
Faulting Winternitz One-Time Signatures to Forge LMS, XMSS, or SPHINCS+ Signatures

Conference paper, in: Post-Quantum Cryptography (PQCrypto 2023)

Abstract

Hash-based signature (HBS) schemes are an efficient method of guaranteeing the authenticity of data in a post-quantum world. The stateful schemes LMS and XMSS and the stateless scheme SPHINCS+ are already standardised or will be in the near future. The Winternitz one-time signature (WOTS) scheme is one of the fundamental building blocks used in all these HBS standardisation proposals. We present a new fault injection attack targeting WOTS that allows an adversary to forge signatures for arbitrary messages. The attack affects both the signing and verification processes of all current stateful and stateless schemes. Our attack renders the checksum calculation within WOTS useless. A successful fault injection allows at least an existential forgery attack and, in more advanced settings, a universal forgery attack. While checksum computation is clearly a critical point in WOTS, and thus in any of the relevant HBS schemes, its resilience against a fault attack has never been considered. To fill this gap, we theoretically explain the attack, estimate its practicability, and derive the brute-force complexity to achieve signature forgery for a variety of parameter sets. We analyse the reference implementations of LMS, XMSS and SPHINCS+ and pinpoint the vulnerable points. To harden these implementations, we propose countermeasures and evaluate their effectiveness and efficiency. Our work shows that exposed devices running signature generation or verification with any of these three schemes must have countermeasures in place.
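The abstract identifies the WOTS checksum as the critical point: a WOTS signature commits to one position in each of len_1 + len_2 hash chains, chains can only be advanced and never reversed, and the checksum digits are what guarantee that for any two distinct messages at least one chain position decreases. The following added example (written for this page; it is not the paper's code nor any reference implementation) makes that invariant concrete. It assumes a toy chaining function (plain iterated SHA-256 instead of the keyed, bitmasked function of real WOTS+), uses the digit lengths of the RFC 8391 SHA-256 / w = 16 parameter set, and shows with a constructed pair of digests that the message digits alone can be dominated by another message while the checksum digits restore a decreasing position, which is exactly the guarantee a faulted checksum computation would remove.

```python
import hashlib

# Toy WOTS+-style parameters, constructed for this example (not the paper's code):
# n = 32-byte digests and w = 16, which yields len_1 = 64 message digits and
# len_2 = 3 checksum digits, the same lengths RFC 8391 uses for SHA-256 with w = 16.
N, W, LOG_W = 32, 16, 4
LEN_1 = (8 * N + LOG_W - 1) // LOG_W                       # 64
LEN_2 = ((LEN_1 * (W - 1)).bit_length() - 1) // LOG_W + 1  # 3
LEN = LEN_1 + LEN_2


def base_w(data: bytes, out_len: int) -> list:
    """Split bytes into base-w digits, high nibble first (w = 16 means one digit per nibble)."""
    digits = []
    for byte in data:
        digits.extend((byte >> 4, byte & 0xF))
    return digits[:out_len]


def message_digits(msg_hash: bytes) -> list:
    return base_w(msg_hash, LEN_1)


def checksum_digits(msg_digits: list) -> list:
    """WOTS checksum: sum over (w-1 - d_i), byte-aligned and split into len_2 base-w digits."""
    csum = sum(W - 1 - d for d in msg_digits)
    csum <<= 8 - ((LEN_2 * LOG_W) % 8)          # align the len_2 * log_w checksum bits
    nbytes = (LEN_2 * LOG_W + 7) // 8
    return base_w(csum.to_bytes(nbytes, "big"), LEN_2)


def wots_digits(msg_hash: bytes) -> list:
    """The len = len_1 + len_2 chain positions a WOTS signature on msg_hash commits to."""
    m = message_digits(msg_hash)
    return m + checksum_digits(m)


def chain(x: bytes, steps: int) -> bytes:
    """Toy chaining function: plain SHA-256 iterated `steps` times. Real WOTS+ keys and
    bitmasks each step; the property that matters here is the same: chains only move forward."""
    for _ in range(steps):
        x = hashlib.sha256(x).digest()
    return x


def keygen(seed: bytes):
    sk = [hashlib.sha256(seed + i.to_bytes(2, "big")).digest() for i in range(LEN)]
    pk = [chain(s, W - 1) for s in sk]
    return sk, pk


def sign(sk: list, digits: list) -> list:
    return [chain(s, d) for s, d in zip(sk, digits)]


def verify(pk: list, digits: list, sig: list) -> bool:
    """Accept only if every chain element, advanced the remaining w-1-d_i steps, lands on pk."""
    return all(chain(s, W - 1 - d) == p for s, d, p in zip(sig, digits, pk))


def advanceable(from_digits: list, to_digits: list) -> bool:
    """True when no chain position decreases from `from_digits` to `to_digits`, i.e. when a
    signature on `from` could be reused for `to` without inverting any hash. The checksum
    exists precisely so that this never holds for two distinct messages; if a fault skips or
    corrupts the checksum computation, that guarantee is gone."""
    return all(t >= f for f, t in zip(from_digits, to_digits))


# Constructed sample digests: every digit of B is one larger than the matching digit of A,
# so the message digits alone never decrease from A to B.
A = bytes(N)
B = bytes([0x11]) * N


def checksum_breaks_dominance() -> bool:
    """B's len_1 message digits dominate A's, but once the checksum is appended some digit
    decreases (the checksum drops from 960 to 896), which is what WOTS relies on."""
    without = advanceable(message_digits(A), message_digits(B))
    with_cs = advanceable(wots_digits(A), wots_digits(B))
    return without and not with_cs


def signature_roundtrip() -> tuple:
    """A correct verifier, which includes the checksum digits, accepts A's signature only for A."""
    sk, pk = keygen(b"constructed-seed")
    sig = sign(sk, wots_digits(A))
    return verify(pk, wots_digits(A), sig), verify(pk, wots_digits(B), sig)
```

The point for an implementer is that `checksum_digits` and its consumption in `verify` are the only thing standing between `advanceable` being false for all message pairs and it being true for some; both signer and verifier recompute it from the message digits, so either side's computation is a single point whose corruption undermines the scheme, matching the abstract's observation that both signing and verification are affected.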



Acknowledgements

This work was partly funded by the German Federal Ministry of Education and Research (BMBF) in the project APRIORI under grant number 16KIS1390.

Corresponding author: Alexander Wagner.


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Wagner, A., Wesselkamp, V., Oberhansl, F., Schink, M., Strieder, E. (2023). Faulting Winternitz One-Time Signatures to Forge LMS, XMSS, or SPHINCS+ Signatures. In: Johansson, T., Smith-Tone, D. (eds) Post-Quantum Cryptography. PQCrypto 2023. Lecture Notes in Computer Science, vol 14154. Springer, Cham. https://doi.org/10.1007/978-3-031-40003-2_24


  • DOI: https://doi.org/10.1007/978-3-031-40003-2_24


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-40002-5

  • Online ISBN: 978-3-031-40003-2
