harnessing biased faults in attacks on ecc based
play

Harnessing Biased Faults in Attacks on ECC-based Signature Schemes - PowerPoint PPT Presentation

Aug 24, 2023 •187 likes •590 views

Harnessing Biased Faults in Attacks on ECC-based Signature Schemes Kimmo Jrvinen 1 , Cline Blondeau 1 , Dan Page 2 , Michael Tunstall 2 1 Aalto University, Department of Information and Computer Science, Finland 2 University of Bristol,

  1. Harnessing Biased Faults in Attacks on ECC-based Signature Schemes Kimmo Järvinen 1 , Céline Blondeau 1 , Dan Page 2 , Michael Tunstall 2 1 Aalto University, Department of Information and Computer Science, Finland 2 University of Bristol, Department of Computer Science, UK FDTC 2012, Leuven, Belgium, September 9, 2012

  2. Outline Background Existing attacks Our attack using biased faults Results & discussion Demo Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 2/16

  3. Introduction ◮ We build upon the attack presented by Giraud, Knudsen, and Tunstall in ACISP 2004 and CARDIS 2010 ◮ We show that the attack becomes much more powerful if faults are biased (that is, distributed nonuniformly) and the attacker knows or can accurately estimate the biases ◮ Literature suggests that such phenomena can be produced 0.025 0.025 0.025 0.02 0.02 0.02 0.015 0.015 0.015 Probability Probability Probability 0.01 0.01 0.01 0.005 0.005 0.005 0 0 0 0 50 100 150 200 250 0 50 100 150 200 250 0 50 100 150 200 250 Fault value Fault value Fault value � 0 . 5 , 0 . 5 , 0 . 5 , 0 . 5 , 0 . 5 , 0 . 5 , 0 . 5 , 0 . 5 � � 0 . 4 , 0 . 4 , 0 . 4 , 0 . 4 , 0 . 4 , 0 . 4 , 0 . 4 , 0 . 4 � � 0 . 43 , 0 . 42 , 0 . 32 , 0 . 41 , 0 . 29 , 0 . 49 , 0 . 28 , 0 . 33 � Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 3/16

  4. Outline of the attack(s) 1. Compute Q = d P 2. Inject a w -bit fault f into d so d ′ = d ⊕ ( f · 2 m ) 3. Compute Q ′ = d ′ P 4. Calculate δ = ( d − d ′ ) / 2 m from Q and Q ′ by solving ECDLP δ P = ( Q − Q ′ ) / 2 m 5. Recover information about d using δ (and δ from any previous iterations) 6. Halt if enough information is recovered, otherwise repeat from Step 2 We assume that the attacker has a direct access to Q Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 4/16

  5. The attack of Bao et al. ◮ 1-bit faults � − 2 m P if d i = 0 ◮ Q − Q ′ = ( d − d ′ ) P = + 2 m P if d i = 1 ◮ One fault reveals one key bit ◮ Difficult fault injection Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 5/16

  6. The attack of Giraud et al. ◮ w -bit faults (in their paper: w = 8) ◮ Because d , d ′ ∈ [ 0 , 2 w − 1 ] with d � = d ′ , for the difference δ = d − d ′ we have δ ∈ [ − 2 w + 1 , 2 w − 1 ] \ 0 ◮ But with a specific fixed d , we have δ ∈ [ d − 2 w + 1 , d ] \ 0 − 2 w + 1 2 w − 1 0 Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 6/16

  7. The attack of Giraud et al. ◮ w -bit faults (in their paper: w = 8) ◮ Because d , d ′ ∈ [ 0 , 2 w − 1 ] with d � = d ′ , for the difference δ = d − d ′ we have δ ∈ [ − 2 w + 1 , 2 w − 1 ] \ 0 ◮ But with a specific fixed d , we have δ ∈ [ d − 2 w + 1 , d ] \ 0 ◮ When we observe δ , we learn information about d : max ( 0 , δ ) ≤ d ≤ min ( 2 w − 1 , δ + 2 w − 1 ) ◮ We generate faults until we have enough information − 2 w + 1 2 w − 1 0 Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 6/16

