Singular curve point decompression attack

Similar documents
Introduction to Elliptic Curve Cryptography. Anupam Datta

Tampering attacks in pairing-based cryptography. Johannes Blömer University of Paderborn September 22, 2014

A Practical Second-Order Fault Attack against a Real-World Pairing Implementation

A Relation between Group Order of Elliptic Curve and Extension Degree of Definition Field

Pairings at High Security Levels

Constructing Abelian Varieties for Pairing-Based Cryptography

Introduction to Elliptic Curve Cryptography

SM9 identity-based cryptographic algorithms Part 1: General

ELECTROMAGNETIC FAULT INJECTION: TOWARDS A FAULT MODEL ON A 32-BIT MICROCONTROLLER

Elliptic Curve Cryptosystems in the Presence of Faults

Constructing Pairing-Friendly Elliptic Curves for Cryptography

Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves

Asymmetric Pairings. Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp)

Efficient Implementation of Cryptographic pairings. Mike Scott Dublin City University

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

CSC 774 Advanced Network Security

CSC 774 Advanced Network Security

Lattice-Based Cryptography

Elliptic Curve Cryptography

Katherine Stange. ECC 2007, Dublin, Ireland

Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves

Asymmetric Encryption

Efficient Application of Countermeasures for Elliptic Curve Cryptography

Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers

Side-channel attacks on PKC and countermeasures with contributions from PhD students

Discrete logarithm and related schemes

Public Key Cryptography

Cryptography and Security Final Exam

Katz, Lindell Introduction to Modern Cryptrography

An Analysis of Affine Coordinates for Pairing Computation

Wagner s Attack on a Secure CRT-RSA Algorithm Reconsidered FDTC 2006

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Some Efficient Algorithms for the Final Exponentiation of η T Pairing

An introduction to supersingular isogeny-based cryptography

Lecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Arithmétique et Cryptographie Asymétrique

Attacks on Elliptic Curve Cryptography Discrete Logarithm Problem (EC-DLP)

Mapping an Arbitrary Message to an Elliptic Curve when Defined over GF (2 n )

Fast, twist-secure elliptic curve cryptography from Q-curves

COMPRESSION FOR TRACE ZERO SUBGROUPS OF ELLIPTIC CURVES

Algorithmic Number Theory and Public-key Cryptography

Elliptic Curve Cryptography

Arithmetic Operators for Pairing-Based Cryptography

Efficient Implementation of Cryptographic pairings. Mike Scott Dublin City University

Short Signature Scheme From Bilinear Pairings

Elliptic Curve Cryptography and Security of Embedded Devices

RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer

An Introduction to Pairings in Cryptography

From NewHope to Kyber. Peter Schwabe April 7, 2017

Four-Dimensional GLV Scalar Multiplication

Elliptic Curves and Cryptography

True & Deterministic Random Number Generators

Digital Signatures. Adam O Neill based on

Hardware Implementation of Elliptic Curve Point Multiplication over GF (2 m ) for ECC protocols

Error-free protection of EC point multiplication by modular extension

G Advanced Cryptography April 10th, Lecture 11

Side Channel Analysis and Protection for McEliece Implementations

Modern elliptic curve cryptography

A DFA ON AES BASED ON THE ENTROPY OF ERROR DISTRIBUTIONS

Elliptic Curve Cryptography

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

On the complexity of computing discrete logarithms in the field F

Pairings for Cryptography

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Fundamentals of Modern Cryptography

Advanced Constructions in Curve-based Cryptography

GLV/GLS Decomposition, Power Analysis, and Attacks on ECDSA Signatures With Single-Bit Nonce Bias

Lecture 1: Introduction to Public key cryptography

Computational Number Theory. Adam O Neill Based on

Short Signatures from the Weil Pairing

Représentation RNS des nombres et calcul de couplages

SEC X.1: Supplemental Document for Odd Characteristic Extension Fields

Asymmetric Cryptography

Chapter 4 Asymmetric Cryptography

Pairing-Friendly Elliptic Curves of Prime Order

Introduction to Cryptography. Lecture 8

Subgroup security in pairing-based cryptography

Topics in Cryptography. Lecture 5: Basic Number Theory

Short Signatures Without Random Oracles

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

A Pairing-Based DAA Scheme Further Reducing TPM Resources

CSC 5930/9010 Modern Cryptography: Number Theory

The Number Field Sieve for Barreto-Naehrig Curves: Smoothness of Norms

How to Use Linear Homomorphic Signature in Network Coding

Some Security Comparisons of GOST R and ECDSA Signature Schemes

Cryptography IV: Asymmetric Ciphers

A gentle introduction to elliptic curve cryptography

Short signatures from the Weil pairing

Digital Signatures. p1.

