Paper 2025/904
The Security of ML-DSA against Fault-Injection Attacks
Haruhisa Kosuge and Keita Xagawa, Technology Innovation Institute
Abstract
Deterministic signatures are often used to mitigate the risks associated with poor-quality randomness: the randomness used in signing is generated by a pseudorandom function that takes the message as input. However, several studies have shown that such signatures are vulnerable to fault-injection attacks. To strike a balance, recent signature schemes often adopt "hedged" randomness generation, in which the pseudorandom function takes both the message and a fresh nonce as input. Aranha et al. (EUROCRYPT 2020) investigated the security of hedged Fiat-Shamir signatures against 1-bit faults and proved security for certain types of bit-tampering faults. Grilo et al. (ASIACRYPT 2021) extended this proof to the quantum random oracle model.

In 2024, NIST standardized the lattice-based signature scheme ML-DSA, which adopts hedged Fiat-Shamir with aborts. However, the existing security proofs against bit-tampering faults do not directly apply to it; Aranha et al. left this as an open problem. To address this gap, we analyze the security of ML-DSA against multi-bit fault-injection attacks. We give a formal proof of security for a specific class of faults at the inputs and outputs of internal functions, showing that faults at these points cannot be exploited. Furthermore, to show that stronger fault resilience is infeasible, we survey key-recovery attacks that exploit signatures generated under fault injection at the other intermediate points.
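The abstract's contrast between deterministic and hedged randomness is easiest to see on a small Fiat-Shamir signature. The following is an added example and is not code from the paper or from ML-DSA: it is a toy Schnorr signature over a 64-bit safe-prime group (parameters searched for at import time, not standardized ones), with the nonce derived as PRF(sk, msg) in deterministic mode and PRF(sk, rnd || msg) in hedged mode. The simulated fault is the classic one studied by Aranha et al.: one bit of the message is corrupted after the nonce has been derived from it but before the challenge is hashed. With deterministic signing, a correct and a faulted signature on the same message share the nonce and the secret key falls out of the two equations; with a fresh per-signature rnd (the role played by the 32-byte rnd in ML-DSA's hedged mode) the two nonces differ and the same attack has nothing to work with. The names sign, verify, recover_key and the fault_bit parameter are this example's own.

```python
"""Added example (not the paper's code): deterministic vs hedged Fiat-Shamir
signing under a simulated message fault. Group parameters are constructed here
for illustration and are not standardized."""
import hashlib
import hmac
import secrets

# Miller-Rabin with these fixed bases is deterministic for n < 3.3e24.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=64):
    """Deterministically find a safe prime p = 2q + 1 (q prime) above 2^(bits-1)."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    return p, q, 4  # 4 is a quadratic residue mod p, so its order is exactly q


P, Q, G = make_group()


def _h(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x, msg, rnd=b"", fault_bit=None):
    """Schnorr/Fiat-Shamir signature. rnd=b'' (or any fixed value) is the
    deterministic mode; a fresh 32-byte rnd per call is the hedged mode.
    fault_bit simulates a fault that flips one bit of the message AFTER the
    nonce k was derived from the original message."""
    prf = hmac.new(x.to_bytes(32, "big"), rnd + msg, "sha256").digest()
    k = int.from_bytes(prf, "big") % Q
    R = pow(G, k, P)
    m_used = bytearray(msg)
    if fault_bit is not None:
        m_used[fault_bit // 8] ^= 1 << (fault_bit % 8)
    e = _h(R.to_bytes(32, "big"), bytes(m_used)) % Q  # challenge on the faulted message
    s = (k + e * x) % Q
    return R, s


def verify(y, msg, sig):
    R, s = sig
    e = _h(R.to_bytes(32, "big"), msg) % Q
    return pow(G, s, P) == R * pow(y, e, P) % P


def recover_key(y, msg, good_sig, faulty_sig):
    """Attacker's view: a correct signature and a faulted one on the same msg.
    If they share R (same nonce), brute-force the flipped bit to learn the
    faulted challenge e', then x = (s - s') / (e - e') mod Q.
    Returns None when the nonces differ (hedged mode) or no bit explains s'."""
    R, s = good_sig
    R2, s2 = faulty_sig
    if R != R2:
        return None
    e = _h(R.to_bytes(32, "big"), msg) % Q
    for bit in range(8 * len(msg)):
        m2 = bytearray(msg)
        m2[bit // 8] ^= 1 << (bit % 8)
        e2 = _h(R.to_bytes(32, "big"), bytes(m2)) % Q
        if e2 != e and pow(G, s2, P) == R * pow(y, e2, P) % P:
            return (s - s2) * pow(e - e2, -1, Q) % Q
    return None


if __name__ == "__main__":
    x, y = keygen()
    msg = b"fault me"
    det_good = sign(x, msg, rnd=bytes(32))            # ML-DSA-style deterministic mode: fixed zero rnd
    det_bad = sign(x, msg, rnd=bytes(32), fault_bit=3)
    print("deterministic, key recovered:", recover_key(y, msg, det_good, det_bad) == x)
    hed_good = sign(x, msg, rnd=secrets.token_bytes(32))
    hed_bad = sign(x, msg, rnd=secrets.token_bytes(32), fault_bit=3)
    print("hedged, key recovered:", recover_key(y, msg, hed_good, hed_bad) == x)
```

The attacker never needs to know which bit was hit: the faulted signature verifies against exactly one single-bit variant of the message, which is cheap to search. Note what hedging does and does not buy here: it defeats this fault because the two signatures no longer share a nonce, which is the property the Aranha et al. and Grilo et al. proofs formalize, but the paper's point is that faults at other intermediate points of a Fiat-Shamir-with-aborts signer can still leak the key, so the location of the fault, not just the presence of rnd, decides exploitability.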
BibTeX
@misc{cryptoeprint:2025/904,
  author       = {Haruhisa Kosuge and Keita Xagawa},
  title        = {The Security of {ML}-{DSA} against Fault-Injection Attacks},
  howpublished = {Cryptology {ePrint} Archive, Paper 2025/904},
  year         = {2025},
  url          = {https://eprint.iacr.org/2025/904}
}