Paper 2023/1731

A practical key-recovery attack on LWE-based key-encapsulation mechanism schemes using Rowhammer

Puja Mondal, Indian Institute of Technology Kanpur
Suparna Kundu, KU Leuven, Belgium
Sarani Bhattacharya, Indian Institute of Technology Kharagpur
Angshuman Karmakar, Indian Institute of Technology Kanpur
Ingrid Verbauwhede, KU Leuven, Belgium

Physical attacks are serious threats to cryptosystems deployed in the real world. In this work, we propose a microarchitectural end-to-end attack methodology on generic lattice-based post-quantum key encapsulation mechanisms to recover the long-term secret key. Our attack targets a critical component of the Fujisaki-Okamoto transform that is used in the construction of almost all lattice-based key encapsulation mechanisms. We demonstrate our attack model on practical schemes such as Kyber and Saber by using Rowhammer. We show that our attack is highly practical and imposes few preconditions on the attacker to succeed. As an additional contribution, we propose an improved version of the plaintext checking oracle, which is used by almost all physical attack strategies on lattice-based key-encapsulation mechanisms. Our improvement reduces the number of queries to the plaintext checking oracle by as much as 39% for Saber and approximately 23% for Kyber768. This can be of independent interest and can also be used to reduce the complexity of other attacks.

Attacks and cryptanalysis
Publication info
Published elsewhere. Minor revision. ACNS 2024
Keywords: Post-quantum cryptography, Key-encapsulation mechanism, micro-architecture attacks, Rowhammer, Saber, Kyber
Contact author(s)
pujamondal22 @ iitk ac in
suparna kundu @ esat kuleuven be
sarani @ cse iitkgp ac in
angshuman @ cse iitk ac in
ingrid verbauwhede @ esat kuleuven be
2023-11-13: approved
2023-11-08: received
Creative Commons Attribution


      author = {Puja Mondal and Suparna Kundu and Sarani Bhattacharya and Angshuman Karmakar and Ingrid Verbauwhede},
      title = {A practical key-recovery attack on LWE-based key-encapsulation mechanism schemes using Rowhammer},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1731},
      year = {2023},
      note = {\url{}},
      url = {}