  8. The attack of Giraud et al. ◮ w -bit faults (in their paper: w = 8) ◮ Because d , d ′ ∈ [ 0 , 2 w − 1 ] with d � = d ′ , for the difference δ = d − d ′ we have δ ∈ [ − 2 w + 1 , 2 w − 1 ] \ 0 ◮ But with a specific fixed d , we have δ ∈ [ d − 2 w + 1 , d ] \ 0 ◮ When we observe δ , we learn information about d : max ( 0 , δ ) ≤ d ≤ min ( 2 w − 1 , δ + 2 w − 1 ) ◮ We generate faults until we have enough information − 2 w + 1 2 w − 1 δ [ 0 ] 0 Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 6/16

  9. The attack of Giraud et al. ◮ w -bit faults (in their paper: w = 8) ◮ Because d , d ′ ∈ [ 0 , 2 w − 1 ] with d � = d ′ , for the difference δ = d − d ′ we have δ ∈ [ − 2 w + 1 , 2 w − 1 ] \ 0 ◮ But with a specific fixed d , we have δ ∈ [ d − 2 w + 1 , d ] \ 0 ◮ When we observe δ , we learn information about d : max ( 0 , δ ) ≤ d ≤ min ( 2 w − 1 , δ + 2 w − 1 ) ◮ We generate faults until we have enough information − 2 w + 1 2 w − 1 δ [ 1 ] 0 Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 6/16

  10. Example: Giraud’s attack N 0 δ 0 d min d max 15 − 15 − 10 − 5 0 5 10 15 Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  11. Example: Giraud’s attack N 0 1 δ 6 0 6 d min d max 15 15 − 15 − 10 − 5 0 5 10 15 δ [ 0 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  12. Example: Giraud’s attack N 0 1 2 δ 6 − 2 0 6 6 d min d max 15 15 13 − 15 − 10 − 5 0 5 10 15 δ [ 1 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  13. Example: Giraud’s attack N 0 1 2 3 δ 6 − 2 8 0 6 6 8 d min d max 15 15 13 13 − 15 − 10 − 5 0 5 10 15 δ [ 2 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  14. Example: Giraud’s attack N 0 1 2 3 4 δ 6 − 2 8 3 0 6 6 8 8 d min d max 15 15 13 13 13 − 15 − 10 − 5 0 5 10 15 δ [ 3 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  15. Example: Giraud’s attack N 0 1 2 3 4 5 δ 6 − 2 8 3 1 0 6 6 8 8 8 d min d max 15 15 13 13 13 13 − 15 − 10 − 5 0 5 10 15 δ [ 4 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  16. Example: Giraud’s attack N 0 1 2 3 4 5 6 δ 6 − 2 8 3 1 4 0 6 6 8 8 8 8 d min d max 15 15 13 13 13 13 13 − 15 − 10 − 5 0 5 10 15 δ [ 6 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  17. Example: Giraud’s attack N 0 1 2 3 4 5 6 7 δ 6 − 2 8 3 1 4 1 0 6 6 8 8 8 8 8 d min d max 15 15 13 13 13 13 13 13 − 15 − 10 − 5 0 5 10 15 δ [ 7 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  18. Example: Giraud’s attack N 0 1 2 3 4 5 6 7 8 δ 6 − 2 8 3 1 4 1 12 0 6 6 8 8 8 8 8 12 d min d max 15 15 13 13 13 13 13 13 13 − 15 − 10 − 5 0 5 10 15 δ [ 8 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  19. Example: Giraud’s attack N 0 1 2 3 4 5 6 7 8 9 δ 6 − 2 8 3 1 4 1 12 5 0 6 6 8 8 8 8 8 12 12 d min d max 15 15 13 13 13 13 13 13 13 13 − 15 − 10 − 5 0 5 10 15 δ [ 9 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  20. Example: Giraud’s attack N 0 1 2 3 4 5 6 7 8 9 10 δ 6 − 2 8 3 1 4 1 12 5 13 0 6 6 8 8 8 8 8 12 12 13 d min d max 15 15 13 13 13 13 13 13 13 13 13 − 15 − 10 − 5 0 5 10 13 15 δ [ 10 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  21. Biased faults Definition A fault f is biased iff Pr [ f = x ] � = |F| − 1 for some x . That is, some values are more probable than others. ◮ We consider a bias where the flipping probability of the i th key bit is determined by ǫ i : Pr [ f i = 1 ] = 1 2 + ǫ i ◮ Hence, � 1 � w − 1 2 + ( − 1 ) x i ǫ i � i = 0 Pr [ f = x ] = � 1 1 − � w − 1 � 2 − ǫ i i = 0 ◮ The attack applies also for other kind of biases. For instance, if faults are biased by the values of key bits ◮ We assume that the attacker knows ǫ i ’s Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 8/16

