Paper 2018/211

Number "Not Used" Once - Practical fault attack on pqm4 implementations of NIST candidates

Prasanna Ravi, Debapriya Basu Roy, Shivam Bhasin, Anupam Chattopadhyay, and Debdeep Mukhopadhyay

Abstract

In this paper, we demonstrate practical fault attacks on a number of lattice-based schemes, in particular NewHope, Kyber, Frodo and Dilithium, which are based on the hardness of the Learning with Errors (LWE) problem. One common trait of all the considered LWE schemes is the use of nonces as domain separators when sampling the secret components of the LWE instance. We show that simple faults targeting the usage of the nonce can result in a nonce-reuse scenario which allows key recovery and message recovery attacks. To the best of our knowledge, we propose the first practical fault attack on lattice-based key encapsulation schemes secure in the CCA model. We experimentally validate our attack using electromagnetic fault injection on reference implementations of the aforementioned schemes taken from the pqm4 library, a benchmarking and testing framework for post-quantum cryptographic implementations on the ARM Cortex-M4. We use the instruction-skip fault model, which is very practical and popular against microcontroller-based implementations. Our attack requires injecting only a few faults (fewer than 10 for the recommended parameter sets) and can be repeated with 100% accuracy using our electromagnetic fault injection setup.

Note: The paper is being revised with new content added.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint.
Keywords
Lattice-based cryptography, fault attacks, nonce reuse, key exchange schemes, Kyber, NewHope, Dilithium, Frodo
Contact author(s)
PRASANNA RAVI @ ntu edu sg
History
2019-03-13: last of 3 revisions
2018-02-26: received
Short URL
https://ia.cr/2018/211
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2018/211,
      author = {Prasanna Ravi and Debapriya Basu Roy and Shivam Bhasin and Anupam Chattopadhyay and Debdeep Mukhopadhyay},
      title = {Number "Not Used" Once - Practical fault attack on pqm4 implementations of {NIST} candidates},
      howpublished = {Cryptology {ePrint} Archive, Paper 2018/211},
      year = {2018},
      url = {https://eprint.iacr.org/2018/211}
}