Loop-Abort Faults on Lattice-Based
Fiat–Shamir and Hash-and-Sign Signatures
Thomas Espitau
4
, Pierre-Alain Fouque
2
,
Benoˆıt G´erard
1
, and Mehdi Tibouchi
3
1
DGA.MI & IRISA
‡
2
NTT Secure Platform Laboratories
§
3
Institut Universitaire de France & IRISA & Universit´e de Rennes I
¶
4
Ecole Normale Sup´erieure de Cachan & Sorbonne Universit´es, UPMC Univ Paris 06, LIP6
k
Abstract. As the advent of general-purpose quantum computers appears to be drawing closer, agencies
and advisory bodies have started recommending that we prepare the transition away from factoring and
discrete logarithm-based cryptography, and towards postquantum secure constructions, such as lattice-
based schemes.
Almost all primitives of classical cryptography (and more!) can be realized with lattices, and the effi-
ciency of primitives like encryption and signatures has gradually improved to the point that key sizes
are competitive with RSA at similar security levels, and fast performance can be achieved both in soft-
ware and hardware. However, little research has been conducted on physical attacks targeting concrete
implementations of postquantum cryptography in general and lattice-based schemes in particular, and
such research is essential if lattices are going to replace RSA and elliptic curves in our devices and smart
cards.
In this paper, we look in particular at fault attacks against implementations of lattice-based signature
schemes, looking both at Fiat–Shamir type constructions (particularly BLISS, but also GLP, PASSSing
and Ring-TESLA) and at hash-and-sign schemes (particularly the GPV-based scheme of Ducas–Prest–
Lyubashevsky). These schemes include essentially all practical lattice-based signatures, and achieve the
best efficiency to date in both software and hardware. We present several fault attacks against those
schemes yielding a full key recovery with only a few or even a single faulty signature, and discuss possible
countermeasures to protect against these attacks.
Keywords: Fault Attacks, Digital Signatures, Postquantum Cryptography, Lattices, BLISS, GPV.
1 Introduction
Lattice-based cryptography. Recent progress in quantum computation [11], the NSA advisory
memorandum recommending the transition away from Suite B and to postquantum cryptography [1],
as well as the announcement of the NIST standardization process for postquantum cryptography [9]
all suggest that research on postquantum schemes, which is already plentiful but mostly focused on
theoretical constructions and asymptotic security, should increasingly take into account real world
implementation issues.
Among all postquantum directions, lattice-based cryptography occupies a position of particular
interest, as it relies on well-studied problems and comes with uniquely strong security guarantees,
such as worst-case to average-case reductions [43]. A number of works have also focused on improving
the performance of lattice-based schemes, and actual implementation results suggest that properly
optimized schemes may be competitive with, or even outperform, classical factoring- and discrete
logarithm-based cryptography.
‡
benoit.gerard@irisa.fr
§
tibouchi.mehdi@lab.ntt.co.jp
¶
pierre-alain.fouque@univ-rennes1.fr
k
tespitau@ens-cachan.fr
The literature on the underlying number-theoretic problems of lattice-based cryptography is
extensive (even though concrete bit security is not nearly as well understood as for factoring and
discrete logarithms; in addition, ring-based schemes have recently been subjected to new families
of attacks that might eventually reduce their security, especially in the postquantum setting). On
the other hand, there is currently a distinct lack of cryptanalytic results on the physical security of
implementations of lattice-based schemes (or in fact, postquantum schemes in general! [48]). It is
well-known that physical attacks, particularly against public-key schemes, are often simpler, easier
to mount and more devastating than attacks targeting underlying hardness assumptions: it is often
the case that a few bits of leakage or a few fault injections can reveal an entire secret key (the
well-known attacks from [6, 8] are typical examples). We therefore deem it important to investigate
how fault attacks may be leveraged to recover secret keys in the lattice-based setting, particularly
against signature schemes as signatures are probably the most likely primitive to be deployed in a
setting where fault attacks are relevant, and have also received the most attention in terms of efficient
implementations both in hardware and software.
Practical implementations of lattice-based signatures. Efficient signature schemes are typ-
ically proved secure in the random oracle model, and can be roughly divided in two families: the
hash-and-sign family (which includes schemes like FDH and PSS), as well as signatures based on
identification schemes, using the Fiat–Shamir heuristic or a variant thereof. Efficient lattice-based
signatures can also be divided along those lines, as observed for example in the survey of practical
lattice-based digital signature schemes presented by O’Neill and G¨uneysu at the NIST workshop on
postquantum cryptography [28, 29].
