cold boot attacks on ring module lwe under the ntt
play

Cold Boot Attacks on Ring & Module-LWE Under the NTT Martin R. - PowerPoint PPT Presentation

Jan 17, 2024 •666 likes •1.16k views

Cold Boot Attacks on Ring & Module-LWE Under the NTT Martin R. Albrecht, Amit Deo, Kenneth G. Paterson Royal Holloway, University of London September 12, 2018 1 / 30 Cold boot attack scenario Originally investigated by [HSHCPCFAF09]

  1. Cold Boot Attacks on Ring & Module-LWE Under the NTT Martin R. Albrecht, Amit Deo, Kenneth G. Paterson Royal Holloway, University of London September 12, 2018 1 / 30

  2. Cold boot attack scenario ◮ Originally investigated by [HSHCPCFAF09] ◮ An attack method involving physical access to memory storing cryptographic secret keys ◮ The attacker ejects the memory (lunch-time attack) and plugs into their own machine ◮ The attacker locates key material in memory and uses data remanence effects [HSHCPCFAF09] to recover the key ◮ Works on any cryptographic primitive where there is a secret key 2 / 30

  3. Cold boot attacks [HSHCPCFAF09] ◮ < 1% bit flip rate towards ground state after 10 minutes cooling to -50 ◦ C ◮ Limiting case is 0 . 17% after 1 hour cooling with liquid nitrogen to -196 ◦ C 3 / 30

  4. Cold boot attack scenario ◮ Bits in RAM decay towards ground state (0/1) on power down ◮ Cool RAM to extreme temperatures to slow decay State of RAM with power on 1 0 1 1 0 1 0 1 0 0 1 1 4 / 30

  5. Cold boot attack scenario ◮ Bits in RAM decay towards ground state (0/1) on power down ◮ Cool RAM to extreme temperatures to slow decay State of RAM with power on 1 0 1 1 0 1 0 1 0 0 1 1 Freeze + extract RAM 0 0 1 1 0 1 1 1 0 0 1 1 4 / 30

  6. Cold boot attack scenario ◮ Bits in RAM decay towards ground state (0/1) on power down ◮ Cool RAM to extreme temperatures to slow decay State of RAM with power on 1 0 1 1 0 1 0 1 0 0 1 1 Freeze + extract RAM 0 0 1 1 0 1 1 1 0 0 1 1 Eventual ground state decay 0 0 0 0 1 1 1 1 0 0 0 0 4 / 30

  7. Cold boot attack flips ◮ 2 classes of bit flips: ◮ Standard bit flips (towards memory ground state) rate ρ 0 ◮ Retrograde bit flips (away from memory ground state) rate ρ 1 ≈ 0 . 1% ◮ Assuming half the bits of the key not in ground state = ⇒ # bit flips ≈ (# bits in key) · ( ρ 0 + ρ 1 ) / 2 ◮ Bit flip rates are written in the form ( ρ 0 , ρ 1 ) 5 / 30

  8. Current state-of-the-art ◮ DES: (0.5, 0.001) bit flip rate trivially [HSHCPCFAF09] ◮ AES: ◮ AES-128: (0.7,0) bit-flip rate in 1 sec on average [KY10] ◮ AES-256: (0.65,0) bit-flip rate in 90 secs on average [Tso09] ◮ RSA (1024-bit modulus): (0.4,0.001) bit-flip rate in 2.4 secs on average [PPS12] ◮ NTRU: (0.01,0.001) bit-flip rate in minutes to hours on average for the ntru-crypto eps449ep1 parameters ( N = 449 , df = 134 , dg = 149 , p = 3 , q = 2048) [PV17] 6 / 30

  9. Post quantum cryptography ◮ Cryptography resistant to quantum cryptanalytic algorithms ◮ Plans for wide-spread use and standardisation – NIST process ◮ 23 lattice-based proposals, the majority of which are LWE based 7 / 30

  10. Post quantum cryptography ◮ Cryptography resistant to quantum cryptanalytic algorithms ◮ Plans for wide-spread use and standardisation – NIST process ◮ 23 lattice-based proposals, the majority of which are LWE based Are there effective cold boot attacks on some of the LWE-based contenders? 7 / 30

