To BLISS-B or not to be - Attacking strongSwan's Implementation of Post-Quantum Signatures
Peter Pessl (1), Leon Groot Bruinderink (2), Yuval Yarom (3)
(1) Graz University of Technology, (2) Technische Universiteit Eindhoven, (3) University of Adelaide and Data61
CCS 2017, November 2nd
www.iaik.tugraz.at
PQ crypto is gaining a lot of traction...
- NIST call, first real-world tests, efficient schemes and implementations
- BLISS - lattice-based signatures
But what about implementation security?
- first works on BLISS (and lattice-based cryptography)
- ... but often not done in a realistic setting
- ... and not applicable to the improved BLISS-B
Peter Pessl, Graz University of Technology, CCS 2017, November 2nd
Our contribution
- New side-channel key-recovery algorithm for BLISS, applicable to the improved BLISS-B variant
- First practical cache attack on BLISS: the production-grade BLISS-B implementation of the strongSwan VPN suite
- 6 000 signatures for full signing-key recovery
BLISS - Lattice Signatures [DDLL13, Duc14]
- BLISS - Bimodal Lattice Signature Scheme [DDLL13]
- Discrete Gaussians $D_\sigma(x)$ -> dedicated samplers
- Works over the ring $R_q = \mathbb{Z}_q[x]/\langle x^n + 1 \rangle$, $n = 512$
- Polynomials $a, b$; the product $ab = Ab$, where $A$ is the matrix of nega-cyclic rotations of $a$:

$$A = \begin{pmatrix} a_0 & -a_{n-1} & \cdots & -a_1 \\ a_1 & a_0 & \cdots & -a_2 \\ \vdots & \vdots & \ddots & \vdots \\ a_{n-1} & a_{n-2} & \cdots & a_0 \end{pmatrix}$$
BLISS Keys
Key generation:
1: $f, g \leftarrow \{0, \pm 1, \pm 2\}^n$ (depending on the parameter set)
2: Private key $(s_1, s_2) = (f, 2g + 1)$
3: Public key $a_q = s_2 / s_1 \bmod q$
BLISS-I, II: $f, g \leftarrow \{0, \pm 1\}^n$
BLISS - Lattice Signatures [DDLL13]
Input: message $\mu$, public key $a_1$, private key $(s_1, s_2)$
Output: a signature $(z_1, z_2, c)$
1: $y_1 \leftarrow D_\sigma^n$, $y_2 \leftarrow D_\sigma^n$
2: $c = H(a_1 y_1 + y_2 \,||\, \mu)$ // binary, sparse vector
3: $(v_1, v_2) = (s_1, s_2)\,c$
4: Sample a uniformly random bit $b$
5: $(z_1, z_2) = (y_1, y_2) + (-1)^b (v_1, v_2)$
6: Continue with some probability $f((s_1, s_2)\,c, z)$, restart otherwise
7: return $(z_1, z_2, c)$
BLISS and BLISS-B [DDLL13, Duc14]
- BLISS-B -> lower rejection rate, default in strongSwan
- GreedySC: $(v_1, v_2) = (s_1, s_2)\,c'$ with $c' \in \{-1, 0, +1\}^n$, $c' \equiv c \bmod 2$
- $c'$ is kept secret

BLISS                                              | BLISS-B
3: $(v_1, v_2) = (s_1, s_2)\,c$                      | 3: $(v_1, v_2) = \mathrm{GreedySC}((s_1, s_2), c)$
4: Sample a uniformly random bit $b$                 | 4: Sample a uniformly random bit $b$
5: $(z_1, z_2) = (y_1, y_2) + (-1)^b (v_1, v_2)$     | 5: $(z_1, z_2) = (y_1, y_2) + (-1)^b (v_1, v_2)$
A Cache Attack on BLISS [GBHLY16]
- Cache attack on the Gaussian sampler: partial recovery of the noise vector $y_1$
- Equation $z_1 = y_1 + (-1)^b s_1 c$, written coefficient by coefficient with $c_i$ the $i$-th row of the nega-cyclic matrix of $c$:

$$\begin{pmatrix} \vdots \\ z_i \\ \vdots \end{pmatrix} = \begin{pmatrix} \vdots \\ y_i \\ \vdots \end{pmatrix} + (-1)^b \begin{pmatrix} \vdots \\ c_i \\ \vdots \end{pmatrix} \begin{pmatrix} s_0 \\ \vdots \\ s_{n-1} \end{pmatrix}$$

- $(z_i - y_i)(-1)^b = \langle c_i, s_1 \rangle$
- Filter for $z_i = y_i$, which gives $\langle c_i, s_1 \rangle = 0$ regardless of the unknown bit $b$
A Cache Attack on BLISS [GBHLY16]
- Gather $n = 512$ equations, one row $c_i$ per filtered coefficient:

$$\begin{pmatrix} (c_i)_0 \\ \vdots \\ (c_i)_{n-1} \end{pmatrix} \begin{pmatrix} s_0 \\ \vdots \\ s_{n-1} \end{pmatrix} = \begin{pmatrix} 0 \\ \vdots \\ 0 \end{pmatrix}$$

- Solve the system
Limitations of the Cache Attack
- Target: the research-oriented BLISS reference implementation... with modified code and a synchronized attacker
- Not applicable to BLISS-B, same as the other works [Pes16, BBK16, EFGT16]: for BLISS the entries of each row are known ($c$ is public), for BLISS-B only their positions are known and the signs of $c'$ are secret

BLISS:
$$\begin{pmatrix} 0 & 1 & \cdots & 0 \\ 0 & 0 & \cdots & -1 \\ \vdots & \vdots & \ddots & \vdots \\ 1 & 0 & \cdots & -1 \end{pmatrix} \begin{pmatrix} s_0 \\ s_1 \\ \vdots \\ s_{n-1} \end{pmatrix} = 0$$

BLISS-B:
$$\begin{pmatrix} 0 & \pm 1 & \cdots & 0 \\ 0 & 0 & \cdots & \pm 1 \\ \vdots & \vdots & \ddots & \vdots \\ \pm 1 & 0 & \cdots & \pm 1 \end{pmatrix} \begin{pmatrix} s_0 \\ s_1 \\ \vdots \\ s_{n-1} \end{pmatrix} = 0$$
A New Side-Channel Key-Recovery Attack
Step 1: Gathering Samples
- Use side-channels to gather noise samples $y$: cache attack, power analysis, ...
- Collect equations: each row is a $c'_i$ with secret signs, the right-hand side is the recovered value $(-1)^b (z_i - y_i)$, no longer restricted to $0$:

$$\begin{pmatrix} 0 & \pm 1 & \cdots & 0 \\ \pm 1 & 0 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ \pm 1 & \cdots & \pm 1 & 0 \end{pmatrix} \begin{pmatrix} s_0 \\ s_1 \\ \vdots \\ s_{n-1} \end{pmatrix} = \begin{pmatrix} 2 \\ 0 \\ \vdots \\ -3 \end{pmatrix}$$
Step 2: Finding $s_1 \bmod 2$
- In GF(2): $-1 \equiv 1 \bmod 2$, so the secret signs of $c'$ and of $(-1)^b$ vanish and the system becomes fully known
- Solve the system -> $s_1 \bmod 2$, the LSB of every coefficient: $s_1 = (0, \pm 1, 0, \ldots, \pm 1)^T$ with the parity of each entry now known
- BLISS-I, II -> $|s_1|$
Step 2: Correcting Errors
- Side-channels can have errors: approximate equations
- Solving a noisy linear system in GF(2): Learning Parity with Noise (LPN)
- Our approach: solving LPN by decoding a random linear code, utilizing the differing error probabilities [PM16]
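The two systems of equations above (the zero right-hand-side system of [GBHLY16] on the cache-attack slides and the BLISS-B system with secret signs of Steps 1 and 2), as an added simulation that is not part of the talk or of strongSwan's code. Assumptions made here: a toy ring dimension N = 32 and challenge weight 5 instead of BLISS's parameters (the weight is kept odd so that the rotations of c span all of GF(2)^N), a random-sign stand-in for GreedySC (only c' = c mod 2 matters for the GF(2) step), small constructed integer noise in place of the discrete Gaussian, error-free leaked y_i (the LPN decoding of the "Correcting Errors" slide is not shown), and a 50% leak rate chosen for the demo.

```python
import random

# Toy parameters (assumption: far smaller than BLISS-I's n = 512, kappa = 23, so the demo
# runs instantly; kappa is odd so that the rotations of c span all of GF(2)^N, as they do for
# the odd-weight challenges of BLISS over x^512 + 1)
N = 32       # ring dimension, R_q = Z_q[x] / <x^N + 1>
KAPPA = 5    # Hamming weight of the sparse, binary challenge c


def negacyclic_row(c, i):
    """Row i of the nega-cyclic matrix of c: entry j is c_{i-j}, negated when the index wraps,
    so that dot(row_i, s) is the i-th coefficient of the product c * s mod x^N + 1."""
    return [c[i - j] if i - j >= 0 else -c[i - j + N] for j in range(N)]


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def sample_challenge():
    c = [0] * N
    for idx in random.sample(range(N), KAPPA):
        c[idx] = 1
    return c


def greedy_sc_stand_in(c):
    """Stand-in for BLISS-B's GreedySC (assumption): c' gets an attacker-unknown sign per nonzero
    entry of c. The real GreedySC chooses the signs to shorten v; for the GF(2) step only
    c' = c (mod 2) matters, which this stand-in preserves."""
    return [random.choice((-1, 1)) if ci else 0 for ci in c]


def sign_first_component(s1, c):
    """Steps 3-5 of BLISS-B signing, first component only: z1 = y1 + (-1)^b * (s1 * c')."""
    c_prime = greedy_sc_stand_in(c)
    y1 = [random.randint(-5, 5) for _ in range(N)]   # constructed small noise, stands in for D_sigma
    b = random.randint(0, 1)
    v1 = [dot(negacyclic_row(c_prime, i), s1) for i in range(N)]
    z1 = [y + (-1) ** b * v for y, v in zip(y1, v1)]
    return z1, y1


def collect_equations(s1, num_sigs, leak_rate):
    """Step 1: every leaked y_i yields  <row_i(C) mod 2, s1> = (z_i - y_i) mod 2,
    where the secret signs of c' and of (-1)^b vanish because -1 = 1 in GF(2)."""
    eqs = []
    for _ in range(num_sigs):
        c = sample_challenge()                      # public: part of the signature
        z1, y1 = sign_first_component(s1, c)        # z1 public, y1 secret
        for i in range(N):
            if random.random() < leak_rate:         # the side channel revealed this y_i
                row = [abs(x) % 2 for x in negacyclic_row(c, i)]
                eqs.append((row, (z1[i] - y1[i]) % 2))
    return eqs


def solve_gf2(eqs, n):
    """Step 2: Gaussian elimination over GF(2). Each row is packed into an int (bit j = coefficient
    of s_j, bit n = right-hand side). Returns the solution, or None if it is not unique/consistent."""
    pivots = {}                                     # column -> pivot row whose lowest set bit is that column
    for coeffs, rhs in eqs:
        r = sum(bit << j for j, bit in enumerate(coeffs)) | (rhs << n)
        for col in range(n):
            if (r >> col) & 1:
                if col in pivots:
                    r ^= pivots[col]                # clears bit col, only touches higher bits
                else:
                    pivots[col] = r
                    break
        else:
            if r == 1 << n:                         # reduced to 0 = 1: inconsistent equations
                return None
    if len(pivots) < n:
        return None                                 # rank deficient: collect more leaks
    for col in sorted(pivots, reverse=True):        # back-substitution to reduced row echelon form
        for other in pivots:
            if other != col and (pivots[other] >> col) & 1:
                pivots[other] ^= pivots[col]
    return [(pivots[col] >> n) & 1 for col in range(n)]


def recover_abs_s1(seed=1, num_sigs=40, leak_rate=0.5):
    """BLISS-I-style key in {0, +-1}^N: s1 mod 2 is exactly |s1|. Returns (true |s1|, recovered)."""
    random.seed(seed)
    s1 = [random.choice((-1, 0, 0, 1)) for _ in range(N)]
    recovered = solve_gf2(collect_equations(s1, num_sigs, leak_rate), N)
    return [abs(x) for x in s1], recovered


if __name__ == "__main__":
    truth, found = recover_abs_s1()
    print("recovered |s1| correctly:", truth == found)
```

The elimination keeps each pivot row's lowest set bit at its pivot column, so new rows are reduced by scanning columns upward; with noisy leaks this exact solver would fail, which is why the talk moves to LPN decoding.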
Step 3: Recovery of Twos
- BLISS-III, BLISS-IV: $s_1 \in \{0, \pm 1, \pm 2\}^n$, so $s_1 \bmod 2$ does not separate $0$ from $\pm 2$; $s_1 = (0, \pm 1, \pm 2, \ldots, \pm 1)^T$
- Use the sparsity of $c'$ in $\langle s_1, c'_i \rangle$
- Method 1: Integer Programming. $|\langle s_1, c'_i \rangle| >$ number of $\pm 1$ coefficients indexed by $c'_i$ -> a 2 must be involved
- Method 2: Statistical Approach. $|\langle s_1, c'_i \rangle|$ is large -> likely a 2 involved
Step 4: Lattice Reduction
- Combine the recovered information $|s_1|$ with the public key
- Public key: $a_q s_1 = s_2$
- $s_2$: short vector in the lattice spanned by $a_q$
- Reduce the lattice rank by discarding the columns where $s_1$ is known to be $0$:

$$\begin{pmatrix} a_0 & -a_{n-1} & -a_{n-2} & \cdots & -a_1 \\ a_1 & a_0 & -a_{n-1} & \cdots & -a_2 \\ a_2 & a_1 & a_0 & \cdots & -a_3 \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ a_{n-1} & a_{n-2} & a_{n-3} & \cdots & a_0 \end{pmatrix} \begin{pmatrix} 0 \\ \pm 1 \\ 0 \\ \vdots \\ \pm 1 \end{pmatrix} = s_2$$
Step 4: Lattice Reduction
- Reduce the lattice dimension ($d = 250$)
- Solve SVP with BKZ lattice reduction
- Linear algebra to get $(s_1, s_2)$
- Full key recovered!
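The Step 4 setup above (the key relation $a_q s_1 = s_2$ and the column discarding that lowers the lattice dimension to the number of nonzero coefficients of $s_1$), as an added Python example that is not the talk's or strongSwan's code. Assumptions made here: toy parameters N = 8 and q = 97 instead of BLISS's n = 512 and q = 12289, a Gauss-Jordan inverse of the nega-cyclic matrix modulo q in place of a ring inverse, a BLISS-I-style key in {0, ±1}^N, and no BKZ/SVP step (the reduced lattice is only set up and checked, not reduced).

```python
import random

# Toy parameters (assumption): tiny dimension and prime modulus so the modular inverse is instant
N = 8
Q = 97


def negacyclic_matrix(a):
    """Matrix A with A * b = a * b mod x^N + 1 (nega-cyclic rotations of a as columns)."""
    return [[a[i - j] if i - j >= 0 else -a[i - j + N] for j in range(N)] for i in range(N)]


def matvec_mod(A, v, q):
    return [sum(x * y for x, y in zip(row, v)) % q for row in A]


def inverse_mod_q(A, q):
    """Gauss-Jordan inverse of a square matrix modulo the prime q; None if singular."""
    n = len(A)
    M = [[x % q for x in row] + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, q)           # modular inverse (Python 3.8+)
        M[col] = [x * inv % q for x in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % q for x, y in zip(M[r], M[col])]
    return [row[n:] for row in M]


def keygen(seed):
    """BLISS-I-style keys: f, g in {0, +-1}^N, (s1, s2) = (f, 2g + 1), a_q = s2 / s1 mod q."""
    random.seed(seed)
    while True:
        f = [random.choice((-1, 0, 0, 1)) for _ in range(N)]
        g = [random.choice((-1, 0, 0, 1)) for _ in range(N)]
        s1, s2 = f, [2 * x + 1 for x in g]
        S1_inv = inverse_mod_q(negacyclic_matrix(s1), Q)
        if S1_inv is not None:                  # s1 must be invertible mod q; otherwise resample
            a_q = matvec_mod(S1_inv, s2, Q)     # a_q = s1^{-1} * s2 (ring multiplication commutes)
            return s1, s2, a_q


def reduced_system(a_q, abs_s1):
    """Step 4 setup: keep only the columns of A_q where |s1| != 0. s2 then lies in the lattice
    spanned (mod q) by these d columns, d = number of nonzero coefficients of s1."""
    A_q = negacyclic_matrix(a_q)
    keep = [j for j in range(N) if abs_s1[j]]
    return [[row[j] for j in keep] for row in A_q], keep


def check_reduction(seed=3):
    """Returns (d, N, holds): reduced dimension, full dimension, and whether
    A_q[:, keep] * s1[keep] = s2 (mod q) still holds after discarding the columns."""
    s1, s2, a_q = keygen(seed)
    abs_s1 = [abs(x) for x in s1]               # what Step 2 delivers for BLISS-I
    A_red, keep = reduced_system(a_q, abs_s1)
    s1_red = [s1[j] for j in keep]
    holds = matvec_mod(A_red, s1_red, Q) == [x % Q for x in s2]
    return len(keep), N, holds


if __name__ == "__main__":
    d, n, ok = check_reduction()
    print("dimension %d -> %d, relation holds: %s" % (n, d, ok))
```

Only the signs of the kept coefficients remain unknown after the discard, which is what the BKZ step on the slide has to find; in the talk's BLISS-I instances this brings the dimension to roughly 250.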
Attacking strongSwan's BLISS-B
Attack Target
- Bernoulli rejection sampling by [DDLL13]
- bit-scanning of the input $x$ in a subroutine

Sampling a bit from $\mathcal{B}(\exp(-x/(2\sigma^2)))$ for $x \in [0, 2^\ell)$
Input: $x \in [0, 2^\ell)$, an integer in binary form $x = x_{\ell-1} \ldots x_0$; precomputed table $E$
Output: a bit $b$ from $\mathcal{B}(\exp(-x/(2\sigma^2)))$
1: for $i = \ell - 1$ downto $0$ do
2:   if $x_i = 1$ then
3:     sample bit $A_i$ from $\mathcal{B}(E[i])$
4:     if $A_i = 0$ then return 0
5: return 1
Cache Attack
- Detect if the branch $x_i = 1$ is taken at least once
- If NOT: $x = 0$ -> $y \in 254 \cdot \mathbb{Z}$
- Flush+Reload cache attack [YF14] with performance degradation [ABF+16]
Resynchronization
- Attack is asynchronous: need the correct index
- Resynchronization: sampling time ~ index
- $s_1 c'$ is small -> $z \approx 254 \cdot \mathbb{Z}$
[Figure: histogram, x axis from -15 to 15, y axis from 0 to 0.2]
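The bit-scanning Bernoulli routine of the attack-target slide, together with the observation of the cache-attack and resynchronization slides (branch never taken means the routine's input was 0, so $y \in 254 \cdot \mathbb{Z}$; a $z_i$ close to a multiple of 254 identifies the index), as an added Python simulation that is neither the talk's nor strongSwan's code. Assumptions made here: the sampler around the routine is the [DDLL13] construction (a binary Gaussian $x$, $y$ uniform in $[0, 254)$, $z = 254x + y$, acceptance probability $\exp(-y(y + 2 \cdot 254 x)/(2\sigma^2))$ with the BLISS-I $\sigma = 215$), the random sign and the $z = 0$ rejection are omitted, the input width is $\ell = 24$ bits, and a `trace` list stands in for the Flush+Reload observation of the branch.

```python
import math
import random

# BLISS-I constants from the slides: sigma = 215, and the sampler writes z = 254*x + y (K = 254)
SIGMA = 215
K = 254
# Assumption: the surrounding sampler is the [DDLL13] one: x from the binary Gaussian
# D+_{sigma_2} with sigma_2 = sqrt(1 / (2 ln 2)), y uniform in [0, K), z = K*x + y, accepted
# with probability exp(-y(y + 2Kx) / (2 sigma^2)); the sign step and z = 0 rejection are omitted.
ELL = 24                                              # bit width of the Bernoulli input y*(y + 2*K*x)
E = [math.exp(-(1 << i) / (2 * SIGMA ** 2)) for i in range(ELL)]   # precomputed table E[i]

# Binary Gaussian D+_{sigma_2}: Pr[x] proportional to 2^(-x^2), x >= 0 (tail beyond 9 is below 2^-80)
_BIN = [2.0 ** (-(x * x)) for x in range(10)]
_BIN_TOTAL = sum(_BIN)


def sample_binary_gaussian():
    u = random.random() * _BIN_TOTAL
    for x, p in enumerate(_BIN):
        u -= p
        if u < 0:
            return x
    return len(_BIN) - 1


def bernoulli_exp(x, trace):
    """The slide's routine: a bit from B(exp(-x / (2 sigma^2))) by scanning the bits of x.
    `trace` collects every i for which the x_i = 1 branch ran; that branch and its E[i]
    table access are what the cache side channel observes."""
    for i in range(ELL - 1, -1, -1):
        if (x >> i) & 1:
            trace.append(i)
            if random.random() >= E[i]:               # A_i = 0 with probability 1 - E[i]
                return 0
    return 1


def sample_gaussian_nonneg():
    """One accepted z ~ D+_sigma. Returns (z, branch_taken) for the accepted attempt."""
    while True:
        x = sample_binary_gaussian()
        y = random.randrange(K)
        trace = []
        if bernoulli_exp(y * (y + 2 * K * x), trace):
            return K * x + y, bool(trace)


def silent_samples(n_samples, seed=7):
    """The leak: the branch is never taken iff the routine's input is 0, i.e. y = 0, so z = K*x.
    Returns the z values of all samples whose accepted attempt never took the branch."""
    random.seed(seed)
    return [z for z, taken in (sample_gaussian_nonneg() for _ in range(n_samples)) if not taken]


def resync_candidates(z1, tol=15):
    """Resynchronization slide: s1*c' is small, so z_i = y_i +- small. Indices whose z_i lies
    within tol of a multiple of K are the candidates for a 'branch never taken' observation."""
    return [i for i, z in enumerate(z1) if min(z % K, K - z % K) <= tol]


if __name__ == "__main__":
    silent = silent_samples(3000)
    print(len(silent), "silent samples, all multiples of K:", all(z % K == 0 for z in silent))
```

Every accepted sample whose routine input was 0 is a multiple of $K = 254$ exactly, which is the fact the attack exploits; the candidate filter then narrows which signature coefficient such an observation belongs to, since the signature only adds the small $s_1 c'$ term to $y$.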
Results
- Step 1: gathering samples: observe 6 000 signature generations with strongSwan
- Step 2: $s_1 \bmod 2$: 98% success rate, avg. runtime ≈ 1 minute (64 threads)
- Step 3: recovering 2s: not needed, focus on BLISS-I for the strongSwan tests
- Step 4: lattice reduction: BLISS-I always successful, avg. runtime 4-5 minutes
What can we do?
Countermeasures
- Shuffling the noise vector: also has flaws [Pes16]
- Constant-time samplers: difficult to implement, still vulnerable to power analysis
- Don't use Gaussians! Gaussians are difficult to implement and extremely prone to SCA; replace them with, e.g., the uniform distribution (Dilithium [DLL+17])