Loop-abort faults on supersingular isogeny cryptosystems Alexandre Gélin Benjamin Wesolowski Laboratoire d Informatique de Paris 6 Sorbonne Universités UPMC, France École Polytechnique Fédérale de Lausanne, EPFL IC LACAL, Switzerland PQCrypto 2017 Utrecht 2017/06/26
Supersingular-Isogeny Public-key Cryptography Introduced by Jao, De Feo, and Plût in 2011
Supersingular-Isogeny Public-key Cryptography Introduced by Jao, De Feo, and Plût in 2011 Based on the same problem as the hash function of [CLG06]
Supersingular-Isogeny Public-key Cryptography Introduced by Jao, De Feo, and Plût in 2011 Based on the same problem as the hash function of [CLG06] The isogeny graph of a supersingular elliptic curve:
Supersingular-Isogeny Public-key Cryptography Introduced by Jao, De Feo, and Plût in 2011 Based on the same problem as the hash function of [CLG06] The isogeny graph of a supersingular elliptic curve:
Supersingular elliptic curves Definition A supersingular elliptic curve is a curve E defined over F p k ( ) #E F p k = 1 mod p. such that
Supersingular elliptic curves Definition A supersingular elliptic curve is a curve E defined over F p k ( ) #E F p k = 1 mod p. such that Interesting properties: All supersingular elliptic curves can be defined over F p 2 About p 12 supersingular elliptic curves, up to isomorphism
Isogenies Definition An isogeny φ between two elliptic curves E 1 and E 2 is a surjective group homomorphism with a finite kernel. The degree is defined by degφ = #Ker φ.
Isogenies Definition An isogeny φ between two elliptic curves E 1 and E 2 is a surjective group homomorphism with a finite kernel. The degree is defined by degφ = #Ker φ. Interesting properties: G E 1 = a unique E 2 and φ such that φ : E 1 E 2 and Ker φ = G E 2 = E/G is obtained in O ( degφ )
Key-Exchange Protocol A prime p such that p + 1 = l n A lm B
A supersingular elliptic curve E with l n A lm B points E Key-Exchange Protocol A prime p such that p + 1 = l n A lm B
Key-Exchange Protocol A prime p such that p + 1 = l n A lm B A supersingular elliptic curve E with l n A lm B points A point R A chosen randomly in E [ l n A ] E
Key-Exchange Protocol A prime p such that p + 1 = l n A lm B A supersingular elliptic curve E with l n A lm B A point R A chosen randomly in E [ l n A (m A,n A ) {1,...,l n A }2 random, R A = m A P A + n A Q A for P A,Q A = E [ l n ] A ] points E
Key-Exchange Protocol A prime p such that p + 1 = l n A lm B A supersingular elliptic curve E with l n A lm B A point R A chosen randomly in E [ l n A (m A,n A ) {1,...,l n A }2 random, R A = m A P A + n A Q A for P A,Q A = E [ l n ] A ] points φ A E = the curve E A = E/ R A and φ A : E E A E A
Key-Exchange Protocol A prime p such that p + 1 = l n A lm B A supersingular elliptic curve E with l n A lm B A point R A chosen randomly in E [ l n A (m A,n A ) {1,...,l n A }2 random, R A = m A P A + n A Q A for P A,Q A = E [ l n ] A ] points φ A E φ B = the curve E A = E/ R A and φ A : E E A E A E B A point R B = m B P B + n B Q B random in E [ l m ] B = PB,Q B, the curve E B = E/ R B and φ B : E E B
Key-Exchange Protocol Bob sends ( E B,φ B (P A ),φ B (Q A ) ) where φ B (P A ),φ B (Q A ) = E B [l n A ] φ A E φ B E A E B
Key-Exchange Protocol Bob sends ( E B,φ B (P A ),φ B (Q A ) ) where φ B (P A ),φ B (Q A ) = E B [l n A ] φ A E φ B Alice computes E AB = E B / m A φ B (P A ) + n A φ B (Q A ) E A E B E AB
Key-Exchange Protocol Bob sends ( E B,φ B (P A ),φ B (Q A ) ) where φ B (P A ),φ B (Q A ) = E B [l n A ] φ A E φ B Alice computes E AB = E B / m A φ B (P A ) + n A φ B (Q A ) Bob computes E BA = E A / m B φ A (P B ) + n B φ A (Q B ) E A E B E AB
Key-Exchange Protocol Bob sends ( E B,φ B (P A ),φ B (Q A ) ) where φ B (P A ),φ B (Q A ) = E B [l n A ] φ A E φ B Alice computes E AB = E B / m A φ B (P A ) + n A φ B (Q A ) Bob computes E BA = E A / m B φ A (P B ) + n B φ A (Q B ) E A E B E AB E/ R A,R B E BA so j(e AB ) = j(e BA ) E AB
Key-Exchange Protocol Bob sends ( E B,φ B (P A ),φ B (Q A ) ) where φ B (P A ),φ B (Q A ) = E B [l n A ] φ A E φ B Alice computes E AB = E B / m A φ B (P A ) + n A φ B (Q A ) Bob computes E BA = E A / m B φ A (P B ) + n B φ A (Q B ) E A E B E AB E/ R A,R B E BA so j(e AB ) = j(e BA ) = j(e AB ) secret shared by Alice and Bob E AB
Position of the problem Path-finding problem Given two isogenous curves E 1 and E 2, find an isogeny between them of degree l n A.
