Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti - PowerPoint PPT Presentation



  1. Fault Attacks on Supersingular Isogeny Cryptosystems. Yan Bo Ti, Department of Mathematics, University of Auckland. PQCrypto 2017, 26th of June.

  2. Outline. 1 Preliminaries: Introduction; Supersingular isogenies; SSI cryptosystems. 2 Fault attack: Fault injection; Recovering secret isogeny. 3 Application.

  3-4. DLP. Definition (Discrete Logarithm Problem): Pick an abelian group $G = \langle g \rangle$. Given $g$ and $X$, where $X = g^s$, recover $s$. • Each scalar $s$ determines the map $g \mapsto g^s$. • Fixing $s$ is the same as fixing the endomorphism $\varphi_s : G \to G$. Let's generalise this!

  5. Isogenies. • Fix a finite field $k = \mathbb{F}_p$ and a finite extension $K = \mathbb{F}_q$ where $q = p^k$. • Let $E_1$ and $E_2$ be elliptic curves over $K$. Definition: An isogeny between $E_1$ and $E_2$ is a non-constant morphism defined over $\mathbb{F}_q$ that sends $O_1$ to $O_2$. We say that $E_1$ and $E_2$ are isogenous.

  6. Isogenies. Fun facts: • Isogenies are group homomorphisms. • For every finite subgroup $G \subset E_1$, there is a unique $E_2$ (up to isomorphism) and a separable $\varphi : E_1 \to E_2$ such that $\ker \varphi = G$. We write $E_2 = E_1/G$. • The isogeny can be constructed by an algorithm of Vélu. • For any $\varphi : E \to E'$ of degree $n$, there exists a unique $\hat\varphi : E' \to E$ such that $\varphi \circ \hat\varphi = [n] = \hat\varphi \circ \varphi$. • For any $\varphi : E \to E'$ of degree $nm$, we can decompose $\varphi$ into isogenies of degrees $m$ and $n$.

  7. Supersingular Elliptic Curves. Definition: An elliptic curve $E/\mathbb{F}_{p^k}$ is said to be supersingular if $\#E(\mathbb{F}_{p^k}) \equiv 1 \pmod p$. Fun facts: • All supersingular elliptic curves can be defined over $\mathbb{F}_{p^2}$. • There are approximately $p/12$ supersingular curves up to isomorphism.

  8-9. Supersingular isogeny problem. Definition (Discrete logarithm problem): Pick an abelian group $G = \langle g \rangle$. Given $g$ and $X$, where $X = g^s$, recover $s$. • Each scalar $s$ determines the map $g \mapsto g^s$. • Fixing $s$ is the same as fixing the endomorphism $\varphi_s : G \to G$. Definition (Supersingular isogeny problem): Given two supersingular elliptic curves $E_1$ and $E_2$, find an isogeny between them.

  10-11. Key exchange. Set up: • Choose $p = 2^n \cdot 3^m \cdot f \pm 1$, such that $2^n \approx 3^m$ and $f$ is small. • Choose a supersingular elliptic curve $E$ over $\mathbb{F}_{p^2}$. • Alice works over $E[2^n]$ with linearly independent points $P_A, Q_A$. • Bob works over $E[3^m]$ with linearly independent points $P_B, Q_B$. Recall that $E[N] \cong \mathbb{Z}/N\mathbb{Z} \times \mathbb{Z}/N\mathbb{Z}$ if $N$ is coprime to the characteristic of the field.

  12. Key exchange. [Diagram: $E \xrightarrow{\varphi_A} E/G_A$ and $E \xrightarrow{\varphi_B} E/G_B$.] • Alice picks secret $1 \le a_1, a_2 \le 2^n$, not both divisible by 2, which determines $G_A = \langle [a_1]P_A + [a_2]Q_A \rangle$. • Computes $\varphi_A$ with $\ker \varphi_A = G_A$ via Vélu. • Sends $E/G_A$, $\varphi_A(P_B)$, $\varphi_A(Q_B)$.

  13. Key exchange. [Diagram: $E \xrightarrow{\varphi_A} E/G_A$, $E \xrightarrow{\varphi_B} E/G_B$, both leading to $E/\langle G_A, G_B \rangle$.] • Receives $E/G_B$, $\varphi_B(P_A)$, $\varphi_B(Q_A)$. • Computes $G'_A = \langle [a_1]\varphi_B(P_A) + [a_2]\varphi_B(Q_A) \rangle = \langle \varphi_B([a_1]P_A + [a_2]Q_A) \rangle = \varphi_B(G_A)$. • Uses $j(E_{AB})$ as the secret key.

  14-16. Fault attacks. One can try to find mathematical algorithms to break the cryptosystem. Or, one can use side-channel attacks. Fault attacks are physical attacks aimed at physical devices and may be induced by: • EM probe • Clock/voltage glitching • Temperature disturbances • and more! Fault attacks cause computation of unintended values which may leak sensitive data.

  17-18. Fault attacks in ECC. Given an elliptic curve $E$ and base point $P$, compute $[\lambda]P$. • Introduce a fault to the base point $P \in E$ so that it becomes $P' \in E'$. • The change of curve occurs because the operation does not use $a_6$. • This changes the elliptic curve from $E$ to $E'$ and potentially makes solving the ECDLP easier. • Solving the ECDLP on $[\lambda]P'$ on $E'$, we learn information about $\lambda$. [Diagram: the device fetches $P$ from $E$, the fault turns $P$ into $P'$, the device computes $[\lambda](\cdot)$ and outputs $[\lambda]P'$.]

  19-25. Fault attacks in Isogenies. Given a point $P$ and an isogeny $\varphi$, compute $\varphi(P)$. • Introduce a fault to the base point $P \in E$ so that it becomes $P' \in E$. • Compute $[3^m][f]\varphi(P')$ to get $Z$, which will have order $2^n$ with high probability. • Use $Z$ to compute $\hat\varphi$. [Diagram: the device fetches $P$ from $E$, the fault turns $P$ into $P'$, the device computes $\varphi_A(\cdot)$ and outputs $\varphi_A(P')$.]

  26. Faulted point still on curve. • Introduce a fault to the $x$-coordinate of $P$. • Recover $P'$ by solving for the $y$-coordinate. Then $P'$ will lie on $E$ or on its quadratic twist $E'$. • Some implementations do not distinguish between the two. • If not, there is a 50% chance of $P'$ landing on $E$.


  28. Recovering isogeny. Lemma: Let $E_1$ be a supersingular elliptic curve over $\mathbb{F}_{p^2}$, where $p = 2^n 3^m f \pm 1$. Suppose $\varphi : E_1 \to E_2$ is a separable isogeny of degree $2^n$. If $\varphi(P') \in E_2$ has order $2^n$, then the kernel of $\hat\varphi$ will be generated by $\varphi(P')$. N.B. $\varphi(P')$ does not have to have order $2^n$. If the order is close to $2^n$, we can brute force.

  29-30. Key Exchange. [Diagram: $E \xrightarrow{\varphi_A} E_A$, $E \xrightarrow{\varphi_B} E_B$, both leading to $E_{AB}$.] Aim: Recover the secret $\varphi_A$. • Need to evaluate the image of a random point under $\varphi_A$. • Fault injection before the computation of $\varphi_A(P_B)$ or $\varphi_A(Q_B)$. • Alice outputs $\varphi_A(P')$, hence the attacker may recover $\varphi_A$.
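The procedure of slides 19-30, worked through end to end as an added example (this is not the speaker's code and not any library's implementation): a toy SIDH-style setting with the constructed parameters $p = 2^4 \cdot 3^3 \cdot 1 - 1 = 431$ and $E : y^2 = x^3 + x$ over $\mathbb{F}_{p^2} = \mathbb{F}_p(i)$, so $n = 4$, $m = 3$, $f = 1$, using affine Weierstrass arithmetic and Vélu's formulas for 2-isogenies. Alice's secret $\varphi_A$ is built from a kernel generator $K$ of order $2^n$ as on slide 12; the fault of slide 26 corrupts the $x$-coordinate of $P_B$ and the implementation lifts it back to a $y$-coordinate, failing when the corrupted $x$ lies on the quadratic twist; the attacker takes the output $\varphi_A(P')$, multiplies by $[3^m][f]$ to obtain $Z$, checks that $Z$ has order $2^n$, and then, by the lemma of slide 28, $E_A/\langle Z \rangle$ is the codomain of $\hat\varphi_A$, which the code confirms by comparing $j$-invariants. The parameter sizes, the fault model (a uniformly random additive corruption of $x$) and all function names are assumptions of this example.

```python
"""Toy SIDH-style fault attack; constructed example, not the speaker's code.
p = 2^4 * 3^3 * 1 - 1 = 431, E: y^2 = x^3 + x over F_{p^2} = F_p(i), i^2 = -1."""
import random

P, N_A, M_B, F_COF = 431, 4, 3, 1        # p = 2^n * 3^m * f - 1 with n = 4, m = 3, f = 1
COFACTOR = 3 ** M_B * F_COF              # the [3^m][f] multiplier from the slides

class F2:                                # a + b*i in F_{p^2}; i^2 = -1 works since p = 3 (mod 4)
    def __init__(self, a, b=0): self.a, self.b = a % P, b % P
    def __eq__(self, o): return self.a == o.a and self.b == o.b
    def __add__(self, o): return F2(self.a + o.a, self.b + o.b)
    def __sub__(self, o): return F2(self.a - o.a, self.b - o.b)
    def __mul__(self, o):
        if isinstance(o, int): return F2(self.a * o, self.b * o)
        return F2(self.a * o.a - self.b * o.b, self.a * o.b + self.b * o.a)
    def inv(self):                       # (a + bi)^-1 = (a - bi) / (a^2 + b^2)
        n = pow(self.a * self.a + self.b * self.b, P - 2, P)
        return F2(self.a * n, -self.b * n)

A, B = F2(1), F2(0)                      # starting curve E: y^2 = x^3 + x, j(E) = 1728

def sqrt_fp(u):                          # square root in F_p (p = 3 mod 4); None if non-residue
    r = pow(u % P, (P + 1) // 4, P)
    return r if r * r % P == u % P else None

def sqrt_f2(z):                          # square root in F_{p^2}; None if z is a non-square
    if z.b == 0:                         # -1 is a non-residue, so one of +z.a, -z.a is a square
        r = sqrt_fp(z.a)
        return F2(r) if r is not None else F2(0, sqrt_fp(-z.a))
    beta = sqrt_fp(z.a * z.a + z.b * z.b)   # norm of z; a residue iff z is a square
    if beta is None: return None
    half = (P + 1) // 2                  # 1/2 in F_p; exactly one of (a +- beta)/2 is a square
    x0 = sqrt_fp((z.a + beta) * half % P)
    if x0 is None: x0 = sqrt_fp((z.a - beta) * half % P)
    return F2(x0, z.b * pow(2 * x0, P - 2, P) % P)

def add(S, T, a):                        # affine addition on y^2 = x^3 + a*x + b; None is O
    if S is None or T is None: return T if S is None else S
    (x1, y1), (x2, y2) = S, T
    if x1 == x2:
        if y1 + y2 == F2(0): return None
        lam = (x1 * x1 * 3 + a) * (y1 * 2).inv()
    else:
        lam = (y2 - y1) * (x2 - x1).inv()
    x3 = lam * lam - x1 - x2
    return (x3, lam * (x1 - x3) - y1)

def mul(k, T, a):                        # scalar multiplication [k]T by double-and-add
    R = None
    while k:
        if k & 1: R = add(R, T, a)
        T, k = add(T, T, a), k >> 1
    return R

def has_order_2n(Z, a):                  # exact order 2^n: [2^(n-1)]Z != O and [2^n]Z = O
    return Z is not None and mul(2 ** (N_A - 1), Z, a) is not None and mul(2 ** N_A, Z, a) is None

def velu2(x0, a, b):                     # Velu's 2-isogeny with kernel {O, (x0, 0)}
    v = x0 * x0 * 3 + a
    a2, b2 = a - v * 5, b - x0 * v * 7   # codomain y^2 = x^3 + a2*x + b2
    def phi(T):
        if T is None or T[0] == x0: return None
        x, y = T
        d = (x - x0).inv()
        return (x + v * d, y - v * y * d * d)
    return a2, b2, phi

def isogeny_2n(K, a, b, points):         # compose N_A 2-isogenies with kernel <K>, K of order 2^N_A
    pts = list(points)
    for i in range(N_A):
        T = mul(2 ** (N_A - 1 - i), K, a)   # the 2-torsion point below the current K
        a, b, phi = velu2(T[0], a, b)
        K, pts = phi(K), [phi(Q) for Q in pts]
    return a, b, pts                     # codomain coefficients and the images of `points`

def j_inv(a, b):                         # j = 1728 * 4a^3 / (4a^3 + 27b^2)
    a3 = a * a * a * 4
    return a3 * 1728 * (a3 + b * b * 27).inv()

def random_point(rng, a, b):             # random affine point of E(F_{p^2}) that is not 2-torsion
    while True:
        x = F2(rng.randrange(P), rng.randrange(P))
        y = sqrt_f2(x * x * x + a * x + b)
        if y is not None and y != F2(0): return (x, y)

def fault_attack_demo(seed=1):           # slides 22-30: fault x(P_B), read phi_A(P'), recover ker(phi_A-hat)
    rng = random.Random(seed)
    while True:                          # Alice's secret kernel <K>, K of exact order 2^n
        K = mul(COFACTOR, random_point(rng, A, B), A)
        if has_order_2n(K, A): break
    P_B, misses = random_point(rng, A, B), {"twist": 0, "small_order": 0}
    while True:
        x_f = P_B[0] + F2(rng.randrange(1, P), rng.randrange(P))   # corrupted x-coordinate
        y_f = sqrt_f2(x_f * x_f * x_f + A * x_f + B)                # implementation lifts x to y
        if y_f is None:                  # x_f only lifts to the quadratic twist (slide 26)
            misses["twist"] += 1; continue
        a2, b2, (img,) = isogeny_2n(K, A, B, [(x_f, y_f)])          # Alice outputs phi_A(P')
        Z = mul(COFACTOR, img, a2)       # strip the 3^m * f part: Z lies in E_A[2^n]
        if has_order_2n(Z, a2): break    # slide 28: then <Z> = ker(phi_A-hat)
        misses["small_order"] += 1
    a3, b3, _ = isogeny_2n(Z, a2, b2, [])   # E_A / <Z> is the codomain of phi_A-hat, i.e. E
    return {"j_E": j_inv(A, B), "j_E_A": j_inv(a2, b2), "j_recovered": j_inv(a3, b3), "misses": misses}
```

`fault_attack_demo()` returns the $j$-invariants of $E$, of $E_A$ and of $E_A/\langle Z \rangle$ (the first and last agree when the recovery succeeds), together with the number of faults wasted because the corrupted $x$ lifted to the twist or because $Z$ had order below $2^n$, the two failure cases named on slides 26 and 28; the retry loop is the simplest form of the brute force mentioned on slide 28. From the defender's side, the same helpers show what the check costs: validating that an input point lies on the expected curve and has the expected order before evaluating $\varphi_A$ rejects every $P'$ this fault model produces, which is exactly the distinction slide 26 says some implementations skip.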
