harnessing biased faults in attacks on ecc based
play

Harnessing Biased Faults in Attacks on ECC-based Signature Schemes - PowerPoint PPT Presentation

Harnessing Biased Faults in Attacks on ECC-based Signature Schemes Kimmo Jrvinen 1 , Cline Blondeau 1 , Dan Page 2 , Michael Tunstall 2 1 Aalto University, Department of Information and Computer Science, Finland 2 University of Bristol,


  1. Harnessing Biased Faults in Attacks on ECC-based Signature Schemes Kimmo Järvinen 1 , Céline Blondeau 1 , Dan Page 2 , Michael Tunstall 2 1 Aalto University, Department of Information and Computer Science, Finland 2 University of Bristol, Department of Computer Science, UK FDTC 2012, Leuven, Belgium, September 9, 2012

  2. Outline Background Existing attacks Our attack using biased faults Results & discussion Demo Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 2/16

  3. Introduction ◮ We build upon the attack presented by Giraud, Knudsen, and Tunstall in ACISP 2004 and CARDIS 2010 ◮ We show that the attack becomes much more powerful if faults are biased (that is, distributed nonuniformly) and the attacker knows or can accurately estimate the biases ◮ Literature suggests that such phenomena can be produced 0.025 0.025 0.025 0.02 0.02 0.02 0.015 0.015 0.015 Probability Probability Probability 0.01 0.01 0.01 0.005 0.005 0.005 0 0 0 0 50 100 150 200 250 0 50 100 150 200 250 0 50 100 150 200 250 Fault value Fault value Fault value � 0 . 5 , 0 . 5 , 0 . 5 , 0 . 5 , 0 . 5 , 0 . 5 , 0 . 5 , 0 . 5 � � 0 . 4 , 0 . 4 , 0 . 4 , 0 . 4 , 0 . 4 , 0 . 4 , 0 . 4 , 0 . 4 � � 0 . 43 , 0 . 42 , 0 . 32 , 0 . 41 , 0 . 29 , 0 . 49 , 0 . 28 , 0 . 33 � Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 3/16

  4. Outline of the attack(s) 1. Compute Q = d P 2. Inject a w -bit fault f into d so d ′ = d ⊕ ( f · 2 m ) 3. Compute Q ′ = d ′ P 4. Calculate δ = ( d − d ′ ) / 2 m from Q and Q ′ by solving ECDLP δ P = ( Q − Q ′ ) / 2 m 5. Recover information about d using δ (and δ from any previous iterations) 6. Halt if enough information is recovered, otherwise repeat from Step 2 We assume that the attacker has a direct access to Q Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 4/16

  5. The attack of Bao et al. ◮ 1-bit faults � − 2 m P if d i = 0 ◮ Q − Q ′ = ( d − d ′ ) P = + 2 m P if d i = 1 ◮ One fault reveals one key bit ◮ Difficult fault injection Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 5/16

  6. The attack of Giraud et al. ◮ w -bit faults (in their paper: w = 8) ◮ Because d , d ′ ∈ [ 0 , 2 w − 1 ] with d � = d ′ , for the difference δ = d − d ′ we have δ ∈ [ − 2 w + 1 , 2 w − 1 ] \ 0 ◮ But with a specific fixed d , we have δ ∈ [ d − 2 w + 1 , d ] \ 0 − 2 w + 1 2 w − 1 0 Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 6/16

  7. The attack of Giraud et al. ◮ w -bit faults (in their paper: w = 8) ◮ Because d , d ′ ∈ [ 0 , 2 w − 1 ] with d � = d ′ , for the difference δ = d − d ′ we have δ ∈ [ − 2 w + 1 , 2 w − 1 ] \ 0 ◮ But with a specific fixed d , we have δ ∈ [ d − 2 w + 1 , d ] \ 0 ◮ When we observe δ , we learn information about d : max ( 0 , δ ) ≤ d ≤ min ( 2 w − 1 , δ + 2 w − 1 ) ◮ We generate faults until we have enough information − 2 w + 1 2 w − 1 0 Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 6/16

  8. The attack of Giraud et al. ◮ w -bit faults (in their paper: w = 8) ◮ Because d , d ′ ∈ [ 0 , 2 w − 1 ] with d � = d ′ , for the difference δ = d − d ′ we have δ ∈ [ − 2 w + 1 , 2 w − 1 ] \ 0 ◮ But with a specific fixed d , we have δ ∈ [ d − 2 w + 1 , d ] \ 0 ◮ When we observe δ , we learn information about d : max ( 0 , δ ) ≤ d ≤ min ( 2 w − 1 , δ + 2 w − 1 ) ◮ We generate faults until we have enough information − 2 w + 1 2 w − 1 δ [ 0 ] 0 Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 6/16

  9. The attack of Giraud et al. ◮ w -bit faults (in their paper: w = 8) ◮ Because d , d ′ ∈ [ 0 , 2 w − 1 ] with d � = d ′ , for the difference δ = d − d ′ we have δ ∈ [ − 2 w + 1 , 2 w − 1 ] \ 0 ◮ But with a specific fixed d , we have δ ∈ [ d − 2 w + 1 , d ] \ 0 ◮ When we observe δ , we learn information about d : max ( 0 , δ ) ≤ d ≤ min ( 2 w − 1 , δ + 2 w − 1 ) ◮ We generate faults until we have enough information − 2 w + 1 2 w − 1 δ [ 1 ] 0 Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 6/16

