a key recovery timing attack on post quantum primitives
play

A key-recovery timing attack on post-quantum primitives using the - PowerPoint PPT Presentation

Oct 24, 2023 •184 likes •994 views

A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM Qian Guo, Thomas Johansson, Alexander Nilsson August 10, 2020 Preliminaries Implementing Crypto Is Hard

  1. A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM Qian Guo, Thomas Johansson, Alexander Nilsson August 10, 2020

  2. Preliminaries

  3. Implementing Crypto Is Hard WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM As shown by attacks on: 1

  4. Implementing Crypto Is Hard WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM As shown by attacks on: • DH / RSA / DSS in 1996 [Koc96] 1

  5. Implementing Crypto Is Hard WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM As shown by attacks on: • DH / RSA / DSS in 1996 [Koc96] • Openssl in 2002 and 2016 [BB03; YGH16] . . . 1

  6. Implementing Crypto Is Hard WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM As shown by attacks on: • DH / RSA / DSS in 1996 [Koc96] • Openssl in 2002 and 2016 [BB03; YGH16] . . . • 212 CVEs currently in NIST’s Vulnerability Database 1

  7. Implementing Crypto Is Hard WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM As shown by attacks on: • DH / RSA / DSS in 1996 [Koc96] • Openssl in 2002 and 2016 [BB03; YGH16] . . . • 212 CVEs currently in NIST’s Vulnerability Database Post quantum Schemes? 1

  8. Implementing Crypto Is Hard WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM As shown by attacks on: • DH / RSA / DSS in 1996 [Koc96] • Openssl in 2002 and 2016 [BB03; YGH16] . . . • 212 CVEs currently in NIST’s Vulnerability Database Post quantum Schemes? • McEliece in 2010 and 2013 [Str10; Str13] 1

  9. Implementing Crypto Is Hard WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM As shown by attacks on: • DH / RSA / DSS in 1996 [Koc96] • Openssl in 2002 and 2016 [BB03; YGH16] . . . • 212 CVEs currently in NIST’s Vulnerability Database Post quantum Schemes? • McEliece in 2010 and 2013 [Str10; Str13] • BLISS in 2016 [Bru+16] 1

  10. Implementing Crypto Is Hard WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM As shown by attacks on: • DH / RSA / DSS in 1996 [Koc96] • Openssl in 2002 and 2016 [BB03; YGH16] . . . • 212 CVEs currently in NIST’s Vulnerability Database Post quantum Schemes? • McEliece in 2010 and 2013 [Str10; Str13] • BLISS in 2016 [Bru+16] • LAC & Ramstake in 2019 [D’A+19] 1

  11. Implementing Crypto Is Hard WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM As shown by attacks on: • DH / RSA / DSS in 1996 [Koc96] • Openssl in 2002 and 2016 [BB03; YGH16] . . . • 212 CVEs currently in NIST’s Vulnerability Database Post quantum Schemes? • McEliece in 2010 and 2013 [Str10; Str13] • BLISS in 2016 [Bru+16] • LAC & Ramstake in 2019 [D’A+19] This presentation: A general attack against the Fujisaki-Okamoto transformation. 1

  12. Our contribution WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM The Fujisaki-Okamoto (FO) transform does not directly handle secret data, yet must be implemented in constant time. 2

  13. Our contribution WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM The Fujisaki-Okamoto (FO) transform does not directly handle secret data, yet must be implemented in constant time. Potentially vulnerable NIST PQC candidates: FrodoKEM, LAC, BIKE (early version), HQC, ROLLO and RQC. Maybe others? 2

  14. Our contribution WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM The Fujisaki-Okamoto (FO) transform does not directly handle secret data, yet must be implemented in constant time. Potentially vulnerable NIST PQC candidates: FrodoKEM, LAC, BIKE (early version), HQC, ROLLO and RQC. Maybe others? We show the attack for FrodoKEM (Lattice/LWE based). 2

