Abstract

In this paper, we extend the applicability of differential fault attacks to lattice-based cryptography. We show how two deterministic lattice-based signature schemes, Dilithium and qTESLA, are vulnerable to such attacks. In particular, we demonstrate that single random faults can result in a nonce-reuse scenario which allows key recovery. We also expand this to fault-induced partial nonce-reuse attacks, which do not corrupt the validity of the computed signatures and thus are harder to detect. Using linear algebra and lattice-basis reduction techniques, an attacker can extract one of the secret key elements after a successful fault injection. Some other parts of the key cannot be recovered, but we show that a tweaked signature algorithm can still successfully sign any message. We provide experimental verification of our attacks by performing clock glitching on an ARM Cortex-M4 microcontroller. In particular, we show that up to 65.2% of the execution time of Dilithium is vulnerable to an unprofiled attack, where a random fault is injected anywhere during the signing procedure and still leads to a successful key recovery.

Highlights

  • Large-scale quantum computing is a major threat to currently used public-key cryptosystems

  • We show the applicability of differential fault attacks on deterministic lattice-based signature schemes

  • We focus on Dilithium, but all our attacks apply to qTESLA as well

Summary

Introduction

Large-scale quantum computing is a major threat to currently used public-key cryptosystems. As implementations are evaluated in terms of both security and performance, they should be made resistant to implementation attacks such as fault injection at minimal cost. In this regard, an interesting property of many lattice-based signature schemes is that they make use of the classic Fiat-Shamir transform [FS86]. Signature schemes built from the Fiat-Shamir transform, as well as ECDSA, have a well-known caveat: signing requires a nonce, and reusing a nonce for different messages leads to trivial key recovery. The standard remedy is to derive the nonce deterministically by hashing the message and the key, so that each input has a unique signature and no fresh randomness is needed at signing time. Both Dilithium and qTESLA use this approach and follow in the footsteps of proposals such as EdDSA [BDL+11] and deterministic ECDSA [Por13].
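The following is an added illustration of the caveat just described; it is not code from the paper and it is not Dilithium or qTESLA. It implements a toy deterministic Schnorr signature over a 64-bit prime-order subgroup (the group search, the hash domain tags, the function names and the sample messages are all constructed for this example) and then simulates the fault the paper exploits: the nonce k = H(sk, msg) is fixed first, and a single bit of the challenge hash is corrupted afterwards. The honest and faulty signatures then share a nonce but carry different challenges, and s − s' = (c − c')·sk mod q hands over the key. A control pair of honest signatures on different messages is included to show that without the fault the same algebra yields nothing.

```python
"""Added example: deterministic Schnorr signing and fault-induced nonce reuse.
Toy 64-bit group; everything here is constructed for illustration only."""
import hashlib
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24, ample for a 64-bit group."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits: int = 64):
    """Return (p, q, g): p = 2q + 1 prime and g of prime order q. Deterministic toy search."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    g = 4  # a quadratic residue other than 1, so its order is exactly q
    return p, q, g


def H(*parts: bytes) -> int:
    """Length-prefixed SHA-256 over the given parts, as an integer."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")


def keygen(params):
    p, q, g = params
    sk = secrets.randbelow(q - 1) + 1
    return sk, pow(g, sk, p)


def sign(params, sk: int, msg: bytes, challenge_fault: int = 0):
    """Deterministic signing: nonce k = H(sk, msg), EdDSA-style.
    challenge_fault XORs a mask into the challenge hash AFTER k is fixed, simulating
    a fault in the challenge computation: same nonce, different challenge."""
    p, q, g = params
    k = H(b"nonce", sk.to_bytes(32, "big"), msg) % q or 1
    R = pow(g, k, p)
    c = (H(b"chal", R.to_bytes(32, "big"), msg) ^ challenge_fault) % q
    s = (k + c * sk) % q
    return c, s


def verify(params, pk: int, msg: bytes, sig) -> bool:
    p, q, g = params
    c, s = sig
    R = pow(g, s, p) * pow(pk, q - c, p) % p  # g^s * pk^-c equals g^k for an honest signature
    return H(b"chal", R.to_bytes(32, "big"), msg) % q == c


def recover_key(q: int, sig1, sig2) -> int:
    """Two signatures sharing a nonce satisfy s1 - s2 = (c1 - c2) * sk mod q."""
    (c1, s1), (c2, s2) = sig1, sig2
    if c1 == c2:
        raise ValueError("identical challenges: nothing to solve for")
    return (s1 - s2) * pow(c1 - c2, -1, q) % q


def demo():
    params = safe_prime_group()
    p, q, g = params
    sk, pk = keygen(params)
    msg = b"constructed sample message"
    good = sign(params, sk, msg)
    faulty = sign(params, sk, msg, challenge_fault=1 << 17)  # one flipped hash bit
    recovered = recover_key(q, good, faulty)
    # Control: honest signatures on different messages use different nonces,
    # so the same subtraction produces garbage rather than the key.
    other = sign(params, sk, b"another constructed message")
    garbage = recover_key(q, good, other)
    forged = sign(params, recovered, b"attacker-chosen message")
    return {
        "good_verifies": verify(params, pk, msg, good),
        "faulty_verifies": verify(params, pk, msg, faulty),
        "recovered_ok": recovered == sk,
        "control_ok": garbage != sk,
        "forged_verifies": verify(params, pk, b"attacker-chosen message", forged),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the faulty signature itself does not verify (the recomputed challenge no longer matches), so a signer that checks its own output would catch this particular fault; the abstract's partial nonce-reuse variants are exactly the ones that keep the signature valid and evade such a check. In Dilithium the corresponding subtraction is over polynomial ring elements, where the difference of the two challenges need not be invertible, which is why the paper turns to linear algebra and lattice-basis reduction instead of a single modular inverse.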

Lattice-Based Cryptography
Deterministic Lattice Signatures
The SHAKE Extendable Output Function
Implementation Security of Lattice-Based Cryptography
Differential Fault Attacks on ECC
Differential Faults on Deterministic Lattice Signatures
Intuition
Scenario: fH
Scenario: fW
Scenario: fY
Summary of Scenarios
Signing with the Recovered Key
Experimental Verification
Injecting a Fault in the Correct Iteration
Unprofiled Attacks
Countermeasures
Findings
B Description of qTESLA