Lattice-Based Signature Schemes and Their Sensitivity to Fault Attacks

Lattice-Based Signature Schemes and their Sensitivity to Fault Attacks

Nina Bindel and Johannes Buchmann and Juliane Krämer Technische Universität Darmstadt, Germany Email: {nbindel, buchmann, jkraemer}@cdc.informatik.tu-darmstadt.de

Abstract Due to their high efficiency and their Lattice-based constructions promise to be a valuable strong security properties, lattice-based cryptographic post-quantum replacement for current public-key cryp- schemes seem to be a very promising post-quantum tography because of their broad applicability, their high replacement for currently used public key cryptogra- efficiency, and their strong security properties. However, phy. The security of lattice-based schemes has been when novel cryptographic schemes are brought into prac- deeply analyzed mathematically, whereas little effort has been spent on the analysis against implementa- tice, their mathematical security is not sufficient. Physical tion attacks. attacks which target cryptographic schemes while they are In this paper, we start with the fault analysis of being executed also have to be considered to provide the one of the most important cryptographic primitives: desired level of security. For lattice-based cryptographic signature schemes. We investigate the vulnerabil- schemes, until now, little effort has been spent in analyzing ity and resistance of the currently most efficient their vulnerability against such attacks. While lately the lattice-based signature schemes BLISS (CRYPTO research on side channel attacks has advanced [8], [27], 2013), ring-TESLA (AfricaCrypt 2016), and the GLP there are no results on fault attacks against schemes over scheme (CHES 2012) and their implementations. We general lattices yet1. Hence, the natural question arises consider different kinds of (first-order) randomizing, zeroing, and skipping faults. For each of the signature whether lattice-based primitives and their implementations schemes, we found at least six effective attacks. are vulnerable against fault attacks. To increase the security of lattice-based signature 1) Contribution: In this paper, we start to investigate schemes, we propose countermeasures for each of the vulnerability of lattice-based cryptography towards the respective attacks. fault attacks. We analyze signature schemes and their Keywords. lattice-based cryptography, signature implementations and scrutinize whether certain schemes scheme, fault attack, side channel analysis or instantiations thereof are more vulnerable than others. We consider the signature schemes BLISS [11], ring- I.INTRODUCTION TESLA [1], and the GLP scheme [16], since these are the Since the invention of Shor’s algorithm, which solves most promising ones with respect to efficiency, i.e., run- the discrete logarithm and the integer factorization prob- time, signature sizes, and key sizes. Concerning the faults lem in polynomial time using quantum computation, most that we consider, we focus on first-order fault attacks, of our daily used public key cryptography is on threat as regarding randomizing2, skipping, and zeroing faults. We soon as large enough quantum computers can be built. Due explore the reasons for the vulnerability and resistance, to the expectable development of large quantum computers respectively, of the key generation, sign, and verification in the near future, research on cryptographic construc- algorithms. Furthermore, we propose countermeasures for tions which are secure even in the presence of large each of the developed attacks. quantum computers - called post-quantum cryptography To reduce the number of necessary faults, we propose - has seen a boost in recent years. This is also reflected a hybrid approach of fault attacks and lattice analysis. in two current announcements by the National Security In the three analyzed signature schemes, the secret is a n Agency (NSA) and the National Institute of Standards and polynomial s ∈ Zq[x]/(x + 1) with small coefficients. Technology (NIST): in 2015, NSA advertised lattice-based The hybrid approach allows an attacker to determine not cryptography over elliptic curve cryptography [24] and in 2016, NIST announced to start a standardization process 1A few results for fault attacks on NTRU-lattices and -schemes exist, e.g., [18]. These cannot be transfered to signature schemes over non- for post-quantum cryptography [25]. These developments NTRU lattices which are used nowadays. show that post-quantum cryptography is standing on the 2We do not analyze bit flips separately since they are either covered edge of being used in practical applications. by randomization faults or in practice considered as unrealistic [15]. all, but only a necessary amount of the coefficients of exploit the additional cyclic structure of ideal lattices. the secret with the help of faults such that the remaining However, based on our results, we show that ideal-lattice- lattice problem can be solved mathematically. We gen- based schemes are indeed more vulnerable to zeroing erally analyze how many coefficients of the secret must attacks than schemes over standard lattice. Secondly, we be recovered by fault attacks in order to use the hybrid show that instantiating a scheme with common (ideal-) approach for BLISS, ring-TESLA, and the GLP scheme. lattice problems, i.e., choosing the secret polynomial to We apply this approach on our randomization fault attack. be Gaussian distributed, is less vulnerable than more Our research shows that all examined signature schemes efficient instantiations. For example, the GLP scheme and and their implementations are vulnerable to all three kinds BLISS3 are more vulnerable to randomizing faults since of considered fault attacks, since we find effective attacks the coefficients of the secret polynomial are chosen to against each of them. A summary of the analyzed attacks be in {−1, 0, 1} or {−2, ..., 3}, respectively, instead of and the respective vulnerabilities of the three signature Gaussian distributed as it is done for ring-TESLA. This schemes is given in TableI. Note that certain effects can has already been feared from a theoretical perspective [26] be achieved with different kinds of fault attacks, e.g., some and is now shown in this work from the practical point of variables can be zeroed out both with a zeroing fault and view. a skipping fault. Such fault attacks are only listed once We expect that our fault analysis and the proposed in TableI, but mentioned and explained in all relevant countermeasures are not limited to signature schemes, but sections in the remainder of this paper. that they can easily be transfered to most of the existing lattice-based constructions. TABLE I 2) Organization: In Sec.II, we introduce the analyzed COMPARISON OF THE GLP SCHEME,BLISS, ANDRING-TESLA signature schemes, i.e., GLP, BLISS, and ring-TESLA, WITHRESPECTTOTHEIRVULNERABILITYTOTHEATTACKS DESCRIBED IN THIS PAPER.THETABLESHOWSTHEALGORITHMS and explain the hybrid approach for combined fault attacks WHICH THE FAULT ATTACKS TARGET, I.E., KEY GENERATION (KG), and lattice analyses. In Sec. III, we present randomizing SIGNATURE GENERATION (S), ANDVERIFY (V), ANDIFTHE attacks on all three schemes. Skipping attacks for the same SCHEME IS VULNERABLE TO THE RESPECTIVE ATTACK, I.E., schemes are explained in Sec.IV and in Sec.V, their VULNERABLE G, VULNERABLEWITHAHUGENUMBEROFNEEDED FAULTS (G), NOTVULNERABLE H, NOTAPPLICABLE -. vulnerability towards zeroing faults is investigated. We present countermeasures against the attacks and guidelines Fault Attack Algorithm GLP BLISS ring- Section for fault-attack-resistant implementations in Sec.VI and TESLA conclude in Sec. VII. Rand. of secret S GGH III-A Rand. of error S HHH III-B Rand. of modulus S HHH III-C II.PRELIMINARIES Rand. of randomness S HHH III-D A. Notation Skip of mod-reduction KG H - H IV-A1 k Skip of addition KG GGG IV-A2 Let k ∈ N and n = 2 ∈ N throughout this Skip of rejection S (G)(G)(G) IV-B1 q ∈ q = 1 Skip of addition S GHH IV-B2 paper. We define N to be a prime with Skip of mod-reduction S H - H IV-B3 (mod 2n). We denote by Zq the finite field Z/qZ with Skip of correct-check V GGG IV-C1 representatives in −q/2, q/2 ∩ Z. We write (mod q) Skip of size-check V GGH IV-C2 Zero. of secret KG G - H V-A to denote the unique representative in Zq. Furthermore, n Zero. of randomness S GGG V-B we define the rings R = Z[x]/(x + 1) and Rq = Zero. of hash value S HHH V-C n Pn−1 i Zq[x]/(x + 1) and the sets Rq,[B] = { i=0 aix | Zero. of hash polynomial V GGG V-D ai ∈ [−B,B] ∩ Z} for B ∈ [0, q/2] ∩ Z and Bn,ω = n Pn−1 i 2 o We show that two commonly used tweaks in the con- a = i=0 aix | ai ∈ {0, 1},kak = ω for ω ∈ [0, n]∩ n struction of lattice-based signature schemes, which are Z. We indicate the Euclidean norm of a vector v ∈ R q 2 2 deployed for efficiency reasons, should only be carefully by kvk. Similarly, we define kak = a0 + ... + an−1 for Pn−1 i applied. First, our analysis shows a difference between the a = i=0 aix . We denote polynomials by lower case vulnerability of ideal-lattice-based schemes and standard- letters (e.g., p) and (column) vectors by bold lower case lattice-based schemes with respect to fault attacks. In letters (e.g., v). We write matrices by bold upper case standard-lattice-based schemes the underlying lattice is letters (e.g., M) and the transpose of a matrix M by MT . m×n defined by a uniformly sampled matrix A ∈ Zq , whereas ideal lattices can be defined via a polynomial 3We are aware of the fact that the publicly available implementation of degree n. The resulting additional structure of ideal of BLISS is not to be used for security applications. However, it is one of the most efficient signature scheme implementations. By analyzing lattices leads to much smaller key sizes and better run- this software, the research community still can gain insights about how times. Up to know, mathematical cryptanalysis could not to implement schemes resistant against fault attacks.

