Carry Your Fault: A Fault Propagation Attack on Side-Channel Protected LWE-based KEM

TL;DR

This paper introduces a novel fault propagation attack on side-channel protected LWE-based KEMs, exploiting the A2B conversion process to recover cryptographic keys, demonstrated on Kyber with practical EM fault testing.

Contribution

It presents the first attack exploiting an algorithmic component designed for masking, revealing vulnerabilities in secure LWE-based cryptographic implementations.

Findings

Successful key recovery on Kyber using the proposed fault attack

Attack exploits the A2B conversion's data dependency to leak information

Validated attack through both simulation and EM fault injection on hardware

Abstract

Post-quantum cryptographic (PQC) algorithms, especially those based on the learning with errors (LWE) problem, have been subjected to several physical attacks in the recent past. Although the attacks broadly belong to two classes - passive side-channel attacks and active fault attacks, the attack strategies vary significantly due to the inherent complexities of such algorithms. Exploring further attack surfaces is, therefore, an important step for eventually securing the deployment of these algorithms. Also, it is important to test the robustness of the already proposed countermeasures in this regard. In this work, we propose a new fault attack on side-channel secure masked implementation of LWE-based key-encapsulation mechanisms (KEMs) exploiting fault propagation. The attack typically originates due to an algorithmic modification widely used to enable masking, namely the Arithmetic-to-Boolean (A2B) conversion. We exploit the data dependency of the adder carry chain in A2B and extract sensitive information, albeit masking (of arbitrary order) being present. As a practical demonstration of the exploitability of this information leakage, we show key recovery attacks of Kyber, although the leakage also exists for other schemes like Saber. The attack on Kyber targets the decapsulation module and utilizes Belief Propagation (BP) for key recovery. To the best of our knowledge, it is the first attack exploiting an algorithmic component introduced to ease masking rather than only exploiting the randomness introduced by masking to obtain desired faults (as done by Delvaux). Finally, we performed both simulated and electromagnetic (EM) fault-based practical validation of the attack for an open-source first-order secure Kyber implementation running on an STM32 platform.