singular curve point decompression attack
play

Singular curve point decompression attack Peter Gnther joint work - PowerPoint PPT Presentation

Oct 25, 2022 •8 likes •378 views

Singular curve point decompression attack Peter Gnther joint work with Johannes Blmer University of Paderborn FDTC 2015, September 13th, Saint Malo Peter Gnther (UPB) Decompression Attack FDTC 2015 1 / 18 Elliptic curves Example: E (

  1. Singular curve point decompression attack Peter Günther joint work with Johannes Blömer University of Paderborn FDTC 2015, September 13th, Saint Malo Peter Günther (UPB) Decompression Attack FDTC 2015 1 / 18

  2. Elliptic curves Example: E ( R ) : y 2 = x 3 − 3 x + 3 y Elliptic curve E ( K ) Points ( x , y ) ∈ K 2 that fulfill y 2 = x 3 + a 4 x + a 6 x with a 4 , a 6 ∈ K and discriminant ∆ := − 16 ( 4 a 3 4 + 27 a 2 6 ) � = 0 . Peter Günther (UPB) Decompression Attack FDTC 2015 2 / 18

  3. Elliptic curves as additive group Example: E ( R ) : y 2 = x 3 − 3 x + 3 y T P Group operation independent from a 6 : λ = y P − y T x P − x T x x P + T = λ 2 − x P − x T y P + T = λ ( x P − x P + T ) − y P T + P Peter Günther (UPB) Decompression Attack FDTC 2015 3 / 18

  4. Elliptic curves as additive group Example: E ( R ) : y 2 = x 3 − 3 x + 3 y T P Group operation independent from a 6 : λ = 3 x T + a 4 2 y T x 2 T = λ 2 − 2 x T x y 2 T = λ ( x T − x 2 T ) − y T 2 T Peter Günther (UPB) Decompression Attack FDTC 2015 3 / 18

  5. Elliptic curve scalar multiplication and DLOG Scalar multiplication: s ∈ N , P ∈ E ( F q ) : sP := P + P + · · · + P ( s times) P s sP Peter Günther (UPB) Decompression Attack FDTC 2015 4 / 18

  6. Elliptic curve scalar multiplication and DLOG Scalar multiplication: s ∈ N , P ∈ E ( F q ) : sP := P + P + · · · + P ( s times) Discrete logarithm (DLOG): given P , Q = sP , compute s Assumption: complexity of DLOG problem exponential on elliptic curve ⇒ high security already for small F q (e.g. 256 bit) s P s sP Peter Günther (UPB) Decompression Attack FDTC 2015 4 / 18

  7. Elliptic curve scalar multiplication and DLOG Scalar multiplication: s ∈ N , P ∈ E ( F q ) : sP := P + P + · · · + P ( s times) Discrete logarithm (DLOG): given P , Q = sP , compute s Assumption: complexity of DLOG problem exponential on elliptic curve ⇒ high security already for small F q (e.g. 256 bit) Important cryptographic primitive (ECDH, ECDSA, . . . ) s s P s s sP Peter Günther (UPB) Decompression Attack FDTC 2015 4 / 18

  8. Elliptic curve scalar multiplication and DLOG Scalar multiplication: s ∈ N , P ∈ E ( F q ) : sP := P + P + · · · + P ( s times) Discrete logarithm (DLOG): given P , Q = sP , compute s Assumption: complexity of DLOG problem exponential on elliptic curve ⇒ high security already for small F q (e.g. 256 bit) Important cryptographic primitive (ECDH, ECDSA, . . . ) Adversarial environment: Physical protection of s required s s P s s sP Peter Günther (UPB) Decompression Attack FDTC 2015 4 / 18

  9. Invalid point attack on scalar multiplication E : y 2 = x 3 + a 4 x + a 6 Outline of invalid point attacks 1 Group law does not require a 6 2 Move P to weak curve with same a 4 3 Obtain Q = sP for secret s on weak curve 4 Compute DLOG of Q to base P on weak curve 5 Infer DLOG s on original curve Examples weak curve attacks P on curve with smooth order P in small subgroup P on singular curve Peter Günther (UPB) Decompression Attack FDTC 2015 5 / 18

  10. Singular curves with node ( a 4 � = 0) E ( R ) : y 2 = x 3 − 3 x + 3 E ( R ) : y 2 = x 3 − 3 x + 2, ∆ = 0 y y x x Peter Günther (UPB) Decompression Attack FDTC 2015 6 / 18

