new bleichenbacher records fault attacks on qdsa
play

New Bleichenbacher Records: Fault Attacks on qDSA Signatures CHES - PowerPoint PPT Presentation

Mar 19, 2023 •1.04k likes •1.89k views

New Bleichenbacher Records: Fault Attacks on qDSA Signatures CHES 2018 Akira Takahashi 1 Mehdi Tibouchi 1 , 2 Masayuki Abe 1 , 2 September 12, 2018 1 Kyoto University 2 NTT Secure Platform Laboratories 1 Outline Introduction Contribution 1.

  1. New Bleichenbacher Records: Fault Attacks on qDSA Signatures CHES 2018 Akira Takahashi 1 Mehdi Tibouchi 1 , 2 Masayuki Abe 1 , 2 September 12, 2018 1 Kyoto University 2 NTT Secure Platform Laboratories 1

  2. Outline Introduction Contribution 1. Optimizing Bleichenbacher’s Attack Contribution 2. Fault Attacks on qDSA Signature Contribution 3. Record-breaking Implementation of Nonce Attack Wrap-up 2

  3. Introduction

  4. • Most notable variant: (EC)DSA • Secure in ROM if the discrete logarithm problem (DLP) is hard • Relies on an ephemeral random value known as nonce Motivating Example: Schnorr Signature Scheme • One of the simplest and most widely-used digital signature schemes 3

  5. • Secure in ROM if the discrete logarithm problem (DLP) is hard • Relies on an ephemeral random value known as nonce Motivating Example: Schnorr Signature Scheme • One of the simplest and most widely-used digital signature schemes • Most notable variant: (EC)DSA 3

  6. • Relies on an ephemeral random value known as nonce Motivating Example: Schnorr Signature Scheme • One of the simplest and most widely-used digital signature schemes • Most notable variant: (EC)DSA • Secure in ROM if the discrete logarithm problem (DLP) is hard 3

  7. Motivating Example: Schnorr Signature Scheme • One of the simplest and most widely-used digital signature schemes • Most notable variant: (EC)DSA • Secure in ROM if the discrete logarithm problem (DLP) is hard • Relies on an ephemeral random value known as nonce 3

  8. • is called nonce. It satisfies public public • should NOT be reused/exposed Nonce in Schnorr Signatures Alice Bob Message Alice’s Secret key Alice’s Public key Verify Sign 0/1 Signed Message 4

  9. • is called nonce. It satisfies public public • should NOT be reused/exposed Nonce in Schnorr Signatures Alice Bob Message Alice’s Secret key Alice’s Public key Verify 101101 ・・・ 0/1 Signed Message 4

  10. • should NOT be reused/exposed Nonce in Schnorr Signatures Alice Bob Message Alice’s Secret key Alice’s Public key Verify 101101 ・・・ 0/1 Signed Message • k is called nonce. It satisfies k ≡ s + h d mod n. ���� ���� public public 4

  11. Nonce in Schnorr Signatures Alice Bob Message Alice’s Secret key Alice’s Public key Verify 101101 ・・・ 0/1 Signed Message • k is called nonce. It satisfies k ≡ s + h d mod n. ���� ���� public public • k should NOT be reused/exposed 4

  12. Adversary could bypass the (EC)DLP and steal the secret by solving the hidden number problem (HNP)! Risk of biased/leaky nonce Alice Message Alice’s Secret key 000101 ・・・ Adversary Bias Signed Message • But what if k is slightly biased ? 5

  13. Adversary could bypass the (EC)DLP and steal the secret by solving the hidden number problem (HNP)! Risk of biased/leaky nonce Alice Message Alice’s Secret key Leak 101101 ・・・ Adversary Signed Message • But what if k is slightly biased or partially leaked? 5

  14. Risk of biased/leaky nonce Alice Message Alice’s Secret key Leak 101101 ・・・ Adversary Signed Message • But what if k is slightly biased or partially leaked? � Adversary could bypass the (EC)DLP and steal the secret d by solving the hidden number problem (HNP)! 5

