Cryptology ePrint Archive: Report 2021/840

Fault-Injection Attacks against NIST's Post-Quantum Cryptography Round 3 KEM Candidates

Keita Xagawa and Akira Ito and Rei Ueno and Junko Takahashi and Naofumi Homma

Abstract: We investigate *all* NIST PQC Round~3 KEM candidates from the viewpoint of fault-injection attacks: Classic McEliece, Kyber, NTRU, Saber, BIKE, FrodoKEM, HQC, NTRU Prime, and SIKE. All KEM schemes use variants of the Fujisaki-Okamoto transformation, so the equality test of re-encryption in decapsulation is critical.

We survey effective key-recovery attacks if we can skip the equality test. We found the existing key-recovery attacks against Kyber, NTRU, Saber, FrodoKEM, HQC, one of two KEM schemes in NTRU Prime, and SIKE. We propose a new key-recovery attack against the other KEM scheme in NTRU Prime. We also report an attack against BIKE that leads to leakage of information of secret keys.

The open-source pqm4 library contains all KEM schemes except Classic McEliece and HQC. We show that giving a single instruction-skipping fault in the decapsulation processes leads to skipping the equality test *virtually* for Kyber, NTRU, Saber, BIKE, and SIKE. We also report the experimental attacks against them. We also report the implementation of NTRU Prime allows chosen-ciphertext attacks freely and the timing side-channel of FrodoKEM reported in Guo, Johansson, and Nilsson (CRYPTO 2020) remains.

Category / Keywords: public-key cryptography / post-quantum cryptography, NIST PQC standardization, KEM, the Fujisaki-Okamoto transformation, fault-injection attacks.

Date: received 20 Jun 2021

Contact author: keita xagawa zv at hco ntt co jp,ito@riec tohoku ac jp,rei ueno a8@tohoku ac jp,junko takahashi fc@hco ntt co jp,homma@riec tohoku ac jp

Available format(s): PDF | BibTeX Citation

Version: 20210621:080102 (All versions of this report)

Short URL: ia.cr/2021/840


[ Cryptology ePrint archive ]