Lattice Attacks against Elliptic-Curve Signatures with Blinded - PowerPoint PPT Presentation

Lattice Attacks against Elliptic-Curve Signatures with Blinded Scalar Multiplication Dahmun Goudarzi, Matthieu Rivain, Damien Vergnaud SAC 2016, 12 Aug, St. Johns

Outline � EC signature schemes based on random nonces ◮ σ computed from [ k ] P , k ← $ ◮ σ + k ⇒ secret key ◮ lattice attack: few bits of several k i ⇒ secret key � Scenario: ◮ implementation with countermeasures against SCA ◮ blinding of the nonce ◮ noisy side-channel leakage on the bits of the blinded nonce � Issue: noisy information on blinded nonces ⇒ lattice attack

Outline � Approach: ◮ template attack ⇒ probability scores ◮ probability scores ⇒ bit-selection algorithm ◮ selected bits ⇒ lattice attack ◮ dealing with blinding � Presentation: ◮ ECDSA ◮ target implementation & leakage model ◮ Howgrave-Graham and Smart lattice attack ◮ bit selection ◮ experimental results

ECDSA

� Key pair ( x, Q ) with Q = [ x ] P ∈ E ( K )

� Key pair ( x, Q ) with Q = [ x ] P ∈ E ( K ) � Signature of h = H ( m ) $ ← − [1; q ] ( q = | E ( K ) | ) k t = xcoord ([ k ] P ) s = h + t · x (mod q ) k

� Key pair ( x, Q ) with Q = [ x ] P ∈ E ( K ) � Signature of h = H ( m ) $ ← − [1; q ] ( q = | E ( K ) | ) ⇒ random nonce k k t = xcoord ([ k ] P ) s = h + t · x (mod q ) ⇒ signature σ = ( t, s ) k

� Key pair ( x, Q ) with Q = [ x ] P ∈ E ( K ) � Signature of h = H ( m ) $ ← − [1; q ] ( q = | E ( K ) | ) ⇒ random nonce k k t = xcoord ([ k ] P ) s = h + t · x (mod q ) ⇒ signature σ = ( t, s ) k � Verification of σ = ( t, s ) k = h + t · x s

� Key pair ( x, Q ) with Q = [ x ] P ∈ E ( K ) � Signature of h = H ( m ) $ ← − [1; q ] ( q = | E ( K ) | ) ⇒ random nonce k k t = xcoord ([ k ] P ) s = h + t · x (mod q ) ⇒ signature σ = ( t, s ) k � Verification of σ = ( t, s ) k = h + t · x s � h � � t · x � ? [ k ] P = P + P s s ���� � �� � t � � t Q s

Target implementation and leakage model

Target implementation � Regular binary algorithm ( e.g. Montgomery ladder) � Classical side-channel countermeasures: ◮ randomization of point coordinates ◮ scalar blinding Classic blinding : Euclidean blinding : $ [0 , 2 λ − 1] $ [1 , 2 λ − 1] 1 . r ← − [ ] 1 . r ← − [ ] 2 . a ← k + r · q 2 . a ← ⌊ k/r ⌋ ; b ← k mod r 3 . return [ a ] P 3 . return [ r ]([ a ] P ) + [ b ] P

Leakage model Algorithm 1 Montgomery ladder Input: blinded nonce a Output: [ a ] P 1. P 0 ← O ; P 1 ← P 2. for i = ℓ − 1 downto 0 do P 1 − a i ← P 1 − a i + P a i 3. P a i ← 2 P a i 4. 5. end for 6. return P 0 � Loop iteration: ( P 0 , P 1 ) ← f ( a i , P 0 , P 1 ) ⇒ leaks Ψ( a i , P 0 , P 1 ) � Gaussian leakage assumption: Ψ( a i , P 0 , P 1 ) ∼ N ( m a i , Σ)