  11. Singular curves with node ( a 4 � = 0) E ( R ) : y 2 = x 3 − 3 x + 3 E ( R ) : y 2 = x 3 − 3 x + 2, ∆ = 0 y y T P T P x x T + P T + P Peter Günther (UPB) Decompression Attack FDTC 2015 6 / 18

  12. Singular curves with node ( a 4 � = 0) E ( R ) : y 2 = x 3 − 3 x + 3 E ( R ) : y 2 = x 3 − 3 x + 2, ∆ = 0 y y T P T P x x 2 T 2 T Peter Günther (UPB) Decompression Attack FDTC 2015 6 / 18

  13. Singular curves with node ( a 4 � = 0) E ( R ) : y 2 = x 3 − 3 x + 3 E ( R ) : y 2 = x 3 − 3 x + 2, ∆ = 0 y y T P T P E NS ( F q ) ≃ subgroup of F ∗ q or F ∗ q 2 ⇒ DLOG problem subexponential 1 Map DLOG instance to F ∗ q or F ∗ q 2 x x 2 Solve DLOG in F ∗ q or F ∗ q 2 2 T 2 T Peter Günther (UPB) Decompression Attack FDTC 2015 6 / 18

  14. Singular curves with cusp ( a 4 = 0) E ( R ) : y 2 = x 3 + 1 E ( R ) : y 2 = x 3 , ∆ = 0 y y x x Peter Günther (UPB) Decompression Attack FDTC 2015 7 / 18

  15. Singular curves with cusp ( a 4 = 0) E ( R ) : y 2 = x 3 + 1 E ( R ) : y 2 = x 3 , ∆ = 0 y y E NS ( F q ) ≃ F + q ⇒ DLOG problem trivial (by division) 1 Map DLOG instance to F + T T q 2 Solve DLOG in F + q P P x x + P T + P Peter Günther (UPB) Decompression Attack FDTC 2015 7 / 18

  16. Singular curve attack on scalar multiplication For fixed a 4 , there are at most 2 corresponding singular curves Random faults will not provide points on singular curve How do we get a point onto one of them? P Peter Günther (UPB) Decompression Attack FDTC 2015 8 / 18

  17. Our approach: Point decompression Compression Compress : E ( F q ) → F q × { 0 , 1 } ( x , y ) �→ ( x , b ) where b = LSB ( y ) Reduces bandwidth by 50 % Defined in many standards like IEEE 1363, SEC 1, X9.62 Decompression prior to scalar multiplication Peter Günther (UPB) Decompression Attack FDTC 2015 9 / 18

  18. Point compression Decompress Require: E : y 2 = x 3 + a 4 x + a 6 , ( x , b ) ∈ F q × { 0 , 1 } Ensure: ( x , y ) with y 2 = x 3 + a 4 x + a 6 1: v ← x 3 + a 4 x ⊲ v = x 3 + a 4 x ⊲ v = x 3 + a 4 x + a 6 2: v ← v + a 6 3: if √ v ∈ F q then v ← ( − 1 ) b √ v ⊲ v = ( − 1 ) b � x 3 + a 4 x + a 6 4: return ( x , y ) 5: 6: else return O 7: 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 10 / 18

  19. Point compression Decompress Require: E : y 2 = x 3 + a 4 x + a 6 , ( x , b ) ∈ F q × { 0 , 1 } Similar implementations in IEEE 1363, SEC 1, Ensure: ( x , y ) with y 2 = x 3 + a 6 X9.62, OpenSSL 1: v ← x 3 ⊲ v = x 3 Implicit (partial) point validation: ⊲ v = x 3 2: v ← v + a 6 + a 6 Decompress ( x , b ) ∈ E ( F q ) 3: if √ v ∈ F q then v ← ( − 1 ) b √ v ⊲ v = ( − 1 ) b � x 3 + a 6 4: return ( x , y ) 5: 6: else return O 7: 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 10 / 18

  20. Attack on decompression Decompress Require: E : y 2 = x 3 + a 4 x + a 6 , ( x , b ) ∈ F q × { 0 , 1 } Ensure: ( x , y ) with y 2 = x 3 + a 4 x + a 6 1: v ← x 3 + a 4 x ⊲ v = x 3 + a 4 x ⊲ v = x 3 + a 4 x + a 6 2: v ← v + a 6 3: if √ v ∈ F q then v ← ( − 1 ) b √ v ⊲ v = ( − 1 ) b � x 3 + a 4 x + a 6 4: return ( x , y ) 5: 6: else return O 7: 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 11 / 18

  21. Attack on decompression Decompress with a 4 = 0 Require: E : y 2 = x 3 + a 4 x + a 6 , ( x , b ) ∈ F q × { 0 , 1 } Ensure: ( x , y ) with y 2 = x 3 + a 6 1: v ← x 3 ⊲ v = x 3 ⊲ v = x 3 2: v ← v + a 6 + a 6 3: if √ v ∈ F q then v ← ( − 1 ) b √ v ⊲ v = ( − 1 ) b � x 3 + a 6 4: return ( x , y ) 5: 6: else return O 7: 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 11 / 18

  22. Attack on decompression Decompress with a 4 = 0 and with fault Require: E : y 2 = x 3 + a 4 x + a 6 , ( x , b ) ∈ F q × { 0 , 1 } Ensure: ( x , y ) with y 2 = x 3 + a 6 1: v ← x 3 ⊲ v = x 3 ⊲ v = x 3 2: v ← v + a 6 + a 6 3: if √ v ∈ F q then v ← ( − 1 ) b √ v ⊲ v = ( − 1 ) b � x 3 + a 6 4: return ( x , y ) 5: 6: else return O 7: 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 11 / 18

  23. Attack on decompression Decompress with a 4 = 0 and with fault Require: E : y 2 = x 3 + a 4 x + a 6 , ( x , b ) ∈ F q × { 0 , 1 } Ensure: ( x , y ) with y 2 = x 3 + a 6 1: v ← x 3 ⊲ v = x 3 ⊲ v = x 3 2: v ← v + a 6 + a 6 3: if √ v ∈ F q then Observation: v ← ( − 1 ) b √ v x quadratic residue ⇒ ⊲ v = ( − 1 ) b � x 3 + a 6 4: output on singular curve return ( x , y ) 5: y 2 = x 3 6: else return O 7: 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 11 / 18

  24. Hash string to curve Decompress: building block of other algorithms MapToPoint : { 0 , 1 } ∗ → E ( F q ) Require: E : y 2 = x 3 + a 4 x + a 6 , H : { 0 , 1 } ∗ → F q × { 0 , 1 } , M ∈ { 0 , 1 } ∗ , Ensure: P ∈ E ( F q ) 1: i ← 0 2: repeat ⊲ until ( x , b ) is valid compression ( x , b ) ← H ( M � i ) 3: P ← Decompress ( x , b ) 4: i ← i + 1 5: 6: until P � = O 7: return P Peter Günther (UPB) Decompression Attack FDTC 2015 12 / 18

  25. Hash string to curve Decompress: building block of other algorithms MapToPoint : { 0 , 1 } ∗ → E ( F q ) Require: E : y 2 = x 3 + a 4 x + a 6 , H : { 0 , 1 } ∗ → F q × { 0 , 1 } , M ∈ { 0 , 1 } ∗ , Ensure: P ∈ E ( F q ) 1: i ← 0 Atttack: 2: repeat ⊲ until ( x , b ) is valid compression Choose M such that ( x , b ) ← H ( M � i ) 3: H ( M � 0 ) = ( x , b ) with P ← Decompress ( x , b ) 4: quadratic residue x . i ← i + 1 5: 6: until P � = O 7: return P Peter Günther (UPB) Decompression Attack FDTC 2015 12 / 18

  26. Properties of the attack Features of the attack Efficient, especially in the case a 4 = 0 One shot: can be applied to exponentiation with nonce Applications: Point decompression (encryption schemes) Hashing to curve (special signature schemes) Random point sampling (countermeasures) Limitations of the attack Access to Q = sP required For a 4 � = 0: stronger control over ( x , b ) required Attack on plain Decompress still possible Attack on MapToPoint not possible Peter Günther (UPB) Decompression Attack FDTC 2015 13 / 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point counting David R. Kohel School of Mathematics and Statistics University of Sydney I Elliptic Curves in Cryptography An elliptic curve E/ F p r for

415 views • 18 slides
1 Algorithm for 3 rd degree void bezier(Point p[]) { Point q[ ], r[ ]; if(colinear(p)) { This

1 Algorithm for 3 rd degree void bezier(Point p[]) { Point q[ ], r[ ]; if(colinear(p)) { This

Drawing a Bzier curve 3 rd degree Bzier curve p0, p1, p2, p3 = 4 original control points f(r,s,s) f(r,r,s) f(r,t,s) p 2 p 1 f(r,t,t) f(s,t,t) f(t,t,t) f(r,r,t) f(t,s,s) p 0 p 3 f(r,r,r) f(s,s,s) Recursive interpolation From (p

377 views • 4 slides
A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd ,

A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd ,

A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd , 2003 M.Katagi, I.Kitamura, T.Akishita, and T. Takagi(*) Sony Corporation (*)Technische Universitaet Darmstadt Introduction Optimization of

229 views • 5 slides
Compression and Decompression in Cognition Vertolli, M. O., Kelly, M., & Davies, J.