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

A point compression method for elliptic curves defined over GF (2 n )

Arithmetic Operators for Pairing-Based Cryptography

Public-key Cryptography and elliptic curves

The Elliptic Curve in https

Week : Public Key Cryptosystem and Digital Signatures

Side-Channel Attacks on Quantum-Resistant Supersingular Isogeny Diffie-Hellman

Reducing the Key Size of Rainbow using Non-Commutative Rings

Property Preserving Symmetric Encryption

1 Number Theory Basics

Transcription:

Singular curve point decompression attack Peter Günther joint work with Johannes Blömer University of Paderborn FDTC 2015, September 13th, Saint Malo Peter Günther (UPB) Decompression Attack FDTC 2015 1 / 18

Elliptic curves Example: E(R) : y 2 = x 3 3x + 3 y Elliptic curve E(K) Points (x, y) K 2 that fulfill y 2 = x 3 + a 4 x + a 6 with a 4, a 6 K and discriminant x := 16(4a 3 4 + 27a 2 6) 0. Peter Günther (UPB) Decompression Attack FDTC 2015 2 / 18

Elliptic curves as additive group Example: E(R) : y 2 = x 3 3x + 3 y P T Group operation independent from a 6 : x λ = y P y T x P x T x P+T = λ 2 x P x T y P+T = λ(x P x P+T ) y P T + P Peter Günther (UPB) Decompression Attack FDTC 2015 3 / 18

Elliptic curves as additive group Example: E(R) : y 2 = x 3 3x + 3 y P T Group operation independent from a 6 : x λ = 3x T + a 4 2y T x 2T = λ 2 2x T 2T y 2T = λ(x T x 2T ) y T Peter Günther (UPB) Decompression Attack FDTC 2015 3 / 18

Elliptic curve scalar multiplication and DLOG Scalar multiplication: s N, P E(F q ): sp := P + P + + P (s times) P sp s Peter Günther (UPB) Decompression Attack FDTC 2015 4 / 18

Elliptic curve scalar multiplication and DLOG Scalar multiplication: s N, P E(F q ): sp := P + P + + P (s times) Discrete logarithm (DLOG): given P, Q = sp, compute s Assumption: complexity of DLOG problem exponential on elliptic curve high security already for small F q (e.g. 256 bit) s P sp s Peter Günther (UPB) Decompression Attack FDTC 2015 4 / 18

Elliptic curve scalar multiplication and DLOG Scalar multiplication: s N, P E(F q ): sp := P + P + + P (s times) Discrete logarithm (DLOG): given P, Q = sp, compute s Assumption: complexity of DLOG problem exponential on elliptic curve high security already for small F q (e.g. 256 bit) Important cryptographic primitive (ECDH, ECDSA,... ) s P sp s Peter Günther (UPB) Decompression Attack FDTC 2015 4 / 18

Elliptic curve scalar multiplication and DLOG Scalar multiplication: s N, P E(F q ): sp := P + P + + P (s times) Discrete logarithm (DLOG): given P, Q = sp, compute s Assumption: complexity of DLOG problem exponential on elliptic curve high security already for small F q (e.g. 256 bit) Important cryptographic primitive (ECDH, ECDSA,... ) Adversarial environment: Physical protection of s required s P sp s Peter Günther (UPB) Decompression Attack FDTC 2015 4 / 18

Invalid point attack on scalar multiplication E : y 2 = x 3 + a 4 x + a 6 Outline of invalid point attacks 1 Group law does not require a 6 2 Move P to weak curve with same a 4 3 Obtain Q = sp for secret s on weak curve 4 Compute DLOG of Q to base P on weak curve 5 Infer DLOG s on original curve Examples weak curve attacks P on curve with smooth order P in small subgroup P on singular curve Peter Günther (UPB) Decompression Attack FDTC 2015 5 / 18

