Fault-Injection Attacks against NIST's Post-Quantum Cryptography Round 3 KEM Candidates

Keita Xagawa; Akira Ito; Rei Ueno; Junko Takahashi; Naofumi Homma

Paper 2021/840

Fault-Injection Attacks against NIST's Post-Quantum Cryptography Round 3 KEM Candidates

Keita Xagawa, Akira Ito, Rei Ueno, Junko Takahashi, and Naofumi Homma

Abstract

We investigate __all__ NIST PQC Round 3 KEM candidates from the viewpoint of fault-injection attacks: Classic McEliece, Kyber, NTRU, Saber, BIKE, FrodoKEM, HQC, NTRU Prime, and SIKE. All KEM schemes use variants of the Fujisaki-Okamoto transformation, so the equality test with re-encryption in decapsulation is critical. We survey effective key-recovery attacks when we can skip the equality test. We found the existing key-recovery attacks against Kyber, NTRU, Saber, FrodoKEM, HQC, one of two KEM schemes in NTRU Prime, and SIKE. We propose a new key-recovery attack against the other KEM scheme in NTRU Prime. We also report an attack against BIKE that leads to leakage of information of secret keys. The open-source pqm4 library contains all KEM schemes except Classic McEliece and HQC. We show that giving a single instruction-skipping fault in the decapsulation processes leads to skipping the equality test __virtually__ for Kyber, NTRU, Saber, BIKE, and SIKE. We also report the experimental attacks against them. We also report the implementation of NTRU Prime allows chosen-ciphertext attacks freely and the timing side-channel of FrodoKEM reported in Guo, Johansson, and Nilsson (CRYPTO 2020) remains, while there are no such bugs in their NIST PQC Round 3 submissions.

Metadata

Available format(s): PDF
Category: Public-key cryptography
Publication info: A major revision of an IACR publication in ASIACRYPT 2021
Keywords: post-quantum cryptography NIST PQC standardization KEM the Fujisaki-Okamoto transformation fault-injection attacks.
Contact author(s): keita xagawa zv @ hco ntt co jp
ito @ riec tohoku ac jp
rei ueno a8 @ tohoku ac jp
junko takahashi fc @ hco ntt co jp
homma @ riec tohoku ac jp
History: 2021-09-17: last of 2 revisions; 2021-06-21: received; See all versions
Short URL: https://ia.cr/2021/840
License: CC BY

BibTeX

@misc{cryptoeprint:2021/840,
      author = {Keita Xagawa and Akira Ito and Rei Ueno and Junko Takahashi and Naofumi Homma},
      title = {Fault-Injection Attacks against NIST's Post-Quantum Cryptography Round 3 KEM Candidates},
      howpublished = {Cryptology ePrint Archive, Paper 2021/840},
      year = {2021},
      note = {\url{https://eprint.iacr.org/2021/840}},
      url = {https://eprint.iacr.org/2021/840}
}