new bleichenbacher records fault attacks on qdsa
play

New Bleichenbacher Records: Fault Attacks on qDSA Signatures CHES - PowerPoint PPT Presentation

Mar 19, 2023 •1.04k likes •1.89k views

New Bleichenbacher Records: Fault Attacks on qDSA Signatures CHES 2018 Akira Takahashi 1 Mehdi Tibouchi 1 , 2 Masayuki Abe 1 , 2 September 12, 2018 1 Kyoto University 2 NTT Secure Platform Laboratories 1 Outline Introduction Contribution 1.

  1. New Bleichenbacher Records: Fault Attacks on qDSA Signatures CHES 2018 Akira Takahashi 1 Mehdi Tibouchi 1 , 2 Masayuki Abe 1 , 2 September 12, 2018 1 Kyoto University 2 NTT Secure Platform Laboratories 1

  2. Outline Introduction Contribution 1. Optimizing Bleichenbacher’s Attack Contribution 2. Fault Attacks on qDSA Signature Contribution 3. Record-breaking Implementation of Nonce Attack Wrap-up 2

  3. Introduction

  4. • Most notable variant: (EC)DSA • Secure in ROM if the discrete logarithm problem (DLP) is hard • Relies on an ephemeral random value known as nonce Motivating Example: Schnorr Signature Scheme • One of the simplest and most widely-used digital signature schemes 3

  5. • Secure in ROM if the discrete logarithm problem (DLP) is hard • Relies on an ephemeral random value known as nonce Motivating Example: Schnorr Signature Scheme • One of the simplest and most widely-used digital signature schemes • Most notable variant: (EC)DSA 3

  6. • Relies on an ephemeral random value known as nonce Motivating Example: Schnorr Signature Scheme • One of the simplest and most widely-used digital signature schemes • Most notable variant: (EC)DSA • Secure in ROM if the discrete logarithm problem (DLP) is hard 3

  7. Motivating Example: Schnorr Signature Scheme • One of the simplest and most widely-used digital signature schemes • Most notable variant: (EC)DSA • Secure in ROM if the discrete logarithm problem (DLP) is hard • Relies on an ephemeral random value known as nonce 3

  8. • is called nonce. It satisfies public public • should NOT be reused/exposed Nonce in Schnorr Signatures Alice Bob Message Alice’s Secret key Alice’s Public key Verify Sign 0/1 Signed Message 4

  9. • is called nonce. It satisfies public public • should NOT be reused/exposed Nonce in Schnorr Signatures Alice Bob Message Alice’s Secret key Alice’s Public key Verify 101101 ・・・ 0/1 Signed Message 4

  10. • should NOT be reused/exposed Nonce in Schnorr Signatures Alice Bob Message Alice’s Secret key Alice’s Public key Verify 101101 ・・・ 0/1 Signed Message • k is called nonce. It satisfies k ≡ s + h d mod n. ���� ���� public public 4

  11. Nonce in Schnorr Signatures Alice Bob Message Alice’s Secret key Alice’s Public key Verify 101101 ・・・ 0/1 Signed Message • k is called nonce. It satisfies k ≡ s + h d mod n. ���� ���� public public • k should NOT be reused/exposed 4

  12. Adversary could bypass the (EC)DLP and steal the secret by solving the hidden number problem (HNP)! Risk of biased/leaky nonce Alice Message Alice’s Secret key 000101 ・・・ Adversary Bias Signed Message • But what if k is slightly biased ? 5

  13. Adversary could bypass the (EC)DLP and steal the secret by solving the hidden number problem (HNP)! Risk of biased/leaky nonce Alice Message Alice’s Secret key Leak 101101 ・・・ Adversary Signed Message • But what if k is slightly biased or partially leaked? 5

  14. Risk of biased/leaky nonce Alice Message Alice’s Secret key Leak 101101 ・・・ Adversary Signed Message • But what if k is slightly biased or partially leaked? � Adversary could bypass the (EC)DLP and steal the secret d by solving the hidden number problem (HNP)! 5

  15. Nonce: very sensitive! 5

  16. 2. New fault attacks against recent, high-speed Schnorr-like signature scheme, qDSA, to obtain a few bits of nonces 3. Implemented a full secret key recovery attack against Schnorr-like signatures • Over 252-bit group • Only 2 or 3-bit nonce leaks Our Contribution 1. Optimized a statistical attack framework, known as Bleichenbacher’s attack, against nonces in Schnorr-like signatures 6

  17. 3. Implemented a full secret key recovery attack against Schnorr-like signatures • Over 252-bit group • Only 2 or 3-bit nonce leaks Our Contribution 1. Optimized a statistical attack framework, known as Bleichenbacher’s attack, against nonces in Schnorr-like signatures 2. New fault attacks against recent, high-speed Schnorr-like signature scheme, qDSA, to obtain a few bits of nonces 6