2 Via the coefficient embedding, we identify a polynomial a ←$ Rq and b = as + e (mod q). On input µ, the sign n−1 a = a0 + a1x + ... + an−1x ∈ Rq with its coefficient algorithm first samples y1, y2 ←$ Rq,[k]. Afterwards, it T vector a = (a0, . . . , an−1) . Without further mentioning, hashes the most significant bits of ay1 + y2 together with we denote the coefficient vector of a polynomial a ∈ Rq µ. The signature polynomials z1 and z2 are computed. T by a. We define rot(a) = (−an−1, a0, . . . , an−2) and To hide the secret, rejection sampling is applied, i.e., z2 2 n−1 n×n ? Rot(a) = (a, rot(a), rot (a),..., rot (a)) ∈ Zq . is compressed to z2 and the signature is returned only Polynomial multiplication of a, b ∈ Rq is equivalent to with some probability (see [20] for further information the matrix-vector multiplication Rot(a)b in Zq. For values on the rejection sampling). The verification algorithm a, b ∈ , we write a << b if a is much smaller than b. checks the size of z and z? and the equality of c and R 1 2 All logarithms are in base 2. ? H az1 + z2 − bc d,q , µ . Güneysu et al. [16] state the Let d ∈ N, c ∈ Z. We denote by [c]2d the unique repre- parameter set GLP-Set-I with n = 512 and q = 8383489. d d−1 d−1 sentative of c modulo 2 in (−2 , 2 ]∩Z. Let b·ed be This instantiation of the DCK gives a hardness of at least d the rounding operator b·ed : Z → Z, c 7→ (c − [c]2d )/2 . 80 bit [11]. We naturally extend these definitions to vectors and poly- 2) ring-TESLA: The secret key sk is a tuple of three nomials by applying b·e and [·] d to each component d 2 polynomials s, e1, and e2 with small coefficients; the pub- of the vector and to each coefficient of the polynomial, lic key vk consists of the polynomials a1, a2 ←$ Rq, b1 = respectively. We abbreviate v (mod q) by bve . d d,q a1s + e1 (mod q), and b2 = a2s + e2 (mod q). During Let σ ∈ >0. Let Dσ be the discrete Gaussian dis- R signing a message µ, a random polynomial y ←$ Rq,[B] is tribution on Z with standard deviation σ. We denote by sampled. Afterwards, the hash value c0 of the most signif- d ← D the operation of sampling an element d with σ icant bits of the products a1y and a2y and µ is computed distribution D . When writing v ← Dn we mean sampling σ σ and encoded as the polynomial c ∈ Bn,ω. The signature σ each coefficient of a polynomial v Gaussian distributed. of µ consists of c0 and the polynomial z = y + sc. Before For a finite set S, we write s ←$ S to indicate that an returning the signature, rejection sampling is applied. For element s is sampled uniformly at random from S. verification of the signature (c0, z), the size of z and the Let n ≥ k > 0.A k-dimensional lattice Λ is a 0 equality of c and H(ba1z − b1ce , ba2z − b2ce , µ) n d,q d,q discrete additive subgroup of R containing all integer is checked, where c is again the encoded polynomial of linear combinations of k linearly independent vectors c0. Akleylek et al. [1] proposed the parameter set ring- k {b1,..., bk} = B, i.e., Λ = Λ(B) = {Bx | x ∈ Z }. TESLA-II to achieve 128-bit hardness from the underlying The determinant of a lattice is defined by det(Λ(B)) = R-LWE problem: n = 512, σ = 52, q = 39960577. p > det (B B). The basis is not unique for a lattice and 3) BLISS: The key pair is chosen NTRU-like, i.e., the moreover, the determinant of a lattice is independent of the 2g+1 public key is vk = (a1, a2) = 2 f (mod q), q − 2 , basis. Throughout this paper we are mostly concerned with n−1 n where f, g ← F = {P h xi|h ∈ q-ary lattices. Λ ∈ Z is called a q-ary lattice if qZ ⊂ Λ $ d1,d2 i=0 i i m×n {−2, −1, 0, 1, 2}, |{hi = ±1}| = d1, |{hi = ±2}| = d2} for some q ∈ Z. Let A ←$ Zq . We define the q-ary lattices Λ⊥(A) = {x ∈ n | Ax = 0 (mod q)} and and f is invertible modulo q. The secret key sk consists q Z T T Λ (A) = {x ∈ n | ∃s ∈ m s.t. x = A>s (mod q)}. of sk = (s1, s2) = (f, 2g + 1) . Furthermore, the q Z Z T vectors (a1, a2), (s1, s2) , and ξ ∈ Z are chosen such T B. Description of the Lattice-Based Signature Schemes that (a1, a2)(s1, s2) = q = −q (mod 2q), ξ(q − 2) = In this subsection, we recall the signature schemes that 1 (mod 2q), and hence ξ(a1, a2) = (ξa1, 1) (mod 2q). we analyze in this work. We describe the GLP scheme by To sign a message µ, random vectors y1 and y2 are Güneysu et al. [16], ring-TESLA by Akleylek et al. [1], sampled with Gaussian distribution. A hash value c is and BLISS by Ducas et al. [11]. We depict the three computed from the randomness, the public key, ξ, and schemes in AppendixA in Fig.3,4, and5, respectively. the message µ. Afterwards, the value b ←$ {0, 1} is b We follow the notation of the respective figures. chosen, the polynomials z1 = y1 + (−1) s1c and z2 = b The security of the signature schemes is based on the y2+(−1) s2c are computed, rejection sampling is applied, ? ring learning with errors (R-LWE), the ring short integer and z2 is compressed to z2. During verification of the ? ? solution (R-SIS), or the decisional compact knapsack signature (z1, z2, c), the sizes of z1 and z2 and the equality ? (DCK) problem. We give a formal definition of R-LWE in of c and H ξa1z1 + ξqc(mod 2q) d,2q + z2(mod p), µ AppendixB. For a formal definition of DCK and R-SIS are checked. Ducas et al. [11] give two parameter sets we refer to the original works. to achieve 128-bit hardness of the underlying problem: 1) GLP: The secret key consist of two polynomi- BLISS-I with n = 512, σ = 215, q = 12289 and BLISS- als s, e ←$ Rq,[1] with ternary coefficients, i.e., with II with n = 512, σ = 107, q = 12289. Furthermore, we coefficients in {−1, 0, 1}; the public key is a tuple of like to emphasize that in the instantiations BLISS-I and

3 BLISS-II, d2 = 0. Hence, it holds true that In the embedding approach the LWE instance is reduced  to an instance of the unique shortest vector problem {−1, 0, 1} if j = 1,  (uSVP) [3], [4]. To this end, an embedding lattice Λ sj,i ∈ {−1, 1, 3} if j = 2, i = 0, is defined in which the error vector e is embedded.  {−2, 0, 2} if j = 2, i ∈ {1, ..., n − 1}, Following the explanation by Dagdelen et al. [31], we know that a short vector can be found if Pn i Pn i where s1 = s1,ix and s2 = s2,ix . 1 i=0 i=0 dim(Λ) dim(Λ) dim(Λ) Γ(1 + 2 ) 1 δ ≤ √ det(Λ) dim(Λ) , (2) C. Description of the Hybrid Approach of Lattice Analysis ||e||τ π and Fault Attacks where τ ≈ 0.4 is constant and Γ(n) is the gamma function. In this section, we describe how to combine fault attacks Two different ways to define Λ were proposed, which and algorithms that solve lattice problems such as LWE or are described next. During the standard embedding ap- SIS. Via this combination, which we call hybrid approach, proach we apply a uSVP solver on the lattice Λ = we can reduce the number of faults necessary to receive 0! A2 b (m+1)×(n−k+1) the secret drastically. Revealing all coefficients of the Λq (Ast) with Ast = ∈ Zq . secret of a lattice problem with high dimension might 0 1 require a huge amount of fault attacks. Instead, we analyze Hence, dim(Λq(Ast)) = m + 1 and det(Λq(Ast)) = m−n+k that it is sufficient to reveal just enough coefficients with q . Thus, Equation (2) gives the following inequal- the help of faults to solve the remaining instance with ity: algorithms that solve lattice problems, e.g., the embedding m+1 1 Γ(1 + ) (m+1) approach. We describe our hybrid approach for the LWE δm+1 ≤ √ 2 · qk−n−1. (3) π||e|| · τ problem next. We describe the analysis for SIS in the full version of this paper [6]. During the dual embedding approach we apply a ⊥ Let As + e = b (mod q) be an LWE instance, with uSVP solver on the lattice Λ = Λq (AD) with m×n n m 0 m×(n−k+m+1) A ∈ Zq , s ∈ Zq , and e ∈ Zq . Assume that k AD = A2|Im|b ∈ Zq . Hence, coefficients of the secret s are known. W.l.o.g., we can ⊥ ⊥ m dim(Λq (AD)) = n−k+m+1 and det(Λq (AD)) = q . assume that the first k coefficients of s are known, since Thus, Equation (2) gives the samples of an LWE instance can be reordered. Then, n−k+m+1 1 this instance can be written as Γ(1 + ) (n−k+m+1) δn−k+m+1 ≤ 2√ · qk−n−1. (4) T τ · πkek (A1|A2) s1, s2 + e = A1s1 + A2s2 + e = b, Assume that the computations should not run longer than m×k m×(n−k) k a day (resp., a week). By Equation (1) this corresponds with A1 ∈ Zq , A2 ∈ Zq , and s1 ∈ Zq , s2 ∈ n−k 0 0 to the Hermite delta δ1 = 1.0099 (resp., δ2 = 1.0097). Zq . Let b = b − A1s1. Thus, A2s2 + e = b (mod q) defines an LWE instance with the same number m of Finally, given n, m, and δ, we can compute the minimal samples but with a decreased dimension n−k of the secret value for k such that Equation (3) or Equation (4) is vector. fulfilled. To compute the minimal value of k, we first choose the Applying the hybrid approach to BLISS, ring-TESLA, time T (in seconds) how long the LWE solver should run, and the GLP scheme with δ1 shows that it is sufficient e.g., one day T = 86400. Afterwards, we compute the to reveal k = 344, k = 405, and k = 118, respectively, corresponding Hermite delta by the estimation made by instead of all secret coefficients by fault attacks. Given δ2 Linder and Peikert [19] the minimal values are k = 337, k = 389, and k = 105, respectively. Note that the bit-security of the GLP scheme 1.8 log (δ(T )) = . (1) is 80-bit, whereas the proposed instantiations BLISS-I, 2 log (T ) + 110 2 BLISS-II, and ring-TESLA-II give 128 bit of security. We The Hermite delta is a measurement for the quality of explain the derivation of k for each of the three schemes a basis reduction, for more information we refer to [19]. in detail in the full version of this paper [6]. Given n, m, and δ and following the embedding approach proposed in [14], we can compute the value k. We III.RANDOMIZATION FAULTS emphasize that we are aware that the embedding approach A randomization fault randomly changes the value of a is not always the best attack to solve LWE. Nevertheless, variable that is processed in the attacked alorithm, i.e., it yields an upper bound on the number of fault attacks the attacker does not know the value of the variable needed. after the attack, but benefits from knowing that it has

