ZKFault: Fault attack analysis on zero-knowledge based post-quantum digital signature schemes

TL;DR

This paper investigates fault attacks on zero-knowledge based post-quantum digital signature schemes, demonstrating vulnerabilities in schemes like LESS and CROSS and proposing countermeasures.

Contribution

It introduces fault attack methods targeting the tree-based signature component of zero-knowledge post-quantum schemes, revealing critical security flaws.

Findings

Fault attacks can recover secret keys with minimal faults

The attack applies to multiple schemes sharing similar structures

Countermeasures can mitigate these fault vulnerabilities

Abstract

Computationally hard problems based on coding theory, such as the syndrome decoding problem, have been used for constructing secure cryptographic schemes for a long time. Schemes based on these problems are also assumed to be secure against quantum computers. However, these schemes are often considered impractical for real-world deployment due to large key sizes and inefficient computation time. In the recent call for standardization of additional post-quantum digital signatures by the National Institute of Standards and Technology, several code-based candidates have been proposed, including LESS, CROSS, and MEDS. These schemes are designed on the relatively new zero-knowledge framework. Although several works analyze the hardness of these schemes, there is hardly any work that examines the security of these schemes in the presence of physical attacks. In this work, we analyze these signature schemes from the perspective of fault attacks. All these schemes use a similar tree-based construction to compress the signature size. We attack this component of these schemes. Therefore, our attack is applicable to all of these schemes. In this work, we first analyze the LESS signature scheme and devise our attack. Furthermore, we showed how this attack can be extended to the CROSS signature scheme. Our attacks are built on very simple fault assumptions. Our results show that we can recover the entire secret key of LESS and CROSS using as little as a single fault. Finally, we propose various countermeasures to prevent these kinds of attacks and discuss their efficiency and shortcomings.