Differential fault attacks on deterministic lattice signatures

Leon Groot Bruinderink; Peter Pessl

doi:10.13154/tches.v2018.i3.21-43

Differential fault attacks on deterministic lattice signatures

Leon Groot Bruinderink, Peter Pessl

Research output: Contribution to journal › Article › Academic › peer-review

29 Downloads (Pure)

Abstract

In this paper, we extend the applicability of differential fault attacks to lattice-based cryptography. We show how two deterministic lattice-based signature schemes, Dilithium and qTESLA, are vulnerable to such attacks. In particular, we demonstrate that single random faults can result in a nonce-reuse scenario which allows key recovery. We also expand this to fault-induced partial nonce-reuse attacks, which do not corrupt the validity of the computed signatures and thus are harder to detect.
Using linear algebra and lattice-basis reduction techniques, an attacker can extract one of the secret key elements after a successful fault injection. Some other parts of the key cannot be recovered, but we show that a tweaked signature algorithm can still successfully sign any message. We provide experimental verification of our attacks by performing clock glitching on an ARM Cortex-M4 microcontroller. In particular, we show that up to 65.2% of the execution time of Dilithium is vulnerable to an unprofiled attack, where a random fault is injected anywhere during the signing procedure and still leads to a successful key-recovery.

Original language	English
Pages (from-to)	21-43
Number of pages	23
Journal	IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES)
Volume	2018
Issue number	3
DOIs	https://doi.org/10.13154/tches.v2018.i3.21-43
Publication status	Published - 3 Sep 2018

Keywords

Differential fault attacks
post-quantum cryptography
lattice-based cryptography
digital signatures

Access to Document

10.13154/tches.v2018.i3.21-43

published versionFinal published version, 614 KB

Fingerprint Dive into the research topics of 'Differential fault attacks on deterministic lattice signatures'. Together they form a unique fingerprint.

Cite this

@article{9ae8193779164456aec8e2b234c1e33b,

title = "Differential fault attacks on deterministic lattice signatures",

abstract = "In this paper, we extend the applicability of differential fault attacks to lattice-based cryptography. We show how two deterministic lattice-based signature schemes, Dilithium and qTESLA, are vulnerable to such attacks. In particular, we demonstrate that single random faults can result in a nonce-reuse scenario which allows key recovery. We also expand this to fault-induced partial nonce-reuse attacks, which do not corrupt the validity of the computed signatures and thus are harder to detect.Using linear algebra and lattice-basis reduction techniques, an attacker can extract one of the secret key elements after a successful fault injection. Some other parts of the key cannot be recovered, but we show that a tweaked signature algorithm can still successfully sign any message. We provide experimental verification of our attacks by performing clock glitching on an ARM Cortex-M4 microcontroller. In particular, we show that up to 65.2% of the execution time of Dilithium is vulnerable to an unprofiled attack, where a random fault is injected anywhere during the signing procedure and still leads to a successful key-recovery.",

keywords = "Differential fault attacks, post-quantum cryptography, lattice-based cryptography, digital signatures",

author = "Bruinderink, {Leon Groot} and Peter Pessl",

year = "2018",

month = sep,

day = "3",

doi = "10.13154/tches.v2018.i3.21-43",

language = "English",

volume = "2018",

pages = "21--43",

journal = "IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES)",

issn = "2569-2925",

publisher = "Ruhr-University Bochum",

number = "3",

}

TY - JOUR

T1 - Differential fault attacks on deterministic lattice signatures

AU - Bruinderink, Leon Groot

AU - Pessl, Peter

PY - 2018/9/3

Y1 - 2018/9/3

N2 - In this paper, we extend the applicability of differential fault attacks to lattice-based cryptography. We show how two deterministic lattice-based signature schemes, Dilithium and qTESLA, are vulnerable to such attacks. In particular, we demonstrate that single random faults can result in a nonce-reuse scenario which allows key recovery. We also expand this to fault-induced partial nonce-reuse attacks, which do not corrupt the validity of the computed signatures and thus are harder to detect.Using linear algebra and lattice-basis reduction techniques, an attacker can extract one of the secret key elements after a successful fault injection. Some other parts of the key cannot be recovered, but we show that a tweaked signature algorithm can still successfully sign any message. We provide experimental verification of our attacks by performing clock glitching on an ARM Cortex-M4 microcontroller. In particular, we show that up to 65.2% of the execution time of Dilithium is vulnerable to an unprofiled attack, where a random fault is injected anywhere during the signing procedure and still leads to a successful key-recovery.

AB - In this paper, we extend the applicability of differential fault attacks to lattice-based cryptography. We show how two deterministic lattice-based signature schemes, Dilithium and qTESLA, are vulnerable to such attacks. In particular, we demonstrate that single random faults can result in a nonce-reuse scenario which allows key recovery. We also expand this to fault-induced partial nonce-reuse attacks, which do not corrupt the validity of the computed signatures and thus are harder to detect.Using linear algebra and lattice-basis reduction techniques, an attacker can extract one of the secret key elements after a successful fault injection. Some other parts of the key cannot be recovered, but we show that a tweaked signature algorithm can still successfully sign any message. We provide experimental verification of our attacks by performing clock glitching on an ARM Cortex-M4 microcontroller. In particular, we show that up to 65.2% of the execution time of Dilithium is vulnerable to an unprofiled attack, where a random fault is injected anywhere during the signing procedure and still leads to a successful key-recovery.

KW - Differential fault attacks

KW - post-quantum cryptography

KW - lattice-based cryptography

KW - digital signatures

U2 - 10.13154/tches.v2018.i3.21-43

DO - 10.13154/tches.v2018.i3.21-43

M3 - Article

VL - 2018

SP - 21

EP - 43

JO - IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES)

JF - IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES)

SN - 2569-2925

IS - 3

ER -