Loop-abort faults on supersingular isogeny cryptosystems

Size: px

Start display at page:

Download "Loop-abort faults on supersingular isogeny cryptosystems"

Kellie Wilkinson
5 years ago
Views:

1 Loop-abort faults on supersingular isogeny cryptosystems Alexandre Gélin Benjamin Wesolowski Laboratoire d Informatique de Paris 6 Sorbonne Universités UPMC, France École Polytechnique Fédérale de Lausanne, EPFL IC LACAL, Switzerland PQCrypto 2017 Utrecht 2017/06/26

2 Supersingular-Isogeny Public-key Cryptography Introduced by Jao, De Feo, and Plût in 2011

3 Supersingular-Isogeny Public-key Cryptography Introduced by Jao, De Feo, and Plût in 2011 Based on the same problem as the hash function of [CLG06]

4 Supersingular-Isogeny Public-key Cryptography Introduced by Jao, De Feo, and Plût in 2011 Based on the same problem as the hash function of [CLG06] The isogeny graph of a supersingular elliptic curve:

5 Supersingular-Isogeny Public-key Cryptography Introduced by Jao, De Feo, and Plût in 2011 Based on the same problem as the hash function of [CLG06] The isogeny graph of a supersingular elliptic curve:

6 Supersingular elliptic curves Definition A supersingular elliptic curve is a curve E defined over F p k ( ) #E F p k = 1 mod p. such that

7 Supersingular elliptic curves Definition A supersingular elliptic curve is a curve E defined over F p k ( ) #E F p k = 1 mod p. such that Interesting properties: All supersingular elliptic curves can be defined over F p 2 About p 12 supersingular elliptic curves, up to isomorphism

8 Isogenies Definition An isogeny φ between two elliptic curves E 1 and E 2 is a surjective group homomorphism with a finite kernel. The degree is defined by degφ = #Ker φ.

9 Isogenies Definition An isogeny φ between two elliptic curves E 1 and E 2 is a surjective group homomorphism with a finite kernel. The degree is defined by degφ = #Ker φ. Interesting properties: G E 1 = a unique E 2 and φ such that φ : E 1 E 2 and Ker φ = G E 2 = E/G is obtained in O ( degφ )

10 Key-Exchange Protocol A prime p such that p + 1 = l n A lm B

11 A supersingular elliptic curve E with l n A lm B points E Key-Exchange Protocol A prime p such that p + 1 = l n A lm B

12 Key-Exchange Protocol A prime p such that p + 1 = l n A lm B A supersingular elliptic curve E with l n A lm B points A point R A chosen randomly in E [ l n A ] E

13 Key-Exchange Protocol A prime p such that p + 1 = l n A lm B A supersingular elliptic curve E with l n A lm B A point R A chosen randomly in E [ l n A (m A,n A ) {1,...,l n A }2 random, R A = m A P A + n A Q A for P A,Q A = E [ l n ] A ] points E

14 Key-Exchange Protocol A prime p such that p + 1 = l n A lm B A supersingular elliptic curve E with l n A lm B A point R A chosen randomly in E [ l n A (m A,n A ) {1,...,l n A }2 random, R A = m A P A + n A Q A for P A,Q A = E [ l n ] A ] points φ A E = the curve E A = E/ R A and φ A : E E A E A

15 Key-Exchange Protocol A prime p such that p + 1 = l n A lm B A supersingular elliptic curve E with l n A lm B A point R A chosen randomly in E [ l n A (m A,n A ) {1,...,l n A }2 random, R A = m A P A + n A Q A for P A,Q A = E [ l n ] A ] points φ A E φ B = the curve E A = E/ R A and φ A : E E A E A E B A point R B = m B P B + n B Q B random in E [ l m ] B = PB,Q B, the curve E B = E/ R B and φ B : E E B

16 Key-Exchange Protocol Bob sends ( E B,φ B (P A ),φ B (Q A ) ) where φ B (P A ),φ B (Q A ) = E B [l n A ] φ A E φ B E A E B

17 Key-Exchange Protocol Bob sends ( E B,φ B (P A ),φ B (Q A ) ) where φ B (P A ),φ B (Q A ) = E B [l n A ] φ A E φ B Alice computes E AB = E B / m A φ B (P A ) + n A φ B (Q A ) E A E B E AB

18 Key-Exchange Protocol Bob sends ( E B,φ B (P A ),φ B (Q A ) ) where φ B (P A ),φ B (Q A ) = E B [l n A ] φ A E φ B Alice computes E AB = E B / m A φ B (P A ) + n A φ B (Q A ) Bob computes E BA = E A / m B φ A (P B ) + n B φ A (Q B ) E A E B E AB

