New Bleichenbacher Records: Fault Attacks on qDSA Signatures
CHES 2018
Akira Takahashi (1), Mehdi Tibouchi (1, 2), Masayuki Abe (1, 2)
September 12, 2018
(1) Kyoto University  (2) NTT Secure Platform Laboratories
Outline
• Introduction
• Contribution 1: Optimizing Bleichenbacher's Attack
• Contribution 2: Fault Attacks on qDSA Signatures
• Contribution 3: Record-breaking Implementation of the Nonce Attack
• Wrap-up
Introduction
Motivating Example: Schnorr Signature Scheme
• One of the simplest and most widely used digital signature schemes
• Most notable variant: (EC)DSA
• Provably secure in the random oracle model (ROM) if the discrete logarithm problem (DLP) is hard
• Relies on an ephemeral random value known as the nonce
Nonce in Schnorr Signatures
Alice signs a message with her secret key d; Bob verifies the signed message with Alice's public key and outputs 0/1.
• k is called the nonce. It satisfies k ≡ s + h·d (mod n), where the hash value h and the signature component s are both public and d is the secret key.
• k should NOT be reused or exposed: with h and s known, a single exposed k gives d directly.
Risk of biased/leaky nonce
• But what if k is slightly biased or partially leaked?
⇒ The adversary could bypass the (EC)DLP and steal the secret d by solving the hidden number problem (HNP)!
Nonce: very sensitive!
Our Contribution
1. Optimized a statistical attack framework, known as Bleichenbacher's attack, against nonces in Schnorr-like signatures
2. New fault attacks against a recent, high-speed Schnorr-like signature scheme, qDSA, to obtain a few bits of the nonces
3. Implemented a full secret key recovery attack against Schnorr-like signatures
   • Over a 252-bit group
   • With only 2- or 3-bit nonce leaks
We set new records!

Table 1: Comparison with previously published records (group size vs. number of leaked nonce bits)

Group size | 1 bit    | 2 bits        | 3 bits        | 4 bits | 5 bits
384-bit    | –        | –             | –             | –      | [DMHMP14]
252-bit    | –        | ✓ (this work) | ✓ (this work) | –      | –
160-bit    | [AFG+14] | [LN13]        | [NS02]        | –      | –

• Bleichenbacher's attack (orange in the original slide): [DMHMP14], [AFG+14] and this work
• Others ([LN13], [NS02]): lattice attack
Optimizing Bleichenbacher’s Attack
Bleichenbacher's Nonce Attack
• Originally proposed 18 years ago [Ble00], recently revisited by De Mulder et al. (CHES'13) and Aranha et al. (ASIACRYPT'14)
• Idea: quantify the nonce bias by defining a "bias function" B_n(K) ∈ [0, 1], the magnitude of the expected phase |E[exp(2πi·K/n)]|, and find its peak
  • B_n(K) = 0 if the nonce K is uniformly distributed over Z/nZ
  • B_n(K) ≈ 1 if the nonce is biased
• The most important and costly phase is the so-called range reduction of the integers h
• It is necessary to detect the bias peak correctly and efficiently
Range Reduction Problem
Given: S signatures (h_1, ..., h_S)
Find: sufficiently many (say L) linear combinations
  h'_j = ω_{j,1}·h_1 + ... + ω_{j,S}·h_S,  1 ≤ j ≤ L
such that
• Small: h'_j < L
• Sparse coefficients: Ω := Σ_i |ω_{j,i}| satisfies |B_n(K)|^Ω > 1/√L
  (the combined nonce Σ_i ω_{j,i}·k_i has bias |B_n(K)|^Ω, which must stay above the noise floor 1/√L of an L-sample estimate)
Looks like knapsack? Difference: find many linear combinations instead of a single exact knapsack solution
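The following is an added, self-contained worked example that ties the bias function (previous slide) and the range reduction problem together; it is not the paper's code. It uses a toy 32-bit prime group order instead of a 252-bit one, models the Schnorr hash value h as uniform and abstracts the group element R away (the attack only consumes the scalar pairs (h_j, s_j) with k_j ≡ s_j + h_j·d mod n), and uses sort-and-difference as the range reduction method, which is one common choice and not necessarily the optimization the paper describes. The names `N`, `L`, `LEAK_BITS`, `sign_scalars`, `range_reduce`, `peak_search` and `attack` are this example's own.

```python
# Added worked example (not the paper's code): toy end-to-end Bleichenbacher
# nonce attack on Schnorr-like signatures.  Parameters are scaled down so the
# whole thing runs in a few seconds with the standard library only.
import cmath
import math
import random

N = 4294967291        # toy prime group order n = 2^32 - 5 (assumption; the paper targets 252-bit n)
LEAK_BITS = 3         # assumption: the attacker knows the top 3 bits of every nonce are 0
L = 1 << 10           # number of sample points; the peak reveals the top log2(L) = 10 bits of d


def sign_scalars(d, count, leak_bits, rng, n=N):
    """Produce (h, s) pairs with s = k - h*d mod n for biased nonces k < n / 2^leak_bits.

    h stands in for the Schnorr hash H(R, m) and is modelled as uniform.
    The nonces k (and hence d) are never returned to the caller."""
    sigs = []
    for _ in range(count):
        k = rng.randrange(1, n >> leak_bits)   # biased nonce: top leak_bits bits cleared
        h = rng.randrange(1, n)
        sigs.append((h, (k - h * d) % n))
    return sigs


def bias(values, n=N):
    """Sampled bias function B_n(K) = |E[exp(2*pi*i*K/n)]| of residues mod n."""
    z = sum(cmath.exp(2j * math.pi * (v % n) / n) for v in values)
    return abs(z) / len(values)


def sort_and_difference(pairs, n=N):
    """One range-reduction round: sort by h and subtract adjacent entries.

    Every output is a linear combination with coefficients omega in {+1, -1}, so the
    weight Omega doubles per round (nonce bias becomes B^Omega) while the h values
    shrink by a factor of roughly len(pairs)."""
    pairs = sorted(pairs)
    return [((h2 - h1) % n, (s2 - s1) % n)
            for (h1, s1), (h2, s2) in zip(pairs, pairs[1:])]


def range_reduce(sigs, rounds, bound=L, n=N):
    """Apply `rounds` sort-and-difference rounds and keep the combinations with h' < bound."""
    pairs = sigs
    for _ in range(rounds):
        pairs = sort_and_difference(pairs, n)
    return [(h, s) for h, s in pairs if h < bound]


def peak_search(reduced, l=L, n=N):
    """Evaluate Z(m) = (1/|reduced|) * sum_j exp(2*pi*i*(s_j + h_j*m*n/l)/n) for m in [0, l).

    Since every h_j < l, Z is an l-point DFT of the phases exp(2*pi*i*s_j/n) binned by
    h_j.  At m ~= d*l/n the phases line up as exp(2*pi*i*k'_j/n), so |Z| peaks there;
    elsewhere it sits near the noise floor 1/sqrt(|reduced|).  A real attack uses an
    FFT here; the O(l^2) loop below is kept for clarity."""
    if not reduced:
        raise ValueError("no combinations below the bound: use more signatures or rounds")
    bins = [0j] * l
    for h, s in reduced:
        bins[h] += cmath.exp(2j * math.pi * s / n)
    nonzero = [(h, z) for h, z in enumerate(bins) if z]
    roots = [cmath.exp(2j * math.pi * t / l) for t in range(l)]
    best_m, best_height = 0, 0.0
    for m in range(l):
        z = sum(w * roots[(h * m) % l] for h, w in nonzero)
        height = abs(z) / len(reduced)
        if height > best_height:
            best_m, best_height = m, height
    return best_m, best_height


def attack(sigs, rounds=2, l=L, n=N):
    """Recover the top log2(l) bits of d: returns (estimate of d, peak height, #combinations)."""
    reduced = range_reduce(sigs, rounds, l, n)
    m_star, height = peak_search(reduced, l, n)
    return m_star * n // l, height, len(reduced)


def run_demo(seed=2018, sig_count=4096, leak_bits=LEAK_BITS):
    """Constructed scenario: a fresh key, sig_count signatures with biased nonces, then the attack."""
    rng = random.Random(seed)
    d = rng.randrange(1, N)
    sigs = sign_scalars(d, sig_count, leak_bits, rng)
    nonces = [(s + h * d) % N for h, s in sigs]      # only for measuring the bias; unknown to the attacker
    uniform = [rng.randrange(N) for _ in range(sig_count)]
    d_est, height, used = attack(sigs)
    return {"d": d, "d_est": d_est, "peak": height, "used": used,
            "bias_biased": bias(nonces), "bias_uniform": bias(uniform)}


if __name__ == "__main__":
    r = run_demo()
    print(f"bias of {LEAK_BITS}-bit-biased nonces: {r['bias_biased']:.3f}, of uniform values: {r['bias_uniform']:.3f}")
    print(f"peak height {r['peak']:.2f} from {r['used']} reduced combinations")
    print("top bits of d recovered:", abs(r["d_est"] - r["d"]) < 2 * N // L)
```

Two rounds of sort-and-difference give Ω = 4, so a 3-bit leak (B ≈ 0.97) leaves B^Ω ≈ 0.90 and a 2-bit leak (B ≈ 0.90) leaves B^Ω ≈ 0.66, both far above the noise floor 1/√L of the few thousand surviving combinations, which is exactly the sparsity condition on the slide. The peak only fixes the top log2(L) bits of d; the remaining bits are recovered by repeating the procedure on the shifted problem, and at 252 bits the naive differencing above no longer produces enough small h'_j, which is why the range reduction phase dominates the cost.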