Loop-abort faults on supersingular isogeny cryptosystems

Similar documents
Loop-abort faults on supersingular isogeny cryptosystems

Side-Channel Attacks on Quantum-Resistant Supersingular Isogeny Diffie-Hellman

You could have invented Supersingular Isogeny Diffie-Hellman

Isogenies in a quantum world

Elliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography

A gentle introduction to isogeny-based cryptography

Supersingular Isogeny Key Encapsulation

An introduction to supersingular isogeny-based cryptography

Genus Two Isogeny Cryptography

Supersingular Isogeny Key Encapsulation (SIKE)


A Post-Quantum Digital Signature Scheme based on Supersingular Isogenies

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Isogeny graphs of abelian varieties and applications to the Discrete Logarithm Problem

Parametrizations for Families of ECM-Friendly Curves

Explicit Complex Multiplication

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography

Fast, twist-secure elliptic curve cryptography from Q-curves

The isogeny cycle seminar

Side-Channel Attacks on Quantum-Resistant Supersingular Isogeny Die-Hellman

Post-quantum security models for authenticated encryption

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Winter 2011 Josh Benaloh Brian LaMacchia

Non-generic attacks on elliptic curve DLPs

ON ISOGENY GRAPHS OF SUPERSINGULAR ELLIPTIC CURVES OVER FINITE FIELDS

Lecture 1: Introduction to Public key cryptography

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Mappings of elliptic curves

Hard and Easy Problems for Supersingular Isogeny Graphs

CSIDH: An Efficient Post-Quantum Commutative Group Action

Quantum-resistant cryptography

Elliptic Curves. Giulia Mauri. Politecnico di Milano website:

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

On hybrid SIDH schemes using Edwards and Montgomery curve arithmetic

Advanced Cryptography Quantum Algorithms Christophe Petit

Supersingular isogeny graphs and endomorphism rings: reductions and solutions

Efficient Finite Field Multiplication for Isogeny Based Post Quantum Cryptography

A quantum algorithm for computing isogenies between supersingular elliptic curves

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

CPSC 467b: Cryptography and Computer Security

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Lecture 7: ElGamal and Discrete Logarithms

Elliptic Curve Computations (1) View the graph and an elliptic curve Graph the elliptic curve y 2 = x 3 x over the real number field R.

Introduction to Elliptic Curve Cryptography. Anupam Datta

An Introduction to Pairings in Cryptography

Efficient Finite Field Multiplication for Isogeny Based Post Quantum Cryptography

Chapter 8 Public-key Cryptography and Digital Signatures

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Counting points on genus 2 curves over finite

Discrete Logarithm Problem

Current trends and challenges in post-quantum cryptography. Steven Galbraith University of Auckland, New Zealand

Fault Attacks Against Lattice-Based Signatures

MATH 158 FINAL EXAM 20 DECEMBER 2016

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

Secure and Practical Identity-Based Encryption

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Asymmetric Pairings. Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp)

Asymmetric Encryption

Faster Algorithms for Isogeny Problems using Torsion Point Images

Cryptographical Security in the Quantum Random Oracle Model

MATH UN Midterm 2 November 10, 2016 (75 minutes)

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

NEON-SIDH: Ecient Implementation of Supersingular Isogeny Die-Hellman Key Exchange Protocol on ARM

Fraud within Asymmetric Multi-Hop Cellular Networks

Introduction to Quantum Safe Cryptography. ENISA September 2018

PARAMETRIZATIONS FOR FAMILIES OF ECM-FRIENDLY CURVES

Quantum Security Analysis of CSIDH and Ordinary Isogeny-based Schemes

Evaluating Large Degree Isogenies between Elliptic Curves

The odd couple: MQV and HMQV

A message recovery signature scheme equivalent to DSA over elliptic curves

Practical Supersingular Isogeny Group Key Agreement

Elliptic Curve Cryptosystems

A Dierential Power Analysis attack against the Miller's Algorithm

Side-channel analysis in code-based cryptography

Public Key Cryptography

Overview. Public Key Algorithms II

ON THE COST OF COMPUTING ISOGENIES BETWEEN SUPERSINGULAR ELLIPTIC CURVES

Computing modular polynomials with the Chinese Remainder Theorem

SJÄLVSTÄNDIGA ARBETEN I MATEMATIK

Lecture Notes, Week 6

Identification Protocols and Signature Schemes Based on Supersingular Isogeny Problems

dit-upm RSA Cybersecurity Cryptography

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

Elliptic Curve Discrete Logarithm Problem

Public key exchange using semidirect product of (semi)groups

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

Question: Total Points: Score:

Suppose F is a field and a1,..., a6 F. Definition 1. An elliptic curve E over a field F is a curve given by an equation:

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

Algorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97

Notes for Lecture 17

Digital Signatures. p1.

