Fault Attacks on Supersingular Isogeny Cryptosystems, Yan Bo Ti


  1. Fault Attacks on Supersingular Isogeny Cryptosystems. Yan Bo Ti, Department of Mathematics, University of Auckland. PQCrypto 2017, 26th of June.

  2. Outline
     1. Preliminaries: Introduction; Supersingular isogenies; SSI cryptosystems
     2. Fault attack: Fault injection; Recovering secret isogeny
     3. Application

  4. DLP
     Definition (Discrete Logarithm Problem): Pick an abelian group $G = \langle g \rangle$. Given $g$ and $X$, where $X = g^s$, recover $s$.
     • Each scalar $s$ determines the map $g \mapsto g^s$.
     • Fixing $s$ is the same as fixing the endomorphism $\phi_s : G \to G$.
     Let's generalise this!

  5. Isogenies
     • Fix a finite field $k = \mathbb{F}_p$ and a finite extension $K = \mathbb{F}_q$ where $q = p^k$.
     • Let $E_1$ and $E_2$ be elliptic curves over $K$.
     Definition: An isogeny between $E_1$ and $E_2$ is a non-constant morphism defined over $\mathbb{F}_q$ that sends $O_1$ to $O_2$. We say that $E_1$ and $E_2$ are isogenous.

  6. Isogenies
     Fun facts:
     • Isogenies are group homomorphisms.
     • For every finite subgroup $G \subset E_1$, there is a unique $E_2$ (up to isomorphism) and a separable $\phi : E_1 \to E_2$ such that $\ker \phi = G$. We write $E_2 = E_1/G$.
     • The isogeny can be constructed by an algorithm by Vélu.
     • For any $\phi : E \to E'$ of degree $n$, there exists a unique $\hat{\phi} : E' \to E$ such that $\phi \circ \hat{\phi} = [n] = \hat{\phi} \circ \phi$.
     • For any $\phi : E \to E'$ of degree $nm$, we can decompose $\phi$ into isogenies of degrees $m$ and $n$.

  7. Supersingular Elliptic Curves
     Definition: An elliptic curve $E/\mathbb{F}_{p^k}$ is said to be supersingular if $\#E(\mathbb{F}_{p^k}) \equiv 1 \pmod{p}$.
     Fun facts:
     • All supersingular elliptic curves can be defined over $\mathbb{F}_{p^2}$.
     • There are approximately $p/12$ supersingular curves up to isomorphism.

  9. Supersingular isogeny problem
     Definition (Discrete logarithm problem): Pick an abelian group $G = \langle g \rangle$. Given $g$ and $X$, where $X = g^s$, recover $s$.
     • Each scalar $s$ determines the map $g \mapsto g^s$.
     • Fixing $s$ is the same as fixing the endomorphism $\phi_s : G \to G$.
     Definition (Supersingular isogeny problem): Given two supersingular elliptic curves $E_1$ and $E_2$, find an isogeny between them.

  11. Key exchange
     Set up:
     • Choose $p = 2^n \cdot 3^m \cdot f \pm 1$, such that $2^n \approx 3^m$ and $f$ small.
     • Choose supersingular elliptic curve $E$ over $\mathbb{F}_{p^2}$.
     • Alice works over $E[2^n]$ with linearly independent points $P_A$, $Q_A$.
     • Bob works over $E[3^m]$ with linearly independent points $P_B$, $Q_B$.
     Recall that $E[N] = \mathbb{Z}/N\mathbb{Z} \times \mathbb{Z}/N\mathbb{Z}$ if $N$ is co-prime to the characteristic of the field.

  12. Key exchange
     [Diagram: curves $E$, $E/G_A$, $E/G_B$ with isogenies $\phi_A$, $\phi_B$]
     • Picks secret $1 \le a_1, a_2 \le 2^n$, not both divisible by 2, which determines $G_A = \langle [a_1]P_A + [a_2]Q_A \rangle$.
     • Computes $\phi_A$ with $\ker \phi_A = G_A$ via Vélu.
     • Sends $E/G_A$, $\phi_A(P_B)$, $\phi_A(Q_B)$.

  13. Key exchange
     [Diagram: curves $E$, $E/G_A$, $E/G_B$, $E/\langle G_A, G_B \rangle$ with isogenies $\phi_A$, $\phi_B$]
     • Receives $E/G_B$, $\phi_B(P_A)$, $\phi_B(Q_A)$.
     • Computes $G'_A = \langle [a_1]\phi_B(P_A) + [a_2]\phi_B(Q_A) \rangle = \langle \phi_B([a_1]P_A + [a_2]Q_A) \rangle = \phi_B(G_A)$.
     • Uses $j(E_{AB})$ as secret key.

  16. Fault attacks
     One can try to find mathematical algorithms to break the cryptosystem. Or, one can use side-channel attacks. Fault attacks are physical attacks aimed at physical devices and may be induced by:
     • EM probe
     • Clock/volt glitching
     • Temperature disturbances
     • and more!
     Fault attacks cause computation of unintended values which may leak sensitive data.

  18. Fault attacks in ECC
     Given elliptic curve $E$, base point $P$, compute $[\lambda]P$.
     • Introduce fault to base point $P \in E$ to become $P' \in E'$.
     • Change in curves occurs because operation does not use $a_6$.
     • This changes the elliptic curve from $E$ to $E'$ and potentially makes solving ECDLP easier.
     • Solving the ECDLP on $[\lambda]P'$ on $E'$, we learn information about $\lambda$.
     [Diagram: fetch $P$ from $E$; $P$ becomes $P'$; compute $[\lambda](\cdot)$; output $[\lambda]P'$]

  24. Fault attacks in Isogenies
     Given a point $P$ and an isogeny $\phi$, compute $\phi(P)$.
     • Introduce fault to base point $P \in E$ to become $P' \in E$.
     • Compute $[3^m][f]\phi(P')$ to get $Z$ which will have order $2^n$ with high probability.
     • Use $Z$ to compute $\hat{\phi}$.
     [Diagram: fetch $P$ from $E$; $P$ becomes $P'$; compute $\phi_A(\cdot)$; output $\phi_A(P')$]

  26. Faulted point still on curve
     • Introduce a fault to the $x$-coordinate of $P$.
     • Recover $P'$ by solving for $y$-coordinate. Then $P'$ will lie in $E$ or its quadratic twist $E'$.
     • Some implementations do not distinguish between the two.
     • If not, there is a 50% chance of $P'$ landing in $E$.

  28. Recovering isogeny
     Lemma: Let $E_1$ be a supersingular elliptic curve over $\mathbb{F}_{p^2}$, where $p = 2^n 3^m f \pm 1$. Suppose $\phi : E_1 \to E_2$ is a separable isogeny of degree $2^n$. If $\phi(P') \in E_2$ has order $2^n$, then the kernel of $\hat{\phi}$ will be generated by $\phi(P')$.
     N.B. $\phi(P')$ does not have to have order $2^n$. If order is close to $2^n$, we can brute force.

  30. Key Exchange
     [Diagram: curves $E$, $E_A$, $E_B$, $E_{AB}$ with isogenies $\phi_A$, $\phi_B$]
     Aim: Recover secret $\phi_A$.
     • Need to evaluate image of random point under $\phi_A$.
     • Fault injection before computation of $\phi_A(P_B)$ or $\phi_A(Q_B)$.
     • Alice outputs $\phi_A(P')$, hence attacker may recover $\phi_A$.
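
Why the value $Z$ from the "Fault attacks in Isogenies" slide lands in $\ker \hat{\phi}$, written out as an added derivation that is not part of the original slides. The symbols $N$ and $R$ are introduced here; the derivation assumes $\ker \phi$ is cyclic and $E_1(\mathbb{F}_{p^2}) \cong (\mathbb{Z}/N\mathbb{Z})^2$ with $N = 2^n 3^m f = p \mp 1$, as in the key-exchange setup.

$$
\begin{aligned}
R &:= [3^m f]\,P' \;\Rightarrow\; [2^n]R = [N]P' = O, \quad\text{so } R \in E_1[2^n],\\
Z &= [3^m][f]\,\phi(P') = \phi\big([3^m f]P'\big) = \phi(R) \quad\text{(isogenies are group homomorphisms)},\\
\hat{\phi}(Z) &= \hat{\phi}\big(\phi(R)\big) = [2^n]R = O \quad\text{(since } \hat{\phi}\circ\phi = [2^n]\text{)},\\
&\Rightarrow\; Z \in \ker\hat{\phi}, \qquad \#\ker\hat{\phi} = \deg\hat{\phi} = 2^n,\ \ker\hat{\phi}\ \text{cyclic}.
\end{aligned}
$$

Hence if $Z$ has order exactly $2^n$, then $\langle Z \rangle = \ker \hat{\phi}$, so $\hat{\phi}$ (and with it $\phi$, its dual) is determined via Vélu. Validating a point before applying $\phi$ to it removes the input this argument depends on.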
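
The curve-or-twist dichotomy from the "Faulted point still on curve" slide, as an added example that is not from the original slides. It assumes a toy base-field curve ($p = 431$, $E: y^2 = x^3 + x$; SIDH itself works over $\mathbb{F}_{p^2}$) and hypothetical function names, and shows a $y$-recovery routine that silently accepts twist $x$-coordinates next to one that rejects them.

```python
# Toy parameters (constructed for illustration): p = 2^4 * 3^3 - 1 = 431, p % 4 == 3,
# and E: y^2 = x^3 + x, which is supersingular for such p. Real SIDH uses F_{p^2}.
P = 431

def rhs(x):
    """Right-hand side x^3 + x of the curve equation, reduced mod P."""
    return (x * x * x + x) % P

def is_square(v):
    """Euler's criterion: v is a square in F_p iff v^((p-1)/2) is 0 or 1."""
    return pow(v, (P - 1) // 2, P) in (0, 1)

def on_curve(x, y):
    """Membership test for E: does (x, y) satisfy y^2 = x^3 + x?"""
    return (y * y - rhs(x)) % P == 0

def lift_x_unchecked(x):
    """Recover y from x without verifying it (does not distinguish E from its twist)."""
    return x, pow(rhs(x), (P + 1) // 4, P)

def lift_x_checked(x):
    """Recover y from x and reject x-coordinates that belong only to the twist."""
    y = pow(rhs(x), (P + 1) // 4, P)  # square root candidate, valid since p % 4 == 3
    if not on_curve(x, y):
        raise ValueError(f"x={x} is not the x-coordinate of a point on E")
    return x, y

def classify_all_x():
    """Count x in F_p that land on E, on the twist only, or on both (rhs == 0)."""
    counts = {"E": 0, "twist": 0, "both": 0}
    for x in range(P):
        v = rhs(x)
        key = "both" if v == 0 else ("E" if is_square(v) else "twist")
        counts[key] += 1
    return counts

if __name__ == "__main__":
    print(classify_all_x())  # an arbitrary x is on E about half the time
    for x in (1, P - 1):     # x and -x: exactly one of the two is on E
        pt = lift_x_unchecked(x)
        print(x, pt, "on E" if on_curve(*pt) else "silently on the twist")
```
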
