Fault Attacks on CCA-Secure Lattice KEMs

Explore fault attacks on CCA-secure lattice-based Key Encapsulation Mechanisms (KEMs) in this 45-minute talk by Peter Pessl at the Workshop on Attacks in Cryptography, held in conjunction with Crypto 2021. Delve into the implementation security of lattice KEMs, focusing on Kyber and Saber. Examine the LPR encryption scheme, Fujisaki-Okamoto transformation, and the process of attacking an FO-KEM. Investigate effective and ineffective faults in the decoder, with a specific look at Kyber's decoding routine. Learn about extracting information through faulting the decoder, gathering inequalities, and solving for the key. Conclude with a discussion on potential countermeasures against these attacks.

Intro
What's that all about?
Status: Implementation Security of Lattice KEM
Kyber, Saber: High-Level Similarities
Our Attack
The LPR Encryption Scheme: Noisy ElGamal
Correctness and Decoding
Fujisaki-Okamoto: CPA PKE
Attacking an FO-KEM
Effective vs. Inflective Faults
(In)Effective Faults in the Decoder
Kyber's Decoding Routine
Faulting the Decoder
Extracting Information
Gathering Inequalities
Solving for the key
Solving Approach
Countermeasures?