  11. LWE keys Notation: R q = Z q [ x ] / ( x n + 1), n a power-of-two We focus on the two main efficient variations of LWE: ◮ Ring-LWE: ◮ SecKey = s ∈ R q ◮ Module-LWE: ◮ SecKey = s ∈ R d q 8 / 30

  12. LWE keys Notation: R q = Z q [ x ] / ( x n + 1), n a power-of-two We focus on the two main efficient variations of LWE: ◮ Ring-LWE: ◮ SecKey = s ∈ R q ◮ Module-LWE: ◮ SecKey = s ∈ R d q Trade-off between d and n : ◮ MLWE Kyber: n = 256 , d = 3 ◮ RLWE NewHope: n = 1024 , d = 1 8 / 30

  13. Practical key storage for ring/module-LWE ◮ The number theoretic transform ( NTT ) is used for efficiency ◮ Without NTT , polynomial multiplication takes O ( n 2 ) ops ◮ With NTT , polynomial multiplication takes O ( n log n ) ops ◮ Polynomials in the secret key s often stored using an NTT 9 / 30

  14. The NTT cold boot problem “Decode a noisy NTT” OR “Recover s from s = NTT n ( s ) + ∆ mod q ” ˜ ◮ Assumption: We have κ ≪ n bit flips ◮ ∆’s components have a low Hamming weight binary signed digit representation (BSDR) ◮ A BSDR of 7 is “1, 0, 0, -1” since 7 = 1 ∗ 8 − 1 ◮ κ bit flips = ⇒ BSDR (∆) has Hamming weight κ ◮ s has small coefficients 10 / 30

  15. The NTT cold boot problem “Decode a noisy NTT” OR “Recover s from s = NTT n ( s ) + ∆ mod q ” ˜ ◮ Assumption: We have κ ≪ n bit flips ◮ ∆’s components have a low Hamming weight binary signed digit representation (BSDR) ◮ A BSDR of 7 is “1, 0, 0, -1” since 7 = 1 ∗ 8 − 1 ◮ κ bit flips = ⇒ BSDR (∆) has Hamming weight κ ◮ s has small coefficients MLWE Kyber [Sch+17] dimension: n = 256 , d = 3 RLWE NewHope [Pop+17] dimension: n = 1024 , d = 1 10 / 30

  16. Attack overview “Decode a noisy NTT” OR “Recover s from s = NTT n ( s ) + ∆ mod q ” ˜ 3 main components: 1. Divide and conquer to reduce dimension 2. Work a low-dimensional solution up to solve the problem 3. Lattice + combinatorial attack to solve low dimensional instance 11 / 30

  17. Divide and conquer Definition Let ω be a primitive n th root of unity. Then for any a ∈ Z n q , n − 1 � ω ( i +1 / 2) j a j NTT ( a ) := j =0 NTT n =2 k NTT n / 2 NTT n / 2 NTT n / 4 NTT n / 4 NTT n / 4 NTT n / 4 12 / 30

  18. Divide and conquer For power of two n : ◮ a e = ( a 0 , a 2 , . . . , a n − 2 ) ◮ a o = ( a 1 , a 3 , . . . , a n − 1 ) Formulae For i = 0 , . . . , n / 2 − 1 NTT n ( a ) i + NTT n ( a ) i + n / 2 = 2 · NTT n / 2 ( a e ) i NTT n ( a ) i − NTT n ( a ) i + n / 2 = 2 ω i +1 / 2 · NTT n / 2 ( a o ) i 13 / 30

  19. Divide and conquer Original n -dimensional instance: ˜ s = NTT n ( s ) + ∆ mod q Folded n / 2-dimensional instance: For i = 0 , . . . , n / 2 − 1 (∆ + ) i � �� � � � ˜ s i + ˜ = 2 · NTT n / 2 ( s e ) i + ∆ i + ∆ i + n / 2 (1) s i + n / 2 = 2 ω i +1 / 2 · NTT n / 2 ( s o ) i � � s i − ˜ ˜ s i + n / 2 + ∆ i − ∆ i + n / 2 (2) � �� � (∆ − ) i (1) – the positive fold, (2) – the negative fold And repeat on the positive folded instance . . . 14 / 30

