International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Carry Your Fault: A Fault Propagation Attack on Side-Channel Protected LWE-based KEM

Authors:
Suparna Kundu , COSIC, KU Leuven, Leuven, Belgium
Siddhartha Chowdhury , Indian Institute of Technology Kharagpur, Kharagpur, India
Sayandeep Saha , Université catholique de Louvain, Ottignies-Louvain-la-Neuve, Belgium
Angshuman Karmakar , COSIC, KU Leuven, Leuven, Belgium; Indian Institute of Technology Kanpur, Kanpur, India
Debdeep Mukhopadhyay , Indian Institute of Technology Kharagpur, Kharagpur, India
Ingrid Verbauwhede , COSIC, KU Leuven, Leuven, Belgium
Download:
DOI: 10.46586/tches.v2024.i2.844-869
URL: https://tches.iacr.org/index.php/TCHES/article/view/11449
Search ePrint
Search Google
Abstract: Post-quantum cryptographic (PQC) algorithms, especially those based on the learning with errors (LWE) problem, have been subjected to several physical attacks in the recent past. Although the attacks broadly belong to two classes – passive side-channel attacks and active fault attacks, the attack strategies vary significantly due to the inherent complexities of such algorithms. Exploring further attack surfaces is, therefore, an important step for eventually securing the deployment of these algorithms. Also, it is mportant to test the robustness of the already proposed countermeasures in this regard. In this work, we propose a new fault attack on side-channel secure masked implementation of LWE-based key-encapsulation mechanisms (KEMs) exploiting fault propagation. The attack typically originates due to an algorithmic modification widely used to enable masking, namely the Arithmetic-to-Boolean (A2B) conversion. We exploit the data dependency of the adder carry chain in A2B and extract sensitive information, albeit masking (of arbitrary order) being present. As a practical demonstration of the exploitability of this information leakage, we show key recovery attacks of Kyber, although the leakage also exists for other schemes like Saber. The attack on Kyber targets the decapsulation module and utilizes Belief Propagation (BP) for key recovery. To the best of our knowledge, it is the first attack exploiting an algorithmic component introduced to ease masking rather than only exploiting the randomness introduced by masking to obtain desired faults (as done by Delvaux [Del22]). Finally, we performed both simulated and electromagnetic (EM) fault-based practical validation of the attack for an open-source first-order secure Kyber implementation running on an STM32 platform.
BibTeX
@article{tches-2024-34072,
  title={Carry Your Fault: A Fault Propagation Attack on Side-Channel Protected LWE-based KEM},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universität Bochum},
  volume={024 No. 2},
  pages={844-869},
  url={https://tches.iacr.org/index.php/TCHES/article/view/11449},
  doi={10.46586/tches.v2024.i2.844-869},
  author={Suparna Kundu and Siddhartha Chowdhury and Sayandeep Saha and Angshuman Karmakar and Debdeep Mukhopadhyay and Ingrid Verbauwhede},
  year=2024
}