security of hedged fiat shamir signatures under fault
play

Security of Hedged FiatShamir Signatures under Fault Attacks - PowerPoint PPT Presentation

Jun 04, 2023 •260 likes •909 views

Security of Hedged FiatShamir Signatures under Fault Attacks Eurocrypt 2020 ePrint 2019/956 Diego F. Aranha 1 Claudio Orlandi 1 Akira Takahashi 1 Greg Zaverucha 2 May 14, 2020 1 Aarhus University, Denmark 2 Microsoft Research, United States 1

  1. Security of Hedged Fiat–Shamir Signatures under Fault Attacks Eurocrypt 2020 ePrint 2019/956 Diego F. Aranha 1 Claudio Orlandi 1 Akira Takahashi 1 Greg Zaverucha 2 May 14, 2020 1 Aarhus University, Denmark 2 Microsoft Research, United States 1

  2. This Talk in a Nutshell… • Goal • Formally analyze the fault-resilience of existing Fiat–Shamir signatures, motivated by actual attacks. • Outline 1. Brief history of the fault attacks on FS signatures and randomness hedging. 2. Fault attacker model. 3. Overview of our provable security analysis. 2

  3. Fiat–Shamir-type Signatures and Attacks

  4. a e z Signature from Canonical ID Protocol Prover ( sk ; r ) Verifier ( pk ) ( a , St ) ← Com ( sk ; r ) e ← $ C H z ← Resp ( sk , e , St ) 0 / 1 ← V ( a , e , z , pk ) • If ID is special HVZK and special sound (= Σ -protocol), then SIG := FS [ ID ] is UF-CMA secure. 3 • e.g., Schnorr, Guillou–Quisquater, etc.

  5. Signature from Canonical ID Protocol Sign ( sk , m ; r ) Verifier ( pk , m ) ( a , St ) ← Com ( sk ; r ) e ← H ( a , m ) a , e , z z ← Resp ( sk , e , St ) 0 / 1 ← V ( a , e , z , pk ) ? H ( a , m ) = e • If ID is special HVZK and special sound (= Σ -protocol), then SIG := FS [ ID ] is UF-CMA secure. • e.g., Schnorr, Guillou–Quisquater, etc. 3

  6. Signature from Canonical ID Protocol Sign ( sk , m ; r ) Verifier ( pk , m ) ( a , St ) ← Com ( sk ; r ) e ← H ( a , m ) a , e , z z ← Resp ( sk , e , St ) 0 / 1 ← V ( a , e , z , pk ) ? H ( a , m ) = e • If ID is special HVZK and special sound (= Σ -protocol), then SIG := FS [ ID ] is UF-CMA secure. • e.g., Schnorr, Guillou–Quisquater, etc. 3

  7. m Sensitivity of Per-signature Randomness RSign ( sk , m ) A r ← RNG ( · ) ( a , St ) ← Com ( sk ; r ) e ← H ( a , m ) a , e , z z ← Resp ( sk , e , St ) • r must follow the uniform distribution. • Otherwise there is an attack! 4

  8. Randomness Failure in Practice • Poorly designed RNGs. • VM resets � same snapshot will end up with the same seed. • Side-channel leakage. • and more . . . BBC news. 2011. https://www.bbc.com/news/ technology-12116051 5

  9. Popular Solution: Deterministic Randomness Generation r ← RNG ( · ) ✘ ✘✘✘✘✘✘✘✘ r ← H ′ ( sk , m ) • Hash each message keyed with sk . • Widely implemented, e.g., in EdDSA, ECDSA, Dilithium, etc. • However, another practical issue arises… 6

  10. Deterministic FS is Vulnerable to Faults! • Fault attack • Modifies the internal state of the device. • Can be performed remotely (e.g., Rowhammer) • Many recent fault attacks on FS! [BP16, ABF + 18, RP17, PSS + 18, SB18, BP18, RJH + 19] • Idea: exploit determinism to rewind the prover (= signer). 7

  11. Deterministic FS is Vulnerable to Faults! • Fault attack • Modifies the internal state of the device. • Can be performed remotely (e.g., Rowhammer) • Many recent fault attacks on FS! [BP16, ABF + 18, RP17, PSS + 18, SB18, BP18, RJH + 19] • Idea: exploit determinism to rewind the prover (= signer). 7