  20. Can we reach trivial dimension? Writing ∆ = (∆ ℓ , ∆ r ), the error terms after folding once are ◮ ∆ + = ∆ ℓ + ∆ r ∈ Z n / 2 q ◮ ∆ − = ∆ ℓ − ∆ r ∈ Z n / 2 q Example (∆ ℓ ) i (∆ r ) i ∆ = . . . || 1 , 0 , 0 , 0 , 0 || . . . || . . . || 0 , 0 , 0 , 0 , − 1 || . . . (∆ + ) i = 1 , 0 , 0 , 0 , 0 (∆ − ) i = 1 , 0 , 0 , 0 , 0 + 0 , 0 , 0 , 0 , − 1 − 0 , 0 , 0 , 0 , − 1 1 , 0 , 0 , 0 , − 1 − 1 , 0 , 0 , 0 , 1 15 / 30

  21. Can we reach trivial dimension? Writing ∆ = (∆ ℓ , ∆ r ), the error terms after folding once are ◮ ∆ + = ∆ ℓ + ∆ r ∈ Z n / 2 q ◮ ∆ − = ∆ ℓ − ∆ r ∈ Z n / 2 q Example (∆ ℓ ) i (∆ r ) i ∆ = . . . || 1 , 0 , 0 , 0 , 0 || . . . || . . . || 0 , 0 , 0 , 0 , − 1 || . . . (∆ + ) i = 1 , 0 , 0 , 0 , 0 (∆ − ) i = 1 , 0 , 0 , 0 , 0 + 0 , 0 , 0 , 0 , − 1 − 0 , 0 , 0 , 0 , − 1 1 , 0 , 0 , 0 , − 1 − 1 , 0 , 0 , 0 , 1 Notes: ◮ These are less sparse when written in BSDR ◮ Repeated folding → “∆” term approaches a uniform distribution ◮ “ s ” terms stay the same size 15 / 30

  22. Summary of divide and conquer component ( n = 2 k , ∆) top level − → Legend: (dim , ∆) ( n / 2 , ∆ + ) ( n / 2 , ∆ − ) ( n / 4 , ∆ ++ ) ( n / 4 , ∆ + − ) ( n / 8 , ∆ +++ ) ( n / 8 , ∆ ++ − ) ← − bottom level 16 / 30

  23. Summary of divide and conquer component ( n = 2 k , ∆) top level − → Legend: (dim , ∆) ( n / 2 , ∆ + ) ( n / 2 , ∆ − ) ( n / 4 , ∆ ++ ) ( n / 4 , ∆ + − ) ( n / 8 , ∆ +++ ) ( n / 8 , ∆ ++ − ) ← − bottom level 16 / 30

  24. Summary of divide and conquer component ( n = 2 k , ∆) top level − → Legend: (dim , ∆) ( n / 2 , ∆ + ) ( n / 2 , ∆ − ) ( n / 4 , ∆ ++ ) ( n / 4 , ∆ + − ) ( n / 8 , ∆ +++ ) ( n / 8 , ∆ ++ − ) ← − bottom level 16 / 30

  25. Summary of divide and conquer component ( n = 2 k , ∆) top level − → Legend: (dim , ∆) ( n / 2 , ∆ + ) ( n / 2 , ∆ − ) ( n / 4 , ∆ ++ ) ( n / 4 , ∆ + − ) ( n / 8 , ∆ +++ ) ( n / 8 , ∆ ++ − ) ← − bottom level 16 / 30

  26. Working a solution up a level Instance in ∆ = (∆ ℓ , ∆ r ) divides into two instances in ◮ ∆ + = ∆ ℓ + ∆ r ∈ Z n / 2 q ◮ ∆ − = ∆ ℓ − ∆ r ∈ Z n / 2 q Given ∆ + , guess which bits come from ∆ ℓ and which come from ∆ r to reconstruct ∆. Assuming κ ≪ n , at most 2 κ guesses. 1 Each guess is verified by plugging the solution into sibling instance. Small complication when bit flips in ∆ ℓ and ∆ r collide! ≫ 2 κ guesses for cold boot exhaustive search 1 Compare to � n log( q ) � κ 17 / 30

