Singular curve point decompression attack Peter Günther joint work with Johannes Blömer University of Paderborn FDTC 2015, September 13th, Saint Malo Peter Günther (UPB) Decompression Attack FDTC 2015 1 / 18
Elliptic curves Example: E(R) : y 2 = x 3 3x + 3 y Elliptic curve E(K) Points (x, y) K 2 that fulfill y 2 = x 3 + a 4 x + a 6 with a 4, a 6 K and discriminant x := 16(4a 3 4 + 27a 2 6) 0. Peter Günther (UPB) Decompression Attack FDTC 2015 2 / 18
Elliptic curves as additive group Example: E(R) : y 2 = x 3 3x + 3 y P T Group operation independent from a 6 : x λ = y P y T x P x T x P+T = λ 2 x P x T y P+T = λ(x P x P+T ) y P T + P Peter Günther (UPB) Decompression Attack FDTC 2015 3 / 18
Elliptic curves as additive group Example: E(R) : y 2 = x 3 3x + 3 y P T Group operation independent from a 6 : x λ = 3x T + a 4 2y T x 2T = λ 2 2x T 2T y 2T = λ(x T x 2T ) y T Peter Günther (UPB) Decompression Attack FDTC 2015 3 / 18
Elliptic curve scalar multiplication and DLOG Scalar multiplication: s N, P E(F q ): sp := P + P + + P (s times) P sp s Peter Günther (UPB) Decompression Attack FDTC 2015 4 / 18
Elliptic curve scalar multiplication and DLOG Scalar multiplication: s N, P E(F q ): sp := P + P + + P (s times) Discrete logarithm (DLOG): given P, Q = sp, compute s Assumption: complexity of DLOG problem exponential on elliptic curve high security already for small F q (e.g. 256 bit) s P sp s Peter Günther (UPB) Decompression Attack FDTC 2015 4 / 18
Elliptic curve scalar multiplication and DLOG Scalar multiplication: s N, P E(F q ): sp := P + P + + P (s times) Discrete logarithm (DLOG): given P, Q = sp, compute s Assumption: complexity of DLOG problem exponential on elliptic curve high security already for small F q (e.g. 256 bit) Important cryptographic primitive (ECDH, ECDSA,... ) s P sp s Peter Günther (UPB) Decompression Attack FDTC 2015 4 / 18
Elliptic curve scalar multiplication and DLOG Scalar multiplication: s N, P E(F q ): sp := P + P + + P (s times) Discrete logarithm (DLOG): given P, Q = sp, compute s Assumption: complexity of DLOG problem exponential on elliptic curve high security already for small F q (e.g. 256 bit) Important cryptographic primitive (ECDH, ECDSA,... ) Adversarial environment: Physical protection of s required s P sp s Peter Günther (UPB) Decompression Attack FDTC 2015 4 / 18
Invalid point attack on scalar multiplication E : y 2 = x 3 + a 4 x + a 6 Outline of invalid point attacks 1 Group law does not require a 6 2 Move P to weak curve with same a 4 3 Obtain Q = sp for secret s on weak curve 4 Compute DLOG of Q to base P on weak curve 5 Infer DLOG s on original curve Examples weak curve attacks P on curve with smooth order P in small subgroup P on singular curve Peter Günther (UPB) Decompression Attack FDTC 2015 5 / 18
Singular curves with node (a 4 0) E(R) : y 2 = x 3 3x + 3 E(R) : y 2 = x 3 3x + 2, = 0 y y x x Peter Günther (UPB) Decompression Attack FDTC 2015 6 / 18
Singular curves with node (a 4 0) E(R) : y 2 = x 3 3x + 3 E(R) : y 2 = x 3 3x + 2, = 0 y y P T P T x x T + P T + P Peter Günther (UPB) Decompression Attack FDTC 2015 6 / 18
Singular curves with node (a 4 0) E(R) : y 2 = x 3 3x + 3 E(R) : y 2 = x 3 3x + 2, = 0 y y P T P T x 2T x 2T Peter Günther (UPB) Decompression Attack FDTC 2015 6 / 18
