Hello and welcome to our talk on the paper "Fault Attacks on CCA-Secure Lattice KEMs". My name is Peter Pessl, and this paper was joint work with Lukas Prokop.

You're probably well aware that NIST is currently running a standardization process for post-quantum cryptography. This process is currently in its third and, presumably, final round, and among the finalists are three lattice-based key encapsulation mechanisms, KEMs, namely Kyber, NTRU, and Saber. NIST is expected to pick one of these three for standardization by the end of this year. These three finalists are a nice fit for resource-constrained embedded devices; they have quite good runtimes. But performance isn't everything, because embedded devices are deployed out in the field, where they are accessible to attackers and thus susceptible to implementation attacks.

So what's the status of implementation attacks on these lattice-based KEMs? For side-channel attacks, quite a bit is already known: various attacks have been published, and some first protected implementations, in the form of masked implementations, are available. The situation for fault attacks is quite different. There is very little published work on fault attacks on lattice-based KEMs, and also hardly any public information on how to protect against potential fault attacks. Since NIST is expected to pick a scheme for standardization quite soon, this is something we have to look into.

What's also interesting about these lattice-based KEMs is that some of them share a lot of similarities, at least when viewed from a high level. For instance, Kyber and Saber can be seen as descendants of a scheme by Lyubashevsky, Peikert, and Regev: the LPR encryption scheme. This is a CPA-secure public-key encryption scheme whose security is based on the Ring Learning With Errors (Ring-LWE) problem. The LPR scheme and its descendants are only CPA-secure, so to obtain a CCA-secure key encapsulation mechanism, both Kyber and Saber employ some variant of the Fujisaki-Okamoto (FO) transform. What this transform essentially does during decapsulation is the following: you decrypt the received ciphertext to get some message m, then you re-encrypt m using randomness that is derived deterministically from m, and then you check whether this re-encrypted ciphertext matches the received ciphertext. Only if these two ciphertexts match do you release the true shared secret K; otherwise, you assume that the received ciphertext was manipulated in some form, and you return, for instance, a random shared secret or an error signal.
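To make this decrypt, re-encrypt, and compare flow concrete, here is a minimal Python sketch of an FO-style decapsulation. The `decrypt` and `encrypt` callables stand in for the underlying CPA scheme, and the SHA3-based hashing is an illustrative assumption; the actual KEMs each specify their own hash functions and key derivation.

```python
import hashlib

def H(*parts):
    """Hash helper (stand-in for the scheme's specified hash/KDF)."""
    h = hashlib.sha3_256()
    for p in parts:
        h.update(p)
    return h.digest()

def fo_decapsulate(ct, sk, pk, z, decrypt, encrypt):
    """FO-style decapsulation sketch: decrypt, deterministically
    re-encrypt, and release the true key only if the ciphertexts match.
    `decrypt`/`encrypt` are hypothetical CPA-scheme callables; `z` is a
    secret seed used for the pseudorandom rejection value."""
    m = decrypt(sk, ct)                  # CPA decryption
    coins = H(b"coins", m, pk)           # deterministic re-encryption randomness
    if encrypt(pk, m, coins) == ct:      # re-encrypt and compare
        return H(b"key", m, ct)          # true shared secret K
    return H(b"key", z, ct)              # random-looking K on mismatch
```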
Now, we've seen constructions like that somewhere else as well, because this decrypt, re-encrypt, and check pattern is essentially also a fault countermeasure that we often use in symmetric-key cryptography: decrypt, re-encrypt, and check whether the same input comes out again. So the question is: can we still attack such schemes even with this kind of inherent fault protection in place? And the answer, as you may have guessed from the title of the talk, is yes, because we show that attacks are still possible and practical. The Fujisaki-Okamoto transform is a fault deterrent that might make faulting harder, but it is not a countermeasure as such.

Our attack works as follows. We introduce a fault at a specific spot, and then we observe: does the decapsulation fail, or does it still return the correct value? So this is somewhat like a safe-error attack. The outcome, i.e., the information whether it fails or not, carries information on the private key. We gather this information over many invocations, over many faulted decapsulations, and finally solve for the key. We attack two schemes, Kyber and NewHope, and have to fault at least 6,500 decapsulations, but there is a high probability that such attacks can also be extended to other, similar schemes.

To explain how this attack works, I have to give a brief introduction to LPR. I always like to describe the LPR encryption scheme as a noisy ElGamal. It works with elements of a polynomial ring R_q, where all coefficients are taken modulo some q; this q can be a prime, but doesn't have to be. Key generation works as follows. First, two polynomials s and e are sampled, where all coefficients follow a narrow error distribution; Kyber, for instance, uses a binomial distribution over, say, -2 to +2. Then a polynomial a is sampled with coefficients drawn uniformly from Z_q, and the public key b is computed as b = a*s + e.

For encryption, you again sample three polynomials r, e1, and e2 from this error distribution, then you compute the two ciphertext components u and v, and you add the message onto the second ciphertext component v by encoding it. You can do this, for instance, by taking each message bit as one coefficient and multiplying this bit by q/2, so you either add 0 for a zero bit or q/2 for a one bit. For decryption, you compute m' = v - u*s, and this works because, by back substitution, you get m' = m*(q/2) + r*e - e1*s + e2, so the encoded message plus an additional error term. But all polynomials involved in this error term are sampled from the small error distribution, so we can say that m' is approximately m*(q/2). This might look like the figure on the slide, which shows an exemplary distribution of all the coefficients of m': two roughly Gaussian-shaped peaks, not truly Gaussian but close, one centered around 0, these are all the zero bits, and one centered around q/2, these are all the one bits. These distributions are far enough apart that a decoder can then work out whether a noisy coefficient is actually a zero bit or a one bit.
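For intuition, here is a minimal, insecure Python sketch of this LPR-style scheme over R_q = Z_q[x]/(x^n + 1). The toy parameters and the uniform noise sampler are assumptions for illustration; real implementations use the proper binomial sampler, NTT-based multiplication, and ciphertext compression.

```python
import random

N, Q = 256, 3329  # toy parameters in the spirit of Kyber

def polymul(f, g):
    """Schoolbook negacyclic convolution in Z_q[x]/(x^n + 1)."""
    res = [0] * N
    for i in range(N):
        for j in range(N):
            k = i + j
            if k < N:
                res[k] = (res[k] + f[i] * g[j]) % Q
            else:
                res[k - N] = (res[k - N] - f[i] * g[j]) % Q  # x^n = -1
    return res

def add(f, g):
    return [(a + b) % Q for a, b in zip(f, g)]

def sub(f, g):
    return [(a - b) % Q for a, b in zip(f, g)]

def sample_noise():
    """Narrow error distribution; uniform in [-2, 2] as a stand-in
    for Kyber's centered binomial distribution."""
    return [random.randint(-2, 2) % Q for _ in range(N)]

def keygen():
    a = [random.randrange(Q) for _ in range(N)]
    s, e = sample_noise(), sample_noise()
    b = add(polymul(a, s), e)                  # b = a*s + e
    return (a, b), s

def encrypt(pk, msg_bits):
    a, b = pk
    r, e1, e2 = sample_noise(), sample_noise(), sample_noise()
    u = add(polymul(a, r), e1)                 # u = a*r + e1
    encoded = [(bit * (Q // 2)) % Q for bit in msg_bits]
    v = add(add(polymul(b, r), e2), encoded)   # v = b*r + e2 + encode(m)
    return u, v

def decrypt(sk, ct):
    u, v = ct
    mp = sub(v, polymul(u, sk))                # m' = m*(q/2) + noise
    # decode: coefficients near 0 -> bit 0, near q/2 -> bit 1
    return [1 if Q // 4 <= c < 3 * Q // 4 else 0 for c in mp]
```

A quick round trip, `pk, sk = keygen()` followed by `decrypt(sk, encrypt(pk, bits)) == bits`, succeeds with overwhelming probability at these parameters, because the accumulated error term stays well below q/4.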
This scheme, or a variant of it, can then be plugged into the FO transform to obtain a chosen-ciphertext-secure key encapsulation mechanism, and again the question is: where can we inject a fault so that we can actually attack this? Some people have already suggested attacking the final equality check, i.e., the check whether the two ciphertexts are identical, and faulting it in such a way that you always take the "match" path of this multiplexer; this would re-enable chosen-ciphertext attacks. But this is already known, and this comparison is often quite a small part of the runtime, so you can throw lots of countermeasures at it without making much of a dent in performance.

Faulting the three middle components also doesn't help us a lot, because if we assume that the attacker generated the ciphertext, meaning that he honestly runs an encapsulation, then he already knows all the values processed in these three boxes: the re-encryption is essentially just encapsulation again and uses the exact same values. And of course, faulting a known value doesn't really help us.

So finally, we can fault the decryption, which is also the most logical part to target, because it involves the secret key. The problem is that in fault attacks we often think of it this way: we inject a fault, we get some disturbed result, and we use this disturbed result to compute backwards and derive information on the key. Here, however, we have the problem that if we inject a fault such that this message m is changed, then the re-encryption will lead to a different ciphertext, meaning we will always get back a random shared secret, and a random value of course carries no information on the secret key. So we have to think about it a little differently. The only observable information we really get is: is the returned shared secret K correct? Did we take the "match" path of the multiplexer because both ciphertexts are the same, or are the two ciphertexts different and K is random? This distinction, correct K versus random K, has to carry the information on the key. Now, where can we inject the fault such that we still have a chance of getting the correct K, so that m stays the same, and such that the outcome also carries information on the key?

Well, we found a place in the decoder. Remember that this decoder recovers the message m from the noisy m': for each coefficient, it takes an input value between 0 and q and outputs a single bit, 0 or 1. So even if we fault in there completely at random, we have a 50% chance of getting the same bit out of it. But of course we can't do it randomly; we have to do it a little more cleverly. We use the assumption that the attacker runs the encapsulation in an honest manner and sends the resulting ciphertext, meaning that he knows the shared secret and all intermediates computed during encapsulation, and hence also during re-encryption. Now have a look at this equation, which turned up during decryption: m' = m*(q/2) + r*e - e1*s + e2. A lot of the terms in there are known to the attacker, namely the message m as well as r, e1, and e2. Only two polynomials in there, e and s, are unknown, and these are exactly the secret key. This means that if we learn some information on this m' beyond the fact that it decodes to a zero or a one, then we have information that is linear in the secret key.

Okay, but how can we learn something about this m' using a fault? For that we have to look at how the decoder is actually implemented, and for this we use the reference implementation of Kyber's decoder. It works as follows. It takes an input a between 0 and q. It multiplies this input by two: this is just a scaling of the axis. Then it adds q/2: this is just a shift of the axis. Then it divides the value by q, and finally the least significant bit is returned, via an AND with the constant 1. If you follow the distributions on the slide, where the solid lines belong to a bit 0 and the dashed lines to a bit 1, you can clearly see that all bits are correctly decoded.
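In code, the per-coefficient decoding just described looks roughly as follows; this is a Python sketch mirroring the described steps of the C reference decoder, not the reference code itself.

```python
Q = 3329  # Kyber's modulus

def decode_bit(a):
    """Decode one noisy coefficient a in [0, Q) to a message bit.
    Values near 0 (or Q) map to 0, values near Q/2 map to 1."""
    a = 2 * a        # scale the axis
    a = a + Q // 2   # shift the axis
    a = a // Q       # divide by q
    return a & 1     # return the least significant bit

# Both peaks decode correctly, on either side of their center:
assert decode_bit(5) == 0 and decode_bit(Q - 5) == 0          # zero bits
assert decode_bit(Q // 2 + 5) == 1 and decode_bit(Q // 2 - 5) == 1  # one bits
```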
But what happens if we skip this one step, the addition of q/2? Well, now we have the following situation: the positive parts of these roughly Gaussian error distributions are still decoded correctly, so on the slide, the right halves of both the solid and the dashed peaks still map to the correct bit. But the negative parts, on the left of the distributions, are decoded incorrectly: a one gets decoded to a zero, and a zero gets decoded to a one. And if a coefficient is decoded to an incorrect value, then of course the re-encryption will produce a different ciphertext, the check will reject, and we get a random shared secret.

So we can look at the error term, r*e - e1*s + e2, at the i-th coefficient, i.e., the coefficient where we injected the fault. We can say that this linear expression is greater than or equal to zero if the fault was ineffective, meaning that we injected the fault but still got the correct K out of it. And on the other hand, this linear expression is negative if the fault was effective, meaning that the fault really changed something, the incorrect bit was returned, and since the FO transform detects that something is incorrect, we get a random shared secret K.

So what we have now is a linear inequality: on the left, something that is linear in the key, and on the right, the information whether it is greater than or equal to zero or smaller than zero. We gather many such inequalities, one per faulted decapsulation: we generate many ciphertexts, send them to the device, inject one fault per call, and get one inequality out of each. We can write these inequalities in matrix-vector form, exploiting this linearity: the unknowns e and s go into a vector, the known coefficients derived from r and e1 go into the matrix on the left, the known e2 terms move to the right-hand side, and instead of an equals sign we have a vector of greater-or-equal and smaller-than relations. Now, this problem of recovering e and s from this matrix and this vector of relations: if you replace the inequality signs with approximate-equality signs, then this is essentially a linear decoding problem, and for such decoding problems several algorithms already exist. For this reason we use a technique that is also known from decoding: belief propagation. I'll skip over the many details involved in this decoding process. So we decode this code, and we find e and s.
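As a sketch of how one faulted decapsulation turns into one row of this system: assuming the ring is Z[x]/(x^n + 1), so that polynomial products are negacyclic convolutions, and writing the unknown key as the stacked vector (e || s), each fault at coefficient i gives one linear inequality. The faulted decoder itself is simply the sketch above with the `+ Q // 2` step removed.

```python
import numpy as np

N = 256  # ring dimension, modulus x^n + 1

def conv_row(f, i):
    """Row c such that (f * g)[i] == c @ g for g in Z[x]/(x^n + 1)."""
    c = np.zeros(N, dtype=np.int64)
    for j in range(N):
        k = i - j
        c[j] = f[k] if k >= 0 else -f[k + N]  # sign flip on wrap-around
    return c

def inequality_from_fault(r, e1, e2, i, fault_was_ineffective):
    """One faulted decapsulation at coefficient i yields
        row @ (e || s) >= -e2[i]   if the fault was ineffective,
        row @ (e || s) <  -e2[i]   if it was effective,
    since (r*e - e1*s + e2)[i] >= 0 exactly when the correct K returns."""
    row = np.concatenate([conv_row(r, i), -conv_row(e1, i)])
    relation = ">=" if fault_was_ineffective else "<"
    return row, relation, -e2[i]
```

Collecting thousands of such rows and relaxing the inequalities to noisy equalities yields the linear decoding problem that the belief-propagation step then solves.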
We attacked the reference implementations of Kyber and NewHope, which shows that this attack works for multiple schemes, and we also attacked a masked decoder implementation. Of course, masking as such is not a fault countermeasure but a side-channel countermeasure, but since our attack is implementation-specific and skips over one instruction, we had a look at whether the attack still works, and it does.

We determined the success rates of the attacks via simulations, as a function of the number of faulted decapsulations, and you can see the outcome on the slide. As expected, larger, more secure parameter sets require more faults: for the smallest Kyber parameter set, Kyber512, we need about 6,000 faults, and for the largest parameter set roughly 13,000 faults to get a good success rate. To show that this attack is also really practical, we actually ran it: we ran Kyber512 on a microcontroller, injected clock glitches into this microcontroller, and successfully recovered the key.

In conclusion, we demonstrated that attacks even on FO-transformed key encapsulation mechanisms are practical. The Fujisaki-Okamoto transform may be a fault deterrent that makes attacks harder, but attacks are still possible. We applied this attack to Kyber and NewHope, but similar attacks on other schemes likely exist, i.e., on schemes that are very similar from a high-level viewpoint: descendants of LPR that use a variant of the FO transform. I'd also like to highlight that what I described here is a very specific instance of this attack. We had to skip one very specific instruction, but it is very likely that attacks also work at other positions: skipping over other instructions, or using a bit flip or a data corruption somewhere instead of a skip. This means it won't suffice to protect this one specific instruction. Finally, we put all our code online, so you can have a look at the attack code and run the simulations yourself if you're interested. This is the end of my talk; thank you for your interest.