Beware of Keccak: Practical Fault Attacks on SHA-3 to Compromise Kyber and Dilithium on ARM Cortex-M Devices

Published: 01 Jan 2024, Last Modified: 10 Feb 2025. IACR Cryptol. ePrint Arch. 2024. License: CC BY-SA 4.0.
Abstract: ML-KEM and ML-DSA are NIST-standardized lattice-based post-quantum cryptographic algorithms. In both algorithms, KECCAK is the designated hash function and extendable-output function. It is used extensively to derive sensitive values, which makes it a valuable target for attackers. In the field of fault injection attacks, few works have targeted KECCAK, and those that did have not fully explored its potential as a general component, so many attacks remain undiscovered. This article systematically analyzes methods for recovering keys, forging signatures, and bypassing verification by using (partially) recovered KECCAK outputs, presenting six attacks against ML-KEM and five attacks against ML-DSA, and thereby significantly expands the capabilities and applicability of attacks that fault KECCAK. These attacks cover the key generation, encapsulation, decapsulation, signing, and verification phases, making our scheme the first to apply to every phase of ML-KEM and ML-DSA. To support these upper-layer attacks, we propose several customized fault attacks on KECCAK that manipulate its control flow through loop-abort faults in order to recover the (partial) output. The proposed attacks are validated on the C implementations of ML-KEM and ML-DSA from the PQClean library running on embedded devices. Experiments show that loop-abort faults can be induced by electromagnetic fault injection on ARM Cortex-M microprocessors from multiple series, with a success rate of 89.5%. Furthermore, once the fault injection succeeds, the proposed attacks succeed with probability 100%.
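The abstract attacks the round loop of the KECCAK permutation: if the loop is aborted early, the state that leaves the permutation is far weaker than a full 24-round output. The following added example (not code from the paper or from PQClean) shows one defensive check for that failure mode: a pure-Python Keccak-f[1600] whose round loop keeps a redundant counter, and a single-block SHA3-256 wrapper that refuses to release a digest unless all 24 rounds ran. The `rounds` parameter only simulates the abort in software; the single-block limit is an assumption of this example.

```python
import hashlib

M = (1 << 64) - 1
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
      0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
      0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]

def rol(v, n):
    return ((v << n) | (v >> (64 - n))) & M if n else v

def keccak_round(A, rc):
    # theta: fold column parities into every lane
    C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]
    D = [C[(x - 1) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
    A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
    # rho + pi: rotate each lane and move it to its new position
    B = [[0] * 5 for _ in range(5)]
    for x in range(5):
        for y in range(5):
            B[y][(2 * x + 3 * y) % 5] = rol(A[x][y], ROT[x][y])
    # chi: the only nonlinear step; iota: round constant
    A = [[B[x][y] ^ (~B[(x + 1) % 5][y] & B[(x + 2) % 5][y]) for y in range(5)] for x in range(5)]
    A[0][0] ^= rc
    return A

def keccak_f(A, rounds=24):
    """24-round permutation. rounds < 24 simulates a loop-abort fault (example only)."""
    done = 0  # redundant counter, independent of the loop variable
    for i in range(rounds):
        A = keccak_round(A, RC[i])
        done += 1
    return A, done

def sha3_256(msg, rounds=24):
    """Single-block SHA3-256 (rate 136 bytes) that rejects an incomplete permutation."""
    rate = 136
    if len(msg) > rate - 2:
        raise ValueError("example handles a single block only")
    block = bytes(msg) + b"\x06" + bytes(rate - len(msg) - 2) + b"\x80" + bytes(200 - rate)
    A = [[int.from_bytes(block[8*(x+5*y):8*(x+5*y)+8], "little") for y in range(5)] for x in range(5)]
    A, done = keccak_f(A, rounds)
    if done != 24:  # a loop-abort leaves the counter short: fail closed, never use the state
        raise RuntimeError(f"KECCAK round loop aborted after {done} rounds")
    return b"".join(A[x][y].to_bytes(8, "little") for y in range(5) for x in range(5))[:32]

if __name__ == "__main__":
    print(sha3_256(b"abc") == hashlib.sha3_256(b"abc").digest())  # prints True
```

On real hardware the counter would be kept in a separate register or memory word and compared against the expected round count before the squeezed bytes are handed to the caller.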