  22. Probability of a key candidate ◮ From Pr [ f ] ’s, we get Pr [ δ | d ] for all possible observations and key values ◮ Observations are collected in ∆ = � δ [ 0 ] , δ [ 1 ] , . . . , δ [ N − 1 ] � ◮ We can then calculate Pr [ d | ∆] for all key candidates by using Bayesian deduction: � N − 1 i = 0 Pr [ δ [ i ] | d ] Pr [ d | ∆] = � N − 1 � i = 0 Pr [ δ [ i ] | j ] j ∈K ◮ Let ˆ d be the most probable candidate Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 9/16

  23. Example w = 4 and ǫ = − 1 / 8 Pr[ δ | d ] 0 0.1 0.09 2 0.08 4 0.07 6 0.06 d 8 0.05 0.04 10 0.03 12 0.02 14 0.01 −15 −10 −5 0 5 10 15 δ d N δ [ i ] 0 . . . 5 6 7 8 9 10 11 12 13 14 15 Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 10/16

  24. Example w = 4 and ǫ = − 1 / 8 Pr[ δ | d ] 0 0.1 0.09 2 0.08 4 0.07 6 0.06 d 8 0.05 0.04 10 0.03 12 0.02 14 0.01 −15 −10 −5 0 5 10 15 δ d N δ [ i ] 0 . . . 5 6 7 8 9 10 11 12 13 14 15 1 6 0 . . . 0 0.11 0.11 0.11 0.11 0.07 0.07 0.11 0.11 0.11 0.11 Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 10/16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Thermo Attacks - On Temperature Side Channels and Heating Faults Michael Hutter and J orn-Marc

Thermo Attacks - On Temperature Side Channels and Heating Faults Michael Hutter and J orn-Marc

Introduction SCA Faults Remanence Conclusions 1 / 24 Thermo Attacks - On Temperature Side Channels and Heating Faults Michael Hutter and J orn-Marc Schmidt February 28, 2014 Michael Hutter and J orn-Marc Schmidt Introduction SCA

528 views • 24 slides
Ubiquitous faults T-79.4001 Seminar on Theoretical Computer Science Tero Pietilinen 4.4.2007

Ubiquitous faults T-79.4001 Seminar on Theoretical Computer Science Tero Pietilinen 4.4.2007

Nature of ubiquitous faults Communication Faults and Agreement Limits to Number of Ubiquitous Faults for Majority Unanimity in Spite of Ubiquitous Faults Ubiquitous faults T-79.4001 Seminar on Theoretical Computer Science Tero Pietilinen

685 views • 36 slides
W HAT A BOUT P AXOS ? Paxos tolerates a minority of processing failing by crashing . What

W HAT A BOUT P AXOS ? Paxos tolerates a minority of processing failing by crashing . What

B YZANTINE F AULT T OLERANCE Ellis Michael A H IERARCHY OF F AULT M ODELS No faults Crash faults Byzantine faults People who use tabs instead of spaces B YZANTINE F AULTS Also called "general" or "arbitrary" faults.

