Post-quantum cryptographic (PQC) algorithms, especially those based on the learning with errors (LWE) problem, have been subjected to several physical attacks in the recent past. Although these attacks broadly fall into two classes, passive side-channel attacks and active fault attacks, the attack strategies vary significantly because of the inherent complexity of such algorithms. Exploring further attack surfaces is therefore an important step toward eventually securing the deployment of these algorithms, and it is equally important to test the robustness of the countermeasures already proposed. In this work, we propose a new fault attack on side-channel secure masked implementations of LWE-based key-encapsulation mechanisms (KEMs) that exploits fault propagation. The attack originates from an algorithmic modification widely used to enable masking, namely the Arithmetic-to-Boolean (A2B) conversion. We exploit the data dependency of the adder carry chain in A2B to extract sensitive information even when masking (of arbitrary order) is present. As a practical demonstration of the exploitability of this information leakage, we show key recovery attacks on Kyber, although the leakage also exists for other schemes such as Saber. The attack on Kyber targets the decapsulation module and uses Belief Propagation (BP) for key recovery. To the best of our knowledge, it is the first attack that exploits an algorithmic component introduced to ease masking, rather than only exploiting the randomness introduced by masking to obtain the desired faults (as done by Delvaux). Finally, we performed both simulated and electromagnetic (EM) fault-based practical validation of the attack on an open-source first-order secure Kyber implementation running on an STM32 platform.