Paper 2018/102
Grafting Trees: a Fault Attack against the SPHINCS framework
Laurent Castelnovi, Ange Martinelli, and Thomas Prest
Abstract
Because they require no assumption besides the preimage or collision resistance of hash functions, hash-based signatures are a unique and very attractive class of post-quantum primitives. Among them, the schemes of the SPHINCS family are arguably the most practical stateless schemes, and can be implemented on embedded devices such as FPGAs or smart cards. This naturally raises the question of their resistance to implementation attacks. In this paper, we propose the first fault attack against the framework underlying SPHINCS, Gravity-SPHINCS and SPHINCS+. Our attack makes it possible to forge a signature on any message at the cost of a single faulted message. Furthermore, the fault model is very reasonable and the faulted signatures remain valid, which renders our attack both stealthy and practical. As the attack involves a non-negligible computational cost, we propose a fine-grained trade-off that lowers this cost by slightly increasing the number of faulted messages. Our attack is generic in the sense that it does not depend on the underlying hash function(s) used.
Metadata
- Publication info
- Published elsewhere. PQCrypto 2018
- Keywords
- SPHINCS, Fault attacks, Hash-based signatures
- Contact author(s)
- thomas prest @ ens fr
- History
- 2018-04-13: revised
- 2018-01-29: received
- Short URL
- https://ia.cr/2018/102
- License
- CC BY
BibTeX
@misc{cryptoeprint:2018/102,
  author = {Laurent Castelnovi and Ange Martinelli and Thomas Prest},
  title = {Grafting Trees: a Fault Attack against the {SPHINCS} framework},
  howpublished = {Cryptology {ePrint} Archive, Paper 2018/102},
  year = {2018},
  url = {https://eprint.iacr.org/2018/102}
}