Differential Power Analysis of XMSS and SPHINCS

  • Matthias J. Kannwischer
  • Aymeric Genêt
  • Denis Butin
  • Juliane Krämer
  • Johannes Buchmann
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10815)

Abstract

Quantum computing threatens conventional public-key cryptography. In response, standards bodies such as NIST increasingly focus on post-quantum cryptography. In particular, hash-based signature schemes are notable candidates for deployment. No rigorous side-channel analysis of hash-based signature schemes has been conducted so far. This work bridges this gap. We analyse the stateful hash-based signature schemes XMSS and \(\text {XMSS}^{MT}\), which are currently undergoing standardisation at the IETF, as well as SPHINCS—the only practical stateless hash-based scheme. While timing and simple power analysis attacks are unpromising, we show that the differential power analysis resistance of XMSS can be reduced to the differential power analysis resistance of the underlying pseudorandom number generator. This first systematic analysis helps to further increase confidence in XMSS, supporting current standardisation efforts. Furthermore, we show that at least a 32-bit chunk of the SPHINCS secret key can be recovered using a differential power analysis attack, owing to its stateless construction. We present novel differential power analyses on a SHA-2-based pseudorandom number generator for XMSS and a BLAKE-256-based pseudorandom function for SPHINCS-256 in the Hamming weight model. The first attack does not threaten current versions of XMSS unless a customised pseudorandom number generator is used. The second one compromises the security of a hardware implementation of SPHINCS-256. Our analysis is supported by a power simulator implementation of SHA-2 for XMSS and a hardware implementation of BLAKE for SPHINCS. We also provide recommendations for XMSS implementers.

Keywords

  • Post-quantum cryptography
  • Hash-based signatures
  • DPA

Acknowledgments

We would like to thank Hervé Pelletier and Roman Korkikian from Kudelski Group for their help and expertise in the practical verification of the DPA on BLAKE-256. This work has been co-funded by the German Research Foundation (DFG) as part of project BU 630/28-1, and as part of projects P1 and S6 within the CRC 1119 CROSSING.

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Matthias J. Kannwischer (1, 2)
  • Aymeric Genêt (3, 4)
  • Denis Butin (1)
  • Juliane Krämer (1)
  • Johannes Buchmann (1)

  1. TU Darmstadt, Darmstadt, Germany
  2. University of Surrey, Guildford, UK
  3. EPFL, Lausanne, Switzerland
  4. Kudelski Group, Cheseaux-sur-Lausanne, Switzerland