Cryptographic Insecurity of the Test&Repeat Paradigm Tomáš Rosa, eBanka, a.s., Charles University, Prague, Czech Technical University in.

1 Cryptographic Insecurity of the Test&Repeat Paradigm Tomáš Rosa, trosa@ebanka.cz eBanka, a.s., Charles University, Prague, Czech Technical University in Prague

2 Embedded Systems Do…
…control flow monitoring to enforce safety policy…
…HW monitoring for highest security…
…runtime validation of program's data properties…
…

3 Test&Repeat Paradigm We try to study formally the things a designer would probably do naturally if asked to develop a module that: 1. Prevents propagation of faulty results. 2. Ensures a certain level of robustness, i.e. mainly fault tolerance.

4 DSAWIV Let DSAWIV stand for a Digital Signature Algorithm With an Implicit Verification. In the paper, we also use the term “TARed DSA”.

5 DSA…
1. let i = 1
2. let $k \in_R \mathbb{Z}_q^{*}$
3. compute $r = (g^{k} \bmod p) \bmod q$
4. compute $s = (h(m) + xr)\,k^{-1} \bmod q$
5. if r = 0 or s = 0 then go to 2
6. …
[Figure: h(m) → Signing transf. (p, q, g; Priv. key) → (r, s)]

6 …With an Implicit Verification
1. let i = 1
2. let $k \in_R \mathbb{Z}_q^{*}$
3. compute $r = (g^{k} \bmod p) \bmod q$
4. compute $s = (h(m) + xr)\,k^{-1} \bmod q$
5. if r = 0 or s = 0 then go to 2
6. compute $u = h(m)\,s^{-1} \bmod q$
7. compute $v = r\,s^{-1} \bmod q$
8. compute $w = (g^{u} y^{v} \bmod p) \bmod q$
9. if w = r then return (r, s)
10. if ++i > Bound then return FAILURE
11. go to 2
[Figure: h(m) → Signing transf. (p, q, g; Priv. key) → (h(m), r, s) → Verifying transf. (p, q, g; Pub. key) → (r, s), or FAILED]

7 Obvious Properties of DSAWIV No faulty signature can leave the cryptographic module. This could indicate security. It tolerates transient faults by repeating the computation several times. This could indicate robustness.

8 Central Questions Shall we rely on the properties of DSAWIV and believe that it really is a secure implementation of DSA? Does the Test&Repeat paradigm create a secure cryptosystem here?

9 Fault Attack on the DSAWIV The work of Nguyen & Shparlinski done in 1999-2002 serves as a platform for our attack. In our approach, we build on a slightly generalized idea of the work of N-S: we generalize an individual bit leakage into an individual d-ary digit leakage.

10 Useful Operator Let $z \in \mathbb{Z}$ and $q \in \mathbb{N}$. We define $|z|_q = \min_{c \in \mathbb{Z}} |z - cq|$. Notes: $|z|_q = \min\{\, z \bmod q,\; q - (z \bmod q) \,\}$; if $z \equiv y \pmod q$ then $|z|_q = |y|_q$. (The same definition is applied to rational z on the following slides.)

11 Generalized N-S Method Let $a = k \bmod d$, where $d \in \mathbb{N}$, $\gcd(d, q) = 1$. The value of a represents the least significant d-ary digit of the nonce $k = a + b_1 d + b_2 d^2 + \dots = a + bd$. Note: $xr + h(m) \equiv s(a + bd) \pmod q$, $0 \le b < q/d$. Then the values (t, u) defined as
$$t = r s^{-1} d^{-1} \bmod q, \qquad u = \left[(a - h(m)s^{-1})\,d^{-1}\right] \bmod q + \frac{q}{2d}$$
are an approximation of the private key x satisfying $|xt - u|_q \le \dfrac{q}{2d}$.
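Why (t, u) approximates x (added derivation, not on the original slide; same symbols as slide 11): from $sk \equiv h(m) + xr \pmod q$ and $k = a + bd$,
$$x\,r s^{-1} d^{-1} \equiv k\,d^{-1} - h(m)\,s^{-1} d^{-1} \equiv b + (a - h(m)s^{-1})\,d^{-1} \pmod q,$$
so with $t = r s^{-1} d^{-1} \bmod q$ and $u = [(a - h(m)s^{-1})\,d^{-1}] \bmod q + q/(2d)$,
$$xt - u \equiv b - \frac{q}{2d} \pmod q, \qquad 0 \le b < \frac{q}{d}.$$
Because $-\frac{q}{2d} \le b - \frac{q}{2d} < \frac{q}{2d}$, the distance from $xt - u$ to the nearest multiple of q is at most $q/(2d)$, i.e. $|xt - u|_q \le q/(2d)$. Each signature thus pins $xt$ down to a window of width $q/d$ modulo q, which is exactly the Hidden Number Problem input of N-S with $\log_2 d$ "known bits" per signature.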

12 Diophantine Solution Suppose we have collected N pairs $\{(t_i, u_i)\}_{i=1}^{N}$. We then solve the Approximate Closest Vector Problem for the (N+1)-dimensional full-rank lattice $\mathcal{L}(q, d, t_1, \dots, t_N)$ and the rational vector $\mathbf{u} = (u_1, \dots, u_N, 0)$. Let the resulting vector be denoted as $\mathbf{v}$, $\mathbf{v} \in \mathcal{L}(q, d, t_1, \dots, t_N)$.

13 Diophantine Solution For an appropriate N, it is probable that the private key x satisfies $x = 2d\,v_{N+1} \bmod q$. A rule of thumb: the appropriate N shall satisfy $d^{N} \gg q$.

14 Back to the Attack Now How to gain the least significant d-ary digits for the HNP input approximation? What does it have in common with the general properties of the DSAWIV?

15 Gaining the Side Information We study the effect of public parameter substitution in the signing phase. Traditionally, little attention is paid to the integrity of g.
[Figure: h(m) → Signing transf. (p, q, g'; Priv. key) → (h(m), r, s) → Verifying transf. (p, q, g; Pub. key) → (r', s'), or FAILED; the signing transform receives the substituted g' while the verifying transform keeps the genuine g]

16 Once Upon a Time… …there was an insufficient integrity check in the OpenPGP platform allowing an attacker to do the following fault attack… (it was the year 2001)

17 Normal Operation: Signing a message
[Figure: the encrypted private key is decrypted with the user's password; the signing algorithm takes the private key and the message and outputs the digital signature.]

18 Under Attack
[Figure: the same flow, but the attacker's program tampers with the public key and parameters stored next to the encrypted private key; the digital signature produced under the substituted parameters becomes a fault side channel on the private key.]

19 Therefore… …the effect of public parameter substitution shall be well considered when designing and evaluating cryptographic modules…

20 On the Generator g' Let $d \mid p - 1$. We find $\delta \in \mathbb{Z}_p^{*}$, $\mathrm{ord}(\delta) = d$. We then set $g' = g\delta \bmod p$. Every signature (r', s') released by the DSAWIV after such a change satisfies $r' = (g^{k}\delta^{k} \bmod p) \bmod q = (g^{k} \bmod p) \bmod q$. Therefore $k \equiv 0 \pmod d$ with probability $\approx 1$. So, we use a = 0 for every (r', s').

21 Connections with DSAWIV For every h(m), there is a value of the nonce k such that a signature (r', s') made using the substituted value g' is valid. If $k \in_R \mathbb{Z}_q^{*}$, we get such a k with probability $\approx 1/d$ per attempt. When d is chosen small enough, the DSAWIV almost never returns FAILURE. But the "correct" signatures then open an ultimate side channel…
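The following simulation is an added illustration of slides 6, 11, 20 and 21 together; it is not code from the talk or the paper. It implements the DSAWIV loop, substitutes $g' = g\delta$ with $\mathrm{ord}(\delta) = d$ for the signing transform only, and checks two things against the true key: that every released (r', s') has $d \mid k$, and that the (t, u) pair built with a = 0 satisfies $|xt - u|_q \le q/(2d)$. Assumptions not taken from the slides: toy sizes (q = 2^31 − 1, d = 12), a fixed PRNG seed for reproducibility, random integers standing in for h(m), and a Bound of 200. The lattice (approximate CVP) step of slides 12 and 13 is not implemented; the block stops at producing the HNP input.

```python
# Toy model of the generator-substitution fault attack on DSAWIV (DSA with
# implicit verification).  Added illustration, not code from the talk/paper.
# Assumptions: toy sizes q = 2^31 - 1, d = 12; fixed seed; random h(m) stand-ins.
import random
from fractions import Fraction
from math import gcd

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases (deterministic for n < 3.3e24)."""
    if n < 2 or any(n % sp == 0 for sp in SMALL_PRIMES):
        return n in SMALL_PRIMES
    m, r = n - 1, 0
    while m % 2 == 0:
        m, r = m // 2, r + 1
    for a in SMALL_PRIMES:
        z = pow(a, m, n)
        if z in (1, n - 1):
            continue
        for _ in range(r - 1):
            z = z * z % n
            if z == n - 1:
                break
        else:
            return False
    return True


def find_params(q, d):
    """p = q*m + 1 prime with d | m, g of order q, delta of order exactly d."""
    assert gcd(d, q) == 1                      # required on slide 11
    m = d
    while not is_probable_prime(q * m + 1):
        m += d
    p = q * m + 1
    g = next(v for v in (pow(hh, m, p) for hh in range(2, p)) if v != 1)
    delta = next(v for v in (pow(hh, (p - 1) // d, p) for hh in range(2, p))
                 if all(pow(v, e, p) != 1 for e in range(1, d)))
    return p, g, delta


def dsa_sign(p, q, g, x, h, k):
    """DSA signing transform (slide 5) with an explicit nonce k."""
    r = pow(g, k, p) % q
    return r, (h + x * r) * pow(k, -1, q) % q


def dsa_verify(p, q, g, y, h, r, s):
    """DSA verifying transform (slide 6, steps 6-9)."""
    if not (0 < r < q and 0 < s < q):
        return False
    s_inv = pow(s, -1, q)
    w = pow(g, h * s_inv % q, p) * pow(y, r * s_inv % q, p) % p % q
    return w == r


def dsawiv_sign(p, q, g_sign, g_verify, y, x, h, rng, bound):
    """DSAWIV loop (slide 6): sign with g_sign, check against the genuine
    (g_verify, y), retry with a fresh nonce up to `bound` times.  Returns
    (r, s, k, attempts) or None for FAILURE; k is returned only so the
    simulation can compare the leak with the truth."""
    for i in range(1, bound + 1):
        k = rng.randrange(1, q)
        r, s = dsa_sign(p, q, g_sign, x, h, k)
        if r == 0 or s == 0:
            continue
        if dsa_verify(p, q, g_verify, y, h, r, s):
            return r, s, k, i
    return None


def centered_abs(z, q):
    """|z|_q = min over c of |z - c*q|, for rational z (slide 10)."""
    zm = Fraction(z) % q
    return min(zm, q - zm)


def hnp_pair(q, d, h, r, s, a):
    """(t, u) of slide 11 for a nonce whose least significant d-ary digit is a."""
    s_inv, d_inv = pow(s, -1, q), pow(d, -1, q)
    t = r * s_inv * d_inv % q
    u = Fraction((a - h * s_inv) * d_inv % q) + Fraction(q, 2 * d)
    return t, u


def simulate(n_msgs=40, q=2**31 - 1, d=12, bound=200, seed=7):
    """Run the attack of slides 20-21; every released (r', s') uses a = 0."""
    rng = random.Random(seed)
    p, g, delta = find_params(q, d)
    x = rng.randrange(1, q)                    # victim's private key
    y = pow(g, x, p)                           # genuine public key, from g
    g_prime = g * delta % p                    # attacker's g' (slide 20)
    leaks, failures, attempts = [], 0, 0
    for _ in range(n_msgs):
        h = rng.randrange(1, q)                # constructed stand-in for h(m)
        res = dsawiv_sign(p, q, g_prime, g, y, x, h, rng, bound)
        if res is None:
            failures += 1
            continue
        r, s, k, tries = res
        attempts += tries
        t, u = hnp_pair(q, d, h, r, s, a=0)
        leaks.append((k % d, centered_abs(x * t - u, q)))
    return {
        "released": len(leaks),
        "failures": failures,
        "all_nonces_divisible_by_d": all(a == 0 for a, _ in leaks),
        "max_error": max((e for _, e in leaks), default=Fraction(0)),
        "error_bound": Fraction(q, 2 * d),
        "mean_attempts": attempts / max(1, len(leaks)),
    }
```

`simulate()` returns roughly d attempts per released signature (the 1/d acceptance probability of slide 21), no FAILURE at Bound = 200, and a maximum HNP error within q/(2d). The lattice step would then take the N pairs (N with $d^N \gg q$, so about a dozen here) into the N-S lattice and recover x with an LLL/Babai closest-vector computation, which is deliberately left out of this block.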

22 Experimental Results Condition for the divisor d of p − 1 being searched: d < 512, preferably d ≤ 12. Channels with d < 8 are marked as weak.

23 Conclusion The DSAWIV is not universally resistant to fault attacks. Some attacks merely become hidden; others are even accelerated. The Test&Repeat paradigm did not help to protect the scheme. Actually, it weakened it in a certain way.

24 Remedy Despite looking like a promising approach, the Test&Repeat paradigm shall be used with care. We shall check for the attacks that pass undetected, or which are even enabled and accelerated by this countermeasure.