  12. Deterministic FS is Vulnerable to Faults! • Fault attack • Modifies the internal state of the device. • Can be performed remotely (e.g., Rowhammer) • Many recent fault attacks on FS! [BP16, ABF + 18, RP17, PSS + 18, SB18, BP18, RJH + 19] • Idea: exploit determinism to rewind the prover (= signer). 7

  13. m Fault Adversary Type I: Special Soundness Attack DSign ( sk , m ) A r ← H ′ ( sk , m ) ( a , St ) ← Com ( sk ; r ) e ← H ( a , m ) a , e , z z ← Resp ( sk , e , St ) • Query 1: get the legitimate signature ( a , e , z ) on m . • Query 2: get a faulty signature ( a , ˜ z ) on the same m , by injecting fault on e , ˜ hash I/O or commitment output. • Special soundness allows A to recover sk ! 8

  14. z Fault Adversary Type I: Special Soundness Attack m , � DSign ( sk , m ) A r ← H ′ ( sk , m ) ( a , St ) ← Com ( sk ; r ) e ← H ( a , m ) � ˜ a , ˜ e , ˜ z ← Resp ( sk , ˜ ˜ e , St ) • Query 1: get the legitimate signature ( a , e , z ) on m . • Query 2: get a faulty signature ( a , ˜ z ) on the same m , by injecting fault on e , ˜ hash I/O or commitment output. • Special soundness allows A to recover sk ! 8

  15. z Fault Adversary Type I: Special Soundness Attack m , � DSign ( sk , m ) A r ← H ′ ( sk , m ) ( a , St ) ← Com ( sk ; r ) e ← H ( a , m ) � ˜ a , ˜ e , ˜ z ← Resp ( sk , ˜ ˜ e , St ) • Query 1: get the legitimate signature ( a , e , z ) on m . • Query 2: get a faulty signature ( a , ˜ z ) on the same m , by injecting fault on e , ˜ hash I/O or commitment output. • Special soundness allows A to recover sk ! 8

  16. m Fault Adversary Type II: Large Randomness Bias Attack DSign ( sk , m ) A r ← H ′ ( sk , m ) ( a , St ) ← Com ( sk ; r ) e ← H ( a , m ) a , e , z z ← Resp ( sk , e , St ) • Query 1: get the legitimate signature ( a , e , z ) on m . • Query 2: get a faulty signature (˜ z ) on the same m , by injecting fault on r a , ˜ e , ˜ or Resp input. • Second signature relies on correlated randomness ˜ r = r + ∆ ! 9

  17. z Fault Adversary Type II: Large Randomness Bias Attack m , � DSign ( sk , m ) A r ← H ′ ( sk , m ) � ˜ a , ˜ St ) ← Com ( sk ;˜ (˜ r ) e ← H (˜ ˜ a , m ) ˜ a , ˜ e , ˜ e , ˜ z ← Resp ( sk , ˜ ˜ St ) • Query 1: get the legitimate signature ( a , e , z ) on m . • Query 2: get a faulty signature (˜ z ) on the same m , by injecting fault on r a , ˜ e , ˜ or Resp input. • Second signature relies on correlated randomness ˜ r = r + ∆ ! 9

  18. z Fault Adversary Type II: Large Randomness Bias Attack m , � DSign ( sk , m ) A r ← H ′ ( sk , m ) � ˜ a , ˜ St ) ← Com ( sk ;˜ (˜ r ) e ← H (˜ ˜ a , m ) ˜ a , ˜ e , ˜ e , ˜ z ← Resp ( sk , ˜ ˜ St ) • Query 1: get the legitimate signature ( a , e , z ) on m . • Query 2: get a faulty signature (˜ z ) on the same m , by injecting fault on r a , ˜ e , ˜ or Resp input. • Second signature relies on correlated randomness ˜ r = r + ∆ ! 9

