### Differential Fault Attacks on Deterministic Lattice Signatures

Leon Groot Bruinderink and Peter Pessl

##### Abstract

In this paper, we extend the applicability of differential fault attacks to lattice-based cryptography. We show how two deterministic lattice-based signature schemes, Dilithium and qTESLA, are vulnerable to such attacks. In particular, we demonstrate that single random faults can result in a nonce-reuse scenario which allows key recovery. We also expand this to fault-induced partial nonce-reuse attacks, which do not corrupt the validity of the computed signatures and thus are harder to detect. Using linear algebra and lattice-basis reduction techniques, an attacker can extract one of the secret key elements after a successful fault injection. Some other parts of the key cannot be recovered, but we show that a tweaked signature algorithm can still successfully sign any message. We provide experimental verification of our attacks by performing clock glitching on an ARM Cortex-M4 microcontroller. In particular, we show that up to 65.2% of the execution time of Dilithium is vulnerable to an unprofiled attack, where a random fault is injected anywhere during the signing procedure and still leads to a successful key-recovery.

Note: Newest revision corrects a statement regarding applicable countermeasures.

Available format(s)
Category
Implementation
Publication info
A minor revision of an IACR publication in TCHES 2018
Keywords
differential fault attackspost-quantum cryptographylattice-based cryptographydigital signatures
Contact author(s)
peter pessl @ iaik tugraz at
History
2018-10-31: last of 2 revisions
See all versions
Short URL
https://ia.cr/2018/355

CC BY

BibTeX

@misc{cryptoeprint:2018/355,
author = {Leon Groot Bruinderink and Peter Pessl},
title = {Differential Fault Attacks on Deterministic Lattice Signatures},
howpublished = {Cryptology ePrint Archive, Paper 2018/355},
year = {2018},
note = {\url{https://eprint.iacr.org/2018/355}},
url = {https://eprint.iacr.org/2018/355}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.