The Fiat–Shamir family is the most developed, with a number of schemes coming with concrete
implementations in software, and occasionally in hardware as well. Most schemes in that family follow
Lyubashevsky’s “Fiat–Shamir with aborts” paradigm [31], which uses rejection sampling to ensure
that the underlying identification scheme achieves honest-verifier zero-knowledge. Among lattice-
based schemes, the exemplar in that family is Lyubashevsky’s scheme from EUROCRYPT 2012 [32].
It is, however, of limited efficiency, and had to be optimized to yield practical implementations. This
was first carried out by G¨uneysu et al., who described an optimized hardware implementation of it
at CHES 2012 [25], and then to a larger extent by Ducas et al. in their scheme BLISS [14], which
includes a number of theoretical improvements and is the top-performing lattice-based signature. It
was also implemented in hardware by P¨oppelmann et al. [46]. Other schemes in that family include
Hoffstein et al.’s PASSSign [27], which incorporates ideas from NTRU, and Akleylek et al.’s Ring-
TESLA [4], which boasts a tight security reduction.
On the hash-and-sign side, there were a number of early proposals with heuristic security (and no
actual security proofs), particularly GGH [23] and NTRUSign [26], but despite several attempts to
patch them
5
they turned out to be insecure. A principled, provable approach to designing lattice-based
hash-and-sign signatures was first described by Gentry, Peikert and Vaikuntanathan in [21], based
on discrete Gaussian sampling over lattices. The resulting scheme, GPV, is rather inefficient, even
when using faster techniques for lattice Gaussian sampling [38]. However, Ducas, Lyubashevsky and
Prest [16] later showed how it could be optimized and instantiated over NTRU lattices to achieve
a relatively efficient scheme with particularly short signature size. The DLP scheme is somewhat
slower than BLISS in software, but still a good contender for practical lattice-based signatures, and
seemingly the only one in the hash-and-sign family.
5
There is a provably secure scheme due to Aguilar et al. [37] that claims to “seal the leak on NTRUSign”, but it
actually turns the construction into a Fiat–Shamir type scheme, using rejection sampling `a la Lyubashevsky.
2
Our contributions. In this work, we initiate the study of fault attacks against lattice-based signa-
ture schemes, and obtain attacks against all the practical schemes mentioned above.
As noted previously, early lattice-based signature schemes with heuristic security have been broken
using standard attacks [20, 22, 40] but recent constructions including [14, 16, 21, 31, 32] are provably
secure, and cryptanalysis therefore requires a more powerful attack model. In this work we consider
fault attacks.
We present two attacks, both using a similar type of faults which allows the attacker to cause a
loop inside the signature generation algorithm to abort early. Successful loop-abort faults have been
described many times in the literature, including against DSA [39] and pairing computations [42], and
in our attacks they can be used to recover information about the private signing key. The underlying
mathematical techniques used to actually recover the key, however, are quite different in the two
attacks.
Our first attack applies to the schemes in the Fiat–Shamir family: we describe it against BLISS [14,
46], and show how it extends to GLP [25], PASSSign [27] and Ring-TESLA [4]. In that attack, we
inject a fault in the loop that generates the random “commitment value” y of the sigma protocol
associated with the Fiat–Shamir signature scheme. That commitment value is a random polynomial
generated coefficient by coefficient, and an early loop abort causes it to have abnormally low degree,
so that the protocol is no longer zero-knowledge. In fact, this will usually leak enough information
that a single faulty signature is enough to recover the entire signing key. More specifically, we show
that the faulty signature can be used to construct a point that is very close to a vector in a suitable
integer lattice of moderate dimension, and such that the difference is essentially (a subset of) the
signing key, which can thus be recovered using lattice reduction.
Our second attack targets the GPV-based hash-and-sign signature scheme of Ducas et al. [16].
In that case, we consider early loop abort faults against the discrete Gaussian sampling in the secret
trapdoor lattice used in signature generation. The early loop abort causes the signature to be a linear
combination of the last few rows of the secret lattice. A few faulty signatures can then be used to
recover the span of those rows, and using the special structure of the lattice, we can then use lattice
reduction to find one of the rows up to sign, which is enough to completely reconstruct the secret key.
In practice, if we can cause loop aborts after up to m iterations, we find that m + 2 faulty signatures
are enough for full key recovery with high probability.
Both of our attacks are supported by extensive simulations in Sage [12], that are made available
anonymously online: see Appendix D.