Template attacker � Get a side-channel trace ( ψ ℓ − 1 , . . . , ψ 1 , ψ 0 ) � For every i , use leakage templates to decide ψ i ∼ Ψ(0) or ψ i ∼ Ψ(1) � Maximum likelihood � 2 ( ψ i − m 0 ) t · Σ − 1 · ( ψ i − m 0 ) � 1 Pr[ a i = 0 | ψ i ] = cst · exp − � 2 ( ψ i − m 1 ) t · Σ − 1 · ( ψ i − m 1 ) � 1 Pr[ a i = 1 | ψ i ] = cst · exp − � We get Pr[ a i = 0 | ψ i ] ∼ D θ ( a i ) with where Λ t Λ = Σ θ = Λ · ( m 0 − m 1 ) � �� � multivariate SNR

Howgrave-Graham and Smart attack with blinded nonces

ℓ λ k a a = k + r · q

ℓ λ k a a = k + r · q known unknown

ℓ λ k a 0 σ 0 = ( s 0 , t 0 ) a 1 σ 1 = ( s 1 , t 1 ) a n σ n = ( s n , t n )

ℓ λ k a 0 σ 0 = ( s 0 , t 0 ) a 1 σ 1 = ( s 1 , t 1 ) a n σ n = ( s n , t n ) x ≡ a i · s i − h i (mod q ) t i

ℓ λ k a 0 σ 0 = ( s 0 , t 0 ) a 1 σ 1 = ( s 1 , t 1 ) a n σ n = ( s n , t n ) x ≡ a i · s i − h i ≡ a 0 · s 0 − h 0 (mod q ) t i t 0

ℓ λ k a 0 σ 0 = ( s 0 , t 0 ) a 1 σ 1 = ( s 1 , t 1 ) a n σ n = ( s n , t n ) x ≡ a i · s i − h i ≡ a 0 · s 0 − h 0 (mod q ) t i t 0 ⇔ a i + A a 0 + B ≡ 0 (mod q )

a i a 0 + A × + B ≡ 0 (mod q )

a i a 0 + A × + B ≡ 0 (mod q ) ⇔ x i, 1 + α i, 2 · x i, 2 + α i, 3 · x i, 3 + · · · + β i, 1 · x 0 , 1 + β i, 2 · x 0 , 2 + β i, 3 · x 0 , 3 + · · · + γ i ≡ 0 (mod q )

a i a 0 + A × + B ≡ 0 (mod q ) ⇔ x i, 1 + α i, 2 · x i, 2 + α i, 3 · x i, 3 + · · · + β i, 1 · x 0 , 1 + β i, 2 · x 0 , 2 + β i, 3 · x 0 , 3 + · · · · q + γ i = η i

x i, 1 + α i, 2 · x i, 2 + α i, 3 · x i, 3 + · · · + β i, 1 · x 0 , 1 + β i, 2 · x 0 , 2 + β i, 3 · x 0 , 3 + · · · + γ i = η i · q ⇒ n equations (for i = 1 , 2 , . . . , n )

α i, 2 · x i, 2 + α i, 3 · x i, 3 + · · · + β i, 1 · x 0 , 1 + β i, 2 · x 0 , 2 + β i, 3 · x 0 , 3 + · · · · q = η i x i, 1 + γ i ⇒ n equations (for i = 1 , 2 , . . . , n )

          α i, 2 · x i, 2 + α i, 3 · x i, 3 + · · ·         . + β i, 1 · x 0 , 1 + β i, 2 · x 0 , 2 + β i, 3 · x 0 , 3 + · · ·  .  .       · q = η i x i, 1 + γ i           ⇒ n equations (for i = 1 , 2 , . . . , n )     .  .  .                 .   . .       ( α 1 ,j ) j ( β 1 ,j ) j q γ 1 + ( α 2 ,j ) j ( β 2 ,j ) j q × = γ 2 +         . ... ...    .  .     ( α n,j ) j ( β n,j ) j q γ n +

