Paper 2025/606
An attack on ML-DSA using an implicit hint
Abstract
The security of ML-DSA, like that of most signature schemes, relies in part on the nonce used to generate the signature being unknown to the attacker. In this work, we exhibit a lattice-based attack that becomes possible when the nonces share implicit or explicit information. From a collection of signatures whose nonces share certain coefficients, it is possible to build a collection of non-full-rank lattices. Intersecting them, we show how to obtain a low-rank lattice that contains one of the polynomials of the secret key, which can then be recovered using lattice reduction techniques.
There are several interpretations of this result: firstly, it can be seen as a generalization of a fault-based attack on BLISS presented at SAC'16 by Thomas Espitau et al. Alternatively, it can be understood as a side-channel attack on ML-DSA, in the case where an attacker is able to recover only one of the coefficients of the nonce used during the generation of the signature. For ML-DSA-II, we show that
Metadata
- Available format(s)
- PDF
- Category
- Public-key cryptography
- Publication info
- Published elsewhere. SAC25
- Keywords
- ML-DSA, side-channel attacks, lattice-based cryptanalysis
- Contact author(s)
- paco azevedo-oliveira @ thalesgroup com, jordan beraud @ uvsq fr, louis goubin @ uvsq fr
- History
- 2025-04-08: approved
- 2025-04-03: received
- See all versions
- Short URL
- https://ia.cr/2025/606
- License
- CC BY
BibTeX
@misc{cryptoeprint:2025/606,
  author = {Paco Azevedo-Oliveira and Jordan Beraud and Louis Goubin},
  title = {An attack on {ML}-{DSA} using an implicit hint},
  howpublished = {Cryptology {ePrint} Archive, Paper 2025/606},
  year = {2025},
  url = {https://eprint.iacr.org/2025/606}
}