Lattice-based Fault Attacks on DSA: Another Possible Strategy (PowerPoint presentation transcript)
1
Lattice-based Fault Attacks on DSA: Another Possible Strategy
  • Tomáš Rosa, trosa_at_ebanka.cz

2
DSAWIV
  • Let DSAWIV stand for a Digital Signature
    Algorithm With an Implicit Verification.

3
DSA
  • let i = 1
  • let k ∈_R <1, q − 1>
  • compute r = (g^k mod p) mod q
  • compute s = (h(m) + xr) k^(−1) mod q
  • if r = 0 or s = 0 then go to 2
[Diagram: h(m), the public parameters (p, q, g) and the private key enter the signing transformation, which outputs (r, s).]
4
With an Implicit Verification
  • let i = 1
  • let k ∈_R <1, q − 1>
  • compute r = (g^k mod p) mod q
  • compute s = (h(m) + xr) k^(−1) mod q
  • if r = 0 or s = 0 then go to 2
  • compute u = h(m) s^(−1) mod q
  • compute v = r s^(−1) mod q
  • compute w = (g^u y^v mod p) mod q
  • if w = r then return (r, s)
  • if i > Bound then return FAILURE
  • go to 2
[Diagram: the signing transformation takes h(m), the public parameters (p, q, g) and the private key and produces (h(m), r, s); the verifying transformation takes these together with (p, q, g) and the public key and returns either (r, s) or FAILED.]
5
DSAWIV vs. Fault Attacks
  • It looks like a robust, universal countermeasure
    against fault attacks.
  • It could be so if we were talking, for instance,
    about RSA according to PKCS-1-v1_5.
  • However, it is neither robust nor universal,
    since there are realistic attacks that pass
    undetected.
  • Instead, such attacks can even become more hidden
    and accelerated.

6
Fault Attack Cracking the DSAWIV
  • The work of Nguyen and Shparlinski done in
    1999-2002 serves as the platform for our attack.
  • Our approach builds on a slightly generalized
    version of the N-S idea.
  • We generalize the leakage of an individual bit into
    the leakage of an individual modular digit.

7
Generalized N-S Method
  • Let a = k mod d, where d ∈ ℕ, gcd(d, q) = 1.
  • The value a is the least significant
    d-modular digit of k.
  • Then the values (t, u) defined as
  •   t = r s^(−1) d^(−1) mod q,
  •   u = ((a − h(m) s^(−1)) d^(−1) mod q) + q/(2d),
  • are an approximation of the private key x (also
    called the hidden number here) satisfying
  •   |xt − u|_q ≤ q/(2d),
  • where |z|_q = min(z mod q, q − (z mod q)).
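The bound stated on slide 7 follows in a few lines from the DSA signing equation. This derivation is added here for the reader and is not part of the original slides; it uses only the slide's own symbols (k, a, d, q, x, r, s, t, u and |·|_q).

```latex
\begin{align*}
s &\equiv \bigl(h(m) + x r\bigr)\,k^{-1} \pmod q
  &&\Longrightarrow\quad k \equiv h(m)\,s^{-1} + x\,r s^{-1} \pmod q .\\[4pt]
\intertext{Write $k = a + d\,k'$ with $a = k \bmod d$ and an integer $0 \le k' \le \tfrac{q-1}{d} < \tfrac{q}{d}$.
Multiplying by $d^{-1} \bmod q$ (which exists because $\gcd(d,q)=1$) gives}
x\cdot\underbrace{r s^{-1} d^{-1}}_{t}
  \;-\; \underbrace{\bigl(a - h(m)\,s^{-1}\bigr)\,d^{-1}}_{u - q/(2d)}
  &\equiv (k - a)\,d^{-1} \equiv k' \pmod q .\\[4pt]
\intertext{Since $0 \le k' < q/d$, the shifted value $k' - q/(2d)$ lies in $[-q/(2d),\, q/(2d))$, so}
|xt - u|_q &= \bigl|\,k' - \tfrac{q}{2d}\,\bigr|_q \;\le\; \frac{q}{2d}.
\end{align*}
```

The only input the attacker needs beyond the public signature (r, s) and h(m) is the digit a = k mod d; every slide that follows is about obtaining that digit.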

8
Solving the Approximations
  • We have to solve the Hidden Number Problem (HNP).
  • We use the standard HNP-to-CVP approach.
  • Suppose we have collected N pairs (t_i, u_i).
  • We then solve the Closest Vector Problem for the
    (N+1)-dimensional full-rank lattice Λ(q, d, t_1, ..., t_N)
    and the rational vector u = (u_1, ..., u_N, 0).
  • Let the resulting vector be v, v ∈ Λ(q, d, t_1, ..., t_N).
  • For an appropriate N, it is probable that the
    private key x can be computed as
  •   x = 2d · v_(N+1) mod q.

9
But Back to the Attack Now
  • We have two basic questions to solve:
  • How do we gain the least significant modular digits
    for the HNP input approximation?
  • What does this have in common with the general
    properties of the DSAWIV?

10
Answering Question No. 1
  • We study the effect of substituting the public
    parameters used in the signing phase.
  • Traditionally, little attention is paid to the
    integrity of g.
[Diagram: a substituted parameter set (p, q, g) is fed into the signing transformation together with h(m) and the private key; the verifying transformation still uses the genuine (p, q, g) and the public key, and returns either (r, s) or FAILED.]
11
On the Substituted Generator g
  • Let d?p 1. We find ? ? ?p, ord(?) d.
  • We then set g g? mod p.
  • Every signature (r, s) made after such a change
    using the DSAWIV satisfies
  • r (gk mod p) mod q (gk?k mod p) mod q.
  • Therefore, k ? 0 (mod d) with a probability ? 1.
    So, we use a 0 for every (r, s).

12
Answering Question No. 2
  • For every h(m), there is a value of the nonce k
    such that a signature (r, s) made using a
    substituted value of g is valid.
  • If k ∈_R <1, q − 1>, then we get it with
    probability ≈ 1/d.
  • When d is chosen small enough, the DSAWIV
    almost never returns FAILURE.
  • But the correct signatures then open an
    ultimate side channel.
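The claims of slides 4, 7, 11 and 12 can be checked end to end on toy parameters. The following script is an added example written for this transcript; it is not code from the presentation or from its author. It implements the DSAWIV loop of slide 4, lets the signer use a substituted generator g' = gζ mod p as on slide 11 while the implicit verification keeps the genuine g, and then tallies three things over a batch of signatures: whether FAILURE is ever returned (slide 12), whether every returned signature really has k ≡ 0 (mod d) (slide 11), and whether the pair (t, u) built with a = 0 satisfies |xt − u|_q ≤ q/(2d) (slide 7). It also records the average number of loop iterations, which is the one symptom a defender can observe: with the genuine g the loop passes on the first try, with the substituted g it needs about d tries on average. All parameter sizes, the SHA-256-mod-q hash, the message strings and every function name (`toy_params`, `dsawiv_sign`, `hnp_pair`, `run_demo`, ...) are this example's own constructions and assumptions; the lattice step of slide 8 is deliberately not included.

```python
import hashlib
import random
from fractions import Fraction

def is_prime(n):
    """Miller-Rabin; bases 2..17 are deterministic for n < 3.4e14 (enough for toy sizes)."""
    if n < 2:
        return False
    r, s = n - 1, 0
    while r % 2 == 0:
        r, s = r // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17):
        if n % a == 0:
            return n == a
        x = pow(a, r, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_params(qbits, d, rng):
    """Constructed (p, q, g): q | p-1, d | p-1, gcd(d, q) = 1, ord(g) = q. Toy sizes only."""
    q = 0
    while not is_prime(q):
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
    m = 2 * d                                  # every candidate p = q*m + 1 keeps d | p-1
    while not is_prime(q * m + 1):
        m += 2 * d
    p, g = q * m + 1, 1
    while g == 1:
        g = pow(rng.randrange(2, p - 1), m, p)  # (p-1)/q = m, so g has order q
    return p, q, g

def element_of_order(p, d, rng):
    """zeta in Z_p^* with ord(zeta) = d exactly, as on slide 11."""
    while True:
        z = pow(rng.randrange(2, p - 1), (p - 1) // d, p)
        if all(pow(z, e, p) != 1 for e in range(1, d)):
            return z

def dsa_sign(p, q, g, x, hm, k):
    r = pow(g, k, p) % q
    s = (hm + x * r) * pow(k, -1, q) % q
    return r, s

def dsa_verify(p, q, g, y, hm, r, s):
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u, v = hm * w % q, r * w % q
    return pow(g, u, p) * pow(y, v, p) % p % q == r

def dsawiv_sign(p, q, g_sign, g_verify, x, y, hm, rng, bound=10_000):
    """Slide 4 loop. Returns ((r, s), iterations, k); k is exposed only to check slide 11."""
    for i in range(1, bound + 1):
        k = rng.randrange(1, q)
        r, s = dsa_sign(p, q, g_sign, x, hm, k)
        if r == 0 or s == 0:
            continue
        if dsa_verify(p, q, g_verify, y, hm, r, s):
            return (r, s), i, k
    return None, bound, None                   # FAILURE

def hnp_pair(q, d, a, hm, r, s):
    """Slide 7: (t, u) with |x*t - u|_q <= q/(2d) whenever k = a (mod d)."""
    s_inv, d_inv = pow(s, -1, q), pow(d, -1, q)
    t = r * s_inv * d_inv % q
    u = Fraction((a - hm * s_inv) * d_inv % q) + Fraction(q, 2 * d)
    return t, u

def dist_mod_q(z, q):                          # |z|_q for a rational z
    zq = z - q * (z // q)
    return min(zq, q - zq)

def run_demo(qbits=32, d=7, n_sigs=200, substitute=True, seed=1):
    """Tally DSAWIV retries, k mod d and the slide-7 bound over n_sigs signatures."""
    rng = random.Random(seed)
    p, q, g = toy_params(qbits, d, rng)
    x = rng.randrange(1, q)
    y = pow(g, x, p)
    g_sign = g * element_of_order(p, d, rng) % p if substitute else g
    failures = bad_k = violations = iters = 0
    for i in range(n_sigs):
        hm = int.from_bytes(hashlib.sha256(b"msg %d" % i).digest(), "big") % q
        sig, n, k = dsawiv_sign(p, q, g_sign, g, x, y, hm, rng)
        iters += n
        if sig is None:
            failures += 1
            continue
        bad_k += k % d != 0
        t, u = hnp_pair(q, d, 0, hm, *sig)     # attacker assumes a = 0
        violations += dist_mod_q(x * t - u, q) > Fraction(q, 2 * d)
    return {"failures": failures, "k_not_0_mod_d": bad_k,
            "bound_violations": violations, "avg_iters": iters / n_sigs}
```

Running `run_demo()` and `run_demo(substitute=False)` side by side shows the whole point of the slides: with the substituted generator the implicit check never fails and every accepted signature has a nonce divisible by d, so the attacker's a = 0 is always right and the slide-7 bound holds for every pair, while the only externally visible difference is an average of roughly d signing attempts per signature instead of one. For a real deployment that retry count (or its timing shadow) is what monitoring should watch; the constructed 32-bit q is far too small for anything but this illustration.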

13
Another Substitution Scheme
  • Even the generator written in the user's
    certificate can be faked.
  • We then assume
  •   k ≡ u (mod d),
  • where
  •   u = h(m) s^(−1) mod q.
[Diagram: the substituted (p, q, g) now reaches both the signing transformation (with h(m) and the private key) and the verifying transformation (with the public key), which returns either (r, s) or FAILED.]
14
Experimental Results
Condition for the divisor being searched: d < 512, preferably also d ? 12. Channels with d < 8 are marked as weak.
15
Conclusion
  • Another realistic fault attack on DSA.
  • We also saw that the DSAWIV is neither a robust nor
    a universal scheme.
  • Implicit verification has to be used with care.
  • Some attacks can only become hidden.
  • Some can even be accelerated.
  • Note: the DSAWIV can also occur naturally, just
    through user activity.
  • We should warn users to report any strange
    behaviour of their signing tools (e.g. a
    chipcard that sometimes fails).