singular curve point decompression attack
play

Singular curve point decompression attack Peter Gnther joint work - PowerPoint PPT Presentation

Oct 25, 2022 •8 likes •378 views

Singular curve point decompression attack Peter Gnther joint work with Johannes Blmer University of Paderborn FDTC 2015, September 13th, Saint Malo Peter Gnther (UPB) Decompression Attack FDTC 2015 1 / 18 Elliptic curves Example: E (

  1. Singular curve point decompression attack Peter Günther joint work with Johannes Blömer University of Paderborn FDTC 2015, September 13th, Saint Malo Peter Günther (UPB) Decompression Attack FDTC 2015 1 / 18

  2. Elliptic curves Example: E ( R ) : y 2 = x 3 − 3 x + 3 y Elliptic curve E ( K ) Points ( x , y ) ∈ K 2 that fulfill y 2 = x 3 + a 4 x + a 6 x with a 4 , a 6 ∈ K and discriminant ∆ := − 16 ( 4 a 3 4 + 27 a 2 6 ) � = 0 . Peter Günther (UPB) Decompression Attack FDTC 2015 2 / 18

  3. Elliptic curves as additive group Example: E ( R ) : y 2 = x 3 − 3 x + 3 y T P Group operation independent from a 6 : λ = y P − y T x P − x T x x P + T = λ 2 − x P − x T y P + T = λ ( x P − x P + T ) − y P T + P Peter Günther (UPB) Decompression Attack FDTC 2015 3 / 18

  4. Elliptic curves as additive group Example: E ( R ) : y 2 = x 3 − 3 x + 3 y T P Group operation independent from a 6 : λ = 3 x T + a 4 2 y T x 2 T = λ 2 − 2 x T x y 2 T = λ ( x T − x 2 T ) − y T 2 T Peter Günther (UPB) Decompression Attack FDTC 2015 3 / 18

  5. Elliptic curve scalar multiplication and DLOG Scalar multiplication: s ∈ N , P ∈ E ( F q ) : sP := P + P + · · · + P ( s times) P s sP Peter Günther (UPB) Decompression Attack FDTC 2015 4 / 18

  6. Elliptic curve scalar multiplication and DLOG Scalar multiplication: s ∈ N , P ∈ E ( F q ) : sP := P + P + · · · + P ( s times) Discrete logarithm (DLOG): given P , Q = sP , compute s Assumption: complexity of DLOG problem exponential on elliptic curve ⇒ high security already for small F q (e.g. 256 bit) s P s sP Peter Günther (UPB) Decompression Attack FDTC 2015 4 / 18

  7. Elliptic curve scalar multiplication and DLOG Scalar multiplication: s ∈ N , P ∈ E ( F q ) : sP := P + P + · · · + P ( s times) Discrete logarithm (DLOG): given P , Q = sP , compute s Assumption: complexity of DLOG problem exponential on elliptic curve ⇒ high security already for small F q (e.g. 256 bit) Important cryptographic primitive (ECDH, ECDSA, . . . ) s s P s s sP Peter Günther (UPB) Decompression Attack FDTC 2015 4 / 18

  8. Elliptic curve scalar multiplication and DLOG Scalar multiplication: s ∈ N , P ∈ E ( F q ) : sP := P + P + · · · + P ( s times) Discrete logarithm (DLOG): given P , Q = sP , compute s Assumption: complexity of DLOG problem exponential on elliptic curve ⇒ high security already for small F q (e.g. 256 bit) Important cryptographic primitive (ECDH, ECDSA, . . . ) Adversarial environment: Physical protection of s required s s P s s sP Peter Günther (UPB) Decompression Attack FDTC 2015 4 / 18

  9. Invalid point attack on scalar multiplication E : y 2 = x 3 + a 4 x + a 6 Outline of invalid point attacks 1 Group law does not require a 6 2 Move P to weak curve with same a 4 3 Obtain Q = sP for secret s on weak curve 4 Compute DLOG of Q to base P on weak curve 5 Infer DLOG s on original curve Examples weak curve attacks P on curve with smooth order P in small subgroup P on singular curve Peter Günther (UPB) Decompression Attack FDTC 2015 5 / 18

  10. Singular curves with node ( a 4 � = 0) E ( R ) : y 2 = x 3 − 3 x + 3 E ( R ) : y 2 = x 3 − 3 x + 2, ∆ = 0 y y x x Peter Günther (UPB) Decompression Attack FDTC 2015 6 / 18

