Paper 2024/1818

SoK: On the Physical Security of UOV-based Signature Schemes

Thomas Aulbach, University of Regensburg
Fabio Campos, RheinMain University of Applied Sciences
Juliane Krämer, University of Regensburg
Abstract

Multivariate cryptography currently centres mostly around UOV-based signature schemes: all multivariate round 2 candidates in NIST's selection process for additional digital signatures are either UOV itself or close variations of it: MAYO, QR-UOV, SNOVA, and UOV. Schemes which have been in the focus of the multivariate research community but are broken by now, like Rainbow and LUOV, are also based on UOV. Both UOV and the schemes based on it have been frequently analyzed regarding their physical security in the course of the NIST process. However, a comprehensive analysis of the physical security of UOV-based signature schemes is missing. In this work, we aim to bridge this gap and create a comprehensive overview of physical attacks on UOV and its variants from the second round of NIST's selection process for additional post-quantum signature schemes, which has just started. First, we collect all existing side-channel and fault attacks on UOV-based schemes and transfer them to the current UOV specification. Since UOV was subject to significant changes over the past few years, e.g., adaptations to the expanded secret key, some attacks need to be reassessed. Next, we introduce new physical attacks in order to obtain an overview as complete as possible. We then show how all these attacks would translate to MAYO, QR-UOV, and SNOVA. To improve the resistance of UOV-based signature schemes against physical attacks, we discuss and introduce dedicated countermeasures. As a related result, we observe that certain implementation decisions, like key compression techniques and randomization choices, also have a large impact on physical security, in particular on the effectiveness of the considered fault attacks. Finally, we provide implementations of UOV and MAYO for the ARM Cortex-M4 architecture that feature first-order masking and protection against selected fault attacks. We benchmark the resulting overhead on a NUCLEO-L4R5ZI board and validate our approach by performing a TVLA on original and protected subroutines, yielding significantly smaller t-values for the latter.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
Multivariate Cryptography, Physical Security, Fault Attacks, Side-channel Analysis, Masking, ARM Cortex-M4, TVLA
Contact author(s)
thomas aulbach @ ur de
campos @ sopmac de
juliane kraemer @ ur de
History
2024-11-08: approved
2024-11-06: received
Short URL
https://ia.cr/2024/1818
License
Creative Commons Attribution-NonCommercial
CC BY-NC

BibTeX

@misc{cryptoeprint:2024/1818,
      author = {Thomas Aulbach and Fabio Campos and Juliane Krämer},
      title = {{SoK}: On the Physical Security of {UOV}-based Signature Schemes},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1818},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1818}
}