  15. Nonce: very sensitive! 5

  16. 2. New fault attacks against recent, high-speed Schnorr-like signature scheme, qDSA, to obtain a few bits of nonces 3. Implemented a full secret key recovery attack against Schnorr-like signatures • Over 252-bit group • Only 2 or 3-bit nonce leaks Our Contribution 1. Optimized a statistical attack framework, known as Bleichenbacher’s attack, against nonces in Schnorr-like signatures 6

  17. 3. Implemented a full secret key recovery attack against Schnorr-like signatures • Over 252-bit group • Only 2 or 3-bit nonce leaks Our Contribution 1. Optimized a statistical attack framework, known as Bleichenbacher’s attack, against nonces in Schnorr-like signatures 2. New fault attacks against recent, high-speed Schnorr-like signature scheme, qDSA, to obtain a few bits of nonces 6

  18. Our Contribution 1. Optimized a statistical attack framework, known as Bleichenbacher’s attack, against nonces in Schnorr-like signatures 2. New fault attacks against recent, high-speed Schnorr-like signature scheme, qDSA, to obtain a few bits of nonces 3. Implemented a full secret key recovery attack against Schnorr-like signatures • Over 252-bit group • Only 2 or 3-bit nonce leaks 6

  19. We set new records! # Leaked bits of Nonces 1 2 3 4 5 384-bit – – – – [DMHMP14] 252-bit – – – – – 160-bit [AFG + 14] [LN13] [NS02] – – Table 1: Comparison with previous published records • Orange: Bleichenbacher’s attack • Others: Lattice attack 7

  20. We set new records! # Leaked bits of Nonces 1 2 3 4 5 384-bit – – – – [DMHMP14] 252-bit – – – – ✓ 160-bit [AFG + 14] [LN13] [NS02] – – Table 1: Comparison with previous published records • Orange: Bleichenbacher’s attack • Others: Lattice attack 7

  21. We set new records! # Leaked bits of Nonces 1 2 3 4 5 384-bit – – – – [DMHMP14] 252-bit – – – ✓ ✓ 160-bit [AFG + 14] [LN13] [NS02] – – Table 1: Comparison with previous published records • Orange: Bleichenbacher’s attack • Others: Lattice attack 7

  22. Optimizing Bleichenbacher’s Attack

  23. • Necessary to detect the bias peak correctly and efficiently • Idea: quantify the nonce bias by defining “bias function” and find the peak of it • if nonce is uniformly distributed over . • if nonce is biased. • Most important & costly phase is so-called range reduction of integers Bleichenbacher’s Nonce Attack • Originally proposed 18 years ago [Ble00], recently revisited by De Mulder et al. (CHES’13) and Aranha et al. (ASIACRYPT’14) 8

  24. • Necessary to detect the bias peak correctly and efficiently • Most important & costly phase is so-called range reduction of integers Bleichenbacher’s Nonce Attack • Originally proposed 18 years ago [Ble00], recently revisited by De Mulder et al. (CHES’13) and Aranha et al. (ASIACRYPT’14) • Idea: quantify the nonce bias by defining “bias function” B n ( K ) ∈ [0 , 1] and find the peak of it • B n ( K ) = 0 if nonce is uniformly distributed over Z /n Z . • B n ( K ) ≈ 1 if nonce is biased. 8

  25. • Necessary to detect the bias peak correctly and efficiently Bleichenbacher’s Nonce Attack • Originally proposed 18 years ago [Ble00], recently revisited by De Mulder et al. (CHES’13) and Aranha et al. (ASIACRYPT’14) • Idea: quantify the nonce bias by defining “bias function” B n ( K ) ∈ [0 , 1] and find the peak of it • B n ( K ) = 0 if nonce is uniformly distributed over Z /n Z . • B n ( K ) ≈ 1 if nonce is biased. • Most important & costly phase is so-called range reduction of integers h 8