  15. A quick, lightweight, background

  16. PKE’s and KEM’s WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM Publik Key Encryption Schemes sk , pk ← KeyGen ( · ) ( sk , pk ) ⇔ (secret key, public key) c ← PKE.CPA.Encrypt ( pk,m ) ( m , c ) ⇔ (plaintext, ciphertext) m ← PKE.CPA.Decrypt ( sk,c ) 3

  17. PKE’s and KEM’s WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM Publik Key Encryption Schemes sk , pk ← KeyGen ( · ) ( sk , pk ) ⇔ (secret key, public key) c ← PKE.CPA.Encrypt ( pk,m ) ( m , c ) ⇔ (plaintext, ciphertext) m ← PKE.CPA.Decrypt ( sk,c ) Key Encapsulation Mechanisms sk , pk ← KeyGen ( · ) c , ss ← KEM.CCA.Encaps ( pk ) ss ⇔ (shared secret) ss ← KEM.CCA.Decaps ( sk,c ) 3

  18. Security Models WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM PKE-schemes are often proven under the IND-CPA model 4

  19. Security Models WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM PKE-schemes are often proven under the IND-CPA model INDistinguishability under Chosen Plaintext Attack: Security game with no access to a decryption oracle. 4

  20. Security Models WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM PKE-schemes are often proven under the IND-CPA model INDistinguishability under Chosen Plaintext Attack: Security game with no access to a decryption oracle. Often, IND-CCA is desirable. 4

  21. Security Models WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM PKE-schemes are often proven under the IND-CPA model INDistinguishability under Chosen Plaintext Attack: Security game with no access to a decryption oracle. Often, IND-CCA is desirable. INDistinguishability under Chosen Ciphertext Attack: Security game with access to a decryption oracle. 4

  22. Security Models WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM PKE-schemes are often proven under the IND-CPA model INDistinguishability under Chosen Plaintext Attack: Security game with no access to a decryption oracle. Often, IND-CCA is desirable. INDistinguishability under Chosen Ciphertext Attack: Security game with access to a decryption oracle. The Fujisaki-Okamoto (FO) transform can be used to transform a CPA secure PKE-cipher into a CCA secure cipher. 4

  23. LWE and Code-based schemes WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM A common property: 5

  24. LWE and Code-based schemes WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM A common property: LWE encoding c = g ( pk , m ; r ) + e ( r ) Code-based encoding c = mG ⊕ e 5

  25. LWE and Code-based schemes WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM A common property: LWE encoding c = g ( pk , m ; r ) + e ( r ) Code-based encoding c = mG ⊕ e e can vary by a small degree without affecting decryption. 5

  26. LWE and Code-based schemes WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM A common property: LWE encoding c = g ( pk , m ; r ) + e ( r ) Code-based encoding c = mG ⊕ e e can vary by a small degree without affecting decryption. Decryption fails if e varies by a larger degree. 5

  27. Fujisaki-Okamoto I WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM The FO-transform can be used to transform a CPA secure PK-cipher into a CCA secure non-malleable KEM: 6

  28. Fujisaki-Okamoto I WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM The FO-transform can be used to transform a CPA secure PK-cipher into a CCA secure non-malleable KEM: Algorithm 1: KEM.CCA.Encaps Input: pk Output: ( c , ss ) 1 pick a random m 2 ( r , k ) ← H ( m , pk ) 3 c ← PKE.CPA.Encrypt ( pk,m;r ) 4 ss ← H ( c , k ) 5 return ( c , ss ) 6

  29. Fujisaki-Okamoto I WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM The FO-transform can be used to transform a CPA secure PK-cipher into a CCA secure non-malleable KEM: Algorithm 1: KEM.CCA.Encaps Input: pk Output: ( c , ss ) 1 pick a random m 2 ( r , k ) ← H ( m , pk ) 3 c ← PKE.CPA.Encrypt ( pk,m;r ) /* IND-CPA secure */ 4 ss ← H ( c , k ) 5 return ( c , ss ) 6

