Skip to main content
SpringerLink
Log in

Fault-Injection Attacks Against NIST’s Post-Quantum Cryptography Round 3 KEM Candidates

  • Conference paper
  • First Online:
Advances in Cryptology – ASIACRYPT 2021 (ASIACRYPT 2021)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 13091))

Abstract

We investigate all NIST PQC Round 3 KEM candidates from the viewpoint of fault-injection attacks: Classic McEliece, Kyber, NTRU, Saber, BIKE, FrodoKEM, HQC, NTRU Prime, and SIKE. All KEM schemes use variants of the Fujisaki-Okamoto transformation, so the equality test with re-encryption in decapsulation is critical.

We survey effective key-recovery attacks when we can skip the equality test. We found the existing key-recovery attacks against Kyber, NTRU, Saber, FrodoKEM, HQC, one of two KEM schemes in NTRU Prime, and SIKE. We propose a new key-recovery attack against the other KEM scheme in NTRU Prime. We also report an attack against BIKE that leads to leakage of information of secret keys.

The open-source pqm4 library contains all KEM schemes except Classic McEliece and HQC. We show that giving a single instruction-skipping fault in the decapsulation processes leads to skipping the equality test virtually for Kyber, NTRU, Saber, BIKE, and SIKE. We also report the experimental attacks against them. We also report the implementation of NTRU Prime allows chosen-ciphertext attacks freely and the timing side-channel of FrodoKEM reported in Guo, Johansson, and Nilsson (CRYPTO 2020) remains, while there are no such bugs in their NIST PQC Round 3 submissions.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 99.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 129.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    https://csrc.nist.gov/Projects/post-quantum-cryptography/post-quantum-cryptography-standardization/Call-for-Proposals.

  2. 2.

    The plaintext space is a set of n-dimensional vectors whose Hamming weight is t.

  3. 3.

    We use 2021 Jun. 5 version. https://github.com/mupq/pqm4/commit/8d3384d879b10619c8c36947e4be6ab13ec6d268.

  4. 4.

    We report it in https://github.com/mupq/pqm4/issues/195.

  5. 5.

    pqm4 noticed this issue. See https://github.com/mupq/pqm4/issues/161.

  6. 6.

    If \(\mathsf {mask} = 0\), then we have \(m' \leftarrow m'\). Otherwise, we have \(m' \leftarrow s\).

  7. 7.

    When \(q = 6q'+1\), \(\mathsf {Round}([-(q-1)/2,(q-1)/2]) \in [-(q-1)/2,(q-1)/2]\).

  8. 8.

    ‘NTRU LPRime Core’ in the specification.

  9. 9.

    https://developer.arm.com/documentation/100166/0001. See https://developer.arm.com/documentation/100166/0001/Programmers-Model/Instruction-set-summary/Table-of-processor-instructions?lang=en for instruction set.

  10. 10.

    The source code of these functions is https://github.com/mupq/pqm4/blob/master/crypto_kem/sntrup761/m4f/kem.c.

  11. 11.

    https://github.com/mupq/pqm4/blob/master/crypto_kem/frodokem640shake/m4/kem.c.

  12. 12.

    https://github.com/mupq/pqm4/blob/master/crypto_kem/saber/m4f/kem.c.

  13. 13.

    https://github.com/mupq/pqm4/blob/master/crypto_kem/bikel1/m4f/kem.c.

  14. 14.

    https://github.com/mupq/pqm4/blob/master/crypto_kem/sikep434/m4/sike.inc.

  15. 15.

    In practice, we may need more queries than the values shown in the table, because the value of the secret key may occasionally carry an error due to an inserted fault. For simplicity, we ignore such situations here.

  16. 16.

    On Saber and Kyber, we have trade-offs between the number of expected queries and efficiency. In this table, we use \(\ell = 1\).

