harnessing biased faults in attacks on ecc based
play

Harnessing Biased Faults in Attacks on ECC-based Signature Schemes - PowerPoint PPT Presentation

Aug 24, 2023 •187 likes •590 views

Harnessing Biased Faults in Attacks on ECC-based Signature Schemes Kimmo Jrvinen 1 , Cline Blondeau 1 , Dan Page 2 , Michael Tunstall 2 1 Aalto University, Department of Information and Computer Science, Finland 2 University of Bristol,

  1. Harnessing Biased Faults in Attacks on ECC-based Signature Schemes Kimmo Järvinen 1 , Céline Blondeau 1 , Dan Page 2 , Michael Tunstall 2 1 Aalto University, Department of Information and Computer Science, Finland 2 University of Bristol, Department of Computer Science, UK FDTC 2012, Leuven, Belgium, September 9, 2012

  2. Outline Background Existing attacks Our attack using biased faults Results & discussion Demo Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 2/16

  3. Introduction ◮ We build upon the attack presented by Giraud, Knudsen, and Tunstall in ACISP 2004 and CARDIS 2010 ◮ We show that the attack becomes much more powerful if faults are biased (that is, distributed nonuniformly) and the attacker knows or can accurately estimate the biases ◮ Literature suggests that such phenomena can be produced 0.025 0.025 0.025 0.02 0.02 0.02 0.015 0.015 0.015 Probability Probability Probability 0.01 0.01 0.01 0.005 0.005 0.005 0 0 0 0 50 100 150 200 250 0 50 100 150 200 250 0 50 100 150 200 250 Fault value Fault value Fault value � 0 . 5 , 0 . 5 , 0 . 5 , 0 . 5 , 0 . 5 , 0 . 5 , 0 . 5 , 0 . 5 � � 0 . 4 , 0 . 4 , 0 . 4 , 0 . 4 , 0 . 4 , 0 . 4 , 0 . 4 , 0 . 4 � � 0 . 43 , 0 . 42 , 0 . 32 , 0 . 41 , 0 . 29 , 0 . 49 , 0 . 28 , 0 . 33 � Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 3/16

  4. Outline of the attack(s) 1. Compute Q = d P 2. Inject a w -bit fault f into d so d ′ = d ⊕ ( f · 2 m ) 3. Compute Q ′ = d ′ P 4. Calculate δ = ( d − d ′ ) / 2 m from Q and Q ′ by solving ECDLP δ P = ( Q − Q ′ ) / 2 m 5. Recover information about d using δ (and δ from any previous iterations) 6. Halt if enough information is recovered, otherwise repeat from Step 2 We assume that the attacker has a direct access to Q Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 4/16

  5. The attack of Bao et al. ◮ 1-bit faults � − 2 m P if d i = 0 ◮ Q − Q ′ = ( d − d ′ ) P = + 2 m P if d i = 1 ◮ One fault reveals one key bit ◮ Difficult fault injection Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 5/16

  6. The attack of Giraud et al. ◮ w -bit faults (in their paper: w = 8) ◮ Because d , d ′ ∈ [ 0 , 2 w − 1 ] with d � = d ′ , for the difference δ = d − d ′ we have δ ∈ [ − 2 w + 1 , 2 w − 1 ] \ 0 ◮ But with a specific fixed d , we have δ ∈ [ d − 2 w + 1 , d ] \ 0 − 2 w + 1 2 w − 1 0 Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 6/16

  7. The attack of Giraud et al. ◮ w -bit faults (in their paper: w = 8) ◮ Because d , d ′ ∈ [ 0 , 2 w − 1 ] with d � = d ′ , for the difference δ = d − d ′ we have δ ∈ [ − 2 w + 1 , 2 w − 1 ] \ 0 ◮ But with a specific fixed d , we have δ ∈ [ d − 2 w + 1 , d ] \ 0 ◮ When we observe δ , we learn information about d : max ( 0 , δ ) ≤ d ≤ min ( 2 w − 1 , δ + 2 w − 1 ) ◮ We generate faults until we have enough information − 2 w + 1 2 w − 1 0 Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 6/16

