Beware of Keccak: Practical Fault Attacks on SHA-3 to Compromise Kyber and Dilithium on ARM Cortex-M Devices

Yuxuan Wang; Jintong Yu; Shipei Qu; Xiaolin Zhang; Xiaowei Li; Chi Zhang; Dawu Gu

Paper 2024/1522

Beware of Keccak: Practical Fault Attacks on SHA-3 to Compromise Kyber and Dilithium on ARM Cortex-M Devices

Yuxuan Wang

, Shanghai Jiao Tong University

Jintong Yu, Shanghai Jiao Tong University

Shipei Qu, Shanghai Jiao Tong University

Xiaolin Zhang, Shanghai Jiao Tong University

Xiaowei Li, Shanghai Jiao Tong University

Chi Zhang, Shanghai Jiao Tong University

Dawu Gu, Shanghai Jiao Tong University

Abstract

Keccak acts as the hash algorithm and eXtendable-Output Function (XOF) specified in the NIST standard drafts for Kyber and Dilithium. The Keccak output is highly correlated with sensitive information. While in RSA and ECDSA, hash-like components are only used to process public information, such as the message. The importance and sensitivity of hash-like components like Keccak are much higher in Kyber and Dilithium than in traditional public-key cryptography. However, few works study Keccak regarding the physical security of Kyber and Dilithium. In this paper, we propose a practical fault attack scheme on Keccak to compromise Kyber and Dilithium on ARM Cortex-M devices. Specifically, by injecting loop-abort faults in the iterative assignments or updates of Keccak, we propose six attacks that can set the Keccak output to a known value. These attacks can be exploited to disrupt the random number expansion or other critical processes in Kyber and Dilithium, thereby recovering sensitive information derived from the Keccak output. In this way, we propose eight attack strategies on Kyber and seven on Dilithium, achieving key recovery, signature forgery, and verification bypass. To validate the practicality of the proposed attack strategies, we perform fault characterization on five real-world devices belonging to four different series (ARM Cortex-M0+, M3, M4, and M33). The success rate is up to 89.5%, demonstrating the feasibility of loop-abort faults. This paper also provides a guide for reliably inducing loop-abort faults on ARM Cortex-M devices using electromagnetic fault injection. We further validate our complete attacks on Kyber and Dilithium based on the official implementations, achieving a success rate of up to 55.1%. The results demonstrate that the excessive use of Keccak in generating and computing secret information leads to severe vulnerabilities. Our work can potentially be migrated to other post-quantum cryptographic algorithms that use Keccak, such as Falcon, BIKE, and HQC.

Metadata

Available format(s): PDF
Category: Attacks and cryptanalysis
Publication info: Preprint.
Keywords: Post-Quantum Cryptography Fault Injection Attack Keccak Kyber Dilithium ARM Cortex-M
Contact author(s): 18588297218 @ sjtu edu cn
jintongyu @ sjtu edu cn
shipeiqu @ sjtu edu cn
xiaolinzhang @ sjtu edu cn
happy_lxw @ sjtu edu cn
zcsjtu @ sjtu edu cn
dwgu @ sjtu edu cn
History: 2024-09-30: approved; 2024-09-27: received; See all versions
Short URL: https://ia.cr/2024/1522
License: CC BY

BibTeX

@misc{cryptoeprint:2024/1522,
      author = {Yuxuan Wang and Jintong Yu and Shipei Qu and Xiaolin Zhang and Xiaowei Li and Chi Zhang and Dawu Gu},
      title = {Beware of Keccak: Practical Fault Attacks on {SHA}-3 to Compromise Kyber and Dilithium on {ARM} Cortex-M Devices},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1522},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1522}
}