Cryptology ePrint Archive: Report 2018/211

Number "Not Used" Once - Practical fault attack on pqm4 implementations of NIST candidates

Prasanna Ravi and Debapriya Basu Roy and Shivam Bhasin and Anupam Chattopadhyay and Debdeep Mukhopadhyay

Abstract: In this paper, we demonstrate practical fault attacks on a number of lattice-based schemes, in particular NewHope, Kyber, Frodo and Dilithium, which are based on the hardness of the Learning with Errors (LWE) problem. One of the common traits of all the considered LWE schemes is the use of nonces as domain separators to sample the secret components of the LWE instance. We show that simple faults targeting the usage of the nonce can result in a nonce-reuse scenario which allows key recovery and message recovery attacks. To the best of our knowledge, we propose the first practical fault attack on lattice-based key encapsulation schemes secure in the CCA model. We perform experimental validation of our attack using electromagnetic fault injection on reference implementations of the aforementioned schemes taken from the pqm4 library, a benchmarking and testing framework for post-quantum cryptographic implementations on the ARM Cortex-M4. We use the instruction skip fault model, which is very practical and popular against microcontroller-based implementations. Our attack requires injecting very few faults (fewer than 10 for the recommended parameter sets) and can be repeated with 100% accuracy with our electromagnetic fault injection setup.

Category / Keywords: public-key cryptography / lattice-based cryptography, fault attacks, nonce reuse, key exchange schemes, Kyber, NewHope, Dilithium, Frodo

Date: received 19 Feb 2018, last revised 12 Mar 2019

Contact author: PRASANNA RAVI at ntu edu sg


Note: Revising the paper with new content added.

Version: 20190313:045836
