Cryptology ePrint Archive: Report 2018/211

Number "Not" Used Once - Key Recovery Fault Attacks on LWE Based Lattice Cryptographic Schemes

Prasanna Ravi and Shivam Bhasin and Anupam Chattopadhyay

Abstract: This paper proposes a simple single-bit-flip fault attack applicable to several LWE (Learning With Errors) based lattice schemes like KYBER, NEWHOPE, DILITHIUM and FRODO, which were submitted as proposals for the NIST call for standardisation of post-quantum cryptography. We have identified a vulnerability in the usage of the nonce during generation of the secret and error components in the key generation procedure. Our fault attack, based on a practical bit-flip model (a single bit flip to very few bit flips for the proposed parameter instantiations), enables us to retrieve the secret key from the public key in a trivial manner. We fault the nonce in order to maliciously use the same nonce to generate both the secret and error components, which turns the LWE instance into an exactly defined set of linear equations from which the secret can be trivially solved using Gaussian elimination.
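The mechanism described in the abstract, as an added worked example (this is not the authors' code or any of the submitted implementations): key generation computes t = A*s + e mod q, with s and e each derived from a PRF keyed by a seed and a nonce. If a fault makes the two nonces collide, e = s and the public key becomes t = (A + I) s, a square linear system that Gaussian elimination solves for s. Assumptions made here: a plain LWE toy over Z_q^n with n = 8 instead of the module/ring structure of the real schemes, q = 3329 (Kyber's prime modulus, so Z_q is a field), SHAKE256(seed || nonce) feeding a centered binomial sampler as the PRF, a public matrix A expanded from a PRNG rather than an XOF, and the fault modelled as XOR of one bit into the error nonce. The elimination below relies on q being prime; for a power-of-two modulus such as Frodo's, pivots must be units of Z_q and this toy does not handle that case.

```python
import hashlib
import random

# Toy plain-LWE parameters (assumption: the real schemes use module/ring
# structure and much larger dimensions). q = 3329 is Kyber's prime modulus.
Q = 3329
N = 8      # toy dimension
ETA = 2    # centered binomial parameter, as in Kyber


def gen_matrix(rho: bytes, n: int = N):
    """Public matrix A expanded deterministically from a seed (constructed:
    a PRNG stands in for the XOF a real scheme would use)."""
    rng = random.Random(rho)
    return [[rng.randrange(Q) for _ in range(n)] for _ in range(n)]


def cbd_sample(seed: bytes, nonce: int, n: int = N, eta: int = ETA):
    """Small vector from PRF(seed, nonce) fed to a centered binomial sampler.
    The (seed, nonce) pair fully determines the output; that is what the
    nonce fault exploits."""
    buf = hashlib.shake_256(seed + bytes([nonce])).digest(n)
    out = []
    for b in buf:
        plus = sum((b >> i) & 1 for i in range(eta))
        minus = sum((b >> (eta + i)) & 1 for i in range(eta))
        out.append((plus - minus) % Q)
    return out


def keygen(seed: bytes, A, nonce_s: int, nonce_e: int):
    """t = A*s + e mod q. In an unfaulted run nonce_e != nonce_s."""
    s = cbd_sample(seed, nonce_s)
    e = cbd_sample(seed, nonce_e)
    n = len(s)
    t = [(sum(A[i][j] * s[j] for j in range(n)) + e[i]) % Q for i in range(n)]
    return t, s, e


def solve_mod_q(M, b):
    """Gauss-Jordan elimination over Z_q with q prime. Returns None if M is singular."""
    n = len(M)
    aug = [M[i][:] + [b[i]] for i in range(n)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col] % Q), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, Q)
        aug[col] = [(x * inv) % Q for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % Q for x, y in zip(aug[r], aug[col])]
    return [aug[i][n] for i in range(n)]


def recover_secret(A, t):
    """If the fault forced e = s, then t = (A + I) s: solve that system for s."""
    n = len(A)
    M = [[(A[i][j] + (1 if i == j else 0)) % Q for j in range(n)] for i in range(n)]
    return solve_mod_q(M, t)


def is_small(vec, eta: int = ETA):
    """Attacker-side check on a candidate: a genuine CBD secret has every
    coefficient in [-eta, eta] (mod q). A wrong candidate looks uniform."""
    return all(x <= eta or x >= Q - eta for x in vec)


if __name__ == "__main__":
    seed = b"constructed-keygen-seed"        # constructed sample input
    A = gen_matrix(b"constructed-rho")       # constructed sample input
    NONCE_S, NONCE_E = 0, 1
    # Honest key generation: distinct nonces, e independent of s.
    t_ok, s, e = keygen(seed, A, NONCE_S, NONCE_E)
    cand = recover_secret(A, t_ok)
    print("honest : recovered == s?", cand == s, "| small?", is_small(cand))
    # Faulted key generation: one bit flip in nonce_e makes it collide with nonce_s.
    t_bad, s_bad, e_bad = keygen(seed, A, NONCE_S, NONCE_E ^ 0x01)
    cand = recover_secret(A, t_bad)
    print("faulted: e == s?", e_bad == s_bad, "| recovered == s?", cand == s_bad,
          "| small?", is_small(cand))
```

The `is_small` check is how an attacker distinguishes a successful fault from a miss without any side information: solving (A + I) s = t on an unfaulted key still returns a vector, but its coefficients are spread over all of Z_q rather than confined to [-eta, eta].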

Category / Keywords: Lattice based cryptography, Digital Signatures, post quantum cryptography

Date: received 19 Feb 2018, last revised 22 Feb 2018

Contact author: PRASANNA RAVI at ntu edu sg


Note: The title of the paper was capitalized and we were therefore asked to revise it. We have revised accordingly.

Version: 20180226:194754 (All versions of this report)

Short URL: ia.cr/2018/211
