Transactions on Cryptographic Hardware and Embedded Systems, Volume 2021
Fault Attacks on CCA-secure Lattice KEMs
Matlab and C sources used for simulations, includes attacks for Kyber (v2, all parameter sets) and NewHope512. The scripts are currently set up to execute a single attack on Kyber512 using 7500 faults and NewHope512 using 15000 faults, but can be easily configured for other scenarios.
ccontains programs used to generate linear inequalities. The programs are based on the reference implementations of Kyber and NewHope; simulated faults are injected at the positions described in the paper. The program then generates the resulting inequalities and dumps them into files.
matlabconstains the scripts used for solving the linear inequalities and recovering the key. First calls the appropriate program to generate the inequalities, then parses the files, and then runs the solving approach described in the paper.
- Matlab with the Parallel Processing Toolbox (tested with R2018b and R2020b)
- at least 64GB RAM
How to run
For attacks on Kyber, run the following (same for NewHope):
- open the
- run the matlab script kyber_attack.m (with the
matlabfolder as current directory)
Important configuration parameters
The first section of the Matlab scripts contains several configuration options. Some of the most important ones are:
kyberkselects the used kyber parameter set. Valid options are 2 (Kyber512), 3 (Kyber768), and 4 (Kyber1024).
faultrangeselects the number of faults for the sweep. Ranges used for the reported simulations can be found in the comments. Currently set up to run tests with a fixed number of faults (7500 for Kyber and 15000 for NewHope).
maxiterationssets the maximum number of iterations for the statistical solving method.
repeatsdetermines how many experiments to run per fault quantity (for determining the success rate). Currently set to 1.
plotsallows to turn on analysis plots, which show the current status of key recovery (current rank of the correct key for each coefficient, current probability of the correct key coefficient).
storeswitches on the storage of results in the file
result.mat(needed when multiple simulations are performed, i.e., in a sweep)