Lattice-based Fault Attacks on DSA – Another Possible Strategy Tomáš Rosa,
1 Lattice-based Fault Attacks on DSA – Another Possible Strategy Tomáš Rosa, trosa@ebanka.cz

2 DSAWIV (Security and Protection of Information 2005)
Let DSAWIV stand for a Digital Signature Algorithm With an Implicit Verification.

3 DSA…
1. let i = 1
2. choose the nonce k at random
3. compute r = (g^k mod p) mod q
4. compute s = (h(m) + x·r)·k^-1 mod q
5. if r = 0 or s = 0 then go to 2
6. …
(Figure: h(m) enters the signing transformation, which uses p, q, g and the private key, and outputs (r, s).)

4 …With an Implicit Verification
1. let i = 1
2. choose the nonce k at random
3. compute r = (g^k mod p) mod q
4. compute s = (h(m) + x·r)·k^-1 mod q
5. if r = 0 or s = 0 then go to 2
6. compute u = h(m)·s^-1 mod q
7. compute v = r·s^-1 mod q
8. compute w = (g^u · y^v mod p) mod q
9. if w = r then return (r, s)
10. if ++i > Bound then return FAILURE
11. go to 2
(Figure: h(m) enters the signing transformation (p, q, g, private key), which outputs r, s; h(m), r, s then enter the verifying transformation (p, q, g, public key), which returns (r, s) or FAILED.)

5 DSAWIV vs. Fault Attacks
It looks like a robust universal countermeasure against fault attacks. It could be so if we were talking, for instance, about RSA according to PKCS-1-v1_5. However, it is neither robust nor universal, since there are realistic attacks passing undetected. They can become even more hidden and accelerated instead…

6 Fault Attack Cracking the DSAWIV
The work of Nguyen & Shparlinski (N-S) done in 1999-2002 serves as a platform for our attack. Our approach builds on a slightly generalized form of the N-S idea: we generalize the leakage of an individual bit into the leakage of an individual modular digit.

7 Generalized N-S Method
Let a = k mod d, where d is a positive integer with gcd(d, q) = 1. The value of a represents the least significant d-modular digit of k. Then the values of (t, u) defined as
t = r·s^-1·d^-1 mod q,
u = [(a – h(m)·s^-1)·d^-1] mod q + q/(2d),
are an approximation of the private key x (also called a hidden number here) satisfying
|x·t – u|_q ≤ q/(2d),
where |z|_q = min { z mod q, q – (z mod q) }.
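Why (t, u) approximates x, as an added derivation that is not on the original slides and only unpacks the definitions above: write k = a + d·m with an integer 0 ≤ m < q/d, which is possible because 0 ≤ k < q and a = k mod d.

$$
\begin{aligned}
s &\equiv (h(m) + xr)\,k^{-1} \pmod q
\;\Longrightarrow\; a + dm \equiv k \equiv (h(m) + xr)\,s^{-1} \pmod q,\\
x\,r s^{-1} d^{-1} &\equiv \bigl(a - h(m)s^{-1}\bigr)\,d^{-1} + m \pmod q,\\
x\,t &\equiv u - \tfrac{q}{2d} + m \pmod q,\\
\lvert xt - u\rvert_q &= \bigl\lvert m - \tfrac{q}{2d}\bigr\rvert_q \le \tfrac{q}{2d}
\quad\text{since } 0 \le m < \tfrac{q}{d}.
\end{aligned}
$$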

8 Solving the Approximations
We have to solve the Hidden Number Problem (HNP). We use the “standard HNP to CVP” approach. Suppose we have collected N pairs (t_i, u_i). We then solve the Closest Vector Problem for the (N+1)-dimensional full-rank lattice determined by (q, d, t_1, …, t_N) and the rational vector u = (u_1, …, u_N, 0). Let the resulting lattice vector be denoted v. For an appropriate N, it is probable that the private key x can be computed as x = 2d·v_(N+1) mod q.

9 But Back to the Attack Now
We have two basic questions to solve:
1. How to gain the least significant modular digits for the HNP input approximation?
2. What does it have in common with the general properties of the DSAWIV?

10 Answering Question no. 1
We study the effect of substituting the public parameters used in the signing phase. Traditionally, little attention is paid to the integrity of g.
(Figure: the signing transformation now uses p, q, g’ with the private key, while the verifying transformation still uses the genuine p, q, g with the public key and returns (r’, s’) or FAILED.)

11 On the Substituted Generator g’
Let d | p – 1. We find α in Z_p^* with ord(α) = d and set g’ = g·α mod p. Every signature (r’, s’) made after such a change using the DSAWIV satisfies r’ = (g^k mod p) mod q = (g^k · α^k mod p) mod q, because the implicit verification, still using the genuine g, recomputes (g^k mod p) mod q and accepts only when it equals r’. Therefore k ≡ 0 (mod d) with probability ≈ 1. So we use a = 0 for every (r’, s’).

12 Answering Question no. 2
For every h(m), there is a value of the nonce k such that a signature (r’, s’) made using the substituted value g’ is valid. If k is chosen at random, we get such a signature with probability ≈ 1/d. When d is chosen small enough, the DSAWIV almost never returns FAILURE. But the “correct” signatures then open an ultimate side channel…
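A toy-sized model of the channel from slides 10-12, added here as an example (not code from the original slides): it signs with the substituted g’ = g·α, runs the implicit verification with the genuine g, and shows that exactly the nonces with k ≡ 0 (mod d) pass, alongside the signer-side order check on g that rejects g’. Parameters p = 67, q = 11, d = 3, the private key and the hash value are constructed, not real DSA sizes.

```python
# Added example (not from the original slides): toy model of the DSAWIV
# generator-substitution channel plus the parameter integrity check that closes it.

def element_of_order(p, n):
    """Return an element of Z_p^* of order n; assumes n is prime and n | p-1."""
    for h in range(2, p):
        a = pow(h, (p - 1) // n, p)
        if a != 1:
            return a
    raise ValueError("no element of that order")

def sign(p, q, g, x, hm, k):
    """DSA signing steps 3-5 of the slides; None where DSA would retry."""
    r = pow(g, k, p) % q
    s = (hm + x * r) * pow(k, -1, q) % q
    return None if r == 0 or s == 0 else (r, s)

def verify(p, q, g, y, hm, r, s):
    """The implicit verification, steps 6-9: recomputed w must equal r."""
    s_inv = pow(s, -1, q)
    u, v = hm * s_inv % q, r * s_inv % q
    w = (pow(g, u, p) * pow(y, v, p) % p) % q
    return w == r

def generator_is_sound(p, q, g):
    """Signer-side integrity check: g must have order exactly q in Z_p^*."""
    return 1 < g < p and pow(g, q, p) == 1

def accepted_nonces(p, q, g, alpha, x, hm):
    """Sign with the substituted g' = g*alpha, verify with the genuine g; return
    the nonces k whose signature passes (slide 11: those with k % d == 0)."""
    g_sub, y = g * alpha % p, pow(g, x, p)
    accepted = set()
    for k in range(1, q):
        sig = sign(p, q, g_sub, x, hm, k)
        if sig and verify(p, q, g, y, hm, *sig):
            accepted.add(k)
    return accepted

# Constructed toy parameters: q | p-1, d | p-1, gcd(d, q) = 1, d and q prime.
P, Q, D = 67, 11, 3
G = element_of_order(P, Q)        # genuine generator of order q
ALPHA = element_of_order(P, D)    # element of small order d
X, HM = 2, 5                      # toy private key and toy hash value h(m)

if __name__ == "__main__":
    acc = accepted_nonces(P, Q, G, ALPHA, X, HM)
    print("accepted nonces:", sorted(acc), "all 0 mod d:", all(k % D == 0 for k in acc))
    print("order check genuine g:", generator_is_sound(P, Q, G),
          "substituted g':", generator_is_sound(P, Q, G * ALPHA % P))
```

With these parameters only k = 3, 6, 9 are accepted (k = 5 is skipped because r’ = 0), so every accepted signature leaks a = 0, while pow(g’, q, p) ≠ 1 exposes the substitution before any signature is produced.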

13 Another Substitution Scheme
Even the generator written in the user’s certificate can be faked. We then assume k ≡ u’ (mod d), where u’ = h(m)·s’^-1 mod q.
(Figure: the signing/verifying diagram of slide 10 with the substituted parameters p, q, g’.)

14 Experimental Results
Condition for the divisor being searched: d < 512, preferably also d ≥ 12. Channels with d < 8 are marked as weak.

15 Conclusion
Another realistic fault attack on DSA. We also saw that the DSAWIV is neither a robust nor a universal scheme. Implicit verification has to be used with care: some attacks can only become hidden, and some can even be accelerated. Note: DSAWIV can also occur naturally, just by user activity. We shall warn users to report any strange behaviour of their signing tools (e.g. a “sometimes failing chipcard”).

