Aymeric Genet
This thesis surveys the current state of the art of hash-based cryptography with a view to finding vulnerabilities related to side-channel attacks and fault attacks. For side-channel investigation, we analyzed the power consumption of an Arduino Due microcontroller running a custom ARM implementation of SPHINCS-256---the most advanced digital signature scheme based on hash functions. Simple power analysis (SPA) was applied on a single trace to obtain a first insight into the implementation, and then on multiple traces to identify an initial data dependence of the power consumption on the hash functions involved in the instance. Based on this result, differential power analysis (DPA), with difference of means, V-test, and Pearson correlation, was applied to further investigate the leakage relating to BLAKE-256, as this function is used within SPHINCS-256 several times with the same secret key but applied on different known addresses. Concerning fault attacks, using instances of one-time signature (OTS) or few-times signatures (FTS) to sign a same message has been shown to theoretically make many schemes, such as LD-OTS, W-OTS, and HORS, existentially forgeable with non-invasive attacks. These vulnerabilities are fatal for the Merkle signature schemes which implement the tree chaining method (CMSS). When the schemes provide n/2 = 128 bits of quantum security, a universal forgery can be created with around q = 20 different faulty signatures. This thesis demonstrates a practical application of fault attacks to create this universal forgery using voltage glitching on the previously mentioned ARM implementation of SPHINCS-256. An invasive attack performing key recovery against W-OTS by forcing bits of two quantities to be zero is also described. Countermeasures to thwart all the described attacks are discussed.
2017
