partial key exposure and partial (or complete) randomness exposure, may be devastating for the security of digital signatures. In this work, we investigate the security of lattice-based Fiat-Shamir signatures in the presence of randomness leakage. To this end, we present a generic key recovery attack that relies on minimal leakage of randomness, and then theoretically connect it to a variant of the Integer-LWE (ILWE) problem. The ILWE problem, introduced by Bootle et al. at Asiacrypt 2018, is to recover the secret vector $\mathbf{s}$ given polynomially many samples of the form $(\mathbf{a}, \langle \mathbf{a}, \mathbf{s} \rangle + e) \in \mathbb{Z}^{n+1}$, and it is solvable if the error $e \in \mathbb{Z}$ is not superpolynomially larger than the inner product $\langle \mathbf{a}, \mathbf{s} \rangle$. However, in our variant (which we call the FS-ILWE problem in this paper), $\mathbf{a} \in \mathbb{Z}^{n}$ is a sparse vector whose coefficients are no longer independent, and $e$ depends on $\mathbf{a}$ and $\mathbf{s}$ as well. We prove that the FS-ILWE problem can be solved in polynomial time, and present an efficient algorithm to solve it.
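As an added illustration (not code from the paper) of why the plain ILWE problem is easy when the error is small relative to the inner product: a toy instance generator and the least-squares estimator $\mathbf{s} \approx \mathrm{round}\big((A^{T}A)^{-1}A^{T}\mathbf{b}\big)$, using constructed coefficient ranges, sample counts and error bounds. It models the base ILWE problem only; the sparse, dependent FS-ILWE samples the paper analyses are not modelled here.

```python
import random

def gen_ilwe_samples(s, m, err_bound, rng):
    """Constructed toy ILWE instance: each a_i has small uniform coefficients,
    and e_i is uniform in [-err_bound, err_bound]; b_i = <a_i, s> + e_i."""
    n = len(s)
    A, b = [], []
    for _ in range(m):
        a = [rng.randint(-5, 5) for _ in range(n)]
        e = rng.randint(-err_bound, err_bound)
        A.append(a)
        b.append(sum(ai * si for ai, si in zip(a, s)) + e)
    return A, b

def solve_linear(M, v):
    """Solve M x = v (n x n, floats) by Gaussian elimination with partial pivoting."""
    n = len(v)
    aug = [row[:] + [v[i]] for i, row in enumerate(M)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(aug[r][col]))
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(col + 1, n):
            f = aug[r][col] / aug[col][col]
            for c in range(col, n + 1):
                aug[r][c] -= f * aug[col][c]
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (aug[i][n] - sum(aug[i][j] * x[j] for j in range(i + 1, n))) / aug[i][i]
    return x

def ilwe_least_squares(A, b):
    """Least-squares recovery: s_hat = round((A^T A)^{-1} A^T b).
    Rounding succeeds when the per-coordinate noise of the estimator is well below 1/2."""
    n = len(A[0])
    AtA = [[sum(row[i] * row[j] for row in A) for j in range(n)] for i in range(n)]
    Atb = [sum(row[i] * bi for row, bi in zip(A, b)) for i in range(n)]
    return [int(round(x)) for x in solve_linear(AtA, Atb)]

def demo(seed=1, err_bound=20):
    """Constructed example: an 8-coefficient secret and 2000 noisy samples.
    With err_bound=20 the secret is recovered; with a huge bound it is not."""
    rng = random.Random(seed)
    s = [-2, 1, 0, 3, -1, 2, 1, -3]
    A, b = gen_ilwe_samples(s, m=2000, err_bound=err_bound, rng=rng)
    return s, ilwe_least_squares(A, b)

if __name__ == "__main__":
    secret, recovered = demo()
    print("secret   :", secret)
    print("recovered:", recovered)
```

Raising `err_bound` until recovery fails shows the condition in the definition above: the estimator works only while the error does not dominate the inner product.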
Our generic key recovery method directly implies that many lattice-based Fiat-Shamir signatures will be totally broken with one (deterministic or probabilistic) bit of randomness leakage per signature. Our attack has been validated by experiments on two NIST PQC signatures, Dilithium and qTESLA. For example, for Dilithium-III with 125-bit quantum security, the secret key will be recovered within 10 seconds on an ordinary desktop PC, with about one million signatures. Similarly, key recovery attacks on Dilithium under other parameters and on qTESLA will be completed within 20 seconds and 31 minutes respectively. In addition, we also present a non-profiled attack to show how to obtain the required randomness bit in practice through power analysis attacks on a proof-of-concept implementation of polynomial addition. The experimental results confirm the practical feasibility of our method.