  30. Fujisaki-Okamoto II WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM The decapsulation function decodes and compare the re-encoding with the received ciphertext. 7

  31. Fujisaki-Okamoto II WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM The decapsulation function decodes and compare the re-encoding with the received ciphertext. Algorithm 2: KEM.CCA.Decaps Input: ( sk , pk , c ) Output: ( ss ) 1 m ′ ← PKE.CPA.Decrypt ( sk,c ) 2 ( r ′ , k ′ ) ← H ( m ′ , pk ) 3 c ′ ← PKE.CPA.Encrypt ( pk,m’;r ) 4 if ( c ′ = c ) then return ss ′ ← H ( c , k ) 5 else return ss ′ ← H ( c , k ′ ) 6 end if 7 return ( c , ss ) 7

  32. Fujisaki-Okamoto II WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM The decapsulation function decodes and compare the re-encoding with the received ciphertext. Algorithm 2: KEM.CCA.Decaps Input: ( sk , pk , c ) Output: ( ss ) 1 m ′ ← PKE.CPA.Decrypt ( sk,c ) 2 ( r ′ , k ′ ) ← H ( m ′ , pk ) 3 c ′ ← PKE.CPA.Encrypt ( pk,m’;r ) 4 if ( c ′ = c ) then return ss ′ ← H ( c , k ) 5 else return ss ′ ← H ( c , k ′ ) 6 end if 7 return ( c , ss ) 7

  33. Fujisaki-Okamoto II WALLENBERG AI, AUTONOMOUS SYSTEMS AND SOFTWARE PROGRAM The decapsulation function decodes and compare the re-encoding with the received ciphertext. Algorithm 2: KEM.CCA.Decaps Input: ( sk , pk , c ) Output: ( ss ) 1 m ′ ← PKE.CPA.Decrypt ( sk,c ) 2 ( r ′ , k ′ ) ← H ( m ′ , pk ) 3 c ′ ← PKE.CPA.Encrypt ( pk,m’;r ) 4 if ( c ′ = c ) then return ss ′ ← H ( c , k ) 5 else return ss ′ ← H ( c , k ′ ) 6 end if 7 return ( c , ss ) 7

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Open-Source FPGA Implementation of Post-Quantum Cryptographic Hardware Primitives Rashmi Agrawal

Open-Source FPGA Implementation of Post-Quantum Cryptographic Hardware Primitives Rashmi Agrawal

Open-Source FPGA Implementation of Post-Quantum Cryptographic Hardware Primitives Rashmi Agrawal , Bu Lake, Alan Ehret, and Michel Kinsy Adaptive & Secure Computing Systems Lab Department of Electrical & Computer Engineering Boston

964 views • 48 slides
1 11/05/2016 18:35 Strong recovery in Q4 post cyber attack Lowest ever churn Flat net

1 11/05/2016 18:35 Strong recovery in Q4 post cyber attack Lowest ever churn Flat net

1 11/05/2016 18:35 Strong recovery in Q4 post cyber attack Lowest ever churn Flat net adds Strongest quarter of RGU growth +148k FY EBITDA 260m in line with guidance; material step up in H2 margin to 18.4% Reiterating FY17

651 views • 43 slides
Post-Quantum EPID Signatures from Symmetric Primitives Dan Boneh Saba Eskandarian Ben Fisch

Post-Quantum EPID Signatures from Symmetric Primitives Dan Boneh Saba Eskandarian Ben Fisch

Post-Quantum EPID Signatures from Symmetric Primitives Dan Boneh Saba Eskandarian Ben Fisch Hardware Enclaves A trusted component in an untrusted system Protected memory isolates enclave from compromised OS Untrusted System Enclave

505 views • 34 slides
The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum Crypto JP Aumasson uantum /me 15 years experience in applied cryptography (PhD, industry, consulting) Designed widely used algorithms Author of the

