On the Security of Lattice-Based Fiat-Shamir Signatures in the Presence of Randomness Leakage
IEEE Transactions on Information Forensics and Security (IF 6.8), Pub Date: 2020-12-25, DOI: 10.1109/tifs.2020.3045904
Yuejun Liu , Yongbin Zhou , Shuo Sun , Tianyu Wang , Rui Zhang , Jingdian Ming

Leakages during the signing process, including partial key exposure and partial (or complete) randomness exposure, may be devastating for the security of digital signatures. In this work, we investigate the security of lattice-based Fiat-Shamir signatures in the presence of randomness leakage. To this end, we present a generic key recovery attack that relies on minimum leakage of randomness, and then theoretically connect it to a variant of the Integer-LWE (ILWE) problem. The ILWE problem, introduced by Bootle et al. at Asiacrypt 2018, is to recover the secret vector s given polynomially many samples of the form $(\mathbf{a}, \langle \mathbf{a}, \mathbf{s} \rangle + e) \in \mathbb{Z}^{n+1}$, and it is solvable if the error $e \in \mathbb{Z}$ is not superpolynomially larger than the inner product $\langle \mathbf{a}, \mathbf{s} \rangle$. However, in our variant (which we call the FS-ILWE problem in this paper), $\mathbf{a} \in \mathbb{Z}^{n}$ is a sparse vector whose coefficients are NOT independent any more, and e is related to a and s as well. We prove that the FS-ILWE problem can be solved in polynomial time, and present an efficient algorithm to solve it. Our generic key recovery method directly implies that many lattice-based Fiat-Shamir signatures will be totally broken with one (deterministic or probabilistic) bit of randomness leakage per signature. Our attack has been validated by experiments on two NIST PQC signatures, Dilithium and qTESLA. For example, for Dilithium-III with 125-bit quantum security, the secret key will be recovered within 10 seconds on an ordinary desktop PC, with about one million signatures. Similarly, key recovery attacks on Dilithium under other parameters and on qTESLA will be completed within 20 seconds and 31 minutes respectively.
In addition, we also present a non-profiled attack to show how to obtain the required randomness bit in practice through power analysis attacks on a proof-of-concept implementation of polynomial addition. The experimental results confirm the practical feasibility of our method.
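To make the ILWE statement in the abstract concrete, the following is an added illustration (not code from the paper, and not its FS-ILWE algorithm): it constructs samples $(\mathbf{a}, \langle \mathbf{a}, \mathbf{s} \rangle + e)$ for the plain ILWE setting with independent, uniformly random coefficients of $\mathbf{a}$ and a small uniform error $e$, then recovers $\mathbf{s}$ by ordinary least squares followed by rounding, which is the estimator Bootle et al. use for ILWE. The toy dimension, bounds, secret and seed are all assumptions chosen for the example. The point for a defender is the scaling it exposes: the estimate's error shrinks with the number of samples, so a leak that looks negligible per signature (here a few units of noise on an inner product) becomes a full key once enough signatures have been observed, which is why the randomness in these schemes must be protected (e.g. by masking) rather than merely kept approximately secret.

```python
import random


def generate_ilwe_samples(secret, m, a_bound=10, e_bound=3, seed=1):
    """Construct m toy ILWE samples (a, <a, s> + e).

    a has independent coefficients uniform in [-a_bound, a_bound] and
    e is uniform in [-e_bound, e_bound]; both are assumptions for the
    example, not parameters from the paper.
    """
    rng = random.Random(seed)
    n = len(secret)
    samples = []
    for _ in range(m):
        a = [rng.randint(-a_bound, a_bound) for _ in range(n)]
        e = rng.randint(-e_bound, e_bound)
        b = sum(ai * si for ai, si in zip(a, secret)) + e
        samples.append((a, b))
    return samples


def solve_linear(matrix, rhs):
    """Solve matrix * x = rhs by Gauss-Jordan elimination with partial pivoting."""
    n = len(rhs)
    aug = [row[:] + [rhs[i]] for i, row in enumerate(matrix)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        for r in range(n):
            if r != col:
                f = aug[r][col] / p
                for c in range(col, n + 1):
                    aug[r][c] -= f * aug[col][c]
    return [aug[i][n] / aug[i][i] for i in range(n)]


def least_squares_estimate(samples):
    """Return the real-valued least-squares estimate of s from (a, b) samples.

    Forms the normal equations (A^T A) x = A^T b directly, which is fine for
    the small dimension used here.
    """
    n = len(samples[0][0])
    ata = [[0.0] * n for _ in range(n)]
    atb = [0.0] * n
    for a, b in samples:
        for i in range(n):
            atb[i] += a[i] * b
            for j in range(n):
                ata[i][j] += a[i] * a[j]
    return solve_linear(ata, atb)


def recover_secret_ls(samples):
    """Round the least-squares estimate to the nearest integer vector."""
    return [int(round(v)) for v in least_squares_estimate(samples)]


def max_estimate_error(samples, secret):
    """Largest coordinate-wise deviation of the unrounded estimate from s."""
    est = least_squares_estimate(samples)
    return max(abs(x - s) for x, s in zip(est, secret))


if __name__ == "__main__":
    # Constructed secret with small coefficients, as in lattice signature keys.
    secret = [1, -2, 0, 2, -1, 1, 0, -2]
    for m in (50, 200, 2000):
        samples = generate_ilwe_samples(secret, m)
        print(m, "samples -> max error %.4f" % max_estimate_error(samples, secret),
              "recovered" if recover_secret_ls(samples) == secret else "not yet")
```

Running the script shows the maximum estimation error falling as the sample count grows; with 2000 samples the rounded estimate equals the constructed secret exactly. The FS-ILWE variant studied in the paper (sparse, dependent coefficients in $\mathbf{a}$ and an error correlated with $\mathbf{a}$ and $\mathbf{s}$) needs the paper's own algorithm rather than this plain estimator.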

Updated: 2021-01-08