general fault attacks on multivariate public key
play

General fault attacks on multivariate public key cryptosystems Y. - PowerPoint PPT Presentation

Oct 01, 2022 •352 likes •587 views

General fault attacks on multivariate public key cryptosystems Y. Hashimoto (Univ. of the Ryukyus) T. Takagi (Kyushu Univ.) K. Sakurai(ISIT) Y. Hashimoto (Univ. of the Ryukyus) T. Takagi (Kyushu Univ.) General fault attacks on multivariate

  1. General fault attacks on multivariate public key cryptosystems Y. Hashimoto (Univ. of the Ryukyus) T. Takagi (Kyushu Univ.) K. Sakurai(ISIT) Y. Hashimoto (Univ. of the Ryukyus) T. Takagi (Kyushu Univ.) General fault attacks on multivariate public key cryptosystems K. Sakurai(ISIT)

  2. Multivariate Public Key Cryptosystem (MPKC) Public key consists of multivariate (quadratic) polynomials over a finite field k . a (1) b (1) � � x i + c (1) , f 1 ( x 1 , · · · , x n ) = ij x i x j + i i , j i . . . a ( m ) b ( m ) � � x i + c ( m ) . f m ( x 1 , · · · , x n ) = x i x j + ij i i , j i The security of MPKC is based on the difficulty of solving simultaneous multivariate equations. f 1 ( x ) = · · · = f n ( x ) = 0 Y. Hashimoto (Univ. of the Ryukyus) T. Takagi (Kyushu Univ.) General fault attacks on multivariate public key cryptosystems K. Sakurai(ISIT)

  3. Solving (randomly chosen) simultaneous multivariate quadratic equations is NP-hard. ⇓ MPKC is expected as one of candidates of Post-Quantum Cryptography. (others : lattice-based cryptography, code-based cryptography, etc.) MPKC is more efficient than RSA or ECC. ⇓ We expect to apply MPKC to embedding systems. Chen et al, CHES 2009. Scheme PubKey SecKey Encryp Decryp RSA(1024) 128B 1024B 22.4 µ s 813.5 µ s ECDSA(160) 40B 60B 409.2 µ s 357.8 µ s 3HFE-p(31,9) 7KB 5KB 2.3 µ s 60.5 µ s Rainbow(31,24,20,20) 57KB 150KB 17.7 µ s 70.6 µ s TTS(31,24,20,20) 57KB 16KB 18.4 µ s 14.2 µ s Y. Hashimoto (Univ. of the Ryukyus) T. Takagi (Kyushu Univ.) General fault attacks on multivariate public key cryptosystems K. Sakurai(ISIT)

  4. Attacks on MPKC. 1. Gr¨ obner basis attacks, 2. Rank attacks, 3. Differential attacks, etc. Almost all attacks aim at evaluating the difficulty of problem of solving the multivariate equations or recovering secret keys. There are no physical attacks except the side channel attack on the Sflash by Okeya-Takagi-Vuillaume, 2005. Our goal is to evaluate the security against Fault Attacks on MPKC . Y. Hashimoto (Univ. of the Ryukyus) T. Takagi (Kyushu Univ.) General fault attacks on multivariate public key cryptosystems K. Sakurai(ISIT)

  5. General construction of MPKC k : a finite field of q elements. n : # of variables, m : # of quadratic forms. Secret keys: S : k n → k n : an affine map. G : k n → k m : a quadratic map ( G − 1 is easy to compute). T : k m → k m : an affine map. Public key: F := T ◦ G ◦ S . → k n G S → k m T F : k n → k m Encryption: x (message) �→ F ( x ) = y (cipher-text) . Decryption: y �→ S − 1 ( G − 1 ( T − 1 ( y ))) = x . Y. Hashimoto (Univ. of the Ryukyus) T. Takagi (Kyushu Univ.) General fault attacks on multivariate public key cryptosystems K. Sakurai(ISIT)

  6. One-way Function F → k n G S → k m T F : k n → k m It is easy to compute the inversion of the central map G − 1 , but the map F becomes a one-way function by composing the random affine maps S and T . ⇓ Attack target: (a part of ) S and T . The way of breaking S , T depends on the central map G . Y. Hashimoto (Univ. of the Ryukyus) T. Takagi (Kyushu Univ.) General fault attacks on multivariate public key cryptosystems K. Sakurai(ISIT)

  7. Classification of MPKC 1. Big Field Type. The polynomials over K , which is an extension field of k , are considered as those over k . (Matsumoto ‐ Imai, HFE, Sflash, l IC, Quarz, etc) 2. Stepwise Triangular System (STS) Type. The multivariate quadratic equations can be solved step-by-step. (Tsujii’s STS scheme, Oil and vinegar, Rainbow, etc) Y. Hashimoto (Univ. of the Ryukyus) T. Takagi (Kyushu Univ.) General fault attacks on multivariate public key cryptosystems K. Sakurai(ISIT)

  8. The proposed fault attack → k n G S → k m T Public-key F : k n → k m Fault attack on G . We try to change a coefficient of G by a fault. S , G , T fault → S , G ′ , T �− S − 1 , G ′− 1 , T − 1 F x ′ → y ′ y �− → �− δ := y − y ′ = T ◦ ( G − G ′ ) ◦ S ( x ). Y. Hashimoto (Univ. of the Ryukyus) T. Takagi (Kyushu Univ.) General fault attacks on multivariate public key cryptosystems K. Sakurai(ISIT)

  9. Main results (1) # of Faults Table: Our fault attacks on G Big Field STS #Fault 1 n − 1 1 #( x , δ ) 2 ( n + 1)( n + 2) 1 Recovering parts of S , T a part of T Big Field type can be broken by a single fault. Y. Hashimoto (Univ. of the Ryukyus) T. Takagi (Kyushu Univ.) General fault attacks on multivariate public key cryptosystems K. Sakurai(ISIT)

  10. (2) Success probability. The fault hits on G among the secrete parameters S , G , T . This is high enough. Table: Success probability of our proposed fault attacks on some MPKCs. Scheme q n m S G T Quarz(2,103,129,3,4) 2 107 100 0.38 0.29 0.33 4HFE(31,10) 31 40 40 0.37 0.26 0.37 Rainbow(31,24,20,20) 31 64 40 0.07 0.90 0.03 Rainbow(256,18,12,12) 256 42 24 0.10 0.87 0.03 (3) Distinguishability. We give an algorithm that tells the fault hits the central map G or not. Y. Hashimoto (Univ. of the Ryukyus) T. Takagi (Kyushu Univ.) General fault attacks on multivariate public key cryptosystems K. Sakurai(ISIT)

  11. Big field type K : an extension field of k ( N := [ K : k ]). G : a polynomial map over K . G : k n 1 − 1 → K m / N 1 − 1 G → K n / N → k m Matsumoto-Imai Cryptosystem (1984, Eurocrypt’88) G ( X ) = X q i +1 ( i ≥ 0) . { 1 , w , · · · , w n − 1 } : a basis of K over k . x 1 , · · · , x n ∈ k . X = x 1 + x 2 w + · · · + x n w n − 1 , X q =( x 1 , · · · , x n -linear) + · · · + ( x 1 , · · · , x n -linear) w n − 1 . X q i +1 =( x 1 , · · · , x n -quadratic) + · · · + ( x 1 , · · · , x n -quadratic) w n − 1 Patarin broke the one-wayness of G at Crypto’95. Y. Hashimoto (Univ. of the Ryukyus) T. Takagi (Kyushu Univ.) General fault attacks on multivariate public key cryptosystems K. Sakurai(ISIT)

