Abstract
Hash-based signature (HBS) schemes are an efficient method of guaranteeing the authenticity of data in a post-quantum world. The stateful schemes LMS and XMSS and the stateless scheme \(\text {SPHINCS}^{+}\) are already standardised or will be in the near future. The Winternitz one-time signature (WOTS) scheme is one of the fundamental building blocks used in all these HBS standardisation proposals. We present a new fault injection attack targeting WOTS that allows an adversary to forge signatures for arbitrary messages. The attack affects both the signing and verification processes of all current stateful and stateless schemes. Our attack renders the checksum calculation within WOTS useless. A successful fault injection allows at least an existential forgery attack and, in more advanced settings, a universal forgery attack. While checksum computation is clearly a critical point in WOTS, and thus in any of the relevant HBS schemes, its resilience against a fault attack has never been considered. To fill this gap, we theoretically explain the attack, estimate its practicability, and derive the brute-force complexity to achieve signature forgery for a variety of parameter sets. We analyse the reference implementations of LMS, XMSS and \(\text {SPHINCS}^{+}\) and pinpoint the vulnerable points. To harden these implementations, we propose countermeasures and evaluate their effectiveness and efficiency. Our work shows that exposed devices running signature generation or verification with any of these three schemes must have countermeasures in place.
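The abstract's central point is that the WOTS checksum is the only thing that stops an attacker who holds one valid signature from "walking the chains forward" to sign a different message. The following is an added illustration, not code from the paper nor from the LMS, XMSS or SPHINCS+ reference implementations: a minimal Winternitz one-time signature over SHA-256 (w = 16, 64 message digits, 3 checksum digits) with sign, verify and a forward-chain forgery. Assumptions and simplifications made here: plain SHA-256 chaining with no tweakable-hash keys or addresses, the 32-byte digest is signed directly (the constructed digest stands in for the randomised message hash of the real schemes), and a checksum that "no longer binds" is modelled by a verifier that skips the checksum chains. The paper's actual fault model and the brute-force search for a message whose digest dominates the signed one are not reproduced.

```python
"""Toy WOTS (added example, not the paper's or any reference implementation's code).

Assumptions: SHA-256 as the chaining function with no keys/addresses, w = 16,
and the 32-byte digest is signed as-is. `check_checksum=False` models a
verifier whose checksum no longer binds (illustrative fault model only).
"""
import hashlib

N = 32                    # hash output length in bytes
W = 16                    # Winternitz parameter
LOG_W = 4
LEN1 = 8 * N // LOG_W     # 64 message digits
LEN2 = 3                  # checksum digits: max checksum 64*15 = 960 < 16**3
LEN = LEN1 + LEN2


def F(x):
    return hashlib.sha256(x).digest()


def chain(x, steps):
    """Apply F `steps` times (forward direction only: cannot be undone)."""
    for _ in range(steps):
        x = F(x)
    return x


def base_w(data, out_len):
    """Split bytes into base-16 digits, most significant nibble first."""
    digits = []
    for b in data:
        digits.append(b >> 4)
        digits.append(b & 0xF)
    return digits[:out_len]


def checksum_digits(msg_digits):
    """Checksum = sum(W-1-d): it DEcreases whenever a message digit INcreases."""
    csum = sum(W - 1 - d for d in msg_digits)
    return [(csum >> (LOG_W * (LEN2 - 1 - i))) & (W - 1) for i in range(LEN2)]


def digits_for(digest):
    m = base_w(digest, LEN1)
    return m + checksum_digits(m)


def keygen(seed):
    sk = [F(seed + i.to_bytes(2, "big")) for i in range(LEN)]
    pk = [chain(s, W - 1) for s in sk]
    return sk, pk


def sign(sk, digest):
    d = digits_for(digest)
    return [chain(sk[i], d[i]) for i in range(LEN)]


def verify(pk, digest, sig, check_checksum=True):
    """Finish every chain to position W-1 and compare with the public key."""
    d = digits_for(digest)
    upto = LEN if check_checksum else LEN1      # faulted model: skip checksum chains
    return all(chain(sig[i], W - 1 - d[i]) == pk[i] for i in range(upto))


def forge(digest, sig, target_digest):
    """From one valid signature on `digest`, advance the message chains to sign
    `target_digest`. Only possible when every target digit >= signed digit.
    The checksum chains are reused unchanged: the attacker cannot step backwards,
    and a correct checksum for the target would require exactly that."""
    d = base_w(digest, LEN1)
    t = base_w(target_digest, LEN1)
    if any(ti < di for di, ti in zip(d, t)):
        return None
    forged_msg = [chain(sig[i], t[i] - d[i]) for i in range(LEN1)]
    return forged_msg + sig[LEN1:]


def demo():
    """Returns (honest verify of real sig, honest verify of forgery,
    faulted verify of forgery)."""
    seed = b"\x01" * 32                              # constructed secret seed
    sk, pk = keygen(seed)
    digest = bytes(range(0, 256, 8))                 # constructed signed digest
    target = bytes(b | 0x11 for b in digest)         # every nibble >= original, and differs
    sig = sign(sk, digest)
    forged = forge(digest, sig, target)
    return (verify(pk, digest, sig),
            verify(pk, target, forged),              # checksum chains reject it
            verify(pk, target, forged, check_checksum=False))


if __name__ == "__main__":
    print(demo())
```

The three results (valid, rejected, accepted) make the abstract's claim concrete: the forged message chains are perfectly consistent with the public key, and only the checksum chains, which the attacker can never shorten, expose the forgery. In the real schemes the attacker additionally has to find a message whose randomised digest dominates the signed one digit by digit, which is the brute-force complexity the paper derives per parameter set.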
Acknowledgements
This work was partly funded by the German Federal Ministry of Education and Research (BMBF) in the project APRIORI under grant number 16KIS1390.
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Wagner, A., Wesselkamp, V., Oberhansl, F., Schink, M., Strieder, E. (2023). Faulting Winternitz One-Time Signatures to Forge LMS, XMSS, or \(\text {SPHINCS}^{+}\) Signatures. In: Johansson, T., Smith-Tone, D. (eds) Post-Quantum Cryptography. PQCrypto 2023. Lecture Notes in Computer Science, vol 14154. Springer, Cham. https://doi.org/10.1007/978-3-031-40003-2_24
DOI: https://doi.org/10.1007/978-3-031-40003-2_24
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-40002-5
Online ISBN: 978-3-031-40003-2