We also take a close look at the concrete software and hardware implementations of the schemes
above, and discuss the concrete feasibility of injecting the required loop-abort faults in practice. We
find the attacks to be highly realistic. Finally, we discuss several possible countermeasures to protect
against our attacks.
Related work. To the best of our knowledge, the first previous work on fault attacks against lattice-
based signatures, and in particular the only one mentioned in the survey of Taha and Eisenbarth [48],
is the fault analysis work of Kamal and Youssef on NTRUSign [30]. It is, however, of limited interest
since NTRUSign is known to be broken [17,40]; it also suffers from a very low probability of success.
Much more recently, a relevant preprint has also been made available online by Bindel, Buchmann
and Kr¨amer [7] concurrently with this work. That paper proposes various fault attacks against the
same Fiat–Shamir type schemes that we consider in this paper. Most of the attacks, however, are
either in a contrived model (targeting key generation), or require unrealistically many faults and are
arguably straightforward (bypassing rejection sampling in signature generation or size/correctness
checks in signature verification). One attack described in the paper can be seen as posing a serious
threat, namely the one described in [7, Sec. IV-B], but it amounts to a weaker variant of our Fiat–
3
Shamir attack, using simple linear algebra rather than lattice reduction. As a result, it requires
several hundred faulty signatures, whereas our attack needs only one.
Another interesting concurrent work is the recent cache attack against BLISS of Groot Bruin-
derink et al. [24]. It uses cache side-channels to extract information about the coefficients of the
commitment polynomial y, and then lattice reduction to recover the signing key based on that side-
channel information. In that sense, it is similar to our Fiat–Shamir attack. However, since the nature
of the information to be exploited is quite different than in our setting, the mathematical techniques
are also quite different. In particular, again, in contrast with our fault attack, that cache attack
requires many signatures for a successful key recovery.
2 Description of the lattice-based signature schemes we consider
Notation. For any integer q, we represent the ring Z
q
by [−q/2, q/2) ∩Z. Vectors are considered as
column vectors and will be written in bold lower case letters and matrices with upper case letters.
By default, we will use the `
2
Euclidean norm, kvk
2
= (
P
i
v
2
i
)
1/2
and `
∞
-norm as kvk
∞
= max
i
|v
i
|.
The Gaussian distribution with standard deviation σ ∈ R and center c ∈ R at x ∈ R, is defined
by ρ
c,σ
(x) = exp
−(x−c)
2
2σ
2
and more generally by ρ
c,σ
(x) = exp
−(x−c)
2
2σ
2
and when c = 0, by ρ
σ
(x).
The discrete Gaussian distribution over Z centered at 0 is defined by D
σ
(x) = ρ
σ
(x)/ρ
σ
(Z) (or D
Z,σ
)
and more generally over Z
m
by D
m
σ
(x) = ρ
σ
(x)/ρ
σ
(Z
m
).
Description of BLISS. The BLISS signature scheme [14] is possibly the most efficient lattice-based
signature scheme so far. It has been implemented in both software [15] and hardware [46], and boasts
performance numbers comparable to classical factoring and discrete-logarithm based schemes. BLISS
can be seen as a ring-based optimization of the earlier lattice-based scheme of Lyubashevsky [32],
sharing the same “Fiat–Shamir with aborts” structure [31]. One can give a simplified description of
the scheme as follows: the public key is an NTRU-like ratio of the form a
q
= s
2
/s
1
mod q, where
the signing key polynomials s
1
, s
2
∈ R = Z[x]/(x
n
+ 1) are small and sparse. To sign a message µ,
one first generates commitment values y
1
, y
2
∈ R with normally distributed coefficients, and then
computes a hash c of the message µ together with u = −a
q
y
1
+ y
2
mod q. The signature is then the
triple (c, z
1
, z
2
), with z
i
= y
i
+ s
i
c, and there is rejection sampling to ensure that the distribution
of z
i
is independent of the secret key. Verification is possible because u = −a
q
z
1
+ z
2
mod q. The
real BLISS scheme, described in full in Figure 1, includes several optimizations on top of the above
description. In particular, to improve the repetition rate, it targets a bimodal Gaussian distribution
for the z
i
’s, so there is a random sign flip in their definition. In addition, to reduce key size, the
signature element z
2
is actually transmitted in compressed form z
†
2
, and accordingly the hash input
includes only a compressed version of u. These various optimizations are essentially irrelevant for our
purposes.