Singular curves with node (a 4 0) E(R) : y 2 = x 3 3x + 3 E(R) : y 2 = x 3 3x + 2, = 0 y y P T P T E NS (F q ) subgroup of F q or F q 2 DLOG problem subexponential 1 Map DLOG instance to F q or F q x 2 2 Solve DLOG in F q or F q 2 2T x 2T Peter Günther (UPB) Decompression Attack FDTC 2015 6 / 18
Singular curves with cusp (a 4 = 0) E(R) : y 2 = x 3 + 1 E(R) : y 2 = x 3, = 0 y y x x Peter Günther (UPB) Decompression Attack FDTC 2015 7 / 18
Singular curves with cusp (a 4 = 0) E(R) : y 2 = x 3 + 1 E(R) : y 2 = x 3, = 0 y y E NS (F q ) F + q DLOG problem trivial (by division) T 1 Map DLOG instance T to F + q 2 Solve DLOG in F + q P x P x + P T + P Peter Günther (UPB) Decompression Attack FDTC 2015 7 / 18
Singular curve attack on scalar multiplication For fixed a 4, there are at most 2 corresponding singular curves Random faults will not provide points on singular curve How do we get a point onto one of them? P Peter Günther (UPB) Decompression Attack FDTC 2015 8 / 18
Our approach: Point decompression Compression Compress : E(F q ) F q {0, 1} (x, y) (x, b) where b = LSB(y) Reduces bandwidth by 50% Defined in many standards like IEEE 1363, SEC 1, X9.62 Decompression prior to scalar multiplication Peter Günther (UPB) Decompression Attack FDTC 2015 9 / 18
Point compression Decompress Require: E : y 2 = x 3 + a 4 x + a 6, (x, b) F q {0, 1} Ensure: (x, y) with y 2 = x 3 + a 4 x + a 6 1: v x 3 + a 4 x v = x 3 + a 4 x 2: v v + a 6 v = x 3 + a 4 x + a 6 3: if v F q then 4: v ( 1) b v v = ( 1) b x 3 + a 4 x + a 6 5: return (x, y) 6: else 7: return O 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 10 / 18
Point compression Decompress Require: E : y 2 = Similar x 3 + implementations a 4 x + a 6, (x, b) infieee q {0, 1363, 1} SEC 1, Ensure: (x, y) with X9.62, y 2 = OpenSSL x 3 + a 6 1: v x 3 Implicit (partial) point validation: v = x 3 2: v v + a 6 v = x 3 + a 6 3: if Decompress(x, b) E(F q ) v F q then 4: v ( 1) b v v = ( 1) b x 3 + a 6 5: return (x, y) 6: else 7: return O 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 10 / 18
Attack on decompression Decompress Require: E : y 2 = x 3 + a 4 x + a 6, (x, b) F q {0, 1} Ensure: (x, y) with y 2 = x 3 + a 4 x + a 6 1: v x 3 + a 4 x v = x 3 + a 4 x 2: v v + a 6 v = x 3 + a 4 x + a 6 3: if v F q then 4: v ( 1) b v v = ( 1) b x 3 + a 4 x + a 6 5: return (x, y) 6: else 7: return O 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 11 / 18
Attack on decompression Decompress with a 4 = 0 Require: E : y 2 = x 3 + a 4 x + a 6, (x, b) F q {0, 1} Ensure: (x, y) with y 2 = x 3 + a 6 1: v x 3 v = x 3 2: v v + a 6 v = x 3 + a 6 3: if v F q then 4: v ( 1) b v v = ( 1) b x 3 + a 6 5: return (x, y) 6: else 7: return O 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 11 / 18
Attack on decompression Decompress with a 4 = 0 and with fault Require: E : y 2 = x 3 + a 4 x + a 6, (x, b) F q {0, 1} Ensure: (x, y) with y 2 = x 3 + a 6 1: v x 3 v = x 3 2: v v + a 6 v = x 3 + a 6 3: if v F q then 4: v ( 1) b v v = ( 1) b x 3 + a 6 5: return (x, y) 6: else 7: return O 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 11 / 18
