Fault-Injection Attacks Against NIST’s Post-Quantum Cryptography Round 3 KEM Candidates

Xagawa, Keita; Ito, Akira; Ueno, Rei; Takahashi, Jun; Homma, Naofumi

doi:10.1007/978-3-030-92075-3_2

Cited by 21 publications

(15 citation statements)

References 58 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…has similar query complexity as the attacks in [29] and [11], it is different to mitigate than the one previous SIDH fault attack, known as Ti's attack [25], can be combined with the side-channel attack in [26] to achieve full key recovery in SIKE.…”

Section: Discussionmentioning

confidence: 99%

“…Nevertheless, the new attack in this paper and the ones from [26] and [29] use valid public keys such that R = (P − Q ) always holds, and thus our attack is completely immune to Tasso et al's countermeasure and any other variant of it.…”

Section: Instances E3mentioning

confidence: 96%

“…The faults were injected by clock glitching, which forced the ChipWhisperer card to skip an instruction. In [29], the authors report a instruction-skipping generic fault attack that targets all NIST PQC Round 3 KEM candidates including SIKE. The attack was executed on a ChipWhisperer cw308 UFO base-board, which permits faultinjection attacks using clock glitching.…”

Section: Instances E3mentioning

confidence: 99%

“…It is conceivable that we can adapt the attacks of [2,29] to our setting, but in our case we should rather focus on perturbing the memory locations where the imaginary parts of the coefficient A are stored.…”

Section: Instances E3mentioning

confidence: 99%

“…Generic fault injection and side-channel attacks against the Fujisaki-Okamotobased key encapsulation mechanism were presented in [29,26]. In [26, §4.3], the authors applied the attack of [11] to SIKE.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Faulty isogenies: a new kind of leakage

Adj¹,

Chi-Domínguez²,

Mateu³

et al. 2022

Preprint

View full text Add to dashboard Cite

In SIDH and SIKE protocols, public keys are defined over quadratic extensions of prime fields. We present in this work a projective invariant property characterizing affine Montgomery curves defined over prime fields. We then force a secret 3-isogeny chain to repeatedly pass through a curve defined over a prime field in order to exploit the new property and inject zeros in the A-coefficient of an intermediate curve to successfully recover the isogeny chain one step at a time. Our results introduce a new kind of fault attacks applicable to SIDH and SIKE.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Instances E3mentioning

confidence: 96%

Section: Instances E3mentioning

confidence: 99%

Section: Instances E3mentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Faulty isogenies: a new kind of leakage

Adj¹,

Chi-Domínguez²,

Mateu³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

A Systematic Approach and Analysis of Key Mismatch Attacks on Lattice-Based NIST Candidate KEMs

Qin¹,

Zhang²,

Pan³

et al. 2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Fault-Enabled Chosen-Ciphertext Attacks on Kyber

Hermelink¹,

Pessl²,

Pöppelmann³

2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

NIST's PQC standardization process is in the third round, and a first final choice between one of three remaining lattice-based keyencapsulation mechanisms is expected by the end of 2021. This makes studying the implementation-security aspect of the candidates a pressing matter. However, while the development of side-channel attacks and corresponding countermeasures has seen continuous interest, fault attacks are still a vastly underdeveloped field. In fact, a first practical fault attack on lattice-based KEMs was demonstrated just very recently by Pessl and Prokop. However, while their attack can bypass some standard fault countermeasures, it may be defeated using shuffling, and their use of skipping faults makes it also highly implementation dependent. Thus, the vulnerability of implementations against fault attacks and the concrete need for countermeasures is still not well understood. In this work, we shine light on this problem and demonstrate new attack paths. Concretely, we show that the combination of fault injections with chosen-ciphertext attacks is a significant threat to implementations and can bypass several countermeasures. We state an attack on Kyber which combines ciphertext manipulation-flipping a single bit of an otherwise valid ciphertext-with a fault that "corrects" the ciphertext again during decapsulation. By then using the Fujisaki-Okamoto transform as an oracle, i.e., observing whether or not decapsulation fails, we derive inequalities involving secret data, from which we may recover the private key. Our attack is not defeated by many standard countermeasures such as shuffling in time or Boolean masking, and the fault may be introduced over a large execution-time interval at several places. In addition, we improve a known recovery technique to efficiently and practically recover the secret key from a smaller number of inequalities compared to the previous method.

show abstract

Fault-Injection Attacks Against NIST’s Post-Quantum Cryptography Round 3 KEM Candidates

Cited by 21 publications

References 58 publications

Faulty isogenies: a new kind of leakage

Faulty isogenies: a new kind of leakage

A Systematic Approach and Analysis of Key Mismatch Attacks on Lattice-Based NIST Candidate KEMs

Fault-Enabled Chosen-Ciphertext Attacks on Kyber

Contact Info

Product

Resources

About