Tanja Lange Technische Universiteit Eindhoven

Size: px

Start display at page:

Download "Tanja Lange Technische Universiteit Eindhoven"

Dwayne Heath
6 years ago
Views:

1 Crytanalysis Course Part I Tanja Lange Technische Universiteit Eindhoven 28 Nov 2016 with some slides by Daniel J. Bernstein

2 Main goal of this course: We are the attackers. We want to break ECC and RSA. First need to understand ECC; this is also needed for Dan s high-seed cryto course. Main motivation for ECC: Avoid index-calculus attacks that lague finite-field DL. See, e.g., yesterday s talk by P. T. H. Duong.

3 Diffie-Hellman key exchange Pick some generator P, i.e. some grou element (using additive notation here). Alice s secret key a Bob s secret key b Alice s Bob s ublic key ublic key ap b P falice; Bobg s fbob; Aliceg s shared secret = shared secret ab P b ap

4 Diffie-Hellman key exchange Pick some generator P, i.e. some grou element (using additive notation here). Alice s secret key a Bob s secret key b Alice s Bob s ublic key ublic key ap b P falice; Bobg s fbob; Aliceg s shared secret = shared secret ab P b ap What does P look like & how to comute P + Q?

5 The clock y x This is the curve x 2 + y 2 = 1. Warning: This is not an ellitic curve. Ellitic curve 6= ellise.

6 Examles of oints on this curve:

7 Examles of oints on this curve: (0; 1) = 12:00.

8 Examles of oints on this curve: (0; 1) = 12:00. (0; 1) = 6:00.

9 Examles of oints on this curve: (0; 1) = 12:00. (0; 1) = 6:00. (1; 0) = 3:00.

10 Examles of oints on this curve: (0; 1) = 12:00. (0; 1) = 6:00. (1; 0) = 3:00. ( 1; 0) = 9:00.

11 Examles of oints on this curve: (0; 1) = 12:00. (0; 1) = 6:00. (1; 0) = 3:00. ( 1; 0) = 9:00. ( 3=4; 1=2) =

12 Examles of oints on this curve: (0; 1) = 12:00. (0; 1) = 6:00. (1; 0) = 3:00. ( 1; 0) = 9:00. ( 3=4; 1=2) = 2:00.

13 Examles of oints on this curve: (0; 1) = 12:00. (0; 1) = 6:00. (1; 0) = 3:00. ( 1; 0) = 9:00. ( 3=4; 1=2) = 2:00. (1=2; 3=4) =

14 Examles of oints on this curve: (0; 1) = 12:00. (0; 1) = 6:00. (1; 0) = 3:00. ( 1; 0) = 9:00. ( 3=4; 1=2) = 2:00. (1=2; 3=4) = 5:00. 3=4) = ( 1=2;

15 Examles of oints on this curve: (0; 1) = 12:00. (0; 1) = 6:00. (1; 0) = 3:00. ( 1; 0) = 9:00. ( 3=4; 1=2) = 2:00. (1=2; 3=4) = 5:00. 3=4) = 7:00. ( 1=2;

16 Examles of oints on this curve: (0; 1) = 12:00. (0; 1) = 6:00. (1; 0) = 3:00. ( 1; 0) = 9:00. ( 3=4; 1=2) = 2:00. (1=2; 3=4) = 5:00. 3=4) = 7:00. ( 1=2; ( 1=2; 1=2) = 1:30. (3=5; 4=5). ( 3=5; 4=5).

17 Examles of oints on this curve: (0; 1) = 12:00. (0; 1) = 6:00. (1; 0) = 3:00. ( 1; 0) = 9:00. ( 3=4; 1=2) = 2:00. (1=2; 3=4) = 5:00. 3=4) = 7:00. ( 1=2; ( 1=2; 1=2) = 1:30. (3=5; 4=5). ( 3=5; 4=5). (3=5; 4=5). ( 3=5; 4=5). (4=5; 3=5). ( 4=5; 3=5). (4=5; 3=5). ( 4=5; 3=5). Many more.

18 Addition on the clock: y neutral = (0; 1) P 1 = (x 1 ; y 1 ) 1 P 2 = (x 2 ; y 2 ) x P 3 = (x 3 ; y 3 ) x 2 + y 2 = 1, arametrized by x = sin, y = cos.

