On the Security of Lattice-Based Fiat-Shamir Signatures in the Presence of Randomness Leakage
Yuejun Liu, Yongbin Zhou, Shuo Sun, Tianyu Wang, Rui Zhang, Jingdian Ming
DOI: https://doi.org/10.1109/tifs.2020.3045904
IF: 7.231
2021-01-01
IEEE Transactions on Information Forensics and Security
Abstract: Leakages during the signing process, including partial key exposure and partial (or complete) randomness exposure, may be devastating for the security of digital signatures. In this work, we investigate the security of lattice-based Fiat-Shamir signatures in the presence of randomness leakage. To this end, we present a generic key recovery attack that relies on minimal leakage of randomness, and then theoretically connect it to a variant of the Integer-LWE (ILWE) problem. The ILWE problem, introduced by Bootle et al. at Asiacrypt 2018, is to recover the secret vector $\mathbf{s}$ given polynomially many samples of the form $(\mathbf{a}, \langle \mathbf{a}, \mathbf{s} \rangle + e) \in \mathbb{Z}^{n+1}$, and it is solvable if the error $e \in \mathbb{Z}$ is not superpolynomially larger than the inner product $\langle \mathbf{a}, \mathbf{s} \rangle$. However, in our variant (which we call the FS-ILWE problem in this paper), $\mathbf{a} \in \mathbb{Z}^{n}$ is a sparse vector whose coefficients are NOT independent any more, and $e$ is related to $\mathbf{a}$ and $\mathbf{s}$ as well. We prove that the FS-ILWE problem can be solved in polynomial time, and present an efficient algorithm to solve it. Our generic key recovery method directly implies that many lattice-based Fiat-Shamir signatures will be totally broken with one (deterministic or probabilistic) bit of randomness leakage per signature. Our attack has been validated by experiments on two NIST PQC signatures, Dilithium and qTESLA. For example, for Dilithium-III with 125-bit quantum security, the secret key is recovered within 10 seconds on an ordinary desktop PC, given about one million signatures. Similarly, key recovery attacks on Dilithium under other parameters and on qTESLA complete within 20 seconds and 31 minutes, respectively.
We also present a non-profiled attack to show how the required randomness bit can be obtained in practice through power analysis of a proof-of-concept implementation of polynomial addition. The experimental results confirm the practical feasibility of our method.
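To make the ILWE problem from the abstract concrete, the following toy example (added here; not code from the paper or its authors) builds a constructed ILWE instance with small, independent coefficients and recovers $\mathbf{s}$ by ordinary least squares followed by rounding, the textbook solver for ILWE. The parameters (n = 8, 2000 samples, coefficient and error bounds) are arbitrary choices for illustration; the second run shows the condition in the abstract, namely that recovery breaks down once the error is far larger than the inner product.

```python
import random


def ilwe_samples(s, m, a_bound, e_bound, rng):
    """Constructed ILWE instance (example data, not from the paper):
    m pairs (a, <a,s> + e) with a uniform in [-a_bound, a_bound]^n
    and e uniform in [-e_bound, e_bound], no modular reduction."""
    n = len(s)
    samples = []
    for _ in range(m):
        a = [rng.randint(-a_bound, a_bound) for _ in range(n)]
        e = rng.randint(-e_bound, e_bound)
        samples.append((a, sum(x * y for x, y in zip(a, s)) + e))
    return samples


def solve_ilwe(samples):
    """Recover s by least squares: solve the normal equations
    (A^T A) x = A^T b with Gauss-Jordan elimination, then round
    each coordinate to the nearest integer."""
    n = len(samples[0][0])
    ata = [[0.0] * n for _ in range(n)]
    atb = [0.0] * n
    for a, b in samples:
        for i in range(n):
            atb[i] += a[i] * b
            for j in range(n):
                ata[i][j] += a[i] * a[j]
    aug = [row + [rhs] for row, rhs in zip(ata, atb)]  # [A^T A | A^T b]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(n):
            if r != col:
                f = aug[r][col]
                aug[r] = [v - f * w for v, w in zip(aug[r], aug[col])]
    return [round(row[n]) for row in aug]


def demo(seed=1, e_bound=10):
    """Return (true s, recovered s). With e_bound=10 the error is of the
    same order as <a,s> and recovery succeeds; with e_bound=100000 the
    least-squares estimate is swamped by noise and rounding fails."""
    rng = random.Random(seed)
    s = [rng.randint(-2, 2) for _ in range(8)]
    return s, solve_ilwe(ilwe_samples(s, 2000, 3, e_bound, rng))
```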
Computer Science, Theory & Methods; Engineering, Electrical & Electronic