Singular curves with node (a 4 0) E(R) : y 2 = x 3 3x + 3 E(R) : y 2 = x 3 3x + 2, = 0 y y x x Peter Günther (UPB) Decompression Attack FDTC 2015 6 / 18

Singular curves with node (a 4 0) E(R) : y 2 = x 3 3x + 3 E(R) : y 2 = x 3 3x + 2, = 0 y y P T P T x x T + P T + P Peter Günther (UPB) Decompression Attack FDTC 2015 6 / 18

Singular curves with node (a 4 0) E(R) : y 2 = x 3 3x + 3 E(R) : y 2 = x 3 3x + 2, = 0 y y P T P T x 2T x 2T Peter Günther (UPB) Decompression Attack FDTC 2015 6 / 18

Singular curves with node (a 4 0) E(R) : y 2 = x 3 3x + 3 E(R) : y 2 = x 3 3x + 2, = 0 y y P T P T E NS (F q ) subgroup of F q or F q 2 DLOG problem subexponential 1 Map DLOG instance to F q or F q x 2 2 Solve DLOG in F q or F q 2 2T x 2T Peter Günther (UPB) Decompression Attack FDTC 2015 6 / 18

Singular curves with cusp (a 4 = 0) E(R) : y 2 = x 3 + 1 E(R) : y 2 = x 3, = 0 y y x x Peter Günther (UPB) Decompression Attack FDTC 2015 7 / 18

Singular curves with cusp (a 4 = 0) E(R) : y 2 = x 3 + 1 E(R) : y 2 = x 3, = 0 y y E NS (F q ) F + q DLOG problem trivial (by division) T 1 Map DLOG instance T to F + q 2 Solve DLOG in F + q P x P x + P T + P Peter Günther (UPB) Decompression Attack FDTC 2015 7 / 18

Singular curve attack on scalar multiplication For fixed a 4, there are at most 2 corresponding singular curves Random faults will not provide points on singular curve How do we get a point onto one of them? P Peter Günther (UPB) Decompression Attack FDTC 2015 8 / 18

Our approach: Point decompression Compression Compress : E(F q ) F q {0, 1} (x, y) (x, b) where b = LSB(y) Reduces bandwidth by 50% Defined in many standards like IEEE 1363, SEC 1, X9.62 Decompression prior to scalar multiplication Peter Günther (UPB) Decompression Attack FDTC 2015 9 / 18

Point compression Decompress Require: E : y 2 = x 3 + a 4 x + a 6, (x, b) F q {0, 1} Ensure: (x, y) with y 2 = x 3 + a 4 x + a 6 1: v x 3 + a 4 x v = x 3 + a 4 x 2: v v + a 6 v = x 3 + a 4 x + a 6 3: if v F q then 4: v ( 1) b v v = ( 1) b x 3 + a 4 x + a 6 5: return (x, y) 6: else 7: return O 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 10 / 18

Point compression Decompress Require: E : y 2 = Similar x 3 + implementations a 4 x + a 6, (x, b) infieee q {0, 1363, 1} SEC 1, Ensure: (x, y) with X9.62, y 2 = OpenSSL x 3 + a 6 1: v x 3 Implicit (partial) point validation: v = x 3 2: v v + a 6 v = x 3 + a 6 3: if Decompress(x, b) E(F q ) v F q then 4: v ( 1) b v v = ( 1) b x 3 + a 6 5: return (x, y) 6: else 7: return O 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 10 / 18

Attack on decompression Decompress Require: E : y 2 = x 3 + a 4 x + a 6, (x, b) F q {0, 1} Ensure: (x, y) with y 2 = x 3 + a 4 x + a 6 1: v x 3 + a 4 x v = x 3 + a 4 x 2: v v + a 6 v = x 3 + a 4 x + a 6 3: if v F q then 4: v ( 1) b v v = ( 1) b x 3 + a 4 x + a 6 5: return (x, y) 6: else 7: return O 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 11 / 18

Attack on decompression Decompress with a 4 = 0 Require: E : y 2 = x 3 + a 4 x + a 6, (x, b) F q {0, 1} Ensure: (x, y) with y 2 = x 3 + a 6 1: v x 3 v = x 3 2: v v + a 6 v = x 3 + a 6 3: if v F q then 4: v ( 1) b v v = ( 1) b x 3 + a 6 5: return (x, y) 6: else 7: return O 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 11 / 18

