Paper 2024/138

Correction Fault Attacks on Randomized CRYSTALS-Dilithium

Elisabeth Krahmer, Ruhr University Bochum
Peter Pessl, Infineon Technologies (Germany)
Georg Land, Ruhr University Bochum
Tim Güneysu, Ruhr University Bochum

After NIST’s selection of Dilithium as the primary future standard for quantum-secure digital signatures, increased efforts to understand its implementation security properties are required to enable widespread adoption on embedded devices. Concretely, there are still many open questions regarding the susceptibility of Dilithium to fault attacks. This is especially the case for Dilithium’s randomized (or hedged) signing mode, which, likely due to devastating implementation attacks on the deterministic mode, was selected as the default by NIST. This work takes steps towards closing this gap by presenting two new key-recovery fault attacks on randomized/hedged Dilithium. Both attacks are based on the idea of correcting faulty signatures after signing. A successful correction yields the value of a secret intermediate that carries information on the key. After gathering many faulty signatures and corresponding correction values, it is possible to solve for the signing key via either simple linear algebra or lattice-reduction techniques. Our first attack extends a previously published attack based on an instruction-skipping fault to the randomized setting. Our second attack injects faults in the matrix A, which is part of the public key. As such, it is not sensitive to side-channel leakage and has, potentially for this reason, not seen prior analysis regarding faults. We show that for Dilithium2, the attacks allow key recovery with as little as 1024 and 512 faulty signatures, respectively, with each signature generated by injecting a single targeted fault. We also demonstrate how our attacks can be adapted to circumvent several popular fault countermeasures with a moderate increase in the computational runtime and the number of required faulty signatures. These results are verified using both simulated faults and clock glitches on an ARM-based microcontroller. The presented attacks demonstrate that also randomized Dilithium can be subject to diverse fault attacks, that certain countermeasures might be easily bypassed, and that potential fault targets reach beyond side-channel sensitive operations. Still, many further operations are likely also susceptible, implying the need for increased analysis efforts in the future.

Available format(s)
Attacks and cryptanalysis
Publication info
fault injection attackDilithiumpost-quantum cryptography
Contact author(s)
elisabeth krahmer @ rub de
peter pessl @ infineon com
mail @ georg land
tim gueneysu @ rub de
2024-01-31: approved
2024-01-31: received
See all versions
Short URL
Creative Commons Attribution


      author = {Elisabeth Krahmer and Peter Pessl and Georg Land and Tim Güneysu},
      title = {Correction Fault Attacks on Randomized {CRYSTALS}-Dilithium},
      howpublished = {Cryptology ePrint Archive, Paper 2024/138},
      year = {2024},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.