References

  1. ISO/IEC 18033-2:2006 information technology – security techniques – encryption algorithms – part 2: asymmetric ciphers (2006). https://www.iso.org/standard/37971.html

  2. Abdalla, M., Benhamouda, F., Pointcheval, D.: Public-key encryption indistinguishable under plaintext-checkable attacks. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 332–352. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_15

    Chapter  MATH  Google Scholar 

  3. Aggarwal, D., Maurer, U.: Breaking RSA generically is equivalent to factoring. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 36–53. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_2

    Chapter  Google Scholar 

  4. Aguilar Melchor, C., et al.: HQC. Technical report, National Institute of Standards and Technology (2020)

    Google Scholar 

  5. Ajtai, M., Dwork, C.: A public-key cryptosystem with worst-case/average-case equivalence. In: STOC 1997, pp. 284–293. ACM Press, May 1997

    Google Scholar 

  6. Alagic, G., et al.: NISTIR 8309: status report on the second round of the NIST post-quantum cryptography standardization process, July 2020

    Google Scholar 

  7. Albrecht, M.R., et al.: Classic McEliece. Technical report, National Institute of Standards and Technology (2020)

    Google Scholar 

  8. Antipa, A., Brown, D., Menezes, A., Struik, R., Vanstone, S.: Validation of elliptic curve public keys. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 211–223. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_16

    Chapter  MATH  Google Scholar 

  9. Aragon, N., et al.: BIKE. Technical report, National Institute of Standards and Technology (2020)

    Google Scholar 

  10. Băetu, C., Durak, F.B., Huguenin-Dumittan, L., Talayhan, A., Vaudenay, S.: Misuse attacks on post-quantum cryptosystems. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part II. LNCS, vol. 11477, pp. 747–776. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_26

    Chapter  Google Scholar 

  11. Barenghi, A., Bertoni, G., Perrinello, E., Pelosi, G.: Low voltage fault attacks on the RSA cryptosystem. In: FDTC 2009. IEEE Computer Society (2009)

    Google Scholar 

  12. Barenghi, A., Breveglieri, L., Koren, I., Pelosi, G., Regazzoni, F.: Countermeasures against fault attacks on software implemented AES: effectiveness and cost. In: WESS 2010 (2010)

    Google Scholar 

  13. Bellare, M. (ed.): CRYPTO 2000, LNCS, vol. 1880. Springer, Heidelberg, August 2000. https://doi.org/10.1007/3-540-44598-6

  14. Bernstein, D.J., et al.: NTRU Prime. Technical report, National Institute of Standards and Technology (2020)

    Google Scholar 

  15. Biehl, I., Meyer, B., Müller, V.: Differential fault attacks on elliptic curve cryptosystems. In: Bellare [13], pp. 131–146 (2000)

    Google Scholar 

  16. Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052259

    Chapter  Google Scholar 

  17. Bindel, N., Hamburg, M., Hövelmanns, K., Hülsing, A., Persichetti, E.: Tighter proofs of CCA security in the quantum random oracle model. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019, Part II. LNCS, vol. 11892, pp. 61–90. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_3

    Chapter  MATH  Google Scholar 

  18. Blömer, J., Günther, P.: Singular curve point decompression attack. In: FDTC 2015, pp. 71–84. IEEE Computer Society (2015)

    Google Scholar 

  19. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3

    Chapter  MATH  Google Scholar 

  20. Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of eliminating errors in cryptographic computations. J. Cryptol. 14(2), 101–119 (2001)

    Article  MathSciNet  Google Scholar 

  21. Boneh, D., Venkatesan, R.: Breaking RSA may not be equivalent to factoring. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 59–71. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054117

    Chapter  Google Scholar 

  22. Chen, C., et al.: NTRU. Technical report, National Institute of Standards and Technology (2020)

    Google Scholar 

  23. Cheon, J.H., Takagi, T. (eds.): ASIACRYPT 2016, Part I. LNCS, vol. 10031. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6

    Book  MATH  Google Scholar 

  24. Coron, J.-S., Kizhvatov, I.: An efficient method for random delay generation in embedded software. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 156–170. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04138-9_12

    Chapter  MATH  Google Scholar 

  25. Costello, C.: The case for SIKE: a decade of the supersingular isogeny problem. Cryptology ePrint Archive, Report 2021/543 (2021). https://eprint.iacr.org/2021/543

  26. Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)

    Article  MathSciNet  Google Scholar 

  27. D’Anvers, J.P., et al.: SABER. Technical report, National Institute of Standards and Technology (2020)

    Google Scholar 

  28. De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014)

    MathSciNet  MATH  Google Scholar 

  29. Dent, A.W.: A designer’s guide to KEMs. In: Paterson, K.G. (ed.) Cryptography and Coding 2003. LNCS, vol. 2898, pp. 133–151. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40974-8_12