  19. Better Countermeasure? – Randomness Hedging r ← RNG ( · ) ✘ ✘✘✘✘✘✘✘✘ r ← H ′ ( sk , m ) ✭✭✭✭✭✭✭✭✭✭ r ← H ′ ( sk , m , nonce ) • Nonces could be from low-quality PRNG, or just a counter. • Randomness r doesn’t repeat on the same message. • Seems secure, but no formal analysis so far. To what extent are hedged FS signatures secure against fault attacks? 10

  20. Better Countermeasure? – Randomness Hedging r ← RNG ( · ) ✘ ✘✘✘✘✘✘✘✘ r ← H ′ ( sk , m ) ✭✭✭✭✭✭✭✭✭✭ r ← H ′ ( sk , m , nonce ) • Nonces could be from low-quality PRNG, or just a counter. • Randomness r doesn’t repeat on the same message. • Seems secure, but no formal analysis so far. To what extent are hedged FS signatures secure against fault attacks? 10

  21. Better Countermeasure? – Randomness Hedging r ← RNG ( · ) ✘ ✘✘✘✘✘✘✘✘ r ← H ′ ( sk , m ) ✭✭✭✭✭✭✭✭✭✭ r ← H ′ ( sk , m , nonce ) • Nonces could be from low-quality PRNG, or just a counter. • Randomness r doesn’t repeat on the same message. • Seems secure, but no formal analysis so far. To what extent are hedged FS signatures secure against fault attacks? 10

  22. Better Countermeasure? – Randomness Hedging r ← RNG ( · ) ✘ ✘✘✘✘✘✘✘✘ r ← H ′ ( sk , m ) ✭✭✭✭✭✭✭✭✭✭ r ← H ′ ( sk , m , nonce ) • Nonces could be from low-quality PRNG, or just a counter. • Randomness r doesn’t repeat on the same message. • Seems secure, but no formal analysis so far. To what extent are hedged FS signatures secure against fault attacks? 10

  23. Contributions • Formal attacker model and security notions to capture the corrupted nonces and previous fault attacks. • Proved that hedged FS schemes in general are (in)secure against certain class of fault attacks. • Application to concrete instantiations. • XEdDSA: Variant of EdDSA used in Signal • Picnic2: NIST PQC competition round 2 candidate 11

  24. Attacker Model and Security Notions

  25. Approach • UF-fCMNA Security • UnForgeability against Faults, Chosen Message and Nonce Attacks • Models hedged construction and corrupted nonces (inspired by [BPS16, BT16]). • Equips the adversary with bit-tampering fault attacks. • Tailored to Fiat–Shamir. 12

  26. Approach • UF-fCMNA Security • UnForgeability against Faults, Chosen Message and Nonce Attacks • Models hedged construction and corrupted nonces (inspired by [BPS16, BT16]). • Equips the adversary with bit-tampering fault attacks. • Tailored to Fiat–Shamir. 12

  27. Approach • UF-fCMNA Security • UnForgeability against Faults, Chosen Message and Nonce Attacks • Models hedged construction and corrupted nonces (inspired by [BPS16, BT16]). • Equips the adversary with bit-tampering fault attacks. • Tailored to Fiat–Shamir. 12

  28. Approach • UF-fCMNA Security • UnForgeability against Faults, Chosen Message and Nonce Attacks • Models hedged construction and corrupted nonces (inspired by [BPS16, BT16]). • Equips the adversary with bit-tampering fault attacks. • Tailored to Fiat–Shamir. 12

Recommend

From Identification using Rejection Sampling to Signatures via the Fiat-Shamir Transform:

From Identification using Rejection Sampling to Signatures via the Fiat-Shamir Transform:

From Identification using Rejection Sampling to Signatures via the Fiat-Shamir Transform: Application to the BLISS Signature Pauline Bert and Adeline Roux-Langlois Journes C2 2018 Univ Rennes, CNRS, IRISA 1 Contribution Fiat-Shamir

326 views • 19 slides
A Concrete Treatment of Fiat-Shamir Signatures in the Quantum Random-Oracle Model EUROCRYPT 2018

A Concrete Treatment of Fiat-Shamir Signatures in the Quantum Random-Oracle Model EUROCRYPT 2018