Attack on decompression Decompress with a 4 = 0 and with fault Require: E : y 2 = x 3 + a 4 x + a 6, (x, b) F q {0, 1} Ensure: (x, y) with y 2 = x 3 + a 6 1: v x 3 v = x 3 2: v v + a 6 v = x 3 + a 6 3: if v F q then Observation: 4: v ( 1) b x quadratic residue v v = ( 1) b x 3 + a output on singular curve 6 5: return (x, y) y 6: else 2 = x 3 7: return O 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 11 / 18
Hash string to curve Decompress: building block of other algorithms MapToPoint : {0, 1} E(F q ) Require: E : y 2 = x 3 + a 4 x + a 6, H : {0, 1} F q {0, 1}, M {0, 1}, Ensure: P E(F q ) 1: i 0 2: repeat until (x, b) is valid compression 3: (x, b) H(M i) 4: P Decompress(x, b) 5: i i + 1 6: until P O 7: return P Peter Günther (UPB) Decompression Attack FDTC 2015 12 / 18
Hash string to curve Decompress: building block of other algorithms MapToPoint : {0, 1} E(F q ) Require: E : y 2 = x 3 + a 4 x + a 6, H : {0, 1} F q {0, 1}, M {0, 1}, Ensure: P E(F q ) 1: i 0 Atttack: 2: repeat until (x, b) is valid compression Choose M such that 3: (x, b) H(M i) H(M 0) = (x, b) with 4: P Decompress(x, b) quadratic residue x. 5: i i + 1 6: until P O 7: return P Peter Günther (UPB) Decompression Attack FDTC 2015 12 / 18
Properties of the attack Features of the attack Efficient, especially in the case a 4 = 0 One shot: can be applied to exponentiation with nonce Applications: Point decompression (encryption schemes) Hashing to curve (special signature schemes) Random point sampling (countermeasures) Limitations of the attack Access to Q = sp required For a 4 0: stronger control over (x, b) required Attack on plain Decompress still possible Attack on MapToPoint not possible Peter Günther (UPB) Decompression Attack FDTC 2015 13 / 18
Example application: BLS short signatures Definition (BLS Signatures) G 1, G 2 E(F q ): cyclic groups of order r with generators P 1 and P 2 G T F q cyclic group of order r pairing e : G 1 G 2 G T MapToPoint : {0, 1} E(F q ) KeyGen( ): 1 Select s uniformly at random from [0, r 1] 2 Output secret key s and public key P s = sp 2 Sign(M, s): 1 compute P = MapToPoint(M) G 1 2 compute and output σ = sp as signature for M under s Verify(M, σ, P s ): output 1 if and only if e(σ, P 2 ) = e(maptopoint(m), P s ). Peter Günther (UPB) Decompression Attack FDTC 2015 14 / 18
Example application: BLS short signatures Definition (BLS Signatures) G 1, G 2 E(F q ): cyclic groups of order r with generators P 1 and P 2 G T F q cyclic group of order r pairing e : G 1 G 2 G T MapToPoint : {0, 1} E(F q ) KeyGen( ): 1 Select s uniformly at random from [0, r 1] 2 Output secret key s and public key P s = sp 2 Sign(M, s): 1 compute P = MapToPoint(M) G 1 2 compute and output σ = sp as signature for M under s Verify(M, σ, P s ): output 1 if and only if e(σ, P 2 ) = e(maptopoint(m), P s ). Peter Günther (UPB) Decompression Attack FDTC 2015 14 / 18
Example application: BLS short signatures Definition (BLS Signatures) G 1, G 2 E(F q ): cyclic groups of order r with generators P 1 and P 2 G T F q cyclic Very group efficient of order withr Barreto-Naehrig (BN) curves: pairing e : G 1 G 2 G T E : y 2 = x 3 + a MapToPoint : {0, 1} 6 E(F q ) Note: a 4 = 0 KeyGen( ): 1 Select s uniformly at random from [0, r 1] 2 Output secret key s and public key P s = sp 2 Sign(M, s): 1 compute P = MapToPoint(M) G 1 2 compute and output σ = sp as signature for M under s Verify(M, σ, P s ): output 1 if and only if e(σ, P 2 ) = e(maptopoint(m), P s ). Peter Günther (UPB) Decompression Attack FDTC 2015 14 / 18
