25 research outputs found

    A practical key-recovery attack on LWE-based key-encapsulation mechanism schemes using Rowhammer

    Physical attacks are serious threats to cryptosystems deployed in the real world. In this work, we propose a microarchitectural end-to-end attack methodology on generic lattice-based post-quantum key encapsulation mechanisms to recover the long-term secret key. Our attack targets a critical component of a Fujisaki-Okamoto transform that is used in the construction of almost all lattice-based key encapsulation mechanisms. We demonstrate our attack model on practical schemes such as Kyber and Saber by using Rowhammer. We show that our attack is highly practical and imposes little preconditions on the attacker to succeed. As an additional contribution, we propose an improved version of the plaintext checking oracle, which is used by almost all physical attack strategies on lattice-based key-encapsulation mechanisms. Our improvement reduces the number of queries to the plaintext checking oracle by as much as 39% for Saber and approximately 23% for Kyber768. This can be of independent interest and can also be used to reduce the complexity of other attacks.

    On the Masking-Friendly Designs for Post-Quantum Cryptography

    Masking is a well-known and provably secure countermeasure against side-channel attacks. However, due to additional redundant computations, integrating masking schemes is expensive in terms of performance. The performance overhead of integrating masking countermeasures is heavily influenced by the design choices of a cryptographic algorithm and is often not considered during the design phase. In this work, we deliberate on the effect of design choices on integrating masking techniques into lattice-based cryptography. We select Scabbard, a suite of three lattice-based post-quantum key-encapsulation mechanisms (KEM), namely Florete, Espada, and Sable. We provide arbitrary-order masked implementations of all the constituent KEMs of the Scabbard suite by exploiting their specific design elements. We show that the masked implementations of Florete, Espada, and Sable outperform the masked implementations of Kyber in terms of speed for any order masking. Masked Florete exhibits a 73%, 71%, and 70% performance improvement over masked Kyber corresponding to the first-, second-, and third-order. Similarly, Espada exhibits 56%, 59%, and 60% and Sable exhibits 75%, 74%, and 73% enhanced performance for first-, second-, and third-order masking compared to Kyber respectively. Our results show that the design decisions have a significant impact on the efficiency of integrating masking countermeasures into lattice-based cryptography.

    Higher-order masked Saber

    Side-channel attacks are formidable threats to the cryptosystems deployed in the real world. An effective and provably secure countermeasure against side-channel attacks is masking. In this work, we present a detailed study of higher-order masking techniques for the key-encapsulation mechanism Saber. Saber is one of the lattice-based finalist candidates in the National Institute of Standards of Technology's post-quantum standardization procedure. We provide a detailed analysis of different masking algorithms proposed for Saber in the recent past and propose an optimized implementation of higher-order masked Saber. Our proposed techniques for first-, second-, and third-order masked Saber have performance overheads of 2.7x, 5x, and 7.7x respectively compared to the unmasked Saber. We show that compared to Kyber which is another lattice-based finalist scheme, Saber's performance degrades less with an increase in the order of masking. We also show that higher-order masked Saber needs fewer random bytes than higher-order masked Kyber. Additionally, we adapt our masked implementation to uSaber, a variant of Saber that was specifically designed to allow an efficient masked implementation. We present the first masked implementation of uSaber, showing that it indeed outperforms masked Saber by at least 12% for any order. We provide optimized implementations of all our proposed masking schemes on ARM Cortex-M4 microcontrollers.

    Carry Your Fault: A Fault Propagation Attack on Side-Channel Protected LWE-based KEM

    Post-quantum cryptographic (PQC) algorithms, especially those based on the learning with errors (LWE) problem, have been subjected to several physical attacks in the recent past. Although the attacks broadly belong to two classes -- passive side-channel attacks and active fault attacks, the attack strategies vary significantly due to the inherent complexities of such algorithms. Exploring further attack surfaces is, therefore, an important step for eventually securing the deployment of these algorithms. Also, it is important to test the robustness of the already proposed countermeasures in this regard. In this work, we propose a new fault attack on side-channel secure masked implementation of LWE-based key-encapsulation mechanisms (KEMs) exploiting fault propagation. The attack typically originates due to an algorithmic modification widely used to enable masking, namely the Arithmetic-to-Boolean (A2B) conversion. We exploit the data dependency of the adder carry chain in A2B and extract sensitive information, albeit masking (of arbitrary order) being present. As a practical demonstration of the exploitability of this information leakage, we show key recovery attacks of Kyber, although the leakage also exists for other schemes like Saber. The attack on Kyber targets the decapsulation module and utilizes Belief Propagation (BP) for key recovery. To the best of our knowledge, it is the first attack exploiting an algorithmic component introduced to ease masking rather than only exploiting the randomness introduced by masking to obtain desired faults (as done by Delvaux). Finally, we performed both simulated and electromagnetic (EM) fault-based practical validation of the attack for an open-source first-order secure Kyber implementation running on an STM32 platform.

