The RoT Has Set In | FORTRESS Expert Review #1
Introduction
Welcome to the first edition of the FORTRESS Expert Review series, where, together with members of FORTRESS, we delve into the world of embedded post-quantum cryptography to provide you with detailed analyses on the matter.

Hash functions play an important role in making many Post-Quantum Cryptography (PQC) schemes secure and efficient enough. In particular, the NIST-standardized ML-KEM (FIPS 203) and ML-DSA (FIPS 204) post-quantum cryptographic algorithms recommend the use of the Keccak hash function and its derivatives (FIPS 202). In this review, we take a look at a novel single-fault injection attack proposed by Wang et al. (2025) on these PQC schemes under the catchy name “Mind the faulty Keccak”.
About the paper (TL;DR)
In this paper from Wang et al. (2025), a loop-abort fault model is demonstrated on a software implementation of Keccak to interrupt the sponge construction’s control flow and set its output to a fully or partially known value. This, in a massive snowball effect, allows breaking all phases of ML-KEM and ML-DSA, namely the key generation, encapsulation, decapsulation, signing and verification.
Let’s dive in!
Our Expert Review
What was studied?
In all phases of ML-KEM and ML-DSA, Keccak is used to derive crucial assets e.g., during private seed generation, key derivation and sampling. Setting one of these assets to a fixed value known to the adversary is enough to easily compromise the security of the targeted phase.
To achieve this, the authors, under a loop-abort fault model, propose three distinct attack methodologies targeting the Keccak primitive:
- Skipping the absorption zeroizes the input, setting the output to a deterministic pre-known value.
- Skipping the Keccak-f permutation makes the output equal to the padded input, which can be useful when a portion of the input is public.
- Skipping the squeezing forces the output to an uninitialized array, which defaults to all zeros in certain compilation settings.
By systematically exploiting these foundational Keccak vulnerabilities, the study proposes six fault injection attacks on ML-KEM and five on ML-DSA scattered across all of their phases, enabling severe exploits such as private key recovery, session key recovery, signature forgery, and verification bypass.
The attacks were successfully demonstrated using Electromagnetic Fault Injection (EMFI) on the unprotected C implementation of Keccak from the PQClean library running on various Cortex-M MCUs.
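To make the three loop-abort scenarios above concrete, here is an added Python model of the SHA3-256 sponge (example code written for this review, not the paper's or PQClean's), carrying the loop-completion counters a countermeasure would check: `skip` selects which loop is aborted, the fault-free path is verified against hashlib, and the returned flag shows that each abort is detectable by comparing the number of absorbed blocks, executed rounds and squeezed lanes against their expected values. The lane layout and the PQClean-like order of operations (permute between blocks, and once more before extracting) are assumptions of the model.

```python
# Model of the SHA3-256 sponge with the loop-completion counters a fault countermeasure would
# keep; `skip` names one loop-abort fault to model (constructed example, not PQClean's code).
import hashlib

RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
      0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
      0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
RATE = 136  # SHA3-256 rate in bytes
rol = lambda v, n: ((v << n) | (v >> (64 - n))) & (2**64 - 1) if n else v

def keccak_f(A, rounds=24):
    """Keccak-f[1600] on lanes A[x][y]; rounds < 24 models an aborted round loop."""
    for rc in RC[:rounds]:
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]  # theta
        D = [C[(x - 1) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
        A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        B = [[0] * 5 for _ in range(5)]
        for x in range(5):  # rho + pi
            for y in range(5):
                B[y][(2 * x + 3 * y) % 5] = rol(A[x][y], ROT[x][y])
        A = [[B[x][y] ^ (~B[(x + 1) % 5][y] & B[(x + 2) % 5][y]) for y in range(5)] for x in range(5)]  # chi
        A[0][0] ^= rc  # iota
    return A, len(RC[:rounds])  # state and the number of rounds that actually ran

def sha3_256(msg, skip=None):
    """Returns (digest, counters_ok); skip is None, 'absorb', 'permute' or 'squeeze'."""
    q = RATE - len(msg) % RATE  # pad10*1 with the SHA-3 domain bits 0x06
    padded = msg + (b"\x86" if q == 1 else b"\x06" + bytes(q - 2) + b"\x80")
    state, blocks, rounds, nrounds = [[0] * 5 for _ in range(5)], 0, 0, (0 if skip == "permute" else 24)
    for off in range(0, len(padded), RATE):  # absorb loop: permute between blocks, XOR block in
        if skip == "absorb": break
        if off:
            state, r = keccak_f(state, nrounds); rounds += r
        for i in range(RATE // 8):
            state[i % 5][i // 5] ^= int.from_bytes(padded[off + 8 * i:off + 8 * i + 8], "little")
        blocks += 1
    state, r = keccak_f(state, nrounds); rounds += r  # squeeze: permute, then extract 4 lanes
    out, lanes = bytearray(32), 0  # zero-initialised output buffer, as a zeroed C array would be
    for i in range(4):
        if skip == "squeeze": break
        out[8 * i:8 * i + 8] = state[i % 5][i // 5].to_bytes(8, "little")
        lanes += 1
    # every counter must match its expected value, otherwise a loop did not run to completion
    return bytes(out), blocks == len(padded) // RATE and rounds == 24 * blocks and lanes == 4

def reference(msg):
    return hashlib.sha3_256(msg).digest()
```

With `skip="absorb"` the digest is the same constant for every message, with `skip="permute"` it is the first 32 bytes of the padded input, and with `skip="squeeze"` it is the untouched zero buffer; in all three cases the counter check fails.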
Why is it important?
This research is significant because it demonstrates the importance of a secure implementation of Keccak in the context of PQC. In fact, it showed that the fault attack surface of ML-KEM and ML-DSA is broader than previously understood, enabling sensitive data recovery across all algorithms of those schemes through a single fault injection on Keccak.
By directly targeting the underlying Keccak's control flow, these attacks successfully circumvent popular countermeasures like shuffling. Even a hardened Keccak hardware accelerator offers no protection if it is driven by a vulnerable software library: the CPU executing that library then becomes the target. Consequently, developers must rigorously secure all components of hash implementations against physical attacks and not treat them as invulnerable black boxes.
Which new insights have been contributed, and how significant are they?
This paper brings a novel single-fault injection attack targeting Keccak that is so generic it can be applied across all phases of various PQC schemes. While the authors illustrate two use cases of their attacks on ML-KEM and ML-DSA, the attacks can be easily extended to other schemes like FrodoKEM or HQC.
How practical are the results?
In practice, the attacks were executed using a low-cost Electromagnetic Fault Injection (EMFI) setup on five ARM Cortex-M microcontrollers spanning the Cortex-M0+, M3, M4 and M33 architectures. Their results showed a high fault induction rate, with success rates ranging from 11.6% to 46.0%, and a guaranteed exploit success, proving that the attacks are in fact practical.
Beyond the examples demonstrated in the paper, it seems likely that many future implementations will be threatened by these attacks, in particular because control flow disruption is commonly observed during most fault injection campaigns. As such, going forward, we expect hardware security evaluators to systematically include dedicated tests to verify the feasibility of these attacks on every ML-KEM and ML-DSA implementation.
When is the impact expected?
This work introduces a new and urgent consideration for any security evaluation of a device implementing ML-DSA, ML-KEM or any post-quantum schemes relying on Keccak. This research will undoubtedly drive new efforts to design more comprehensive and efficient fault countermeasures for Keccak and post-quantum cryptography in general. The impact will certainly be felt in the immediate future!
What’s next?
Stay tuned for more write-ups on other modern embedded cryptography articles in the upcoming episodes of the FORTRESS Expert Review.