816 views • 52 slides
Implementing post-quantum cryptography Peter Schwabe Radboud University, Nijmegen, The

Implementing post-quantum cryptography Peter Schwabe Radboud University, Nijmegen, The

Implementing post-quantum cryptography Peter Schwabe Radboud University, Nijmegen, The Netherlands June 28, 2018 PQCRYPTO Mini-School 2018, Taipei, Taiwan Part I: How to make software secure Implementing post-quantum cryptography 2 Timing

1.44k views • 116 slides
The post-quantum Internet Risk management Daniel J. Bernstein Combining congruences:

The post-quantum Internet Risk management Daniel J. Bernstein Combining congruences:

1 2 The post-quantum Internet Risk management Daniel J. Bernstein Combining congruences: state-of-the-art pre-quantum University of Illinois at Chicago & attack against original DH, Technische Universiteit Eindhoven RSA, and some

2.34k views • 171 slides
Timing Recovery at Low SNR Cramer-Rao bound, and outperforming the PLL Aravind R. Nayak John R.

Timing Recovery at Low SNR Cramer-Rao bound, and outperforming the PLL Aravind R. Nayak John R.

I N S T A I T I G U R T O E E G O F E H T T E C F H P R O G R E S S S E R V I C E O N A N D O L L A O E G S Y 1 8 8 5 Timing Recovery at Low SNR

820 views • 38 slides
Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from Symmetric-Key Primitives David Derler , Sebastian Ramacher , Daniel Slamanig PQC rypto 18, April 9, 2018 1 Ring Signatures P

612 views • 27 slides
Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers can break public-key cryptography that is based on assuming hardness of factoring, discrete logs, and a few other problems I Post-quantum

2.98k views • 37 slides
A Side-Channel Assisted Cryptanalytic Attack Against QcBits Mlissa Rossi Mike Hamburg

A Side-Channel Assisted Cryptanalytic Attack Against QcBits Mlissa Rossi Mike Hamburg

A Side-Channel Assisted Cryptanalytic Attack Against QcBits Mlissa Rossi Mike Hamburg Michael Hutter Mark E. Marson Possible path for post-quantum security Error-correcting codes Quantum computers may threaten the mathematical

892 views • 66 slides
Computing World Dan Boneh and Mark Zhandry Stanford University Classical Chosen Message Attack

Computing World Dan Boneh and Mark Zhandry Stanford University Classical Chosen Message Attack

Secure Signatures and Chosen Ciphertext Security in a Quantum Computing World Dan Boneh and Mark Zhandry Stanford University Classical Chosen Message Attack (CMA) m = S(sk, m) signing key sk Classical CMA + Quantum Computer (post-quantum

341 views • 21 slides
SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design

SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design

SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design Methodologies Farnoud Farahmand, Duc Tri Nguyen, Viet B. Dang*, Ahmed Ferozpuri and Kris Gaj George Mason University Post st-Quantum Quantum

441 views • 14 slides
Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About Cryptographic Standards History of post-quantum cryptography 2003 Daniel J. Bernstein introduces term Post-quantum cryptography. PQCrypto 2006:

623 views • 23 slides
Iterative Timing Recovery John R. Barry School of Electrical and Computer Engineering, Georgia

Iterative Timing Recovery John R. Barry School of Electrical and Computer Engineering, Georgia

Iterative Timing Recovery John R. Barry School of Electrical and Computer Engineering, Georgia Tech Atlanta, Georgia U.S.A. barry@ece.gatech.edu 0 Outline Timing Recovery Tutorial Problem statement TED: M&M, LMS, S-curves

859 views • 56 slides
Post-Synthesis Simulation VITAL Models, SDF Files, Timing Simulation Post-synthesis simulation

Post-Synthesis Simulation VITAL Models, SDF Files, Timing Simulation Post-synthesis simulation