563 views • 31 slides
Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr. Principal Software Engineer 2019/02/19 What are cache based attacks ? In cryptography In cryptographic operations, leaking the internal state of a

338 views • 8 slides
Facing Up to Faults Facing Up to Faults Facing Up to Faults (v.2.0.1) (v.2.0.1) (v.2.0.1)

Facing Up to Faults Facing Up to Faults Facing Up to Faults (v.2.0.1) (v.2.0.1) (v.2.0.1)

Facing Up to Faults Facing Up to Faults Facing Up to Faults (v.2.0.1) (v.2.0.1) (v.2.0.1) Brian Randell Brian Randell Brian Randell WADS-3, May 2004 1 The Menu The Menu The Menu On Dependability Concepts On Fault Assumptions

600 views • 20 slides
New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

Introduction New generic attacks HMAC-GOST key-recovery Conclusion New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs Asiacrypt 2013 1 / 22 . . . . . . . . . . . . . . . . . Gatan Leurent,

759 views • 52 slides
Digital Learning Trail: Harnessing ICT to Facilitate Inquiry-Based Learning Tan Yew Hock

Digital Learning Trail: Harnessing ICT to Facilitate Inquiry-Based Learning Tan Yew Hock

Digital Learning Trail: Harnessing ICT to Facilitate Inquiry based Learning Digital Learning Trail: Harnessing ICT to Facilitate Inquiry-Based Learning Tan Yew Hock Crescent Girls School Empowering Ladies and Leaders of Tomorrow

187 views • 7 slides
A biased perspective based on our participation on a HEPAP sub-panel in mid-FY15 W. Barletta

A biased perspective based on our participation on a HEPAP sub-panel in mid-FY15 W. Barletta

U.S. Accelerator R&D for High Energy Physics A biased perspective based on our participation on a HEPAP sub-panel in mid-FY15 W. Barletta Dept. of Physics, MIT & UCLA Economics Faculty, University of Ljubljana Director, US Particle

809 views • 46 slides
I m pact of I nterm ittent Faults on Nanocom puting Devices Cristian Constantinescu June 28th,

I m pact of I nterm ittent Faults on Nanocom puting Devices Cristian Constantinescu June 28th,

I m pact of I nterm ittent Faults on Nanocom puting Devices Cristian Constantinescu June 28th, 2007 Dependable Systems and Networks Outline Fault classes Permanent faults Transient faults Intermittent faults Field

709 views • 24 slides
INTERACTING FAULTS By Tyler Lagasse Faults typically form as a network How do we best

INTERACTING FAULTS By Tyler Lagasse Faults typically form as a network How do we best

INTERACTING FAULTS By Tyler Lagasse Faults typically form as a network How do we best interpret interacting faults and tell between different types of fault interaction? INTRODUCTION HOW DOES A FAULT NETWORK FORM? Forms within single

549 views • 21 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
Biased coins, blindfold players Vincius G. Pereira de S

Biased coins, blindfold players Vincius G. Pereira de S

Biased coins, blindfold players Vincius G. Pereira de S based on the paper Blind-friendly von Neumanns heads or tails, to appear

810 views • 78 slides
Fault Diagnosis of Discrete-Event Systems Alejandro White, Doctoral Candidate Advisor: Dr.

Fault Diagnosis of Discrete-Event Systems Alejandro White, Doctoral Candidate Advisor: Dr.

Fault Diagnosis of Discrete-Event Systems Alejandro White, Doctoral Candidate Advisor: Dr. Karimoddini Motivation Faults are always u Faults are unwanted u Faults are arbitrary u Faults are costly u Faults are DEADLY u Our motivation

495 views • 24 slides
Using Controlled Numbers of Real Faults and Mutants to Empirically Evaluate Coverage-Based Test

Using Controlled Numbers of Real Faults and Mutants to Empirically Evaluate Coverage-Based Test

Using Controlled Numbers of Real Faults and Mutants to Empirically Evaluate Coverage-Based Test Case Prioritization Gregory Kapfhammer Gordon Fraser Phil McMinn David Paterson University of Sheffield Allegheny College University of Passau

652 views • 32 slides
Harnessing Crowd-Sourcing to Assess Genes based on Effect Size Using Visual Inference Methods

Harnessing Crowd-Sourcing to Assess Genes based on Effect Size Using Visual Inference Methods

Harnessing Crowd-Sourcing to Assess Genes based on Effect Size Using Visual Inference Methods Di Cook, Monash University Joint work with Niladri Roy Chowdhury, Eric Hare, Mahbub Majumder, Michelle Graham, Tengfei Yin, Heike Hofmann Outline

1.08k views • 86 slides
A biased history of equality in type theory Some equations are more equal than others James

A biased history of equality in type theory Some equations are more equal than others James

A biased history of equality in type theory Some equations are more equal than others James Chapman Institute of Cybernetics, Tallinn Semantics days - Andu A typical biased history Famous work by genius 350 BC (e.g. Aristotle) time All of

396 views • 22 slides
Testing of Digital Systems Dr. Hao Zheng Comp. Sci & Eng U of South Florida Why Testing?

