Abstract

NIST’s post-quantum standardization effort very recently entered its final round. This makes studying the implementation-security aspect of the remaining candidates an increasingly important task, as such analyses can aid in the final selection process and enable appropriately secure wider deployment after standardization. However, lattice-based key-encapsulation mechanisms (KEMs), which are prominently represented among the finalists, have thus far received little attention when it comes to fault attacks.

Interestingly, many of these KEMs exhibit structural similarities. They can be seen as variants of the encryption scheme of Lyubashevsky, Peikert, and Rosen, and employ the Fujisaki-Okamoto transform (FO) to achieve CCA2 security. The latter involves re-encrypting a decrypted plaintext and testing the ciphertexts for equivalence. This corresponds to the classic countermeasure of computing the inverse operation and hence prevents many fault attacks.

In this work, we show that despite this inherent protection, practical fault attacks are still possible. We present an attack that requires a single instruction-skipping fault in the decoding process, which is run as part of the decapsulation. After observing if this fault actually changed the outcome (effective fault) or if the correct result is still returned (ineffective fault), we can set up a linear inequality involving the key coefficients. After gathering enough of these inequalities by faulting many decapsulations, we can solve for the key using a bespoke statistical solving approach. As our attack only requires distinguishing effective from ineffective faults, various detection-based countermeasures, including many forms of double execution, can be bypassed.

We apply this attack to Kyber and NewHope, both of which belong to the aforementioned class of schemes. Using fault simulations, we show that, e.g., 6,500 faulty decapsulations are required for full key recovery on Kyber512. To demonstrate practicality, we use clock glitches to attack Kyber running on a Cortex M4. As we argue that other schemes of this class, such as Saber, might also be susceptible, the presented attack clearly shows that one cannot rely on the FO transform’s fault deterrence and that proper countermeasures are still needed.
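The effective/ineffective mechanism the abstract describes, as an added Python model that is not the paper's code: an LPR-style scheme over a tiny ring is wrapped in an FO-style decapsulation, the attacker encapsulates a message of its own choice, faults one decoder coefficient, and learns from accept/reject the sign of one decryption-noise coefficient, which is a linear form in the secret (s, e) with coefficients the attacker can compute from the message. The ring size, modulus, the SHA-256-seeded PRNG standing in for the FO hash, and above all the modelled skipped instruction (the decoder's '+ q/4' centering add) are assumptions for illustration; the actual fault location in Kyber and NewHope, and the paper's statistical solver, are not reproduced here.

```python
"""Toy model of the effective/ineffective fault attack (added example, not
the paper's code).  Hypothetical choices: toy N, Q, ETA; a SHA-256-seeded
PRNG in place of the FO hash; and the skipped instruction is the decoder's
'+ Q/4' centering add.  The real fault location in Kyber/NewHope is the
paper's, not modelled here."""
import hashlib
import random

N, Q, ETA = 16, 3329, 2  # toy ring degree, Kyber-like modulus, CBD parameter

def poly_mul(a, b):
    """Schoolbook product in Z_Q[x]/(x^N + 1); x^N wraps with a sign flip."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                out[i + j] = (out[i + j] + ai * bj) % Q
            else:
                out[i + j - N] = (out[i + j - N] - ai * bj) % Q
    return out

def add(a, b): return [(x + y) % Q for x, y in zip(a, b)]
def sub(a, b): return [(x - y) % Q for x, y in zip(a, b)]
def centered(x): return x - Q if x > Q // 2 else x

def small_poly(rng):
    """Centered-binomial coefficients in [-ETA, ETA], stored mod Q."""
    return [(sum(rng.randint(0, 1) for _ in range(ETA))
             - sum(rng.randint(0, 1) for _ in range(ETA))) % Q for _ in range(N)]

def keygen(seed):
    rng = random.Random(seed)
    a = [rng.randrange(Q) for _ in range(N)]
    s, e = small_poly(rng), small_poly(rng)
    return (a, add(poly_mul(a, s), e)), (s, e)  # pk = (a, a*s + e), sk = (s, e)

def derive_randomness(m):
    """FO: the encryption randomness (r, e1, e2) is a deterministic function of m."""
    rng = random.Random(hashlib.sha256(bytes(m)).digest())
    return small_poly(rng), small_poly(rng), small_poly(rng)

def encrypt(pk, m):
    a, b = pk
    r, e1, e2 = derive_randomness(m)
    u = add(poly_mul(a, r), e1)
    v = add(add(poly_mul(b, r), e2), [bit * (Q // 2) for bit in m])  # + encode(m)
    return u, v

def decode_coeff(w, skip_offset=False):
    """Correct decoder: 1 iff w in [Q/4, 3Q/4).  With the hypothetical skipped
    '+ Q/4' instruction it tests the un-centered w >= Q/2 instead."""
    x = w if skip_offset else (w + Q // 4) % Q
    return 1 if x >= Q // 2 else 0

def decrypt(sk, ct, fault_idx=None):
    u, v = ct
    w = sub(v, poly_mul(sk[0], u))  # = encode(m) + (e*r - s*e1 + e2)
    return [decode_coeff(w[i], i == fault_idx) for i in range(N)]

def decaps(pk, sk, ct, fault_idx=None):
    """FO decapsulation: re-encrypt and compare; None models rejection."""
    m = decrypt(sk, ct, fault_idx)
    return m if encrypt(pk, m) == ct else None

def decryption_noise(pk, sk, m, i):
    """Ground truth (needs sk): coefficient i of w - encode(m), centered."""
    u, v = encrypt(pk, m)
    w = sub(v, poly_mul(sk[0], u))
    return centered((w[i] - m[i] * (Q // 2)) % Q)

def noise_linear_form(m, i):
    """Attacker side: noise coefficient i equals <c, (s || e)> + e2_i, with c
    computable from m alone since r, e1, e2 derive from m.  Returns (c, e2_i)."""
    r, e1, e2 = (list(map(centered, p)) for p in derive_randomness(m))
    sign = lambda j: 1 if j <= i else -1  # wrap-around through x^N = -1
    c_s = [-sign(j) * e1[(i - j) % N] for j in range(N)]  # from -s*e1
    c_e = [sign(j) * r[(i - j) % N] for j in range(N)]    # from  e*r
    return c_s + c_e, e2[i]

def observe(pk, sk, m, i):
    """One faulted decapsulation of the attacker's own encapsulation of m:
    True = ineffective (m still accepted), False = effective (rejected)."""
    return decaps(pk, sk, encrypt(pk, m), fault_idx=i) == m

def collect_inequalities(pk, sk, n_faults, seed=1):
    """Each observation gives one inequality: ineffective <=> <c, key> + b >= 0."""
    rng = random.Random(seed)
    ineqs = []
    for _ in range(n_faults):
        m, i = [rng.randint(0, 1) for _ in range(N)], rng.randrange(N)
        c, b = noise_linear_form(m, i)
        ineqs.append((c, b, observe(pk, sk, m, i)))
    return ineqs

def violations(ineqs, k):
    """Collected inequalities a candidate key vector k contradicts (true key: 0)."""
    return sum((sum(cj * kj for cj, kj in zip(c, k)) + b >= 0) != ineff
               for c, b, ineff in ineqs)
```

Each call to `observe` costs the attacker exactly one faulted decapsulation and returns only the accept/reject bit, which is why detection-only countermeasures such as double execution do not remove the leakage: the fault is either detected or had no effect, and both outcomes are informative. The inequalities returned by `collect_inequalities` are the input a solver would consume; `violations` is the objective it has to drive to zero, and the key vector here is the centered concatenation of s and e.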

Highlights

  • The search for quantum secure replacements of RSA and DLP-based cryptosystems is in full swing

  • We skip a single instruction in the decoder and observe if this fault leads to a decoding error and is detected by the re-encryption process, or if the correct plaintext is still computed despite the injected skip

  • Multiplication of polynomials a, b in some ring R is denoted as a · b or ab. (Coefficient-wise) sampling from a probability distribution is represented with ←, deterministic assignments with =, and equality tests with ==


Summary

Introduction

The search for quantum secure replacements of RSA and DLP-based cryptosystems is in full swing. Analyzing potential side-channel vulnerabilities and respective countermeasures is an important task, as stated by NIST. In this context, it is interesting that many lattice-based KEMs have lots of similarities, at least on higher abstraction levels. If the re-encrypted ciphertext does not match the received one, the plaintext (or shared key) is discarded. This re-encryption after decryption corresponds to computing an inverse operation and can be seen as an instance of a classic countermeasure against fault attacks. We skip a single instruction in the decoder and observe if this fault leads to a decoding error and is detected by the re-encryption process (effective fault), or if the correct plaintext is still computed despite the injected skip (ineffective fault). This single bit of information can be used to construct a linear inequality over the key.

Background
  LPR Public-Key Encryption
  Fujisaki-Okamoto Transform
  NewHope
  Masked Decoder
  Previous Fault Attacks on Lattice-based KEMs
Generic Attack Description
  On the Linearity of the Decryption Noise
  Fault Injection in Decoding
  Solving a System of Linear Inequalities
  Efficient Attack Implementation
Application to Kyber and NewHope
  Kyber using the Masked Decoder
Evaluation
  Number of Fault Injections
  Resource Requirements
Experimental Verification on an M4
  Attack Steps
  Results
Countermeasures and Future Work
  Countermeasures
  Future Work