New Bleichenbacher Records: Fault Attacks on qDSA Signatures (CHES 2018), slide transcript

  1. New Bleichenbacher Records: Fault Attacks on qDSA Signatures. CHES 2018. Akira Takahashi (1), Mehdi Tibouchi (1, 2), Masayuki Abe (1, 2). September 12, 2018. (1) Kyoto University, (2) NTT Secure Platform Laboratories

  2. Outline
     • Introduction
     • Contribution 1. Optimizing Bleichenbacher's Attack
     • Contribution 2. Fault Attacks on qDSA Signature
     • Contribution 3. Record-breaking Implementation of Nonce Attack
     • Wrap-up

  Introduction

  3. Motivating Example: Schnorr Signature Scheme
     • One of the simplest and most widely used digital signature schemes
     • Most notable variant: (EC)DSA
     • Secure in the ROM (random oracle model) if the discrete logarithm problem (DLP) is hard
     • Relies on an ephemeral random value known as the nonce

  4. Nonce in Schnorr Signatures
     [Diagram: Alice signs a message with her secret key; the signed message (a bit string) goes to Bob, who verifies it with Alice's public key and outputs 0/1]
     • $k$ is called the nonce. It satisfies $k \equiv s + h d \pmod{n}$, where $h$ and $s$ are public (they travel with the signed message) and $d$ is Alice's secret key
     • $k$ should NOT be reused/exposed

  5. Risk of biased/leaky nonce
     [Diagram: Alice's signed messages reach the adversary; the nonces behind them are biased or partially leaked]
     • But what if $k$ is slightly biased or partially leaked?
     • The adversary could bypass the (EC)DLP and steal the secret $d$ by solving the hidden number problem (HNP)!
     • Nonce: very sensitive!
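The relation on slide 4 and the "should NOT be reused" warning, worked through in code. This is an added example for this transcript, not the authors' code and not qDSA: it is textbook Schnorr over a deliberately tiny prime-order subgroup of $\mathbb{Z}_p^*$ (p = 2039, q = 1019, g = 4, all my choices, so the arithmetic stays readable) with SHA-256 as the challenge hash. The messages are constructed sample inputs. It shows that $k = s + h d \pmod q$ holds for every valid signature, and that two signatures sharing one $k$ hand the verifier-visible values $(h_1, s_1), (h_2, s_2)$ to anyone, who then solves the two linear equations for $d$.

```python
"""Toy Schnorr signatures: the nonce relation k = s + h*d (mod q) and what a reused nonce leaks.
Added example for this transcript, not the authors' code; the group below is deliberately tiny."""
import hashlib
import secrets

P = 2039   # safe prime, p = 2q + 1 (toy size; real schemes use ~256-bit groups)
Q = 1019   # prime order of the subgroup generated by G; all nonce arithmetic is mod q
G = 4      # 4 = 2^2 is a quadratic residue mod p, so it generates the order-q subgroup


def hash_challenge(R, msg):
    """Public challenge h = H(R || msg) mod q."""
    return int.from_bytes(hashlib.sha256(R.to_bytes(2, "big") + msg).digest(), "big") % Q


def keygen():
    """Secret key d in [1, q) and public key y = g^d mod p."""
    d = secrets.randbelow(Q - 1) + 1
    return d, pow(G, d, P)


def sign(d, msg, k):
    """Return (h, s). The nonce k is passed in only so the demo can force a reuse;
    a correct signer draws a fresh uniform k in [1, q) for every signature."""
    R = pow(G, k, P)
    h = hash_challenge(R, msg)
    s = (k - h * d) % Q          # equivalently k = s + h*d (mod q): s and h public, d secret
    return h, s


def verify(y, msg, sig):
    """Recompute R = g^s * y^h = g^(s + h*d) = g^k and check the challenge."""
    h, s = sig
    R = (pow(G, s, P) * pow(y, h, P)) % P
    return h == hash_challenge(R, msg)


def recover_key_from_reused_nonce(sig1, sig2):
    """Same k in both: k = s1 + h1*d = s2 + h2*d (mod q), so d = (s1 - s2)/(h2 - h1) (mod q).
    Returns None when h1 == h2, where the two equations are identical."""
    (h1, s1), (h2, s2) = sig1, sig2
    if (h2 - h1) % Q == 0:
        return None
    return (s1 - s2) * pow(h2 - h1, -1, Q) % Q


def demo():
    """Sign two constructed messages with one nonce; return (sig1 valid, sig2 valid, key recovered)."""
    d, y = keygen()
    k = secrets.randbelow(Q - 1) + 1
    msg1 = b"pay 10 to bob"
    sig1 = sign(d, msg1, k)
    # Reusing k for a second message is the mistake. In a q = 1019 group the two challenges
    # coincide with probability 1/q, in which case the algebra gives nothing, so skip such a message.
    for i in range(100):
        msg2 = b"pay 9000 to eve, invoice %d" % i
        sig2 = sign(d, msg2, k)
        if sig2[0] != sig1[0]:
            break
    recovered = recover_key_from_reused_nonce(sig1, sig2)
    return verify(y, msg1, sig1), verify(y, msg2, sig2), recovered == d
```

Both signatures verify, and `demo()` reports that the secret key was recovered from nothing but the two public signatures. The bias case on slide 5 is the same algebra with $k$ unknown but non-uniform, which is what the rest of the deck attacks.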

  6. Our Contribution
     1. Optimized a statistical attack framework, known as Bleichenbacher's attack, against nonces in Schnorr-like signatures
     2. New fault attacks against a recent, high-speed Schnorr-like signature scheme, qDSA, to obtain a few bits of nonces
     3. Implemented a full secret key recovery attack against Schnorr-like signatures
        • Over a 252-bit group
        • Only 2- or 3-bit nonce leaks

  7. We set new records!
     Table 1: Comparison with previous published records (rows: group size; columns: number of leaked nonce bits)

                 1 bit      2 bits    3 bits    4 bits   5 bits
       384-bit   –          –         –         –        [DMHMP14]
       252-bit   –          ✓         ✓         –        –
       160-bit   [AFG+14]   [LN13]    [NS02]    –        –

     ✓ = this work (252-bit group, 2- or 3-bit leaks). Bleichenbacher's attack (orange on the original slide): [DMHMP14], [AFG+14] and this work. Lattice attack: [LN13], [NS02].

  Optimizing Bleichenbacher's Attack

  8. Bleichenbacher's Nonce Attack
     • Originally proposed 18 years ago [Ble00], recently revisited by De Mulder et al. (CHES'13) and Aranha et al. (ASIACRYPT'14)
     • Idea: quantify the nonce bias by defining a "bias function" $B_n(K) \in [0, 1]$ and find its peak
       • $B_n(K) = 0$ if the nonce is uniformly distributed over $\mathbb{Z}/n\mathbb{Z}$
       • $B_n(K) \approx 1$ if the nonce is biased
     • Most important & costly phase: the so-called range reduction of the integers $h$
     • Necessary to detect the bias peak correctly and efficiently

  9. Range Reduction Problem
     Given: $S$ signatures $(h_1, \dots, h_S)$
     Find: sufficiently many (say $L$) linear combinations $h'_j = \omega_{j,1} h_1 + \dots + \omega_{j,S} h_S$, $1 \le j \le L$, such that
     • Small: $h'_j < L$
     • Sparse coefficients: $\Omega := \sum_i |\omega_{j,i}|$ satisfies $|B_n(K)|^{\Omega} > 1/\sqrt{L}$
     Looks like knapsack? Difference: find many linear combinations instead of a single exact knapsack solution
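An added end-to-end toy of the attack sketched on slides 8 and 9 (bias function, range reduction, peak detection). It is not the authors' implementation: their record attack runs over a 252-bit group with a far more elaborate range-reduction strategy, and this block exists only to make the three steps concrete. It uses nothing but the relation $k \equiv s + h d \pmod n$ from slide 4, so no group arithmetic appears at all; that is exactly how the attack bypasses the (EC)DLP. Everything numerical is an assumption chosen for a laptop-scale run: $n = 2^{31} - 1$ stands in for the group order, 4096 constructed signatures whose nonces have their top 3 bits equal to zero stand in for the fault-induced leak, the reduction is two rounds of the classic sort-and-difference step from earlier Bleichenbacher-style work (not this paper's method), and the FFT size is $L = 4096$. The bias function is Bleichenbacher's $B_n(K) = \frac{1}{|K|}\sum_j e^{2\pi i k_j/n}$, whose magnitude the slide's $B_n(K) \in [0,1]$ refers to.

```python
"""Toy Bleichenbacher nonce attack: bias function, range reduction, FFT peak search.
Added example for this transcript, not the authors' code. Only k = s + h*d (mod n) is used."""
import cmath
import math
import random

N = 2**31 - 1      # Mersenne prime standing in for the group order n (toy size)
S = 4096           # number of signatures the attacker holds
LEAK_BITS = 3      # assumed leak: the top 3 bits of every nonce are zero
L = 4096           # FFT size; a reduced value h' is usable only if h' < L


def bias(ks, n):
    """Bleichenbacher's bias function B_n(K) = (1/|K|) sum_j exp(2*pi*i*k_j/n).
    |B_n| is ~0 for nonces uniform over Z/nZ and close to 1 for biased nonces."""
    return sum(cmath.exp(2j * math.pi * k / n) for k in ks) / len(ks)


def expected_bias(bits):
    """|B_n(K)| when k is uniform on [0, n/2^bits): sin(pi/2^bits)/(pi/2^bits) (~0.974 for 3 bits)."""
    x = math.pi / 2**bits
    return math.sin(x) / x


def bias_demo(seed=2018, count=4096):
    """(|B_n| of uniform nonces, |B_n| of nonces with LEAK_BITS top bits zero); constructed data."""
    rng = random.Random(seed)
    uniform = [rng.randrange(N) for _ in range(count)]
    leaky = [rng.randrange(N >> LEAK_BITS) for _ in range(count)]
    return abs(bias(uniform, N)), abs(bias(leaky, N))


def leaky_signatures(d, count, rng):
    """Constructed (h, s) pairs satisfying k = s + h*d (mod N) with k < N/2^LEAK_BITS.
    h plays the role of the public hash value, s of the public signature component."""
    sigs = []
    for _ in range(count):
        h = rng.randrange(1, N)
        k = rng.randrange(N >> LEAK_BITS)
        sigs.append((h, (k - h * d) % N))
    return sigs


def sort_and_difference(sigs):
    """One range-reduction round: sort by h and subtract neighbours.
    Each output is a (+1, -1) combination of two inputs, so the coefficient L1 norm Omega
    doubles, h' shrinks by about a factor len(sigs), and k' = s' + h'*d (mod N) still holds."""
    sigs = sorted(sigs)
    return [(h2 - h1, (s2 - s1) % N) for (h1, s1), (h2, s2) in zip(sigs, sigs[1:])]


def fft(a):
    """Recursive radix-2 DFT with positive exponent: A[m] = sum_h a[h]*exp(2*pi*i*h*m/len(a))."""
    size = len(a)
    if size == 1:
        return list(a)
    even, odd = fft(a[0::2]), fft(a[1::2])
    out = [0j] * size
    for m in range(size // 2):
        t = cmath.exp(2j * math.pi * m / size) * odd[m]
        out[m], out[m + size // 2] = even[m] + t, even[m] - t
    return out


def bleichenbacher_attack(sigs, rounds=2):
    """Return (m_star, peak, omega, kept). m_star is the FFT index of the bias peak, i.e. the
    candidate key w = m_star*N/L, which pins down roughly the top log2(L) bits of d."""
    for _ in range(rounds):
        sigs = sort_and_difference(sigs)
    reduced = [(h, s) for h, s in sigs if 0 < h < L]   # h' = 0 tells nothing about d
    # Bucket exp(2*pi*i*s'/N) by h'. The DFT at index m is then sum_j exp(2*pi*i*(s'_j + h'_j*w_m)/N)
    # for w_m = m*N/L, because exp(2*pi*i*h'*w_m/N) = exp(2*pi*i*h'*m/L): one FFT scans L candidates.
    z = [0j] * L
    for h, s in reduced:
        z[h] += cmath.exp(2j * math.pi * s / N)
    spectrum = [abs(v) / len(reduced) for v in fft(z)]
    m_star = max(range(L), key=spectrum.__getitem__)
    return m_star, spectrum[m_star], 2**rounds, len(reduced)


def peak_is_detectable(omega, count, bits=LEAK_BITS):
    """Slide-9 condition |B_n(K)|^Omega > 1/sqrt(count): the bias surviving an Omega-term
    combination must stay above the noise floor of averaging `count` reduced values."""
    return expected_bias(bits) ** omega > 1 / math.sqrt(count)


def demo(seed=2018):
    """Run the whole attack on constructed data; returns (d, m_star, peak, omega, kept)."""
    rng = random.Random(seed)
    d = rng.randrange(1, N)
    m_star, peak, omega, kept = bleichenbacher_attack(leaky_signatures(d, S, rng))
    return d, m_star, peak, omega, kept


if __name__ == "__main__":
    d, m_star, peak, omega, kept = demo()
    print(f"d*L/N = {d * L / N:.2f}; peak at m = {m_star} (height {peak:.2f}, Omega = {omega}, {kept} pairs)")
```

Two rounds of differencing bring the 31-bit $h$ values down to a few thousand at the cost of $\Omega = 4$, which still leaves a bias of about $0.974^4 \approx 0.90$ against a noise floor of $1/\sqrt{\text{kept}} \approx 0.016$; the FFT index of the peak sits at the grid point nearest $d \cdot L / n$. The same check with $\Omega = 256$ fails, which is the tension the slide's second condition expresses: every extra combination round shrinks the $h'_j$ but also shrinks the detectable bias.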