Lecture V : Public Key Cryptography

Evitando ataques Side-Channel mediante el cálculo de curvas isógenas e isomorfas

RSA. Ramki Thurimella

TOWARDS QUANTUM-RESISTANT CRYPTOSYSTEMS FROM SUPERSINGULAR ELLIPTIC CURVE ISOGENIES

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Transcription:

Loop-abort faults on supersingular isogeny cryptosystems Alexandre Gélin Benjamin Wesolowski Laboratoire d Informatique de Paris 6 Sorbonne Universités UPMC, France École Polytechnique Fédérale de Lausanne, EPFL IC LACAL, Switzerland PQCrypto 2017 Utrecht 2017/06/26

Supersingular-Isogeny Public-key Cryptography Introduced by Jao, De Feo, and Plût in 2011

Supersingular-Isogeny Public-key Cryptography Introduced by Jao, De Feo, and Plût in 2011 Based on the same problem as the hash function of [CLG06]

Supersingular-Isogeny Public-key Cryptography Introduced by Jao, De Feo, and Plût in 2011 Based on the same problem as the hash function of [CLG06] The isogeny graph of a supersingular elliptic curve:

Supersingular-Isogeny Public-key Cryptography Introduced by Jao, De Feo, and Plût in 2011 Based on the same problem as the hash function of [CLG06] The isogeny graph of a supersingular elliptic curve:

Supersingular elliptic curves Definition A supersingular elliptic curve is a curve E defined over F p k ( ) #E F p k = 1 mod p. such that

Supersingular elliptic curves Definition A supersingular elliptic curve is a curve E defined over F p k ( ) #E F p k = 1 mod p. such that Interesting properties: All supersingular elliptic curves can be defined over F p 2 About p 12 supersingular elliptic curves, up to isomorphism

Isogenies Definition An isogeny φ between two elliptic curves E 1 and E 2 is a surjective group homomorphism with a finite kernel. The degree is defined by degφ = #Ker φ.

Isogenies Definition An isogeny φ between two elliptic curves E 1 and E 2 is a surjective group homomorphism with a finite kernel. The degree is defined by degφ = #Ker φ. Interesting properties: G E 1 = a unique E 2 and φ such that φ : E 1 E 2 and Ker φ = G E 2 = E/G is obtained in O ( degφ )

Key-Exchange Protocol A prime p such that p + 1 = l n A lm B

A supersingular elliptic curve E with l n A lm B points E Key-Exchange Protocol A prime p such that p + 1 = l n A lm B

Key-Exchange Protocol A prime p such that p + 1 = l n A lm B A supersingular elliptic curve E with l n A lm B points A point R A chosen randomly in E [ l n A ] E

Key-Exchange Protocol A prime p such that p + 1 = l n A lm B A supersingular elliptic curve E with l n A lm B A point R A chosen randomly in E [ l n A (m A,n A ) {1,...,l n A }2 random, R A = m A P A + n A Q A for P A,Q A = E [ l n ] A ] points E

Key-Exchange Protocol A prime p such that p + 1 = l n A lm B A supersingular elliptic curve E with l n A lm B A point R A chosen randomly in E [ l n A (m A,n A ) {1,...,l n A }2 random, R A = m A P A + n A Q A for P A,Q A = E [ l n ] A ] points φ A E = the curve E A = E/ R A and φ A : E E A E A

Key-Exchange Protocol A prime p such that p + 1 = l n A lm B A supersingular elliptic curve E with l n A lm B A point R A chosen randomly in E [ l n A (m A,n A ) {1,...,l n A }2 random, R A = m A P A + n A Q A for P A,Q A = E [ l n ] A ] points φ A E φ B = the curve E A = E/ R A and φ A : E E A E A E B A point R B = m B P B + n B Q B random in E [ l m ] B = PB,Q B, the curve E B = E/ R B and φ B : E E B

Key-Exchange Protocol Bob sends ( E B,φ B (P A ),φ B (Q A ) ) where φ B (P A ),φ B (Q A ) = E B [l n A ] φ A E φ B E A E B

Key-Exchange Protocol Bob sends ( E B,φ B (P A ),φ B (Q A ) ) where φ B (P A ),φ B (Q A ) = E B [l n A ] φ A E φ B Alice computes E AB = E B / m A φ B (P A ) + n A φ B (Q A ) E A E B E AB