  8. The attack of Giraud et al. ◮ w -bit faults (in their paper: w = 8) ◮ Because d , d ′ ∈ [ 0 , 2 w − 1 ] with d � = d ′ , for the difference δ = d − d ′ we have δ ∈ [ − 2 w + 1 , 2 w − 1 ] \ 0 ◮ But with a specific fixed d , we have δ ∈ [ d − 2 w + 1 , d ] \ 0 ◮ When we observe δ , we learn information about d : max ( 0 , δ ) ≤ d ≤ min ( 2 w − 1 , δ + 2 w − 1 ) ◮ We generate faults until we have enough information − 2 w + 1 2 w − 1 δ [ 0 ] 0 Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 6/16

  9. The attack of Giraud et al. ◮ w -bit faults (in their paper: w = 8) ◮ Because d , d ′ ∈ [ 0 , 2 w − 1 ] with d � = d ′ , for the difference δ = d − d ′ we have δ ∈ [ − 2 w + 1 , 2 w − 1 ] \ 0 ◮ But with a specific fixed d , we have δ ∈ [ d − 2 w + 1 , d ] \ 0 ◮ When we observe δ , we learn information about d : max ( 0 , δ ) ≤ d ≤ min ( 2 w − 1 , δ + 2 w − 1 ) ◮ We generate faults until we have enough information − 2 w + 1 2 w − 1 δ [ 1 ] 0 Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 6/16

  10. Example: Giraud’s attack N 0 δ 0 d min d max 15 − 15 − 10 − 5 0 5 10 15 Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  11. Example: Giraud’s attack N 0 1 δ 6 0 6 d min d max 15 15 − 15 − 10 − 5 0 5 10 15 δ [ 0 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  12. Example: Giraud’s attack N 0 1 2 δ 6 − 2 0 6 6 d min d max 15 15 13 − 15 − 10 − 5 0 5 10 15 δ [ 1 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  13. Example: Giraud’s attack N 0 1 2 3 δ 6 − 2 8 0 6 6 8 d min d max 15 15 13 13 − 15 − 10 − 5 0 5 10 15 δ [ 2 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  14. Example: Giraud’s attack N 0 1 2 3 4 δ 6 − 2 8 3 0 6 6 8 8 d min d max 15 15 13 13 13 − 15 − 10 − 5 0 5 10 15 δ [ 3 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  15. Example: Giraud’s attack N 0 1 2 3 4 5 δ 6 − 2 8 3 1 0 6 6 8 8 8 d min d max 15 15 13 13 13 13 − 15 − 10 − 5 0 5 10 15 δ [ 4 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  16. Example: Giraud’s attack N 0 1 2 3 4 5 6 δ 6 − 2 8 3 1 4 0 6 6 8 8 8 8 d min d max 15 15 13 13 13 13 13 − 15 − 10 − 5 0 5 10 15 δ [ 6 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  17. Example: Giraud’s attack N 0 1 2 3 4 5 6 7 δ 6 − 2 8 3 1 4 1 0 6 6 8 8 8 8 8 d min d max 15 15 13 13 13 13 13 13 − 15 − 10 − 5 0 5 10 15 δ [ 7 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  18. Example: Giraud’s attack N 0 1 2 3 4 5 6 7 8 δ 6 − 2 8 3 1 4 1 12 0 6 6 8 8 8 8 8 12 d min d max 15 15 13 13 13 13 13 13 13 − 15 − 10 − 5 0 5 10 15 δ [ 8 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  19. Example: Giraud’s attack N 0 1 2 3 4 5 6 7 8 9 δ 6 − 2 8 3 1 4 1 12 5 0 6 6 8 8 8 8 8 12 12 d min d max 15 15 13 13 13 13 13 13 13 13 − 15 − 10 − 5 0 5 10 15 δ [ 9 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  20. Example: Giraud’s attack N 0 1 2 3 4 5 6 7 8 9 10 δ 6 − 2 8 3 1 4 1 12 5 13 0 6 6 8 8 8 8 8 12 12 13 d min d max 15 15 13 13 13 13 13 13 13 13 13 − 15 − 10 − 5 0 5 10 13 15 δ [ 10 ] Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 7/16