A Concrete Treatment of Fiat-Shamir Signatures in the Quantum Random-Oracle Model EUROCRYPT 2018 Eike Kiltz , Vadim Lyubashevsky, Christian Schaffner Classical Signature Schemes Full Domain Hash Trapdoor function Signature Scheme Fiat-Shamir

268 views • 26 slides
The Measure-and-Reprogram Technique 2.0: Multi-Round Fiat-Shamir and More Jelle Don, CWI

The Measure-and-Reprogram Technique 2.0: Multi-Round Fiat-Shamir and More Jelle Don, CWI

The Measure-and-Reprogram Technique 2.0: Multi-Round Fiat-Shamir and More Jelle Don, CWI Amsterdam Joint work with Serge Fehr and Christian Majenz Introduction Proving Fiat-Shamir digital signatures and ZK proof systems secure against

712 views • 49 slides
Revisiting TESLA in the quantum random oracle model Selected history of Fiat-Shamir style

Revisiting TESLA in the quantum random oracle model Selected history of Fiat-Shamir style

Revisiting TESLA in the quantum random oracle model Selected history of Fiat-Shamir style signatures from LWE or SIS Lyubashevsky 2012 Sigs via Fiat-Shamir Bai-Galbraith BLISS 2013 Short sigs Optimized DBGGOPSS 2014 Improvements,

1.6k views • 43 slides
Security of the Fiat-Shamir Transformation in the Quantum Random Oracle Model Serge Fehr Chris

Security of the Fiat-Shamir Transformation in the Quantum Random Oracle Model Serge Fehr Chris

Security of the Fiat-Shamir Transformation in the Quantum Random Oracle Model Serge Fehr Chris Majenz Chris Schaffner Jelle Don CWI and UvA UvA CWI Leiden University Our Result in Short Let S be a S -protocol, FS[ S ] its Fiat-Shamir

422 views • 40 slides
Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model Jelle Don, Serge

Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model Jelle Don, Serge

Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model Jelle Don, Serge Fehr, Christian Majenz and Christian Schaffner QIP 2020 Hilton Shenzhen Shekou Nanhai Hotel, Shenzhen, China Two facts of life Two facts of life

1.38k views • 98 slides
Lecture 11 Authentication 1 Where are we now? We know a bit of the following:

Lecture 11 Authentication 1 Where are we now? We know a bit of the following:

Lecture 11 Authentication 1 Where are we now? We know a bit of the following: Conventional cryptography Hash functions and MACs Public key cryptography Encryption Signatures Identification (Fiat-Shamir) + Zero

213 views • 9 slides
Fiat-Shamir and correlation intractability from strong kdm secure encryption Ran Canetti, Yilei

Fiat-Shamir and correlation intractability from strong kdm secure encryption Ran Canetti, Yilei

Fiat-Shamir and correlation intractability from strong kdm secure encryption Ran Canetti, Yilei Chen, Leonid Reyzin, Ron Rothblum Eurocrypt 2018, Tel Aviv 1 2 How are you? 3 How are you? Great! How are you? 4 How are you? Great! How

681 views • 65 slides
On the Design of Code-Based Signatures Ayoub Otmani ayoub.otmani@unicaen.fr Outline 1.

On the Design of Code-Based Signatures Ayoub Otmani ayoub.otmani@unicaen.fr Outline 1.

Code-Based Cryptography Workshop 2012 9 11 May 2012, Lyngby, Denmark On the Design of Code-Based Signatures Ayoub Otmani ayoub.otmani@unicaen.fr Outline 1. Fiat-Shamir paradigm 2. Hash-and-Sign paradigm 3. Lossy Source Coding

664 views • 50 slides
Revisiting Post-Quantum Fiat-Shamir Qipeng Liu & Mark Zhandry

Revisiting Post-Quantum Fiat-Shamir Qipeng Liu & Mark Zhandry

Revisiting Post-Quantum Fiat-Shamir Qipeng Liu & Mark Zhandry (Princeton & NTT Research) Lattice Crypto Post-Quantum Crypto Typical Lattice Crypto Thm: are

623 views • 61 slides
Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And Putting It All Together Lecture 12 Digital Signatures Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s,