Key-Exchange Protocol Bob sends ( E B,φ B (P A ),φ B (Q A ) ) where φ B (P A ),φ B (Q A ) = E B [l n A ] φ A E φ B Alice computes E AB = E B / m A φ B (P A ) + n A φ B (Q A ) Bob computes E BA = E A / m B φ A (P B ) + n B φ A (Q B ) E A E B E AB

Key-Exchange Protocol Bob sends ( E B,φ B (P A ),φ B (Q A ) ) where φ B (P A ),φ B (Q A ) = E B [l n A ] φ A E φ B Alice computes E AB = E B / m A φ B (P A ) + n A φ B (Q A ) Bob computes E BA = E A / m B φ A (P B ) + n B φ A (Q B ) E A E B E AB E/ R A,R B E BA so j(e AB ) = j(e BA ) E AB

Key-Exchange Protocol Bob sends ( E B,φ B (P A ),φ B (Q A ) ) where φ B (P A ),φ B (Q A ) = E B [l n A ] φ A E φ B Alice computes E AB = E B / m A φ B (P A ) + n A φ B (Q A ) Bob computes E BA = E A / m B φ A (P B ) + n B φ A (Q B ) E A E B E AB E/ R A,R B E BA so j(e AB ) = j(e BA ) = j(e AB ) secret shared by Alice and Bob E AB

Position of the problem Path-finding problem Given two isogenous curves E 1 and E 2, find an isogeny between them of degree l n A.

Position of the problem Path-finding problem Given two isogenous curves E 1 and E 2, find an isogeny between them of degree l n A. Equivalent to find a path of fixed length in the isogeny graph

Position of the problem Path-finding problem Given two isogenous curves E 1 and E 2, find an isogeny between them of degree l n A. Equivalent to find a path of fixed length in the isogeny graph Brute-force attack in O ( l n A ) O ( p )

Position of the problem Path-finding problem Given two isogenous curves E 1 and E 2, find an isogeny between them of degree l n A. Equivalent to find a path of fixed length in the isogeny graph Brute-force attack in O ( l n A ) O ( p ) ) Claw finding: Find a collision in O (l n 2 A O ( 4 p )

Attack framework Alice uses a static private key (m A,n A ) E φ A φ B E A E B E AB

Attack framework Alice uses a static private key (m A,n A ) = E A and φ A can be precomputed E φ A φ B E A E B E AB

Attack framework Alice uses a static private key (m A,n A ) = E A and φ A can be precomputed E The attacker plays the role of Bob φ A φ B E A E B E AB

Attack framework Alice uses a static private key (m A,n A ) = E A and φ A can be precomputed E The attacker plays the role of Bob φ A φ B Focus on the isogeny from E B to E B / m A P A + n AQ A, where P A = φ B(P A ) and Q A = φ B(Q A ) E A E B E AB

Attack framework Alice uses a static private key (m A,n A ) = E A and φ A can be precomputed E The attacker plays the role of Bob φ A φ B Focus on the isogeny from E B to E B / m A P A + n AQ A, where P A = φ B(P A ) and Q A = φ B(Q A ) Previous active attack [GPST16]: E A E B Idea: Provide dishonest points ( P A, Q A ) instead of (P A,Q A ) E AB

Attack framework Alice uses a static private key (m A,n A ) = E A and φ A can be precomputed E The attacker plays the role of Bob φ A φ B Focus on the isogeny from E B to E B / m A P A + n AQ A, where P A = φ B(P A ) and Q A = φ B(Q A ) Previous active attack [GPST16]: E A E B Idea: Provide dishonest points ( P A, Q A ) instead of (P A,Q A ) Countermeasure: Validation method verifies the correctness of the inputs (Fujisaki-Okamoto transform) E AB

How is computed the isogeny? Degree l n A : Vélu s formulae O( l n A )

How is computed the isogeny? Degree l n A : Vélu s formulae O( l n A Decompose and iterate n O(l A ) ) E B = E 0 E 1 E n 1 E n = E AB where each is a degree-l A isogeny

How is computed the isogeny? Degree l n A : Vélu s formulae O( l n A Decompose and iterate n O(l A ) ) E B = E 0 E 1 E n 1 E n = E AB where each is a degree-l A isogeny R 0 = m A P A + n AQ A and for 1 k n 1, E k+1 = E k / l n k 1 A R k φ k+1 : E k E k+1 R k+1 = φ k+1 (R k )

How is computed the isogeny? Degree l n A : Vélu s formulae O( l n A Decompose and iterate n O(l A ) ) E B = E 0 E 1 E n 1 E n = E AB where each is a degree-l A isogeny R 0 = m A P A + n AQ A and for 1 k n 1, E k+1 = E k / l n k 1 A R k φ k+1 : E k E k+1 R k+1 = φ k+1 (R k ) E n = E AB = E B / R 0 and φ = φ n φ 1

Loop-abort fault attacks Introduced for pairing-based cryptography Used recently in the context of lattice-based signature schemes

Loop-abort fault attacks Introduced for pairing-based cryptography Used recently in the context of lattice-based signature schemes Inject a fault that induces an early-abort in the loop

Loop-abort fault attacks Introduced for pairing-based cryptography Used recently in the context of lattice-based signature schemes Inject a fault that induces an early-abort in the loop Proven feasible in practice [Blömer et al.]