  12. HFE (Patarin, Eurocrypt’96) r ≥ 1. α ij X q i + q j + β i X q i + γ, � � G ( X ) = ( α ij , β i , γ ∈ K ) . 0 ≤ i , j ≤ r 0 ≤ i ≤ r Decryption: We solve equation G ( X ) = Y over K . Its complexity is O ( q 2 r × (polyn.)). Attacks: 1. Kipnis-Shamir attack (Crypto’99): break the secret S , T . 2. Gr¨ obner basis attack (F4): break the message. Both attacks are effective for small r . Y. Hashimoto (Univ. of the Ryukyus) T. Takagi (Kyushu Univ.) General fault attacks on multivariate public key cryptosystems K. Sakurai(ISIT)

  13. Stepwise Triangular System (STS) Type G ( x ) = ( g 1 ( x ) , · · · , g m ( x )). 1 ≤ n 1 < · · · < n l = n 1 ≤ m 1 < · · · < m l = m g 1 ( x ) , · · · , g m 1 ( x ) =( x 1 , · · · , x n 1 -quadratic) g m 1 +1 ( x ) , · · · , g m 2 ( x ) =( x 1 , · · · , x n 1 , · · · , x n 2 -quadratic) . . . g m l − 1 +1 ( x ) , · · · , g m ( x ) =( x 1 , · · · , x n 1 , · · · , x n 2 , · · · , x n -quadratic) Y. Hashimoto (Univ. of the Ryukyus) T. Takagi (Kyushu Univ.) General fault attacks on multivariate public key cryptosystems K. Sakurai(ISIT)

  14. Tsujii’s STS scheme (1986) g 1 ( x ) =( x 1 -linear) (1) g 2 ( x ) =( x 1 -quad.) + x 2 ( x 1 -linear) (2) . . . g n ( x ) =( x 1 , · · · , x n − 1 -linear) + x n ( x 1 , · · · , x n − 1 -linear) ( n ) Decryption: Find x 1 using (1), then substitute x 1 to others, Find x 2 using (2), then substitute x 2 to others, . . . . Hasegawa-Kaneko proposed an attack to beak the one-wayness of this central map G (SITA’87). Y. Hashimoto (Univ. of the Ryukyus) T. Takagi (Kyushu Univ.) General fault attacks on multivariate public key cryptosystems K. Sakurai(ISIT)

  15. UOV (Patarin, 1997) � g l ( x ) = x i ( x m +1 , · · · , x n -linear) + ( x m +1 , · · · , x n -quadratic) 1 ≤ i ≤ m � 0 m � ∗ = x t x + (linear) (1 ≤ l ≤ m ) . ∗ ∗ Signature generation: 1. Choose random values for x m +1 , · · · , x n . 2. Solve the linear equation of x 1 , · · · , x m . Kipnis-Shamir attack (Crypto’98) recovers a part of S with O ( q n − 2 m × (polyn.))-complexity. ⇓ # of variables must be sufficiently larger than twice of that of equations. Y. Hashimoto (Univ. of the Ryukyus) T. Takagi (Kyushu Univ.) General fault attacks on multivariate public key cryptosystems K. Sakurai(ISIT)

  16. Rainbow (Multi-layer UOV, Ding-Schmidt, PKC’05) 8 ! 0 m 1 ∗ x t > x + (linear) , (1 ≤ l ≤ m 1 ) , > > > ∗ ∗ > > < 0 1 g l ( x ) = 0 m 1 0 0 > x t 0 0 m − m 1 ∗ A x + (linear) , ( m 1 + 1 ≤ l ≤ m ) , > B C > > @ > > 0 ∗ ∗ n − m : Signature generation: 1. Choose random values for x m +1 , · · · , x n . 2. Solve the linear equation g m 1 +1 = · · · = g m ( x ) = 0 of x m 1 +1 , · · · , x m . 3. Solve the linear equation g 1 ( x ) = · · · = g m 1 ( x ) = 0 of x 1 , · · · , x m 1 . Attacks: 1. Rank attacks recover a part of T . 2. K-S attack on UOV recovers a part of S . Y. Hashimoto (Univ. of the Ryukyus) T. Takagi (Kyushu Univ.) General fault attacks on multivariate public key cryptosystems K. Sakurai(ISIT)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Stefan Mangard, Florian Mendel, Robert Primas ASIACRYPT 2018 IAIK - Graz University of Technology www.tugraz.at

