Cryptology ePrint Archive: Report 2021/840

Fault-Injection Attacks against NIST's Post-Quantum Cryptography Round 3 KEM Candidates

Keita Xagawa and Akira Ito and Rei Ueno and Junko Takahashi and Naofumi Homma

Abstract: We investigate __all__ NIST PQC Round 3 KEM candidates from the viewpoint of fault-injection attacks: Classic McEliece, Kyber, NTRU, Saber, BIKE, FrodoKEM, HQC, NTRU Prime, and SIKE. All KEM schemes use variants of the Fujisaki-Okamoto transformation, so the equality test with re-encryption in decapsulation is critical.

We survey effective key-recovery attacks when we can skip the equality test. We found the existing key-recovery attacks against Kyber, NTRU, Saber, FrodoKEM, HQC, one of two KEM schemes in NTRU Prime, and SIKE. We propose a new key-recovery attack against the other KEM scheme in NTRU Prime. We also report an attack against BIKE that leads to leakage of information of secret keys.

The open-source pqm4 library contains all KEM schemes except Classic McEliece and HQC. We show that giving a single instruction-skipping fault in the decapsulation processes leads to skipping the equality test __virtually__ for Kyber, NTRU, Saber, BIKE, and SIKE. We also report the experimental attacks against them. We also report the implementation of NTRU Prime allows chosen-ciphertext attacks freely and the timing side-channel of FrodoKEM reported in Guo, Johansson, and Nilsson (CRYPTO 2020) remains, while there are no such bugs in their NIST PQC Round 3 submissions.

Category / Keywords: public-key cryptography / post-quantum cryptography, NIST PQC standardization, KEM, the Fujisaki-Okamoto transformation, fault-injection attacks.

Original Publication (with major differences): IACR-ASIACRYPT-2021

Date: received 20 Jun 2021, last revised 17 Sep 2021

Contact author: keita xagawa zv at hco ntt co jp, ito at riec tohoku ac jp, rei ueno a8 at tohoku ac jp, junko takahashi fc at hco ntt co jp, homma at riec tohoku ac jp

Available format(s): PDF | BibTeX Citation

Version: 20210917:082153 (All versions of this report)

Short URL: ia.cr/2021/840


[ Cryptology ePrint archive ]