IEEE Transactions on Information Forensics and Security | 2021

On the Security of Lattice-Based Fiat-Shamir Signatures in the Presence of Randomness Leakage


Abstract


Leakage during the signing process, whether partial key exposure or partial (or complete) randomness exposure, can be devastating for the security of digital signatures. In this work, we investigate the security of lattice-based Fiat-Shamir signatures in the presence of randomness leakage. To this end, we present a generic key recovery attack that relies on a minimal amount of randomness leakage, and then connect it theoretically to a variant of the Integer-LWE (ILWE) problem. The ILWE problem, introduced by Bootle et al. at Asiacrypt 2018, asks to recover a secret vector $\mathbf{s}$ given polynomially many samples of the form $(\mathbf{a}, \langle \mathbf{a}, \mathbf{s} \rangle + e) \in \mathbb{Z}^{n+1}$; it is solvable if the error $e \in \mathbb{Z}$ is not superpolynomially larger than the inner product $\langle \mathbf{a}, \mathbf{s} \rangle$. In our variant, however, which we call the FS-ILWE problem, $\mathbf{a} \in \mathbb{Z}^{n}$ is a sparse vector whose coefficients are no longer independent, and the error $e$ is itself correlated with $\mathbf{a}$ and $\mathbf{s}$. We prove that the FS-ILWE problem can be solved in polynomial time and present an efficient algorithm for it. Our generic key recovery method directly implies that many lattice-based Fiat-Shamir signatures are completely broken given one (deterministic or probabilistic) bit of randomness leakage per signature. We validate the attack experimentally on two NIST PQC signature candidates, Dilithium and qTESLA. For example, for Dilithium-III, which targets 125-bit quantum security, the secret key is recovered within 10 seconds on an ordinary desktop PC from about one million signatures; key recovery against Dilithium at its other parameter sets and against qTESLA completes within 20 seconds and 31 minutes, respectively. In addition, we present a non-profiled attack showing how the required randomness bit can be obtained in practice through power analysis of a proof-of-concept implementation of polynomial addition. The experimental results confirm the practical feasibility of our method.
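As an added illustration (not code from the paper, and not Dilithium itself), the following Python toy models the setting the abstract describes: a Dilithium-style signer computing $z = y + c \cdot s$ over $\mathbb{Z}[x]/(x^n+1)$ with tiny, constructed parameters ($n=6$, $\tau=2$, $\eta=1$, $\gamma_1=32$, a hand-picked secret), rejection sampling on $\|z\|_\infty$, and one leaked bit per signature, the sign of $y_0$. Knowing that bit lets the attacker re-centre the first coefficient of $z$ so each signature yields a sample $(\mathbf{a}, \langle \mathbf{a}, \mathbf{s} \rangle + e)$ whose error $e$ is zero-mean but depends on $\mathbf{a}$ and $\mathbf{s}$, mirroring the FS-ILWE shape; a least-squares (linear regression) solver, the usual route to ILWE, then recovers $\mathbf{s}$ from a few tens of thousands of signatures. Run on the same signatures without the bit, the regression collapses toward the zero vector, which is why the single leaked bit matters. The re-centring rule, parameters and secret are my own constructions for this example and are not the paper's algorithm or measurements.

```python
"""Toy FS-ILWE key-recovery attack from one leaked randomness bit per signature.

Constructed toy model, not Dilithium: a single polynomial in Z[x]/(x^n + 1)
with tiny parameters, secret s in [-ETA, ETA]^n, sparse challenge c with TAU
coefficients in {-1, +1}, masking vector y uniform in [-GAMMA1, GAMMA1]^n,
z = y + c*s, and rejection of any z with ||z||_inf > GAMMA1 - BETA.
The leaked bit is the sign of y[0] (one bit per signature).
"""
import random

N, TAU, ETA, GAMMA1 = 6, 2, 1, 32        # constructed toy parameters
BETA = TAU * ETA                          # |<a, s>| <= BETA for every row a
SECRET = [1, -1, 0, 1, 1, -1]             # constructed secret key


def negacyclic_mul(c, s):
    """c*s in Z[x]/(x^n + 1), the ring shape Dilithium uses."""
    n = len(s)
    out = [0] * n
    for i, ci in enumerate(c):
        if ci == 0:
            continue
        for j, sj in enumerate(s):
            k = i + j
            if k < n:
                out[k] += ci * sj
            else:
                out[k - n] -= ci * sj     # x^n = -1
    return out


def first_row(c):
    """Row a of the negacyclic matrix of c, so that (c*s)[0] = <a, s>.
    It has exactly TAU non-zero entries, so its coordinates are dependent."""
    return [c[0]] + [-c[N - j] for j in range(1, N)]


def sign(rng, s):
    """One accepted signature (c, z) plus the leaked bit (y[0] >= 0).
    Fresh y and c per attempt, retried until rejection sampling accepts."""
    while True:
        c = [0] * N
        for i in rng.sample(range(N), TAU):
            c[i] = rng.choice((-1, 1))
        y = [rng.randint(-GAMMA1, GAMMA1) for _ in range(N)]
        z = [yi + ti for yi, ti in zip(y, negacyclic_mul(c, s))]
        if max(abs(zi) for zi in z) <= GAMMA1 - BETA:
            return c, z, y[0] >= 0


def solve(mat, vec):
    """Gauss-Jordan elimination with partial pivoting (floats)."""
    n = len(vec)
    a = [row[:] + [vec[i]] for i, row in enumerate(mat)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[piv] = a[piv], a[col]
        for r in range(n):
            if r != col:
                f = a[r][col] / a[col][col]
                for k in range(col, n + 1):
                    a[r][k] -= f * a[col][k]
    return [a[i][n] / a[i][i] for i in range(n)]


def clamp_round(v):
    """Round a least-squares coordinate to the nearest legal key coefficient."""
    return max(-ETA, min(ETA, round(v)))


def run_attack(num_signatures, seed=1):
    """Collect signatures, then run least squares twice on the same data:
    once re-centred with the leaked bit, once without it (for contrast)."""
    rng = random.Random(seed)
    ata = [[0.0] * N for _ in range(N)]
    atb_leak = [0.0] * N
    atb_blind = [0.0] * N
    for _ in range(num_signatures):
        c, z, y0_nonneg = sign(rng, SECRET)
        a = first_row(c)
        # Given acceptance and the sign of y[0], z[0] is uniform on
        # [t, GAMMA1-BETA] if y[0] >= 0, or [-(GAMMA1-BETA), t-1] otherwise,
        # where t = <a, s>.  Re-centring gives E[b] = t; the zero-mean error
        # b - t still depends on t, hence on a and s (the FS-ILWE twist).
        if y0_nonneg:
            b = 2 * z[0] - (GAMMA1 - BETA)
        else:
            b = 2 * z[0] + (GAMMA1 - BETA) + 1
        # Without the bit, accepted z[0] is uniform on the whole interval
        # regardless of t: E[z[0]] = 0 for every secret, so nothing leaks.
        nz = [i for i in range(N) if a[i]]
        for i in nz:
            atb_leak[i] += a[i] * b
            atb_blind[i] += a[i] * z[0]
            for j in nz:
                ata[i][j] += a[i] * a[j]
    return {
        "with_leak": [clamp_round(v) for v in solve(ata, atb_leak)],
        "without_leak": [clamp_round(v) for v in solve(ata, atb_blind)],
    }


if __name__ == "__main__":
    res = run_attack(60_000)
    print("secret       :", SECRET)
    print("with leak    :", res["with_leak"])
    print("without leak :", res["without_leak"])
```

The sample count is what makes the statistics work: the error term has standard deviation on the order of $\gamma_1$ while the signal $\langle \mathbf{a}, \mathbf{s} \rangle$ is at most $\beta$, so the number of signatures has to grow roughly with $(\gamma_1/\beta)^2$ times the dimension; scaling this toy up to real parameters is what produces the "about one million signatures" figure in the abstract.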

Volume 16
Pages 1868-1879
DOI 10.1109/TIFS.2020.3045904
Language English
Journal IEEE Transactions on Information Forensics and Security
