Roulette: A Diverse Family of Feasible Fault Attacks on Masked Kyber

Delvaux, Jeroen

doi:10.46586/tches.v2022.i4.637-660

Cited by 8 publications

(36 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…We develop a novel solver to obtain the secret key from linear inequalities obtained from leakage. This solver improves upon the Belief Propagation approach, which has been the de-facto approach in prior works [PP21,HPP21,Del22]. Our solver is easier to understand, more efficient to run and can recover the secret key with less than 2× number of linear inequalities compared to the state-of-the-art.…”

Section: Our Contributionmentioning

confidence: 99%

Defeating Low-Cost Countermeasures against Side-Channel Attacks in Lattice-based Encryption

Ravi,

Paiva,

Jap

et al. 2024

TCHES

View full text Add to dashboard Cite

In an effort to circumvent the high cost of standard countermeasures against side-channel attacks in post-quantum cryptography, some works have developed low-cost detection-based countermeasures. These countermeasures try to detect maliciously generated input ciphertexts and react to them by discarding the ciphertext or secret key. In this work, we take a look at two previously proposed low-cost countermeasures: the ciphertext sanity check and the decapsulation failure check, and demonstrate successful attacks on these schemes. We show that the first countermeasure can be broken with little to no overhead, while the second countermeasure requires a more elaborate attack strategy that relies on valid chosen ciphertexts. Thus, in this work, we propose the first chosen-ciphertext based side-channel attack that only relies on valid ciphertexts for key recovery. As part of this attack, a third contribution of our paper is an improved solver that retrieves the secret key from linear inequalities constructed using side-channel leakage from the decryption procedure. Our solver is an improvement over the state-of-the-art Belief Propagation solvers by Pessl and Prokop, and later Delvaux. Our method is simpler, easier to understand and has lower computational complexity, while needing less than half the inequalities compared to previous methods.

show abstract

Section: Our Contributionmentioning

confidence: 99%

Defeating Low-Cost Countermeasures against Side-Channel Attacks in Lattice-based Encryption

Ravi,

Paiva,

Jap

et al. 2024

TCHES

View full text Add to dashboard Cite

show abstract

“…While this attack can be thwarted by shuffling the message decoding operation, Hermelink et al [HPP21] proposed an improved attack that can defeat the shuffling protection, but relies on a slightly stronger fault model of injecting targeted bit flip faults in memory. Delvaux [Del22] further improved the attack of Hermelink et al [HPP21] by expanding the attack surface to several operations within the decapsulation procedure, while also working with a variety of more relaxed fault models. However, their attack requires a tens to thousands of fault to recover the secret key, as they rely on weaker and relaxed fault models.…”

Section: Faulting the Decapsulation Proceduresmentioning

confidence: 99%

Fiddling the Twiddle Constants - Fault Injection Analysis of the Number Theoretic Transform

Ravi

Yang²,

Bhasin³

et al. 2023

TCHES

View full text Add to dashboard Cite

In this work, we present the first fault injection analysis of the Number Theoretic Transform (NTT). The NTT is an integral computation unit, widely used for polynomial multiplication in several structured lattice-based key encapsulation mechanisms (KEMs) and digital signature schemes. We identify a critical single fault vulnerability in the NTT, which severely reduces the entropy of its output. This in turn enables us to perform a wide-range of attacks applicable to lattice-based KEMs as well as signature schemes. In particular, we demonstrate novel key recovery and message recovery attacks targeting the key generation and encryption procedure of Kyber KEM. We also propose novel existential forgery attacks targeting deterministic and probabilistic signing procedure of Dilithium, followed by a novel verification bypass attack targeting its verification procedure. All proposed exploits are demonstrated with high success rate using electromagnetic fault injection on optimized implementations of Kyber and Dilithium, from the open-source pqm4 library on the ARM Cortex-M4 microcontroller. We also demonstrate that our proposed attacks are capable of bypassing concrete countermeasures against existing fault attacks on lattice-based KEMs and signature schemes. We believe our work motivates the need for more research towards development of countermeasures for the NTT against fault injection attacks.