Loop-abort fault attacks Introduced for pairing-based cryptography Used recently in the context of lattice-based signature schemes Inject a fault that induces an early-abort in the loop Proven feasible in practice [Blömer et al.] Implementations of SIDH on embedded devices already exist

The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes

The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A )

The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1

The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1 if m a is even, then Ker φ 1 = 2 n 1 Q A

The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1 if m a is even, then Ker φ 1 = 2 n 1 Q A if n a is even, then Ker φ 1 = 2 n 1 P A

The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1 if m a is even, then Ker φ 1 = 2 n 1 Q A if n a is even, then Ker φ 1 = 2 n 1 P A if both are odd, then Ker φ 1 = 2 n 1 (P A + Q A )

The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1 if m a is even, then Ker φ 1 = 2 n 1 Q A = (m A,n A ) equivalent to (a,1) for a = m A n A and a even if n a is even, then Ker φ 1 = 2 n 1 P A if both are odd, then Ker φ 1 = 2 n 1 (P A + Q A )

The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1 if m a is even, then Ker φ 1 = 2 n 1 Q A = (m A,n A ) equivalent to (a,1) for a = m A n A and a even if n a is even, then Ker φ 1 = 2 n 1 P A = (m A,n A ) equivalent to (1,a) for a = n A m A if both are odd, then Ker φ 1 = 2 n 1 (P A + Q A ) and a even

The attack l A = 2 Need an oracle to compare Alice s outputs with what the attacker computes After k iterations, Alice has computed the intermediate curve E k = E B / 2 n k (m A P A + n AQ A ) Guess strategy: first step, k = 1 if m a is even, then Ker φ 1 = 2 n 1 Q A = (m A,n A ) equivalent to (a,1) for a = m A n A and a even if n a is even, then Ker φ 1 = 2 n 1 P A = (m A,n A ) equivalent to (1,a) for a = n A m A if both are odd, then Ker φ 1 = 2 n 1 (P A + Q A ) = (m A,n A ) equivalent to (1,a) for a = n A m A and a even and a odd

The attack l A = 2 Subsequent steps: we assume the key of the form (1,a)

The attack l A = 2 Subsequent steps: we assume the key of the form (1,a) We know the k 1 least significant bits

The attack l A = 2 Subsequent steps: we assume the key of the form (1,a) We know the k 1 least significant bits The k-th bit is either 0 or 1, i.e., / ( ) E k = E B 2 n k P A + (a mod 2k 1 )Q A or E k = E B / 2 n k ( P A + (a mod 2k 1 + 2 k 1 )Q A )

The attack l A = 2 Subsequent steps: we assume the key of the form (1,a) We know the k 1 least significant bits The k-th bit is either 0 or 1, i.e., / ( ) E k = E B 2 n k P A + (a mod 2k 1 )Q A or E k = E B / 2 n k ( P A + (a mod 2k 1 + 2 k 1 )Q A ) Make a guess and recover the k-th bit of a

The attack l A = 2 Subsequent steps: we assume the key of the form (1,a) We know the k 1 least significant bits The k-th bit is either 0 or 1, i.e., / ( ) E k = E B 2 n k P A + (a mod 2k 1 )Q A or E k = E B / 2 n k ( P A + (a mod 2k 1 + 2 k 1 )Q A ) Make a guess and recover the k-th bit of a Conclusion: full-key recovery by iterating this process

Analysis n bits recovered in n interactions with the victim = n faults injected

Analysis n bits recovered in n interactions with the victim = n faults injected if the success probability µ of the fault injection is not 1,

Analysis n bits recovered in n interactions with the victim = n faults injected if the success probability µ of the fault injection is not 1, about n µ faults injected if the success can be detected

Analysis n bits recovered in n interactions with the victim = n faults injected if the success probability µ of the fault injection is not 1, about n µ about 2n µ faults injected if the success can be detected otherwise

Analysis n bits recovered in n interactions with the victim = n faults injected if the success probability µ of the fault injection is not 1, about n µ about 2n µ faults injected if the success can be detected otherwise Alternative with less faults assuming a stronger oracle

Thanks Bedankt

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback