Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits
Damien Vergnaud, École normale supérieure (with Aurélie Bauer)
CHES, September 15th 2015
Damien Vergnaud (ENS), Key Recovery from Random Nonce Bits, September 15th 2015, slide 1 / 20
Contents
1. Introduction
   - DL-based Identification Schemes
   - Cryptanalysis of DL-based Authentication Schemes
2. First attack: Exact Partial Knowledge of Nonces
   - Key Recovery with Two Signatures
   - Key Recovery with More Signatures
   - Coding-Theoretic Viewpoint
3. Second Attack: Correcting Errors in Nonces
Identification Schemes
- enables a prover to identify itself to a verifier
- Adversary goal: impersonation
  - playing the role of Alice but denied the secret key,
  - it should have negligible probability of making Bob accept.
  - passive attacks / active attacks
Schnorr's Identification Scheme
G = <g> a group of prime order q. Prover P proves to verifier V that it knows the discrete log x of a public group element y = g^x.
Keys: x ←R Z_q is held by P; y = g^x is known to V.
1. P: r ←R Z_q, Z = g^r; sends Z to V.
2. V: c ←R Z_q; sends c to P.
3. P: s = r + cx mod q; sends s to V.
4. V checks g^s · y^(−c) =? Z.
GPS Identification Scheme
- proposed by Girault in 1991
- formally analyzed by Poupard and Stern in 1998
- based on Schnorr's identification scheme
- leaves out the modular reduction in the response-calculation step
  - saves computation time
  - allows fast on-the-fly authentication (use of coupons)
- ⇒ signatures using the Fiat-Shamir transform
GPS Identification Scheme
G = <g> a group. Prover P proves to verifier V that it knows the discrete log x of a public group element y = g^x.
Parameters (128-bit security level): (S, R, C) = (256, 512, 128)
Keys: x ←R {1, ..., 2^S} is held by P; y = g^x is known to V.
1. P: r ←R {1, ..., 2^R}, Z = g^r; sends Z to V.
2. V: c ←R {1, ..., 2^C}; sends c to P.
3. P: s = r + cx (over the integers, no modular reduction); sends s to V.
4. V checks g^s · y^(−c) =? Z.
Cryptanalysis of DL-based Schemes
- Discrete logarithm computation of x = log_g(y) ⇒ impersonation
- Knowledge of r = log_g(Z) ⇒ key recovery: s = r + cx ⇒ x = (s − r)/c ⇒ impersonation
- This knowledge may be due to:
  - a weak random number generator
  - a timing attack
  - a probing attack
  - ...
Cryptanalysis of DL-based Schemes
- Kuwakado, Tanaka (1999): half of r's LSBs leaked, for two identifications/signatures
- Howgrave-Graham, Smart, Nguyen, Shparlinski (2001-2002): a fraction of r's consecutive bits, for several identifications/signatures
- Our work: a fraction of r's bits, not necessarily consecutive, for several identifications/signatures
Our Work
- reconstructing private keys given a random fraction of nonce bits
  - elementary and does not make use of lattice techniques
  - similar to the reconstruction of RSA secret keys (Heninger et al., Crypto'09 + Crypto'10)
- specialized to the case where the value r + cx is known over Z
  - GPS identification under passive attacks
  - GPS signature (Fiat-Shamir heuristic)
  - Schnorr identification under active attacks (small challenge)
- analysis of the algorithm's runtime behavior
- algorithm implemented (extensive experiments using it)
General Idea – Two Signatures
r_1 + c_1 x = s_1
r_2 + c_2 x = s_2
GOAL: reconstruct the bits of the nonces starting at the LSB.
APPROACH (odd c_1 and c_2)
- 4 choices for each pair of bits (r_1[i], r_2[i]) ⇒ search space: 2^(2R)
- reduces to 2, as the relation c_2 r_1 − c_1 r_2 = c_2 s_1 − c_1 s_2 = C gives
  r_1[i] + r_2[i] = (C − c_2 r_1[0..i−1] − c_1 r_2[0..i−1])[i] mod 2
  ⇒ search space: 2^R (same as exhaustive search!)
IDEA: the search tree can be pruned if we know some bits of r_1, r_2
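The two-signature branch-and-prune idea above, together with the x = (s − r)/c key recovery of slide 7, as an added example that is not the authors' implementation: a toy GPS instance (constructed parameters far below the real 256/512/128) with two passive transcripts, odd challenges, and each nonce bit independently leaked with probability `frac` (a constructed leak model), showing why a random fraction of nonce bits is enough to pull out x.

```python
import random

def leak_bits(r, nbits, frac, rng):
    """Constructed leak model: each bit of r is revealed independently with probability frac."""
    return {i: (r >> i) & 1 for i in range(nbits) if rng.random() < frac}

def recover_nonces(c1, s1, c2, s2, nbits, leak1, leak2):
    """All (r1, r2) < 2^nbits with c2*r1 - c1*r2 == c2*s1 - c1*s2 that agree with
    the leaked bits. Needs c1, c2 odd. Bits are fixed from the LSB up: at level i
    the relation modulo 2^(i+1) leaves two of the four (r1[i], r2[i]) choices, and
    a choice that contradicts a known bit is pruned."""
    C = c2 * s1 - c1 * s2
    found, stack = [], [(0, 0, 0)]        # (level i, r1 mod 2^i, r2 mod 2^i)
    while stack:
        i, a, b = stack.pop()
        if i == nbits:
            if c2 * a - c1 * b == C:      # exact check over the integers at the leaf
                found.append((a, b))
            continue
        for b1 in (0, 1):
            if leak1.get(i, b1) != b1:    # prune: contradicts a known bit of r1
                continue
            for b2 in (0, 1):
                if leak2.get(i, b2) != b2:  # prune: contradicts a known bit of r2
                    continue
                na, nb = a | (b1 << i), b | (b2 << i)
                if (c2 * na - c1 * nb - C) % (1 << (i + 1)) == 0:
                    stack.append((i + 1, na, nb))
    return found

def recover_key(c1, s1, c2, s2, nbits, leak1, leak2):
    """x = (s1 - r1)/c1 for every surviving nonce pair, keeping only the keys
    that are also consistent with the second response."""
    keys = set()
    for r1, r2 in recover_nonces(c1, s1, c2, s2, nbits, leak1, leak2):
        if (s1 - r1) % c1 == 0 and r2 + c2 * ((s1 - r1) // c1) == s2:
            keys.add((s1 - r1) // c1)
    return keys

def demo(seed=7, S=20, R=32, Cb=8, frac=0.5):
    """Toy GPS instance (constructed sizes): secret x, two odd challenges,
    two fresh nonces, responses without modular reduction, half the nonce bits leaked."""
    rng = random.Random(seed)
    x = rng.randrange(1, 1 << S)
    c1, c2 = rng.randrange(1, 1 << Cb) | 1, rng.randrange(1, 1 << Cb) | 1
    r1, r2 = rng.randrange(1, 1 << R), rng.randrange(1, 1 << R)
    s1, s2 = r1 + c1 * x, r2 + c2 * x      # GPS responses: r + cx over Z
    keys = recover_key(c1, s1, c2, s2, R, leak_bits(r1, R, frac, rng), leak_bits(r2, R, frac, rng))
    return x, keys
```

With no leaked bits the same search returns every (r_1, r_2) satisfying the relation, so x is not determined; each known bit halves the surviving wrong branches at that level, which is the pruning the slide refers to.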