19 Addition on the clock: y neutral = (0; 1) P 1 = (x 1 ; y 1 ) 1 P 2 = (x 2 ; y 2 ) x P 3 = (x 3 ; y 3 ) x 2 + y 2 = 1, arametrized by x = sin, y = cos. Recall (sin( ); cos( )) =

20 Addition on the clock: y neutral = (0; 1) P 1 = (x 1 ; y 1 ) 1 P 2 = (x 2 ; y 2 ) x P 3 = (x 3 ; y 3 ) x 2 + y 2 = 1, arametrized by x = sin, y = cos. Recall (sin( ); cos( )) = (sin 1 cos 2 + cos 1 sin 2 ;

21 Addition on the clock: y neutral = (0; 1) P 1 = (x 1 ; y 1 ) 1 P 2 = (x 2 ; y 2 ) x P 3 = (x 3 ; y 3 ) x 2 + y 2 = 1, arametrized by x = sin, y = cos. Recall (sin( ); cos( )) = (sin 1 cos 2 + cos 1 sin 2 ; cos 1 cos 2 sin 1 sin 2 ).

22 Adding two oints corresonds to adding the angles 1 and 2. Angles modulo 360 are a grou, so oints on clock are a grou. Neutral element: angle = 0; oint (0; 1); 12:00. The oint with = 180 has order 2 and equals 6:00. 3:00 and 9:00 have order 4. Inverse of oint with is oint with since + ( ) = 0. There are many more oints where angle is not nice.

23 Addition on the clock: y neutral = (0; 1) P 1 = (x 1 ; y 1 ) 1 P 2 = (x 2 ; y 2 ) x P 3 = (x 3 ; y 3 ) x 2 + y 2 = 1, arametrized by x = sin, y = cos. Recall (sin( ); cos( )) = (sin 1 cos 2 + cos 1 sin 2 ; cos 1 cos 2 sin 1 sin 2 ).

24 Clock addition without sin, cos: y neutral = (0; 1) P 1 = (x 1 ; y 1 ) P 2 = (x 2 ; y 2 ) x P 3 = (x 3 ; y 3 ) Use Cartesian coordinates for addition. Addition formula for the clock x 2 + y 2 = 1: sum (x 1 ; y 1 ) + (x 2 ; y 2 ) = (x 3 ; y 3 )

25 Clock addition without sin, cos: y neutral = (0; 1) P 1 = (x 1 ; y 1 ) P 2 = (x 2 ; y 2 ) x P 3 = (x 3 ; y 3 ) Use Cartesian coordinates for addition. Addition formula for the clock x 2 + y 2 = 1: sum (x 1 ; y 1 ) + (x 2 ; y 2 ) = (x 3 ; y 3 ) = (x 1 y 2 + y 1 x 2 ; y 1 y 2 x 1 x 2 ). Note (x 1 ; y 1 ) + ( x 1 ; y 1 ) = (0; 1). kp = P + P + + P {z } k coies for k 0.

26 Examles of clock addition: 2:00 + 5:00 = ( 3=4; 1=2) + (1=2; 3=4) = ( 1=2; 3=4) = 7:00. 5:00 + 9:00 = (1=2; 3=4) + ( 1; 0) = ( 3=4; 1=2) = 2: ; 4 24 = ;

27 Examles of clock addition: 2:00 + 5:00 = ( 3=4; 1=2) + (1=2; 3=4) = ( 1=2; 3=4) = 7:00. 5:00 + 9:00 = (1=2; 3=4) + ( 1; 0) = ( 3=4; 1=2) = 2: ; 4 24 = ; ; = ;

28 Examles of clock addition: 2:00 + 5:00 = ( 3=4; 1=2) + (1=2; 3=4) = ( 1=2; 3=4) = 7:00. 5:00 + 9:00 = (1=2; 3=4) + ( 1; 0) = ( 3=4; 1=2) = 2: ; 4 24 = ; ; = ; ; = ;

29 Examles of clock addition: 2:00 + 5:00 = ( 3=4; 1=2) + (1=2; 3=4) = ( 1=2; 3=4) = 7:00. 5:00 + 9:00 = (1=2; 3=4) + ( 1; 0) = ( 3=4; 1=2) = 2: ; 4 24 = ; ; = ; ; = ; (x 1 ; y 1 ) + (0; 1) =

30 Examles of clock addition: 2:00 + 5:00 = ( 3=4; 1=2) + (1=2; 3=4) = ( 1=2; 3=4) = 7:00. 5:00 + 9:00 = (1=2; 3=4) + ( 1; 0) = ( 3=4; 1=2) = 2: ; 4 24 = ; ; = ; ; = ; (x 1 ; y 1 ) + (0; 1) = (x 1 ; y 1 ).

