An Improved Two-Step Attack on Lattice-Based Cryptography: A Case Study of Kyber

📅 2024-07-09
🏛️ IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems
🤖 AI Summary
Following NIST's standardization of the Kyber post-quantum key encapsulation mechanism (KEM), its physical security, in particular its resistance to side-channel attacks, remains insufficiently evaluated. Method: this work proposes an efficient lattice-assisted side-channel attack. First, the authors design an enhanced correlation power analysis (CPA) that combines the Pearson and Kendall rank correlation coefficients with a customized leakage model, enabling high-precision recovery of part of the secret key from at most 15 power traces. Second, they establish a two-stage key-recovery framework that feeds the CPA results into lattice basis reduction (LBR), augmented by trial-and-error validation, to fully recover the secret vector **s** for Kyber-512/768/1024. Results: evaluated on an ARM Cortex-M4 platform, the attack completes in 9–10 minutes, significantly outperforming prior physical attacks. Key contributions: (i) the first CPA variant that fuses two rank correlation metrics; and (ii) a tightly integrated side-channel/lattice attack paradigm that substantially reduces both the trace count and the runtime.

📝 Abstract
After three rounds of strict post-quantum cryptography (PQC) evaluations conducted by NIST, CRYSTALS-Kyber was successfully selected in July 2022 and standardized in August 2024. It becomes urgent to further evaluate Kyber's physical security for the upcoming deployment phase. In this brief, we present an improved two-step attack on Kyber to quickly recover the full secret key, s, using much fewer power traces and less time. In the first step, we use correlation power analysis (CPA) to obtain a portion of the guessed values of s from a small number of power traces. The CPA is enhanced by utilizing both Pearson's and Kendall's rank correlation coefficients and by modifying the leakage model to improve the accuracy. In the second step, we adopt a lattice attack to recover s based on the results of the CPA. The success rate is largely built up by constructing a trial-and-error method. We deploy the reference implementations of Kyber-512, -768, and -1024 on an ARM Cortex-M4 target board and successfully recover s in approximately 9–10 minutes with at most 15 power traces, using a Xeon Gold 6342-equipped machine for the attack.
Problem

Research questions and friction points this paper is trying to address.

Improved two-step attack on Kyber's physical security
Recover full secret key with fewer power traces
Enhance CPA using Pearson and Kendall's coefficients
Innovation

Methods, ideas, or system contributions that make the work stand out.

Enhanced CPA with dual correlation coefficients
Lattice attack with trial-and-error method
Efficient key recovery using minimal power traces