Compression and Decompression in Cognition Vertolli, M. O., Kelly, M., & Davies, J.

Compression and Decompression in Cognition Vertolli, M. O., Kelly, M., & Davies, J. Introduction Compression of signals from the environment is critical to an organisms success Decompression plays an equally critical role We

434 views • 4 slides
Math 217 - November 29, 2010 Series Solutions 1. What is an ordinary point? 2. What is a

Math 217 - November 29, 2010 Series Solutions 1. What is an ordinary point? 2. What is a

Math 217 - November 29, 2010 Series Solutions 1. What is an ordinary point? 2. What is a singular point? 3. Why do we care about ordinary points and singular points? 4. If you find a series solution at an ordinary point, what can you say

332 views • 8 slides
Curve Curve Ninjas December 19, 2012 Curve Ninjas Curve Overview Using Curve Implementation

Curve Curve Ninjas December 19, 2012 Curve Ninjas Curve Overview Using Curve Implementation

Overview Using Curve Implementation Lessons Curve Curve Ninjas December 19, 2012 Curve Ninjas Curve Overview Using Curve Implementation Lessons Ninjas Shinobi Kun An John Chan David Mauskop Wisdom Omuya Zitong Wang Curve Ninjas

360 views • 17 slides
Blossoms Bezier Curve Construction Reminder Successive linear interpolations at point t

Blossoms Bezier Curve Construction Reminder Successive linear interpolations at point t

Blossoms Bezier Curve Construction Reminder Successive linear interpolations at point t Each point can be found as a function of the parameter, t , and the control points, b i n n i t n b t = i ,n b i = i

1.01k views • 46 slides
[11] The Singular Value Decomposition The Singular Value Decomposition Gene Golubs license

[11] The Singular Value Decomposition The Singular Value Decomposition Gene Golubs license

The Singular Value Decomposition [11] The Singular Value Decomposition The Singular Value Decomposition Gene Golubs license plate, photographed by Professor P. M. Kroonenberg of Leiden University. Frobenius norm for matrices x 2 1 + x 2

872 views • 43 slides
1 1. Basic intro to singular chain complexes, compute homology of a point. (a) Basic

1 1. Basic intro to singular chain complexes, compute homology of a point. (a) Basic

1 1. Basic intro to singular chain complexes, compute homology of a point. (a) Basic understanding of simplices, give definition. Definition. n , the n -simplex, is defined as { ( x 0 , . . . , x n ) R n +1 : x i = 1 , x i 0 } .

418 views • 3 slides
Breaking the Bluetooth Pairing Fixed Coordinate Invalid Curve Attack Eli Biham Lior Neumann

Breaking the Bluetooth Pairing Fixed Coordinate Invalid Curve Attack Eli Biham Lior Neumann

Breaking the Bluetooth Pairing Fixed Coordinate Invalid Curve Attack Eli Biham Lior Neumann Department of Computer Science Technion Israel Institute of Technology Cryptoday 2018 Eli Biham, Lior Neumann (Technion) Breaking the

784 views • 75 slides
Practical Invalid Curve Attacks on TLS-ECDH Tibor Jager, Jrg Schwenk, Juraj Somorovsky Horst

Practical Invalid Curve Attacks on TLS-ECDH Tibor Jager, Jrg Schwenk, Juraj Somorovsky Horst

Practical Invalid Curve Attacks on TLS-ECDH Tibor Jager, Jrg Schwenk, Juraj Somorovsky Horst Grtz Institute for IT Security Ruhr University Bochum @jurajsomorovsky 1 Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks

1.45k views • 32 slides
The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983

The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983

The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985) Schoof: Algorithm to count points on elliptic curves over finite fields. Input: prime power q ; F q such that 6(4

784 views • 47 slides
1 Singular Value Decomposition The singular vector decomposition allows us to write any matrix A

1 Singular Value Decomposition The singular vector decomposition allows us to write any matrix A

Statistical Modeling and Analysis of Neural Data (NEU 560) Princeton University, Spring 2018 Jonathan Pillow Lecture 2 notes: SVD 1 Singular Value Decomposition The singular vector decomposition allows us to write any matrix A as A = USV ,