  27. What we have so far ( n = 2 k , ∆) top level − → ( n / 2 , ∆ + ) ( n / 2 , ∆ − ) ( n / 4 , ∆ ++ ) ( n / 4 , ∆ + − ) ( n / 8 , ∆ +++ ) ( n / 8 , ∆ ++ − ) ← − bottom level 18 / 30

  28. What we have so far ( n = 2 k , ∆) top level − → ( n / 2 , ∆ + ) ( n / 2 , ∆ − ) ( n / 4 , ∆ ++ ) ( n / 4 , ∆ + − ) ( n / 8 , ∆ +++ ) ( n / 8 , ∆ ++ − ) ← − bottom level 18 / 30

  29. What we have so far ( n = 2 k , ∆) top level − → ( n / 2 , ∆ + ) ( n / 2 , ∆ − ) ( n / 4 , ∆ ++ ) ( n / 4 , ∆ + − ) ( n / 8 , ∆ +++ ) ( n / 8 , ∆ ++ − ) ← − bottom level 18 / 30

Recommend

21/02/2012 CSN08101 Digital Forensics Lecture 5A: PC Boot Sequence and Storage Devices Module

21/02/2012 CSN08101 Digital Forensics Lecture 5A: PC Boot Sequence and Storage Devices Module

21/02/2012 CSN08101 Digital Forensics Lecture 5A: PC Boot Sequence and Storage Devices Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Objectives BIOS and boot process Storage devices Partitions Computer Hardware

777 views • 15 slides
BI BIOS S an and d Se Secu cure e Bo Boot t Attacks acks Unc ncover ered ed Advanced

BI BIOS S an and d Se Secu cure e Bo Boot t Attacks acks Unc ncover ered ed Advanced

BI BIOS S an and d Se Secu cure e Bo Boot t Attacks acks Unc ncover ered ed Advanced Threat Research, Intel Security John Loucaides (presenting) In n The he Be Begi ginnin nning Was as The he Leg egacy acy BI BIOS.. S..

1.27k views • 100 slides
Jack Fried Cold Electronics Review October 13, 2016 10/13/2016 Cold Electronics Review 1 APA

Jack Fried Cold Electronics Review October 13, 2016 10/13/2016 Cold Electronics Review 1 APA

SBND Warm Electronics Design and Integration Test with DAQ System Jack Fried Cold Electronics Review October 13, 2016 10/13/2016 Cold Electronics Review 1 APA with Integrated Cold Electronics Cold electronics module and its attachment to

540 views • 34 slides
Ultra-Fast Boot Approach Using Suspend to RAM on Linux based IVI System 2017/6/1 Panasonic

Ultra-Fast Boot Approach Using Suspend to RAM on Linux based IVI System 2017/6/1 Panasonic

Ultra-Fast Boot Approach Using Suspend to RAM on Linux based IVI System 2017/6/1 Panasonic Corporation Kazuomi KATO Agenda 1. Introduction 2. Approaches for optimizing startup time 3. Improvement the time at the COLD boot 4. Improvement the

642 views • 36 slides
Cold War Development of the Cold War The Cold War (1945-91) was one of perception where

Cold War Development of the Cold War The Cold War (1945-91) was one of perception where

Origins of the Cold War Development of the Cold War The Cold War (1945-91) was one of perception where neither side fully understood the intentions and ambitions of the other. This led to mistrust and military build-ups. United States

398 views • 37 slides
RE-FRAME LET'S MAKE A CLOCK (WOW!) TO UNDERSTAND RE-FRAME, YOU MUST BE ABLE TO LIVE WITHOUT IT.

RE-FRAME LET'S MAKE A CLOCK (WOW!) TO UNDERSTAND RE-FRAME, YOU MUST BE ABLE TO LIVE WITHOUT IT.

