Cryptology ePrint Archive: Report 2018/674

Practical Fault Injection Attacks on SPHINCS

Aymeric Genêt and Matthias J. Kannwischer and Hervé Pelletier and Andrew McLauchlan

Abstract: The majority of currently deployed cryptographic public-key schemes are at risk of becoming insecure once large scale quantum computers become practical. Therefore, substitutes resistant to quantum attacks—known as post-quantum cryptography—are required. In particular, hash-based signature schemes appear to be the most conservative choice for post-quantum digital signatures. In this work, we mount the first practical fault attack against hash-based cryptography. The attack was originally proposed by Castelnovi, Martinelli, and Prest [9] and allows the creation of a universal signature forgery that applies to all current standardisation candidates (XMSS, LMS, SPHINCS+, and Gravity-SPHINCS). We perform the attack on an Arduino Due board featuring an ARM Cortex-M3 microprocessor running the original stateless scheme SPHINCS with a focus on practicality. We describe how the attack is mountable with a simple voltage glitch injection on the targeted platform, which allowed us to collect enough faulty signatures to create a universal forgery within seconds. As the attack also applies to stateful schemes, we show how caching one-time signatures can entirely prevent the attack for stateful schemes, such as XMSS and LMS. However, we discuss how protecting stateless schemes, like SPHINCS, SPHINCS+, and Gravity-SPHINCS, is more challenging, as this countermeasure does not apply as efficiently as in stateful schemes.

Category / Keywords: public-key cryptography / SPHINCS, hash-based signature, voltage glitching, fault attack, digital signature
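The abstract's countermeasure for stateful schemes is to cache each one-time signature so that a WOTS key is never asked to sign a recomputed (and possibly faulted) subtree root a second time. The following is an added illustration, not code from the paper or from any XMSS, LMS or SPHINCS implementation: a constructed WOTS-like one-time signature over SHA-256 with w = 16, a two-layer toy hypertree of height 2 whose "Merkle root" is a stand-in hash of the subtree's OTS public keys, seed-derived keys, and a transient fault simulated as a single bit flip in the root computation. `distinct_roots_signed` reports the largest number of distinct values any one OTS key ended up signing; the defender's goal is that this number never exceeds one.

```python
"""Toy model of the OTS cache described as a countermeasure for stateful
hash-based signatures.  Constructed example: WOTS-like OTS, two-layer
hypertree, seed-derived keys and simulated fault are all assumptions here."""
import hashlib
from typing import Dict, List, Set, Tuple

W = 16                        # Winternitz parameter: 4 bits per chain
N = 32                        # SHA-256 output length in bytes
LEN1, LEN2 = 2 * N, 3         # message chains, checksum chains (checksum <= 960 < 16**3)
LEN = LEN1 + LEN2
H_TREE = 2                    # toy subtree height: 4 leaves per layer-0 tree


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain(x: bytes, steps: int) -> bytes:
    for _ in range(steps):
        x = H(x)
    return x


def base_w(msg: bytes) -> List[int]:
    """Split a 32-byte digest into base-16 digits and append a 3-digit checksum."""
    digits = [d for b in msg for d in (b >> 4, b & 0xF)]
    csum = sum(W - 1 - d for d in digits)
    return digits + [(csum >> 8) & 0xF, (csum >> 4) & 0xF, csum & 0xF]


def ots_keygen(seed: bytes, addr: Tuple[int, int]) -> Tuple[List[bytes], List[bytes]]:
    """Derive the OTS key pair at hypertree address (layer, index) from the seed."""
    tag = bytes([addr[0]]) + addr[1].to_bytes(4, "big")
    sk = [H(seed + tag + bytes([i])) for i in range(LEN)]
    pk = [chain(s, W - 1) for s in sk]
    return sk, pk


def ots_sign(sk: List[bytes], msg: bytes) -> List[bytes]:
    return [chain(s, d) for s, d in zip(sk, base_w(msg))]


def ots_verify(pk: List[bytes], msg: bytes, sig: List[bytes]) -> bool:
    return [chain(s, W - 1 - d) for s, d in zip(sig, base_w(msg))] == pk


class StatefulSigner:
    """Two-layer toy hypertree.  Layer-0 OTS keys sign messages (one fresh leaf
    per signature, as in XMSS/LMS); the layer-1 OTS key signs the root of a
    layer-0 subtree and is reused across 2**H_TREE signatures.  With
    cache_ots=True the layer-1 signature is computed once and replayed, so that
    key never signs a second, possibly faulted, root."""

    def __init__(self, seed: bytes, cache_ots: bool):
        self.seed, self.cache_ots = seed, cache_ots
        self.next_leaf = 0
        self.cache: Dict[int, Tuple[bytes, List[bytes]]] = {}
        self.signed_by_key: Dict[Tuple[int, int], Set[bytes]] = {}

    def subtree_root(self, tree: int, fault: bool) -> bytes:
        # Constructed stand-in for the Merkle root of layer-0 subtree `tree`.
        pks = [b"".join(ots_keygen(self.seed, (0, tree * 2**H_TREE + i))[1])
               for i in range(2**H_TREE)]
        root = H(b"".join(pks))
        if fault:
            root = bytes([root[0] ^ 0x01]) + root[1:]   # simulated transient bit flip
        return root

    def _ots_sign(self, addr: Tuple[int, int], sk: List[bytes], value: bytes) -> List[bytes]:
        self.signed_by_key.setdefault(addr, set()).add(value)   # audit: values per key
        return ots_sign(sk, value)

    def sign(self, message: bytes, fault: bool = False):
        leaf = self.next_leaf
        self.next_leaf += 1                       # stateful: a leaf is never reused
        tree = leaf // 2**H_TREE
        leaf_sk, _ = ots_keygen(self.seed, (0, leaf))
        leaf_sig = self._ots_sign((0, leaf), leaf_sk, H(message))
        if self.cache_ots and tree in self.cache:
            root, root_sig = self.cache[tree]     # replay: nothing is recomputed, so nothing to fault
        else:
            root = self.subtree_root(tree, fault)
            top_sk, _ = ots_keygen(self.seed, (1, tree))
            root_sig = self._ots_sign((1, tree), top_sk, root)
            if self.cache_ots:
                self.cache[tree] = (root, root_sig)
        return leaf, leaf_sig, root, root_sig


def distinct_roots_signed(cache_ots: bool, fault_on: Set[int]) -> int:
    """Sign 2**H_TREE messages in one subtree, faulting the listed signature
    numbers; return the most distinct values any single OTS key signed."""
    signer = StatefulSigner(b"constructed-seed", cache_ots)
    for i in range(2**H_TREE):
        signer.sign(f"message {i}".encode(), fault=(i in fault_on))
    return max(len(v) for v in signer.signed_by_key.values())
```

Without the cache, a fault during the third signature makes the layer-1 key sign both the correct root and the faulted one (`distinct_roots_signed(False, {2})` returns 2), which is exactly the two-signatures-one-key condition the paper's attack relies on. With the cache the count stays at 1 whatever is faulted: a fault on the very first computation yields one signature on a wrong root that simply fails to verify, and later signatures replay it rather than recomputing. The stateless case is harder because no leaf counter tells the signer which cached entry to replay; that is the difficulty the abstract flags for SPHINCS and its successors.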

Date: received 12 Jul 2018, last revised 15 Oct 2018

Contact author: matthias at kannwischer eu

Available format(s): PDF | BibTeX Citation

Version: 20181015:144926

Short URL: ia.cr/2018/674