  21. Biased faults Definition A fault f is biased iff Pr [ f = x ] � = |F| − 1 for some x . That is, some values are more probable than others. ◮ We consider a bias where the flipping probability of the i th key bit is determined by ǫ i : Pr [ f i = 1 ] = 1 2 + ǫ i ◮ Hence, � 1 � w − 1 2 + ( − 1 ) x i ǫ i � i = 0 Pr [ f = x ] = � 1 1 − � w − 1 � 2 − ǫ i i = 0 ◮ The attack applies also for other kind of biases. For instance, if faults are biased by the values of key bits ◮ We assume that the attacker knows ǫ i ’s Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 8/16

  22. Probability of a key candidate ◮ From Pr [ f ] ’s, we get Pr [ δ | d ] for all possible observations and key values ◮ Observations are collected in ∆ = � δ [ 0 ] , δ [ 1 ] , . . . , δ [ N − 1 ] � ◮ We can then calculate Pr [ d | ∆] for all key candidates by using Bayesian deduction: � N − 1 i = 0 Pr [ δ [ i ] | d ] Pr [ d | ∆] = � N − 1 � i = 0 Pr [ δ [ i ] | j ] j ∈K ◮ Let ˆ d be the most probable candidate Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 9/16

  23. Example w = 4 and ǫ = − 1 / 8 Pr[ δ | d ] 0 0.1 0.09 2 0.08 4 0.07 6 0.06 d 8 0.05 0.04 10 0.03 12 0.02 14 0.01 −15 −10 −5 0 5 10 15 δ d N δ [ i ] 0 . . . 5 6 7 8 9 10 11 12 13 14 15 Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 10/16

  24. Example w = 4 and ǫ = − 1 / 8 Pr[ δ | d ] 0 0.1 0.09 2 0.08 4 0.07 6 0.06 d 8 0.05 0.04 10 0.03 12 0.02 14 0.01 −15 −10 −5 0 5 10 15 δ d N δ [ i ] 0 . . . 5 6 7 8 9 10 11 12 13 14 15 1 6 0 . . . 0 0.11 0.11 0.11 0.11 0.07 0.07 0.11 0.11 0.11 0.11 Fault Diagnosis and Tolerance in Cryptography (FDTC 2012) Sept. 9, 2012, Leuven, Belgium 10/16

Recommend

Thermo Attacks - On Temperature Side Channels and Heating Faults Michael Hutter and J orn-Marc

Thermo Attacks - On Temperature Side Channels and Heating Faults Michael Hutter and J orn-Marc

Introduction SCA Faults Remanence Conclusions 1 / 24 Thermo Attacks - On Temperature Side Channels and Heating Faults Michael Hutter and J orn-Marc Schmidt February 28, 2014 Michael Hutter and J orn-Marc Schmidt Introduction SCA

528 views • 24 slides
Ubiquitous faults T-79.4001 Seminar on Theoretical Computer Science Tero Pietilinen 4.4.2007

Ubiquitous faults T-79.4001 Seminar on Theoretical Computer Science Tero Pietilinen 4.4.2007

Nature of ubiquitous faults Communication Faults and Agreement Limits to Number of Ubiquitous Faults for Majority Unanimity in Spite of Ubiquitous Faults Ubiquitous faults T-79.4001 Seminar on Theoretical Computer Science Tero Pietilinen

685 views • 36 slides
W HAT A BOUT P AXOS ? Paxos tolerates a minority of processing failing by crashing . What

W HAT A BOUT P AXOS ? Paxos tolerates a minority of processing failing by crashing . What

B YZANTINE F AULT T OLERANCE Ellis Michael A H IERARCHY OF F AULT M ODELS No faults Crash faults Byzantine faults People who use tabs instead of spaces B YZANTINE F AULTS Also called "general" or "arbitrary" faults.