  11. Singular curves with node ( a 4 � = 0) E ( R ) : y 2 = x 3 − 3 x + 3 E ( R ) : y 2 = x 3 − 3 x + 2, ∆ = 0 y y T P T P x x T + P T + P Peter Günther (UPB) Decompression Attack FDTC 2015 6 / 18

  12. Singular curves with node ( a 4 � = 0) E ( R ) : y 2 = x 3 − 3 x + 3 E ( R ) : y 2 = x 3 − 3 x + 2, ∆ = 0 y y T P T P x x 2 T 2 T Peter Günther (UPB) Decompression Attack FDTC 2015 6 / 18

  13. Singular curves with node ( a 4 � = 0) E ( R ) : y 2 = x 3 − 3 x + 3 E ( R ) : y 2 = x 3 − 3 x + 2, ∆ = 0 y y T P T P E NS ( F q ) ≃ subgroup of F ∗ q or F ∗ q 2 ⇒ DLOG problem subexponential 1 Map DLOG instance to F ∗ q or F ∗ q 2 x x 2 Solve DLOG in F ∗ q or F ∗ q 2 2 T 2 T Peter Günther (UPB) Decompression Attack FDTC 2015 6 / 18

  14. Singular curves with cusp ( a 4 = 0) E ( R ) : y 2 = x 3 + 1 E ( R ) : y 2 = x 3 , ∆ = 0 y y x x Peter Günther (UPB) Decompression Attack FDTC 2015 7 / 18

  15. Singular curves with cusp ( a 4 = 0) E ( R ) : y 2 = x 3 + 1 E ( R ) : y 2 = x 3 , ∆ = 0 y y E NS ( F q ) ≃ F + q ⇒ DLOG problem trivial (by division) 1 Map DLOG instance to F + T T q 2 Solve DLOG in F + q P P x x + P T + P Peter Günther (UPB) Decompression Attack FDTC 2015 7 / 18

  16. Singular curve attack on scalar multiplication For fixed a 4 , there are at most 2 corresponding singular curves Random faults will not provide points on singular curve How do we get a point onto one of them? P Peter Günther (UPB) Decompression Attack FDTC 2015 8 / 18

  17. Our approach: Point decompression Compression Compress : E ( F q ) → F q × { 0 , 1 } ( x , y ) �→ ( x , b ) where b = LSB ( y ) Reduces bandwidth by 50 % Defined in many standards like IEEE 1363, SEC 1, X9.62 Decompression prior to scalar multiplication Peter Günther (UPB) Decompression Attack FDTC 2015 9 / 18

  18. Point compression Decompress Require: E : y 2 = x 3 + a 4 x + a 6 , ( x , b ) ∈ F q × { 0 , 1 } Ensure: ( x , y ) with y 2 = x 3 + a 4 x + a 6 1: v ← x 3 + a 4 x ⊲ v = x 3 + a 4 x ⊲ v = x 3 + a 4 x + a 6 2: v ← v + a 6 3: if √ v ∈ F q then v ← ( − 1 ) b √ v ⊲ v = ( − 1 ) b � x 3 + a 4 x + a 6 4: return ( x , y ) 5: 6: else return O 7: 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 10 / 18

  19. Point compression Decompress Require: E : y 2 = x 3 + a 4 x + a 6 , ( x , b ) ∈ F q × { 0 , 1 } Similar implementations in IEEE 1363, SEC 1, Ensure: ( x , y ) with y 2 = x 3 + a 6 X9.62, OpenSSL 1: v ← x 3 ⊲ v = x 3 Implicit (partial) point validation: ⊲ v = x 3 2: v ← v + a 6 + a 6 Decompress ( x , b ) ∈ E ( F q ) 3: if √ v ∈ F q then v ← ( − 1 ) b √ v ⊲ v = ( − 1 ) b � x 3 + a 6 4: return ( x , y ) 5: 6: else return O 7: 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 10 / 18

