132 research outputs found
Number Not Used Once - Practical fault attack on pqm4 implementations of NIST candidates
In this paper, we demonstrate practical fault attacks over a number of lattice based schemes, in particular NewHope, Kyber, Frodo, Dilithium which are based on the hardness of the Learning with Errors (LWE) problem. One of the common traits of all the considered LWE schemes is the use of nonces as domain separators to sample the secret components of the LWE instance. We show that simple faults targeting the usage of nonce can result in a nonce-reuse scenario which allows key recovery and message recovery attacks. To the best of our knowledge, we propose the first practical fault attack on lattice-based Key encapsulation schemes secure in the CCA model. We perform experimental validation of our attack using Electromagnetic fault injection on reference implementations of the aforementioned schemes taken from the pqm4 library, a benchmarking and testing framework for post quantum cryptographic implementations for the ARM Cortex-M4. We use the instruction skip fault model, which is very practical and popular in microcontroller based implementations. Our attack requires to inject a very few number of faults (numbering less than 10 for recommended parameter sets) and can be repeated with a 100% accuracy with our Electromagnetic fault injection setup
A practical key-recovery attack on LWE-based key-encapsulation mechanism schemes using Rowhammer
Physical attacks are serious threats to cryptosystems deployed in the real
world. In this work, we propose a microarchitectural end-to-end attack
methodology on generic lattice-based post-quantum key encapsulation mechanisms
to recover the long-term secret key. Our attack targets a critical component of
a Fujisaki-Okamoto transform that is used in the construction of almost all
lattice-based key encapsulation mechanisms. We demonstrate our attack model on
practical schemes such as Kyber and Saber by using Rowhammer. We show that our
attack is highly practical and imposes little preconditions on the attacker to
succeed. As an additional contribution, we propose an improved version of the
plaintext checking oracle, which is used by almost all physical attack
strategies on lattice-based key-encapsulation mechanisms. Our improvement
reduces the number of queries to the plaintext checking oracle by as much as
for Saber and approximately for Kyber768. This can be of
independent interest and can also be used to reduce the complexity of other
attacks
Envisioning the Future of Cyber Security in Post-Quantum Era: A Survey on PQ Standardization, Applications, Challenges and Opportunities
The rise of quantum computers exposes vulnerabilities in current public key
cryptographic protocols, necessitating the development of secure post-quantum
(PQ) schemes. Hence, we conduct a comprehensive study on various PQ approaches,
covering the constructional design, structural vulnerabilities, and offer
security assessments, implementation evaluations, and a particular focus on
side-channel attacks. We analyze global standardization processes, evaluate
their metrics in relation to real-world applications, and primarily focus on
standardized PQ schemes, selected additional signature competition candidates,
and PQ-secure cutting-edge schemes beyond standardization. Finally, we present
visions and potential future directions for a seamless transition to the PQ
era
Drop by Drop you break the rock - Exploiting generic vulnerabilities in Lattice-based PKE/KEMs using EM-based Physical Attacks
We report an important implementation vulnerability exploitable through physical attacks for message recovery
in five lattice-based public-key encryption schemes (PKE) and Key Encapsulation Mechanisms (KEM) -
NewHope, Kyber, Saber, Round5 and LAC that are currently competing in the second round of NIST\u27s standardization process for post-quantum cryptography. The reported vulnerability exists in the message decoding function which
is a fundamental kernel present in lattice-based PKE/KEMs and further analysis of the implementations
in the public pqm4 library revealed that the message decoding function is implemented in a similar manner
in all the identified schemes and thus they all share the common side-channel vulnerability that leaks
individual bits of the secret message. We demonstrate that the identified vulnerability can be
exploited through a number of practical electromagnetic side-channel attacks, fault attacks and
combined attacks on implementations from the pqm4 library running on the ARM Cortex-M4
microcontroller. As a key contribution, we also demonstrate the first practical EM-based combined
side-channel and fault attack on lattice-based PKE/KEMs
Side-channel Assisted Existential Forgery Attack on Dilithium - A NIST PQC candidate
The recent lattice-based signature scheme Dilithium, submitted as part of the CRYSTALS (Cryptographic Suite for Algebraic Lattices) package, is one of a number of strong candidates submitted for the NIST standardisation process of post-quantum cryptography. The Dilithium signature scheme is based on the Fiat-Shamir paradigm and can be seen as a variant of the Bai-Galbraith scheme (BG) combined with several improvements from previous ancestor lattice-based schemes like GLP and BLISS signature schemes. One of the main features of Dilithium is the compressed public-key, which is a rounded version of the LWE instance. This implies that Dilithium is not breakable with the knowledge of only the secret or the error of the LWE instance, unlike its ancestor lattice-based signature schemes. In this paper, we investigate the security of Dilithium against a combination of side-channel and classical attacks. Side-channel attacks on schoolbook and optimised polynomial multiplication algorithms in the signing procedure are shown to extract the secret component of the LWE instance, which is just one among the multiple components of the secret-key of Dilithium. We then propose an alternative signing procedure, through which it is possible to forge signatures with only the extracted portion of the secret-key, without requiring the knowledge of all its elements. Thus showing that Dilithium too breaks on just knowing the secret portion of the LWE instance, similar to previous lattice-based schemes
Algorithmic Security is Insufficient: A Comprehensive Survey on Implementation Attacks Haunting Post-Quantum Security
This survey is on forward-looking, emerging security concerns in post-quantum
era, i.e., the implementation attacks for 2022 winners of NIST post-quantum
cryptography (PQC) competition and thus the visions, insights, and discussions
can be used as a step forward towards scrutinizing the new standards for
applications ranging from Metaverse, Web 3.0 to deeply-embedded systems. The
rapid advances in quantum computing have brought immense opportunities for
scientific discovery and technological progress; however, it poses a major risk
to today's security since advanced quantum computers are believed to break all
traditional public-key cryptographic algorithms. This has led to active
research on PQC algorithms that are believed to be secure against classical and
powerful quantum computers. However, algorithmic security is unfortunately
insufficient, and many cryptographic algorithms are vulnerable to side-channel
attacks (SCA), where an attacker passively or actively gets side-channel data
to compromise the security properties that are assumed to be safe
theoretically. In this survey, we explore such imminent threats and their
countermeasures with respect to PQC. We provide the respective, latest
advancements in PQC research, as well as assessments and providing visions on
the different types of SCAs
A practical key-recovery attack on LWE-based key- encapsulation mechanism schemes using Rowhammer
Physical attacks are serious threats to cryptosystems deployed in the real world. In this work, we propose a microarchitectural end-to-end attack methodology on generic lattice-based post-quantum key encapsulation mechanisms to recover the long-term secret key. Our attack targets a critical component of a Fujisaki-Okamoto transform that is used in the construction of almost all lattice-based key encapsulation mechanisms. We demonstrate our attack model on practical schemes such as Kyber and Saber by using Rowhammer. We show that our attack is highly practical and imposes little preconditions on the attacker to succeed. As an additional contribution, we propose an improved version of the plaintext checking oracle, which is used by almost all physical attack strategies on lattice-based key-encapsulation mechanisms. Our improvement reduces the number of queries to the plaintext checking oracle by as much as 39% for Saber and approximately 23% for Kyber768. This can be of independent interest and can also be used to reduce the complexity of other attacks
- …