19 Key-Exchange Protocol Bob sends ( E B,φ B (P A ),φ B (Q A ) ) where φ B (P A ),φ B (Q A ) = E B [l n A ] φ A E φ B Alice computes E AB = E B / m A φ B (P A ) + n A φ B (Q A ) Bob computes E BA = E A / m B φ A (P B ) + n B φ A (Q B ) E A E B E AB E/ R A,R B E BA so j(e AB ) = j(e BA ) E AB

20 Key-Exchange Protocol Bob sends ( E B,φ B (P A ),φ B (Q A ) ) where φ B (P A ),φ B (Q A ) = E B [l n A ] φ A E φ B Alice computes E AB = E B / m A φ B (P A ) + n A φ B (Q A ) Bob computes E BA = E A / m B φ A (P B ) + n B φ A (Q B ) E A E B E AB E/ R A,R B E BA so j(e AB ) = j(e BA ) = j(e AB ) secret shared by Alice and Bob E AB

21 Position of the problem Path-finding problem Given two isogenous curves E 1 and E 2, find an isogeny between them of degree l n A.

22 Position of the problem Path-finding problem Given two isogenous curves E 1 and E 2, find an isogeny between them of degree l n A. Equivalent to find a path of fixed length in the isogeny graph

23 Position of the problem Path-finding problem Given two isogenous curves E 1 and E 2, find an isogeny between them of degree l n A. Equivalent to find a path of fixed length in the isogeny graph Brute-force attack in O ( l n A ) O ( p )

24 Position of the problem Path-finding problem Given two isogenous curves E 1 and E 2, find an isogeny between them of degree l n A. Equivalent to find a path of fixed length in the isogeny graph Brute-force attack in O ( l n A ) O ( p ) ) Claw finding: Find a collision in O (l n 2 A O ( 4 p )

25 Attack framework Alice uses a static private key (m A,n A ) E φ A φ B E A E B E AB

26 Attack framework Alice uses a static private key (m A,n A ) = E A and φ A can be precomputed E φ A φ B E A E B E AB

27 Attack framework Alice uses a static private key (m A,n A ) = E A and φ A can be precomputed E The attacker plays the role of Bob φ A φ B E A E B E AB

28 Attack framework Alice uses a static private key (m A,n A ) = E A and φ A can be precomputed E The attacker plays the role of Bob φ A φ B Focus on the isogeny from E B to E B / m A P A + n AQ A, where P A = φ B(P A ) and Q A = φ B(Q A ) E A E B E AB

29 Attack framework Alice uses a static private key (m A,n A ) = E A and φ A can be precomputed E The attacker plays the role of Bob φ A φ B Focus on the isogeny from E B to E B / m A P A + n AQ A, where P A = φ B(P A ) and Q A = φ B(Q A ) Previous active attack [GPST16]: E A E B Idea: Provide dishonest points ( P A, Q A ) instead of (P A,Q A ) E AB

30 Attack framework Alice uses a static private key (m A,n A ) = E A and φ A can be precomputed E The attacker plays the role of Bob φ A φ B Focus on the isogeny from E B to E B / m A P A + n AQ A, where P A = φ B(P A ) and Q A = φ B(Q A ) Previous active attack [GPST16]: E A E B Idea: Provide dishonest points ( P A, Q A ) instead of (P A,Q A ) Countermeasure: Validation method verifies the correctness of the inputs (Fujisaki-Okamoto transform) E AB

31 How is computed the isogeny? Degree l n A : Vélu s formulae O( l n A )

32 How is computed the isogeny? Degree l n A : Vélu s formulae O( l n A Decompose and iterate n O(l A ) ) E B = E 0 E 1 E n 1 E n = E AB where each is a degree-l A isogeny

33 How is computed the isogeny? Degree l n A : Vélu s formulae O( l n A Decompose and iterate n O(l A ) ) E B = E 0 E 1 E n 1 E n = E AB where each is a degree-l A isogeny R 0 = m A P A + n AQ A and for 1 k n 1, E k+1 = E k / l n k 1 A R k φ k+1 : E k E k+1 R k+1 = φ k+1 (R k )

34 How is computed the isogeny? Degree l n A : Vélu s formulae O( l n A Decompose and iterate n O(l A ) ) E B = E 0 E 1 E n 1 E n = E AB where each is a degree-l A isogeny R 0 = m A P A + n AQ A and for 1 k n 1, E k+1 = E k / l n k 1 A R k φ k+1 : E k E k+1 R k+1 = φ k+1 (R k ) E n = E AB = E B / R 0 and φ = φ n φ 1

35 Loop-abort fault attacks Introduced for pairing-based cryptography Used recently in the context of lattice-based signature schemes

36 Loop-abort fault attacks Introduced for pairing-based cryptography Used recently in the context of lattice-based signature schemes Inject a fault that induces an early-abort in the loop

37 Loop-abort fault attacks Introduced for pairing-based cryptography Used recently in the context of lattice-based signature schemes Inject a fault that induces an early-abort in the loop Proven feasible in practice [Blömer et al.]

