Partial key exposure and partial (or complete) randomness exposure may be devastating for the security of digital signatures. In this work, we investigate the security of lattice-based Fiat-Shamir signatures in the presence of randomness leakage. To this end, we present a generic key recovery attack that relies on minimum leakage of randomness, and then theoretically connect it to a variant of the Integer-LWE (ILWE) problem. The ILWE problem, introduced by Bootle et al. at Asiacrypt 2018, is to recover the secret vector $\mathbf{s}$ given polynomially many samples of the form $(\mathbf{a}, \langle \mathbf{a}, \mathbf{s} \rangle + e) \in \mathbb{Z}^{n+1}$, and it is solvable if the error $e \in \mathbb{Z}$ is not superpolynomially larger than the inner product $\langle \mathbf{a}, \mathbf{s} \rangle$. However, in our variant (which we call the FS-ILWE problem in this paper), $\mathbf{a} \in \mathbb{Z}^n$ is a sparse vector whose coefficients are NOT independent any more, and $e$ is related to $\mathbf{a}$ and $\mathbf{s}$ as well. We prove that the FS-ILWE problem can be solved in polynomial time, and present an efficient algorithm to solve it. Our generic key recovery method directly implies that many lattice-based Fiat-Shamir signatures will be totally broken with one (deterministic or probabilistic) bit of randomness leakage per signature. Our attack has been validated by experiments on two NIST PQC signatures, Dilithium and qTESLA. For example, for Dilithium-III with 125-bit quantum security, the secret key is recovered within 10 seconds on an ordinary desktop PC, using about one million signatures. Similarly, key recovery attacks on Dilithium under other parameters and on qTESLA complete within 20 seconds and 31 minutes respectively. In addition, we also present a non-profiled attack to show how to obtain the required randomness bit in practice through power analysis attacks on a proof-of-concept implementation of polynomial addition. The experimental results confirm the practical feasibility of our method.
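To make the ILWE definition above concrete, the following added example (not code from the paper, and not its FS-ILWE algorithm) builds a toy ILWE instance with independent coefficients and recovers the secret by least squares, the approach Bootle et al. use for plain ILWE; the secret, the coefficient distribution {-1,0,1}, the uniform error bound and the sample count are all constructed here, and the normal equations are solved with a small hand-written Gaussian elimination so the script needs no third-party library.

```python
import random

def ilwe_samples(secret, m, rng, err_bound=5):
    """Constructed toy ILWE instance: each sample is (a, <a,s> + e) with
    a drawn independently from {-1,0,1}^n and e uniform in [-err_bound, err_bound].
    The error is comparable in size to the inner product, so the instance is
    inside the regime the abstract calls solvable."""
    n = len(secret)
    samples = []
    for _ in range(m):
        a = [rng.choice((-1, 0, 1)) for _ in range(n)]
        e = rng.randint(-err_bound, err_bound)
        b = sum(ai * si for ai, si in zip(a, secret)) + e
        samples.append((a, b))
    return samples

def solve_linear(mat, rhs):
    """Gaussian elimination with partial pivoting on an n x n system."""
    n = len(rhs)
    m = [row[:] + [r] for row, r in zip(mat, rhs)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]

def recover_secret(samples):
    """Least-squares estimate of s: solve the normal equations
    (A^T A) s = A^T b over all samples, then round each coordinate.
    The estimation error shrinks like 1/sqrt(m), which is why polynomially
    many samples suffice when e is not superpolynomially larger than <a,s>."""
    n = len(samples[0][0])
    ata = [[0.0] * n for _ in range(n)]
    atb = [0.0] * n
    for a, b in samples:
        for i in range(n):
            atb[i] += a[i] * b
            for j in range(n):
                ata[i][j] += a[i] * a[j]
    return [round(x) for x in solve_linear(ata, atb)]

def demo(seed=1, m=2000):
    rng = random.Random(seed)
    secret = [2, -1, 0, 1, -2, 1]  # constructed small secret, n = 6
    return secret, recover_secret(ilwe_samples(secret, m, rng))

if __name__ == "__main__":
    s, est = demo()
    print("secret  :", s)
    print("estimate:", est, "(recovered)" if s == est else "(FAILED)")
```

Lowering `m` in `demo` shows the estimate degrading once the per-coordinate error exceeds 1/2, which is the sample-complexity trade-off the abstract's "about one million signatures" figure reflects for the real scheme.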