Description of the GPV-based scheme of Ducas et al. The second signature scheme we
consider is the one prosed by Ducas, Lyubashevsky and Prest at ASIACRYPT 2014 [16]. It is an
optimization using NTRU lattices of the GPV hash-and-sign signature scheme of Gentry, Peikert and
Vaikuntanathan [21], and has been implemented in software by Prest [47]. As in GPV, the signing
key is a “good” basis of a certain lattice Λ (with short, almost orthogonal vectors), and the public
key is a “bad” basis of the same lattice (with longer vectors and a large orthogonality defect). To
sign a message µ, one simply hashes it to obtain a vector c in the ambient space of Λ, and uses the
good, secret basis to sample v ∈ Λ according to a discrete Gaussian distribution of small variance
supported on Λ and centered at c. That vector v is the signature; it is, in particular, a lattice point
very close to c. That property can be checked using the bad, public basis, but that basis is too
4
large to sample such close vectors (this, combined with the fact that the discrete Gaussian leaks no
information about the secret basis, is what makes it possible to prove security). The actual scheme
of Ducas–Lyubashevsky–Prest, described in Figure 2, uses a lattice of the same form as NTRU:
Λ = {(y, z) ∈ R
2
| y + z ·h = 0}, where the public key h is again a ratio g/f mod q of small, sparse
polynomials in R = Z[x]/(x
n
+ 1). The use of such a lattice yields a very compact representation
of the keys, and makes it possible to compress the signature as well by publishing only the second
component of the sampled vector v. As a result, this hash-and-sign scheme is very space efficient
(even more than BLISS). However, the use of lattice Gaussian sampling makes signature generation
significantly slower than BLISS at similar security levels.
3 Attack on Fiat–Shamir type lattice-based signatures
The first fault attack that we consider targets the lattice-based signature schemes of Fiat–Shamir
type, and specifically the generation of the random “commitment” element in the underlying sigma
protocols, which is denoted by y in our descriptions. That element consists of one or several poly-
nomials generated coefficient by coefficient, and the idea of the attack is to introduce a fault in that
random sampling to obtain a polynomial of abnormally small degree, in which case signatures will
leak information about the private signing key. For simplicity’s sake, we introduce the attack against
BLISS in particular, but it works against the other Fiat–Shamir type schemes (GLP, PASSSign and
Ring-TESLA) with almost no changes: see Appendix B for details.
In BLISS, the commitment element actually consists of two polynomials (y
1
, y
2
), and it suffices
to attack y
1
. Intuitively, y
1
should mask the secret key element s
1
in the relation z
1
= ±s
1
c + y
1
,
and therefore modifying the distribution of y
1
should cause some information about s to leak in
signatures. The actual picture in the Fiat–Shamir with aborts paradigm is in fact slightly different
(namely, rejection sampling ensures that the distribution of z
1
is independent of s
1
, but only does
so under the assumption that y
1
follows the correct distribution), but the end result is the same:
perturbing the generation of y
1
should lead to secret key leakage.
Concretely speaking, in BLISS, y
1
∈ R
q
is a ring element generated according to a discrete
Gaussian distribution
6
, and that generation is typically carried out coefficient by coefficient in the
polynomial representation. Therefore, if we can use faults to cause an early termination of that
generation process, we should obtain signatures in which the element y
1
is actually a low-degree
polynomial. If the degree is low enough, we will see that this reveals the whole secret key right away,
from a single faulty signature!
Indeed, suppose that we can obtain a faulty signature obtained by forcing a termination of the
loop for sampling y
1
after the m-th iteration, with m n. Then, the resulting polynomial y
1
is of
degree at most m −1. As part of the faulty signature, we get the pair (c, z
1
) with z
1
= (−1)
b
s
1
c + y
1
.
Without loss of generality, we may assume that b = 0 (we will recover the whole secret key only up
to sign, but in BLISS, (s
1
, s
2
) and (−s
1
, −s
2
) are clearly equivalent secret keys). Moreover, with high
probability, c is invertible: if we heuristically assume that c behaves like a random element of the
ring from that standpoint, we expect it to be the case with probability about (1 − 1/q)
n
, which is
over 95% for all proposed BLISS parameters. We thus get an equation of the form:
c
−1
z
1
− s
1
≡ c
−1
y
1
≡
m−1
X
i=0
y
1,i
c
−1
x
i
(mod q) (1)
Thus, the vector v = c
−1
z
1
is very close to the sublattice of Z
n
generated by w
i
= c
−1
x
i
mod q for
i = 0, . . . , m − 1 and qZ
n
, and the difference should be s
1
.
6
In the other Fiat–Shamir schemes such as [25], the distribution of each coefficient is uniform in some interval rather
than Gaussian, but this doesn’t affect our attack strategy at all.
5