Differential Power Analysis of XMSS and SPHINCS

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10815)


Quantum computing threatens conventional public-key cryptography. In response, standards bodies such as NIST increasingly focus on post-quantum cryptography. In particular, hash-based signature schemes are notable candidates for deployment. No rigorous side-channel analysis of hash-based signature schemes has been conducted so far. This work bridges this gap. We analyse the stateful hash-based signature schemes XMSS and XMSS^MT, which are currently undergoing standardisation at IETF, as well as SPHINCS, the only practical stateless hash-based scheme. While timing and simple power analysis attacks are unpromising, we show that the differential power analysis resistance of XMSS can be reduced to the differential power analysis resistance of the underlying pseudorandom number generator. This first systematic analysis helps to further increase confidence in XMSS, supporting current standardisation efforts. Furthermore, we show that at least a 32-bit chunk of the SPHINCS secret key can be recovered using a differential power analysis attack, due to its stateless construction. We present novel differential power analyses on a SHA-2-based pseudorandom number generator for XMSS and a BLAKE-256-based pseudorandom function for SPHINCS-256 in the Hamming weight model. The first attack does not threaten current versions of XMSS unless a customised pseudorandom number generator is used. The second one compromises the security of a hardware implementation of SPHINCS-256. Our analysis is supported by a power simulator implementation of SHA-2 for XMSS and a hardware implementation of BLAKE for SPHINCS. We also provide recommendations for XMSS implementers.
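The abstract states its analyses "in the Hamming weight model" without saying what that model measures. The following Python is an added illustration, not code from the paper or its authors' repositories: it simulates the leakage model on a constructed, secret-dependent intermediate (a modular addition of a known input to a secret chunk, the shape of operation found inside SHA-2 and BLAKE compression), assesses how strongly a correlation test singles out the secret, and repeats the assessment on a version where the intermediate is protected by a fresh random mask. The chunk width, noise level and the masking countermeasure are assumptions chosen to keep the simulation small; the paper attacks 32-bit words on real and simulated hardware.

```python
import math
import random

# Constructed parameters (not from the paper): an 8-bit secret chunk keeps the
# candidate space at 256 so the full correlation profile runs in well under a second.
WIDTH = 8
MASK = (1 << WIDTH) - 1


def hamming_weight(v: int) -> int:
    """Number of set bits; the quantity a device is assumed to leak in the HW model."""
    return bin(v).count("1")


def simulate_traces(secret: int, n: int, noise_sd: float, seed: int, masked: bool = False):
    """Return (inputs, traces) for n operations on random known inputs.

    Each trace is a single constructed 'power sample': the Hamming weight of the
    secret-dependent intermediate (x + secret) mod 2^WIDTH plus Gaussian noise.
    With masked=True the device instead handles the intermediate XORed with a
    fresh per-operation mask, so the sample no longer depends on the secret alone
    (a first-order masking countermeasure, assumed here for illustration).
    """
    rng = random.Random(seed)
    inputs, traces = [], []
    for _ in range(n):
        x = rng.randrange(1 << WIDTH)
        v = (x + secret) & MASK
        if masked:
            v ^= rng.randrange(1 << WIDTH)
        inputs.append(x)
        traces.append(hamming_weight(v) + rng.gauss(0.0, noise_sd))
    return inputs, traces


def pearson(a, b) -> float:
    """Sample Pearson correlation between two equal-length sequences."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((p - mean_a) * (q - mean_b) for p, q in zip(a, b))
    var_a = sum((p - mean_a) ** 2 for p in a)
    var_b = sum((q - mean_b) ** 2 for q in b)
    if var_a == 0 or var_b == 0:
        return 0.0
    return cov / math.sqrt(var_a * var_b)


def correlation_profile(inputs, traces):
    """For every candidate chunk k, correlate the traces with the HW prediction
    HW((x + k) mod 2^WIDTH). A leaking implementation shows a clear peak at the
    true chunk; a well-masked one shows only noise-level correlations."""
    return [
        pearson([hamming_weight((x + k) & MASK) for x in inputs], traces)
        for k in range(1 << WIDTH)
    ]


def assess_leakage(inputs, traces):
    """Return (best candidate, its correlation, runner-up correlation).

    The gap between the first two values is the margin a defender wants to see
    collapse after applying a countermeasure."""
    profile = correlation_profile(inputs, traces)
    ranked = sorted(range(len(profile)), key=lambda k: profile[k], reverse=True)
    return ranked[0], profile[ranked[0]], profile[ranked[1]]


if __name__ == "__main__":
    secret = 0xA7  # constructed secret chunk
    for masked in (False, True):
        inputs, traces = simulate_traces(secret, n=1000, noise_sd=1.0, seed=1, masked=masked)
        best, top, second = assess_leakage(inputs, traces)
        print(f"masked={masked}: best=0x{best:02x} corr={top:.3f} runner-up={second:.3f}")
```

For the unmasked intermediate the ideal correlation at the true chunk is sqrt(Var(HW) / (Var(HW) + noise_sd^2)), about 0.82 here, while the strongest wrong candidate (the one differing in the top bit, which modular addition cannot propagate a carry out of) sits noticeably lower; with the mask applied, every candidate drops to the noise floor. The same assessment, run on real traces from the PRNG or PRF, is what decides whether the abstract's reduction of XMSS security to PRNG DPA resistance holds for a given implementation.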


Keywords: Post-quantum cryptography; Hash-based signatures; DPA



We would like to thank Hervé Pelletier and Roman Korkikian from Kudelski Group for their help and expertise in the practical verification of the DPA on BLAKE-256. This work has been co-funded by the German Research Foundation (DFG) as part of project BU 630/28-1, and as part of projects P1 and S6 within the CRC 1119 CROSSING.



Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. TU Darmstadt, Darmstadt, Germany
  2. University of Surrey, Guildford, UK
  3. EPFL, Lausanne, Switzerland
  4. Kudelski Group, Cheseaux-sur-Lausanne, Switzerland