  20. Attack on decompression Decompress Require: E : y 2 = x 3 + a 4 x + a 6 , ( x , b ) ∈ F q × { 0 , 1 } Ensure: ( x , y ) with y 2 = x 3 + a 4 x + a 6 1: v ← x 3 + a 4 x ⊲ v = x 3 + a 4 x ⊲ v = x 3 + a 4 x + a 6 2: v ← v + a 6 3: if √ v ∈ F q then v ← ( − 1 ) b √ v ⊲ v = ( − 1 ) b � x 3 + a 4 x + a 6 4: return ( x , y ) 5: 6: else return O 7: 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 11 / 18

  21. Attack on decompression Decompress with a 4 = 0 Require: E : y 2 = x 3 + a 4 x + a 6 , ( x , b ) ∈ F q × { 0 , 1 } Ensure: ( x , y ) with y 2 = x 3 + a 6 1: v ← x 3 ⊲ v = x 3 ⊲ v = x 3 2: v ← v + a 6 + a 6 3: if √ v ∈ F q then v ← ( − 1 ) b √ v ⊲ v = ( − 1 ) b � x 3 + a 6 4: return ( x , y ) 5: 6: else return O 7: 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 11 / 18

  22. Attack on decompression Decompress with a 4 = 0 and with fault Require: E : y 2 = x 3 + a 4 x + a 6 , ( x , b ) ∈ F q × { 0 , 1 } Ensure: ( x , y ) with y 2 = x 3 + a 6 1: v ← x 3 ⊲ v = x 3 ⊲ v = x 3 2: v ← v + a 6 + a 6 3: if √ v ∈ F q then v ← ( − 1 ) b √ v ⊲ v = ( − 1 ) b � x 3 + a 6 4: return ( x , y ) 5: 6: else return O 7: 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 11 / 18

  23. Attack on decompression Decompress with a 4 = 0 and with fault Require: E : y 2 = x 3 + a 4 x + a 6 , ( x , b ) ∈ F q × { 0 , 1 } Ensure: ( x , y ) with y 2 = x 3 + a 6 1: v ← x 3 ⊲ v = x 3 ⊲ v = x 3 2: v ← v + a 6 + a 6 3: if √ v ∈ F q then Observation: v ← ( − 1 ) b √ v x quadratic residue ⇒ ⊲ v = ( − 1 ) b � x 3 + a 6 4: output on singular curve return ( x , y ) 5: y 2 = x 3 6: else return O 7: 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 11 / 18

  24. Hash string to curve Decompress: building block of other algorithms MapToPoint : { 0 , 1 } ∗ → E ( F q ) Require: E : y 2 = x 3 + a 4 x + a 6 , H : { 0 , 1 } ∗ → F q × { 0 , 1 } , M ∈ { 0 , 1 } ∗ , Ensure: P ∈ E ( F q ) 1: i ← 0 2: repeat ⊲ until ( x , b ) is valid compression ( x , b ) ← H ( M � i ) 3: P ← Decompress ( x , b ) 4: i ← i + 1 5: 6: until P � = O 7: return P Peter Günther (UPB) Decompression Attack FDTC 2015 12 / 18

  25. Hash string to curve Decompress: building block of other algorithms MapToPoint : { 0 , 1 } ∗ → E ( F q ) Require: E : y 2 = x 3 + a 4 x + a 6 , H : { 0 , 1 } ∗ → F q × { 0 , 1 } , M ∈ { 0 , 1 } ∗ , Ensure: P ∈ E ( F q ) 1: i ← 0 Atttack: 2: repeat ⊲ until ( x , b ) is valid compression Choose M such that ( x , b ) ← H ( M � i ) 3: H ( M � 0 ) = ( x , b ) with P ← Decompress ( x , b ) 4: quadratic residue x . i ← i + 1 5: 6: until P � = O 7: return P Peter Günther (UPB) Decompression Attack FDTC 2015 12 / 18

  26. Properties of the attack Features of the attack Efficient, especially in the case a 4 = 0 One shot: can be applied to exponentiation with nonce Applications: Point decompression (encryption schemes) Hashing to curve (special signature schemes) Random point sampling (countermeasures) Limitations of the attack Access to Q = sP required For a 4 � = 0: stronger control over ( x , b ) required Attack on plain Decompress still possible Attack on MapToPoint not possible Peter Günther (UPB) Decompression Attack FDTC 2015 13 / 18

Recommend

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point counting David R. Kohel School of Mathematics and Statistics University of Sydney I Elliptic Curves in Cryptography An elliptic curve E/ F p r for

415 views • 18 slides
1 Algorithm for 3 rd degree void bezier(Point p[]) { Point q[ ], r[ ]; if(colinear(p)) { This

1 Algorithm for 3 rd degree void bezier(Point p[]) { Point q[ ], r[ ]; if(colinear(p)) { This

Drawing a Bzier curve 3 rd degree Bzier curve p0, p1, p2, p3 = 4 original control points f(r,s,s) f(r,r,s) f(r,t,s) p 2 p 1 f(r,t,t) f(s,t,t) f(t,t,t) f(r,r,t) f(t,s,s) p 0 p 3 f(r,r,r) f(s,s,s) Recursive interpolation From (p

377 views • 4 slides
A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd ,

A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd ,

A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd , 2003 M.Katagi, I.Kitamura, T.Akishita, and T. Takagi(*) Sony Corporation (*)Technische Universitaet Darmstadt Introduction Optimization of

229 views • 5 slides
Compression and Decompression in Cognition Vertolli, M. O., Kelly, M., & Davies, J.

Compression and Decompression in Cognition Vertolli, M. O., Kelly, M., & Davies, J.

Compression and Decompression in Cognition Vertolli, M. O., Kelly, M., & Davies, J. Introduction Compression of signals from the environment is critical to an organisms success Decompression plays an equally critical role We

434 views • 4 slides
Math 217 - November 29, 2010 Series Solutions 1. What is an ordinary point? 2. What is a

Math 217 - November 29, 2010 Series Solutions 1. What is an ordinary point? 2. What is a

Math 217 - November 29, 2010 Series Solutions 1. What is an ordinary point? 2. What is a singular point? 3. Why do we care about ordinary points and singular points? 4. If you find a series solution at an ordinary point, what can you say

332 views • 8 slides
Curve Curve Ninjas December 19, 2012 Curve Ninjas Curve Overview Using Curve Implementation

Curve Curve Ninjas December 19, 2012 Curve Ninjas Curve Overview Using Curve Implementation

Overview Using Curve Implementation Lessons Curve Curve Ninjas December 19, 2012 Curve Ninjas Curve Overview Using Curve Implementation Lessons Ninjas Shinobi Kun An John Chan David Mauskop Wisdom Omuya Zitong Wang Curve Ninjas

360 views • 17 slides
Blossoms Bezier Curve Construction Reminder Successive linear interpolations at point t

Blossoms Bezier Curve Construction Reminder Successive linear interpolations at point t

Blossoms Bezier Curve Construction Reminder Successive linear interpolations at point t Each point can be found as a function of the parameter, t , and the control points, b i n n i t n b t = i ,n b i = i

1.01k views • 46 slides
[11] The Singular Value Decomposition The Singular Value Decomposition Gene Golubs license

[11] The Singular Value Decomposition The Singular Value Decomposition Gene Golubs license

The Singular Value Decomposition [11] The Singular Value Decomposition The Singular Value Decomposition Gene Golubs license plate, photographed by Professor P. M. Kroonenberg of Leiden University. Frobenius norm for matrices x 2 1 + x 2

872 views • 43 slides
1 1. Basic intro to singular chain complexes, compute homology of a point. (a) Basic

1 1. Basic intro to singular chain complexes, compute homology of a point. (a) Basic

1 1. Basic intro to singular chain complexes, compute homology of a point. (a) Basic understanding of simplices, give definition. Definition. n , the n -simplex, is defined as { ( x 0 , . . . , x n ) R n +1 : x i = 1 , x i 0 } .

418 views • 3 slides
Breaking the Bluetooth Pairing Fixed Coordinate Invalid Curve Attack Eli Biham Lior Neumann

Breaking the Bluetooth Pairing Fixed Coordinate Invalid Curve Attack Eli Biham Lior Neumann

Breaking the Bluetooth Pairing Fixed Coordinate Invalid Curve Attack Eli Biham Lior Neumann Department of Computer Science Technion Israel Institute of Technology Cryptoday 2018 Eli Biham, Lior Neumann (Technion) Breaking the

784 views • 75 slides
Practical Invalid Curve Attacks on TLS-ECDH Tibor Jager, Jrg Schwenk, Juraj Somorovsky Horst

Practical Invalid Curve Attacks on TLS-ECDH Tibor Jager, Jrg Schwenk, Juraj Somorovsky Horst

Practical Invalid Curve Attacks on TLS-ECDH Tibor Jager, Jrg Schwenk, Juraj Somorovsky Horst Grtz Institute for IT Security Ruhr University Bochum @jurajsomorovsky 1 Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks

1.45k views • 32 slides
The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983

The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983

The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985) Schoof: Algorithm to count points on elliptic curves over finite fields. Input: prime power q ; F q such that 6(4

784 views • 47 slides
1 Singular Value Decomposition The singular vector decomposition allows us to write any matrix A

1 Singular Value Decomposition The singular vector decomposition allows us to write any matrix A

Statistical Modeling and Analysis of Neural Data (NEU 560) Princeton University, Spring 2018 Jonathan Pillow Lecture 2 notes: SVD 1 Singular Value Decomposition The singular vector decomposition allows us to write any matrix A as A = USV ,

157 views • 4 slides
How to Textbook key exchange manipulate curve standards: using standard

How to Textbook key exchange manipulate curve standards: using standard

How to Textbook key exchange manipulate curve standards: using standard point P a white paper for the black hat on a standard elliptic curve E : Alices Bobs Daniel J. Bernstein secret key a secret key b Tung

779 views • 73 slides
RIT n. a point on a curve at which the curvature which the curvature Inflection Inflection

RIT n. a point on a curve at which the curvature which the curvature Inflection Inflection

RIT n. a point on a curve at which the curvature which the curvature Inflection Inflection (second derivative) Points: changes signs changes signs The year in Review Review Jeremy Haefner n. A moment of dramatic Provost Provost

779 views • 30 slides
Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a nonsingular plane cu- Theorem (Mordell). The group E ( Q ) of rational points on an bic curve with a rational point (possibly at elliptic curve is a

402 views • 7 slides
Math 217 - December 6, 2010 Theorem (Frobenius Series) Suppose x = 0 is a regular singular point

Math 217 - December 6, 2010 Theorem (Frobenius Series) Suppose x = 0 is a regular singular point

Math 217 - December 6, 2010 Theorem (Frobenius Series) Suppose x = 0 is a regular singular point of the equation x 2 y + xp ( x ) y + q ( x ) y = 0 . Let r 1 and r 2 be the roots, r 1 r 2 of the indicial equation r ( r 1) + p 0 r

640 views • 8 slides
Singular Value Decomposition Presented by Matthew Motoki 1 What is a singular value

Singular Value Decomposition Presented by Matthew Motoki 1 What is a singular value

Singular Value Decomposition Presented by Matthew Motoki 1 What is a singular value decomposition (SVD)? A singular value decomposition is a factorization of the form A = U V T , where A is an m n matrix, U is an m m orthogonal

381 views • 9 slides
Semilinear elliptic problems involving Leray-Hardy potential and measure data Huyuan Chen

Semilinear elliptic problems involving Leray-Hardy potential and measure data Huyuan Chen

Backgrounds Isolated singular solutions semilinear Hardy problem Singular point on the boundary Semilinear elliptic problems involving Leray-Hardy potential and measure data Huyuan Chen Jiangxi Normal Univeristy Workshop: Singular Problems

532 views • 52 slides
Fast FPGA Implementation of Diffie-Hellman on the Kummer Surface of a Genus-2 Curve Philipp

Fast FPGA Implementation of Diffie-Hellman on the Kummer Surface of a Genus-2 Curve Philipp

Fast FPGA Implementation of Diffie-Hellman on the Kummer Surface of a Genus-2 Curve Philipp Koppermann, Fabrizio De Santis, Johann Heyszl and Georg Sigl History of High-Speed Curve Cryptography over Prime Fields 1 Point Addition on a

319 views • 16 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July 23, 2014 1 / 12 Elliptic-curve cryptography: signatures and key exchange Given: some elliptic curve E , point P on E of known order . Key

885 views • 16 slides
/ Link Invariants from Braided Monoidal On the PROB of Singular Braids Categories Singular

/ Link Invariants from Braided Monoidal On the PROB of Singular Braids Categories Singular

On the PROB of Singular Braids Jonathan Beardsley / Link Invariants from Braided Monoidal On the PROB of Singular Braids Categories Singular Braid Monoids From Operads to PROBs Jonathan Beardsley (UNR), Suhyeon Lee (Berkeley), The

239 views • 20 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Tanja Lange

318 views • 29 slides

More recommend