563 views • 31 slides
Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr. Principal Software Engineer 2019/02/19 What are cache based attacks ? In cryptography In cryptographic operations, leaking the internal state of a

338 views • 8 slides
Facing Up to Faults Facing Up to Faults Facing Up to Faults (v.2.0.1) (v.2.0.1) (v.2.0.1)

Facing Up to Faults Facing Up to Faults Facing Up to Faults (v.2.0.1) (v.2.0.1) (v.2.0.1)

Facing Up to Faults Facing Up to Faults Facing Up to Faults (v.2.0.1) (v.2.0.1) (v.2.0.1) Brian Randell Brian Randell Brian Randell WADS-3, May 2004 1 The Menu The Menu The Menu On Dependability Concepts On Fault Assumptions

600 views • 20 slides
New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

Introduction New generic attacks HMAC-GOST key-recovery Conclusion New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs Asiacrypt 2013 1 / 22 . . . . . . . . . . . . . . . . . Gatan Leurent,

759 views • 52 slides
Digital Learning Trail: Harnessing ICT to Facilitate Inquiry-Based Learning Tan Yew Hock

Digital Learning Trail: Harnessing ICT to Facilitate Inquiry-Based Learning Tan Yew Hock

Digital Learning Trail: Harnessing ICT to Facilitate Inquiry based Learning Digital Learning Trail: Harnessing ICT to Facilitate Inquiry-Based Learning Tan Yew Hock Crescent Girls School Empowering Ladies and Leaders of Tomorrow

187 views • 7 slides
A biased perspective based on our participation on a HEPAP sub-panel in mid-FY15 W. Barletta

A biased perspective based on our participation on a HEPAP sub-panel in mid-FY15 W. Barletta

U.S. Accelerator R&D for High Energy Physics A biased perspective based on our participation on a HEPAP sub-panel in mid-FY15 W. Barletta Dept. of Physics, MIT & UCLA Economics Faculty, University of Ljubljana Director, US Particle

809 views • 46 slides
I m pact of I nterm ittent Faults on Nanocom puting Devices Cristian Constantinescu June 28th,

I m pact of I nterm ittent Faults on Nanocom puting Devices Cristian Constantinescu June 28th,

I m pact of I nterm ittent Faults on Nanocom puting Devices Cristian Constantinescu June 28th, 2007 Dependable Systems and Networks Outline Fault classes Permanent faults Transient faults Intermittent faults Field

709 views • 24 slides
INTERACTING FAULTS By Tyler Lagasse Faults typically form as a network How do we best

INTERACTING FAULTS By Tyler Lagasse Faults typically form as a network How do we best

INTERACTING FAULTS By Tyler Lagasse Faults typically form as a network How do we best interpret interacting faults and tell between different types of fault interaction? INTRODUCTION HOW DOES A FAULT NETWORK FORM? Forms within single

549 views • 21 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
Biased coins, blindfold players Vincius G. Pereira de S

Biased coins, blindfold players Vincius G. Pereira de S

Biased coins, blindfold players Vincius G. Pereira de S based on the paper Blind-friendly von Neumanns heads or tails, to appear

810 views • 78 slides
Fault Diagnosis of Discrete-Event Systems Alejandro White, Doctoral Candidate Advisor: Dr.

Fault Diagnosis of Discrete-Event Systems Alejandro White, Doctoral Candidate Advisor: Dr.

Fault Diagnosis of Discrete-Event Systems Alejandro White, Doctoral Candidate Advisor: Dr. Karimoddini Motivation Faults are always u Faults are unwanted u Faults are arbitrary u Faults are costly u Faults are DEADLY u Our motivation

495 views • 24 slides
Using Controlled Numbers of Real Faults and Mutants to Empirically Evaluate Coverage-Based Test

Using Controlled Numbers of Real Faults and Mutants to Empirically Evaluate Coverage-Based Test

Using Controlled Numbers of Real Faults and Mutants to Empirically Evaluate Coverage-Based Test Case Prioritization Gregory Kapfhammer Gordon Fraser Phil McMinn David Paterson University of Sheffield Allegheny College University of Passau

