Paper 2024/1883

A Fault Analysis on SNOVA

Gustavo Banegas, Inria Saclay - Île-de-France Research Centre, Computer Science Laboratory of the École Polytechnique
Ricardo Villanueva-Polanco, Technology Innovation Institute
Abstract

SNOVA, a post-quantum signature scheme with compact key sizes, is a second-round NIST candidate. This paper conducts a fault analysis of SNOVA, targeting permanent and transient faults during signature generation. We propose fault injection strategies that exploit SNOVA's structure, enabling key recovery with as few as 22 to 68 faulty signatures, depending on security levels. A novel fault-assisted reconciliation attack is introduced that effectively extracts the secret key space by solving a quadratic polynomial system. Simulations reveal that transient or permanent faults in signature generation can severely compromise security. We also suggest a lightweight countermeasure to mitigate fault attacks with minimal overhead. Our findings emphasize the need for fault-resistant mechanisms in post-quantum schemes like SNOVA.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
Physical attack, Fault-attack, SNOVA, MQ-based cryptography
Contact author(s)
gustavo @ cryptme in
ricardo polanco @ tii ae
History
2025-02-13: last of 2 revisions
2024-11-19: received
Short URL
https://ia.cr/2024/1883
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1883,
      author = {Gustavo Banegas and Ricardo Villanueva-Polanco},
      title = {A Fault Analysis on {SNOVA}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1883},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1883}
}