  26. Bleichenbacher’s Nonce Attack • Originally proposed 18 years ago [Ble00], recently revisited by De Mulder et al. (CHES’13) and Aranha et al. (ASIACRYPT’14) • Idea: quantify the nonce bias by defining “bias function” B n ( K ) ∈ [0 , 1] and find the peak of it • B n ( K ) = 0 if nonce is uniformly distributed over Z /n Z . • B n ( K ) ≈ 1 if nonce is biased. • Most important & costly phase is so-called range reduction of integers h • Necessary to detect the bias peak correctly and efficiently 8

  27. Find: sufficiently many (say ) linear combinations for such that • Small • Sparse coefficients s.t. Looks like knapsack? Difference: find many linear combinations instead of a single exact knapsack solution Range Reduction Problem Given: S signatures ( h 1 , . . . , h S ) 9

  28. • Small • Sparse coefficients s.t. Looks like knapsack? Difference: find many linear combinations instead of a single exact knapsack solution Range Reduction Problem Given: S signatures ( h 1 , . . . , h S ) Find: sufficiently many (say L ) linear combinations for h ′ j = ω j, 1 h 1 + . . . + ω j,S h S 1 ≤ j ≤ L such that 9

  29. • Sparse coefficients s.t. Looks like knapsack? Difference: find many linear combinations instead of a single exact knapsack solution Range Reduction Problem Given: S signatures ( h 1 , . . . , h S ) Find: sufficiently many (say L ) linear combinations for h ′ j = ω j, 1 h 1 + . . . + ω j,S h S 1 ≤ j ≤ L such that • Small h ′ j < L 9

  30. Looks like knapsack? Difference: find many linear combinations instead of a single exact knapsack solution Range Reduction Problem Given: S signatures ( h 1 , . . . , h S ) Find: sufficiently many (say L ) linear combinations for h ′ j = ω j, 1 h 1 + . . . + ω j,S h S 1 ≤ j ≤ L such that • Small h ′ j < L √ • Sparse coefficients Ω := ∑ i | ω j,i | s.t. | B n ( K ) | Ω > 1 / L 9

  31. Range Reduction Problem Given: S signatures ( h 1 , . . . , h S ) Find: sufficiently many (say L ) linear combinations for h ′ j = ω j, 1 h 1 + . . . + ω j,S h S 1 ≤ j ≤ L such that • Small h ′ j < L √ • Sparse coefficients Ω := ∑ i | ω j,i | s.t. | B n ( K ) | Ω > 1 / L Looks like knapsack? Difference: find many linear combinations instead of a single exact knapsack solution 9

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations Eyal Ronen , Robert

The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations Eyal Ronen , Robert

The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations Eyal Ronen , Robert Gillham, Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom Transport Layer Security (TLS) The most widely used cryptographic protocol

1.36k views • 120 slides
Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj Somorovsky Ruhr University Bochum 3curity GmbH juraj.somorovsky@3curity.de About me Security Researcher at: Chair for Network and Data Security,

818 views • 53 slides
Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Stefan Mangard, Florian Mendel, Robert Primas ASIACRYPT 2018 IAIK - Graz University of Technology www.tugraz.at

1.01k views • 78 slides
Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia

Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia

Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia Laguna, Sardinia (Italy) 19 October 2015 Introduction to Fault Attacks 19 October 2015 What are fault attacks? Active attacks against

571 views • 27 slides
Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France November 16, 2017 Cryptacus Workshop, Nijmegen, Netherlands the attacker only needs unprivileged execution on the victims machine

1.99k views • 164 slides
Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland PQCrypto 2017, 26th of June 1/15 Outline 1 Preliminaries Introduction Supersingular isogenies SSI cryptosystems 2 Fault attack