    Chapter  Google Scholar 

  30. Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)

    Article  MathSciNet  Google Scholar 

  31. Ding, J., Deaton, J., Schmidt, K., Vishakha, Zhang, Z.: A simple and practical key reuse attack on NTRU cryptosystem. Cryptology ePrint Archive, Report 2019/1022 (2019). https://eprint.iacr.org/2019/1022

  32. Endo, S., Homma, N., Hayashi, Y., Takahashi, J., Fuji, H., Aoki, T.: A multiple-fault injection attack by adaptive timing control under black-box conditions and a countermeasure. In: Prouff, E. (ed.) COSADE 2014. LNCS, vol. 8622, pp. 214–228. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10175-0_15

    Chapter  MATH  Google Scholar 

  33. Endo, S., Sugawara, T., Homma, N., Aoki, T., Satoh, A.: An on-chip glitchy-clock generator for testing fault injection attacks. J. Crypt. Eng. 1(4), 265–270 (2011)

    Article  Google Scholar 

  34. Fluhrer, S.: Cryptanalysis of ring-LWE based key exchange with key share reuse. Cryptology ePrint Archive, Report 2016/085 (2016). https://eprint.iacr.org/2016/085

  35. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener [78], pp. 537–554 (1999)

    Google Scholar 

  36. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 80–101 (2013)

    Article  MathSciNet  Google Scholar 

  37. Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon and Takagi [23], pp. 63–91 (2016)

    Google Scholar 

  38. Guo, Q., Johansson, T., Nilsson, A.: A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part II. LNCS, vol. 12171, pp. 359–386. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_13

    Chapter  Google Scholar 

  39. Guo, Q., Johansson, T., Stankovski, P.: A key recovery attack on MDPC with CCA security using decoding errors. In: Cheon and Takagi [23], pp. 789–815 (2016)

    Google Scholar 

  40. Hall, C., Goldberg, I., Schneier, B.: Reaction attacks against several public-key cryptosystem. In: Varadharajan, V., Mu, Y. (eds.) ICICS 1999. LNCS, vol. 1726, pp. 2–12. Springer, Heidelberg (1999). https://doi.org/10.1007/978-3-540-47942-0_2

    Chapter  Google Scholar 

  41. Hayashi, Y., Homma, N., Sugawara, T., Mizuki, T., Aoki, T., Sone, H.: Non-invasive trigger-free fault injection method based on intentional electromagnetic interference. In: Proceedings of The Non-Invasive Attack Testing Workshop - NIAT 2011, September 2011

    Google Scholar 

  42. Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part I. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12

    Chapter  MATH  Google Scholar 

  43. Howe, J., Prest, T., Apon, D.: SoK: how (not) to design and implement post-quantum cryptography. In: Paterson, K.G. (ed.) CT-RSA 2021. LNCS, vol. 12704, pp. 444–477. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-75539-3_19

    Chapter  Google Scholar 

  44. Huguenin-Dumittan, L., Vaudenay, S.: Classical misuse attacks on NIST round 2 PQC. In: Conti, M., Zhou, J., Casalicchio, E., Spognardi, A. (eds.) ACNS 2020, Part I. LNCS, vol. 12146, pp. 208–227. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-57808-4_11

    Chapter  Google Scholar 

  45. Jao, D., et al.: SIKE. Technical report, National Institute of Standards and Technology (2020)

    Google Scholar 

  46. Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2

    Chapter  MATH  Google Scholar 

  47. Jiang, H., Zhang, Z., Chen, L., Wang, H., Ma, Z.: IND-CCA-Secure key encapsulation mechanism in the quantum random oracle model, revisited. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part III. LNCS, vol. 10993, pp. 96–125. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_4

    Chapter  Google Scholar 

  48. Jiang, H., Zhang, Z., Ma, Z.: Key encapsulation mechanism with explicit rejection in the quantum random oracle model. In: Lin, D., Sako, K. (eds.) PKC 2019, Part II. LNCS, vol. 11443, pp. 618–645. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_21