4 been changed within a certain range. Depending on the chosen to be ternary. Furthermore, we assume that the attacker’s abilities, the fault targets the whole variable or attack changes up to r consecutive coefficients instead of only some bytes or bits of it [29]. We analyze the effects of only a single coefficient of the secret. This is generally a randomization fault targeting the secret polynomial (Sec- considered to be a more realistic scenario [15]. tion III-A), the error polynomial (Section III-B), the mod- Assume that an attacker changes r consecutive co- ulus (Section III-C), and the randomness (Section III-D) efficients of the secret s, i.e., s0 = s + ε with ε = Pj+r i 0 during the signature generation. i=j εix , 0 ≤ j < n where all εi, si ∈ {−1, 0, 1}. The attack consists of three steps: inducing a random- A. Randomization of the Secret Polynomial ization fault, querying a signature on some message, 0 0 ? 0 ? 0 In 1996, Bao et al. introduced a method to attack sig- i.e., σ = (z1, z2, c) = (s c + y, z2, c) with s being nature schemes with binary secret keys [5]. In particular, the faulty secret, and analyzing the output by running a they show how to attack RSA, the ElGamal scheme, software implementation of the algorithm GeneralBao(·) and Schnorr signature schemes. In this section, we first that is depicted in Fig.1. The attacker repeats those three describe how to adjust the attack from [5] to lattice-based steps until sufficiently many coefficients of the secret are Schnorr-like signature schemes instantiated with binary determined such that the hybrid approach described in secret over standard lattices. Afterwards, we describe a Sec. II-C can be applied. more evolved attack on the GLP scheme. The algorithm GeneralBao(·) gets as input the public Take b = As + e (mod q) with s ∈ {0, 1}n and key, a signature of a message µ, and two lists: the list n e ← χ, where χ is some error distribution over Z . secret where the determined coefficients of the secret The public key is (A, b) and the secret key consists are saved and the list determined where the information of (s, e). The signature of a message µ is computed as whether or not a coefficient is already determined is saved. follows: choose randomness y, compute the hash value The algorithm GeneralBao(·) returns updated lists secret c = H(bAyed,q , µ), compute z = sc + y, and return and determined. σ = (z, c). Let α be the difference between the secret s and the 0 Pn−1 i Assume one coefficient of s is changed via a fault faulty secret s , i.e., α = i=0 αix is a polynomial 0 0 T attack, i.e., the secret s = (s1, ..., si−1, si, si+1, ..., sn) is with αi ∈ {−2, −1, 0, 1, 2}. The attacker checks whether 0 0 0 used to generate a signature. Hence, σ = (z , c) = (s c + H(baz1 + z2 − bc − aαced,q , µ) = c with αi, ..., αi+r ∈ y, c) is returned as faulty signature of µ. Now, an attacker {−2, −1, 0, 1, 2} for i ∈ {0, ..., n − 1 − r}. Thereby, the 0 checks whether H Az − bc − Avi,αc , µ = c, attacker gains information about the value and index of d,q 0 where vi,α is the zero vector except that the i-th entry si. The possible values for si, si, and αi are shown in is equal to α ∈ {−1, 0, 1}. Depending on the value of α TableII. and the index i, the attacker can determine the value of TABLE II si: 0 POSSIBLE COMBINATIONS FOR THE COEFFICIENTS OF s, s , AND α.  0  0 then si = si, run attack again, 0  si 0 0 0 1 1 1 -1 -1 -1 If α = 1 then s = 1, i si 0 1 -1 0 1 -1 0 1 -1  0 −1 then si = 0. αi = si − si 0 -1 1 1 0 2 -1 -2 0 Hence, in case of a successful fault attack, i.e., s 6= s0 , i i As indicated by Fig.1, the procedure GeneralBao(·) an attacker finds out one coefficient of the secret for each distinguishes between five different cases for each coef- injected fault. To our knowledge, there is no lattice-based ficient of α once the correct values of α , ..., α are signature scheme instantiated over binary LWE. However, 0 n−1 found. recent results on the hardness of binary LWE [2], [10], [21] show an interest in this instantiation and also a lattice-   2 then si = −1, based encryption scheme with binary secret was recently  −2 then s = 1, proposed [9]. With our description above we stand in line  i with those being cautious about instantiations of schemes If αi = 1 then si = 1 or si = 0, with binary LWE.  −1 then si = −1 or si = 0, 1) Applying the Attack to the GLP Scheme: In this  0  0 then si = s . section we describe a generalization of the attack by i Bao et al. [5] to ternary secret keys, i.e., to secret keys In the latter cases, the attacker can not determine si with coefficients in {−1, 0, 1}. We explain the attack by uniquely. Let sj be a coefficient which was changed during applying it to the GLP scheme, since its secret key is a fault attack such that αj,1 = αj = ±1. Assume that sj is

5 changed again by another fault attack with difference αj,2. two bits, this corresponds to four changed coefficients, Then the attacker can determine sj uniquely if αj,1 6= αj,2 i.e., r = 4. Hence, solving the following equation for m and αj,2 6= 0. The list determined is used for exactly this gives us the number of m = 151 (expected) needed faults purpose: to remember which coefficients were changed but to determine k = 118 coefficients of the secret s: could not be determined uniquely. m X 2r 512 − ij−1 · ≥ k, 9 512 GeneralBao(·): j=1 ? Input: σ = (z1, z2 , c), µ, vk = (a, b), list determined, list secret; with i0 = 0. In case r = 1, the expected number of needed signature σ is computed with a faulty secret fault attacks to uniquely determine k = 118 coefficients of Output: determined, secret s is m = 604. Hence, the generalization to targeting more 1 poly α = 0 #α = Pn−1 α xi i=0 i coefficients is not only more realistic, but also needs a 2 For i ∈ {0, ..., n − 1}: much smaller number of fault attacks. On the other hand 3 For αi ∈ {0, −2, −1, 1, 2}: 4 For α ∈ {0, −2, −1, 1, 2}: the runtime of the software to find the polynomial α is i+1 r 5 ... longer, since it takes 512 · 5 times the runtime of the 6 For α ∈ {0, −2, −1, 1, 2}: hash query for every fault attack. i+r 7 If H(baz1 + z2 − bc − aαced,q , µ) = c : 2) Application to BLISS: As described in Sec. II-B3, 8 For j ∈ {i, ..., i + r}: the secret keys of the instantiations BLISS-I and 4 9 If αj = 2 : BLISS-II are two polynomials s1, s2 with ternary-like 10 secret[j] = −1, determined[j] = 2 instantiation. Therefore, the attack on the 128-bit instanti- 11 If αj = −2 : ations of BLISS can be described in a similar manner as 12 secret[j] = 1, determined[j] = 2 it was done for the GLP scheme. 13 If αj = −1 : As before, assume r coefficients are changed during 14 If determined[j] = 1: 15 secret[j] = 0, determined[j] = 2 a fault attack. We assume that the coefficients of the 16 Else: faulty secret polynomial(s) are in the set {−3, ..., 3}, 17 determined[j] = −1 since it can be assumed that each coefficient is saved Pn−1 i 18 If αj = 1 : in three bits. Let α = i=0 αix . Given a faulty sig- ? 19 If determined[j] = −1 : nature σ = (z1, z2, c) of the message µ, the attacker 20 secret[j] = 0, determined[j] = 2 runs an algorithm similar to GeneralBao(·), Fig.1. The 21 Else: only difference is that the values of α lie in different 22 determined[j] = 1 intervals: in case the fault was induced on s1, the at- 23 Return determined, secret ? tacker checks H bξa1z1 + ξqc − ξαced,2q + z2, µ = c

