practical key recovery for discrete logarithm based
play

Practical Key Recovery for Discrete-Logarithm Based Authentication - PowerPoint PPT Presentation

Aug 25, 2022 •271 likes •766 views

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud cole normale suprieure CHES September, 15th 2015 (with Aurlie Bauer) Damien Vergnaud (ENS) Key Recovery from Random

  1. Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud École normale supérieure CHES September, 15th 2015 (with Aurélie Bauer) Damien Vergnaud (ENS) Key Recovery from Random Nonce Bits September, 15th 2015 1 / 20

  2. Contents Introduction 1 DL-based Identification Schemes Cryptanalysis of DL-based Authentication Schemes First attack: Exact Partial Knowledge of Nonces 2 Key Recovery with Two Signatures (Key Recovery with More Signatures Coding-Theoretic Viewpoint Second Attack: Correcting Errors in Nonces 3 Damien Vergnaud (ENS) Key Recovery from Random Nonce Bits September, 15th 2015 2 / 20

  3. Identification Schemes enables a prover to identify itself to a verifier Adversary goal: impersonation ◮ playing the role of Alice but denied the secret key, ◮ it should have negligible probability of making Bob accept. ◮ passive attacks / active attacks Damien Vergnaud (ENS) Key Recovery from Random Nonce Bits September, 15th 2015 3 / 20

  4. Schnorr’s Identification Scheme G = � g � a group of prime order q Prover P proves to verifier V that it knows the discrete log x of a public group element y = g x . R ← − Z q x y y = g x P V Damien Vergnaud (ENS) Key Recovery from Random Nonce Bits September, 15th 2015 4 / 20

  5. Schnorr’s Identification Scheme G = � g � a group of prime order q Prover P proves to verifier V that it knows the discrete log x of a public group element y = g x . R ← − Z q x y y = g x P V R ← − Z q r Damien Vergnaud (ENS) Key Recovery from Random Nonce Bits September, 15th 2015 4 / 20

  6. Schnorr’s Identification Scheme G = � g � a group of prime order q Prover P proves to verifier V that it knows the discrete log x of a public group element y = g x . R ← − Z q x y y = g x P V R ← − Z q r Z = g r Damien Vergnaud (ENS) Key Recovery from Random Nonce Bits September, 15th 2015 4 / 20

  7. Schnorr’s Identification Scheme G = � g � a group of prime order q Prover P proves to verifier V that it knows the discrete log x of a public group element y = g x . R ← − Z q x y y = g x P V R ← − Z q r Z = g r Z Damien Vergnaud (ENS) Key Recovery from Random Nonce Bits September, 15th 2015 4 / 20

  8. Schnorr’s Identification Scheme G = � g � a group of prime order q Prover P proves to verifier V that it knows the discrete log x of a public group element y = g x . R ← − Z q x y y = g x P V R ← − Z q r Z = g r Z R ← − Z q c Damien Vergnaud (ENS) Key Recovery from Random Nonce Bits September, 15th 2015 4 / 20

  9. Schnorr’s Identification Scheme G = � g � a group of prime order q Prover P proves to verifier V that it knows the discrete log x of a public group element y = g x . R ← − Z q x y y = g x P V R ← − Z q r Z = g r Z R ← − Z q c c Damien Vergnaud (ENS) Key Recovery from Random Nonce Bits September, 15th 2015 4 / 20

  10. Schnorr’s Identification Scheme G = � g � a group of prime order q Prover P proves to verifier V that it knows the discrete log x of a public group element y = g x . R ← − Z q x y y = g x P V R ← − Z q r Z = g r Z R ← − Z q c c s = r + cx mod q Damien Vergnaud (ENS) Key Recovery from Random Nonce Bits September, 15th 2015 4 / 20

  11. Schnorr’s Identification Scheme G = � g � a group of prime order q Prover P proves to verifier V that it knows the discrete log x of a public group element y = g x . R ← − Z q x y y = g x P V R ← − Z q r Z = g r Z R ← − Z q c c s = r + cx mod q s Damien Vergnaud (ENS) Key Recovery from Random Nonce Bits September, 15th 2015 4 / 20

  12. Schnorr’s Identification Scheme G = � g � a group of prime order q Prover P proves to verifier V that it knows the discrete log x of a public group element y = g x . R ← − Z q x y y = g x P V R ← − Z q r Z = g r Z R ← − Z q c c s = r + cx mod q s g s · y − c ? = Z Damien Vergnaud (ENS) Key Recovery from Random Nonce Bits September, 15th 2015 4 / 20

  13. GPS Identification Scheme proposed by Girault in 1991 formally analyzed by Poupard, and Stern in 1998 based on Schnorr’s identification scheme Leaves modular reduction in response-calculation step ◮ save computation time ◮ allows fast on-the-fly authentication (use of coupons ) � signatures using Fiat-Shamir transform Damien Vergnaud (ENS) Key Recovery from Random Nonce Bits September, 15th 2015 5 / 20

  14. GPS Identification Scheme G = � g � a group Prover P proves to verifier V that it knows the discrete log x of a public group element y = g x . Parameters (128-bit security level): ( S , R , C ) = ( 256 , 512 , 128 ) R ← − { 1 ,..., 2 S } x y y = g x P V R ← − { 1 ,..., 2 R } r Z = g r Z R ← − { 1 ,..., 2 C } c c s = r + cx s g s · y − c ? = Z Damien Vergnaud (ENS) Key Recovery from Random Nonce Bits September, 15th 2015 6 / 20

  15. Cryptanalysis of DL-based Schemes Discrete logarithm computation of x = log g ( y ) � impersonation Knowledge of r = log g ( Z ) � Key recovery: s = r + cx ⇒ x = ( s − r ) / c � impersonation This knowledge may be due to ◮ a weak random number generator ◮ a timing attack ◮ a probing attack ◮ . . . Damien Vergnaud (ENS) Key Recovery from Random Nonce Bits September, 15th 2015 7 / 20

  16. Cryptanalysis of DL-based Schemes Discrete logarithm computation of x = log g ( y ) � impersonation Knowledge of r = log g ( Z ) � Key recovery: s = r + cx ⇒ x = ( s − r ) / c � impersonation This knowledge may be due to ◮ a weak random number generator ◮ a timing attack ◮ a probing attack ◮ . . . Damien Vergnaud (ENS) Key Recovery from Random Nonce Bits September, 15th 2015 7 / 20

  17. Cryptanalysis of DL-based Schemes Discrete logarithm computation of x = log g ( y ) � impersonation Knowledge of r = log g ( Z ) � Key recovery: s = r + cx ⇒ x = ( s − r ) / c � impersonation This knowledge may be due to ◮ a weak random number generator ◮ a timing attack ◮ a probing attack ◮ . . . Damien Vergnaud (ENS) Key Recovery from Random Nonce Bits September, 15th 2015 7 / 20

  18. Cryptanalysis of DL-based Schemes Kuwakado, Tanaka (1999): half of r ’s LSB leaked for two identification/signatures Howgrave-Graham, Smart, Nguyen, Shparlinski (2001-2002): fraction of r ’s consecutive bits for several identification/signatures Our work: fraction of r ’s bits for several identification/signatures not necessarily consecutive Damien Vergnaud (ENS) Key Recovery from Random Nonce Bits September, 15th 2015 8 / 20

  19. Cryptanalysis of DL-based Schemes Kuwakado, Tanaka (1999): half of r ’s LSB leaked for two identification/signatures Howgrave-Graham, Smart, Nguyen, Shparlinski (2001-2002): fraction of r ’s consecutive bits for several identification/signatures Our work: fraction of r ’s bits for several identification/signatures not necessarily consecutive Damien Vergnaud (ENS) Key Recovery from Random Nonce Bits September, 15th 2015 8 / 20

  20. Cryptanalysis of DL-based Schemes Kuwakado, Tanaka (1999): half of r ’s LSB leaked for two identification/signatures Howgrave-Graham, Smart, Nguyen, Shparlinski (2001-2002): fraction of r ’s consecutive bits for several identification/signatures Our work: fraction of r ’s bits for several identification/signatures not necessarily consecutive Damien Vergnaud (ENS) Key Recovery from Random Nonce Bits September, 15th 2015 8 / 20

  21. Our Work reconstructing private keys given a random fraction of nonce bits ◮ elementary and does not make use of the lattice techniques ◮ similar to reconstruction of RSA secret key (Heninger et al. Crypto’09 + Crypto’10) specialized to the case where the value r + cx is known over Z ◮ GPS identification under passive attacks ◮ GPS signature (Fiat-Shamir heuristic) ◮ Schnorr identification under active attacks (small challenge) analysis of the algorithm’s runtime behavior algorithm implemented (extensive experiments using it) Damien Vergnaud (ENS) Key Recovery from Random Nonce Bits September, 15th 2015 9 / 20

  22. General Idea – Two Signatures r 1 + c 1 x = s 1 r 2 + c 2 x = s 2 G OAL : reconstruct bits of nonces starting at the LSB. A PPROACH (odd c 1 and c 2 ) ◮ 4 choices for each pair of bits ( r 1 [ i ] , r 2 [ i ]) � # Search space: 2 2 R ◮ reduces to 2 as the relation c 2 r 1 − c 1 r 2 = c 2 s 1 − c 1 s 2 = C gives r 1 [ i ] + r 2 [ i ] = ( C − c 2 r 1 [ 0 .. i − 1 ] − c 1 r 2 [ 0 .. i − 1 ])[ i ] mod 2 � # Search space: 2 R (same as exhaustive search!) I DEA : Search tree can be pruned if we know some bits of r 1 , r 2 Damien Vergnaud (ENS) Key Recovery from Random Nonce Bits September, 15th 2015 10 / 20

  23. General Idea – Two Signatures r 1 + c 1 x = s 1 r 2 + c 2 x = s 2 G OAL : reconstruct bits of nonces starting at the LSB. A PPROACH (odd c 1 and c 2 ) ◮ 4 choices for each pair of bits ( r 1 [ i ] , r 2 [ i ]) � # Search space: 2 2 R ◮ reduces to 2 as the relation c 2 r 1 − c 1 r 2 = c 2 s 1 − c 1 s 2 = C gives r 1 [ i ] + r 2 [ i ] = ( C − c 2 r 1 [ 0 .. i − 1 ] − c 1 r 2 [ 0 .. i − 1 ])[ i ] mod 2 � # Search space: 2 R (same as exhaustive search!) I DEA : Search tree can be pruned if we know some bits of r 1 , r 2 Damien Vergnaud (ENS) Key Recovery from Random Nonce Bits September, 15th 2015 10 / 20

Recommend

Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and

Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and

Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and Paul Wolfger Graz University of Technology WECC 2014, Chennai, India We solved the discrete logarithm of a 113-bit Koblitz Curve.

572 views • 34 slides
Discrete logarithm problem for matrices over finite group rings Alex Myasnikov Stevens Institute

Discrete logarithm problem for matrices over finite group rings Alex Myasnikov Stevens Institute

Discrete logarithm problem for matrices over finite group rings Alex Myasnikov Stevens Institute of Technology Discrete logarithm problem. The discrete logarithm problem (DLP) in a finite cyclic group G : for any pair g , h G find a

673 views • 18 slides
On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the discrete logarithm problem in elliptic curves p.1/37 Some history At ECC 2004 in Bochum, Pierrick Gaudry presented an index calculus algorithm

897 views • 67 slides
A kilobit hidden SNFS discrete logarithm computation ia.cr/2016/961 (Eurocrypt 2017) J. Fried 1 ,

A kilobit hidden SNFS discrete logarithm computation ia.cr/2016/961 (Eurocrypt 2017) J. Fried 1 ,

A kilobit hidden SNFS discrete logarithm computation ia.cr/2016/961 (Eurocrypt 2017) J. Fried 1 , P. Gaudry 2 , N. Heninger 1 , E. Thom e 2 1 U. Penn ; 2 Caramba/Inria/Loria Nov 13rd, 2017 A kilobit hidden SNFS discrete logarithm computation

441 views • 42 slides
Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work

Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work

Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work with Pierrick Gaudry and C ecile Pierrot Universit e de Lorraine, Inria Nancy, France Crypto 2020 Virtual Conference 1/29 The discrete

338 views • 29 slides
Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment Solving

Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment Solving

Comparing the Difficulty of Factorization and Discrete Logarithm: a 240-digit Experiment Solving RSA-240, DLP-240, RSA-250 Fabrice Boudot, Pierrick Gaudry, Aurore Guillevic, Nadia Heninger, Emmanuel Thom e, Paul Zimmermann ere de l FB:

466 views • 31 slides
Discrete Logarithm in GF(2 809 ) with FFS Razvan Barbulescu Cyril Bouvier J er emie Detrey

Discrete Logarithm in GF(2 809 ) with FFS Razvan Barbulescu Cyril Bouvier J er emie Detrey

Discrete Logarithm in GF(2 809 ) with FFS Razvan Barbulescu Cyril Bouvier J er emie Detrey Pierrick Gaudry Hamza Jeljeli Emmanuel Thom e Marion Videau Paul Zimmermann CARAMEL project-team, LORIA, INRIA / CNRS / Universit e de

419 views • 22 slides
Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm

587 views • 30 slides
Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to

Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to

Note: Log = logarithm, not Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to Cryptography 1 References Symmetric and Asymmetric Cryptosystems Public-Key Cryptosystems Based on the Discrete

436 views • 9 slides
On the discrete logarithm problem in finite fields Pierrick Gaudry CNRS, Universit de

On the discrete logarithm problem in finite fields Pierrick Gaudry CNRS, Universit de

On the discrete logarithm problem in finite fields Pierrick Gaudry CNRS, Universit de Lorraine, Inria Nancy, France joint work with Razvan Barbulescu, Antoine Joux, Emmanuel Thom RICAM Linz, Austria 1/42 Plan Background Recent

598 views • 49 slides
Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J.

Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J.

Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J. Bernstein Easy to prove: is prime. University of Illinois at Chicago Can we find an integer 1 2 3

1.24k views • 97 slides
Discrete Logarithm with Auxiliary Inputs (Special Semester Workshop 4) Jung Hee Cheon (partly

Discrete Logarithm with Auxiliary Inputs (Special Semester Workshop 4) Jung Hee Cheon (partly

Discrete Logarithm with Auxiliary Inputs (Special Semester Workshop 4) Jung Hee Cheon (partly joint work with Taechan Kim and Yongsu Song) Department of Mathematical Sciences and ISaC-RIM Seoul National University December 13, 2013 1 / 41

557 views • 41 slides
The Future of the Discrete Logarithm Gerhard Frey Institute for Experimental Mathematics

The Future of the Discrete Logarithm Gerhard Frey Institute for Experimental Mathematics

The Future of the Discrete Logarithm Gerhard Frey Institute for Experimental Mathematics University of Essen frey@exp-math.uni-essen.de 1 1 Abstract DL-Systems We want exchange keys sign authenticate (encrypt and decrypt)

410 views • 38 slides
A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic Razvan

A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic Razvan

ECC, Chennai October 8, 2014 A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic Razvan Barbulescu 1 Pierrick Gaudry 2 Antoine Joux 3 e 2 Emmanuel Thom IMJ-PRG, Paris Loria, Nancy LIP6, Paris R.