378 views • 33 slides
Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier, Xiaolu Hou and Yang Liu 10 September 2018 1 / 25 Table of Contents Background and Motivation 1 Overview of DATAC DFA Automation Tool for

727 views • 25 slides
Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Introduction Threats Setups Attacks Countermeasures Conclusion 1 / 31 Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of Cryptographic Algorithms and Devices for Real-World Applications Sibenik,

849 views • 31 slides
Defeating TLS client authentication using fault attacks Who are we ? R&amp;D dept. @

Defeating TLS client authentication using fault attacks Who are we ? R&amp;D dept. @

Defeating TLS client authentication using fault attacks Who are we ? R&amp;D dept. @ Security Evaluation Kudelski Security Lab @ Kudelski IoT Embedded systems Hardware attacks security research Glitch / EM Reverse

889 views • 51 slides
Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs

Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs

Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs marc.joye@thomson.net CryptoPuces 2009 Porquerolles, June 26, 2009 Outline Elliptic Curve Cryptography Inducing Faults Fault Attacks Countermeasures

363 views • 24 slides
Its Not My Fault 1915: rotor machines: (electro-)mechanical - On Fault Attacks on

Its Not My Fault 1915: rotor machines: (electro-)mechanical - On Fault Attacks on

Its Not My Fault Bart Preneel FDTC12 9 September 2011 Symmetric crypto history 101 http://www.ecrypt.eu.org pre-1915: manual encryption or simple devices Its Not My Fault 1915: rotor machines: (electro-)mechanical - On

296 views • 6 slides
JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK 2018, Kolkata, India 15 Nov 2018 Table of Contents 1. Introduction to Fault Attacks 2. Persistent Fault Analysis (PFA) 3. PFA on Fault

588 views • 19 slides
Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M.

Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M.

Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M. Eichlseder, T. Korak, V. Lomn e, F. Mendel ASK 2016 The research leading to these results has received funding from the European Unions Horizon

551 views • 26 slides
Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 ,

Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 ,

Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 , Jacques Fournier 2 , Louis Goubin 3 , Ronan Lashermes 2 , 3 , Marie Paindavoine 4 , 5 . 1 - LIASD, Paris 8, France. 2 - CEA Tech, DPACA/LSAS, Gardanne,

446 views • 22 slides
EXPERIMENTAL EVALUATION OF TWO SOFTWARE COUNTERMEASURES AGAINST FAULT ATTACKS Nicolas Moro 1,3 ,

EXPERIMENTAL EVALUATION OF TWO SOFTWARE COUNTERMEASURES AGAINST FAULT ATTACKS Nicolas Moro 1,3 ,

EXPERIMENTAL EVALUATION OF TWO SOFTWARE COUNTERMEASURES AGAINST FAULT ATTACKS Nicolas Moro 1,3 , Karine Heydemann 3 , Amine Dehbaoui 2 , Bruno Robisson 1 , Emmanuelle Encrenaz 3 1 CEA Commissariat lEnergie Atomique et aux Energies

679 views • 22 slides
FAULT ATTACKS ON TWO SOFTWARE COUNTERMEASURES Nicolas Moro 1,3 , Karine Heydemann 3 , Amine

FAULT ATTACKS ON TWO SOFTWARE COUNTERMEASURES Nicolas Moro 1,3 , Karine Heydemann 3 , Amine

FAULT ATTACKS ON TWO SOFTWARE COUNTERMEASURES Nicolas Moro 1,3 , Karine Heydemann 3 , Amine Dehbaoui 2 , Bruno Robisson 1 , Emmanuelle Encrenaz 3 1 CEA Commissariat lEnergie Atomique et aux Energies Alternatives 2 ENSM.SE Ecole Nationale

456 views • 22 slides
Entergy Arkansas, Inc. Integrated Resource Plan Stakeholder Committee Meeting July 31, 2012

Entergy Arkansas, Inc. Integrated Resource Plan Stakeholder Committee Meeting July 31, 2012

