CryptoDB
When Frodo Flips: End-to-End Key Recovery on FrodoKEM via Rowhammer
| Authors: | |
|---|---|
| Download: | |
| Presentation: | Slides |
| Abstract: | In this work, we recover the private key material of the FrodoKEM key exchange mechanism as submitted to the NIST PQC standardization process. The new mechanism that allows for this is a Rowhammer-assisted poisoning of the FrodoKEM KeyGen process. That is, we induce the FrodoKEM software to output a higher-error PK, (A,B=AS+E), where the error E is modified by Rowhammer. Then, we perform a decryption failure attack, using a variety of publicly-accessible supercomputing resources running on the order of only 200,000 core-hours. We delicately attenuate the decryption failure rate to ensure that the adversary's attack succeeds practically, but so honest users cannot easily detect the manipulation. Achieving this public key "poisoning" requires an extreme engineering effort, as FrodoKEM's KeyGen runs on the order of 8 milliseconds. (Prior Rowhammer-assisted attacks against cryptography require as long as 8 hours of persistent access.) In order to handle this real-world timing condition, we require a wide variety of prior and brand new, low-level engineering techniques, including e.g. memory massaging algorithms -- i.e. "Feng Shui" -- and a precisely-targeted performance degradation attack on SHAKE. |
| Video: | https://youtu.be/rf63D1fdOJM?t=1608 |
BibTeX
@misc{rwc-2023-35435,
title={When Frodo Flips: End-to-End Key Recovery on FrodoKEM via Rowhammer},
note={Video at \url{https://youtu.be/rf63D1fdOJM?t=1608}},
howpublished={Talk given at RWC 2023},
author={Michael Fahr Jr. and Hunter Kippen and Andrew Kwong and Thinh Dang and Jacob Lichtinger and Dana Dachman-Soled and Daniel Genkin and Alexander H. Nelson and Ray Perlner and Arkady Yerukhimovich and Daniel Apon},
year=2023
}