Paper 2018/102

Grafting Trees: a Fault Attack against the SPHINCS framework

Laurent Castelnovi, Ange Martinelli, and Thomas Prest


Because they require no assumption besides the preimage or collision resistance of hash functions, hash-based signatures are a unique and very attractive class of post-quantum primitives. Among them, the schemes of the SPHINCS family are arguably the most practical stateless schemes, and can be implemented on embedded devices such as FPGAs or smart cards. This naturally raises the question of their resistance to implementation attacks. In this paper, we propose the first fault attack against the framework underlying SPHINCS, Gravity-SPHINCS and SPHINCS+. Our attack makes it possible to forge a signature on any message at the cost of a single faulted message. Furthermore, the fault model is very reasonable and the faulted signatures remain valid, which renders our attack both stealthy and practical. As the attack involves a non-negligible computational cost, we propose a fine-grained trade-off that lowers this cost by slightly increasing the number of faulted messages. Our attack is generic in the sense that it does not depend on the underlying hash function(s) used.

Publication info
Published elsewhere. PQCrypto 2018
SPHINCS, Fault attacks, Hash-based signatures
Contact author(s)
thomas prest @ ens fr
2018-04-13: revised
2018-01-29: received
Creative Commons Attribution


      author = {Laurent Castelnovi and Ange Martinelli and Thomas Prest},
      title = {Grafting Trees: a Fault Attack against the SPHINCS framework},
      howpublished = {Cryptology ePrint Archive, Paper 2018/102},
      year = {2018},
      note = {\url{}},
      url = {}