On Protecting SPHINCS+ Against Fault Attacks
Main Author: | Aymeric Genêt (EPFL, Lausanne, Switzerland; Nagra Kudelski Group, Cheseaux-sur-Lausanne, Switzerland) |
---|---|
Format: | Article |
Language: | English |
Published: | Ruhr-Universität Bochum, 2023-03-01 |
Series: | Transactions on Cryptographic Hardware and Embedded Systems (ISSN 2569-2925), vol. 2023, issue 2, pp. 80-114 |
DOI: | 10.46586/tches.v2023.i2.80-114 |
Subjects: | SPHINCS, fault attack, countermeasures, post-quantum signature, hash-based cryptography |
Online Access: | https://tches.iacr.org/index.php/TCHES/article/view/10278 |
SPHINCS+ is a hash-based digital signature scheme that was selected by NIST in their post-quantum cryptography standardization process. The establishment of a universal forgery on the seminal scheme SPHINCS was shown to be feasible in practice by injecting a fault when the signing device constructs any non-top subtree. Ever since the attack has been made public, little effort was spent to protect the SPHINCS family against attacks by faults. This paper works in this direction in the context of SPHINCS+ and analyzes the current algorithms that aim to prevent fault-based forgeries.
First, the paper adapts the original attack to SPHINCS+ reinforced with randomized signing and extends the applicability of the attack to any combination of faulty and valid signatures. Considering the adaptation, the paper then presents a thorough analysis of the attack. In particular, the analysis shows that, with high probability, the security guarantees of SPHINCS+ significantly drop when a single random bit flip occurs anywhere in the signing procedure and that the resulting faulty signature cannot be detected with the verification procedure. The paper shows both in theory and experimentally that the countermeasures based on caching the intermediate W-OTS+s offer a marginally greater protection against unintentional faults, and that such countermeasures are circumvented with a tolerable number of queries in an active attack. Based on these results, the paper recommends real-world deployments of SPHINCS+ to implement redundancy checks.