Position of the problem Path-finding problem Given two isogenous curves E 1 and E 2, find an isogeny between them of degree l n A. Equivalent to find a path of fixed length in the isogeny graph
Position of the problem Path-finding problem Given two isogenous curves E 1 and E 2, find an isogeny between them of degree l n A. Equivalent to find a path of fixed length in the isogeny graph Brute-force attack in O ( l n A ) O ( p )
Position of the problem Path-finding problem Given two isogenous curves E 1 and E 2, find an isogeny between them of degree l n A. Equivalent to find a path of fixed length in the isogeny graph Brute-force attack in O ( l n A ) O ( p ) ) Claw finding: Find a collision in O (l n 2 A O ( 4 p )
Attack framework Alice uses a static private key (m A,n A ) E φ A φ B E A E B E AB
Attack framework Alice uses a static private key (m A,n A ) = E A and φ A can be precomputed E φ A φ B E A E B E AB
Attack framework Alice uses a static private key (m A,n A ) = E A and φ A can be precomputed E The attacker plays the role of Bob φ A φ B E A E B E AB
Attack framework Alice uses a static private key (m A,n A ) = E A and φ A can be precomputed E The attacker plays the role of Bob φ A φ B Focus on the isogeny from E B to E B / m A P A + n AQ A, where P A = φ B(P A ) and Q A = φ B(Q A ) E A E B E AB
Attack framework Alice uses a static private key (m A,n A ) = E A and φ A can be precomputed E The attacker plays the role of Bob φ A φ B Focus on the isogeny from E B to E B / m A P A + n AQ A, where P A = φ B(P A ) and Q A = φ B(Q A ) Previous active attack [GPST16]: E A E B Idea: Provide dishonest points ( P A, Q A ) instead of (P A,Q A ) E AB
Attack framework Alice uses a static private key (m A,n A ) = E A and φ A can be precomputed E The attacker plays the role of Bob φ A φ B Focus on the isogeny from E B to E B / m A P A + n AQ A, where P A = φ B(P A ) and Q A = φ B(Q A ) Previous active attack [GPST16]: E A E B Idea: Provide dishonest points ( P A, Q A ) instead of (P A,Q A ) Countermeasure: Validation method verifies the correctness of the inputs (Fujisaki-Okamoto transform) E AB
How is computed the isogeny? Degree l n A : Vélu s formulae O( l n A )
How is computed the isogeny? Degree l n A : Vélu s formulae O( l n A Decompose and iterate n O(l A ) ) E B = E 0 E 1 E n 1 E n = E AB where each is a degree-l A isogeny
How is computed the isogeny? Degree l n A : Vélu s formulae O( l n A Decompose and iterate n O(l A ) ) E B = E 0 E 1 E n 1 E n = E AB where each is a degree-l A isogeny R 0 = m A P A + n AQ A and for 1 k n 1, E k+1 = E k / l n k 1 A R k φ k+1 : E k E k+1 R k+1 = φ k+1 (R k )
How is computed the isogeny? Degree l n A : Vélu s formulae O( l n A Decompose and iterate n O(l A ) ) E B = E 0 E 1 E n 1 E n = E AB where each is a degree-l A isogeny R 0 = m A P A + n AQ A and for 1 k n 1, E k+1 = E k / l n k 1 A R k φ k+1 : E k E k+1 R k+1 = φ k+1 (R k ) E n = E AB = E B / R 0 and φ = φ n φ 1
Loop-abort fault attacks Introduced for pairing-based cryptography Used recently in the context of lattice-based signature schemes
Loop-abort fault attacks Introduced for pairing-based cryptography Used recently in the context of lattice-based signature schemes Inject a fault that induces an early-abort in the loop
Loop-abort fault attacks Introduced for pairing-based cryptography Used recently in the context of lattice-based signature schemes Inject a fault that induces an early-abort in the loop Proven feasible in practice [Blömer et al.]