Testing of Digital Systems Dr. Hao Zheng Comp. Sci & Eng U of South Florida Why Testing?

Testing of Digital Systems Dr. Hao Zheng Comp. Sci & Eng U of South Florida Why Testing? Digital System Complex At various levels of abstraction Errors/faults can be introduced easily. Need to guarantee its correctness

411 views • 37 slides
Overview Problem and motivation ECE 553: TESTING AND Fault simulation algorithms

Overview Problem and motivation ECE 553: TESTING AND Fault simulation algorithms

9/23/2014 Overview Problem and motivation ECE 553: TESTING AND Fault simulation algorithms TESTABLE DESIGN OF Serial Parallel DIGITAL SYSTES DIGITAL SYSTES Deductive Concurrent Other algorithms Random

222 views • 5 slides
Minimization of Sensor Activation in Decentralized Fault Diagnosis of Discrete Event Systems

Minimization of Sensor Activation in Decentralized Fault Diagnosis of Discrete Event Systems

Minimization of Sensor Activation in Decentralized Fault Diagnosis of Discrete Event Systems Xiang Yin and Stphane Lafortune EECS Department, University of Michigan 54th IEEE CDC, Dec 15-18, 2015, Osaka, Japan 0/15 X.Yin & S.Lafortune

773 views • 52 slides
A Note on Fault Diagnosis Algorithms Franck Cassez National ICT Australia & CNRS Sydney,

A Note on Fault Diagnosis Algorithms Franck Cassez National ICT Australia & CNRS Sydney,

A Note on Fault Diagnosis Algorithms Franck Cassez National ICT Australia & CNRS Sydney, Australia December 18th, 2009 CDC09, Shanghai, China Fault Diagnosis for Discrete Event Systems a b f a Goal: detect a fault at most k

221 views • 6 slides
Designing fault-diagnosis and reintegration to prevent node redundancy attrition in highly

Designing fault-diagnosis and reintegration to prevent node redundancy attrition in highly

Designing fault-diagnosis and reintegration to prevent node redundancy attrition in highly reliable control systems based on FTT-Ethernet Sinisa Derasevic, Manuel Barranco, Julin Proenza Mathematics and Computer Science Department, University

751 views • 36 slides
CRC enter for eliable omputing BAST02 Diagnosis of Sequence Dependent Chips James

CRC enter for eliable omputing BAST02 Diagnosis of Sequence Dependent Chips James

CRC enter for eliable omputing BAST02 Diagnosis of Sequence Dependent Chips James Chien-Mo Li Bio B.S.E.E., National Taiwan University,1993. M.S.E.E., Stanford University, 1997. Ph.D. student at CRC since 1998. 1 Sequence Dependence

213 views • 7 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (Oct 18, 2001) I E S R C E O

UMBC A B M A L T F O U M B C I M Y O R T 1 (Oct 18, 2001) I E S R C E O

VLSI Design Verification and Test Fault Simulation I CMSC 691x Algorithms for Fault Simulation Purposes of fault simulation during design cycle: Guiding the TPG process. Measuring the effectiveness of the test patterns. Generating

298 views • 16 slides
AUTO-CAAS: Model-Based Fault Prediction and Diagnosis of Automotive Software Wojciech Mostowski

AUTO-CAAS: Model-Based Fault Prediction and Diagnosis of Automotive Software Wojciech Mostowski

AUTO-CAAS: Model-Based Fault Prediction and Diagnosis of Automotive Software Wojciech Mostowski and Mohammad Mousavi Model-Based Testing Group, Centre for Research on Embedded Systems (CERES) Dagstuhl Meeting 16172, 2016 Elevator pitch Bug fi

407 views • 5 slides

More recommend