652 views • 32 slides
Harnessing Crowd-Sourcing to Assess Genes based on Effect Size Using Visual Inference Methods

Harnessing Crowd-Sourcing to Assess Genes based on Effect Size Using Visual Inference Methods

Harnessing Crowd-Sourcing to Assess Genes based on Effect Size Using Visual Inference Methods Di Cook, Monash University Joint work with Niladri Roy Chowdhury, Eric Hare, Mahbub Majumder, Michelle Graham, Tengfei Yin, Heike Hofmann Outline

1.08k views • 86 slides
A biased history of equality in type theory Some equations are more equal than others James

A biased history of equality in type theory Some equations are more equal than others James

A biased history of equality in type theory Some equations are more equal than others James Chapman Institute of Cybernetics, Tallinn Semantics days - Andu A typical biased history Famous work by genius 350 BC (e.g. Aristotle) time All of

396 views • 22 slides
Discovering and Ranking Web Services with BASIL: A Personalized Approach with Biased Focus James

Discovering and Ranking Web Services with BASIL: A Personalized Approach with Biased Focus James

Discovering and Ranking Web Services with BASIL: A Personalized Approach with Biased Focus James Caverlee , Ling Liu, and Daniel Rocco College of Computing Georgia Institute of Technology ICSOC 2004 Categorization-based Service Discovery

771 views • 28 slides
Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs

Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs

Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs marc.joye@thomson.net CryptoPuces 2009 Porquerolles, June 26, 2009 Outline Elliptic Curve Cryptography Inducing Faults Fault Attacks Countermeasures

363 views • 24 slides
Biased landscape in random constraint satisfaction problems Louise Budzynski LPENS, PhD with

Biased landscape in random constraint satisfaction problems Louise Budzynski LPENS, PhD with

Biased landscape in random constraint satisfaction problems Louise Budzynski LPENS, PhD with Guilhem Semerjian June 30, 2020 Table of contents 1. Introduction 2. Biased measure over the set of solutions 3. Large k asymptotics of the

348 views • 22 slides
On Faults and Faulty Programs Ali Jaoua, Marcelo Frias, Ali Mili RAMICS 2014 Marienstatt im

On Faults and Faulty Programs Ali Jaoua, Marcelo Frias, Ali Mili RAMICS 2014 Marienstatt im

On Faults and Faulty Programs Ali Jaoua, Marcelo Frias, Ali Mili RAMICS 2014 Marienstatt im Westerwald, Apr/May 2014 Outline Whats Wrong with Faults Correctness and Relative Correctness Faults and Monotonic Fault Removal

766 views • 41 slides
Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

Introduction Motivations and Contributions Preliminaries Our Main Idea Main Results Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks? Chen-Dong Ye and Tian Tian . . . . . . Chen-Dong Ye and Tian

734 views • 58 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (10/16/06) I E S R C E O V

UMBC A B M A L T F O U M B C I M Y O R T 1 (10/16/06) I E S R C E O V

VLSI Design Verification and Test Faults I CMPE 646 Defects, Errors and Faults Models bridge the gap between physical reality and a mathematical abstraction and allow for development of analytical tools. Definitions: Defect : An untended

253 views • 21 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (10/3/07) I E S R C E O V U

UMBC A B M A L T F O U M B C I M Y O R T 1 (10/3/07) I E S R C E O V U

VLSI Design Verification and Test Faults I CMPE 646 Defects, Errors and Faults Models bridge the gap between physical reality and a mathematical abstraction and allow for development of analytical tools. Definitions: Defect : An untended

249 views • 21 slides
Harnessing Harnessing Grid Resources with Grid Resources with Data- -Centric Task Farms

Harnessing Harnessing Grid Resources with Grid Resources with Data- -Centric Task Farms

Harnessing Harnessing Grid Resources with Grid Resources with Data- -Centric Task Farms Centric Task Farms Data Ioan Raicu Distributed Systems Laboratory Computer Science Department University of Chicago Committee Members: Ian Foster:

750 views • 58 slides

More recommend