for αi1 , ..., αir ∈ {−4, ..., 4} for i1, ..., ir ∈ {0, ..., n − 1}. In case the fault was induced on s , the attacker Fig. 1. Algorithm to compute coefficients of the secret given a 2 signature computed with a faulty secret where maximal r of the ? checks H bξa1z1 + ξqc − αced,2q + z2, µ = c for coefficients are changed by a randomization fault 5 αi1 , ..., αir ∈ {−5, ..., 5} for i1, ..., ir ∈ {0, ..., n−1} . As As described in Sec. II-C, at most k = 118 coefficients in the attack against the GLP scheme, sometimes the secret of s have to be determined via fault attacks to compute coefficients can be determined uniquely. The probability the whole secret via the hybrid approach. Hence, next we that a coefficient of s1 (resp., s2) is determined uniquely analyze the expected number of faults that we have to is 2/21 (resp., 4/21). We assume again that the indices of induce to determine k = 118 coefficients of s. We assume the changed coefficients are distributed uniformly random that the index of the first of the r changed coefficients is over the original coefficients. Hence, we roughly estimate chosen uniformly random in {0, ..., n−1}. Since r << n, the expected number of needed fault attacks by we assume that the changed (and hence the determined) m X r 1024 − ij−1 coefficients are uniformly distributed over all coefficients · ≥ k, 7 1024 s0, ..., sn−1. Assume the j-th fault attack is induced after j=1 ij coefficients have already been determined uniquely. with i0 = 0 and notations as in Sec. III-A1. Hence, with Then the number of newly determined coefficients after 2 512−ij−1 4 the j-th fault attack is given by 9 r n , since n is the For the higher-security instantiations BLISS-III and BLISS-IV, number of coefficients of s and following TableII, the d2 ∈ {0.03, 0.06}, i.e., there are a very few coefficients outside {−1, 0, 1}. Hence, extending our attack to those instantiations will probability that a coefficient is changed such that it can increase the run time, but the attack still weakens the security. 5 be determined uniquely is 2/9. Assume the fault attack To be exact, in case the fault was induced on s2, the attacker checks targets one byte. Since each coefficient can be saved in the hash values for α0 ∈ {−4, ..., 6} and α1, ..., αn−1 ∈ {−5, ..., 5}.

6 r = 1 an expected number of m = 2934 faults is needed that even higher-order skipping faults against a real-word to determine k = 344 (see Sec. II-C) coefficients of the cryptographic implementation are practical, the relevance secret (with r = 4 an expected number of m = 733 is of this kind of fault attacks has recently been strength- needed). We conclude that the attack is less efficient on ened [7]. BLISS than on the GLP scheme, but it is still applicable. We analyze different ways to exploit skipping faults 3) Application to ring-TESLA: The coefficients of the during the key generation (Section IV-A), the signature Pn−1 i secret s = i=0 six of ring-TESLA are chosen with generation (Section IV-B), and the verification algorithm Gaussian distributed. Hence, the possible values of α (Section IV-C). In the majority of cases, we explain the would be in a very large range. Even if we assume that fault attacks using the implementations of the signature the coefficients are with high probability bounded by schemes. Therefore, we use the publicly available soft- |si| ≤ σ (with σ = 52 for instantiation ring-TESLA-I), ware, i.e., we use the C++-implementation of BLISS [12], the number of needed fault attacks would be huge. Hence, the C-implementation of the GLP scheme [17], and the C- this attack does not seem to be a threat for ring-TESLA in implementation of ring-TESLA [1]. Since the implementa- particular and for instantiations with Gaussian distribution tion of ring-TESLA and the GLP scheme use the benefits in general. of the AVX instructions, we sometimes also consider the X86 assembly code of respective code lines. B. Randomization of the Error Polynomial A similar attack as described in Sec. III-A could be A. During Key Generation used to compute the (secret) error polynomial e. Leaking In this section we describe two possible skipping attacks e is as bad as leaking s, since s can be computed easily during the key generation. once e is known. Moreover, the success probability of 1) Skipping the Modulus Reduction: Let A ← n×m, most of the mathematical lattice analyses would increase $ Zq and s, e are chosen with some distribution over n and since those algorithms also benefit from reducing the key Z m, respectively. Afterwards compute b = As+e without space from {−1, 0, 1} to {−1, 0} or {0, 1}. However, the Z reducing modulo q. Solving SVP or CVP in the lattice GLP scheme is not vulnerable to this variant because of Λ = {v ∈ n | Aw = v for some w ∈ m} is most often its compression and rounding functions, since then the Z Z much easier than solving the same problem in Λ (A), equation H(az + z − bc − aαxic , µ) = c holds for q 1 2 d,q since det(Λ) ≥ det(Λ (A)), especially in case A is several values of α. Hence, α can not be determined. q invertible. Hence, skipping the modulo operation during Nevertheless, we mention this attack to raise awareness the key generation algorithm seems to be a security flaw. during the construction and instantiation of schemes. For However, this fault attack is already prevented in the three example, instantiating ring-TESLA (which does not come considered signature schemes. We use the implementation with such a compression function) over ternary LWE of the GLP scheme to explain the prevention. should be considered very carefully. As indicated by Listing1, the value t (corresponding C. Randomization of the Modulus to b in our notation) is computed without the reduction The randomization of the modulus does not seem to step. The modulo operation is performed in the subroutine reveal any information that helps to forge signatures, poly_pack. Skipping Line 78 of Listing1 thwarts the because the value of the faulty modulus would remain modulo reduction. Afterwards, only the least 32 bits of unknown. Furthermore, key and signature generation of (the faulty) t are saved in r. Hence, skipping Line 78 lattice-based signature schemes are randomized at several leads to a randomization fault on b which does not reveal points by construction. Hence, tools like the Chinese secret information. remainder theorem do not give access to the secret. 48 poly_mul_a(t, s1); 49 poly_add_nored(t, t, s2); D. Randomization of the Randomness 51 poly_pack(pk, t); [...] As expected, also the randomization of the random 71 void poly_pack(unsigned char r[3*POLY_DEG], const poly f) values, e.g., the product ay (or similar) or the hash output 72 { c, does not reveal information that the attacker can use 73 int i; 74 signed long long t; to forge signatures, because such values look like (or are) 75 for(i=0;i> 8) & 0xff; 81 r[3*i+2] = (t >> 16) & 0xff; lected lines of the program code. This can, for example, 82 } be achieved via CPU clock glitching [7]. By showing 83 }

7 B. During Signature Generation Listing 1. C code of the GLP scheme for the computation of the public The signature generation of the schemes that we con- value b = as + e in the subroutine crypto_sign_keypair and of the modulus operation and compression in the subroutine poly_pack; sider in this paper is rather simple since it is a short se- the value t corresponds to the value b, the value s1 corresponds to s, quence of (polynomial) additions and multiplications. Fur- and s2 corresponds to e in our notation. thermore, the signature generation is randomized. Hence, 2) Skipping the Addition: We explain the following there are not many skipping operations which lead to in- attack using examples from the C-implementation of the formation about the secret key. We describe two skipping GLP scheme. However, the attack can also be successfully attacks during the sign algorithm in this section. applied to ring-TESLA and BLISS. Details about the 1) Skipping the Rejection Condition: Lyubashevsky attacks against ring-TESLA or BLISS can be found in first applied rejection sampling (introduced by von Neu- the full version of this paper [6]. mann [30]) to lattice-based signature schemes to assure that signatures are statistically independent of the secret In the GLP implementation, the public key is computed used to generate them. Thus, learning-the-parallelepiped- as follows, see Listing1: first a and s are multiplied attacks introduced by Nguyen and Regev [23] and im- and saved in the value b (Line 48). Afterwards, the error proved by Ducas and Nguyen [13] are prevented. Ducas e is added to b (Line 49). Hence, skipping the second and Nguyen need roughly 8000 signatures to reveal the operation yields b = as and an attacker can easily recover secret. In case of BLISS, ring-TESLA, and the GLP s by Gaussian reduction. Note that skipping Line 48 in scheme, the rejection sampling is implemented as an if- Listing1 results in an unallocated variable b, triggering condition, which would have to be skipped in order to a segmentation fault. Hence, no (predictable) information circumvent the rejection sampling. Skipping this rejection- is returned which could be used by an attacker. sampling-condition in many runs of the sign algorithm Considering the assembly code6 of the addition, see might introduce the same security flaw as used by the Listing2, one can see that in Line 962 the command attacks described in [23] and [13]. Since these attacks poly_add_nored@PLT is called. Hence, skipping this exploit the special structure of NTRU-lattices, BLISS line results in b = as as described above. might be especially vulnerable because its keys are chosen 958 .loc 1 49 0 in an NTRU-like manner. However, to find out the exact 959 1254 4C89E2 movq %r12, %rdx 960 1257 4C89F6 movq %r14, %rsi number of needed faults, the mentioned attacks have to 961 125a 4C89F7 movq %r14, %rdi be adapted to BLISS, ring-TESLA, and the GLP scheme, 962 25d E8000000 call poly_add_nored@PLT 962 00 and to be simulated, which we leave for future work. 2) Skipping the Addition of the Randomness: In the Listing 2. Assembly code corresponding to Line 49 in Listing1 of the GLP implementation. C-implementation of the GLP scheme, z1 and z2 of the signature are computed in two steps: first s (resp., e) and Skipping Line 962 (or Line 49 in Listing1) yields b = as c are multiplied. Afterwards, sc and y1 (resp., ec and y2) instead of b = as + e. Hence, although the attacker can are added, as can be seen in Listing3. Hence, skipping compute s, the error vector e will remain unknown. In Line 108 (resp., Line 120) in Listing3 yields z1 = sc the GLP scheme, however, e is used to compute z2. Next (resp., z2 = ec). we describe how an attacker can forge signatures anyway: 95 poly_setrandom_maxk(y1); the attacker chooses randomness y1, y2, computes the hash 96 poly_setrandom_maxk(y2); [...] value c for a message µ, z1 = y1 + sc, and z2 = y2 107 poly_mul(z1,c,s1); (instead of z2 = y2 + ec). The attacker applies rejection 108 poly_add_nored(z1,z1,y1); ? 109 poly_coeffreduce(z1); sampling and compresses z2 to z2 as usual and returns ? [...] the signature σ = (z1, z2, c). The verify algorithm accepts 119 poly_mul(z2,c,s2); this signature σ as we show in the following. Due to 120 poly_add_nored(z2,z2,y2); ? 121 poly_coeffreduce(z2); the rejection sampling, z1, z2 ∈ Rq,[k−32]. Furthermore, ? Listing 3. C code of the GLP implementation for the computation of it holds that az1 + z2 − tc = baz1 + z2 − tced,q = d,q the signature values z1 and z2. basc + ay1 + y2 − asced,q = bay1 + y2ed,q. Thus, by skipping a single line an attacker can reveal s and also As before, the assembly code of the respective code forge a signature for any message µ. lines corresponds to jumping to another operation. Hence, this attack gives the same result as zeroing the whole randomness as described in Sec. V-B, i.e., by skipping 6 We create a description of the code written in C in assembly one line an attacker knows the secret key. code via the command /usr/bin/gcc -Wall -g -O3 -c -Wa,-a,-ad -shared -fPIC file.c -o libfile.so > A similar attack is not possible in case of the BLISS or assemblyoutputoffile.lst the ring-TESLA implementation. We explain the reason