Attack on decompression Decompress with a 4 = 0 and with fault Require: E : y 2 = x 3 + a 4 x + a 6, (x, b) F q {0, 1} Ensure: (x, y) with y 2 = x 3 + a 6 1: v x 3 v = x 3 2: v v + a 6 v = x 3 + a 6 3: if v F q then 4: v ( 1) b v v = ( 1) b x 3 + a 6 5: return (x, y) 6: else 7: return O 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 11 / 18

Attack on decompression Decompress with a 4 = 0 and with fault Require: E : y 2 = x 3 + a 4 x + a 6, (x, b) F q {0, 1} Ensure: (x, y) with y 2 = x 3 + a 6 1: v x 3 v = x 3 2: v v + a 6 v = x 3 + a 6 3: if v F q then Observation: 4: v ( 1) b x quadratic residue v v = ( 1) b x 3 + a output on singular curve 6 5: return (x, y) y 6: else 2 = x 3 7: return O 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 11 / 18

Hash string to curve Decompress: building block of other algorithms MapToPoint : {0, 1} E(F q ) Require: E : y 2 = x 3 + a 4 x + a 6, H : {0, 1} F q {0, 1}, M {0, 1}, Ensure: P E(F q ) 1: i 0 2: repeat until (x, b) is valid compression 3: (x, b) H(M i) 4: P Decompress(x, b) 5: i i + 1 6: until P O 7: return P Peter Günther (UPB) Decompression Attack FDTC 2015 12 / 18

Hash string to curve Decompress: building block of other algorithms MapToPoint : {0, 1} E(F q ) Require: E : y 2 = x 3 + a 4 x + a 6, H : {0, 1} F q {0, 1}, M {0, 1}, Ensure: P E(F q ) 1: i 0 Atttack: 2: repeat until (x, b) is valid compression Choose M such that 3: (x, b) H(M i) H(M 0) = (x, b) with 4: P Decompress(x, b) quadratic residue x. 5: i i + 1 6: until P O 7: return P Peter Günther (UPB) Decompression Attack FDTC 2015 12 / 18

Properties of the attack Features of the attack Efficient, especially in the case a 4 = 0 One shot: can be applied to exponentiation with nonce Applications: Point decompression (encryption schemes) Hashing to curve (special signature schemes) Random point sampling (countermeasures) Limitations of the attack Access to Q = sp required For a 4 0: stronger control over (x, b) required Attack on plain Decompress still possible Attack on MapToPoint not possible Peter Günther (UPB) Decompression Attack FDTC 2015 13 / 18

Example application: BLS short signatures Definition (BLS Signatures) G 1, G 2 E(F q ): cyclic groups of order r with generators P 1 and P 2 G T F q cyclic group of order r pairing e : G 1 G 2 G T MapToPoint : {0, 1} E(F q ) KeyGen( ): 1 Select s uniformly at random from [0, r 1] 2 Output secret key s and public key P s = sp 2 Sign(M, s): 1 compute P = MapToPoint(M) G 1 2 compute and output σ = sp as signature for M under s Verify(M, σ, P s ): output 1 if and only if e(σ, P 2 ) = e(maptopoint(m), P s ). Peter Günther (UPB) Decompression Attack FDTC 2015 14 / 18

Example application: BLS short signatures Definition (BLS Signatures) G 1, G 2 E(F q ): cyclic groups of order r with generators P 1 and P 2 G T F q cyclic group of order r pairing e : G 1 G 2 G T MapToPoint : {0, 1} E(F q ) KeyGen( ): 1 Select s uniformly at random from [0, r 1] 2 Output secret key s and public key P s = sp 2 Sign(M, s): 1 compute P = MapToPoint(M) G 1 2 compute and output σ = sp as signature for M under s Verify(M, σ, P s ): output 1 if and only if e(σ, P 2 ) = e(maptopoint(m), P s ). Peter Günther (UPB) Decompression Attack FDTC 2015 14 / 18