31 Examles of clock addition: 2:00 + 5:00 = ( 3=4; 1=2) + (1=2; 3=4) = ( 1=2; 3=4) = 7:00. 5:00 + 9:00 = (1=2; 3=4) + ( 1; 0) = ( 3=4; 1=2) = 2: ; 4 24 = ; ; = ; ; = ; (x 1 ; y 1 ) + (0; 1) = (x 1 ; y 1 ). (x 1 ; y 1 ) + ( x 1 ; y 1 ) =

32 Examles of clock addition: 2:00 + 5:00 = ( 3=4; 1=2) + (1=2; 3=4) = ( 1=2; 3=4) = 7:00. 5:00 + 9:00 = (1=2; 3=4) + ( 1; 0) = ( 3=4; 1=2) = 2: ; 4 24 = ; ; = ; ; = ; (x 1 ; y 1 ) + (0; 1) = (x 1 ; y 1 ). (x 1 ; y 1 ) + ( x 1 ; y 1 ) = (0; 1).

33 Clocks over finite fields Clock(F 7 ) = (x; y) 2 F7 F 7 : x 2 + y 2 = 1. Here F 7 = f0; 1; 2; 3; 4; 5; 6g = f0; 1; 2; 3; 3; 2; 1g with +; ; modulo 7. E.g. 2 5 = 3 and 3=2 = 5 in F 7.

34 >>> for x in range(7):... for y in range(7):... if (x*x+y*y) % 7 == 1:... rint (x,y)... (0, 1) (0, 6) (1, 0) (2, 2) (2, 5) (5, 2) (5, 5) (6, 0) >>>

35 >>> class F7:... def init (self,x):... self.int = x % 7... def str (self):... return str(self.int)... rer = str... >>> rint F7(2) 2 >>> rint F7(6) 6 >>> rint F7(7) 0 >>> rint F7(10) 3

36 >>> F7. eq = lambda a,b: \... a.int == b.int >>> >>> rint F7(7) == F7(0) True >>> rint F7(10) == F7(3) True >>> rint F7(-3) == F7(4) True >>> rint F7(0) == F7(1) False >>> rint F7(0) == F7(2) False >>> rint F7(0) == F7(3) False

37 >>> F7. add = lambda a,b: \... F7(a.int + b.int) >>> F7. sub = lambda a,b: \... F7(a.int - b.int) >>> F7. mul = lambda a,b: \... F7(a.int * b.int) >>> >>> rint F7(2) + F7(5) 0 >>> rint F7(2) - F7(5) 4 >>> rint F7(2) * F7(5) 3 >>>

38 Larger examle: Clock(F ). = class F:... def clockadd(p1,p2): x1,y1 = P1 x2,y2 = P2 x3 = x1*y2+y1*x2 y3 = y1*y2-x1*x2 return x3,y3

39 >>> P = (F(1000),F(2)) >>> P2 = clockadd(p,p) >>> rint P2 (4000, 7) >>> P3 = clockadd(p2,p) >>> rint P3 (15000, 26) >>> P4 = clockadd(p3,p) >>> P5 = clockadd(p4,p) >>> P6 = clockadd(p5,p) >>> rint P6 (780000, 1351) >>> rint clockadd(p3,p3) (780000, 1351) >>>

40 >>> def scalarmult(n,p):... if n == 0: \... return (F(0),F(1))... if n == 1: return P... Q = scalarmult(n//2,p)... Q = clockadd(q,q)... if n % 2: Q = clockadd(p,q)... return Q... >>> n = oursixdigitsecret >>> scalarmult(n,p) (947472, ) >>> Can you figure out our secret n?

41 Clock crytograhy The Clock Diffie Hellman rotocol : Standardize large rime & base oint (x; y) 2 Clock(F ). Alice chooses big secret a, comutes her ublic key a(x; y). Bob chooses big secret b, comutes his ublic key b (x; y). Alice comutes a(b (x; y)). Bob comutes b (a(x; y)). They use this shared secret to encryt with AES-GCM etc.

42 Alice s secret key a Bob s secret key b Alice s Bob s ublic key ublic key a(x; Y ) b (X; Y ) falice; Bobg s fbob; Aliceg s shared secret = shared secret ab (X; Y ) b a(x; Y )

43 Alice s secret key a Bob s secret key b Alice s Bob s ublic key ublic key a(x; Y ) b (X; Y ) falice; Bobg s fbob; Aliceg s shared secret = shared secret ab (X; Y ) b a(x; Y ) Warning #1: Many are unsafe! Warning #2: Clocks aren t ellitic! To match RSA-3072 security need

44 Warning #3: Attacker sees more than ublic keys a(x; y) and b (x; y). Attacker sees how much time Alice uses to comute a(b (x; y)). Often attacker can see time for each oeration erformed by Alice, not just total time. This reveals secret scalar a. Break by timing attacks, e.g., 2011 Brumley Tuveri.

45 Warning #3: Attacker sees more than ublic keys a(x; y) and b (x; y). Attacker sees how much time Alice uses to comute a(b (x; y)). Often attacker can see time for each oeration erformed by Alice, not just total time. This reveals secret scalar a. Break by timing attacks, e.g., 2011 Brumley Tuveri. Fix: constant-time code, erforming same oerations no matter what scalar is.

46 Exercise How many multilications do you need to comute (x 1 y 2 + y 1 x 2 ; y 1 y 2 x 1 x 2 )? How many multilications do you need to double a oint, i.e. to comute (x 1 y 1 + y 1 x 1 ; y 1 y 1 x 1 x 1 )? How can you otimize the comutation if squarings are cheaer than multilications? Assume S < M < 2S.

47 Addition on an Edwards curve Change the curve on which Alice and Bob work. y neutral = (0; 1) P 1 = (x 1 ; y 1 ) P 2 = (x 2 ; y 2 ) x P 3 = (x 3 ; y 3 ) x 2 + y 2 = 1 30x 2 y 2. Sum of (x 1 ; y 1 ) and (x 2 ; y 2 ) is ((x 1 y 2 +y 1 x 2 )=(1 30x 1 x 2 y 1 y 2 ), (y 1 y 2 x 1 x 2 )=(1+30x 1 x 2 y 1 y 2 )).

48 The clock again, for comarison: y neutral = (0; 1) P 1 = (x 1 ; y 1 ) P 2 = (x 2 ; y 2 ) x P 3 = (x 3 ; y 3 ) x 2 + y 2 = 1. Sum of (x 1 ; y 1 ) and (x 2 ; y 2 ) is (x 1 y 2 + y 1 x 2, y 1 y 2 x 1 x 2 ).

49 Hey, there were divisions in the Edwards addition law! What if the denominators are 0? Answer: They aren t! If x i = 0 or y i = 0 then 1 30x 1 x 2 y 1 y 2 = 1 6= 0. If x 2 + y 2 = 1 30x 2 y 2 then 30x 2 y 2 < 1 so 30 jxyj < 1.

50 Hey, there were divisions in the Edwards addition law! What if the denominators are 0? Answer: They aren t! If x i = 0 or y i = 0 then 1 30x 1 x 2 y 1 y 2 = 1 6= 0. If x 2 + y 2 = 1 30x 2 y 2 then 30x 2 y 2 < 1 so 30 jxyj < 1. If x y2 1 = 1 30x2 1 y2 1 and x y2 2 = 1 30x2 2 y2 2 then 30 jx 1 y 1 j < 1 and 30 jx 2 y 2 j < 1

51 Hey, there were divisions in the Edwards addition law! What if the denominators are 0? Answer: They aren t! If x i = 0 or y i = 0 then 1 30x 1 x 2 y 1 y 2 = 1 6= 0. If x 2 + y 2 = 1 30x 2 y 2 then 30x 2 y 2 < 1 so 30 jxyj < 1. If x y2 1 = 1 30x2 1 y2 1 and x y2 2 = 1 30x2 2 y2 2 then 30 jx 1 y 1 j < 1 and 30 jx 2 y 2 j < 1 so 30 jx 1 y 1 x 2 y 2 j < 1 so 1 30x 1 x 2 y 1 y 2 > 0.

52 The Edwards addition law (x 1 ; y 1 ) + (x 2 ; y 2 ) = ((x 1 y 2 +y 1 x 2 )=(1 30x 1 x 2 y 1 y 2 ), (y 1 y 2 x 1 x 2 )=(1+30x 1 x 2 y 1 y 2 )) is a grou law for the curve x 2 + y 2 = 1 30x 2 y 2. Some calculation required: addition result is on curve; addition law is associative. Other arts of roof are easy: addition law is commutative; (0; 1) is neutral element; (x 1 ; y 1 ) + ( x 1 ; y 1 ) = (0; 1).

53 Edwards curves mod Choose an odd rime. Choose a non-square d 2 F. f(x; y) 2 F F : x 2 + y 2 = 1 + dx 2 y 2 g is a comlete Edwards curve. Roughly + 1 airs (x; y). def edwardsadd(p1,p2): x1,y1 = P1 x2,y2 = P2 x3 = (x1*y2+y1*x2)/ \ (1+d*x1*x2*y1*y2) y3 = (y1*y2-x1*x2)/ \ (1-d*x1*x2*y1*y2) return x3,y3

54 Denominators are never 0. But need different roof; x 2 + y 2 > 0 doesn t work.

55 Denominators are never 0. But need different roof; x 2 + y 2 > 0 doesn t work. Answer: Can rove that the denominators are never 0. Addition law is comlete.

56 Denominators are never 0. But need different roof; x 2 + y 2 > 0 doesn t work. Answer: Can rove that the denominators are never 0. Addition law is comlete. This roof relies on choosing non-square d.

57 Denominators are never 0. But need different roof; x 2 + y 2 > 0 doesn t work. Answer: Can rove that the denominators are never 0. Addition law is comlete. This roof relies on choosing non-square d. If we instead choose square d: curve is still ellitic, and addition seems to work, but there are failure cases, often exloitable by attackers. Safe code is more comlicated.

58 Edwards curves are cool

59 ECDSA Users can sign messages using Edwards curves. Take a oint P on an Edwards curve modulo a rime > 2. ECDSA signer needs to know the order of P. There are only finitely many other oints; about in total. Adding P to itself will eventually reach (0; 1); let ` be the smallest integer > 0 with `P = (0; 1). This ` is the order of P.

60 The signature scheme has as system arameters a curve E; a base oint P ; and a hash function h with outut length at least blog 2 `c + 1. Alice s secret key is an integer a and her ublic key is P = A ap. To sign message m, Alice comutes h(m); icks random k; comutes R = kp = (x 1 ; y 1 ); uts r y 1 mod `; comutes s k 1 (h(m) + r a) mod `. The signature on m is (r; s).

61 Anybody can verify signature given m and (r; s): Comute w 1 s 1 h(m) mod ` and w 2 s 1 r mod `. Check whether the y-coordinate of w 1 P + w 2 P equals A r modulo ` and if so, accet signature. Alice s signatures are valid: w 1 P + w 2 P = A (s 1 h(m))p + (s 1 r)p = A (s 1 (h(m) + ra))p = kp and so the y-coordinate of this exression equals r, the y-coordinate of kp.

62 Attacker s view on signatures Anybody can roduce an R = kp. Alice s rivate key is only used in s k 1 (h(m) + r a) mod `. Can fake signatures if one can break the DLP, i.e., if one can comute a from P. A Most of this course deals with methods for breaking DLPs. Sometimes attacks are easier: : :

63 If k is known for some m; (r; s) then a (sk h(m))=r mod `. If two signatures m 1 ; (r; s 1 ) and m 2 ; (r; s 2 ) have the same value for r: assume k 1 = k 2 ; observe s 1 s 2 = k 1 1 (h(m 1) + ra (h(m 2 ) + ra)); comute k = (s 1 s 2 )=(h(m 1 ) h(m 2 )). Continue as above. If bits of many k s are known (biased PRNG) can attack s k 1 (h(m) + r a) mod ` as hidden number roblem using lattice basis reduction.

64 Malicious signer Alice can set u her ublic key so that two messages of her choice share the same signature, i.e., she can claim to have signed m 1 or m 2 at will: R = (x 1 ; y 1 ) and R = ( x 1 ; y 1 ) have the same y-coordinate. Thus, (r; s) fits R = kp, s k 1 (h(m 1 ) + ra) mod ` and R = ( k)p, s k 1 (h(m 2 ) + ra) mod ` if a (h(m 1 )+h(m 2 ))=2r mod `.

65 Malicious signer Alice can set u her ublic key so that two messages of her choice share the same signature, i.e., she can claim to have signed m 1 or m 2 at will: R = (x 1 ; y 1 ) and R = ( x 1 ; y 1 ) have the same y-coordinate. Thus, (r; s) fits R = kp, s k 1 (h(m 1 ) + ra) mod ` and R = ( k)p, s k 1 (h(m 2 ) + ra) mod ` if a (h(m 1 )+h(m 2 ))=2r mod `. (Easy tweak: include bit of x 1.)

Elliptic curves. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Bernstein

Elliptic curves. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Bernstein Elliptic curves Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein Diffie-Hellman key exchange Pick some generator. Diffie-Hellman key exchange Pick some generator. Diffie-Hellman