On Protecting SPHINCS+ Against Fault Attacks

Cited by: 0
Authors
Genêt A. [1, 2]
Affiliations
[1] EPFL, Lausanne
[2] Nagra Kudelski Group, Cheseaux-sur-Lausanne
Source
IACR Transactions on Cryptographic Hardware and Embedded Systems | 2023 / Volume 2023 / Issue 2
Keywords
countermeasures; fault attack; hash-based cryptography; post-quantum signature; SPHINCS+
DOI
10.46586/tches.v2023.i2.80-114
Abstract
SPHINCS+ is a hash-based digital signature scheme that NIST selected in its post-quantum cryptography standardization process. A universal forgery on the seminal scheme SPHINCS was shown to be feasible in practice by injecting a fault while the signing device constructs any non-top subtree. Since the attack was made public, little effort has been spent on protecting the SPHINCS family against fault attacks. This paper works in that direction in the context of SPHINCS+ and analyzes the current algorithms that aim to prevent fault-based forgeries. First, the paper adapts the original attack to SPHINCS+ reinforced with randomized signing and extends its applicability to any combination of faulty and valid signatures. Building on this adaptation, the paper then presents a thorough analysis of the attack. In particular, the analysis shows that, with high probability, the security guarantees of SPHINCS+ drop significantly when a single random bit flip occurs anywhere in the signing procedure, and that the resulting faulty signature cannot be detected by the verification procedure. The paper shows both in theory and experimentally that countermeasures based on caching the intermediate W-OTS+s offer marginally greater protection against unintentional faults, and that such countermeasures are circumvented with a tolerable number of queries in an active attack. Based on these results, the paper recommends that real-world deployments of SPHINCS+ implement redundancy checks. © 2023, Ruhr-University of Bochum. All rights reserved.
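The abstract's two central claims, that a fault during the construction of a lower subtree yields a signature the verifier still accepts, and that a redundancy check in the signer catches it, can be reproduced in a toy model. The following is an added example, not code from the paper or from the SPHINCS+ reference implementation: it uses a simplified two-layer hypertree with 4-leaf Merkle subtrees and a Lamport-style one-time signature that discloses its full public key (standing in for W-OTS+), with a constructed seed, message and fault position (`SEED`, `MSG`, `FAULT`) that are assumptions of the demo. The fault flips one bit in a sibling leaf while the bottom subtree is built, so the authentication path and the subtree root signed by the top-layer OTS key are mutually consistent and verification succeeds, while the same top-layer OTS key has now signed two different roots (the condition the paper's analysis exploits). The `redundancy` option recomputes the subtree independently and refuses to sign on mismatch.

```python
import hashlib

# Simplified two-layer hash-based signature used only to illustrate the abstract's
# point; it is NOT SPHINCS+. A Lamport-style OTS that reveals its full public key
# stands in for W-OTS+, and each layer is a 4-leaf Merkle tree.
LEAVES = 4          # leaves per subtree (demo assumption)
BITS = 256          # the OTS signs 32-byte digests

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def bit_at(msg, i):
    return (msg[i // 8] >> (7 - i % 8)) & 1

def flip_bit(node, i):
    buf = bytearray(node)
    buf[i // 8] ^= 1 << (7 - i % 8)
    return bytes(buf)

def ots_keys(seed, addr):
    """Derive one OTS key pair at tree address `addr` from the secret seed."""
    sk = [(H(b"sk", seed, addr, bytes([i, 0])), H(b"sk", seed, addr, bytes([i, 1])))
          for i in range(BITS)]
    return sk, [(H(a), H(b)) for a, b in sk]

def ots_leaf(pk):
    return H(b"leaf", *[x for pair in pk for x in pair])

def ots_sign(sk, digest):
    """Release sk[i][bit] plus the hash of the unreleased half, so the verifier can
    rebuild the whole public key from the signature (as with W-OTS+)."""
    return [(sk[i][bit_at(digest, i)], H(sk[i][1 - bit_at(digest, i)])) for i in range(BITS)]

def ots_pk_from_sig(sig, digest):
    pk = []
    for i, (released, other) in enumerate(sig):
        pair = [None, None]
        pair[bit_at(digest, i)] = H(released)
        pair[1 - bit_at(digest, i)] = other
        pk.append(tuple(pair))
    return pk

def build_tree(leaves, fault=None):
    """Bottom-up Merkle tree. `fault=(level, index, bit)` simulates a single bit flip in
    a node while that level is processed; the corruption propagates up to the root."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        if fault and fault[0] == len(levels) - 1:
            levels[-1][fault[1]] = flip_bit(levels[-1][fault[1]], fault[2])
        prev = levels[-1]
        levels.append([H(b"node", prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels

def auth_path(levels, idx):
    path = []
    for level in levels[:-1]:
        path.append(level[idx ^ 1])
        idx >>= 1
    return path

def root_from_path(leaf, idx, path):
    node = leaf
    for sibling in path:
        node = H(b"node", node, sibling) if idx % 2 == 0 else H(b"node", sibling, node)
        idx >>= 1
    return node

def layer_keys(seed, layer):
    pairs = [ots_keys(seed, bytes([layer, i])) for i in range(LEAVES)]
    return [sk for sk, _ in pairs], [ots_leaf(pk) for _, pk in pairs]

def public_key(seed):
    return build_tree(layer_keys(seed, 1)[1])[-1][0]

def sign(seed, msg, idx_bottom, idx_top, fault=None, redundancy=False):
    digest = H(b"msg", msg)
    sks_b, leaves_b = layer_keys(seed, 0)
    levels_b = build_tree(leaves_b, fault)        # the simulated fault hits this computation only
    if redundancy:
        # Countermeasure: recompute the subtree root independently and abort on mismatch.
        if build_tree(leaves_b)[-1][0] != levels_b[-1][0]:
            raise RuntimeError("subtree root mismatch: fault detected, signature withheld")
    root_b = levels_b[-1][0]
    sks_t, leaves_t = layer_keys(seed, 1)
    levels_t = build_tree(leaves_t)
    return (idx_bottom, ots_sign(sks_b[idx_bottom], digest), auth_path(levels_b, idx_bottom),
            idx_top, ots_sign(sks_t[idx_top], root_b), auth_path(levels_t, idx_top))

def verify(pk_root, msg, signature):
    idx_b, sig_b, path_b, idx_t, sig_t, path_t = signature
    digest = H(b"msg", msg)
    # The verifier derives the bottom root from the signature's own auth path, so a
    # faulty path and the faulty root signed at the top layer are mutually consistent.
    root_b = root_from_path(ots_leaf(ots_pk_from_sig(sig_b, digest)), idx_b, path_b)
    root_t = root_from_path(ots_leaf(ots_pk_from_sig(sig_t, root_b)), idx_t, path_t)
    return root_t == pk_root

SEED = b"\x01" * 32                  # constructed demo seed
MSG = b"constructed demo message"    # constructed demo message
FAULT = (0, 3, 5)                    # flip bit 5 of sibling leaf 3 while building the bottom tree

def demo():
    """Returns (good verifies, faulty verifies, faulty signature differs from good)."""
    pk = public_key(SEED)
    good = sign(SEED, MSG, 2, 1)
    faulty = sign(SEED, MSG, 2, 1, fault=FAULT)
    return verify(pk, MSG, good), verify(pk, MSG, faulty), faulty != good

def redundancy_detects_fault():
    try:
        sign(SEED, MSG, 2, 1, fault=FAULT, redundancy=True)
    except RuntimeError:
        return True
    return False

if __name__ == "__main__":
    print("good verifies, faulty verifies, signatures differ:", demo())
    print("redundancy check caught the fault:", redundancy_detects_fault())
```

Running the block prints `(True, True, True)` for the first line: the faulty signature is distinct from the correct one yet verifies under the same public key, which is exactly why verification alone cannot serve as the safeguard. The second line prints `True` because the redundant subtree computation disagrees with the faulted one. In a real deployment the two computations should be as independent as the platform allows (separate execution, not a shared cached root), since a fault that hits a value both computations reuse would pass this check.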
Pages: 80 / 114
Page count: 34