RE-FRAME LET'S MAKE A CLOCK (WOW!) TO UNDERSTAND RE-FRAME, YOU MUST BE ABLE TO LIVE WITHOUT IT. BOOT https://github.com/boot-clj/boot BOOT TEMPLATES boot -d seancorfield/boot-new new -t tenzing -n &lt;name&gt; [+a &lt;option&gt;]* $ cd

566 views • 22 slides
Reconstructing RSA Private Keys from Random Key Bits Nadia Heninger and Hovav Shacham

Reconstructing RSA Private Keys from Random Key Bits Nadia Heninger and Hovav Shacham

Reconstructing RSA Private Keys from Random Key Bits Nadia Heninger and Hovav Shacham Princeton UCSD August 17, 2009 Motivation:Cold boot or memory attacks A new side-channel attack on cryptographic keys that leaks information

359 views • 23 slides
Securing Linux VMs in a Hosted Environment mikbras@microsoft.com Goal attacks from the

Securing Linux VMs in a Hosted Environment mikbras@microsoft.com Goal attacks from the

Securing Linux VMs in a Hosted Environment mikbras@microsoft.com Goal attacks from the outside To protect Linux VMs from outside attacks (from processes running on the host). Injecting code into the boot chain. Stealing data from

559 views • 18 slides
BIOS and Secure Boot Attacks Uncovered Ruxcon 2014 Advanced Threat Research, Intel Security John

BIOS and Secure Boot Attacks Uncovered Ruxcon 2014 Advanced Threat Research, Intel Security John

BIOS and Secure Boot Attacks Uncovered Ruxcon 2014 Advanced Threat Research, Intel Security John Loucaides (presenting) In n The he Be Begi ginnin nning Was as The he Leg egacy acy BI BIOS.. S.. Leg egacy acy BI BIOS 1. CPU

1.36k views • 101 slides
Module-LWE vs. Ring-LWE? Amit Deo Royal Holloway, University of London 15 January, 2018 1/56

Module-LWE vs. Ring-LWE? Amit Deo Royal Holloway, University of London 15 January, 2018 1/56

Module-LWE vs. Ring-LWE? Amit Deo Royal Holloway, University of London 15 January, 2018 1/56 Main Aim of the Talk 1. Discuss popular variants of the LWE problem 2. Present a collection of reductions between the variants 3. Explicitly state

990 views • 78 slides
Attacks on Ring Learning with Errors Kristin E. Lauter ** joint work with Yara Elias, Ekin

Attacks on Ring Learning with Errors Kristin E. Lauter ** joint work with Yara Elias, Ekin

Attacks on Ring Learning with Errors Kristin E. Lauter ** joint work with Yara Elias, Ekin Ozman, and Katherine Stange UC Irvine, August 31, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork: public-key crypto based

500 views • 27 slides
On Projective Module with unique Maximal Submodule The 51th Ring and Representation Theory

On Projective Module with unique Maximal Submodule The 51th Ring and Representation Theory

( ) On Projective Module with unique Maximal Submodule The 51th Ring and Representation Theory Symposium Okayama University of Science Masahisa Sato Aichi University &amp; University of Yamanashi 13:10-13:40

514 views • 25 slides
Privacy Attacks Practicum Privacy &amp; Fairness in Data Science CS848 Fall 2019 2 Module 1:

Privacy Attacks Practicum Privacy &amp; Fairness in Data Science CS848 Fall 2019 2 Module 1:

Privacy Attacks Practicum Privacy &amp; Fairness in Data Science CS848 Fall 2019 2 Module 1: Intro to Privacy 1. Privacy Attacks Practicum 2. Differential Privacy 3. Basic Algorithms 4. Designing Complex Algorithms &amp; Composition 3

677 views • 44 slides
Secure Boot mistakes Jasper van Woudenberg (Job de Haas) jasper@riscure.com @jzvw 1 Secure

Secure Boot mistakes Jasper van Woudenberg (Job de Haas) jasper@riscure.com @jzvw 1 Secure

Top 10 Secure Boot mistakes Jasper van Woudenberg (Job de Haas) jasper@riscure.com @jzvw 1 Secure Boot Theory Internal boot ROM 1 st stage boot loader N th stage Verify signature Optional decrypt boot loader OS / Application 2

