
ZKFault: Fault attack analysis on zero-knowledge based post-quantum digital signature schemes

Puja Mondal, Supriya Adhikary, Suparna Kundu, Angshuman Karmakar

TL;DR

This paper analyzes fault attacks on zero-knowledge based post-quantum signatures that compress their signatures with a seed tree (notably LESS, CROSS, and MEDS). It develops a fault-injection framework targeting the Reference Tree and SeedTreePaths, demonstrating that a single effective fault can reveal a pair such as $(\widetilde{Q}_j,\ Q_{d[j]}^{T}\overline{Q}_j)$, from which the secret monomial matrices of LESS, and the signing key of CROSS, can be recovered; the authors argue the approach extends to MEDS because it shares the same tree construction. End-to-end fault-attack simulations are presented, along with countermeasures that either remove the tree or modify its seed generation to prevent leakage while preserving signature size, together with a discussion of their cost and shortcomings. The work highlights practical physical-attack vulnerabilities in code-based PQC signatures and offers guidance on deploying them securely against fault-based leakage.

Abstract

Computationally hard problems based on coding theory, such as the syndrome decoding problem, have been used for constructing secure cryptographic schemes for a long time. Schemes based on these problems are also assumed to be secure against quantum computers. However, these schemes are often considered impractical for real-world deployment due to large key sizes and inefficient computation time. In the recent call for standardization of additional post-quantum digital signatures by the National Institute of Standards and Technology, several code-based candidates have been proposed, including LESS, CROSS, and MEDS. These schemes are designed on the relatively new zero-knowledge framework. Although several works analyze the hardness of these schemes, there is hardly any work that examines the security of these schemes in the presence of physical attacks. In this work, we analyze these signature schemes from the perspective of fault attacks. All these schemes use a similar tree-based construction to compress the signature size. We attack this component of these schemes. Therefore, our attack is applicable to all of these schemes. In this work, we first analyze the LESS signature scheme and devise our attack. Furthermore, we show how this attack can be extended to the CROSS signature scheme. Our attacks are built on very simple fault assumptions. Our results show that we can recover the entire secret key of LESS and CROSS using as few as a single fault. Finally, we propose various countermeasures to prevent these kinds of attacks and discuss their efficiency and shortcomings.
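The tree-based compression the abstract refers to, shown as an added generic illustration (this is not the paper's code and not the actual construction of LESS, CROSS or MEDS): a root seed expands into a full binary tree, the leaves are the per-round seeds, and instead of sending every opened leaf the signer publishes the minimal set of nodes whose subtrees cover exactly the opened leaves. SHA-256 with the tags `b"L"`/`b"R"` stands in for the schemes' actual seed derivation, the root `b"root"` is a constructed value, and the node indexing is my own assumption. The last function shows the property that makes this component sensitive: whoever holds a node seed re-derives every leaf below it, so a published node set that covers a leaf the signer meant to keep hidden reveals that leaf's seed.

```python
import hashlib

def prg(seed: bytes, tag: bytes) -> bytes:
    """Child-seed derivation. Constructed: SHA-256(seed || tag) stands in for the real PRG."""
    return hashlib.sha256(seed + tag).digest()

def build_tree(root: bytes, depth: int) -> list:
    """Full binary tree of 2^(depth+1)-1 seeds in heap order: node i has children 2i+1, 2i+2.
    The last 2^depth entries are the leaf seeds (one per protocol round)."""
    size = 2 ** (depth + 1) - 1
    nodes = [None] * size
    nodes[0] = root
    for i in range(size // 2):            # internal nodes only
        nodes[2 * i + 1] = prg(nodes[i], b"L")
        nodes[2 * i + 2] = prg(nodes[i], b"R")
    return nodes

def leaf_index(depth: int, leaf: int) -> int:
    """Heap index of leaf number `leaf` (0-based, left to right)."""
    return (2 ** depth - 1) + leaf

def seed_tree_paths(nodes: list, depth: int, open_leaves: set) -> list:
    """Minimal set of node indices whose subtrees cover exactly `open_leaves`.
    A node is published iff its whole subtree is opened but its parent's is not."""
    full = [False] * len(nodes)
    for leaf in range(2 ** depth):
        full[leaf_index(depth, leaf)] = leaf in open_leaves
    for i in range(len(nodes) // 2 - 1, -1, -1):   # propagate "fully opened" upwards
        full[i] = full[2 * i + 1] and full[2 * i + 2]
    published = []
    for i in range(len(nodes)):
        parent_full = i > 0 and full[(i - 1) // 2]
        if full[i] and not parent_full:
            published.append(i)
    return published

def leaves_under(depth: int, idx: int, seed: bytes) -> dict:
    """Re-derive every leaf seed in the subtree rooted at node `idx`, given only that node's seed."""
    first_leaf = 2 ** depth - 1
    out = {}
    stack = [(idx, seed)]
    while stack:
        i, s = stack.pop()
        if i >= first_leaf:
            out[i - first_leaf] = s
        else:
            stack.append((2 * i + 1, prg(s, b"L")))
            stack.append((2 * i + 2, prg(s, b"R")))
    return out

def reveal(nodes: list, depth: int, published: list) -> dict:
    """Everything a verifier, or anyone else reading the signature, learns from the published nodes."""
    revealed = {}
    for i in published:
        revealed.update(leaves_under(depth, i, nodes[i]))
    return revealed

if __name__ == "__main__":
    DEPTH = 3                                   # 8 rounds (constructed toy size)
    tree = build_tree(b"root", DEPTH)
    opened = {0, 1, 2, 3, 5}
    path = seed_tree_paths(tree, DEPTH, opened)
    print("published nodes:", path, "instead of", len(opened), "leaf seeds")
    print("verifier recovers leaves:", sorted(reveal(tree, DEPTH, path)))
    # Publishing an ancestor that is not fully opened (here the root) exposes the hidden leaves too.
    print("root published -> leaves:", sorted(reveal(tree, DEPTH, [0])))
```

With five of eight leaves opened, the honest path publishes two nodes (the subtree covering leaves 0 to 3, plus leaf 5) and the verifier re-derives exactly those five seeds; publishing the root instead re-derives all eight, including the three the signer intended to keep secret.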

Paper Structure (11 sections, 1 theorem, 9 equations, 1 figure, 1 table, 5 algorithms)

Key Result

Lemma

Let $\bm{A}=(\pi,\ \bm{u})\in M_{n}(q)$ be a monomial matrix and $\bm{B}=(\pi',\ \bm{u}')\in M_{n,k}'(q)$ be a partial monomial matrix. Let $\bm{C}=(\pi'',\ \bm{u}'')\in M_{n,k}'(q)$ be the partial monomial matrix defined by $\bm{C}=\bm{A}^T\bm{B}$. Given the matrices $\bm{B}$ and $\bm{C}$, we can c
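The lemma is cut off on this page, so what follows is an added worked example, not the paper's own algorithm, of the computation its hypotheses set up. It assumes the natural conclusion that the algebra supports: a monomial matrix $\bm{A}$ has one nonzero per row and per column, so column $j$ of $\bm{C}=\bm{A}^T\bm{B}$ equals $u'_j$ times the transpose of row $\pi'(j)$ of $\bm{A}$, and from $\bm{B}$ and $\bm{C}$ alone one reads off the $k$ rows of $\bm{A}$ indexed by the support of $\bm{B}$ (their nonzero positions and values). The matrix convention (column $j$ carries its nonzero at row $\pi(j)$ with value $u_j$), the field size $q=127$ and the sizes $n=8$, $k=3$ are constructed choices for the example, not the paper's or LESS's parameters.

```python
import random

Q = 127  # toy prime field size (constructed; not a LESS parameter set)

def random_monomial(n: int, rng: random.Random) -> list:
    """Random n x n monomial matrix over F_q as dense rows: column j has one nonzero at row perm[j]."""
    perm = list(range(n))
    rng.shuffle(perm)
    A = [[0] * n for _ in range(n)]
    for j in range(n):
        A[perm[j]][j] = rng.randrange(1, Q)
    return A

def random_partial_monomial(n: int, k: int, rng: random.Random) -> list:
    """Random n x k partial monomial matrix: k distinct rows, exactly one nonzero per column."""
    rows = rng.sample(range(n), k)
    B = [[0] * k for _ in range(n)]
    for j in range(k):
        B[rows[j]][j] = rng.randrange(1, Q)
    return B

def transpose(M: list) -> list:
    return [list(col) for col in zip(*M)]

def matmul(X: list, Y: list) -> list:
    """Dense matrix product over F_q (used so C is computed independently of the recovery logic)."""
    return [[sum(X[i][t] * Y[t][j] for t in range(len(Y))) % Q
             for j in range(len(Y[0]))] for i in range(len(X))]

def column_support(M: list, j: int) -> tuple:
    """(row, value) of the unique nonzero in column j; raises if the column is not monomial-shaped."""
    nz = [(i, M[i][j] % Q) for i in range(len(M)) if M[i][j] % Q]
    if len(nz) != 1:
        raise ValueError(f"column {j} has {len(nz)} nonzeros; not a (partial) monomial matrix")
    return nz[0]

def recover_rows(B: list, C: list) -> dict:
    """Given partial monomial B (n x k) and C = A^T B, recover the rows of A on the support of B.
    Returns {(row, col): value}: row r of A has its single nonzero at column col with that value."""
    found = {}
    for j in range(len(B[0])):
        r, b = column_support(B, j)   # B e_j = b * e_r
        c, v = column_support(C, j)   # C e_j = A^T (b e_r) = b * (row r of A)^T, nonzero at column c
        found[(r, c)] = v * pow(b, -1, Q) % Q   # A[r][c] = v / b
    return found

def demo(n: int = 8, k: int = 3, seed: int = 1) -> tuple:
    """Build A, B, C = A^T B and check that recovery matches the true entries of A."""
    rng = random.Random(seed)
    A = random_monomial(n, rng)
    B = random_partial_monomial(n, k, rng)
    C = matmul(transpose(A), B)
    rec = recover_rows(B, C)
    ok = len(rec) == k and all(A[r][c] == v for (r, c), v in rec.items())
    return rec, ok

if __name__ == "__main__":
    rec, ok = demo()
    print("recovered entries of A:", rec, "consistent:", ok)
```

Each column of $\bm{B}$ yields one complete row of $\bm{A}$, so $k$ columns of a leaked pair give $k$ of the $n$ rows; the remaining rows are untouched by this step.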

Figures (1)

  • Figure 1: Example of seed tree

Theorems & Definitions (9)

  • Definition: Monomial matrix
  • Definition: Partial monomial matrix
  • Definition: Reduced Row-Echelon form
  • Definition: Lexicographically sorted order
  • Definition: Linear code
  • Definition: Linear code equivalence
  • Definition: Information Set (IS) of a Linear Code [A New Formulation of the Linear Equivalence Problem]
  • Lemma (the key result above)
  • Proof