1.72k views • 142 slides
Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976 Diffie Hellman: Public-key signatures would allow verification by anyone, not just signer. Cool! Can we build a signature system? 1977 Rivest

743 views • 33 slides
1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Digital Signatures have looked at message authentication but does not address issues of lack of trust Chapter 13 Digital Signatures digital signatures provide the ability to:

361 views • 3 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-03-10 1 Outline Recap: one-time signatures From EUF-naCMA security to EUF-CMA security Interlude: proof strategies Security proof

336 views • 20 slides
The Fire and Invasive Annual Grass Assessment Tool (FIAT) Doug Havlina, BLM Fire Ecologist

The Fire and Invasive Annual Grass Assessment Tool (FIAT) Doug Havlina, BLM Fire Ecologist

The Fire and Invasive Annual Grass Assessment Tool (FIAT) Doug Havlina, BLM Fire Ecologist Topics to Cover Background and Development of FIAT FIAT Step 1: The regional context FIAT Step 2: Strategies within priority landscapes

577 views • 32 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-18 1 Outline Logistics Overview Introduction Definition Security Security experiments Formal security definition Relations among

743 views • 58 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-18 1 Outline Logistics Overview Introduction Definition Security Security experiments Formal security definition Relations among

686 views • 64 slides
New Bleichenbacher Records: Fault Attacks on qDSA Signatures CHES 2018 Akira Takahashi 1 Mehdi

New Bleichenbacher Records: Fault Attacks on qDSA Signatures CHES 2018 Akira Takahashi 1 Mehdi

New Bleichenbacher Records: Fault Attacks on qDSA Signatures CHES 2018 Akira Takahashi 1 Mehdi Tibouchi 1 , 2 Masayuki Abe 1 , 2 September 12, 2018 1 Kyoto University 2 NTT Secure Platform Laboratories 1 Outline Introduction Contribution 1.

1.89k views • 81 slides
Liquidity SMU Eco 3355 Liquidity and Why do people choose to hold fiat money despite its

Liquidity SMU Eco 3355 Liquidity and Why do people choose to hold fiat money despite its

Liquidity SMU Eco 3355 Liquidity and Why do people choose to hold fiat money despite its Financial Intermediation lower rate of return? Maybe because fiat money is less risky than most of the other assets. Maybe because fiat money is more

374 views • 8 slides
Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties Signatures Signatures with various functionality/properties Constructions come in different flavors (well sample each flavor): Signatures

1.55k views • 131 slides
Mariana Raykova Data Security: Encryption and Digital Signatures Beyond security of data at

Mariana Raykova Data Security: Encryption and Digital Signatures Beyond security of data at

Mariana Raykova Data Security: Encryption and Digital Signatures Beyond security of data at rest and communication channels Security of Computation on Sensitive Inputs Secure multiparty computation (MPC) Differential privacy methods

595 views • 43 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-25 1 Outline Recap: security experiments Message space extension One-time signatures One-time signatures from one-way functions Digital

1.07k views • 48 slides
On the Security of Two-Round Multi-Signatures Manu Drijvers 1 , Kasra Edalatnejad 2 , Bryan Ford 2

On the Security of Two-Round Multi-Signatures Manu Drijvers 1 , Kasra Edalatnejad 2 , Bryan Ford 2

On the Security of Two-Round Multi-Signatures Manu Drijvers 1 , Kasra Edalatnejad 2 , Bryan Ford 2 , Eike Kiltz 3 , Julian Loss 3 , Gregory Neven 1 , Igors Stepanovs 4 1 DFINITY, 2 EPFL , 3 Ruhr-University Bochum, 4 UCSD Multi-signatures (pk 1 ,sk

635 views • 27 slides
Formalization and Verification of Fault Tolerance and Security Felix G artner TU Darmstadt,

Formalization and Verification of Fault Tolerance and Security Felix G artner TU Darmstadt,

1/35 Formalization and Verification of Fault Tolerance and Security Felix G artner TU Darmstadt, Germany fcg@acm.org Example: Space Shuttle STS51 Discovery, http://spaceflight.nasa.gov/ 2/35 3/35 Fault-tolerant Operation [Spector and

682 views • 42 slides

More recommend