Concepedia

Publication | Closed Access

FPGA-based SPHINCS<sup>+</sup> Implementations: Mind the Glitch

Citations: 50

References: 21

Year: 2020

Abstract

The digital signature scheme SPHINCS<sup>+</sup> is a candidate in the NIST post-quantum project, whose aim is to standardize cryptographic systems that are secure against attacks originating from both quantum and classical computers. We present an efficient and, to our knowledge, first hardware implementation for SPHINCS<sup>+</sup>. Our systematic approach of a performance-optimized FPGA architecture results in a 100x speed-up compared to the reference software-only implementation. Our investigation on a real-world implementation revealed a weakness regarding fault injection. The attack breaks the scheme completely. Collecting enough private information to forge a signature is a matter of seconds on our setup. We discuss possible countermeasures. A “sign-then-verify” operation unfortunately does not detect a faulty signature, but a full replication of the hardware might make a detection possible.
