Score:2

Natural resistance to side channel attacks of XMSS/LMS/SPHINCS+

cn flag

All these post quantum signature schemes are claimed by the authors to be naturally resistant to side channel attacks. My question is, why or how?

Score:3
my flag

All these post quantum signature schemes are claimed by the authors to be naturally resistant to side channel attacks. My question is, why or how?

Well, lets break this down:

  • In terms of timing and cache-based side channels, the obvious implementation is fairly good (exception: the Haraka-based parameter sets of Sphincs+)

Here's why: the natural implementation of SHA-256 and SHAKE functions rely on instructions that are constant time on modern processors (logical ops, modular addition, shifts/rotates by constant amounts), and don't make data-dependent memory accesses or data-dependent branches (except for ones based on message length - the only variable length message involved is the initial message hash, and we don't consider the message being signed to be secret). In addition, the natural implementation of the HBS infrastructure (e.g. the Winternitz chaining or the Merkle tree computations) also doesn't have secret-based memory accesses or branches (it does involve conditional branches, however those conditions are always functions of either the message or values we place into the signature; that is, values that the adversary would know anyways).

Hence, timing and cache-based side channels don't yield any value that the attacker didn't already know (assuming, of course, that the implementation doesn't deliberately try to leak).

  • In terms of power or EMF-style side channel attacks, the story isn't quite as clear.

Most of the internal values (e.g. the internal nodes to the Merkle tree) are not actually secret. In addition, a power/EMF attack (assuming the signature isn't so strong that a single trace suffices - with the symmetric operations we're talking about, they generally aren't) requires using the same secret value in a number of different contexts; hence the previous values in a Winternitz chain is also hard to attack (because those values are used only once).

What could be attacked is the function used to generate the initial values for the Winternitz chains (and for Sphincs+ the FORS leaves). What is typically done in all three (and is formally mandated by Sphincs+) is to use the same static seed (with different additional parameters) to directly generate these values - that is precisely what a DPA attack would need (and of course, once the attacker recovers that, well, it's game over). The round 3 Sphincs+ document suggests you could use a DPA-resistant hash function implementation in that case.

Now, it is possible to rework the initial value generation logic so that it can't be attacked in this way (e.g. by generating those values as leaves from a large binary tree, so that any internal node value is used in only two contexts). However, no such method has been formally suggested for any of the three.

cn flag
so generally the hash function has to yield constant power results. how about the CPA attack or fault injections that could manipulate the signature index(make it sign with the same key twice)?
poncho avatar
my flag
@hooujki: No, hash functions don't generally yield constant power results - actually translating the recorded power draw into secrets typically requires multiple traces in different contexts. As for CPA ("Chosen Plaintext Attacks") there's nothing there that's useful (however those aren't generally considered side channel attacks).
poncho avatar
my flag
@hooujki: As for fault attacks, for LMS and XMSS, those are dependent on the Merkle tree walk logic (not all that difficult, but not trivial, and also not specified in the docs); with Sphincs+, fault attacks are quite strong, and the only countermeasure I know is "compute twice, hope the attacker can't inject same fault twice.
cn flag
by CPA I mean "Correlation Power Analysis". Well injecting the same fault (changes in MSB/LSB) may not be that challenging. By walk logic do you mean the optimization algorithms used to generate the root value as the signer?
poncho avatar
my flag
@hooujki: would "Correlation Power Analysis" have the same constraints (needs to be run multiple times on related by not identical operations) that DPA has? If so, it has the same answer. As for "walk logic", well, actually a full answer would take up more space than what's allowed in a comment - brief answer is that you can do a one-way function to generate the Winternitz leaves (so once you sign, you can no longer re-sign with that leaf - you forgot how to do so), and you also (in a hierarchical model) you cache the intermediate signatures. Again, nontrivial, but doable.
cn flag
but how do you create a one way function for these leaves if they have to be recreated twice? You could create the initial values with a PRNG like in the classic Winternitz assumption but you cant do that since after the public key is generated the first time, the signer has to use the same values (a PRNG cant yield the same value) to recreate the public key of corresponding scheme during signing
poncho avatar
my flag
@hooujki: yes, the signer does need to do multiple passes through the Merkle tree (unless he caches all the Winternitz values, which no one does). For the initial passes, we would keep the starting PRNG state around. We only care about the last pass (which is the one that signs the message); once we sign the message, then we can update the PRNG state *and forget the previous state*. Then, we cannot be tricked into signing with that OTS again (because we forgot the necessary state). Faults in previous passes would result in invalid signatures, but wouldn't leak anything. Doable, nonobvious
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.