Number “Not Used” Once - Practical Fault Attack on pqm4 Implementations of NIST Candidates

  • Prasanna Ravi
  • Debapriya Basu Roy
  • Shivam Bhasin
  • Anupam Chattopadhyay
  • Debdeep Mukhopadhyay
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11421)


In this paper, we demonstrate practical fault attacks on a number of lattice-based schemes, in particular NewHope, Kyber, Frodo and Dilithium, all of which are based on the hardness of the Learning with Errors (LWE) problem. A trait common to all the considered LWE schemes is the use of nonces as domain separators when sampling the secret components of the LWE instance. We show that simple faults targeting the use of the nonce can produce a nonce-reuse scenario, which in turn allows key recovery and message recovery attacks. To the best of our knowledge, we propose the first practical fault attack on lattice-based key encapsulation schemes secure in the CCA model. We validate our attack experimentally using electromagnetic fault injection on reference implementations of the aforementioned schemes taken from the pqm4 library, a benchmarking and testing framework for post-quantum cryptographic implementations on the ARM Cortex-M4. We use the instruction-skip fault model, which is practical and widely used against microcontroller-based implementations. Our attack requires only a few injected faults (fewer than 10 for the recommended parameter sets) and can be repeated with 100% accuracy using our electromagnetic fault injection setup.
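The abstract describes secret components being sampled from one seed with a running nonce as domain separator, and an instruction-skip fault that leads to the same nonce being used twice. The following added example (not code from the paper or from pqm4) models that sampling in a simplified, Kyber-style way, assumed here to be a centred binomial distribution drawn from SHAKE-256(seed || nonce) with toy parameters N and ETA; it simulates the fault as a skipped nonce increment and shows the kind of redundancy check a defender can add so that a faulted run is detected rather than producing a key with a reused nonce. All parameters, names and seeds are constructed for the illustration.

```python
"""Nonce-separated sampling of LWE secret components with a fault-detection
check.  Added illustration, not the paper's or pqm4's code.  Assumptions
(labelled): coefficients follow a centred binomial distribution derived from
SHAKE-256(seed || nonce) in the style of Kyber; toy parameters N and ETA;
the instruction-skip fault is modelled as a skipped nonce increment."""
import hashlib

N = 16     # toy polynomial degree (assumption; real schemes use 256 or more)
ETA = 2    # centred binomial parameter (assumption)


def sample_cbd(seed, nonce):
    """Expand seed || nonce with SHAKE-256 and map each byte to one small
    coefficient in [-ETA, ETA] (popcount of ETA bits minus popcount of the
    next ETA bits).  The nonce is the only thing separating one sampled
    component from the next."""
    buf = hashlib.shake_256(seed + bytes([nonce])).digest(N)
    mask = (1 << ETA) - 1
    coeffs = []
    for byte in buf:
        a = bin(byte & mask).count("1")
        b = bin((byte >> ETA) & mask).count("1")
        coeffs.append(a - b)
    return coeffs


def sample_secret_components(seed, k, skip_increment_at=None):
    """Sample k secret polynomials s_i and then k error polynomials e_i with a
    single running nonce, as the abstract describes.  skip_increment_at
    simulates a fault: the nonce increment after that sampling step does not
    happen, so the next component is drawn with the same nonce."""
    nonce = 0
    polys = []
    for step in range(2 * k):
        polys.append(sample_cbd(seed, nonce))
        if step != skip_increment_at:   # the faulted increment is modelled here
            nonce += 1
    return polys[:k], polys[k:], nonce


def nonce_reuse_detected(s, e, final_nonce, k):
    """Defensive redundancy check to run before the key is used or published:
    the nonce counter must have advanced exactly 2k times, and no two sampled
    components may coincide.  Either condition failing indicates a faulted or
    otherwise corrupted sampling run."""
    if final_nonce != 2 * k:
        return True
    polys = s + e
    return any(polys[i] == polys[j]
               for i in range(len(polys))
               for j in range(i + 1, len(polys)))


if __name__ == "__main__":
    seed = b"constructed-seed-for-illustration"
    s, e, n = sample_secret_components(seed, 2)
    print("fault-free run flagged:", nonce_reuse_detected(s, e, n, 2))
    s, e, n = sample_secret_components(seed, 2, skip_increment_at=1)
    print("faulted run flagged:   ", nonce_reuse_detected(s, e, n, 2))
```

In the faulted run the increment after the second sample is skipped, so the second secret polynomial and the first error polynomial are drawn with the same nonce and come out identical; the counter check catches the skipped increment on its own, and the pairwise comparison catches it even when the counter value itself is not available to the check. In a real implementation the comparison would be done in constant time, and the check is a complement to, not a replacement for, hardware-level fault countermeasures.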



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Prasanna Ravi (1, 2)
  • Debapriya Basu Roy (3)
  • Shivam Bhasin (1)
  • Anupam Chattopadhyay (2)
  • Debdeep Mukhopadhyay (3)
  1. Temasek Laboratories, Nanyang Technological University, Singapore
  2. School of Computer Science and Engineering, Nanyang Technological University, Singapore
  3. Indian Institute of Technology Kharagpur, India