157 views • 4 slides
How to Textbook key exchange manipulate curve standards: using standard

How to Textbook key exchange manipulate curve standards: using standard

How to Textbook key exchange manipulate curve standards: using standard point P a white paper for the black hat on a standard elliptic curve E : Alices Bobs Daniel J. Bernstein secret key a secret key b Tung

779 views • 73 slides
RIT n. a point on a curve at which the curvature which the curvature Inflection Inflection

RIT n. a point on a curve at which the curvature which the curvature Inflection Inflection

RIT n. a point on a curve at which the curvature which the curvature Inflection Inflection (second derivative) Points: changes signs changes signs The year in Review Review Jeremy Haefner n. A moment of dramatic Provost Provost

779 views • 30 slides
Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a nonsingular plane cu- Theorem (Mordell). The group E ( Q ) of rational points on an bic curve with a rational point (possibly at elliptic curve is a

402 views • 7 slides
Continuous Flow Process for Cr(VI) Removal from Drinking Water through Reduction onto FeOOH by ISRs

Continuous Flow Process for Cr(VI) Removal from Drinking Water through Reduction onto FeOOH by ISRs

Continuous Flow Process for Cr(VI) Removal from Drinking Water through Reduction onto FeOOH by ISRs E. Kaprara, F. Pinakidou, E. Paloura, A. Zouboulis and M. Mitrakas Aristotle University of Thessaloniki, Greece 13th IWA Specialized Conference on

255 views • 22 slides
Coupling of tw o Hyperbolic Conservation Law s M. Izadi August 20, 2005 I nstitute for Advance

Coupling of tw o Hyperbolic Conservation Law s M. Izadi August 20, 2005 I nstitute for Advance

Stream line Diffusion Method for Coupling of tw o Hyperbolic Conservation Law s M. Izadi August 20, 2005 I nstitute for Advance studies in Basic Sciences The Plane Review of Finite Element Method (FEM) The Coupled Problem

459 views • 42 slides
Co-Hosted By: 1 Agenda Learn to Leverage Data - Hear about strategies and tools available to

Co-Hosted By: 1 Agenda Learn to Leverage Data - Hear about strategies and tools available to

Co-Hosted By: 1 Agenda Learn to Leverage Data - Hear about strategies and tools available to better understand your data and make it actionable Organize Data Take steps to standardized data and reports to make informed business

437 views • 31 slides
Origins and Lessons from the Financial Crisis By Lester Henry Department of Economics UWI St

Origins and Lessons from the Financial Crisis By Lester Henry Department of Economics UWI St

Origins and Lessons from the Financial Crisis By Lester Henry Department of Economics UWI St Augustine 1 Outline The Extent of the Current Crisis Origins of the Crisis: How Did We Get here?: The Causes of the Crisis The Minsky

285 views • 15 slides
Connecticuts COVID -19 Homeless Response April 1, 2020 Agenda 1:00pm Introductory remarks

Connecticuts COVID -19 Homeless Response April 1, 2020 Agenda 1:00pm Introductory remarks

Connecticuts COVID -19 Homeless Response April 1, 2020 Agenda 1:00pm Introductory remarks Welcome from CCM (Brian OConnor) and CCEH (Madeline Ravich) Overview of COVID-19 homelessness response by CCEH (Richard Cho) DOH

666 views • 14 slides
File System Challenges in Consumer Electronics Products (Chan Gyun Jeong) SW Platform

File System Challenges in Consumer Electronics Products (Chan Gyun Jeong) SW Platform

File System Challenges in Consumer Electronics Products (Chan Gyun Jeong) SW Platform Lab., Corporate R&D LG Electronics, Inc. 2014/10/31 Contents LG webOS TV Overview File Systems in webOS TV Database in webOS TV

181 views • 16 slides
Query Execution in Column-Stores Atte Hinkka Seminar on Columnar Databases, Fall 2012 1

Query Execution in Column-Stores Atte Hinkka Seminar on Columnar Databases, Fall 2012 1

Query Execution in Column-Stores Atte Hinkka Seminar on Columnar Databases, Fall 2012 1 Central concepts Column (query) operators Compression considerations Materialization strategies Vectorized operations 2 Query what?

425 views • 20 slides
The search of water in Mars using radars Toms Ahumada Motivation First publication

The search of water in Mars using radars Toms Ahumada Motivation First publication

The search of water in Mars using radars Toms Ahumada Motivation First publication Following publications How to do it? ESA The Satellite Mars Explorer MARSIS Radar specifics Radargram Diagram to explain

289 views • 14 slides

More recommend