The unbalanced oil and vinegar signature scheme (UOV), which is one of the multivariate signature schemes, is expected to be secure against quantum attacks. To achieve cryptosystem security in a practical manner, we need to deal with security against physical attacks such as fault attacksFault attack, which generate computational errors to lead to security failures. We simulate the performance of a fault attack on UOV proposed by Furue et al. at PQCrypto 2022, which uses faults occurring on the secret key. This attack first recovers a part of the linear map of the secret key by utilizing faults occurring on the secret key, and then transforms the public key system. In this paper, we simulate the fault attack by Furue et al. in the following two conditions: the case where the attack is completed and the case where the number of faults is limited. For two practical parameter sets satisfying 100-bit security, in the first case, we confirmed that the attack breaks the parameters by smaller than 100-bit manipulations with approximately 90% probability and by smaller than 50-bit manipulations with approximately 30% probability. In the second case, our simulation shows that the attack breaks the claimed security level at least 60% probability with only two faults on the central map.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Performance Analysis of Fault Attack on UOV Multivariate Signature Scheme

  • Hiroki Furue,
  • Tatsuya Nagasawa,
  • Tsuyoshi Takagi

摘要

The unbalanced oil and vinegar signature scheme (UOV), which is one of the multivariate signature schemes, is expected to be secure against quantum attacks. To achieve cryptosystem security in a practical manner, we need to deal with security against physical attacks such as fault attacksFault attack, which generate computational errors to lead to security failures. We simulate the performance of a fault attack on UOV proposed by Furue et al. at PQCrypto 2022, which uses faults occurring on the secret key. This attack first recovers a part of the linear map of the secret key by utilizing faults occurring on the secret key, and then transforms the public key system. In this paper, we simulate the fault attack by Furue et al. in the following two conditions: the case where the attack is completed and the case where the number of faults is limited. For two practical parameter sets satisfying 100-bit security, in the first case, we confirmed that the attack breaks the parameters by smaller than 100-bit manipulations with approximately 90% probability and by smaller than 50-bit manipulations with approximately 30% probability. In the second case, our simulation shows that the attack breaks the claimed security level at least 60% probability with only two faults on the central map.