Grafting Trees: A Fault Attack Against the SPHINCS Framework

  • Laurent Castelnovi
  • Ange Martinelli
  • Thomas Prest
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10786)

Abstract

Because they require no assumption besides the preimage or collision resistance of hash functions, hash-based signatures are a unique and very attractive class of post-quantum primitives. Among them, the schemes of the SPHINCS family are arguably the most practical stateless schemes, and they can be implemented on embedded devices such as FPGAs or smart cards. This naturally raises the question of their resistance to implementation attacks.

In this paper, we propose the first fault attack against the framework underlying SPHINCS, Gravity-SPHINCS and SPHINCS+. Our attack makes it possible to forge a signature on any message at the cost of a single faulted message. Furthermore, the fault model is very reasonable and the faulted signatures remain valid, which renders our attack both stealthy and practical. As the attack involves a non-negligible computational cost, we propose a fine-grained trade-off that lowers this cost by slightly increasing the number of faulted messages. Our attack is generic in the sense that it does not depend on the underlying hash function(s) used.

Notes

Acknowledgements

We would like to thank the anonymous PQCrypto reviewers for their helpful comments. We also thank Andreas Hülsing, whose insightful advice helped us make our attack simpler, more generic and more powerful. Finally, we acknowledge the support of the French Programme d’Investissement d’Avenir under national project RISQ.

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Laurent Castelnovi (1)
  • Ange Martinelli (2)
  • Thomas Prest (2)
  1. Alten Sud-Ouest, Labège, France
  2. Thales Communications & Security, Gennevilliers, France