  18. Our Contribution 1. Optimized a statistical attack framework, known as Bleichenbacher’s attack, against nonces in Schnorr-like signatures 2. New fault attacks against recent, high-speed Schnorr-like signature scheme, qDSA, to obtain a few bits of nonces 3. Implemented a full secret key recovery attack against Schnorr-like signatures • Over 252-bit group • Only 2 or 3-bit nonce leaks 6

  19. We set new records! # Leaked bits of Nonces 1 2 3 4 5 384-bit – – – – [DMHMP14] 252-bit – – – – – 160-bit [AFG + 14] [LN13] [NS02] – – Table 1: Comparison with previous published records • Orange: Bleichenbacher’s attack • Others: Lattice attack 7

  20. We set new records! # Leaked bits of Nonces 1 2 3 4 5 384-bit – – – – [DMHMP14] 252-bit – – – – ✓ 160-bit [AFG + 14] [LN13] [NS02] – – Table 1: Comparison with previous published records • Orange: Bleichenbacher’s attack • Others: Lattice attack 7

  21. We set new records! # Leaked bits of Nonces 1 2 3 4 5 384-bit – – – – [DMHMP14] 252-bit – – – ✓ ✓ 160-bit [AFG + 14] [LN13] [NS02] – – Table 1: Comparison with previous published records • Orange: Bleichenbacher’s attack • Others: Lattice attack 7

  22. Optimizing Bleichenbacher’s Attack

  23. • Necessary to detect the bias peak correctly and efficiently • Idea: quantify the nonce bias by defining “bias function” and find the peak of it • if nonce is uniformly distributed over . • if nonce is biased. • Most important & costly phase is so-called range reduction of integers Bleichenbacher’s Nonce Attack • Originally proposed 18 years ago [Ble00], recently revisited by De Mulder et al. (CHES’13) and Aranha et al. (ASIACRYPT’14) 8

  24. • Necessary to detect the bias peak correctly and efficiently • Most important & costly phase is so-called range reduction of integers Bleichenbacher’s Nonce Attack • Originally proposed 18 years ago [Ble00], recently revisited by De Mulder et al. (CHES’13) and Aranha et al. (ASIACRYPT’14) • Idea: quantify the nonce bias by defining “bias function” B n ( K ) ∈ [0 , 1] and find the peak of it • B n ( K ) = 0 if nonce is uniformly distributed over Z /n Z . • B n ( K ) ≈ 1 if nonce is biased. 8

  25. • Necessary to detect the bias peak correctly and efficiently Bleichenbacher’s Nonce Attack • Originally proposed 18 years ago [Ble00], recently revisited by De Mulder et al. (CHES’13) and Aranha et al. (ASIACRYPT’14) • Idea: quantify the nonce bias by defining “bias function” B n ( K ) ∈ [0 , 1] and find the peak of it • B n ( K ) = 0 if nonce is uniformly distributed over Z /n Z . • B n ( K ) ≈ 1 if nonce is biased. • Most important & costly phase is so-called range reduction of integers h 8

  26. Bleichenbacher’s Nonce Attack • Originally proposed 18 years ago [Ble00], recently revisited by De Mulder et al. (CHES’13) and Aranha et al. (ASIACRYPT’14) • Idea: quantify the nonce bias by defining “bias function” B n ( K ) ∈ [0 , 1] and find the peak of it • B n ( K ) = 0 if nonce is uniformly distributed over Z /n Z . • B n ( K ) ≈ 1 if nonce is biased. • Most important & costly phase is so-called range reduction of integers h • Necessary to detect the bias peak correctly and efficiently 8

  27. Find: sufficiently many (say ) linear combinations for such that • Small • Sparse coefficients s.t. Looks like knapsack? Difference: find many linear combinations instead of a single exact knapsack solution Range Reduction Problem Given: S signatures ( h 1 , . . . , h S ) 9

  28. • Small • Sparse coefficients s.t. Looks like knapsack? Difference: find many linear combinations instead of a single exact knapsack solution Range Reduction Problem Given: S signatures ( h 1 , . . . , h S ) Find: sufficiently many (say L ) linear combinations for h ′ j = ω j, 1 h 1 + . . . + ω j,S h S 1 ≤ j ≤ L such that 9

  29. • Sparse coefficients s.t. Looks like knapsack? Difference: find many linear combinations instead of a single exact knapsack solution Range Reduction Problem Given: S signatures ( h 1 , . . . , h S ) Find: sufficiently many (say L ) linear combinations for h ′ j = ω j, 1 h 1 + . . . + ω j,S h S 1 ≤ j ≤ L such that • Small h ′ j < L 9