show abstract

“…Проте введення точних одиночних помилок інверсії бітів у пам'яті потребує детальної інформації про цільовий пристрій, а також про реалізацію та розширене профілювання цільового пристрою. Нещодавно Del-vaux [25] покращив атаку [11]…”

Section: атаки відновлення ключа -обраний шифротекстunclassified

“…( ( ( )), ( ( ))) (1560, 60) ( ( ( )), ( ( ))) (957, 27) Хоча такий контрзахід здатний виявляти перекошені зашифровані тексти, обрані зашифровані тексти, що використовуються в Оракул_ЗР [6], а також ті, що використовуються в атаках помилками з обраним шифротекстом [11,24,25], є рівномірно випадковими. Це пояснюється тим, що подібні атаки передбачають додавання невеликих помилок до одного коефіцієнта дійсного зашифрованого тексту.…”

Section: захист від атак бічними каналами та помилками з обраним шифр...unclassified

“…Цей контрзахід ґрунтується на аналізі коефіцієнтів полінома зашумленого повідомлення () m v u s       , отриманого під час дешифрування отриманого зашифрованого тексту ct . Для дійсних зашифрованих текстів ми спостерігаємо, що коефіцієнти m розподіляються відповідно до дуже вузького розподілу Гауса поблизу 2 q до [] mi  через помилки, атаки [9,11,25] явно додають 4 q до цільового коефіцієнта дійсного зашифрованого тексту. Таким чином, усі ці атаки працюють шляхом прямого/опосередкованого додавання 4 q до одного з цільових коефіцієнтів полінома повідомлення [] mi  .…”

Section: захист від атак бічними каналами та помилками з обраним шифр...unclassified

See 1 more Smart Citation

Side-channel attacks on CRYSTALS-KYBER, countermeasures and comparison with SKELYA (DSTU 8961-2019)

Derevianko,

Gorbenko

2023

View full text Add to dashboard Cite

Although the mathematical problems used in post-quantum cryptography algorithms appear to be mathematically secure, a class of attacks known as side-channel attacks may prove to be a threat to the security of such algorithms. Side-channel attacks affect the hardware on which the cryptographic algorithm runs, they are not attacks on the algorithm itself. The good news is that side-channel analysis on new post-quantum cryptographic algorithms started early, even before the algorithms were standardized, given that older algorithms still face side-channel problems. Kyber is a lattice-based post-quantum algorithm based on the complexity of the M-LWE problem. Kyber offers a secure public key encryption (PKE) scheme against a chosen plaintext attack (CPA) and a secure key encapsulation mechanism against a chosen ciphertext attack (CCA). This paper provides a study of side-channel and fault-injection attacks on lattice-based schemes, with focus on the Kyber (KEM). Considering the wide range of known attacks, the protection of the algorithm requires the implementation of individual countermeasures. The paper presents and tests a number of countermeasures capable of providing/improving protection against existing SCA/FIA for Kyber KEM. The obtained results show that the presented countermeasures incur a reasonable performance cost. Therefore, the use of special countermeasures in real implementations of lattice-based schemes, either alone or as an augmentation of general countermeasures, is necessary.

show abstract

Roulette: A Diverse Family of Feasible Fault Attacks on Masked Kyber

Cited by 8 publications

References 12 publications

Defeating Low-Cost Countermeasures against Side-Channel Attacks in Lattice-based Encryption

Defeating Low-Cost Countermeasures against Side-Channel Attacks in Lattice-based Encryption

Fiddling the Twiddle Constants - Fault Injection Analysis of the Number Theoretic Transform

Side-channel attacks on CRYSTALS-KYBER, countermeasures and comparison with SKELYA (DSTU 8961-2019)

Contact Info

Product

Resources

About