38 Loop-abort fault attacks Introduced for pairing-based cryptography Used recently in the context of lattice-based signature schemes Inject a fault that induces an early-abort in the loop Proven feasible in practice [Blömer et al.] Implementations of SIDH on embedded devices already exist

39 The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes

40 The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A )

41 The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1

42 The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1 if m a is even, then Ker φ 1 = 2 n 1 Q A

43 The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1 if m a is even, then Ker φ 1 = 2 n 1 Q A if n a is even, then Ker φ 1 = 2 n 1 P A

44 The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1 if m a is even, then Ker φ 1 = 2 n 1 Q A if n a is even, then Ker φ 1 = 2 n 1 P A if both are odd, then Ker φ 1 = 2 n 1 (P A + Q A )

45 The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1 if m a is even, then Ker φ 1 = 2 n 1 Q A = (m A,n A ) equivalent to (a,1) for a = m A n A and a even if n a is even, then Ker φ 1 = 2 n 1 P A if both are odd, then Ker φ 1 = 2 n 1 (P A + Q A )

46 The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1 if m a is even, then Ker φ 1 = 2 n 1 Q A = (m A,n A ) equivalent to (a,1) for a = m A n A and a even if n a is even, then Ker φ 1 = 2 n 1 P A = (m A,n A ) equivalent to (1,a) for a = n A m A if both are odd, then Ker φ 1 = 2 n 1 (P A + Q A ) and a even

47 The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1 if m a is even, then Ker φ 1 = 2 n 1 Q A = (m A,n A ) equivalent to (a,1) for a = m A n A and a even if n a is even, then Ker φ 1 = 2 n 1 P A = (m A,n A ) equivalent to (1,a) for a = n A m A if both are odd, then Ker φ 1 = 2 n 1 (P A + Q A ) = (m A,n A ) equivalent to (1,a) for a = n A m A and a even and a odd

48 The attack l A = 2 Subsequent steps: we assume the key of the form (1,a)

49 The attack l A = 2 Subsequent steps: we assume the key of the form (1,a) We know the k 1 least significant bits

50 The attack l A = 2 Subsequent steps: we assume the key of the form (1,a) We know the k 1 least significant bits The k-th bit is either 0 or 1, i.e., / ( ) E k = E B 2 n k P A + (a mod 2k 1 )Q A or E k = E B / 2 n k ( P A + (a mod 2k k 1 )Q A )

51 The attack l A = 2 Subsequent steps: we assume the key of the form (1,a) We know the k 1 least significant bits The k-th bit is either 0 or 1, i.e., / ( ) E k = E B 2 n k P A + (a mod 2k 1 )Q A or E k = E B / 2 n k ( P A + (a mod 2k k 1 )Q A ) Make a guess and recover the k-th bit of a

52 The attack l A = 2 Subsequent steps: we assume the key of the form (1,a) We know the k 1 least significant bits The k-th bit is either 0 or 1, i.e., / ( ) E k = E B 2 n k P A + (a mod 2k 1 )Q A or E k = E B / 2 n k ( P A + (a mod 2k k 1 )Q A ) Make a guess and recover the k-th bit of a Conclusion: full-key recovery by iterating this process

53 Analysis n bits recovered in n interactions with the victim = n faults injected

54 Analysis n bits recovered in n interactions with the victim = n faults injected if the success probability µ of the fault injection is not 1,

55 Analysis n bits recovered in n interactions with the victim = n faults injected if the success probability µ of the fault injection is not 1, about n µ faults injected if the success can be detected

56 Analysis n bits recovered in n interactions with the victim = n faults injected if the success probability µ of the fault injection is not 1, about n µ about 2n µ faults injected if the success can be detected otherwise

57 Analysis n bits recovered in n interactions with the victim = n faults injected if the success probability µ of the fault injection is not 1, about n µ about 2n µ faults injected if the success can be detected otherwise Alternative with less faults assuming a stronger oracle

58 Thanks Bedankt

Loop-abort faults on supersingular isogeny cryptosystems

Loop-abort faults on supersingular isogeny cryptosystems Alexandre Gélin 1 and Benjamin Wesolowski 2 1 Sorbonne Universités, UPMC Paris 6, UMR 7606, LIP6, Paris, France alexandre.gelin@lip6.fr 2 École