  30. Looks like knapsack? Difference: find many linear combinations instead of a single exact knapsack solution Range Reduction Problem Given: S signatures ( h 1 , . . . , h S ) Find: sufficiently many (say L ) linear combinations for h ′ j = ω j, 1 h 1 + . . . + ω j,S h S 1 ≤ j ≤ L such that • Small h ′ j < L √ • Sparse coefficients Ω := ∑ i | ω j,i | s.t. | B n ( K ) | Ω > 1 / L 9

  31. Range Reduction Problem Given: S signatures ( h 1 , . . . , h S ) Find: sufficiently many (say L ) linear combinations for h ′ j = ω j, 1 h 1 + . . . + ω j,S h S 1 ≤ j ≤ L such that • Small h ′ j < L √ • Sparse coefficients Ω := ∑ i | ω j,i | s.t. | B n ( K ) | Ω > 1 / L Looks like knapsack? Difference: find many linear combinations instead of a single exact knapsack solution 9

Recommend

The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations Eyal Ronen , Robert

The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations Eyal Ronen , Robert

The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations Eyal Ronen , Robert Gillham, Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom Transport Layer Security (TLS) The most widely used cryptographic protocol

1.36k views • 120 slides
Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj Somorovsky Ruhr University Bochum 3curity GmbH juraj.somorovsky@3curity.de About me Security Researcher at: Chair for Network and Data Security,

818 views • 53 slides
Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Stefan Mangard, Florian Mendel, Robert Primas ASIACRYPT 2018 IAIK - Graz University of Technology www.tugraz.at

1.01k views • 78 slides
Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia

Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia

Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia Laguna, Sardinia (Italy) 19 October 2015 Introduction to Fault Attacks 19 October 2015 What are fault attacks? Active attacks against

571 views • 27 slides
Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France November 16, 2017 Cryptacus Workshop, Nijmegen, Netherlands the attacker only needs unprivileged execution on the victims machine

1.99k views • 164 slides
Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland PQCrypto 2017, 26th of June 1/15 Outline 1 Preliminaries Introduction Supersingular isogenies SSI cryptosystems 2 Fault attack

379 views • 33 slides
Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier, Xiaolu Hou and Yang Liu 10 September 2018 1 / 25 Table of Contents Background and Motivation 1 Overview of DATAC DFA Automation Tool for

727 views • 25 slides
Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Introduction Threats Setups Attacks Countermeasures Conclusion 1 / 31 Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of Cryptographic Algorithms and Devices for Real-World Applications Sibenik,

849 views • 31 slides
Defeating TLS client authentication using fault attacks Who are we ? R&amp;D dept. @

Defeating TLS client authentication using fault attacks Who are we ? R&amp;D dept. @

Defeating TLS client authentication using fault attacks Who are we ? R&amp;D dept. @ Security Evaluation Kudelski Security Lab @ Kudelski IoT Embedded systems Hardware attacks security research Glitch / EM Reverse

889 views • 51 slides
Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs

Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs

Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs marc.joye@thomson.net CryptoPuces 2009 Porquerolles, June 26, 2009 Outline Elliptic Curve Cryptography Inducing Faults Fault Attacks Countermeasures

363 views • 24 slides
Its Not My Fault 1915: rotor machines: (electro-)mechanical - On Fault Attacks on

Its Not My Fault 1915: rotor machines: (electro-)mechanical - On Fault Attacks on

Its Not My Fault Bart Preneel FDTC12 9 September 2011 Symmetric crypto history 101 http://www.ecrypt.eu.org pre-1915: manual encryption or simple devices Its Not My Fault 1915: rotor machines: (electro-)mechanical - On

296 views • 6 slides
JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK 2018, Kolkata, India 15 Nov 2018 Table of Contents 1. Introduction to Fault Attacks 2. Persistent Fault Analysis (PFA) 3. PFA on Fault

588 views • 19 slides
Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M.

Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M.

Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M. Eichlseder, T. Korak, V. Lomn e, F. Mendel ASK 2016 The research leading to these results has received funding from the European Unions Horizon

551 views • 26 slides
Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 ,

Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 ,

Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 , Jacques Fournier 2 , Louis Goubin 3 , Ronan Lashermes 2 , 3 , Marie Paindavoine 4 , 5 . 1 - LIASD, Paris 8, France. 2 - CEA Tech, DPACA/LSAS, Gardanne,

446 views • 22 slides
EXPERIMENTAL EVALUATION OF TWO SOFTWARE COUNTERMEASURES AGAINST FAULT ATTACKS Nicolas Moro 1,3 ,

EXPERIMENTAL EVALUATION OF TWO SOFTWARE COUNTERMEASURES AGAINST FAULT ATTACKS Nicolas Moro 1,3 ,

EXPERIMENTAL EVALUATION OF TWO SOFTWARE COUNTERMEASURES AGAINST FAULT ATTACKS Nicolas Moro 1,3 , Karine Heydemann 3 , Amine Dehbaoui 2 , Bruno Robisson 1 , Emmanuelle Encrenaz 3 1 CEA Commissariat lEnergie Atomique et aux Energies

679 views • 22 slides
FAULT ATTACKS ON TWO SOFTWARE COUNTERMEASURES Nicolas Moro 1,3 , Karine Heydemann 3 , Amine

FAULT ATTACKS ON TWO SOFTWARE COUNTERMEASURES Nicolas Moro 1,3 , Karine Heydemann 3 , Amine

FAULT ATTACKS ON TWO SOFTWARE COUNTERMEASURES Nicolas Moro 1,3 , Karine Heydemann 3 , Amine Dehbaoui 2 , Bruno Robisson 1 , Emmanuelle Encrenaz 3 1 CEA Commissariat lEnergie Atomique et aux Energies Alternatives 2 ENSM.SE Ecole Nationale

456 views • 22 slides
Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M. Eichlseder 1 , T. Korak 1 , V. Lomn e 2 , F. Mendel 1 AsiaCrypt 2016 1 Graz University of Technology, Austria 2 ANSSI, Paris, France

602 views • 27 slides
Using Modular Extension to Provably Protect Edwards Curves Against Fault Attacks Margaux

Using Modular Extension to Provably Protect Edwards Curves Against Fault Attacks Margaux

Using Modular Extension to Provably Protect Edwards Curves Against Fault Attacks Margaux Dugardin, Sylvain Guilley, Martin Moreau, Zakaria Najm, Pablo Rauzy PROOFS 2016 - Santa Barbara, CA Introduction Eve Communications Alice Bob Channel

726 views • 60 slides
SoC, why should we care about Fault Injection Attacks ? Guillaume BOUFFARD (

SoC, why should we care about Fault Injection Attacks ? Guillaume BOUFFARD (

SoC, why should we care about Fault Injection Attacks ? Guillaume BOUFFARD ( guillaume.boufgard@ssi.gouv.fr ) David EL-BAZE ( david.elbaze@ssi.gouv.fr ) with the help of Thomas TROUCHKINE Agence nationale de la scurit des systmes

523 views • 28 slides
Wombat: one more Bleichenbacher attack toolkit Olivier Levillain Aina Toky Rasoamanana Tlcom

Wombat: one more Bleichenbacher attack toolkit Olivier Levillain Aina Toky Rasoamanana Tlcom

Wombat: one more Bleichenbacher attack toolkit Olivier Levillain Aina Toky Rasoamanana Tlcom SudParis GreHack 2019 15 novembre 2019 Levillain &amp; Rasoamanana Wombat 1/27 Plan RSA and PKCS#1 v1.5 in a nutshell Bleichenbacher : the

845 views • 48 slides
On the Need of Randomness in Fault Attack Countermeasures Application to AES Victor LOMNE 1 ,

On the Need of Randomness in Fault Attack Countermeasures Application to AES Victor LOMNE 1 ,

Physical Attacks New Attacks on Classical Countermeasures Extended Countermeasures On the Need of Randomness in Fault Attack Countermeasures Application to AES Victor LOMNE 1 , Thomas ROCHE 1 , Adrian THILLARD 1 1 ANSSI (French Network and

358 views • 25 slides
Laser Fault Injection Attacks Wei He, Jakub Breier, Shivam Bhasin Physical Analysis and

Laser Fault Injection Attacks Wei He, Jakub Breier, Shivam Bhasin Physical Analysis and

Cheap &amp; Cheerful A Low-Cost Digital Sensor for Detecting Laser Fault Injection Attacks Wei He, Jakub Breier, Shivam Bhasin Physical Analysis and Cryptographic Engineering (PACE), Nanyang Technological University, Singapore SPACE 2016,

667 views • 31 slides
Fault Attacks on Embedded Software: Threats, Design, and Mitigation Patrick Schaumont Professor

Fault Attacks on Embedded Software: Threats, Design, and Mitigation Patrick Schaumont Professor

Fault Attacks on Embedded Software: Threats, Design, and Mitigation Patrick Schaumont Professor Bradley Department of ECE Virginia Tech Acknowledgements FAME Project Team https://sites.google.com/view/famechip Supported through National

1.01k views • 72 slides
Presence of Fault Attacks Robert Schilling 1,2 , Mario Werner 1 , Stefan Mangard 1 1 Graz

Presence of Fault Attacks Robert Schilling 1,2 , Mario Werner 1 , Stefan Mangard 1 1 Graz

Securing Conditional Branches in the Presence of Fault Attacks Robert Schilling 1,2 , Mario Werner 1 , Stefan Mangard 1 1 Graz University of Technology, 2 Know-Center GmbH March 22, 2018 Overview Introduction to control-flow integrity and

702 views • 33 slides

More recommend