Paper 2024/1522
Mind the Faulty Keccak: A Practical Fault Injection Attack Scheme Apply to All Phases of ML-KEM and ML-DSA
Abstract
ML-KEM and ML-DSA are NIST-standardized lattice-based post-quantum cryptographic algorithms. In both algorithms, Keccak is the designated hash function and is used extensively to derive sensitive information, making it a valuable target for attackers. In the field of fault injection attacks, few works have targeted Keccak, and those have not fully explored its impact on the security of ML-KEM and ML-DSA; consequently, many attacks remain undiscovered. In this article, we first identify various fault vulnerabilities of Keccak that determine the (partial) output by manipulating the control flow under a practical loop-abort model. Then, we systematically analyze the impact of a faulty Keccak output and propose six attacks against ML-KEM and five attacks against ML-DSA, including key recovery, signature forgery, and verification bypass. These attacks cover the key generation, encapsulation, decapsulation, signing, and verification phases, making our scheme the first to apply to all phases of ML-KEM and ML-DSA. The proposed attacks are validated on the C implementations of ML-KEM and ML-DSA in the PQClean library running on embedded devices. Experiments show that the required loop-abort faults can be realized on ARM Cortex-M0+, M3, M4, and M33 microprocessors with a low-cost electromagnetic fault injection setup, achieving a success rate of 89.5%. Once the fault injection succeeds, all proposed attacks succeed with probability 100%.
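The abstract's core observation is that a loop-abort fault on Keccak makes its output (partially) determined by attacker-known input. The following added example (written for this page, not code from the paper or from PQClean) makes that concrete with a minimal SHA3-256 built on Keccak-f[1600] whose round loop can be cut short. The fault is modelled, as an assumption for illustration, as "the round loop exits after `rounds` iterations"; the paper's actual fault points and the specific ML-KEM/ML-DSA call sites are not given on this page. With 24 rounds the function agrees with `hashlib`; with 0 rounds the permutation collapses to the identity, so the "digest" is just the XOR of the padded input blocks, which anyone who knows the input can compute.

```python
# Added example (not code from the paper or from PQClean): a minimal SHA3-256
# on Keccak-f[1600] whose round loop can be cut short, to show why a loop-abort
# fault on Keccak makes the digest predictable to the attacker.
# ASSUMPTION: the fault is modelled as "the round loop exits after `rounds`
# iterations"; the paper's real fault points are not described on this page.
import hashlib

MASK64 = (1 << 64) - 1
RATE = 136  # SHA3-256 rate in bytes (1600 - 2*256 bits)

# Keccak round constants (iota) and rotation offsets (rho), indexed ROT[x][y].
RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def rol64(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def keccak_f1600(lanes, rounds=24):
    """Keccak-f[1600] on 25 little-endian lanes (lane (x,y) at index x + 5*y).
    rounds < 24 simulates a loop-abort fault on the round counter."""
    a = list(lanes)
    for rnd in range(rounds):
        # theta: column parities mixed into every lane
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ rol64(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]
        # rho + pi: rotate each lane and move it to (y, 2x+3y)
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = rol64(a[x + 5 * y], ROT[x][y])
        # chi: the only non-linear step, row-wise
        a = [b[i] ^ ((~b[(i % 5 + 1) % 5 + 5 * (i // 5)]) & b[(i % 5 + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]
        # iota: round constant
        a[0] ^= RC[rnd]
    return a


def pad_blocks(msg):
    """SHA-3 pad10*1 with domain byte 0x06, split into RATE-byte blocks."""
    buf = bytearray(msg) + b"\x06"
    buf += b"\x00" * (-len(buf) % RATE)
    buf[-1] |= 0x80
    return [bytes(buf[i:i + RATE]) for i in range(0, len(buf), RATE)]


def sha3_256_with_rounds(msg, rounds=24):
    """SHA3-256 digest; rounds=24 is the real function, fewer = faulted."""
    state = [0] * 25
    for block in pad_blocks(msg):
        for i in range(RATE // 8):
            state[i] ^= int.from_bytes(block[8 * i:8 * i + 8], "little")
        state = keccak_f1600(state, rounds)
    return b"".join(lane.to_bytes(8, "little") for lane in state)[:32]


def matches_reference(msg):
    """Sanity check of the unfaulted path against hashlib."""
    return sha3_256_with_rounds(msg, 24) == hashlib.sha3_256(msg).digest()


def attacker_prediction_zero_rounds(msg):
    """What an attacker who knows the input predicts when every permutation
    call is aborted before round 0: the permutation is the identity, so the
    state is the XOR of all padded blocks and the 'digest' is its first 32 bytes."""
    acc = bytearray(RATE)
    for block in pad_blocks(msg):
        acc = bytearray(x ^ y for x, y in zip(acc, block))
    return bytes(acc[:32])


if __name__ == "__main__":
    seed = b"constructed seed bytes"  # constructed sample input
    print("unfaulted matches hashlib:", matches_reference(seed))
    print("0-round digest predictable:",
          sha3_256_with_rounds(seed, 0) == attacker_prediction_zero_rounds(seed))
```

The practical consequence for a KEM or signature scheme is that any secret the scheme derives by hashing a value the attacker already knows or controls (a public seed, a ciphertext, a message) stops being secret once the permutation is skipped, which is the class of failure the abstract's key-recovery and forgery attacks build on.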
Metadata
- Available format(s): PDF
- Category: Attacks and cryptanalysis
- Publication info: Preprint.
- Keywords: Post-Quantum Cryptography, Fault Injection Attack, Keccak, Kyber, Dilithium, ARM Cortex-M
- Contact author(s): 18588297218 @ sjtu edu cn, jintongyu @ sjtu edu cn, shipeiqu @ sjtu edu cn, xiaolinzhang @ sjtu edu cn, happy_lxw @ sjtu edu cn, zcsjtu @ sjtu edu cn, dwgu @ sjtu edu cn
- History: 2024-09-27: received; 2025-02-13: last of 2 revisions
- Short URL: https://ia.cr/2024/1522
- License: CC BY
BibTeX
@misc{cryptoeprint:2024/1522,
  author = {Yuxuan Wang and Jintong Yu and Shipei Qu and Xiaolin Zhang and Xiaowei Li and Chi Zhang and Dawu Gu},
  title = {Mind the Faulty Keccak: A Practical Fault Injection Attack Scheme Apply to All Phases of {ML}-{KEM} and {ML}-{DSA}},
  howpublished = {Cryptology {ePrint} Archive, Paper 2024/1522},
  year = {2024},
  url = {https://eprint.iacr.org/2024/1522}
}