8 on the example of ring-TESLA. Explanations for BLISS checks are implemented as if-conditions for each entry can be found in the full version of this paper [6]. of c, see as an example the respective lines of the GLP In the implementation of ring-TESLA the value sc is implementation in Listing5. added to the value y as can be seen in Listing4. Hence, 184 for(i=0;i<20;i++) skipping Line 323 in Listing4 yields z = y (the value 185 if(sm[i] != h[i]) 186 goto fail; vec_y is the output value in the implementation). Since the randomness changes for every run of the sign algorithm, Listing 5. C Code of the correctness check in the GLP scheme; sm[0],...,sm[19] corresponds to c and h corresponds to c0 in the attacker does not learn anything about the secret. our notation; goto fail corresponds to not accepting a signature. 323 poly_add(vec_y, vec_y, Sc); Therefore, the skip has to be realized as a jump out of Listing 4. C Code of ring-TESLA for the addition of sc and y. the for-loop after the first iteration. Hence, the invalid signature is accepted as long as c, z , and z? are chosen 3) Skipping the Modulus Reduction: Skipping the re- 1 2 such that c[0] = c0[0]. duction modulo q during the signature generation does 2) Skipping the Size Check: We explain this attack by not reveal information about the secret since during the the example of the GLP scheme. It can similarly be ap- computation of z = y + sc (the only value that is returned plied to BLISS, while ring-TESLA is resistant to this kind and depending on the secret) no modulo reduction is of fault attack. The attack works as follows: the attacker computed in all of the signature schemes. Moreover, the chooses y , y ← R and computes the hash value modulo operation is computed very often during the sign 1 2 $ q,[k] c for some self-chosen message. Afterwards, the attacker algorithm, i.e., it is rather difficult to skip all the modulo computes z = a−1(ay + bc) (recall that the polynomial operations during the computation via fault attacks. 1 1 a is invertible) and z2 = y2. Easy computation shows C. During Verification that as long as the size check is skipped, the signature ? To prevent the installation of malicious malware it is σ = (z1, z2, c) is accepted. In case of GLP the size check if not enough to use cryptographic signatures for software is again implemented as a simple -condition. This is updates. It is also necessary to ensure that the verification also the case for BLISS, but by construction of the verify if of these signatures is computed correctly [28]. Hence, we algorithm, two -conditions have to be checked for z1 as analyze fault attacks during the verification algorithm in indicated by Fig.5. However, the attack does not work for this section. We identify two ways to force the acceptance ring-TESLA for the following reason: to accept the signa- 0 0 of an invalid signature for any message µ via skipping ture (z, c) the equation c = H w1 d,q , w2 d,q , µ has 0 attacks. In all three signature schemes that are considered to hold. Therefore wi d,q = baiz − biced,q = baiyed,q in this paper, the verify algorithm consists essentially has be fulfilled for i = 1, 2, i.e., the signature value z of computing a hash value c0, checking whether this is has to fulfill two equations during the verification. During the same as the input value c (called the correctness the attack the value z would be uniquely computed via ? check), and checking whether z (resp., z1 and z2) are a1 or a2. Hence, the probability that z would fulfill both small enough (called the size check). Note that we do equations is very small. not consider skipping the computation of the encoding function of the hash value c, since this would lead to V. ZEROING FAULTS an unallocated value. However, we consider zeroing c in Zeroing fault attacks assume that the attacker can set Sec. V-D. a whole variable or a part thereof to zero. We present 1) Skipping the Correctness Check: An adversary zeroing attacks during the key generation, the sign, and the chooses c uniformly at random and chooses z (reps., z1 verify algorithm. Although it has often been questioned if ? and z2) small enough and of the expected form (e.g., this is a realistic attack scenario, zeroing faults have been correct number of zero-coefficients), such that the size realized in practice [22]. In certain cases, zeroing attacks check goes through. Afterwards, the attacker computes the can be realized with skipping attacks, which is why we hash value c0. Hence, skipping the correctness check yields refer to SectionIV in the respective cases. an acceptance of the (invalid) signature of any message. In the software of ring-TESLA, the correctness check is A. Zeroing the Secret or Error During Key Generation implemented as the following single if-condition: Zeroing the error polynomial can be implemented as 378 if(memcmp(c,c_sig,32)) return -1; skipping addition operations during the key generation. Hence, we refer to Sec. IV-A for more information. where c_sig corresponds to c0 in our notation and Similarly, one can zero the secret polynomial. Assume returning -1 corresponds to not accepting a signature. that during the key generation a zeroing fault is induced In case of BLISS and the GLP scheme, the correctness such that s = 0, hence the value b = e (mod q) is

9 returned and the attacker knows the error polynomial c(ik). Hence, the attacker receives the following system of jk e. In case of the GLP scheme this is enough to forge equations, which can be solved uniquely: signatures: in case of the GLP scheme, the attacker, know- T (i1) (in0 ) T C · (s0, ..., sn−1) = (z , ..., z ) , (5) ing e, can compute a (valid) signature for any message j1 jn0 µ y , y ← R c ←   by choosing 1 2 $ q,[k] and computing (i1) (i1) (i1) (i1) ? cj ... c0 −cn−1 ... −cj +1 H(bay1 + y2ed,q , µ), z2 = y2 +ec, and its compression z2  1 1  with C =  ...... . as usual. Then z1 = y1 with y1 ←$ Rq,[k−32] (instead of   c(in0 ) ... c(in0 ) −c(in0 ) ... −c(in0 ) z1 = y1 + sc). As in Sec. IV-A, easy computation shows jn0 0 n−1 jn0 +1 ? that (z1, z2, c) will be accepted by the verify algorithm. Next we describe how an attacker can find out which In case of ring-TESLA, signatures cannot be forged in a coefficients of the randomness were changed to zero similar manner, because a signature (c, z) has to fulfill two during the i-th fault attack. The equation z(i) = sc(i) +y(i) (i) (i) (i) equations in order to be verified correctly: ba1z − b1ced,q is equivalent to z = Rot(s)c + y . To simplify the (i) (i) and ba2z − b2ced,q. This only occurs if and only if e1c = explanation we assume w.l.o.g. that c0 = ... = cω−1 = 1 (i) (i) e2c, which is very unlikely. The attack is not applicable to and cω = ... = cn−1 = 0. Hence, we can write BLISS since the public value aq = 0 if one of the secret (i) (i) polynomials f, g is set to zero. Hence, the attacker gains z0 =s0 − sn−1 + ... − sn−ω + y0 not additional information. (i) (i) z1 =s1 + s0 − sn−2 + ... − sn−ω+1 + y1 In the publicly available software implementation of ... (6) GLP and ring-TESLA, the key generation and the sign (i) (i) algorithm do not test whether the keys are of the correct zn−1 =sn−1 + sn−2 + ... + sn−ω−1 + yn−1. form. Thus, the respective attacks would not be detected (i) (i) (i) in the currently available implementations. We define zj = ςj +yj for j = 0, ..., n−1. Since sj ← D√σ, the expectation value of |sj| is given by E[|sj|] = σ 2/π for j = 0, ..., n − 1. Furthermore, since kck = ω, B. Zeroing the Randomness During the Signature Gener- √ ς(i) ωσ ation j is Gaussian distributed with standard deviation (i) p and E[|ςj |] = 2ω/πσ. Via the triangle inequality it In the following, we describe a zeroing attack on the holds that randomness of the signature generation. First, we describe p (i) (i) p the attack on ring-TESLA. Afterwards, we describe sim- B/2 − 2ω/πσ ≤ E[|ςj + yj |] ≤ 2ω/πσ + B/2. ilar attacks on BLISS and the GLP scheme. For the parameter set ring-TESLA-II, i.e., with B = 222 − 1) Description of the Attack Against ring-TESLA: (i) 1, ω = 19, and σ = 52,E[|z |] is given by Throughout this section we use the following notation: j n−1 j  let the secret polynomial be s = P s x . Let (i) j=0 j 102, if y = 0, (1) (1) (m) (m) E[|z(i)|] ≈ j (z , c ), ..., (z , c ) be signatures for any mes- j 21 (i) (i) Pn−1 (i) j (i) Pn−1 (i) j 2 , if yj 6= 0. sages with z = j=0 zj x and c = j=0 cj x (i) where cj ∈ {0, 1} for i = 1, ..., m. Furthermore, let Since the difference between the expectation values is y(1), ..., y(m) be the faulty randomnesses with y(i) = very large, we assume that the attacker can unambiguously Pn−1 (i) j determine whether or not y(i) was changed to zero. j=0 yj x . Finally, let r ∈ {1, ..., n} be the number j of coefficients that are changed to zero during the fault The number of needed zeroing faults strongly depends attack. We assume that the coefficients are changed block- on the value r. Let m be the number of necessary (i) (i) wise, i.e., the coefficients yj , ..., yj+r are changed for successful fault inductions to reveal the secret and let S be i ∈ {1, ..., m} and j ∈ {0, ..., n − 1}, and the attacker the set of equations which will be part of Equation (5). We cannot control which block of r coefficients is set to zero. assume that every successful fault induction adds r new The idea of the attack is as follows: first the at- equations to the set S, since the hash value c changes for tacker induces a zeroing fault on the randomness and every sign query. Hence, solving the following equation checks which of the coefficients were changed to zero for m gives the number of necessary faults: (we explain later in this section how this is done). m 1 X 1 1 The attacker collects equations with y(i) = 0, i.e., · r − (k − 1) − ≥ n. (7) j 3 2n 2r (i) (i) T (i) k=1 (sj, ..., s0, −sn−1, ..., −sj+1)(c0 , ..., cn−1) = zj . The 0 3n attacker repeats those steps until the set of n ≥ n Thus, m ≥ r−1/2r , where the factor 3 comes from the collected equations is sufficient, i.e., every coefficient of rejection probability of 0.34 stated in [1]. Assume the s0, ..., sn−1 is at least once multiplied with a non-zero attacker can set 12 bytes to zero, i.e., r = 4 since each

