Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti - PowerPoint PPT Presentation

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland PQCrypto 2017, 26th of June 1/15

Outline 1 Preliminaries Introduction Supersingular isogenies SSI cryptosystems 2 Fault attack Fault injection Recovering secret isogeny 3 Application 2/15

DLP Definition (Discrete Logarithm Problem) Pick an abelian group G = � g � . Given g and X, where X = g s , recover s. • Each scalar s determines the map g �→ g s . • Fixing s is same as fixing endomorphism φ s : G → G . 3/15

DLP Definition (Discrete Logarithm Problem) Pick an abelian group G = � g � . Given g and X, where X = g s , recover s. • Each scalar s determines the map g �→ g s . • Fixing s is same as fixing endomorphism φ s : G → G . Let’s generalise this! 3/15

Isogenies • Fix a finite field k = F p and a finite extension K = F q where q = p k . • Let E 1 and E 2 be elliptic curves over K . Definition An isogeny between E 1 and E 2 is a non-constant morphism defined over F q that sends O 1 to O 2 . We say that E 1 and E 2 are isogenous. 4/15

Isogenies Fun facts: • Isogenies are group homomorphisms. • For every finite subgroup G ⊂ E 1 , there is a unique E 2 (up to isomorphism) and a separable φ : E 1 → E 2 such that ker φ = G . We write E 2 = E 1 / G . • The isogeny can be constructed by an algorithm by V´ elu. • For any φ : E → E ′ of degree n , there exists a unique ˆ φ : E ′ → E such that φ ◦ ˆ φ = [ n ] = ˆ φ ◦ φ . • For any φ : E → E ′ of degree nm , we can decompose φ into isogenies of degrees m and n . 5/15

Supersingular Elliptic Curves Definition An elliptic curve E / F p k is said to be supersingular if # E ( F p k ) ≡ 1 (mod p ) . Fun facts: • All supersingular elliptic curves can be defined over F p 2 . • There are approximately p / 12 supersingular curves up to isomorphism. 6/15

Supersingular isogeny problem Definition (Discrete logarithm problem) Pick an abelian group G = � g � . Given g and X, where X = g s , recover s. • Each scalar s determines the map g �→ g s . • Fixing s is same as fixing endomorphism φ s : G → G . 7/15

Supersingular isogeny problem Definition (Discrete logarithm problem) Pick an abelian group G = � g � . Given g and X, where X = g s , recover s. • Each scalar s determines the map g �→ g s . • Fixing s is same as fixing endomorphism φ s : G → G . Definition (Supersingular isogeny problem) Given two supersingular elliptic curves E 1 and E 2 , find an isogeny between them. 7/15

Key exchange Set up: • Choose p = 2 n · 3 m · f ± 1, such that 2 n ≈ 3 m and f small. • Choose supersingular elliptic curve E over F p 2 . • Alice works over E [2 n ] with linearly independent points P A , Q A . • Bob works over E [3 m ] with linearly independent points P B , Q B . 8/15

Key exchange Set up: • Choose p = 2 n · 3 m · f ± 1, such that 2 n ≈ 3 m and f small. • Choose supersingular elliptic curve E over F p 2 . • Alice works over E [2 n ] with linearly independent points P A , Q A . • Bob works over E [3 m ] with linearly independent points P B , Q B . Recall that E [ N ] = Z / N Z × Z / N Z if N is co-prime to the characteristic of the field. 8/15

Key exchange φ A E / G A E φ B E / G B • Picks secret 1 ≤ a 1 , a 2 ≤ 2 n , not both divisible by 2, which determines G A = � [ a 1 ] P A + [ a 2 ] Q A � . • Computes φ A with ker φ A = G A via V´ elu. • Sends E / G A , φ A ( P B ), φ A ( Q B ).

Key exchange φ A E / G A E φ B E / G B E / � G A , G B � • Receives E / G B , φ B ( P A ), φ B ( Q A ). • Computes G ′ A = � [ a 1 ] φ B ( P A ) + [ a 2 ] φ B ( Q A ) � = � φ B ([ a 1 ] P A + [ a 2 ] Q A ) � = φ B ( G A ) . • Uses j ( E AB ) as secret key. 9/15

Fault attacks One can try to find mathematical algorithms to break the cryptosystem. Or, one can use side-channel attacks. Fault attacks are physical attacks aimed at physical devices and may be induced by: • EM probe • Clock/volt glitching • Temperature disturbances 10/15

Fault attacks One can try to find mathematical algorithms to break the cryptosystem. Or, one can use side-channel attacks. Fault attacks are physical attacks aimed at physical devices and may be induced by: • EM probe • Clock/volt glitching • Temperature disturbances • and more! 10/15

Fault attacks One can try to find mathematical algorithms to break the cryptosystem. Or, one can use side-channel attacks. Fault attacks are physical attacks aimed at physical devices and may be induced by: • EM probe • Clock/volt glitching • Temperature disturbances • and more! Fault attacks cause computation of unintended values which may leak sensitive data. 10/15

