The security of the Fiat--Shamir scheme in the presence of transient hardware faults

Abstract

Implementation cryptanalysis has emerged as a realistic threat for cryptographic systems. It consists of two classes of attacks: fault-injection and side-channel attacks. In this work, we examine the resistance of the Fiat--Shamir scheme to fault-injection attacks, since Fiat--Shamir is a popular scheme for “light” consumer devices, such as smartcards, in a wide range of consumer services. We prove that an existing attack, known as the Bellcore attack, is incomplete. We propose an extension to the protocol that proactively secures Fiat--Shamir systems from the Bellcore attack and we prove its strength. Finally, we introduce a new attack model, which, under stronger assumptions, can derive the secret keys from both the original Fiat--Shamir scheme as well as its proposed extension. Our approach demonstrates that countermeasures for implementation cryptanalysis must be carefully designed and that deployed systems must include appropriate protection mechanisms for all known attacks and be flexible enough to incorporate countermeasures for new ones.