    Chapter  Google Scholar 

  49. Kannwischer, M.J., Rijneveld, J., Schwabe, P., Stoffelen, K.: pqm4: post-quantum crypto library for the ARM Cortex-M4 (2021). https://github.com/mupq/pqm4

  50. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_9

    Chapter  Google Scholar 

  51. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener [78], pp. 388–397 (1999)

    Google Scholar 

  52. Kuchta, V., Sakzad, A., Stehlé, D., Steinfeld, R., Sun, S.-F.: Measure-rewind-measure: tighter quantum random oracle model proofs for one-way to hiding and CCA security. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part III. LNCS, vol. 12107, pp. 703–728. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_24

    Chapter  Google Scholar 

  53. Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2_21

    Chapter  Google Scholar 

  54. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1

    Chapter  Google Scholar 

  55. McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. The deep space network progress report 42–44, Jet Propulsion Laboratory, California Institute of Technology, January/February 1978. https://ipnpr.jpl.nasa.gov/progress_report2/42-44/44N.PDF

  56. Misoczki, R., Tillich, J., Sendrier, N., Barreto, P.S.L.M.: MDPC-McEliece: new McEliece variants from moderate density parity-check codes. In: ISIT 2013, pp. 2069–2073. IEEE (2013)

    Google Scholar 

  57. Naehrig, M., et al.: FrodoKEM. Technical report, National Institute of Standards and Technology (2020)

    Google Scholar 

  58. Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Prob. Control Inf. Theory 15(2), 159–166 (1986)

    MathSciNet  MATH  Google Scholar 

  59. Okamoto, T., Pointcheval, D.: REACT: rapid enhanced-security asymmetric cryptosystem transform. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 159–174. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45353-9_13

    Chapter  Google Scholar 

  60. Pessl, P., Prokop, L.: Fault attacks on CCA-secure lattice KEMs. IACR TCHES 2021(2), 37–60 (2021). https://tches.iacr.org/index.php/TCHES/article/view/8787

  61. Qin, Y., Cheng, C., Ding, J.: An efficient key mismatch attack on the NIST second round candidate Kyber. Cryptology ePrint Archive, Report 2019/1343 (2019). https://eprint.iacr.org/2019/1343

  62. Qin, Y., Cheng, C., Zhang, X., Pan, Y., Hu, L., Ding, J.: A systematic approach and analysis of key mismatch attacks on CPA-secure lattice-based NIST candidate KEMs. Cryptology ePrint Archive, Report 2021/123 (2021). https://eprint.iacr.org/2021/123

  63. Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_35

    Chapter  Google Scholar 

  64. Ravi, P., Ezerman, M.F., Bhasin, S., Chattopadhyay, A., Roy, S.S.: Will you cross the threshold for me? - Generic side-channel assisted chosen-ciphertext attacks on NTRU-based KEMs. Cryptology ePrint Archive, Report 2021/718 (2021). https://eprint.iacr.org/2021/718

  65. Ravi, P., Roy, S.S.: Side-channel analysis of lattice-based PQC candidates. NIST PQC Round 3 Seminars (2021). https://csrc.nist.gov/projects/post-quantum-cryptography/workshops-and-timeline/round-3-seminars

  66. Ravi, P., Roy, S.S., Chattopadhyay, A., Bhasin, S.: Generic side-channel attacks on CCA-secure lattice-based PKE and KEMs. IACR TCHES 2020(3), 307–335 (2020). https://tches.iacr.org/index.php/TCHES/article/view/8592

  67. Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. Assoc. Comput. Mach. 21(2), 120–126 (1978)

    MathSciNet  MATH  Google Scholar 

  68. Saha, D., Mukhopadhyay, D., RoyChowdhury, D.: A diagonal fault attack on the advanced encryption standard. Cryptology ePrint Archive, Report 2009/581 (2009). https://eprint.iacr.org/2009/581

  69. Saito, T., Xagawa, K., Yamakawa, T.: Tightly-secure key-encapsulation mechanism in the quantum random oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part III. LNCS, vol. 10822, pp. 520–551. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_17

    Chapter  MATH  Google Scholar 

  70. Schwabe, P., et al.: CRYSTALS-KYBER. Technical report, National Institute of Standards and Technology (2020)

    Google Scholar 

  71. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: 35th FOCS, pp. 124–134. IEEE Computer Society Press, November 1994