Entergy Arkansas, Inc. Integrated Resource Plan Stakeholder Committee Meeting July 31, 2012 Todays Agenda Agenda Item Presenter Time Kurt Castleberry 8:30 9:00 Introduction and Meeting Objectives Kurt Castleberry 9:00 9:30

343 views • 22 slides
Buffer Stock Saving in a KrusellSmith World Christopher Carroll 1 Jiri Slacalek 2 Kiichi Tokuoka

Buffer Stock Saving in a KrusellSmith World Christopher Carroll 1 Jiri Slacalek 2 Kiichi Tokuoka

Buffer Stock Saving in a KrusellSmith World Christopher Carroll 1 Jiri Slacalek 2 Kiichi Tokuoka 3 1 Johns Hopkins University and NBER ccarroll@jhu.edu 2 European Central Bank jiri.slacalek@ecb.int 3 International Monetary Fund

718 views • 24 slides
Boundaries, polyhedrality and LFC norms Brazilian Workshop on geometry of Banach spaces Maresias,

Boundaries, polyhedrality and LFC norms Brazilian Workshop on geometry of Banach spaces Maresias,

Boundaries, polyhedrality and LFC norms Brazilian Workshop on geometry of Banach spaces Maresias, 28 August 2014 Richard Smith University College Dublin, Ireland Richard Smith (mathsci.ucd.ie/~rsmith) Boundaries, polyhedrality and LFC norms

1.03k views • 50 slides
Introduction to Descriptive Set Theory (MATH40350) Dr Richard Smith

Introduction to Descriptive Set Theory (MATH40350) Dr Richard Smith

Introduction to Descriptive Set Theory (MATH40350) Dr Richard Smith (http://maths.ucd.ie/~rsmith) Dr Richard Smith (maths.ucd.ie/~rsmith) Intro to Desc Set Theory (MATH40350) Semester 2 2011 2012 1 / 31 Metric spaces Polish spaces

983 views • 61 slides
Northwestern Mutual Michael J. Scher, Managing Director Matthew R. Krueger, Managing Director

Northwestern Mutual Michael J. Scher, Managing Director Matthew R. Krueger, Managing Director

Northwestern Mutual Michael J. Scher, Managing Director Matthew R. Krueger, Managing Director Northwestern Mutual Financial Network is the marketing name for the sales and distribution arm of The Northwestern Mutual Life Insurance Company, its

485 views • 7 slides
HOW V VIRTUAL BEC ECOMES R REA EAL Discretise a NURBS surface into a structural diagrid (

HOW V VIRTUAL BEC ECOMES R REA EAL Discretise a NURBS surface into a structural diagrid (

HOW V VIRTUAL BEC ECOMES R REA EAL Discretise a NURBS surface into a structural diagrid ( G_01) Production hall, Shukhov, Vyksa, 1897-98 Further details in: M. B ECKH , R. B ARTHEL , The First Doubly Curved Gridshell Structure - Shukhovs

252 views • 13 slides
a Status Report Nepomuk Otte on behalf of the VERITAS Collaboration The VERITAS Collaboration

a Status Report Nepomuk Otte on behalf of the VERITAS Collaboration The VERITAS Collaboration

VERITAS a Status Report Nepomuk Otte on behalf of the VERITAS Collaboration The VERITAS Collaboration University of Utah Georgia Institute of Technology ~100 members, 20 institutions Washington University in St. Louis Iowa State University

730 views • 26 slides
ArcGIS IrisBG sync Released august 2015 Loads plant collection data from Iris to ArcGIS

ArcGIS IrisBG sync Released august 2015 Loads plant collection data from Iris to ArcGIS

ArcGIS IrisBG sync Released august 2015 Loads plant collection data from Iris to ArcGIS Image Management Strategy How do I store my Collection Images? Version 3.5.3.#, August 2015 IrisBG as primary image library 1. Original resolution

414 views • 4 slides

More recommend