Post-Synthesis Simulation VITAL Models, SDF Files, Timing Simulation Post-synthesis simulation Purpose: Verify correctness of synthesized circuit Verify synthesis tool delay/timing estimates Synthesis tool generates: Gate-level

363 views • 18 slides
Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why

Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why

R. van der Gaag, D. Weller Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why think about post-quantum cryptography W. Buchanan et. al concluded Gate-based quantum computers pose a significant

349 views • 18 slides
Recent Advances in Decoding Random Binary Linear Codes and Their Implications to Crypto

Recent Advances in Decoding Random Binary Linear Codes and Their Implications to Crypto

Recent Advances in Decoding Random Binary Linear Codes and Their Implications to Crypto Alexander May Horst Grtz Institute for IT-Security Faculty of Mathematics Ruhr-University of Bochum L ATTICE C ODING AND C RYPTO M EETING M AY 2017,

793 views • 32 slides
Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images courtesy xkcd.org) 2 / 17 Lattice-Based

923 views • 74 slides
INTRODUCTION TO RIVANNA 20 March 2019 Rivanna in More Detail Compute Nodes Head Nodes ssh

INTRODUCTION TO RIVANNA 20 March 2019 Rivanna in More Detail Compute Nodes Head Nodes ssh

INTRODUCTION TO RIVANNA 20 March 2019 Rivanna in More Detail Compute Nodes Head Nodes ssh client Ethernet Infiniband Home Other Scratch Directory Storage (Lustre) Allocations Rivanna is allocated: At the most basic level, an

1.17k views • 104 slides
INF5470 Fall 2012 Lecture 10: Analog Storage Content Overview Volatile Short Term Storage

INF5470 Fall 2012 Lecture 10: Analog Storage Content Overview Volatile Short Term Storage

INF5470 Fall 2012 Lecture 10: Analog Storage Content Overview Volatile Short Term Storage Indirect Multi-Level (AD/DA Digital) Storage Direct Multi-Level Storage Non-Volatile Storage Weekly Questions Lecture 10: Analog Storage 2

326 views • 18 slides
Teaching probability and statistics from a purely Bayesian point of view Sanjoy Mahajan Olin

Teaching probability and statistics from a purely Bayesian point of view Sanjoy Mahajan Olin

Teaching probability and statistics from a purely Bayesian point of view Sanjoy Mahajan Olin College of Engineering sanjoy@olin.edu streetfightingmath.com MIT ESME, Cambridge, MA, 05 Mar 2019 Philosophy of mathematics from the start Pr(10 13

824 views • 66 slides
7/1/2013 ABIM Certification Exam: Nephrology Division of Nephrology Department of Medicine

7/1/2013 ABIM Certification Exam: Nephrology Division of Nephrology Department of Medicine

7/1/2013 ABIM Certification Exam: Nephrology Division of Nephrology Department of Medicine July 2013 UCSF CME Kathleen D. Liu, MD, PhD Associate Professor NEPHROLOGY Roadmap for today Department of Medicine AKI (beyond ATN) Division

643 views • 51 slides
Design Technology Bennett Lauber, Chief Experience Officer July 31, 2018 @HISA_HIC #HIC18 The

Design Technology Bennett Lauber, Chief Experience Officer July 31, 2018 @HISA_HIC #HIC18 The

Usability and Patient-centered Design Technology Bennett Lauber, Chief Experience Officer July 31, 2018 @HISA_HIC #HIC18 The Selfie Contest #HIC18 #WeAreHealthInformatics @HISA_HIC #HIC18 Agenda Usability (Bad) Usability in the

326 views • 29 slides
New England Children with Genetic Disorders and Health Care Reform: Information and

New England Children with Genetic Disorders and Health Care Reform: Information and

New England Children with Genetic Disorders and Health Care Reform: Information and Recommendations for State Policymakers September 2, 2014 Meg Comeau, MHA Chair, New England Genetics Collaborative Health Care Access and Financing Workgroup

449 views • 40 slides

More recommend