606 views • 41 slides
Review - Mathematical Tools & Probability Logarithm Fundamentals of Probability Discrete

Review - Mathematical Tools & Probability Logarithm Fundamentals of Probability Discrete

Mathematical Tools Summation Operator The Natural Review - Mathematical Tools & Probability Logarithm Fundamentals of Probability Discrete & Continuous Random Variable Caio Vigo Features of Probability Distributions Expected

699 views • 50 slides
Block-based partial packet recovery corrupt packet Maranello Practical Partial Packet Recovery

Block-based partial packet recovery corrupt packet Maranello Practical Partial Packet Recovery

Maranello : Practical Partial Packet Recovery for 802.11 Bo Han Aaron Schulman Lusheng Ji Neil Spring Francesco Gringoli Seungjoon Lee Bobby Bhattacharjee Lorenzo Nava Robert Miller University of Maryland University of Brescia AT&T

894 views • 43 slides
Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS,

Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS,

Integer factorization and discrete logarithm problems Pierrick Gaudry Caramel LORIA CNRS, Universit de Lorraine, Inria JNCF CIRM November 2014 1/81 Plan Presentation of the problems Cryptographic background Primality,

919 views • 88 slides
Individual Discrete Logarithm in GF( p k ) (last step of the Number Field Sieve algorithm) Aurore

Individual Discrete Logarithm in GF( p k ) (last step of the Number Field Sieve algorithm) Aurore

Individual Discrete Logarithm in GF( p k ) (last step of the Number Field Sieve algorithm) Aurore Guillevic INRIA Saclay / GRACE Team Ecole Polytechnique / LIX Asiacrypt 2015 Conference, Auckland, New Zealand, November 30 Aurore Guillevic

711 views • 51 slides
Perspectives of the Discrete Logarithm Systems Gerhard Frey Institute for Experimental

Perspectives of the Discrete Logarithm Systems Gerhard Frey Institute for Experimental

Perspectives of the Discrete Logarithm Systems Gerhard Frey Institute for Experimental Mathematics University of Duisburg-Essen frey@exp-math.uni-essen.de 1 1 Abstract DL-Systems We want exchange keys sign authenticate

841 views • 53 slides
Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work

Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work

Discrete logarithm algorithms in pairing-relevant finite fields Gabrielle De Micheli Joint work with Pierrick Gaudry and C ecile Pierrot Universit e de Lorraine, Inria Nancy, France February 26th, 2020 Northeastern University, Boston

657 views • 40 slides
Practical key recovery attack against APOP , an MD5 based challenge response authentication. By

Practical key recovery attack against APOP , an MD5 based challenge response authentication. By

Practical key recovery attack against APOP , an MD5 based challenge response authentication. By Gaetan Leurent Presented by:- Guided By:- Raagi Sukhlecha Prof. Anish Mathuria Lalit Agarwal Outline Introduction APOP What is

953 views • 79 slides
PKC 2000 18-20 january 2000 - Melbourne - Australia The Composite Discrete Logarithm and

PKC 2000 18-20 january 2000 - Melbourne - Australia The Composite Discrete Logarithm and

Public Key Cryptography PKC 2000 18-20 january 2000 - Melbourne - Australia The Composite Discrete Logarithm and Secure Authentication David Pointcheval Dpartement d Informatique ENS - CNRS David.Pointcheval@ens.fr

266 views • 13 slides
The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. -Pollard and CUDA. Conclusions The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards algorithm for ECDLP Alberto

1.52k views • 103 slides
Practical Password Recovery on an Practical Password Recovery on an MD5 Challenge/Response such

Practical Password Recovery on an Practical Password Recovery on an MD5 Challenge/Response such

Practical Password Recovery on an Practical Password Recovery on an MD5 Challenge/Response such as MD5 Challenge/Response such as APOP * APOP * Yu Sasaki ( The University of Electro-Communications ) Go Yamamoto (NTT) Kazumaro Aoki (NTT)

436 views • 8 slides

More recommend