  10. Example: Giraud’s attack N 0 δ 0 d min d max 15 − 15 − 10 − 5 0 5 10 15 Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  11. Example: Giraud’s attack N 0 1 δ 6 0 6 d min d max 15 15 − 15 − 10 − 5 0 5 10 15 δ [ 0 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  12. Example: Giraud’s attack N 0 1 2 δ 6 − 2 0 6 6 d min d max 15 15 13 − 15 − 10 − 5 0 5 10 15 δ [ 1 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  13. Example: Giraud’s attack N 0 1 2 3 δ 6 − 2 8 0 6 6 8 d min d max 15 15 13 13 − 15 − 10 − 5 0 5 10 15 δ [ 2 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  14. Example: Giraud’s attack N 0 1 2 3 4 δ 6 − 2 8 3 0 6 6 8 8 d min d max 15 15 13 13 13 − 15 − 10 − 5 0 5 10 15 δ [ 3 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  15. Example: Giraud’s attack N 0 1 2 3 4 5 δ 6 − 2 8 3 1 0 6 6 8 8 8 d min d max 15 15 13 13 13 13 − 15 − 10 − 5 0 5 10 15 δ [ 4 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  16. Example: Giraud’s attack N 0 1 2 3 4 5 6 δ 6 − 2 8 3 1 4 0 6 6 8 8 8 8 d min d max 15 15 13 13 13 13 13 − 15 − 10 − 5 0 5 10 15 δ [ 6 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  17. Example: Giraud’s attack N 0 1 2 3 4 5 6 7 δ 6 − 2 8 3 1 4 1 0 6 6 8 8 8 8 8 d min d max 15 15 13 13 13 13 13 13 − 15 − 10 − 5 0 5 10 15 δ [ 7 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  18. Example: Giraud’s attack N 0 1 2 3 4 5 6 7 8 δ 6 − 2 8 3 1 4 1 12 0 6 6 8 8 8 8 8 12 d min d max 15 15 13 13 13 13 13 13 13 − 15 − 10 − 5 0 5 10 15 δ [ 8 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  19. Example: Giraud’s attack N 0 1 2 3 4 5 6 7 8 9 δ 6 − 2 8 3 1 4 1 12 5 0 6 6 8 8 8 8 8 12 12 d min d max 15 15 13 13 13 13 13 13 13 13 − 15 − 10 − 5 0 5 10 15 δ [ 9 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  20. Example: Giraud’s attack N 0 1 2 3 4 5 6 7 8 9 10 δ 6 − 2 8 3 1 4 1 12 5 13 0 6 6 8 8 8 8 8 12 12 13 d min d max 15 15 13 13 13 13 13 13 13 13 13 − 15 − 10 − 5 0 5 10 13 15 δ [ 10 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  21. Biased faults Definition A fault f is biased iff Pr [ f = x ] � = |F| − 1 for some x . That is, some values are more probable than others. ◮ We consider a bias where the flipping probability of the i th key bit is determined by ǫ i : Pr [ f i = 1 ] = 1 2 + ǫ i ◮ Hence, � 1 � w − 1 2 + ( − 1 ) x i ǫ i � i = 0 Pr [ f = x ] = � 1 1 − � w − 1 � 2 − ǫ i i = 0 ◮ The attack applies also for other kind of biases. For instance, if faults are biased by the values of key bits ◮ We assume that the attacker knows ǫ i ’s Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 8/16

  22. Probability of a key candidate ◮ From Pr [ f ] ’s, we get Pr [ δ | d ] for all possible observations and key values ◮ Observations are collected in ∆ = � δ [ 0 ] , δ [ 1 ] , . . . , δ [ N − 1 ] � ◮ We can then calculate Pr [ d | ∆] for all key candidates by using Bayesian deduction: � N − 1 i = 0 Pr [ δ [ i ] | d ] Pr [ d | ∆] = � N − 1 � i = 0 Pr [ δ [ i ] | j ] j ∈K ◮ Let ˆ d be the most probable candidate Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 9/16

  23. Example w = 4 and ǫ = − 1 / 8 Pr[ δ | d ] 0 0.1 0.09 2 0.08 4 0.07 6 0.06 d 8 0.05 0.04 10 0.03 12 0.02 14 0.01 −15 −10 −5 0 5 10 15 δ d N δ [ i ] 0 . . . 5 6 7 8 9 10 11 12 13 14 15 Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 10/16

  24. Example w = 4 and ǫ = − 1 / 8 Pr[ δ | d ] 0 0.1 0.09 2 0.08 4 0.07 6 0.06 d 8 0.05 0.04 10 0.03 12 0.02 14 0.01 −15 −10 −5 0 5 10 15 δ d N δ [ i ] 0 . . . 5 6 7 8 9 10 11 12 13 14 15 1 6 0 . . . 0 0.11 0.11 0.11 0.11 0.07 0.07 0.11 0.11 0.11 0.11 Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 10/16

Recommend


More recommend