517 views • 25 slides
I Boot when U-Boot @bernardomr (MIA) @_evict 1 / 44 Agenda 1. Introduction 2. The target device

I Boot when U-Boot @bernardomr (MIA) @_evict 1 / 44 Agenda 1. Introduction 2. The target device

I Boot when U-Boot @bernardomr (MIA) @_evict 1 / 44 Agenda 1. Introduction 2. The target device 3. The bootkit 4. Defending / Detecting 2 / 44 Introduction Vincent Works at KPN REDteam Likes Linux and low-level stu Located in Amsterdam

792 views • 44 slides
Trending Boot Technology The Most Determinate Piece of Equipment in Skiing is the Boot. Boots are

Trending Boot Technology The Most Determinate Piece of Equipment in Skiing is the Boot. Boots are

Trending Boot Technology The Most Determinate Piece of Equipment in Skiing is the Boot. Boots are the transmitters of body movement to the ski. Proper support, comfort, and performance application make the difference between a good day on the snow

431 views • 29 slides
Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15

Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15

Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15 Presentation licensed CC-By-SA-4.0 Why Secure Boot? How can we prevent running malware at boot? With Secure Boot! What if the machine is a VM in

303 views • 15 slides
Cold Brew THIS IS COLD BREW Cofgee brewed with cold fresh water over a long time gets unique

Cold Brew THIS IS COLD BREW Cofgee brewed with cold fresh water over a long time gets unique

Cold Brew THIS IS COLD BREW Cofgee brewed with cold fresh water over a long time gets unique fmavour characteristics. Cold Brew is already a hot trend in USA and Japan. Now we ofger the Swedish market an innovative product that matches an

75 views • 6 slides
1.3. MINOS KERNEL 79 System Startup OS Initializer (we!) RPI (2) VC / firmware Initialize

1.3. MINOS KERNEL 79 System Startup OS Initializer (we!) RPI (2) VC / firmware Initialize

1.3. MINOS KERNEL 79 System Startup OS Initializer (we!) RPI (2) VC / firmware Initialize hardware Set stack registers for all processor modes Copy boot image to RAM Setup free heap list and module list Jump to OS boot image

286 views • 28 slides
Dec 08 Backup Boot Flash Tools (BBF): Introduction Introduction The Backup Boot Flash (BBF) is

Dec 08 Backup Boot Flash Tools (BBF): Introduction Introduction The Backup Boot Flash (BBF) is

Dec 08 Backup Boot Flash Tools (BBF): Introduction Introduction The Backup Boot Flash (BBF) is an innovative SPI tool created by DediProg to force the application controller to work (read, program, update..) on the backup memory inserted in the

1.06k views • 17 slides
1 MODULE SPECIFICATION Module Aims The module aims to deliver knowledge of the essential

1 MODULE SPECIFICATION Module Aims The module aims to deliver knowledge of the essential

MODULE SPECIFICATION Project Management and Credit Module Title: Level : 5 20 Presentation Techniques Value : Is this a Code of module Module code : ENG543 new NO being replaced : module? Cost Centre : GAME JACS3 code : F311

261 views • 4 slides
WEATHER FRONTS Map Obtained from TWC COLD FRONTS We already have stated that a cold front is a

WEATHER FRONTS Map Obtained from TWC COLD FRONTS We already have stated that a cold front is a

WEATHER FRONTS Map Obtained from TWC COLD FRONTS We already have stated that a cold front is a boundary separating two air masses (a cold air mass and a warm air mass) The cold air is found behind the cold front and it advances towards the

560 views • 31 slides
Master Boot Record (MBR) A Forensic Perspective Villanova University Department of

Master Boot Record (MBR) A Forensic Perspective Villanova University Department of

Master Boot Record (MBR) A Forensic Perspective Villanova University Department of Computing Sciences D. Justin Price Spring 2014 Master Boot Record Occupies the first 512-byte sector Boot Code Assembly Language

65 views • 6 slides
Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda

Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda

Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda What is Verified Boot? Description of Verified Boot Components Q&amp;A What Is Verified Boot? Verified Boot establishes a chain of

432 views • 19 slides

More recommend