Attack: Proof of concept realization Target: BLS short signatures of Relic toolkit on AVR Target hardware: Atmel AVR Xmega A1 Target software: Relic toolkit Open source Prime and binary field arithmetic NIST and pairing-friendly curves including BN curves Bilinear maps and related extension fields Cryptographic protocols including BLS short signatures Attack: Second order instruction skip attack First fault: decompress to singular curve Second fault: remove point validation countermeasure Peter Günther (UPB) Decompression Attack FDTC 2015 15 / 18
Attack: Proof of concept realization Target: BLS short signatures of Relic toolkit on AVR Target hardware: Atmel AVR Xmega A1 Target software: Relic toolkit Open source Prime and binary field arithmetic NIST and pairing-friendly curves including BN curves Bilinear maps and related extension fields Cryptographic protocols including BLS short signatures Attack: Second order instruction skip attack First fault: decompress to singular curve Second fault: remove point validation countermeasure Peter Günther (UPB) Decompression Attack FDTC 2015 15 / 18
Instruction skips via clock glitching Glitcher Queue delay t1 delay t2 Timer... 33 MHz config clock reset 99 MHz Host *.log *.py IO Peter Günther (UPB) Decompression Attack FDTC 2015 16 / 18
Instruction skips via clock glitching Glitcher Queue delay t1 delay t2 Timer... 33 MHz config clock reset 99 MHz Host *.log *.py IO 99 MHz 33 MHz clock t 1 t 2 Peter Günther (UPB) Decompression Attack FDTC 2015 16 / 18
The RELIC implementation First fault: move to singular curve Decompress: Require: E : y 2 = x 3 + a 4 x + a 6, (x, b) F q {0, 1} Ensure: (x, y) with y 2 = x 3 + a 4 x + a 6 1: v x 3 + a 4 x P 2: v v + a 6 3: if v F q then 4: v ( 1) b v 5: return (x, y) 6: else 7: return O 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 17 / 18
The RELIC implementation First fault: move to singular curve BN-curve: E : y 2 = x 3 + 17, note: a 4 = 0 Decompress: Require: E : y 2 = x 3 + a 4 x + a 6, (x, b) F q {0, 1} Ensure: (x, y) with y 2 = x 3 + a 6 1: v x 3 2: v v + a 6 3: if v F q then 4: v ( 1) b v 5: return (x, y) 6: else 7: return O 8: end if avr-gcc P.ep_rhs:... movw r30, r24 ld r20, Z movw r22, r28 subi r22, 0xEB sbci r23, 0xFF movw r24, r22 call fp_add_dig rjmp.+18... Peter Günther (UPB) Decompression Attack FDTC 2015 17 / 18
The RELIC implementation First fault: move to singular curve BN-curve: E : y 2 = x 3 + 17, note: a 4 = 0 Decompress: Require: E : y 2 = x 3 + a 4 x + a 6, (x, b) F q {0, 1} Ensure: (x, y) with y 2 = x 3 + a 6 1: v x 3 2: v v + a 6 3: if v F q then 4: v ( 1) b v 5: return (x, y) 6: else 7: return O 8: end if avr-gcc.ep_rhs:... movw r30, r24 ld r20, Z movw r22, r28 subi r22, 0xEB sbci r23, 0xFF movw r24, r22 call fp_add_dig rjmp.+18... Peter Günther (UPB) Decompression Attack FDTC 2015 17 / 18
References Relic toolkit: https://github.com/relic-toolkit Glitcher Die Datenkrake: https://www.usenix.org/conference/woot13/ workshop-program/presentation/nedospasov Peter Günther (UPB) Decompression Attack FDTC 2015 18 / 18