          α i, 2 · + α i, 3 · + · · · x i, 2 x i, 3         + β i, 1 · x 0 , 1 + β i, 2 · x 0 , 2 + β i, 3 · x 0 , 3 + · · · .  .  .       η i · q = x i, 1 + γ i             ⇒ n equations (for i = 1 , 2 , . . . , n )   .   .  .                .   .  .      γ 1 + ( α 1 ,j ) j ( β 1 ,j ) j q γ 2 +  ( α 2 ,j ) j ( β 2 ,j ) j q        . ... ...    .  .         γ n +  ( α n,j ) j ( β n,j ) j q                         1        ×   =   1             .     .    .           ...                            .     .  .    1

Lattice problem � There exists y st: M · y = v + x where v = ( γ 1 , γ 2 , . . . , γ n , 0 , 0 , · · · , 0) x is the vector of unknown blocks � CVP (Closest Vector Problem): v ⇒ ( v + x ) � 1 � ( v + x ) − v � ≤ c 0 dim( M ) det( M ) dim( M ) � �� � � x � √ c 0 ≈ 1 / 2 π e (heuristic)

Lattice attack parameters � Sum of contributions: n � ( δ i − λ − c 1 · N i ) ≥ ℓ i =0 where δ i = number of known bits in a i N i = number of unknown blocks in a i � Loss λ bits per blinded nonce � Linear term c 1 · N i ◮ overlooked in the original paper ◮ significant in our context ◮ heuristically c 1 ≈ − log 2 ( c 0 ) ≈ 2 . 05 ◮ higher in practice

Experiments Practical c 1 values for a 95% success rate: ( n + 1) = 5 ( n + 1) = 10 ( n + 1) = 20 N b = 5 10 25 50 10 20 50 100 20 40 100 λ = 0 3.60 2.60 2.56 2.90 4.10 3.30 3.52 3.57 4.85 4.42 4.51 λ = 16 3.40 2.60 2.40 3.02 4.20 3.15 3.40 4.20 5.25 4.77 4.96 λ = 32 3.40 2.60 2.60 2.68 3.90 3.10 3.60 n/a 4.95 4.50 n/a λ = 64 3.20 2.80 2.36 n/a 3.70 3.55 3.68 n/a 4.80 4.60 n/a � CVP algorithm: the embedding method � For tested parameters: 2 . 3 < c 1 < 5 . 3

Attack on leaking implementations

a i

a i leak ∼ Ψ( a i, 0 ) Pr[ a i, 0 = 0]

a i leak ∼ Ψ( a i, 1 ) Pr[ a i, 1 = 0]

a i leak ∼ Ψ( a i, 2 ) Pr[ a i, 2 = 0]

a i leak ∼ Ψ( a i,j ) Pr[ a i,j = 0]

a i leak ∼ Ψ( a i,j ) Pr[ a i,j = 0]

a i leak ∼ Ψ( a i,j ) Pr[ a i,j = 0] � Guess ˆ a i,j = argmax Pr[ a i,j = b ] b ∈{ 0 , 1 } � Good-guess probability p i,j := Pr[ a i,j = ˆ a i,j ] = max b ∈{ 0 , 1 } Pr[ a i,j = b ] � Select some guess bits to construct the lattice

I

I J i

I J i � Goal: select I and ( J i ) i ∈ I to maximize � � success proba = p i,j i ∈ I j ∈ J i such that � � ( | J i | − λ − c 1 · N i ) ≥ ℓ and N i ≤ ∆ max i ∈ I i ∈ I � �� � � �� � CVP constraint lattice dimension

� For each selected set J i CVP constraint += | J i | − λ − c 1 · N i ( must reach ℓ ) dim( L ) += N i ( must not exceed ∆ max ) � success proba × = p i,j j ∈ J i � Select J i to maximize 1 � � � | Ji |− λ − c 1 Ni γ i = p i,j j ∈ J i � Efficient algorithm based on dynamic programming

Euclidean case