    Google Scholar 

  72. Shoup, V.: Using hash functions as a hedge against chosen ciphertext attack. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 275–288. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_19

    Chapter  Google Scholar 

  73. Singh, S.: The Code Book. Fourth Estate (1999)

    Google Scholar 

  74. Skorobogatov, S.P., Anderson, R.J.: Optical fault induction attacks. In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 2–12. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36400-5_2

    Chapter  Google Scholar 

  75. Takahashi, A., Tibouchi, M.: Degenerate fault attacks on elliptic curve parameters in openssl. In: Euro S&P 2019, pp. 371–386. IEEE (2019)

    Google Scholar 

  76. Targhi, E.E., Unruh, D.: Post-quantum security of the Fujisaki-Okamoto and OAEP transforms. In: Hirt, M., Smith, A. (eds.) TCC 2016-B, Part II. LNCS, vol. 9986, pp. 192–216. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_8

    Chapter  MATH  Google Scholar 

  77. Vacek, J., Václavek, J.: Key mismatch attack on ThreeBears, Frodo and Round5. In: Hong, D. (ed.) ICISC 2020. LNCS, vol. 12593, pp. 182–198. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-68890-5_10

    Chapter  Google Scholar 

  78. Wiener, M. (ed.): CRYPTO 1999. LNCS, vol. 1666. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1

    Book  MATH  Google Scholar 

  79. Yen, S.M., Joye, M.: Checking before output may not be enough against fault-based cryptanalysis. IEEE Trans. Comput. 49(9), 967–970 (2000)

    Article  Google Scholar 

  80. Sung-Ming, Y., Kim, S., Lim, S., Moon, S.: A countermeasure against one physical cryptanalysis may benefit another attack. In: Kim, K. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 414–427. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45861-1_31

    Chapter  Google Scholar 

  81. Zhang, X., Cheng, C., Qin, Y., Ding, R.: Small leaks sink a great ship: an evaluation of key reuse resilience of PQC third round finalist NTRU-HRSS. Cryptology ePrint Archive, Report 2021/168 (2021). https://eprint.iacr.org/2021/168. To appear in ICICS 2021

Download references

Acknowledgment

The authors would like to thank to anonymous reviewers of Asiacrypt 2021 for their helpful and insightful comments.

Author information

Authors and Affiliations

  1. Tohoku University, 2–1–1 Katahira, Aoba-ku, Sendai-shi, 980-8577, Japan

    Akira Ito, Rei Ueno & Naofumi Homma

  2. PRESTO, Japan Science and Technology Agency, 4–1–8 Honcho, Kawaguchi, Saitama, 332-0012, Japan

    Rei Ueno

  3. NTT Social Informatics Laboratories, 3-9-11 Midori-cho, Musashino-shi, Tokyo, 180-8585, Japan

    Keita Xagawa & Junko Takahashi

  4. CREST, Japan Science and Technology Agency, 4–1–8 Honcho, Kawaguchi, Saitama, 332-0012, Japan

    Naofumi Homma

Authors
  1. Keita Xagawa
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Akira Ito
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Rei Ueno
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Junko Takahashi
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Naofumi Homma
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Keita Xagawa , Akira Ito , Rei Ueno , Junko Takahashi or Naofumi Homma .

Editor information

Editors and Affiliations

  1. NTT Corporation, Tokyo, Japan

    Mehdi Tibouchi

  2. Nanyang Technological University, Singapore, Singapore

    Huaxiong Wang

Rights and permissions

Reprints and permissions

Copyright information

© 2021 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Xagawa, K., Ito, A., Ueno, R., Takahashi, J., Homma, N. (2021). Fault-Injection Attacks Against NIST’s Post-Quantum Cryptography Round 3 KEM Candidates. In: Tibouchi, M., Wang, H. (eds) Advances in Cryptology – ASIACRYPT 2021. ASIACRYPT 2021. Lecture Notes in Computer Science(), vol 13091. Springer, Cham. https://doi.org/10.1007/978-3-030-92075-3_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-92075-3_2

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-92074-6

  • Online ISBN: 978-3-030-92075-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation