Cryptology ePrint Archive: Report 2018/673

Differential Power Analysis of XMSS and SPHINCS

Matthias J. Kannwischer and Aymeric Genęt and Denis Butin and Juliane Krämer and Johannes Buchmann

Abstract: Quantum computing threatens conventional public-key cryptography. In response, standards bodies such as NIST increasingly focus on post-quantum cryptography. In particular, hash-based signature schemes are notable candidates for deployment. No rigorous side-channel analysis of hash-based signature schemes has been conducted so far. This work bridges this gap. We analyse the stateful hash-based signature schemes XMSS and XMSS^MT, which are currently undergoing standardisation at IETF, as well as SPHINCS — the only practical stateless hash-based scheme. While timing and simple power analysis attacks are unpromising, we show that the differential power analysis resistance of XMSS can be reduced to the differential power analysis resistance of the underlying pseudorandom number generator. This first systematic analysis helps to further increase confidence in XMSS, supporting current standardisation efforts. Furthermore, we show that at least a 32-bit chunk of the SPHINCS secret key can be recovered using a differential power analysis attack due to its stateless construction. We present novel differential power analyses on a SHA-2-based pseudorandom number generator for XMSS and a BLAKE-256-based pseudorandom function for SPHINCS-256 in the Hamming weight model. The first attack is not threatening current versions of XMSS, unless a customised pseudorandom number generator is used. The second one compromises the security of a hardware implementation of SPHINCS-256. Our analysis is supported by a power simulator implementation of SHA-2 for XMSS and a hardware implementation of BLAKE for SPHINCS. We also provide recommendations for XMSS implementers.

Category / Keywords: public-key cryptography / Post-quantum cryptography, Hash-based signatures, DPA

Original Publication (in the same form): COSADE 2018

Date: received 12 Jul 2018

Contact author: matthias at kannwischer eu

Available format(s): PDF | BibTeX Citation

Version: 20180713:140750 (All versions of this report)

Short URL: ia.cr/2018/673


[ Cryptology ePrint archive ]