionally, researchers have proposed message recovery techniques involving cyclic message rotation and targeted permutation of message bits. Even though these methods required (w + 1) traces in the presence of a side-channel weighted Hamming classifier, it was emphasized that implementations employing masking and shuffling countermeasures could still be vulnerable. Conversely, attacking protected implementations with shuffling and obfuscation required the strong assumption that the attacker could disable the countermeasures in order to build profiles. Furthermore, the researchers proposed a key recovery attack based on recovered messages, which would require a set of six specific ciphertexts. It is essential to note that the noise parameter of KYBER-512 has since been increased and the CRYSTALS-Kyber specification adjusted, so a more meticulous preparation of ciphertexts is now necessary.

4. Masking

Verkle trees are a powerful upgrade to Merkle trees (Fig. 3) that allow much smaller proofs and are more efficient. The structure of the Verkle tree (Fig. 4) is very similar to the Merkle Patricia tree [15, 18, 19].

To enhance the resistance of CRYSTALS-Kyber against side-channel attacks, masking is implemented as a countermeasure. This strategy partitions a secret into multiple randomized shares; "fifth-order" masking means that the secret is split into six shares (an order-ω scheme uses ω + 1 shares). Masking obscures the underlying arithmetic behaviour of cryptographic algorithms, offering additional protection against side-channel threats.

Masking serves as a prominent defence against power and electromagnetic side-channel analysis. Essentially, the method randomly divides a sensitive value into several shares, each processed independently at every stage of the algorithm; their outcomes are then combined to produce the final result. Operating in the masked domain prevents leakage of information about the sensitive variable x, as x is never used directly. In an ω-order masking scheme, a sensitive variable x is divided into ω + 1 shares, denoted $x = x_1 \circ x_2 \circ \dots \circ x_{\omega+1}$. The choice between arithmetic and Boolean masking depends on the specific technique, where "∘" stands for the sharing operation: in arithmetic masking "∘" is addition, while in Boolean masking it is XOR. The variable x does not take part in the computation directly, as operations are carried out independently on the shares, which in theory prevents information about x from leaking through side channels. Each time a share is processed, it is freshly randomized. Randomization is typically achieved by drawing random masks $r_1, r_2, \dots, r_\omega$ for the first ω shares and computing the remaining share as $x - (r_1 + r_2 + \dots + r_\omega)$ for arithmetic masking or as $x \oplus r_1 \oplus r_2 \oplus \dots \oplus r_\omega$ for Boolean masking.

Figure 3: Merkle Tree example

5. The analysis of the attacks using AI against CRYSTALS-Kyber

CRYSTALS-Kyber has been officially endorsed by NIST as a public-key algorithm for post-quantum encryption. Despite initial beliefs in its resilience against side-channel attacks, researchers have successfully identified a vulnerability in its implementation. Using machine learning, the attack specifically exploited power consumption as the key element of its strategy [20–25]. The increasing accessibility of measuring and analysing the power consumption of computer hardware has made side-channel attacks a significant security concern. These attacks exploit fluctuations in the energy consumed by certain circuits or processes to obtain detailed information about the system or the data being processed [26].

A successful side-channel attack was carried out on CRYSTALS-Kyber, revealing details about the encapsulated key one step before the data is decrypted. Using machine learning to let the attacker capitalize on the side channel is what made the attack work. Considering that machine learning is not commonly used in this kind of security research, the achievement is remarkable. Thus, machine learning can be misused, and businesses must be vigilant about the security threats it may pose.

Even though the attack on CRYSTALS-Kyber was successful, this does not mean that the scheme is unusable. We need to be aware of the security threats that machine learning poses through such attacks; the algorithm itself remains secure.

Earlier research has used AI to compromise first-, second-, and third-order masked Kyber implementations. However, breaking higher-order masked implementations with traditional AI training and profiling techniques proved challenging. Dubrova et al. overcame this challenge by employing a novel form of deep learning together with rotations of the intercepted messages, thereby increasing the leakage of the bits and enhancing the likelihood of a successful attack [25–28].

The initial presentation of the attack by Dubrova et al. focused on first-order masked Kyber, extending the function masked_poly_frommsg() to higher-order masking. Further exploration is intended to assess the power consumption of the presented method, particularly during Kyber's re-encryption phase.
This phase is part of the decapsulation stage, where the shared key is retrieved and re-encapsulated to verify that the ciphertext has not been altered.

Figure 4: Verkle Tree example

In this re-encryption process the secret, that is, the message from which the shared key is derived, is stored bit by bit into a polynomial. Specifically, the 256-bit message is transformed into a polynomial modulo q = 3329 with 256 coefficients: the i-th coefficient is (q + 1)/2 if the i-th bit is 1, and 0 otherwise. Although the function may seem simple, creating a masked version poses a challenge because of the way shares of the secret are generated: Boolean shares that are XOR-ed together have to be turned into arithmetic shares that are added to form the polynomial.

In contrast to previous studies, the AI incorporates recursive learning at the profiling stage. Training a model for an implementation with w-order masking involves copying the weights of the input batch-normalization layer from the model trained on the implementation with (w − 1)-order masking. Subsequently, the layer is expanded to accommodate an additional share, creating the initial network. Recursive learning comes into play when w > 3; for w ≤ 3 the network is trained from a standard random weight initialization.

By cutting and joining training traces byte-wise, two universal models, denoted 0 and 1, are derived. These models capture the strongest leaks, paying special attention to the first two bits of each message byte. Furthermore, the labels "0" and "1" are assigned to message bits, and the AI is trained to recover the message directly without removing the random masks.

As detailed in the attacks described in this paper, after rotating the message three times, the last six bits of each byte have each been moved through the positions of the first two bits. This approach increases the probability of success of the attack by exploiting the "more leaky" bit positions, extracting bit values with a higher probability.

The attack employs cyclic rotation because of the uneven distribution of leakage from masked_poly_frommsg(): this irregularity is evidenced by a 9% difference in the recovery probability between bit 0 and bit 7. Furthermore, the approach is facilitated by the fact that module-LWE is an extension of ring-LWE, which allows a ciphertext to be altered so that the encrypted message is cyclically rotated. By rotating the message three times by 2 bits, the last six bits of each byte are successively brought into the first two positions. This strategy extracts the bit information more efficiently, without the excessive time consumption of other looping approaches.

By manipulating the corresponding ciphertext, it becomes possible to rotate the message. In CRYSTALS-Kyber, a ciphertext c = (u, v) is composed of polynomials in the ring $\mathbb{Z}_q[X]/(X^{256}+1)$. To obtain a negacyclic rotation of the message, u and v are multiplied by the indeterminate X, provided that c is constructed correctly. However, the Decode(−y) and Decode(y) operations may yield different values, introducing the possibility of errors, particularly with the specific ciphertexts used in attempts to recover the secret key [29].

The code iterates over the portions of the two shares, generating a mask for each bit: 0xffff for 1 and 0 for 0. This mask is then used to increase the polynomial share by (q + 1)/2, which requires slightly more energy when a 1 is processed. This function therefore leaks information even without AI. This vulnerability in the pattern was recognized as problematic in 2016, raising concerns about a potential risk to Kyber in 2020. To mitigate it [30], processing multiple bits simultaneously is a recommended countermeasure.
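The three mechanisms discussed above, the bit-to-coefficient encoding of poly_frommsg with its 0xffff/0 mask, the Boolean-to-arithmetic conversion that a masked version needs (the ω-order sharing of Section 4), and the negacyclic rotation of the message obtained by multiplying the ciphertext by X, as an added example that is not part of the paper and not the code of Dubrova et al. or of any masked Kyber implementation. The leakage model (Hamming weight of the 16-bit mask), the simple share-by-share conversion, and all function names are assumptions of this example; `recover_from_trace` shows what an observer who can read every share's leakage obtains, which is what the multi-share profiling of Section 5 approximates.

```python
"""Toy model of Kyber's poly_frommsg, a Boolean-masked variant of it, a Hamming-weight
leakage model for both, and the negacyclic message rotation obtained by multiplying by X.
Constructed for this example; the masked conversion is illustrative, not any library's gadget."""
import os

N, Q = 256, 3329
HALF_Q = (Q + 1) // 2  # 1665: coefficient that encodes a 1 bit

def hamming_weight(x):
    return bin(x).count("1")

def poly_frommsg(msg, trace=None):
    """Reference-style encoding: mask = -(bit) & 0xffff, coefficient = mask & HALF_Q.
    The Hamming weight of each mask (16 or 0) is appended to `trace` as the leakage model:
    for the unmasked function it reveals the message bit directly."""
    poly = [0] * N
    for i in range(32):
        for j in range(8):
            mask = (-((msg[i] >> j) & 1)) & 0xFFFF
            if trace is not None:
                trace.append(hamming_weight(mask))
            poly[8 * i + j] = mask & HALF_Q
    return poly

def boolean_shares(msg, order, rng=os.urandom):
    """Split msg into order+1 Boolean shares with msg = s_0 ^ s_1 ^ ... ^ s_order."""
    shares = [rng(32) for _ in range(order)]
    last = bytearray(msg)
    for s in shares:
        for k in range(32):
            last[k] ^= s[k]
    return shares + [bytes(last)]

def select(a, b, mask):
    """Branch-free choice for values below 2**16: a when mask == 0, b when mask == 0xffff."""
    return (a & ~mask & 0xFFFF) | (b & mask)

def masked_poly_frommsg(shares, trace=None, rng=os.urandom):
    """Masked encoding. Every Boolean share bit is turned into the same 0xffff/0 mask, so each
    share leaks its own bit. The output is two arithmetic shares (a0, a1) of the polynomial,
    a0 + a1 = poly_frommsg(msg) mod Q. XOR-ing a share bit c into a coefficient that encodes
    bit b gives HALF_Q*(b ^ c) = HALF_Q*c + (1 - 2c)*HALF_Q*b, i.e. negate both arithmetic
    shares when c = 1 and add HALF_Q to one of them; a fresh random mask starts each coefficient."""
    a0, a1 = [0] * N, [0] * N
    for idx in range(N):
        i, j = idx >> 3, idx & 7
        r = int.from_bytes(rng(2), "little") % Q
        x0, x1 = r, (Q - r) % Q                                   # arithmetic shares of 0
        for share in shares:
            mask = (-((share[i] >> j) & 1)) & 0xFFFF
            if trace is not None:
                trace.append(hamming_weight(mask))
            x0 = (select(x0, (Q - x0) % Q, mask) + (HALF_Q & mask)) % Q
            x1 = select(x1, (Q - x1) % Q, mask)
        a0[idx], a1[idx] = x0, x1
    return a0, a1

def recombine(a0, a1):
    return [(x + y) % Q for x, y in zip(a0, a1)]

def recover_from_trace(trace, nshares):
    """Leakage-only attack: read every share's bit from its mask weight (16 -> 1, 0 -> 0) and
    XOR the shares. Masking spreads the bit over shares, but every share still leaks it."""
    msg = bytearray(32)
    for idx in range(N):
        bit = 0
        for s in range(nshares):
            bit ^= 1 if trace[idx * nshares + s] == 16 else 0
        msg[idx >> 3] |= bit << (idx & 7)
    return bytes(msg)

def decode(poly):
    """Kyber-style decode: a coefficient nearer HALF_Q than 0 is a 1 bit."""
    msg = bytearray(32)
    for idx, c in enumerate(poly):
        if Q // 4 < c <= 3 * Q // 4:
            msg[idx >> 3] |= 1 << (idx & 7)
    return bytes(msg)

def mul_by_x(poly, k=1):
    """Multiply by X^k in Z_q[X]/(X^N + 1): coefficients move up; the top one wraps negated."""
    for _ in range(k):
        poly = [(-poly[N - 1]) % Q] + poly[:-1]
    return poly

def rotate_message(msg, k):
    """Message the decryptor sees when (u, v) are multiplied by X^k: bit t moves to t + k and
    bits falling off the top wrap to the bottom with coefficient (Q - 1)/2, still a 1."""
    return decode(mul_by_x(poly_frommsg(msg), k))

if __name__ == "__main__":
    msg = os.urandom(32)
    trace = []
    shares = boolean_shares(msg, 5)                    # fifth-order masking: six shares
    a0, a1 = masked_poly_frommsg(shares, trace)
    assert recombine(a0, a1) == poly_frommsg(msg)
    assert recover_from_trace(trace, 6) == msg        # leakage of all six shares -> message
    r2 = rotate_message(msg, 2)
    assert all((r2[i + 1] & 3) == (msg[i] >> 6) for i in range(31))  # bits 6,7 land in bits 0,1
```

Rotating by 2, 4 and 6 positions moves bits 6-7, 4-5 and 2-3 of every byte into the first two bit positions of the following byte, which is the "three 2-bit rotations" used to push every bit through the most leaky positions; the wrapped coefficient becomes (q − 1)/2 = 1664, which still decodes to 1, so the rotation changes where a bit is processed but not its value.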
Dubrova et al. do not claim that this is a radically new attack. Instead, they increase the attack's effectiveness by training the neural network and by making better use of numerous traces through alterations of the sent ciphertext.

Dubrova et al. conducted the proposed attack on an ARM Cortex-M4 CPU (STM32F415-RGT6) using a CW308 UFO board and the CW308T-STM32F4 target board running at 24 MHz. Power consumption was measured with 10-bit resolution at a sampling frequency of 24 MHz.

To train the neural networks, Dubrova et al. collected 150,000 power traces of decapsulations of various ciphertexts using the same KEM key pair. While this is somewhat unusual for a real-world attack, as KEM key pairs for key agreement are typically ephemeral, it has valid applications for long-term KEM key pairs, as used in ECH, HPKE, and authentication [31].

Training is a crucial step, as devices of the same make and model may exhibit significantly different power traces even when executing identical code. Neural networks are trained against "shares", representing implementations with different security levels. The progression begins with attacking a five-share implementation as the initial step towards a six-share implementation. Executing their methodology requires extracting one fifth of the 150,000 power traces against a six-share execution, then repeating the process with a five-share execution, and so forth. The scenario in which a device lets an attacker manipulate the number of shares appears improbable. The authors begin the actual attack by asserting that, under optimal conditions, there is a 0.127% probability of recovering the shared key. However, they do not give specific figures for single-trace attacks involving more than two shares.

Side-channel attacks demonstrate increased success when multiple traces of the same decapsulation are used. The authors introduce a clever twist by rotating the ciphertext instead of using identical traces of the message. This rotation, particularly when four traces are combined, raises the likelihood of success to 78% on a two-share implementation. Even at a 0.5% chance, the six-share implementation remains strong; remarkably, 87% of the shared key can be recovered with 20 traces from the six-share implementation. For each w-order masked implementation, 2,500 messages are selected at random and each is captured in its original form and in three 2-bit cyclic rotations, giving 10,000 traces in total. In the absence of cyclic rotations, the likelihood of message recovery is 0.127%; this probability rises to 78.866% with the introduction of cyclic rotations. For a single trace on a fifth-order masked implementation using cyclic rotations, the recovery probability is 0.56%, rising to 54.53% with three traces and peaking at 87.085% with five traces [31, 32].

In hardware terms, the device may resemble a smart card in some respects, but it is quite different from high-end devices such as desktops, servers, and mobile phones. Even with 1 GHz embedded processors, performing simple side-channel attacks on power consumption becomes an extremely complex task, requiring thousands of traces and a high-performance oscilloscope placed directly next to the processor. Such physical access to a server provides broader attack vectors anyway, such as simply connecting a probe to the memory bus.

Power side-channel attacks are typically considered impractical, except for highly sensitive applications. However, under specific circumstances, throttling can potentially turn an exceptionally potent power side-channel attack into a remote timing attack. It is important to note that the current situation is far from such an attack [33].

Moreover, this attack is neither particularly potent nor surprising. In practical terms, whether a masked implementation reveals its secrets is of little consequence in itself. The critical question is how difficult such attacks are to execute in real-world scenarios. Articles such as this one help manufacturers assess how many countermeasures are needed to make such attacks prohibitively expensive.

6. Protection measures

Minimizing the exposure of the application's secret key serves as the most effective defence against the majority of existing attacks. The attack becomes more challenging the fewer times the secret key is used. If a secret key is used only once, the attacker can run the message recovery attack only once. However, this approach may introduce other challenges, such as the need to generate a substantial number of secret keys or to eliminate long-lived secret keys altogether.

The success of the given attack relies on repeated execution of the decapsulation procedure. The attack can be hindered by limiting the number of decapsulations of the same ciphertext with a single secret key. It may be necessary to allow a few retries to accommodate occasional communication errors.

Alternatively, stronger defences against power analysis attacks, such as the proposed duplication with clock randomization, can be considered. This approach uses two identical cores, a main cryptographic core and a dummy cryptographic core, which together constitute the protected implementation. The cores use different private and public key pairs and run on two different random clocks while receiving identical input data. This technique offers several camouflage benefits, including fault immunity, zero clock-cycle overhead, universal coverage, and increased resistance to replay attacks.
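The two software-side limits just described, a small per-ciphertext decapsulation budget that still tolerates a few retransmissions and a cap on how many decapsulations one key pair may serve before it is rotated, as an added example that is not part of the paper. `DecapsGuard`, its limit values and `stand_in_decaps` are assumptions of this example; the latter merely stands in for Kyber.Decaps so the wrapper runs offline.

```python
"""Policy wrapper for a KEM decapsulation routine enforcing the two limits discussed in
Section 6: a small per-ciphertext replay budget (tolerating a few retransmissions) and a
total decapsulation budget per secret key, after which the key is retired.
Constructed for this example; `stand_in_decaps` replaces Kyber.Decaps and is not real Kyber."""
import hashlib

class DecapsGuard:
    """Counts decapsulations per (key, ciphertext) and per key before calling `decaps`.
    Counters are incremented before the call, so an interrupted decapsulation does not
    hand the attacker a free retry. The per-key budget also bounds attacker-crafted variants
    of one ciphertext (such as the rotated ciphertexts of Section 5), which are distinct
    ciphertexts and therefore escape the per-ciphertext counter. Because every entry in
    _per_ct costs one unit of the per-key budget, the tables stay bounded by max_total per key."""

    def __init__(self, decaps, max_per_ciphertext=2, max_total=10_000):
        self._decaps = decaps
        self.max_per_ciphertext = max_per_ciphertext
        self.max_total = max_total
        self._per_ct = {}       # (key_id, H(ct)) -> count
        self._total = {}        # key_id -> count
        self._retired = set()

    def decapsulate(self, key_id, sk, ct):
        """Returns (shared_key, "ok"), or (None, reason) when a limit is hit."""
        if key_id in self._retired:
            return None, "key retired: rotate the KEM key pair"
        ct_id = (key_id, hashlib.sha3_256(ct).digest())
        if self._per_ct.get(ct_id, 0) >= self.max_per_ciphertext:
            return None, "ciphertext replay limit reached"
        if self._total.get(key_id, 0) >= self.max_total:
            self._retired.add(key_id)
            return None, "key retired: rotate the KEM key pair"
        self._per_ct[ct_id] = self._per_ct.get(ct_id, 0) + 1
        self._total[key_id] = self._total.get(key_id, 0) + 1
        return self._decaps(sk, ct), "ok"

def stand_in_decaps(sk, ct):
    """Placeholder for Kyber.Decaps (constructed): any deterministic function of (sk, ct)."""
    return hashlib.shake_256(sk + ct).digest(32)

if __name__ == "__main__":
    guard = DecapsGuard(stand_in_decaps, max_per_ciphertext=2, max_total=3)
    sk, ct = b"constructed sk", b"constructed ciphertext A"
    print(guard.decapsulate("key-1", sk, ct)[1])     # ok
    print(guard.decapsulate("key-1", sk, ct)[1])     # ok (one retransmission allowed)
    print(guard.decapsulate("key-1", sk, ct)[1])     # ciphertext replay limit reached
    print(guard.decapsulate("key-1", sk, b"B")[1])   # ok, and the key's budget is now used up
    print(guard.decapsulate("key-1", sk, b"C")[1])   # key retired: rotate the KEM key pair
```

The per-ciphertext limit stops the repeated-decapsulation strategy that the multi-trace attack depends on, while the per-key budget is what actually bounds the 150,000-trace profiling scenario: a key that serves at most a few thousand decapsulations can never yield that many traces, so the attacker is pushed back to the low single-trace success rates quoted above.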
7. Conclusions

Because of the increased power of AI technologies, the CRYSTALS-Kyber key encapsulation mechanism faces increasing challenges from sophisticated side-channel attacks. Recent research reveals vulnerabilities even in environments with strong security measures, highlighting the necessity for ongoing defensive improvements. Essential countermeasures to bolster cryptographic systems include masking and shuffling. As we transition into the post-quantum era, evaluating algorithms for both mathematical robustness and resistance to implementation attacks becomes crucial.

Rather than completely breaking a new encryption system, AI serves as a valuable tool for handling noisy data and detecting implementation weaknesses. There is a fundamental difference between a power side-channel attack and a direct cryptographic break. The actual attack is based on a surprisingly small number of traces; moreover, extremely noisy traces can still be used effectively for deep learning training. An intriguing aspect of this debate is the limited availability of feasible, simple, affordable, and effective defences against power side-channel attacks. We plan to improve the existing scheme using the recommendations provided here.

Acknowledgments

This work was supported by Shota Rustaveli National Science Foundation of Georgia (SRNSF) [STEM-22-1076].

References

[1] D. Aggarwal, U. Maurer, Breaking RSA Generically is Equivalent to Factoring, in: Advances in Cryptology, EUROCRYPT 2009: 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques (2009).
[2] D. R. L. Brown, Breaking RSA May Be as Difficult as Factoring, J. Cryptology 29 (2016) 220–241. doi:10.1007/s00145-014-9192-y.
[3] M. Sharma, et al., Leveraging the Power of Quantum Computing for Breaking RSA Encryption, Cyber-Physical Systems 7(2) (2021) 73–92.
[4] R. Avanzi, et al., CRYSTALS-Kyber, NIST, Tech. Rep. (2017).
[5] E. Dubrova, et al., Breaking a Fifth-Order Masked Implementation of CRYSTALS-Kyber by Copy-Paste, in: 10th ACM Asia Public-Key Cryptography Workshop (2023).
[6] F.-X. Standaert, Introduction to Side-Channel Attacks, in: Secure Integrated Circuits and Systems (2010) 27–42.
[7] M. Randolph, W. Diehl, Power Side-Channel Attack Analysis: A Review of 20 Years of Study for the Layman, Cryptography 4(2) (2020).
[8] O. Mykhaylova, et al., Person-of-Interest Detection on Mobile Forensics Data—AI-Driven Roadmap, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems, CPITS, vol. 3654 (2024) 239–251.
[9] J. Bos, et al., CRYSTALS-Kyber: a CCA-Secure Module-Lattice-based KEM, in: IEEE European Symposium on Security and Privacy (EuroS&P) (2018).
[10] W. Guo, S. Li, L. Kong, An Efficient Implementation of Kyber, IEEE Transactions on Circuits and Systems II: Express Briefs 69(3) (2021) 1562–1566.
[11] A. Bessalov, V. Sokolov, S. Abramov, Efficient Commutative PQC Algorithms on Isogenies of Edwards Curves, Cryptography 8(3), iss. 38 (2024) 1–17. doi:10.3390/cryptography8030038.
[12] A. Bessalov, et al., Modeling CSIKE Algorithm on Non-Cyclic Edwards Curves, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems, vol. 3288 (2022) 1–10.
[13] A. Bessalov, et al., Implementation of the CSIDH Algorithm Model on Supersingular Twisted and Quadratic Edwards Curves, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems, vol. 3187, no. 1 (2022) 302–309.
[14] M. Iavich, et al., Use of Content-Filtering Method for Hardware Vulnerabilities Identification System, in: IEEE 4th International Conference on Advanced Information and Communication Technologies (AICT) (2021).
[15] R. Megrelishvili, et al., Post-Quantum Key Exchange Protocol using High Dimensional Matrix, in: International Conference on Information Technologies, vol. 2145 (2018) 83–87.
[16] Z.-D. Zhang, et al., Study on the Convective Heat Transfer Characteristics of Supercritical CO2 in Mini-Channels under Unilateral Heating Conditions for Application in a Compact Solar Receiver, Int. J. Heat Mass Transfer 219 (2024) 124839.
[17] M. Iavich, et al., Lattice based Merkle, in: International Conference on Information Technologies, vol. 2470 (2019) 13–16.
[18] V. Kharchenko, I. Chyrka, Detection of Airplanes on the Ground using YOLO Neural Network, in: International Conference on Mathematical Methods in Electromagnetic Theory (2018) 294–297.
[19] A. Bessalov, et al., Multifunctional CRS Encryption Scheme on Isogenies of Non-Supersingular Edwards Curves, in: Workshop on Classic, Quantum, and Post-Quantum Cryptography, vol. 3504 (2023) 12–25.
[20] O. Solomentsev, M. Zaliskyi, Method of Sequential Estimation of Statistical Distribution Parameters in Control Systems Design, in: IEEE 3rd International Conference on Methods and Systems of Navigation and Motion Control (2014) 135–138.
[21] S. Tynymbayev, et al., Modular Reduction based on the Divider by Blocking Negative Remainders, News of the National Academy of Sciences of the Republic of Kazakhstan, Series of Geology and Technical Sciences 2(434) (2019) 238–248. doi:10.32014/2019.2518-170x.60.
[22] S. Gnatyuk, et al., New Secure Block Cipher for Critical Applications: Design, Implementation, Speed and Security Analysis, Advances in Intelligent Systems and Computing (2020) 93–104.
[23] A. Celik, et al., Implementation of CRYSTALS-Kyber Post-Quantum Algorithm using RISC-V Processor, in: 30th IEEE International Conference on Electronics, Circuits and Systems (ICECS) (2023) 1–4.
[24] A. Bessalov, et al., Modeling CSIKE Algorithm on Non-Cyclic Edwards Curves, in: Cybersecurity Providing in Information and Telecommunication Systems, vol. 3288 (2022) 1–10.
[25] S. Gnatyuk, et al., Method of Algorithm Building for Modular Reducing by Irreducible Polynomial, in: 16th International Conference on Control, Automation and Systems (2016) 1476–1479. doi:10.1109/iccas.2016.7832498.
[26] A.
Bessalov, et al., Implementation of the CSIDH Algorithm Model on Supersingular Twisted and Quadratic Edwards Curves, in: Cybersecurity Providing in Information and Telecommunication Systems, vol. 3187 (2022) 302–309. [27] O. Solomentsev, et al., Sequential Procedure of Changepoint Analysis during Operational Data Processing, in: IEEE Workshop on Microwave Theory and Techniques in Wireless Communications (2020) 168–171. [28] S. Jendral, et al., Breaking SCA-Protected CRYSTALS- Kyber with a Single Trace, IEEE International Symposium on Hardware Oriented Security and Trust (HOST) (2024) 70–73. [29] C. Papamanthou, et al., Streaming Authenticated Data Structures, Advances in Cryptology—EUROCRYPT (2013) 353–370. doi: 10.1007/978-3-642-38348-9_22. [30] A. Bessalov, et al., CSIKE-ENC Combined Encryption Scheme with Optimized Degrees of Isogeny Distribution, in: Cybersecurity Providing in Information and Telecommunication Systems, vol. 3421 (2023) 36–45. [31] Y. Ji, etb al., A Side-Channel Attack on a Hardware Implementation of CRYSTALS-Kyber, IEEE European Test Symposium (ETS) (2023) 1–5. [32] D. S. Hegde, et al, Rapid Prototyping of CRYSTALS- Kyber Primitives on FPGA using Python-only HW- SW Flow, 28th International Symposium on VLSI Design and Test (VDAT) (2024) 1–6. [33] J. Zhang et al., Super-K: A Superscalar CRYSTALS- KYBER Processor based on Efficient Arithmetic Array, IEEE Transactions on Circuits and Systems II: Express Briefs, 71(9) (2024) 4286–4290. doi: 10.1109/ TCSII.2024.3382772. 349
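Worked example, added to this page and not part of the paper or of any Kyber implementation: a toy leakage assessment that contrasts a single unprotected core with the duplication by clock randomization countermeasure described before the Conclusions (two identical cores, different key pairs, identical input data, two independent random clocks). The assessment is the standard fixed-versus-random Welch's t-test used in TVLA-style evaluations, with the usual |t| > 4.5 threshold. Everything in the model is a constructed assumption: each core leaks the Hamming weight of one intermediate byte (input XOR key byte) at one sample of a synthetic trace, the random clock is modelled as a random sample offset, the two cores' consumption adds, and noise is Gaussian. The key bytes, trace length, jitter range and noise level are invented parameters, not values from the paper.

```python
"""Toy fixed-vs-random leakage assessment of a duplicated, clock-randomised design.

Added example, not from the paper. The leakage model, keys and parameters below
are constructed assumptions chosen only to illustrate the countermeasure.
"""
import math
import random
import statistics

TRACE_LEN = 48       # samples per synthetic trace (assumed)
T0 = 16              # sample at which the unprotected core performs the leaky operation
JITTER = 16          # random clock modelled as an offset in 0..JITTER-1 samples (assumed)
NOISE_SIGMA = 1.0    # Gaussian measurement noise (assumed)
KEY_MAIN = 0xFE      # constructed key byte of the main cryptographic core
KEY_DUMMY = 0x0F     # constructed, different key byte of the dummy core
FIXED_INPUT = 0x00   # input used for the "fixed" class of the t-test
TVLA_THRESHOLD = 4.5 # conventional |t| threshold for declaring a leak


def hamming_weight(x: int) -> int:
    """Hamming weight of one byte: the usual first-order power model."""
    return bin(x & 0xFF).count("1")


def unprotected_trace(data: int, rng: random.Random) -> list:
    """Single core: leaks HW(data XOR key) at a fixed, predictable sample."""
    trace = [rng.gauss(0.0, NOISE_SIGMA) for _ in range(TRACE_LEN)]
    trace[T0] += hamming_weight(data ^ KEY_MAIN)
    return trace


def duplicated_random_clock_trace(data: int, rng: random.Random) -> list:
    """Protected realisation (simplified model): main core and dummy core receive
    the same input, use different keys, and each runs on its own random clock,
    so their leaky operations land at independent random offsets. The measured
    trace is the sum of both cores' consumption plus noise."""
    trace = [rng.gauss(0.0, NOISE_SIGMA) for _ in range(TRACE_LEN)]
    offset_main = rng.randrange(JITTER)
    offset_dummy = rng.randrange(JITTER)
    trace[T0 + offset_main] += hamming_weight(data ^ KEY_MAIN)
    trace[T0 + offset_dummy] += hamming_weight(data ^ KEY_DUMMY)
    return trace


def welch_t(a: list, b: list) -> float:
    """Welch's t statistic for two independent samples of unequal variance."""
    va, vb = statistics.variance(a), statistics.variance(b)
    return (statistics.mean(a) - statistics.mean(b)) / math.sqrt(va / len(a) + vb / len(b))


def max_abs_t(trace_fn, n_per_class: int = 400, seed: int = 1) -> float:
    """TVLA-style assessment: t-test at every sample point between traces with a
    fixed input and traces with random inputs; return the largest |t| seen."""
    rng = random.Random(seed)
    fixed = [trace_fn(FIXED_INPUT, rng) for _ in range(n_per_class)]
    rand = [trace_fn(rng.randrange(256), rng) for _ in range(n_per_class)]
    return max(
        abs(welch_t([tr[i] for tr in fixed], [tr[i] for tr in rand]))
        for i in range(TRACE_LEN)
    )


def compare(seed: int = 1) -> dict:
    """Run the same assessment against both designs with the same seed."""
    return {
        "unprotected": max_abs_t(unprotected_trace, seed=seed),
        "duplicated_random_clock": max_abs_t(duplicated_random_clock_trace, seed=seed),
    }


if __name__ == "__main__":
    for name, t in compare().items():
        verdict = "LEAK" if t > TVLA_THRESHOLD else "below threshold"
        print(f"{name:24s} max|t| = {t:6.2f}  ({verdict})")
```

Running the script shows a very large |t| at sample T0 for the unprotected core, while for the duplicated design the same statistic falls by an order of magnitude because the leakage is spread over the jitter window and diluted by the dummy core's consumption. It does not fall to zero: in this model the leakage is dispersed rather than removed, which is exactly why an evaluator still runs such an assessment on the protected design (and, in practice, with realignment attempts and far more traces) before trusting it.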