Significant research efforts have been dedicated to designing cryptographic algorithms that are quantum-resistant. The motivation is clear: robust quantum computers, once available, will render current cryptographic standards vulnerable. Thus, we need new Post-Quantum Cryptography (PQC) algorithms, and, due to the inherent complexity of such algorithms, there is also a demand to accelerate them in hardware. In this paper, we show that PQC hardware accelerators can be backdoored by two different adversaries located in the chip supply chain. We propose REPQC, a sophisticated reverse engineering algorithm that can be employed to confidently identify hashing operations (i.e., Keccak) within the PQC accelerator - the location of which serves as an anchor for finding secret information to be leaked. Armed with REPQC, an adversary proceeds to insert malicious logic in the form of a stealthy Hardware Trojan Horse (HTH). Using Dilithium as a case study, our results demonstrate that HTHs that increase the accelerator's layout density by as little as 0.1% can be inserted without any impact on the performance of the circuit and with a marginal increase in power consumption. An essential aspect is that the entire reverse engineering in REPQC is automated, and so is the HTH insertion that follows it, empowering adversaries to explore multiple HTH designs and identify the most suitable one.