Fault Attacks on CCA-secure Lattice KEMs

Pessl, Peter; Prokop, Lukáš

doi:10.46586/tches.v2021.i2.37-60

Cited by 26 publications

(40 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A second, more acute problem with the solver from the IndoCrypt paper is that all inequalities are assumed to be correct, but fault-injection setups that supposedly provide these inequalities are not perfectly reliable. Based on a previous report by Pessl and Prokop [PP21a], a 1% error rate is yet to be exceeded. We alter the algorithm such that at least 25% of the inequalities can be incorrect.…”

Section: Contributionsmentioning

confidence: 99%

Roulette: A Diverse Family of Feasible Fault Attacks on Masked Kyber

Delvaux

2022

TCHES

View full text Add to dashboard Cite

At Indocrypt 2021, Hermelink, Pessl, and Pöppelmann presented a fault attack against Kyber in which a system of linear inequalities over the private key is generated and solved. The attack requires a laser and is, understandably, demonstrated with simulations—not actual equipment. We facilitate and diversify the attack in four ways, thereby admitting cheaper and more forgiving fault-injection setups. Firstly, the attack surface is enlarged: originally, the two input operands of the ciphertext comparison are covered, and we additionally cover re-encryption modules such as binomial sampling and butterflies in the last layer of the inverse numbertheoretic transform (INTT). This extra surface also allows an attacker to bypass the custom countermeasure that was proposed in the Indocrypt paper. Secondly, the fault model is relaxed: originally, precise bit flips are required, and we additionally support set-to-0 faults, random faults, arbitrary bit flips, and instruction skips. Thirdly, masking and blinding methods that randomize intermediate variables kindly help our attack, whereas the IndoCrypt attack is like most other fault attacks either hindered or unaltered by countermeasures against passive side-channel analysis (SCA). Randomization helps because we randomly fault intermediate prime-field elements until a desired set of values is hit. If these prime-field elements are represented on a circle, which is a common visualization, our attack is analogous to spinning a roulette wheel until the ball lands in a desired set of pockets. Hence, the nickname. Fourthly, we accelerate and improve the error tolerance of solving the system of linear inequalities: run times of roughly 100 minutes are reduced to roughly one minute, and inequality error rates of roughly 1% are relaxed to roughly 25%. Benefiting from the four advances above, we use a reasonably priced ChipWhisperer® board to break a masked implementation of Kyber running on an ARM Cortex-M4 through clock glitching.

show abstract

Section: Contributionsmentioning

confidence: 99%

Roulette: A Diverse Family of Feasible Fault Attacks on Masked Kyber

Delvaux

2022

TCHES

View full text Add to dashboard Cite

show abstract

“…Recently, [PP21] and [HPP21] presented fault attacks on several CCA-secure latticebased KEMs, including Kyber. Their attacks can be classified as safe-error attacks [YJ00] in that they inject a specific fault and then observe if decapsulation still returns the correct result.…”

Section: Attack Descriptionmentioning

confidence: 99%

Higher-Order Masked Ciphertext Comparison for Lattice-Based Cryptography

D’Anvers

Heinz

Pessl

et al. 2022

TCHES

Self Cite

View full text Add to dashboard Cite

Checking the equality of two arrays is a crucial building block of the Fujisaki-Okamoto transformation, and as such it is used in several post-quantum key encapsulation mechanisms including Kyber and Saber. While this comparison operation is easy to perform in a black box setting, it is hard to efficiently protect against side-channel attacks. For instance, the hash-based method by Oder et al. is limited to first-order masking, a higher-order method by Bache et al. was shown to be flawed, and a very recent higher-order technique by Bos et al. suffers in runtime. In this paper, we first demonstrate that the hash-based approach, and likely many similar first-order techniques, succumb to a relatively simple side-channel collision attack. We can successfully recover a Kyber512 key using just 6000 traces. While this does not break the security claims, it does show the need for efficient higher-order methods. We then present a new higher-order masked comparison algorithm based on the (insecure) higher-order method of Bache et al. Our new method is 4.2x, resp. 7.5x, faster than the method of Bos et al. for a 2nd, resp. 3rd, -order masking on the ARM Cortex-M4, and unlike the method of Bache et al., the new technique takes ciphertext compression into account. We prove correctness, security, and masking security in detail and provide performance numbers for 2nd and 3rd-order implementations. Finally, we verify our the side-channel security of our implementation using the test vector leakage assessment (TVLA) methodology.

show abstract

“…[18], [19], [20], [21], [22], [23], [24], [25], [26], [27], [28], [29] and fault attacks e.g. [30], [31], [32], [33], [34], [35], [36], [37], [5], [38] have been demonstrated by the research community on PQC schemes. These include cache attacks, power and EM side-channels, EM and laser injections, clock-glitches and the Rowhammer attack.…”

Section: Introductionmentioning

confidence: 99%

Signature Correction Attack on Dilithium Signature Scheme

Islam¹,

Mus²,

Singh³

et al. 2022

Preprint

View full text Add to dashboard Cite

Motivated by the rise of quantum computers, existing public-key cryptosystems are expected to be replaced by post-quantum schemes in the next decade in billions of devices. To facilitate the transition, NIST is running a standardization process which is currently in its final Round. Only three digital signature schemes are left in the competition, among which Dilithium and Falcon are the ones based on lattices. Besides security and performance, significant attention has been given to resistance against implementation attacks that target side-channel leakage or fault injection response. Classical fault attacks on signature schemes make use of pairs of faulty and correct signatures to recover the secret key which only works on deterministic schemes. To counter such attacks, Dilithium offers a randomized version which makes each signature unique, even when signing identical messages.In this work, we introduce a novel Signature Correction Attack which not only applies to the deterministic version but also to the randomized version of Dilithium and is effective even on constant-time implementations using AVX2 instructions. The Signature Correction Attack exploits the mathematical structure of Dilithium to recover the secret key bits by using faulty signatures and the public-key. It can work for any fault mechanism which can induce single bitflips. For demonstration, we are using Rowhammer induced faults. Thus, our attack does not require any physical access or special privileges, and hence could be also implemented on shared cloud servers. Using Rowhammer attack, we inject bit flips into the secret key s1 of Dilithium, which results in incorrect signatures being generated by the singing algorithm. Since we can find the correct signature using our Signature Correction algorithm, we can use the difference between the correct and incorrect signatures to infer the location and value of the flipped bit without needing a correct and faulty pair. To quantify the reduction in the security level, we perform a thorough classical and quantum security analysis of Dilithium and successfully recover 1,851 bits out of 3,072 bits of secret key s1 for security level 2. Fully recovered bits are used to reduce the dimension of the lattice whereas partially recovered coefficients are used to to reduce the norm of the secret key coefficients. Further analysis for both primal and dual attacks shows that the lattice strength against quantum attackers is reduced from 2 128 to 2 81 while the strength against classical attackers is reduced from 2 141 to 2 89 . Hence, the Signature Correction Attack may be employed to achieve a practical attack on Dilithium (security level 2) as proposed in Round 3 of the NIST post-quantum standardization process.

show abstract

Fault Attacks on CCA-secure Lattice KEMs

Cited by 26 publications

References 13 publications

Roulette: A Diverse Family of Feasible Fault Attacks on Masked Kyber

Roulette: A Diverse Family of Feasible Fault Attacks on Masked Kyber

Higher-Order Masked Ciphertext Comparison for Lattice-Based Cryptography

Signature Correction Attack on Dilithium Signature Scheme

Contact Info

Product

Resources

About