10 coefficient of y can be saved in three bytes, then m = 384. one specific random value does not reveal information to For r = 1, we get m = 1536. successfully forge signatures. In case r = n, i.e., the complete randomness can be set to zero, only a single successful fault attack is D. Zeroing Fault During the Verification Algorithm necessary, since then the linear system of equations in In this subsection, we describe a zeroing attack on the Equation (6) can be solved uniquely with high probability. polynomial computed from the hash value c using the The reason is that the rows of a rotation matrix are Z- pseudo code of ring-TESLA. This attack works similarly linearly independent and ±s0, ..., ±sn−1 are independent on the GLP scheme and BLISS since they use the same random variables with high probability. mechanism as it is used in ring-TESLA, although this is 2) Application to BLISS or the GLP Scheme: The not made explicit in their pseudo code. attack can also be applied on BLISS and the GLP scheme. The goal of the attacker is to force the verify algorithm Assume that the zeroing fault was induced on y1 of the to accept a (unvalid) signature for a message µ. To this 0 GLP scheme. As explained above, we can recover s. end, the attacker chooses z ←$ Rq,[B−U], computes c ← Afterwards, we can compute e by e = t − as. Because of H(ba1zed,q , ba2zed,q , µ), and returns (c, z) as signature the compression function the attack is not effective if y2 is of µ. During the verify algorithm, first the value c ← faulty. Due to the compression algorithm, a maximum of F (c0) is computed. Assume c was set to zero during a 00 six coefficients are in the final signature for the proposed fault attacks. Hence, w1 = a1z and w2 = a2z, and c ← 0 00 instantiation. Similarly, we can assume that the zeroing H(ba1zed,q , ba2zed,q , µ). Thus, c = c and the signature fault was induced on y1 during the sign algorithm of is accepted. BLISS. As explained above, we can then recover s1 and VI.COUNTERMEASURESAND GUIDELINES we can recover s2 by s2 = a1s1. For similar reasons as for the GLP scheme, the attack does not work effectively We describe countermeasures to prevent fault attacks for in case y2 instead of y1 is faulty. each kind of attack described in this paper. Additionally to 3) Application to Signature Schemes over Standard- our guidelines, we refer to the intensive literature about Lattices: The attack is far less efficient and only appli- countermeasures in general [29]. Note that it is crucial cable for r = n when applied to schemes defined over that a countermeasure can not be easily circumvented by standard lattices instead of ideal lattices. another fault attack. Hence, implementations of counter- Let r = n, i.e., the randomness is equal to the zero measures should always consider preventions against all vector. Let the notation and assumptions be as described three kinds of attacks. above. Then the following system of equations gives n·m A. Countermeasures Against Randomization Faults equations and n2 unknowns and can be solved uniquely: One way to prevent the randomization attack described T T z(1), ...., z(m) = Rot(s) c(1), ..., c(m) . in Sec. III is to check the correctness of the secret key. As long as the randomization fault is not implemented as Still it is less efficient than in the ring setting, since the a skipping attack, it can be prevented by simple correct- attacker needs to induce at least 3n zeroing faults (again ness checks or comparisons. Our approach is somewhat the factor 3 comes from the rejection probability). In −1 different: let a be the inverse polynomial of a in Rq, the ring setting with the same assumption r = n, the s0 be the faulty secret, s be the original secret, and attacker needs to induce (on average) three zeroing faults let b0 = as0 + e (mod q). Instead of Line8 of the successfully. −1 0 GLP scheme (see Fig.3), we compute z1 = a (b − In case r < n, the attack is in general not applicable 0 b)c + s c + y1 = sc + y1. Hence, we always return a to signature schemes over standard lattices, since the signature generated with the correct secret key even if multiplication of matrices is not commutative, a condition the fault attack described in Sec. III occurred. As long as that we need in Equation (5). implemented with respect to the guidelines mentioned in the next section, this countermeasure should not induce C. Zeroing the Hash Value During the Signature Gener- vulnerabilities against the described skipping or zeroing ation attacks. A disadvantage of this countermeasure is that Zeroing the hash value c during the sign algorithm does the public key b has to be given as input, i.e., the key not lead to more information about the secret key since sizes are increased. Furthermore, the inverse of a has to only the product sc occurs in the final signature. Hence, be computed. Similarly to the protection of the secret the attacker only gets access to the randomness, which polynomial, the error term could be protected if necessary. changes for every run of the sign algorithm in BLISS, Our analysis in Sec. III indicates that aggressive instan- ring-TESLA, and the GLP scheme. Hence, knowledge of tiations such as DCK or NTRU are more vulnerable to

11 randomization attacks. Hence, instantiating BLISS or the to prevent the skipping attack presented in Sec. IV-A2. GLP scheme over ring-LWE or ring-SIS would strengthen The goal of this attack is to skip operations during the key the security of those schemes with respect to fault attacks. generation algorithm such that the public key is not of the Most probably this would lead to a serious efficiency correct form. A faulty b can either be b = as+e ( mod q), penalty. b = as (mod q), b = e (mod q), or b = 0. To prevent returning a faulty b, the additional computations shown in B. Countermeasures Against Skipping Faults Fig.2 should be implemented for the GLP scheme (and We describe countermeasures to prevent the skipping similarly for ring-TESLA and BLISS). In case b is not attacks presented in Sec.IV. One way to prevent skipping faults addressing the addition in general is to define a new variable to save the resulting sum, e.g., Listing6. Skipping Line 49 of 1 b = as + e (mod q) the countermeasure in Listing6 does not lead to a suc- 2 u ←$ Zq cessful attack since the value b2 would not be allocated kt−ask+u 3 ν = kek+u and a segmentation fault would be triggered. Hence, no 4 If s = νs ∧ e = νe: information about the secret is revealed. 5 Return sk = (νs, νe) // original // countermeasure 6 Else: 48 poly_mul_a(b, s); poly_mul_a(b1, s); 7 Restart key generation 49 poly_add_nored(b,b,e); poly_add_nored(b2,b1,e); Listing 6. Comparison of the original code of the GLP scheme and Fig. 2. Pseudo code of a countermeasure to check whether the key an example of a countermeasure against skipping the addition during pair is generated correctly: the returned key pair is either of the correct key generation. form or the secret and the public key do not correspond to each other. A different approach which prevents skipping attacks in certain cases is to add secret information to random information and not the other way around, e.g., use the faulty, ν = 1 and the correct elements s, e are returned. code shown on the bottom of Listing7 instead of the In case b is faulty, no security flaw occurs because even original GLP code. Hence, skipping Line 108b in Listing7 if Line4 is skipped, the secret and the public key do not results in z = y instead of z = y + as. Since y 1 1 1 1 1 correspond to each other. Hence, at worst the signer uses changes for every sign query, the attacker does not gain the invalid keys to sign messages which can not be verified information about the secret. This is already realized in with the corresponding faulty b. the implementations of BLISS and ring-TESLA. // original Due to (Gaussian) sampling of elements, it is rather 95a poly_setrandom_maxk(y1); difficult to induce a skipping fault to skip the rejection [...] 107a poly_mul(z1,c,s1); sampling at the right time. Nevertheless, it is advisable to 108a poly_add_nored(z1,z1,y1); make sure that rejection sampling is applied correctly. In 109a poly_coeffreduce(z1); case of ring-TESLA and the GLP scheme the rejection //countermeasure sampling is implemented as an if-condition such that 95b poly_setrandom_maxk(z1); [...] the signature is returned if the if-condition is true. In 107b poly_mul(v1,c,s1); assembly code this means, that the signature is returned 108b poly_add_nored(z1,z1,v1); 109b poly_coeffreduce(z1); if the zero flag is equal to 1. Hence, when the if- Listing 7. Comparison of the original code of the GLP scheme and condition is skipped by fault, a signature is returned if an example of a countermeasure against skipping the addition of the and only if the zero flag was set equal to 1 in an earlier randomness during signature generation. computation. It is reasonable to assume that this happens Since our analysis focuses on (and our countermeasures with probability 0.5. Hence, formulating the if-condition protect against) first order fault attacks we assume that an as it is done for ring-TESLA and the GLP scheme does not attack can not know the content of the cache and induce a prevent the skipping attack completely, but it doubles the skipping fault at the same time. Hence, the countermeasure (expected) number of necessary fault injections. In case described above should prevent first order fault attacks. of the BLISS implementation, the rejection sampling is However, a stronger adversary might know the content of implemented as if-condition(s) such that a signature is the cache, skip Line 95b, and hence can compute s1. We rejected if the if-condition holds true. Hence, skipping leave the analysis of this scenario for future work. this if-condition means to skip the rejection sampling. Besides the countermeasures mentioned above, it should Reformulating the if-condition as it is done for ring- be ensured that only correctly formed or totally random TESLA and the GLP scheme would make this skipping keys are returned. In the following, we describe a method attack much more complicated.

