Paper 2024/1883

A Fault Analysis on SNOVA

Gustavo Banegas, Inria Saclay - Île-de-France Research Centre, Computer Science Laboratory of the École Polytechnique
Ricardo Villanueva-Polanco, Technology Innovation Institute
Abstract

SNOVA, a post-quantum signature scheme with compact key sizes, is a second-round NIST candidate. This paper conducts a fault analysis of SNOVA, targeting permanent and transient faults during signature generation. We propose fault injection strategies that exploit SNOVA's structure, enabling key recovery with as few as $22$ to $68$ faulty signatures, depending on security levels. A novel fault-assisted reconciliation attack is introduced that effectively extracts the secret key space by solving a quadratic polynomial system. Simulations reveal that transient or permanent faults in signature generation can severely compromise security. We also suggest a lightweight countermeasure to mitigate fault attacks with minimal overhead. Our findings emphasize the need for fault-resistant mechanisms in post-quantum schemes like SNOVA.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
Physical attackFault-attackSNOVAMQ-based cryptography
Contact author(s)
gustavo @ cryptme in
ricardo polanco @ tii ae
History
2025-02-13: last of 2 revisions
2024-11-19: received
See all versions
Short URL
https://ia.cr/2024/1883
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2024/1883,
      author = {Gustavo Banegas and Ricardo Villanueva-Polanco},
      title = {A Fault Analysis on {SNOVA}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1883},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1883}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.