Impact
The XMSS Library, version 1.0.0, has a number of countermeasures against fault injection attacks during signature verification, as explained in the documentation: https://foxcryptonl.github.io/xmss-documentation/signature-verification.html.
Despite these countermeasures, research has identified a scenario that they do not cover. On certain hardware, a fault injection attack is possible such that a sophisticated physical attack by an advanced adversary can bypass the security function provided by xmss_calculate_expected_public_key of the XMSS Library version 1.0.0, with a reproducibility below 1%.
If your implementation does not require protection against fault injections by advanced adversaries then you are not affected.
If your implementation requires protection against fault injections by advanced adversaries then, depending on your hardware platform, this implies a potential vulnerability:
- If you are currently developing a product based on version 1.0.0 of the library, please update to the next major release as soon as it becomes available before deploying your product.
- If you have deployed product(s) based on version 1.0.0 of the library, please contact Fox Crypto B.V. for advice.
Patches
Additional countermeasures will be implemented in the next major release of the library, which will be available shortly.
Please update to version 2.0.0 of the library.
Workarounds
As a workaround, the same user guidance for resilient verification (https://foxcryptonl.github.io/xmss-documentation/signature-verification.html#autotoc_md6) can also be employed for the xmss_calculate_expected_public_key function.
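The following is an added illustration of the redundancy pattern behind fault-resilient verification, written for this advisory and not taken from the XMSS Library or its documentation. It does not call the library: the function standin_compute_expected_pk is a constructed stand-in for the real computation (the actual xmss_calculate_expected_public_key signature is not reproduced here), and the fault is simulated by flipping one output byte on a chosen call. The wrapper computes the result twice into independent buffers, checks both status codes against a non-trivial "okay" value, and rejects unless the two results match under a constant-time comparison.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PK_LEN 32

/* Hypothetical status codes with non-trivial bit patterns, so that a single
 * flipped bit is unlikely to turn an error into "okay" (assumption, not the
 * library's enum). */
typedef enum {
    STATUS_OKAY = 0x5A3C,
    STATUS_FAULT_DETECTED = 0xA5C3,
    STATUS_ERROR = 0x0F0F
} Status;

/* Fault simulation hooks (constructed for this demo): the call numbered
 * g_fault_on_call (1-based) gets one output byte corrupted. */
static volatile int g_fault_on_call = 0;
static volatile int g_call_count = 0;

/* Constructed stand-in for the expected-public-key computation: a small
 * deterministic mixing function that produces PK_LEN bytes from the input.
 * It is NOT the XMSS algorithm; it only gives the wrapper real data to compare. */
static Status standin_compute_expected_pk(const uint8_t *in, size_t len, uint8_t out[PK_LEN]) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) { h ^= in[i]; h *= 0x100000001b3ULL; }
    for (size_t i = 0; i < PK_LEN; i++) { h ^= (uint64_t)i; h *= 0x100000001b3ULL; out[i] = (uint8_t)(h >> 56); }
    g_call_count++;
    if (g_fault_on_call == g_call_count) out[PK_LEN - 1] ^= 0x01; /* simulated glitch */
    return STATUS_OKAY;
}

/* Constant-time comparison: no early exit, returns 0 only if all bytes match. */
static int ct_memcmp(const uint8_t *a, const uint8_t *b, size_t n) {
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff;
}

/* Resilient wrapper: two independent computations, both status codes checked,
 * results compared in constant time, output zeroed on any disagreement. */
Status resilient_expected_pk(const uint8_t *in, size_t len, uint8_t out[PK_LEN]) {
    uint8_t first[PK_LEN], second[PK_LEN];
    volatile Status s1 = standin_compute_expected_pk(in, len, first);
    volatile Status s2 = standin_compute_expected_pk(in, len, second);
    if (s1 != STATUS_OKAY || s2 != STATUS_OKAY) { memset(out, 0, PK_LEN); return STATUS_ERROR; }
    if (ct_memcmp(first, second, PK_LEN) != 0) { memset(out, 0, PK_LEN); return STATUS_FAULT_DETECTED; }
    /* Repeated status check: a glitch that skipped the first branch is caught here. */
    if ((s1 ^ STATUS_OKAY) | (s2 ^ STATUS_OKAY)) { memset(out, 0, PK_LEN); return STATUS_ERROR; }
    memcpy(out, first, PK_LEN);
    return STATUS_OKAY;
}

/* Runs the wrapper on a constructed input with a fault on the given call
 * (0 = no fault) and returns the wrapper's status. */
Status run_case(int fault_on_call) {
    static const uint8_t sample[] = "constructed sample input"; /* constructed */
    uint8_t pk[PK_LEN];
    g_call_count = 0;
    g_fault_on_call = fault_on_call;
    return resilient_expected_pk(sample, sizeof(sample) - 1, pk);
}

int main(void) {
    printf("no fault:            %s\n", run_case(0) == STATUS_OKAY ? "accepted" : "rejected");
    printf("fault on second run: %s\n", run_case(2) == STATUS_FAULT_DETECTED ? "rejected" : "accepted");
    return 0;
}
```

The two calls only provide redundancy if the compiler cannot merge them; the volatile status variables and the counter in the stand-in keep them separate here, but production code should follow the library's own guidance rather than rely on this pattern alone. Note also that a fault landing identically in both computations is not detected by comparison, which is why the guidance applies in addition to, not instead of, the library's built-in countermeasures.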