12 C. Countermeasures Against Zeroing Faults We state that the three signature schemes and their Zeroing faults can often be categorized as randomiza- implementations behave rather similar under fault attacks. tion or skipping faults. Hence, zeroing faults can often be However, the different instantiations of the schemes lead prevented by the countermeasures described in Sec. VI-A to different vulnerabilities. BLISS and the GLP scheme and VI-B. are more vulnerable to a randomization attack during the key generation because of their aggressive instantiation Assuming that the zeroing fault is not caused by skip- with ternary secret and error. Moreover, our analysis ping or randomizing faults, we can prevent a zeroing shows that ideal-lattice-based schemes are in general more attack by simply checking whether the values of the secret vulnerable to zeroing attacks during the sign algorithm or error polynomial (Sec. V-A), the randomness during than standard-lattice-based schemes. We propose effective signing (Sec. V-B), the hash value (Sec. V-C), or the countermeasures for each of the analyzed attacks. Most encoding polynomial (Sec. V-D) are zero, since we only of them are very efficient, since they do not require time- consider first-order faults in this paper. consuming computations. VII.CONCLUSION Future Work. This work is a starting point for fault analysis of lattice-based cryptography. It is not compre- In this paper, we analyzed the lattice-based signa- hensive, e.g., we did not analyze underlying algebraic ture schemes BLISS, ring-TESLA, and the GLP scheme computations such as polynomial multiplications and we and their implementations with respect to fault attacks. did not consider fault attacks targeting these underlying Furthermore, we presented countermeasures against the computations, e.g., we did not analyze the effects of described attacks. Hereby, we considered three types of zeroing attacks on the most (or least) significant bits of faults: randomization, skipping, and zeroing faults. polynomial coefficients or the modulus. For nine of the 15 considered attacks at least one of In addition to these ideas for deeper fault analysis, we the three schemes was vulnerable. We summarize our leave for future work to compare the original implementa- results in TableI. All three schemes are vulnerable against tions with implementations that take our countermeasures zeroing faults during the sign algorithm, against zeroing into account and to verify the effectiveness of the proposed faults during the verification, against skipping faults dur- measures by a software simulation. Moreover, since this ing the key generation, against two kinds of skipping faults work focuses on theoretical fault analysis, the practical during the verification algorithm, and (to a variable extent) realization of the proposed attacks remains to be done. against skipping faults during the signature generation algorithm. Moreover, the GLP scheme is vulnerable to an additional skipping attack during the sign algorithm and REFERENCES an additional zeroing attack during the key generation. [1] S. Akleylek, N. Bindel, J. Buchmann, J. Krämer, and G. A. Mar- In Table III, we recall the (expected) minimal number of son, “An efficient lattice-based signature scheme with provably successful faults needed for the respective fault attacks. secure instantiation,” in International Conference on Cryptology – AFRICACRYPT 2016, D. Pointcheval, T. Rachidi, and A. Nitaj, Eds. Springer, 2016, pp. 44–60.1,3,7, 10, 15 TABLE III [2] M. R. Albrecht, C. Cid, J. Faugère, R. Fitzpatrick, and L. Perret, COMPARISON OF THE GLP SCHEME,BLISS, ANDRING-TESLA “Algebraic algorithms for LWE problems,” Cryptology ePrint WITHRESPECTTOTHEEXPECTEDNUMBEROFSUCCESSFUL Archive, Report 2014/1018, 2014.5 FAULTS SUCH THAT THE FAULT ATTACK SUCCEEDS.THE TABLE [3] M. R. Albrecht, R. Fitzpatrick, and F. Göpfert, “On the efficacy of SHOWS THE ALGORITHMS WHICH THE FAULT ATTACKS TARGET, solving LWE by reduction to unique-svp,” in Information Security I.E., KEY GENERATION (KG), SIGNATURE GENERATION (S), AND and Cryptology - ICISC 2013, 2013, pp. 293–310.4 VERIFY (V).IFTHESCHEMEISVULNERABLETOTHERESPECTIVE [4] S. Bai and S. D. Galbraith, “An improved compression technique ATTACK, THE NUMBER OF NECESSARY SUCCESSFUL FAULTS IS for signatures based on learning with errors,” in Topics in GIVEN, OTHERWISEWEWRITE -. Cryptology - CT-RSA 2014, 2014, pp. 28–47.4 [5] F. Bao, R. H. Deng, Y. Han, A. Jeng, A. D. Narasimhalu, Fault Attack Algorithm GLP BLISS ring- and T. Ngair, “Breaking public key cryptosystems on tamper TESLA resistant devices in the presence of transient faults,” in Security Rand. of secret, r = 4 S 151 733 - Protocols: 5th International Workshop Paris, France, B. Christian- Skip of addition KG 1 1 1 son, B. Crispo, M. Lomas, and M. Roe, Eds. Springer, 1998, Skip of rejection S ? ? ? pp. 115–124.5 Skip of addition S 1 - - [6] N. Bindel, J. Buchmann, and J. Krämer, “Lattice-based signature Skip of correct-check V 1 1 1 schemes and their sensitivity to fault attacks,” Cryptology ePrint Skip of size-check V 1 1 - Archive, Report 2016/415, 2016.4,8,9 Zero. of secret KG 1 - - Zero. of randomness, r = 1 S 1 27 1 7Since the rejection sampling is applied independently from the Zero. of hash polynomial V 1 1 1 randomness.

