Grafting Trees: A Fault Attack Against the SPHINCS Framework

  • Laurent Castelnovi
  • Ange Martinelli
  • Thomas Prest
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10786)


Because they require no assumption beyond the preimage or collision resistance of hash functions, hash-based signatures are a unique and very attractive class of post-quantum primitives. Among them, the schemes of the SPHINCS family are arguably the most practical stateless schemes, and they can be implemented on embedded devices such as FPGAs or smart cards. This naturally raises the question of their resistance to implementation attacks.

In this paper, we propose the first fault attack against the framework underlying SPHINCS, Gravity-SPHINCS and SPHINCS+. Our attack allows an adversary to forge a signature on any message at the cost of faulting the signature of a single message. Furthermore, the fault model is very reasonable and the faulted signatures remain valid, which makes the attack both stealthy and practical. As the attack involves a non-negligible computational cost, we propose a fine-grained trade-off that lowers this cost by slightly increasing the number of faulted messages. Our attack is generic in the sense that it does not depend on the underlying hash function(s).



We would like to thank the anonymous PQCrypto reviewers for their helpful comments. We also thank Andreas Hülsing, whose insightful advice helped us make our attack simpler, more generic and more powerful. Finally, we acknowledge the support of the French Programme d'Investissement d'Avenir under national project RISQ.



Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Laurent Castelnovi (1)
  • Ange Martinelli (2)
  • Thomas Prest (2)
  1. Alten Sud-Ouest, Labège, France
  2. Thales Communications & Security, Gennevilliers, France