Fault attacks in ECC Given elliptic curve E , base point P , compute [ λ ] P . • Introduce fault to base point P ∈ E to become P ′ ∈ E ′ . • Change in curves occurs because operation does not use a 6 . • This changes the elliptic curve from E to E ′ and potentially makes solving ECDLP easier. • Solving the ECDLP on [ λ ] P ′ on E ′ , we learn information about λ . 11/15

Fault attacks in ECC Given elliptic curve E , base point P , compute [ λ ] P . • Introduce fault to base point P ∈ E to become P ′ ∈ E ′ . • Change in curves occurs because operation does not use a 6 . • This changes the elliptic curve from E to E ′ and potentially makes solving ECDLP easier. • Solving the ECDLP on [ λ ] P ′ on E ′ , we learn information about λ . P becomes P ′ E Compute [ λ ]( · ) [ λ ] P ′ P output fetch 11/15

Fault attacks in Isogenies Given elliptic curve E , base point P , compute [ λ ] P . • Introduce fault to base point P ∈ E to become P ′ ∈ E ′ . • This changes the elliptic curve from E to E ′ and potentially makes solving ECDLP easier. • Solving the ECDLP on [ λ ] P ′ on E ′ , we learn information about λ . 11/15

Fault attacks in Isogenies Given a point P and an isogeny φ , compute φ ( P ). • Introduce fault to base point P ∈ E to become P ′ ∈ E ′ . • This changes the elliptic curve from E to E ′ and potentially makes solving ECDLP easier. • Solving the ECDLP on [ λ ] P ′ on E ′ , we learn information about λ . 11/15

Fault attacks in Isogenies Given a point P and an isogeny φ , compute φ ( P ). • Introduce fault to base point P ∈ E to become P ′ ∈ E . • This changes the elliptic curve from E to E ′ and potentially makes solving ECDLP easier. • Solving the ECDLP on [ λ ] P ′ on E ′ , we learn information about λ . 11/15

Fault attacks in Isogenies Given a point P and an isogeny φ , compute φ ( P ). • Introduce fault to base point P ∈ E to become P ′ ∈ E . • Compute [3 m ][ f ] φ ( P ′ ) to get Z which will have order 2 n with high probability. • Solving the ECDLP on [ λ ] P ′ on E ′ , we learn information about λ . 11/15

Fault attacks in Isogenies Given a point P and an isogeny φ , compute φ ( P ). • Introduce fault to base point P ∈ E to become P ′ ∈ E . • Compute [3 m ][ f ] φ ( P ′ ) to get Z which will have order 2 n with high probability. • Use Z to compute ˆ φ . 11/15

Fault attacks in Isogenies Given a point P and an isogeny φ , compute φ ( P ). • Introduce fault to base point P ∈ E to become P ′ ∈ E . • Compute [3 m ][ f ] φ ( P ′ ) to get Z which will have order 2 n with high probability. • Use Z to compute ˆ φ . P becomes P ′ E Compute φ A ( · ) φ A ( P ′ ) P output fetch 11/15

Fault attacks in Isogenies Given a point P and an isogeny φ , compute φ ( P ). • Introduce fault to base point P ∈ E to become P ′ ∈ E . • Compute [3 m ][ f ] φ ( P ′ ) to get Z which will have order 2 n with high probability. • Use Z to compute ˆ φ . 11/15

Faulted point still on curve • Introduce a fault to the x -coordinate of P . • Recover P ′ by solving for y -coordinate. Then P ′ will lie in E or its quadratic twist E ′ . • Some implementations do not distinguish between the two. • If not, there is a 50% chance of P ′ landing in E . 12/15

Fault attacks in Isogenies Given a point P and an isogeny φ , compute φ ( P ). • Introduce fault to base point P ∈ E to become P ′ ∈ E . • Compute [3 m ][ f ] φ ( P ′ ) to get Z which will have order 2 n with high probability. • Use Z to compute ˆ φ . 12/15

Recovering isogeny Lemma Let E 1 be a supersingular elliptic curve over F p 2 , where p = 2 n 3 m f ± 1 . Suppose φ : E 1 → E 2 is a separable isogeny of degree 2 n . If φ ( P ′ ) ∈ E 2 has order 2 n , then the kernel of ˆ φ will be generated by φ ( P ′ ) . N.B. φ ( P ′ ) does not have to have order 2 n . If order is close to 2 n , we can brute force. 13/15

Key Exchange φ A E E A φ B E B E AB Aim: Recover secret φ A . 14/15

Key Exchange φ A E E A φ B E B E AB Aim: Recover secret φ A . • Need to evaluate image of random point under φ A . • Fault injection before computation of φ A ( P B ) or φ A ( Q B ). • Alice outputs φ A ( P ′ ), hence attacker may recover φ A . 14/15