Side-Channel Leakage Assessment of SMAUG-T: Exploiting Hamming Weight Patterns in Polynomial-to-Message Conversion
摘要
We evaluate the power side-channel leakage of the lattice-based KEM SMAUG-T, focusing on the polynomial-to-message conversion. Under identical STM32F4 conditions, leakage metrics significantly exceed standard thresholds: TVLA \(|t|=41.07\) , \(SNR=8.96\) , and CPA correlation \(|\rho |=0.934\) . The root cause is the sequential byte-wise construction with repeated STRB stores, which produces a cumulative Hamming-weight “staircase” signature. A parallel evaluation of ML-KEM under identical experimental conditions confirms the same vulnerability pattern, with peak \(SNR=8.21\) and \(|\rho |=0.91\) , showing that this is a systematic issue rather than scheme-specific. Our practical attack exploits this leakage using a lightweight MLP classifier, achieving 95.8% single-byte accuracy with 13k traces and 99.7% accuracy with 256k traces. We further outline deployment-oriented countermeasures: single-write byte assembly, randomized bit-ordering, first-order Boolean masking, and temporal hiding with power balancing. Eliminating repeated stores alone already reduces correlations substantially. These findings highlight a fundamental cumulative Hamming-weight vulnerability in lattice-based KEM implementations and provide concrete guidance for robust deployment.