Paper 2023/1674

Carry Your Fault: A Fault Propagation Attack on Side-Channel Protected LWE-based KEM

Suparna Kundu, KU Leuven
Siddhartha Chowdhury, Indian Institute of Technology Kharagpur
Sayandeep Saha, université catholique de louvain
Angshuman Karmakar, KU Leuven, Indian Institute of Technology Kanpur
Debdeep Mukhopadhyay, Indian Institute of Technology Kharagpur
Ingrid Verbauwhede, KU Leuven

Post-quantum cryptographic (PQC) algorithms, especially those based on the learning with errors (LWE) problem, have been subjected to several physical attacks in the recent past. Although the attacks broadly belong to two classes -- passive side-channel attacks and active fault attacks, the attack strategies vary significantly due to the inherent complexities of such algorithms. Exploring further attack surfaces is, therefore, an important step for eventually securing the deployment of these algorithms. Also, it is important to test the robustness of the already proposed countermeasures in this regard. In this work, we propose a new fault attack on side-channel secure masked implementation of LWE-based key-encapsulation mechanisms (KEMs) exploiting fault propagation. The attack typically originates due to an algorithmic modification widely used to enable masking, namely the Arithmetic-to-Boolean ($\mathtt{A2B}$) conversion. We exploit the data dependency of the adder carry chain in $\mathtt{A2B}$ and extract sensitive information, albeit masking (of arbitrary order) being present. As a practical demonstration of the exploitability of this information leakage, we show key recovery attacks of Kyber, although the leakage also exists for other schemes like Saber. The attack on Kyber targets the decapsulation module and utilizes Belief Propagation (BP) for key recovery. To the best of our knowledge, it is the first attack exploiting an algorithmic component introduced to ease masking rather than only exploiting the randomness introduced by masking to obtain desired faults (as done by Delvaux). Finally, we performed both simulated and electromagnetic (EM) fault-based practical validation of the attack for an open-source first-order secure Kyber implementation running on an STM32 platform.

Available format(s)
Attacks and cryptanalysis
Publication info
Post-quantum cryptographyFault attackKey-encapsulation mechanismMasked implementationA2B conversion
Contact author(s)
suparna kundu @ esat kuleuven be
2023-10-30: approved
2023-10-29: received
See all versions
Short URL
Creative Commons Attribution


      author = {Suparna Kundu and Siddhartha Chowdhury and Sayandeep Saha and Angshuman Karmakar and Debdeep Mukhopadhyay and Ingrid Verbauwhede},
      title = {Carry Your Fault: A Fault Propagation Attack on Side-Channel Protected LWE-based KEM},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1674},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.