Loop-abort fault attacks Introduced for pairing-based cryptography Used recently in the context of lattice-based signature schemes Inject a fault that induces an early-abort in the loop Proven feasible in practice [Blömer et al.] Implementations of SIDH on embedded devices already exist
The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes
The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A )
The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1
The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1 if m a is even, then Ker φ 1 = 2 n 1 Q A
The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1 if m a is even, then Ker φ 1 = 2 n 1 Q A if n a is even, then Ker φ 1 = 2 n 1 P A
The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1 if m a is even, then Ker φ 1 = 2 n 1 Q A if n a is even, then Ker φ 1 = 2 n 1 P A if both are odd, then Ker φ 1 = 2 n 1 (P A + Q A )
The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1 if m a is even, then Ker φ 1 = 2 n 1 Q A = (m A,n A ) equivalent to (a,1) for a = m A n A and a even if n a is even, then Ker φ 1 = 2 n 1 P A if both are odd, then Ker φ 1 = 2 n 1 (P A + Q A )
The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1 if m a is even, then Ker φ 1 = 2 n 1 Q A = (m A,n A ) equivalent to (a,1) for a = m A n A and a even if n a is even, then Ker φ 1 = 2 n 1 P A = (m A,n A ) equivalent to (1,a) for a = n A m A if both are odd, then Ker φ 1 = 2 n 1 (P A + Q A ) and a even
The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1 if m a is even, then Ker φ 1 = 2 n 1 Q A = (m A,n A ) equivalent to (a,1) for a = m A n A and a even if n a is even, then Ker φ 1 = 2 n 1 P A = (m A,n A ) equivalent to (1,a) for a = n A m A if both are odd, then Ker φ 1 = 2 n 1 (P A + Q A ) = (m A,n A ) equivalent to (1,a) for a = n A m A and a even and a odd
The attack l A = 2 Subsequent steps: we assume the key of the form (1,a)
The attack l A = 2 Subsequent steps: we assume the key of the form (1,a) We know the k 1 least significant bits
The attack l A = 2 Subsequent steps: we assume the key of the form (1,a) We know the k 1 least significant bits The k-th bit is either 0 or 1, i.e., / ( ) E k = E B 2 n k P A + (a mod 2k 1 )Q A or E k = E B / 2 n k ( P A + (a mod 2k 1 + 2 k 1 )Q A )
The attack l A = 2 Subsequent steps: we assume the key of the form (1,a) We know the k 1 least significant bits The k-th bit is either 0 or 1, i.e., / ( ) E k = E B 2 n k P A + (a mod 2k 1 )Q A or E k = E B / 2 n k ( P A + (a mod 2k 1 + 2 k 1 )Q A ) Make a guess and recover the k-th bit of a
The attack l A = 2 Subsequent steps: we assume the key of the form (1,a) We know the k 1 least significant bits The k-th bit is either 0 or 1, i.e., / ( ) E k = E B 2 n k P A + (a mod 2k 1 )Q A or E k = E B / 2 n k ( P A + (a mod 2k 1 + 2 k 1 )Q A ) Make a guess and recover the k-th bit of a Conclusion: full-key recovery by iterating this process
Analysis n bits recovered in n interactions with the victim = n faults injected
Analysis n bits recovered in n interactions with the victim = n faults injected if the success probability µ of the fault injection is not 1,
Analysis n bits recovered in n interactions with the victim = n faults injected if the success probability µ of the fault injection is not 1, about n µ faults injected if the success can be detected
Analysis n bits recovered in n interactions with the victim = n faults injected if the success probability µ of the fault injection is not 1, about n µ about 2n µ faults injected if the success can be detected otherwise
Analysis n bits recovered in n interactions with the victim = n faults injected if the success probability µ of the fault injection is not 1, about n µ about 2n µ faults injected if the success can be detected otherwise Alternative with less faults assuming a stronger oracle
Thanks Bedankt