To BLISS-B or not to be - Attacking strongSwan's Implementation of Post-Quantum Signatures - PowerPoint PPT Presentation

SLIDE 1

SCIENCE PASSION TECHNOLOGY · www.iaik.tugraz.at

To BLISS-B or not to be - Attacking strongSwan's Implementation of Post-Quantum Signatures

Peter Pessl¹, Leon Groot Bruinderink², Yuval Yarom³

¹ Graz University of Technology, ² Technische Universiteit Eindhoven, ³ University of Adelaide and Data61

CCS 2017, November 2nd

SLIDE 2

PQ crypto is gaining a lot of traction...
• NIST call, first real-world tests, efficient schemes and implementations
• BLISS - lattice-based signatures

But what about implementation security?
• first works on BLISS (and lattice-based cryptography)
• ... but often not done in a realistic setting
• ... and not applicable to the improved BLISS-B

Peter Pessl, Graz University of Technology. CCS 2017, November 2nd

SLIDE 3

Our contribution

New side-channel key-recovery algorithm for BLISS
• applicable to the improved BLISS-B variant

First practical cache attack on BLISS
• production-grade BLISS-B implementation of the strongSwan VPN suite
• 6 000 signatures for full signing-key recovery

SLIDE 4

BLISS - Lattice Signatures [DDLL13, Duc14]

BLISS - Bimodal Lattice Signature Scheme [DDLL13]
• Discrete Gaussians $D_\sigma(x)$ → dedicated samplers
• Works over the ring $R_q = \mathbb{Z}_q[x]/(x^n + 1)$, $n = 512$
• Polynomials $a, b$: $ab = A b$, where $A$ is the matrix of nega-cyclic rotations of $a$

$$
A = \begin{pmatrix}
a_0 & -a_{n-1} & \cdots & -a_1 \\
a_1 & a_0 & \cdots & -a_2 \\
\vdots & \vdots & \ddots & \vdots \\
a_{n-1} & a_{n-2} & \cdots & a_0
\end{pmatrix}
= \begin{pmatrix}
- & \mathbf{a}_0 & - \\
- & \mathbf{a}_1 & - \\
& \vdots & \\
- & \mathbf{a}_{n-1} & -
\end{pmatrix}
$$

SLIDE 5

BLISS Keys

Key generation:
1: $f, g \leftarrow \{0, \pm 1, \pm 2\}^n$ (depending on the parameter set)
2: Private key $(s_1, s_2) = (f, 2g + 1)$
3: Public key $a_q = s_2 / s_1 \bmod q$

BLISS-I, II: $f, g \leftarrow \{0, \pm 1\}^n$

SLIDE 6

BLISS - Lattice Signatures [DDLL13]

Input: Message $\mu$, public key $a_1$, private key $(s_1, s_2)$
Output: A signature $(z_1, z_2, c)$
1: $y_1 \leftarrow D^n_\sigma$, $y_2 \leftarrow D^n_\sigma$
2: $c = H(a_1 y_1 + y_2 \,\|\, \mu)$ // binary, sparse vector
3: $(v_1, v_2) = (s_1, s_2) c$
4: Sample a uniformly random bit $b$
5: $(z_1, z_2) = (y_1, y_2) + (-1)^b (v_1, v_2)$
6: Continue with some probability $f((s_1, s_2) c, z)$, restart otherwise
7: return $(z_1, z_2, c)$

SLIDE 7

BLISS and BLISS-B [DDLL13, Duc14]

BLISS-B → lower rejection rate, default in strongSwan
• GreedySC: $(v_1, v_2) = (s_1, s_2) c'$, with $c' \in \{-1, 0, +1\}^n$, $c' \equiv c \bmod 2$
• $c'$ is kept secret

BLISS
3: $(v_1, v_2) = (s_1, s_2) c$
4: Sample a uniformly random bit $b$
5: $(z_1, z_2) = (y_1, y_2) + (-1)^b (v_1, v_2)$

BLISS-B
3: $(v_1, v_2) = \mathrm{GreedySC}((s_1, s_2), c)$
4: Sample a uniformly random bit $b$
5: $(z_1, z_2) = (y_1, y_2) + (-1)^b (v_1, v_2)$

SLIDE 8

A Cache Attack on BLISS [GBHLY16]

Cache attack on the Gaussian sampler
• partial recovery of the noise vector $y_1$

Equation $z_1 = y_1 + (-1)^b s_1 c$:

$$
\begin{pmatrix} \vdots \\ z_i \\ \vdots \end{pmatrix}
= \begin{pmatrix} \vdots \\ y_i \\ \vdots \end{pmatrix}
+ (-1)^b
\begin{pmatrix} \vdots \\ - \; \mathbf{c}_i \; - \\ \vdots \end{pmatrix}
\begin{pmatrix} s_0 \\ \vdots \\ s_{n-1} \end{pmatrix}
$$

$(z_i - y_i)(-1)^b = \langle \mathbf{c}_i, s_1 \rangle$

Filter for $z_i = y_i$
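As an added example that is not from the slides or the paper: the nega-cyclic rotation matrix A of slide 4 and the coordinate-wise identity of slide 8, checked on a constructed toy instance with n = 8 and q = 12289 (the talk uses n = 512); all function names are my own.

```python
N, Q = 8, 12289   # constructed toy parameters; the talk uses n = 512

def ring_mul(a, b, n=N, q=Q):
    """Schoolbook product in Z_q[x]/(x^n + 1): x^n wraps around as -1."""
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                out[k] = (out[k] + ai * bj) % q
            else:
                out[k - n] = (out[k - n] - ai * bj) % q
    return out

def rotation_matrix(a, n=N, q=Q):
    """Matrix A of nega-cyclic rotations of a, so that A b = a*b in the ring:
    A[i][j] is the coefficient of x^i in a * x^j."""
    return [[a[i - j] % q if i >= j else (-a[n + i - j]) % q for j in range(n)]
            for i in range(n)]

def mat_vec(m, v, q=Q):
    """Matrix-vector product mod q."""
    return [sum(mi * vi for mi, vi in zip(row, v)) % q for row in m]

def centered(v, q=Q):
    """Map residues in [0, q) to the symmetric range (-q/2, q/2]."""
    return [x - q if x > q // 2 else x for x in v]

def row_identity_holds(s1, c, y1, b):
    """Compute z1 = y1 + (-1)^b s1*c with ring arithmetic, then check the
    coordinate-wise form used on slide 8: (z_i - y_i)(-1)^b = <c_i, s1>,
    where c_i is the i-th row of the rotation matrix of c (rows '- c_i -')."""
    sign = (-1) ** b
    v1 = centered(ring_mul(s1, c))
    z1 = [yi + sign * vi for yi, vi in zip(y1, v1)]
    rows = [centered(row) for row in rotation_matrix(c)]
    for i, c_i in enumerate(rows):
        if (z1[i] - y1[i]) * sign != sum(ci * si for ci, si in zip(c_i, s1)):
            return False
    return True
```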

SLIDE 9

A Cache Attack on BLISS [GBHLY16]

Gather $n = 512$ equations

$$
\begin{pmatrix}
- \; (\mathbf{c}_i)_0 \; - \\
\vdots \\
- \; (\mathbf{c}_i)_{n-1} \; -
\end{pmatrix}
\begin{pmatrix} s_0 \\ \vdots \\ s_{n-1} \end{pmatrix}
= \begin{pmatrix} \vdots \end{pmatrix}
$$

Solve the system

SLIDE 10

Limitations of the Cache Attack

Target: research-oriented BLISS reference implementation
• ... with modified code and a synchronized attacker

Not applicable to BLISS-B
• same as other works [Pes16, BBK16, EFGT16]

BLISS

$$
\begin{pmatrix}
1 & \cdots & \cdots & -1 \\
\vdots & \ddots & & \vdots \\
1 & \cdots & & -1
\end{pmatrix}
\begin{pmatrix} s_0 \\ s_1 \\ \vdots \\ s_{n-1} \end{pmatrix} = 0
$$

BLISS-B

$$
\begin{pmatrix}
\pm 1 & \cdots & \cdots & \pm 1 \\
\vdots & \ddots & & \vdots \\
\pm 1 & \cdots & & \pm 1
\end{pmatrix}
\begin{pmatrix} s_0 \\ s_1 \\ \vdots \\ s_{n-1} \end{pmatrix} = 0
$$

SLIDE 11

A New Side-Channel Key-Recovery Attack

SLIDE 12

Step 1: Gathering Samples

Use side-channels to gather noise samples $y$
• cache attack, power analysis, ...

Collect equations

$$
\begin{pmatrix}
\pm 1 & \cdots & \cdots & \pm 1 \\
\vdots & \ddots & & \vdots \\
\pm 1 & \cdots & & \pm 1
\end{pmatrix}
\begin{pmatrix} s_0 \\ s_1 \\ \vdots \\ s_{n-1} \end{pmatrix}
= \begin{pmatrix} 2 \\ \vdots \\ -3 \end{pmatrix}
$$

SLIDE 13

Step 2: Finding $s_1 \bmod 2$

In GF(2): $-1 \equiv 1 \bmod 2$
• Solve the system → $s_1 \bmod 2$ (LSB of the coefficients)
• BLISS-I, II → $|s_1|$

$$
s_1 = \begin{pmatrix} \pm 1 \\ \vdots \\ \pm 1 \end{pmatrix}
$$

SLIDE 14

Step 2: Correcting Errors

Side-channels can have errors: approximate equations
• Solving a noisy linear system in GF(2): Learning Parity with Noise (LPN)

Our approach
• solving LPN by decoding a random linear code
• utilize differing error probabilities [PM16]

$$
s_1 = \begin{pmatrix} \pm 1 \\ \vdots \\ \pm 1 \end{pmatrix}
$$

SLIDE 15

Step 3: Recovery of Twos

BLISS-III, BLISS-IV: $s_1 \in \{0, \pm 1, \pm 2\}^n$
• Use the sparsity of $c'$ in $\langle s_1, c'_i \rangle$

Method 1: Integer Programming
• $|\langle s_1, c'_i \rangle| > \#\text{ indexed 1s}$ → a 2 must be involved

Method 2: Statistical Approach
• $|\langle s_1, c'_i \rangle|$ is large → a 2 is likely involved

$$
s_1 = \begin{pmatrix} \pm 1 \\ \pm 2 \\ \vdots \\ \pm 1 \end{pmatrix}
$$

SLIDE 16

Step 4: Lattice Reduction

Combine the recovered information $|s_1|$ with the public key
• Public key: $a_q s_1 = s_2$
• $s_2$: short vector in the lattice spanned by $a_q$
• reduce the lattice rank by discarding columns

$$
\begin{pmatrix}
a_0 & -a_{n-1} & -a_{n-2} & \cdots & -a_1 \\
a_1 & a_0 & -a_{n-1} & \cdots & -a_2 \\
a_2 & a_1 & a_0 & \cdots & -a_3 \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
a_{n-1} & a_{n-2} & a_{n-3} & \cdots & a_0
\end{pmatrix}
\begin{pmatrix} \pm 1 \\ \vdots \\ \pm 1 \end{pmatrix} = s_2
$$

SLIDE 17

Step 4: Lattice Reduction

• Reduce the lattice dimension ($d = 250$)
• Solve SVP with BKZ lattice reduction
• Linear algebra to get $(s_1, s_2)$

Full key recovered!

SLIDE 18

Attacking strongSwan's BLISS-B

SLIDE 19

Attack Target

Bernoulli rejection sampling by [DDLL13]
• bit-scanning of the input $x$ in a subroutine

Sampling a bit from $B(\exp(-x/(2\sigma^2)))$ for $x \in [0, 2^\ell)$
Input: $x \in [0, 2^\ell)$, an integer in binary form $x = x_{\ell-1} \ldots x_0$; precomputed table $E$
Output: A bit $b$ from $B(\exp(-x/(2\sigma^2)))$
1: for $i = \ell - 1$ downto $0$ do
2:   if $x_i = 1$ then
3:     sample bit $A_i$ from $B(E[i])$
4:     if $A_i = 0$ then return 0
5: return 1

SLIDE 20

Cache Attack

Detect whether the branch $x_i = 1$ is taken at least once
• if NOT: $x = 0$ → $y \in 254 \cdot \mathbb{Z}$ (the sampled noise is a multiple of 254)

Flush+Reload Cache Attack [YF14]

with performance degradation [ABF+16]
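The sampler of slide 19 and the x = 0 observation of slide 20, as an added example that is not strongSwan's code: the leaky bit-scanning form beside a hardened form that reads every table entry regardless of x, with the table-access trace exposed so the difference can be checked. sigma = 215 is the BLISS-I value; the bit length ELL = 20, the toy inputs and all function names are my own choices.

```python
import math
import random

SIGMA = 215.0   # BLISS-I sigma; ELL is a constructed toy bit length for x
ELL = 20

def make_table(sigma=SIGMA, ell=ELL):
    """Precomputed table E with E[i] = exp(-2^i / (2 sigma^2))."""
    return [math.exp(-(1 << i) / (2 * sigma * sigma)) for i in range(ell)]

def sample_leaky(x, table, rng, trace):
    """Slide 19 as written: draw A_i only when bit x_i is set and exit on the
    first A_i = 0. `trace` records which E[i] were read; for x = 0 it stays
    empty, which is the event slide 20 detects through the cache."""
    for i in range(len(table) - 1, -1, -1):
        if (x >> i) & 1:
            trace.append(i)
            if rng.random() >= table[i]:   # A_i = 0
                return 0
    return 1

def sample_ct(x, table, rng, trace):
    """Hardened variant: every E[i] is read and every A_i is drawn, and the
    result is folded in with bit masks, so neither the table accesses nor the
    loop length depend on x."""
    result = 1
    for i in range(len(table) - 1, -1, -1):
        trace.append(i)
        a_i = int(rng.random() < table[i])   # A_i = 1 with probability E[i]
        x_i = (x >> i) & 1
        result &= a_i | (x_i ^ 1)            # clears only if x_i = 1 and A_i = 0
    return result

def access_count(sampler, x, seed=1):
    """Number of table entries one call reads (what a cache attacker sees)."""
    trace = []
    sampler(x, make_table(), random.Random(seed), trace)
    return len(trace)

def empirical_mean(sampler, x, n=20000, seed=1):
    """Average output over n calls; both samplers approach expected(x)."""
    rng, table = random.Random(seed), make_table()
    return sum(sampler(x, table, rng, []) for _ in range(n)) / n

def expected(x, sigma=SIGMA):
    """Target probability exp(-x / (2 sigma^2))."""
    return math.exp(-x / (2 * sigma * sigma))
```

Python only shows the structure; a C implementation of the hardened form would additionally need the comparison against E[i] and the final mask to compile to branch-free code, and as slide 24 notes this still does not address power analysis.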

SLIDE 21

Resynchronization

Attack is asynchronous
• need the correct index

Resynchronization
• sampling time ∼ index
• $s_1 c'$ is small → $z \approx 254 \cdot \mathbb{Z}$ ($z$ is close to a multiple of 254)

SLIDE 22

Results

Step 1: gathering samples
• observe 6 000 signature generations with strongSwan

Step 2: $s_1 \bmod 2$
• 98% success rate, avg. runtime ≈ 1 minute (64 threads)

Step 3: recovering 2s
• ... not needed, focus on BLISS-I for the strongSwan tests

Step 4: lattice reduction
• BLISS-I: always successful, avg. runtime 4-5 minutes

SLIDE 23

What can we do?

SLIDE 24

Countermeasures

Shuffling the noise vector
• also has flaws [Pes16]

Constant-time samplers
• difficult to implement, still vulnerable to power analysis

Don't use Gaussians!
• Gaussians are difficult to implement and extremely prone to SCA
• replace with, e.g., the uniform distribution (Dilithium [DLL+17])

SLIDE 26

Bibliography I

[ABF+16] Thomas Allan, Billy Bob Brumley, Katrina E. Falkner, Joop van de Pol, and Yuval Yarom. Amplifying side channels through performance degradation. In ACSAC 2016, pages 422–435, 2016.

[BBK16] Nina Bindel, Johannes A. Buchmann, and Juliane Krämer. Lattice-based signature schemes and their sensitivity to fault attacks. In FDTC 2016, pages 63–77, 2016.

[DDLL13] Léo Ducas, Alain Durmus, Tancrède Lepoint, and Vadim Lyubashevsky. Lattice signatures and bimodal Gaussians. In CRYPTO 2013, pages 40–56, 2013.

[DLL+17] Léo Ducas, Tancrède Lepoint, Vadim Lyubashevsky, Peter Schwabe, Gregor Seiler, and Damien Stehlé. CRYSTALS - Dilithium: Digital signatures from module lattices. 2017.

[Duc14] Léo Ducas. Accelerating BLISS: the geometry of ternary polynomials. 2014.

[EFGT16] Thomas Espitau, Pierre-Alain Fouque, Benoît Gérard, and Mehdi Tibouchi. Loop abort faults on lattice-based Fiat-Shamir & hash'n sign signatures. 2016.

SLIDE 27

Bibliography II

[GBHLY16] Leon Groot Bruinderink, Andreas Hülsing, Tanja Lange, and Yuval Yarom. Flush, Gauss, and Reload - A cache attack on the BLISS lattice-based signature scheme. In CHES 2016, pages 323–345, 2016. Full version available at: http://ia.cr/2016/300.

[Pes16] Peter Pessl. Analyzing the shuffling side-channel countermeasure for lattice-based signatures. In INDOCRYPT 2016, pages 153–170, 2016.

[PM16] Peter Pessl and Stefan Mangard. Enhancing side-channel analysis of binary-field multiplication with bit reliability. In CT-RSA 2016, pages 255–270, 2016.

[YF14] Yuval Yarom and Katrina Falkner. FLUSH+RELOAD: A high resolution, low noise, L3 cache side-channel attack. In 23rd USENIX Security Symposium, pages 719–732, 2014.