    Study of Metal Resistance Potential of the Cd, Cr Tolerant Alligator Weed

    Background – Environmental deterioration due to heavy metal pollution is a major global concern for its immense importance in the ecosystem. Indiscriminate use of heavy metals for rapid urbanization and industrial exploration is a pressing threat to human health. Among these, Cd and Cr contamination is most dangerous as these metals directly enter into the food chain due to their higher solubility and mobility. Identification of a metal tolerant native plant species would be helpful to decontaminate Cd and Cr polluted land. In our previous study, field investigations were conducted to evaluate the tolerance potential of Alligator weed to Cd and Cr. Alligator weed [Alternanthera philoxeroides (Mart.) Griseb.] is the most widely distributed perennial stoloniferous herb in these contaminated areas in and around Kolkata. Purpose of the study – To establish the metal tolerant capacity of the species, different biochemical parameters assessing its metal accumulation capacity and reflecting its detoxification mechanism were studied. For this purpose, the same plant collected from the highest metal contaminated area was grown under laboratory conditions with external application of various concentrations of Cd and Cr individually and synergistically (0.5, 0.8, 1.0, 1.2, 1.5, 1.8 mM). To estimate the hazardous effects of Cd and Cr on this weed, membrane damage was quantified in the form of lipid peroxidation, i.e. MDA production. The metal uptake and accumulation potential was estimated by measuring the Cd and Cr concentration in root and shoot. Some soil parameters such as Organic Carbon and Cation Exchange Capacity were also studied to explain the bioavailability of metals. Various biochemical parameters such as free proline content, non-protein thiol content and zymogram analysis of antioxidative isozymes (such as Guaiacol peroxidase, superoxide dismutase, glutathione reductase and ascorbate peroxidase) were studied to assess its metal resistant capacity.
Result: The acidic pH and enhanced Cation Exchange Capacity of soil made both Cd and Cr more bioavailable with increasing metal concentration. Linear increase in metal uptake and accumulation was recorded up to an optimum level at 1.0 mM and 1.2 mM for Cd and Cr respectively, evident from Translocation Factor > 1. Gradual increase in membrane damage reflected the devastating effect of both Cd and Cr. But enhanced free proline content and non-protein thiol content provide enough detoxification capacity to tolerate 1.2 mM Cd, Cr, after which biochemical defenses declined. Increased activity of glutathione reductase and superoxide dismutase was well documented in 1.2 mM and 1 mM Cd, Cr treated plants respectively. Overexpression of ascorbate peroxidase, superoxide dismutase and glutathione reductase was evident from the appearance of additional bands with respect to control plants, which would provide acute detoxification capacity of the plant to cope with gradually increasing Cd, Cr contamination. Conclusion: This newly emergent Cd and Cr tolerant plant, which can thrive well in highly Cd, Cr contaminated soil under field conditions, is thought to have the potential for phytoremediation of multiple metal contaminated sites of major polluted cities.

    Serum testosterone levels in type 2 diabetes mellitus

    Introduction: Diabetes mellitus is a multifactorial disease which is characterised by hyperglycaemia and dyslipidaemia, involves various organ systems, and results in various long-term complications. Several studies have suggested that men with low testosterone levels are at a greater risk of developing type 2 diabetes mellitus, and that low testosterone levels may even predict the onset of diabetes. Recent studies have shown that a low serum testosterone level is strongly associated with an increased likelihood of the metabolic syndrome. Aim: To compare the serum total testosterone levels in type 2 diabetes mellitus patients with that of non-diabetic healthy controls. Material and Methods: The study was conducted in the OPD of Medical College, Kolkata. In the present study, 50 men aged 35-55 years who were diagnosed as type 2 diabetes mellitus patients and confirmed by the estimation of fasting plasma glucose (≥126 mg/dl), post prandial blood glucose (≥200 mg/dl) and HbA1C (≥6.5%) were selected; 50 healthy, age- and BMI-matched individuals were selected as controls. Patients with a known history of hypogonadism, panhypopituitarism, or hyperthyroidism, patients taking exogenous testosterone and glucocorticoids, and patients suffering from chronic debilitating disease, such as renal failure, cardiac failure, liver cirrhosis, or HIV, were excluded from the study. The laboratory investigations included evaluation of serum testosterone levels, fasting and postprandial blood glucose, and the levels of HbA1c and Creatinine. Statistical analysis was performed using SPSS 20.0. Results are represented as mean±SD and number (%). Pearson's correlation test was performed to measure the linear dependence of the study parameters. Results: The serum Total Testosterone level of the diabetic group was 3.51±1.26 ng/ml, which was found to be significantly lower than that of the control group, with a serum total testosterone level of 5.88±2.34 ng/ml (p-value < 0.0001).
Conclusion: This study has shown that there is a significant reduction in serum total testosterone levels in type 2 diabetes mellitus patients.

    Rh(II)-Catalyzed Synthesis of N-Aryl 2-pyridone Using 2-Oxypyridine and Diazonaphthoquinone Via 1,6-Benzoyl Migratory Rearrangement

    A Rh(II)-catalyzed simple and efficient synthesis of N-arylated 2-pyridone derivatives is described using 2-oxypyridine and diazonaphthoquinone as coupling partners. The reaction proceeds through the insertion of the nitrogen atom of the 2-oxypyridine derivative into quinoid carbene and subsequent 1,6-benzoyl migratory rearrangement. The reaction is broadened with sufficient scope and has the potential to offer axially chiral N-arylated 2-pyridone derivatives under suitable asymmetric conditions.