13 [7] J. Blömer, R. G. da Silva, P. Günther, J. Krämer, and J. Seifert, [27] M.-J. O. Saarinen, “Arithmetic coding and blinding countermea- “A practical second-order fault attack against a real-world pairing sures for ring-lwe,” Cryptology ePrint Archive, Report 2016/276, implementation,” in 2014 Workshop on Fault Diagnosis and 2016.1 Tolerance in Cryptography, FDTC 2014, 2014, pp. 123–136.7 [28] J. Seifert, “On authenticated computing and rsa-based authentica- [8] L. G. Bruinderink, A. Hülsing, T. Lange, and Y. Yarom, “Flush, tion,” in Proceedings of the 12th ACM Conference on Computer gauss, and reload – a cache attack on the bliss lattice-based and Communications Security, CCS 2005, 2005, pp. 122–127.9 signature scheme,” Cryptology ePrint Archive, Report 2016/300, [29] I. Verbauwhede, D. Karaklajic, and J. Schmidt, “The fault attack 2016.1 jungle - A classification model to guide you,” in 2011 Workshop [9] J. Buchmann, F. Göpfert, T. Güneysu, T. Oder, and T. Pöppel- on Fault Diagnosis and Tolerance in Cryptography, FDTC 2011, mann, “High-performance and lightweight lattice-based public- 2011, pp. 3–8.5, 11 key encryption,” in To appear in IoTPTS 2016.5 [30] J. von Neumann, “Various techniques used in connection with [10] J. Buchmann, F. Göpfert, R. Player, and T. Wunderer, “On random digits,” in Monte Carlo Method, ser. National Bureau of the hardness of lwe with binary error: Revisiting the hybrid Standards Applied Mathematics Series, A. S. Householder, G. E. lattice-reduction and meet-in-the-middle attack,” in International Forsythe, and H. H. Germond, Eds., 1951, vol. 12, pp. 36–38.8 Conference on Cryptology AFRICACRYPT 2016. Springer, [31] Özgür Dagdelen, R. E. Bansarkhani, F. Göpfert, T. Güneysu, 2016, pp. 24–43.5 T. Oder, T. Pöppelmann, A. H. Sánchez, and P. Schwabe, [11] L. Ducas, A. Durmus, T. Lepoint, and V. Lyubashevsky, “Lattice “High-speed signatures from standard lattices,” in Progress in signatures and bimodal gaussians,” in Advances in Cryptology - Cryptology – LATINCRYPT 2014, D. F. Aranha and A. Menezes, CRYPTO 2013, 2013, pp. 40–56.1,3, 15 Eds., vol. 8895. Springer, 2015, pp. 84–103.4 [12] L. Ducas and T. Lepoint, “Bliss: Bimodal lattice signature schemes,” http://bliss.di.ens.fr/.7 APPENDIX [13] L. Ducas and P. Q. Nguyen, “Learning a zonotope and more: Cryptanalysis of ntrusign countermeasures,” in Advances in A. Signature Schemes Cryptology - ASIACRYPT 2012 - 18th International Conference In this section we depict the signature schemes GLP, on the Theory and Application of Cryptology and Information ring-TESLA, and BLISS in Fig.3,4, and5, respectively. Security, Beijing, China, December 2-6, 2012. Proceedings, 2012, pp. 433–450.8 [14] N. Gama and P. Q. Nguyen, “Predicting lattice reduction,” in KeyGen(1λ) : Advances in Cryptology - EUROCRYPT 2008, 27th Annual International Conference on the Theory and Applications of 1 s, e ←$ Rq,[1] Cryptographic Techniques, Istanbul, Turkey, April 13-17, 2008. 2 a ←$ Rq Proceedings, 2008, pp. 31–51.4 3 b ← as + e (mod q) [15] C. Giraud and E. W. Knudsen, “Fault attacks on signature 4 sk ← (s, e), vk ← (a, b) schemes,” in Information Security and Privacy: 9th Australasian 5 Return (sk, vk) Conference, ACISP, 2004, pp. 478–491.1,5 [16] T. Güneysu, V. Lyubashevsky, and T. Pöppelmann, “Practical Sign(µ; a, s, e) : lattice-based cryptography: A signature scheme for embedded systems,” in Cryptographic Hardware and Embedded Systems - 6 y1, y2 ←$ Rq,[k] CHES 2012, 2012, pp. 530–547.1,3, 14 7 c ← H bay1 + y2ed,q , µ [17] G. Güneysu, T. Oder, T. Pöppelmann, and P. Schwabe, “Software 8 z ← y + sc speed records for lattice-based signatures,” https://cryptojedi.org/ 1 1 9 crypto/index.shtml#lattisigns.7 z2 ← y2 + ec [18] A. A. Kamal and A. M. Youssef, “Fault analysis of the ntruen- 10 If z1, z2 ∈/ Rk−32: crypt cryptosystem,” IEICE Transactions, vol. 94-A, no. 4, pp. 11 Restart ? 1156–1158, 2011.1 12 Else: z2 ← compress(az1 − tc, z2, p, k − 32) [19] R. Lindner and C. Peikert, “Better key sizes (and attacks) for ? 13 Return (z1, z2 , c) ? lwe-based encryption,” in Topics in Cryptology - CT-RSA 2011, Verify(µ; z1, z2 , c; a, b) 2011, pp. 319–339.4 14 0 ? [20] V. Lyubashevsky, “Lattice signatures without trapdoors,” in c ← H baz1 + z2 − bced,q , µ 0 ? Advances in Cryptology - EUROCRYPT 2012, 2012, pp. 738– 15 If c = c ∧ z1, z2 ∈ Rk−32: 755.3 16 Return 1 [21] D. Micciancio and C. Peikert, “Hardness of SIS and LWE with 17 Else: Return 0 small parameters,” in Advances in Cryptology - CRYPTO 2013, 2013, pp. 21–39.5 Fig. 3. Specification of the GLP scheme by Güneysu et al. [16]. The [22] D. Naccache, P. Q. Nguyen, M. Tunstall, and C. Whelan, “Ex- rounding operator b·e corresponds to the function used in the original perimenting with faults, lattices and the DSA,” in Public Key d,q paper with d = log (k), where k is the parameter used in [16]. For Cryptography - PKC 2005, 2005, pp. 16–28.9 2 detailed information about the system parameters and the procedure [23] O. Nguyen, Phong Q.and Regev, “Learning a parallelepiped: compress, we refer to the original work. Cryptanalysis of ggh and ntru signatures,” pp. 271–288, 2006. 8 [24] N. S. A. (NSA), “Cryptography today,” https://www.nsa.gov/ia/ programs/suiteb_cryptography/, Aug 19, 2015.1 B. The Ring Learning with Errors Problem (R-LWE) [25] N. I. of Standards and T. (NIST), “Post-quantum cryptography: In this section, we recall the ring learning with errors Nist’s plan for the future,” https://pqcrypto2016.jp/data/pqc2016_ problem (R-LWE). We start by defining the LWE distri- nist_announcement.pdf, Aug 19, 2015.1 [26] C. Peikert, “How (not) to instantiate ring-lwe,” Cryptology ePrint bution and then state the ring variants of the search and Archive, Report 2016/351, 2016.2 the decisional learning with errors problem.

14 KeyGen(1λ) : 1 a1, a2 ←$ Rq n 2 s, e1, e2 ← Dσ 3 If checkE(e1) = 0 ∨ checkE(e2) = 0 4 Restart 5 b1 ← a1s + e1 (mod q) 6 b2 ← a2s + e2 (mod q) 7 sk ← (s, e1, e2), vk ← (b1, b2) 8 Return (sk, vk)

Sign(µ; a1, a2, s, e1, e2) : λ 9 y ←$ Rq,[B] KeyGen(1 )

10 v1 ← a1y (mod q) 1 f, g ←$ Fd1,d2 2 11 v ← a y (mod q) 2 If Nλ(S) ≥ 5C (dδ1ne + 4d4δ2ne)κ 2 2 0 3 Restart 12 c ← H bv1ed,q , bv2ed,q , µ 4 a = (2g + 1)/f (mod q) 13 c ← F (c0) q 5 f 14 z ← y + sc If not invertible 6 Restart 15 w1 ← v1 − e1c (mod q) T T 7 (s1, s2) ← (f, 2g + 1) 16 w2 ← v2 − e2c (mod q) 8 (a1, a2) = (2aq, q − 2)(mod 2q) 17 If |[w ] d |, |[w ] d | ∈/ R d ∨z 6∈ R : 1 2 2 2 2 −L B−U 9 sk ← (s , s )T , vk ← (a , a ) 18 Restart 1 2 1 2 10 Return (sk, vk) 19 Return (z, c0)

T 0 Sign(µ; A = (a1, q − 2); S = (s1, s2) ) : Verify(µ; z, c ; a1, a2, b1, b2) 20 c ← F (c0) 11 y1, y2 ← Dσ 0 12 u = ξa1y1 + y2(mod 2q) 21 w1 ← a1z − b1c (mod q) 0 22 w ← a z − b c (mod q) 13 c ← H bued,2q , µ 2 2 2 00 0 0 14 b ← {0, 1} 23 c ← H w1 , w2 , µ $ d,q d,q b 24 c0 = c00 ∧ z ∈ R 15 z1 ← y1 + (−1) s1c If B−U : b 25 Return 1 16 z2 ← y2 + (−1) s2c 26 Else: Return 0 17 Continue with probability 1/ν ? 18 z2 ← bued,2q − bu − z2ed,2q mod p ? Fig. 4. Specification of the scheme ring-TESLA by Akleylek et al. [1]. 19 Return (z1, z2 , c) For detailed information about the system parameters and the procedure checkE, we refer to the original work. ? Verify(µ; A = (a1, q − 2); z1, z , c) 2 20 0 ? c ← H ξa1z1 + ξqc(mod 2q) d,2q + z2 (mod p), µ 0 d ? d ? Definition 1 (Learning with Errors Distribution): Let 21 If c = c ∧ ||(z1|2 z2 )||2 ≤ B2 ∧ ||(z1|2 z2 )||∞ ≤ B∞: 22 Return 1 n, q > 0 be integers, s ∈ Rq, and χ be a distribution 23 Else: Return 0 over R. We define by Ds,χ the R-LWE distribution which outputs (a, ha, si + e) ∈ Rq × Rq, where a ←$ Rq and Fig. 5. Specification of the scheme BLISS by Ducas et al. [11]. For e ← χ. detailed information about the system parameters and the definition

Definition 2 (Ring Learning with Errors Problem): Let of Nλ(·), we refer to the original work. The set Fd1,d2 is defined Pn−1 i k as Fd ,d = {h = hix |hi ∈ {−2, −1, 0, 1, 2}, |{hi ∈ n, q > 0 be integers and n = 2 for some k ∈ >0 and 1 2 i=0 N {−1, 1}}| = d , |{h ∈ {−2, 2}}| = d } and ν = χ be a distribution over R. 1 i 2 2 2 2 Given n, q, and m LWE-samples, the (search) ring M exp −||Sc|| /(2σ )cosh(hz, Sci/σ ) . learning with errors problem R − LW En,m,q,χ is to find the polynomial s. Given n, q, and samples (a1, b1), ..., (am, bm) the (decisional) ring learning with errors problem is to decide whether the samples are LWE-samples or whether b1, ..., bm are chosen uniformly n random over Zq[x]/(x + 1).