Example application: BLS short signatures Definition (BLS Signatures) G 1, G 2 E(F q ): cyclic groups of order r with generators P 1 and P 2 G T F q cyclic Very group efficient of order withr Barreto-Naehrig (BN) curves: pairing e : G 1 G 2 G T E : y 2 = x 3 + a MapToPoint : {0, 1} 6 E(F q ) Note: a 4 = 0 KeyGen( ): 1 Select s uniformly at random from [0, r 1] 2 Output secret key s and public key P s = sp 2 Sign(M, s): 1 compute P = MapToPoint(M) G 1 2 compute and output σ = sp as signature for M under s Verify(M, σ, P s ): output 1 if and only if e(σ, P 2 ) = e(maptopoint(m), P s ). Peter Günther (UPB) Decompression Attack FDTC 2015 14 / 18

Attack: Proof of concept realization Target: BLS short signatures of Relic toolkit on AVR Target hardware: Atmel AVR Xmega A1 Target software: Relic toolkit Open source Prime and binary field arithmetic NIST and pairing-friendly curves including BN curves Bilinear maps and related extension fields Cryptographic protocols including BLS short signatures Attack: Second order instruction skip attack First fault: decompress to singular curve Second fault: remove point validation countermeasure Peter Günther (UPB) Decompression Attack FDTC 2015 15 / 18

Attack: Proof of concept realization Target: BLS short signatures of Relic toolkit on AVR Target hardware: Atmel AVR Xmega A1 Target software: Relic toolkit Open source Prime and binary field arithmetic NIST and pairing-friendly curves including BN curves Bilinear maps and related extension fields Cryptographic protocols including BLS short signatures Attack: Second order instruction skip attack First fault: decompress to singular curve Second fault: remove point validation countermeasure Peter Günther (UPB) Decompression Attack FDTC 2015 15 / 18

Instruction skips via clock glitching Glitcher Queue delay t1 delay t2 Timer... 33 MHz config clock reset 99 MHz Host *.log *.py IO Peter Günther (UPB) Decompression Attack FDTC 2015 16 / 18

Instruction skips via clock glitching Glitcher Queue delay t1 delay t2 Timer... 33 MHz config clock reset 99 MHz Host *.log *.py IO 99 MHz 33 MHz clock t 1 t 2 Peter Günther (UPB) Decompression Attack FDTC 2015 16 / 18

The RELIC implementation First fault: move to singular curve Decompress: Require: E : y 2 = x 3 + a 4 x + a 6, (x, b) F q {0, 1} Ensure: (x, y) with y 2 = x 3 + a 4 x + a 6 1: v x 3 + a 4 x P 2: v v + a 6 3: if v F q then 4: v ( 1) b v 5: return (x, y) 6: else 7: return O 8: end if Peter Günther (UPB) Decompression Attack FDTC 2015 17 / 18

The RELIC implementation First fault: move to singular curve BN-curve: E : y 2 = x 3 + 17, note: a 4 = 0 Decompress: Require: E : y 2 = x 3 + a 4 x + a 6, (x, b) F q {0, 1} Ensure: (x, y) with y 2 = x 3 + a 6 1: v x 3 2: v v + a 6 3: if v F q then 4: v ( 1) b v 5: return (x, y) 6: else 7: return O 8: end if avr-gcc P.ep_rhs:... movw r30, r24 ld r20, Z movw r22, r28 subi r22, 0xEB sbci r23, 0xFF movw r24, r22 call fp_add_dig rjmp.+18... Peter Günther (UPB) Decompression Attack FDTC 2015 17 / 18

The RELIC implementation First fault: move to singular curve BN-curve: E : y 2 = x 3 + 17, note: a 4 = 0 Decompress: Require: E : y 2 = x 3 + a 4 x + a 6, (x, b) F q {0, 1} Ensure: (x, y) with y 2 = x 3 + a 6 1: v x 3 2: v v + a 6 3: if v F q then 4: v ( 1) b v 5: return (x, y) 6: else 7: return O 8: end if avr-gcc.ep_rhs:... movw r30, r24 ld r20, Z movw r22, r28 subi r22, 0xEB sbci r23, 0xFF movw r24, r22 call fp_add_dig rjmp.+18... Peter Günther (UPB) Decompression Attack FDTC 2015 17 / 18

References Relic toolkit: https://github.com/relic-toolkit Glitcher Die Datenkrake: https://www.usenix.org/conference/woot13/ workshop-program/presentation/nedospasov Peter Günther (UPB) Decompression Attack FDTC 2015 18 / 18

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback