- Cryptographic Implementations and Security
- Cryptography and Data Security
- Chaos-based Image/Signal Encryption
- Physical Unclonable Functions (PUFs) and Hardware Security
- Coding theory and cryptography
- Security and Verification in Computing
- Advanced Malware Detection Techniques
- Cryptography and Residue Arithmetic
- Embedded Systems Design Techniques
- Interconnection Networks and Systems
- Radiation Effects in Electronics
- Quantum Computing Algorithms and Architecture
- Cloud Data Security Solutions
- Network Packet Processing and Optimization
- Medical Imaging Techniques and Applications
- Advanced Memory and Neural Computing
- Polynomial and algebraic computation
- Quantum-Dot Cellular Automata
- Advanced Authentication Protocols Security
- Architecture and Computational Design
- Nuclear Materials and Properties
- Geophysics and Sensor Technology
- Caching and Content Delivery
- Electronic and Structural Properties of Oxides
- Peer-to-Peer Network Technologies
Nanyang Technological University
2018-2024
Centre for Development of Telematics
2016
National Institute of Technology Tiruchirappalli
2014
In this work, we demonstrate generic and practical EM side-channel assisted chosen-ciphertext attacks over multiple LWE/LWR-based Public Key Encryption (PKE) and Key Encapsulation Mechanisms (KEM) secure in the chosen-ciphertext model (IND-CCA security). We show that EM side-channel information can be efficiently utilized to instantiate a plaintext-checking oracle, which provides binary information about the output of decryption, typically concealed within IND-CCA secure PKE/KEMs, thereby enabling our attacks. Firstly, the identified EM-based vulnerabilities...
In this work, we present a systematic study of Side-Channel Attacks (SCA) and Fault Injection Attacks (FIA) on structured lattice-based schemes, with a main focus on the Kyber Key Encapsulation Mechanism (KEM) and the Dilithium signature scheme, which are leading candidates in the NIST standardization process for Post-Quantum Cryptography (PQC). Through our study, we attempt to understand the underlying similarities and differences between existing attacks while classifying them into different categories. Given the wide variety...
In this work, we propose generic and novel adaptations to the binary Plaintext-Checking (PC) oracle based side-channel attacks for Kyber KEM. These attacks operate in a chosen-ciphertext setting and are fairly easy to mount on a given target, as the attacker requires very minimal information about the target device. However, these attacks have the inherent disadvantage of requiring a few thousand traces to perform full key recovery. This is due to the fact that they typically work by recovering a single bit of the secret per query/trace. In this respect,...
In this work, we propose generic and practical side-channel attacks for message recovery in post-quantum lattice-based public key encryption (PKE) and key encapsulation mechanisms (KEM). The targeted schemes are based on the well-known Learning With Errors (LWE) and Learning With Rounding (LWR) problems and include three finalists and six semi-finalist candidates of NIST's ongoing standardization process for post-quantum cryptography. Notably, to exploit the inherent...
In this work, we present the first fault injection analysis of the Number Theoretic Transform (NTT). The NTT is an integral computation unit, widely used for polynomial multiplication in several structured lattice-based key encapsulation mechanisms (KEMs) and digital signature schemes. We identify a critical single fault vulnerability in the NTT, which severely reduces the entropy of its output. This in turn enables us to perform a wide range of attacks applicable to KEMs as well as signature schemes. In particular, we demonstrate novel message recovery...
This paper presents KyberSlash1 and KyberSlash2, two timing vulnerabilities in several implementations (including the official reference code) of the Kyber Post-Quantum Key Encapsulation Mechanism, recently standardized as ML-KEM. We demonstrate the exploitability of both on two popular platforms: the Raspberry Pi 2 (Arm Cortex-A7) and the Arm Cortex-M4 microprocessor. Kyber secret keys are reliably recovered within minutes for KyberSlash2 and a few hours for KyberSlash1. We responsibly disclosed these vulnerabilities to the maintainers of the various libraries, and they have...
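The KyberSlash1 pattern is a division by the modulus q in the message-decoding step (poly_tomsg in the reference code), where the dividend is derived from a secret-dependent coefficient; on the platforms named above the division's latency varies with that operand. The following is an added example, not the paper's or the Kyber project's code: it places that vulnerable decoder next to a constant-time replacement built from a fixed-point multiply and shift, checks exhaustively that both decoders agree on every coefficient in (-q, q), and decodes a constructed noisy message. The constants q = 3329 and the multiplier/shift pair 80635 / 2^28 follow the public ML-KEM reference fix; the function names, the sample message and the noise term are this example's own.

```c
/* Added example: KyberSlash1-style variable-time decode vs. a constant-time
 * decode. Not the paper's or the Kyber project's code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KYBER_Q 3329
#define KYBER_N 256

/* Map a coefficient in (-q, q) to [0, q) without a branch. */
static uint16_t normalize(int16_t c) {
    uint16_t t = (uint16_t)c;
    t += ((int16_t)t >> 15) & KYBER_Q;   /* add q iff c is negative */
    return t;
}

/* Vulnerable decoder: bit = round(2c / q) mod 2, computed with an integer
 * division. The dividend depends on the secret-derived coefficient, so a
 * divider whose latency depends on its operands leaks through timing. */
int decode_bit_vulnerable(int16_t c) {
    uint32_t t = normalize(c);
    return (int)((((t << 1) + KYBER_Q / 2) / KYBER_Q) & 1);
}

/* Constant-time decoder: floor(u * 80635 / 2^28) equals floor(u / 3329) for
 * every u = 2c + 1665 that can occur here (c in [0, q)), so the division is
 * replaced by a multiply and a shift with no data-dependent latency. */
int decode_bit_ct(int16_t c) {
    uint32_t t = normalize(c);
    t <<= 1;
    t += 1665;
    t *= 80635;       /* max dividend 8321 * 80635 fits in 32 bits */
    t >>= 28;
    return (int)(t & 1);
}

/* Returns 1 iff both decoders agree on every coefficient in (-q, q). */
int decoders_agree(void) {
    for (int c = -(KYBER_Q - 1); c < KYBER_Q; c++)
        if (decode_bit_vulnerable((int16_t)c) != decode_bit_ct((int16_t)c))
            return 0;
    return 1;
}

/* Decode 256 coefficients into a 32-byte message, constant-time version. */
void poly_to_msg_ct(uint8_t msg[32], const int16_t coeffs[KYBER_N]) {
    for (int i = 0; i < KYBER_N / 8; i++) {
        msg[i] = 0;
        for (int j = 0; j < 8; j++)
            msg[i] |= (uint8_t)(decode_bit_ct(coeffs[8 * i + j]) << j);
    }
}

/* Encode a constructed 32-byte message the way poly_frommsg does
 * (bit -> 0 or (q+1)/2), add a small deterministic "decryption noise"
 * term, decode with the constant-time routine and confirm the message
 * survives. Returns 1 on success. */
int roundtrip_ok(void) {
    uint8_t msg[32], out[32];
    int16_t coeffs[KYBER_N];
    for (int i = 0; i < 32; i++)
        msg[i] = (uint8_t)(0x5A ^ (i * 29));            /* constructed sample */
    for (int i = 0; i < KYBER_N; i++) {
        int bit = (msg[i / 8] >> (i % 8)) & 1;
        int16_t noise = (int16_t)((i * 37) % 201 - 100); /* constructed, in [-100, 100] */
        coeffs[i] = (int16_t)(bit * ((KYBER_Q + 1) / 2) + noise);
    }
    poly_to_msg_ct(out, coeffs);
    return memcmp(msg, out, 32) == 0;
}

int main(void) {
    printf("decoders agree on all inputs: %s\n", decoders_agree() ? "yes" : "no");
    printf("noisy round trip ok: %s\n", roundtrip_ok() ? "yes" : "no");
    return 0;
}
```

A practical check on a build for the affected targets is to disassemble both decoders: look for a udiv/sdiv or a call to the toolchain's integer-division helper in the vulnerable one, and confirm that only multiply and shift instructions remain in the constant-time one. The exhaustive agreement check is what justifies the replacement; a multiply/shift constant that is off by one would silently flip message bits for a few coefficient values.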
In this paper, we analyze the implementation-level fault vulnerabilities of deterministic lattice-based signature schemes. In particular, we extend the practicality of skip-addition fault attacks through the exploitation of determinism in the Dilithium and qTESLA signature schemes, which are two leading candidates for NIST standardization of post-quantum cryptography. We show that single targeted faults injected in the signing procedure allow us to recover an important portion of the secret key. Though we do not recover all key elements, we propose a novel forgery...
In an effort to circumvent the high cost of standard countermeasures against side-channel attacks in post-quantum cryptography, some works have developed low-cost detection-based countermeasures. These try to detect maliciously generated input ciphertexts and react to them by discarding the ciphertext or the secret key. In this work, we take a look at two previously proposed countermeasures, the sanity check and the decapsulation failure check, and demonstrate successful attacks on these schemes. We show that the first countermeasure...
Ensuring communication security in real-time automotive networks is of paramount importance given the sensitivity of the exchanged information and the highly safety-critical nature of its operation. The first step towards ensuring this is to securely authenticate all computational nodes through the use of authentication protocols based on public-key cryptography. But the traditional cryptographic primitives we use today are believed to be breakable by large-scale quantum computers in the future. Thus, NIST is currently running a global...
Recent work has shown that Side-Channel Attacks (SCA) and Fault Attacks (FA) can be combined, forming an extremely powerful adversarial model which can bypass even some of the strongest protections against both FA and SCA. However, such a form of combined attack comes with practical challenges: 1) a profiled setting with multiple fault locations is needed; 2) fault models are restricted to single-bit set-reset/flips; 3) the input needs to be repeated several times. In this paper, we propose a new strategy called SCA-NFA which works in...
Digital security practitioners are facing an enormous challenge in the face of the growing repertoire of physical attacks, e.g., Side-Channel Attacks (SCA) and Fault Injection Attacks (FIA). Countermeasures to such threats are usually of very different natures and come with a significant performance penalty. While FIA countermeasures rely on fault-detecting sensors or concurrent error detection schemes, SCA countermeasures are based on data masking or dual-rail logic circuits. Recently, a low-overhead countermeasure has been proposed that utilises...
In this work, we propose the first hardware implementation of Classic McEliece protected with countermeasures against Side-Channel Attacks (SCA) and Fault Injection Attacks (FIA). Classic McEliece is one of the leading candidates for Key Encapsulation Mechanisms (KEMs) in the ongoing round 4 of the NIST standardization process for post-quantum cryptography. In particular, we implement a range of generic countermeasures against SCA and FIA, particularly for vulnerable operations such as the additive Fast Fourier Transform (FFT) and Gaussian elimination, that have been targeted...
Elliptic curve cryptography (ECC) is a public key cryptosystem which is widely used for different real-world applications. With the introduction of side-channel attacks, there is growing concern regarding the security of such implementations. Indeed, attacks have been reported to break even theoretically secure ciphers by exploiting physical leakage. The non-profiled attacks especially are considered more serious than their profiled counterparts, as the former can work in an almost black-box setting. Several countermeasures have been proposed; however,...