
SLasH-DSA: Breaking SLH-DSA Using an Extensible End-To-End Rowhammer Framework

Jeremy Boy, Antoon Purnal, Anna Pätschke, Luca Wilke, Thomas Eisenbarth

TL;DR

This work demonstrates a practical, software-only Rowhammer forgery against the NIST-standardized SLH-DSA post-quantum signature scheme on commodity hardware, extending previous hardware-glitch approaches to a fully end-to-end attack. The authors introduce Swage, a modular framework that orchestrates DRAM address reverse-engineering, memory allocation, hammering, and page injection to enable end-to-end exploitation of the SLH-DSA signing process. They provide a novel exact grafting-complexity analysis to identify optimal forgery paths and validate the attack on OpenSSL 3.5.1 across deterministic and randomized SLH-DSA configurations, achieving forgery within minutes to hours on real hardware. The results underscore the need for hardened hardware defenses and improved implementation countermeasures to reliably protect PQC schemes against Rowhammer-based faults in practical deployments.

Abstract

As quantum computing advances, Post-Quantum Cryptography (PQC) schemes are adopted to replace classical algorithms. Among them is the Stateless Hash-Based Digital Signature Algorithm (SLH-DSA) that was recently standardized by NIST and is favored for its conservative security basis. In this work, we present the first software-only universal forgery attack on SLH-DSA, leveraging Rowhammer-induced bit flips to corrupt the internal state and forge signatures. While prior work targeted embedded systems and required physical access, our attack is software-only, targeting commodity desktop and server hardware, significantly broadening the threat model. We demonstrate full end-to-end attacks against SLH-DSA in OpenSSL 3.5.1, achieving universal forgery for the SHAKE-128f (deterministic), SHA2-128s, and SHAKE-192f (randomized) parameter sets after one hour (deterministic) or eight hours (randomized) of hammering and post-processing ranging from minutes to an hour, and showing theoretical attack complexities for most parameter sets. Our post-processing is informed by a novel complexity analysis that, given a concrete set of faulty signatures, identifies the most promising computational path to pursue. To enable the attack, we introduce Swage, a modular and extensible framework for implementing end-to-end Rowhammer-based fault attacks. Swage abstracts and automates key components of practical Rowhammer attacks. Unlike prior tooling, Swage is untangled from the attacked code, making it reusable and suitable for frictionless analysis of different targets. Our findings highlight that even theoretically sound PQC schemes can fail under real-world conditions, underscoring the need for additional implementation hardening or hardware defenses against Rowhammer.

Paper Structure

This paper contains 50 sections, 1 equation, 6 figures, 2 tables, 2 algorithms.

Figures (6)

  • Figure 1: A WOTS+ signature for message $m=(1,0,2,3)$ with checksum $c=(1,2)$. $\hash$ and $\fash$ are hash functions, nodes represent hash function outputs. The nodes that are composed to produce the signature are shown in green. The public key is a hash of the chain endpoints. Here, chain length $w = 4$, message length $\ell_1 = 4$, and checksum length $\ell_2 = 2$.
  • Figure 2: A Merkle tree of height 2 with $2^2 = 4$ leaves. The leaf $\textsf{h}_i$ represents the hash of a WOTS+ key $\pk_i^W$. A parent node $\textsf{h}_{i,j}$ represents the hash of the concatenation of its children $\textsf{h}_i, \textsf{h}_j$. The final hash is the root node $\pk^X$ and represents the public key. The nodes forming the authentication path $\mathop{auth}(\pk_1^W)$ are highlighted with blue rectangles.
  • Figure 3: Grafting tree attack on SLH-DSA [genetProtectingSPHINCSFault2023].
  • Figure 4: Flowchart showing the steps of a Rowhammer attack using Swage. ❍ depicts offline phase usage of the strategy, ● stands for online usage and ◗ is a strategy used in both offline and online phase of an attack.
  • Figure 5: DRAM bank-selection mapping for the target system. Bank bit 0 is taken directly from physical bit 13, while bank bits 1-4 are computed as the XOR ($\oplus$) of bit pairs ($b_{14} \oplus b_{18}$, $b_{15} \oplus b_{19}$, $b_{16} \oplus b_{20}$, and $b_{17} \oplus b_{21}$), respectively. Dots indicate omitted neighboring physical address bits.
  • ...and 1 more figure
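The captions of Figures 1 and 2 describe the two building blocks the attack targets: a WOTS+ one-time signature (hash chains plus a checksum) and a Merkle tree that authenticates WOTS+ public keys. The following added example is not part of the paper or of Swage; it is a toy Python model with the figures' parameters ($w=4$, $\ell_1=4$, $\ell_2=2$, a tree of height 2). The hash functions F and H are stand-ins (domain-tagged SHA-256 truncated to 16 bytes), so this is not the FIPS 205 construction (no addresses, bitmasks or tweakable hashes), but it reproduces the figures' values: the checksum of $m=(1,0,2,3)$ is $c=(1,2)$, and the authentication path of leaf $\textsf{h}_1$ is $[\textsf{h}_0, \textsf{h}_{2,3}]$.

```python
"""Toy WOTS+ and Merkle tree mirroring Figures 1 and 2 (constructed example).

Hash functions F and H are toy stand-ins (truncated SHA-256); parameters are
the figures' tiny ones, not a real SLH-DSA parameter set.
"""
import hashlib

N = 16   # hash output length in bytes (toy)
W = 4    # Winternitz parameter: each chain has w-1 hash steps
L1 = 4   # number of message digits
L2 = 2   # number of checksum digits


def f(x: bytes) -> bytes:
    """Chain hash F (toy: domain-tagged, truncated SHA-256)."""
    return hashlib.sha256(b"F" + x).digest()[:N]


def h(x: bytes) -> bytes:
    """Compressing hash H for public keys and tree nodes (toy)."""
    return hashlib.sha256(b"H" + x).digest()[:N]


def wots_checksum(msg_digits, w=W, l2=L2):
    """c = sum(w-1-m_i) written as l2 base-w digits, most significant first.
    For m=(1,0,2,3), w=4: 2+3+1+0 = 6 = (1,2) in base 4, as in Figure 1.
    The checksum is what prevents a verifier-side chain from being walked
    'upward' without also changing a checksum digit."""
    total = sum(w - 1 - d for d in msg_digits)
    digits = []
    for _ in range(l2):
        digits.append(total % w)
        total //= w
    if total:
        raise ValueError("checksum does not fit in l2 digits")
    return tuple(reversed(digits))


def chain(x: bytes, steps: int) -> bytes:
    """Apply F `steps` times (one hash chain of Figure 1)."""
    for _ in range(steps):
        x = f(x)
    return x


def wots_keygen(seed: bytes):
    """Derive l1+l2 chain start values from a seed; pk = H(chain endpoints)."""
    sk = [hashlib.sha256(seed + bytes([i])).digest()[:N] for i in range(L1 + L2)]
    pk = h(b"".join(chain(s, W - 1) for s in sk))
    return sk, pk


def wots_sign(sk, msg_digits):
    """Signature element i is chain value number d_i (green nodes in Figure 1)."""
    digits = tuple(msg_digits) + wots_checksum(msg_digits)
    return [chain(sk[i], d) for i, d in enumerate(digits)]


def wots_pk_from_sig(sig, msg_digits):
    """Walk each chain the remaining w-1-d_i steps and hash the endpoints."""
    digits = tuple(msg_digits) + wots_checksum(msg_digits)
    return h(b"".join(chain(s, W - 1 - d) for s, d in zip(sig, digits)))


def wots_verify(pk, sig, msg_digits) -> bool:
    return wots_pk_from_sig(sig, msg_digits) == pk


# --- Merkle tree of height 2 over four WOTS+ public keys (Figure 2) ---
def build_tree(leaves):
    """Levels bottom-up: level 0 = leaves h_i, last level = [root pk^X]."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([h(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def auth_path(levels, index):
    """Sibling nodes from leaf to root; for index 1 this is [h_0, h_{2,3}]."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index //= 2
    return path


def root_from_path(leaf, index, path):
    """Recompute the root from a leaf and its authentication path."""
    node = leaf
    for sibling in path:
        node = h(node + sibling) if index % 2 == 0 else h(sibling + node)
        index //= 2
    return node
```

Verification is `root_from_path(wots_pk_from_sig(sig, m), i, path) == pk_root`: a signature over the wrong digits walks some chain past its endpoint, so the recomputed WOTS+ key, and with it the root, no longer matches.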