Enhanced Key Mismatch Attacks on Lattice-Based KEMs: Multi-bit Inference and Ciphertext Generalization
摘要
Key Mismatch Attacks (KMA) pose a significant threat to lattice-based key encapsulation mechanisms (KEMs), such as CRYSTALS-Kyber (Kyber), standardized as NIST FIPS 203. Despite advancements in KMA, including multi-positional strategies and enhanced oracles like the Multi-Value Key Mismatch Oracle (MV-KMO), existing methods suffer from high query counts and detectable ciphertexts, limiting their practicality. This paper proposes techniques to enhance KMA efficiency and stealth against Kyber and Saber. First, for CPA-secure KEMs, we propose a multi-bit inference strategy that uses crafted ciphertexts to extract information about multiple private key coefficients per Key Mismatch Oracle (KMO) query, reducing the required queries for Kyber1024 from 2368 to 2268 and for FireSaber from 2623 to 2571. Second, for CCA-secure KEMs, we present a minimal-query KMA method leveraging the Hamming Weight Incremental (HWI) leakage model to recover the full decapsulated message, thereby reducing queries from 2176 to 12 for Kyber1024 and from 2433 to 16 for FireSaber. Third, we develop a stealthy KMA variant for CCA-secure KEMs that reconstructs the noise vector to recover the private key, generating ciphertexts statistically indistinguishable from legitimate ones, as confirmed by entropy and Kullback-Leibler (KL) divergence analyses. These advancements improve KMA performance and covertness, revealing critical vulnerabilities in lattice-based KEMs and informing future cryptographic defenses.