1.01k views • 78 slides
Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Technical University

Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Technical University

Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Technical University of Darmstadt 1 1. General Introduction 2. Multivariate public key cryptosystems 3. Challenges 2 1 General Introduction In June 2006, in Belgium,

1.06k views • 68 slides
Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia

Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia

Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia Laguna, Sardinia (Italy) 19 October 2015 Introduction to Fault Attacks 19 October 2015 What are fault attacks? Active attacks against

571 views • 27 slides
Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France November 16, 2017 Cryptacus Workshop, Nijmegen, Netherlands the attacker only needs unprivileged execution on the victims machine

1.99k views • 164 slides
Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland PQCrypto 2017, 26th of June 1/15 Outline 1 Preliminaries Introduction Supersingular isogenies SSI cryptosystems 2 Fault attack

378 views • 33 slides
Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier, Xiaolu Hou and Yang Liu 10 September 2018 1 / 25 Table of Contents Background and Motivation 1 Overview of DATAC DFA Automation Tool for

727 views • 25 slides
Overview Introduction and basic concept ECE 753: FAULT-TOLERANT Fault model and fault

Overview Introduction and basic concept ECE 753: FAULT-TOLERANT Fault model and fault

4/1/2014 Overview Introduction and basic concept ECE 753: FAULT-TOLERANT Fault model and fault coverage COMPUTING Checkpointing and backward error recovery (rollback) Kewal K.Saluja General principles General principles

259 views • 3 slides
Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Introduction Threats Setups Attacks Countermeasures Conclusion 1 / 31 Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of Cryptographic Algorithms and Devices for Real-World Applications Sibenik,

849 views • 31 slides
Defeating TLS client authentication using fault attacks Who are we ? R&amp;D dept. @

Defeating TLS client authentication using fault attacks Who are we ? R&amp;D dept. @

Defeating TLS client authentication using fault attacks Who are we ? R&amp;D dept. @ Security Evaluation Kudelski Security Lab @ Kudelski IoT Embedded systems Hardware attacks security research Glitch / EM Reverse

889 views • 51 slides
Multivariate Responses In the general mean-variance specification E ( Y j | x ) = f ( x j , ) ,

Multivariate Responses In the general mean-variance specification E ( Y j | x ) = f ( x j , ) ,

ST 762 Nonlinear Statistical Models for Univariate and Multivariate Response Multivariate Responses In the general mean-variance specification E ( Y j | x ) = f ( x j , ) , var ( Y j | x j ) = 2 g ( , , x j ) 2 , we have assumed that

618 views • 37 slides
Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs

Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs

Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs marc.joye@thomson.net CryptoPuces 2009 Porquerolles, June 26, 2009 Outline Elliptic Curve Cryptography Inducing Faults Fault Attacks Countermeasures

363 views • 24 slides
Its Not My Fault 1915: rotor machines: (electro-)mechanical - On Fault Attacks on

Its Not My Fault 1915: rotor machines: (electro-)mechanical - On Fault Attacks on

Its Not My Fault Bart Preneel FDTC12 9 September 2011 Symmetric crypto history 101 http://www.ecrypt.eu.org pre-1915: manual encryption or simple devices Its Not My Fault 1915: rotor machines: (electro-)mechanical - On

296 views • 6 slides
JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK 2018, Kolkata, India 15 Nov 2018 Table of Contents 1. Introduction to Fault Attacks 2. Persistent Fault Analysis (PFA) 3. PFA on Fault

588 views • 19 slides
Optimal Attacks for Multivariate and Multimodel Side-Channel Leakages Nicolas Bruneau, Sylvain

Optimal Attacks for Multivariate and Multimodel Side-Channel Leakages Nicolas Bruneau, Sylvain

Introduction Solution Results Conclusions and perspectives Optimal Attacks for Multivariate and Multimodel Side-Channel Leakages Nicolas Bruneau, Sylvain Guilley, Annelie Heuser, Damien Marion and Olivier Rioul Saturday August 20, 2016

1.11k views • 36 slides
Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M.

Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M.

Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M. Eichlseder, T. Korak, V. Lomn e, F. Mendel ASK 2016 The research leading to these results has received funding from the European Unions Horizon

551 views • 26 slides
Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 ,

Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 ,

Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 , Jacques Fournier 2 , Louis Goubin 3 , Ronan Lashermes 2 , 3 , Marie Paindavoine 4 , 5 . 1 - LIASD, Paris 8, France. 2 - CEA Tech, DPACA/LSAS, Gardanne,

446 views • 22 slides
Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curves Side-Channel Countermeasures Conclusion Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks Vincent Verneuil 1 , 2 1 Inside Secure 2 Institut de Math ematiques de Bordeaux S

2.22k views • 188 slides
Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography Linear Cryptanalysis Differential Cryptanalysis Analytic Cryptanalysis of Block Ciphers, Stream Ciphers, Modes of Other Advanced Attacks Operation,

933 views • 11 slides
Cryptography by Cellular Automata Luca Mariot luca.mariot@disco.unimib.it Zagreb November

Cryptography by Cellular Automata Luca Mariot luca.mariot@disco.unimib.it Zagreb November

University of Milano-Bicocca Department of Informatics, Systems and Communications Cryptography by Cellular Automata Luca Mariot luca.mariot@disco.unimib.it Zagreb November 14, 2017 Context (1/2): Cellular Automata One-dimensional

847 views • 47 slides
A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

1. Preliminaries 2. Differential-Linear Cryptanalysis: Previous and Our Methodologies 3. Application to 13 Rounds of the DES Block Cipher 4. Application to 10 Rounds of the CTC2 Block Cipher 5. Application to 12 Rounds of the Serpent Block

1.18k views • 25 slides
Differential Privacy (Part IV) Alice Eve Bob Cryptographic protocols Tons of attacksnever

Differential Privacy (Part IV) Alice Eve Bob Cryptographic protocols Tons of attacksnever

Differential Privacy (Part IV) Alice Eve Bob Cryptographic protocols Tons of attacksnever ending list! essential in distributed systems Needham-Schroeder (1996) e-banking Microsoft Passport (2001) e-commerce Kerberos (2004) e-mail

571 views • 22 slides
An Introduction to Physical Attacks Application to Secret Specifications Algorithms

An Introduction to Physical Attacks Application to Secret Specifications Algorithms

An Introduction to Physical Attacks Application to Secret Specifications Algorithms Christophe Clavier GEMALTO Security Labs SSTIC Rennes May 30, 2007 Christophe Clavier SSTIC 07 Rennes Physical Attacks Against

708 views • 23 slides
1 FPGAs Attack Model Consider a device capable of implementing the FPGAs allow parallel

1 FPGAs Attack Model Consider a device capable of implementing the FPGAs allow parallel

Introduction Classic cryptography views the secure problems with mathematical abstractions The classic cryptanalysis has had a great

443 views • 11 slides
Side-channel attacks in a microkernel environment Thomas Frase Thomas.b.Frase@student.hs-rm.de

Side-channel attacks in a microkernel environment Thomas Frase Thomas.b.Frase@student.hs-rm.de

Side-channel attacks in a microkernel environment Thomas Frase Thomas.b.Frase@student.hs-rm.de Fabian Seiberling Fabian.b.Seiberling@student.hs-rm.de 1st Wiesbaden Workshop on 13.02.2014 Advanced Microkernel Operating Systems Table of

580 views • 27 slides

More recommend