Cryptographic Insecurity of the Test&Repeat Paradigm Tomáš Rosa, eBanka, a.s., Charles University, Prague, Czech Technical University in Prague
Embedded Systems Do…
…control flow monitoring to enforce safety policy…
…HW monitoring for highest security…
…runtime validation of program’s data properties…
…

Test&Repeat Paradigm
We try to study formally the things a designer would probably do naturally if asked to develop a module that:
1. Prevents propagation of faulty results.
2. Ensures a certain level of robustness, i.e. mainly fault tolerance.

DSAWIV
Let DSAWIV stand for a Digital Signature Algorithm With an Implicit Verification. In the paper, we also use the term “TARed DSA”.

DSA…
1. let i = 1
2. let k be chosen at random
3. compute r = (g^k mod p) mod q
4. compute s = (h(m) + xr) k^{-1} mod q
5. if r = 0 or s = 0 then go to 2
6. …
[Figure: the signing transformation takes h(m) together with p, q, g and the private key and outputs (r, s)]

…With an Implicit Verification
1. let i = 1
2. let k be chosen at random
3. compute r = (g^k mod p) mod q
4. compute s = (h(m) + xr) k^{-1} mod q
5. if r = 0 or s = 0 then go to 2
6. compute u = h(m) s^{-1} mod q
7. compute v = r s^{-1} mod q
8. compute w = (g^u y^v mod p) mod q
9. if w = r then return (r, s)
10. if ++i > Bound then return FAILURE
11. go to 2
[Figure: the signing transformation (p, q, g, private key) passes h(m), r, s to the verifying transformation (p, q, g, public key), which releases (r, s) or FAILED]

Obvious Properties of DSAWIV
No faulty signature can leave the cryptographic module. This could indicate security.
It tolerates transient faults by repeating the computation several times. This could indicate robustness.

Central Questions
Shall we rely on the properties of DSAWIV and believe that it really is a secure implementation of DSA? Does the Test&Repeat paradigm create a secure cryptosystem here?

Fault Attack on the DSAWIV
The work of Nguyen & Shparlinski done in serves as a platform for our attack. In our approach, we build on a slightly generalized idea of the work of N-S: we generalize an individual bit leakage into an individual d-ary digit leakage.

Useful Operator
Let z ∈ ℤ and q ∈ ℕ. We define |z|_q = min_{c ∈ ℤ} |z − cq|.
Notes: |z|_q = min {z mod q, q − (z mod q)}; if z ≡ y (mod q) then |z|_q = |y|_q.

Generalized N-S Method
Let a = k mod d, where d ∈ ℕ, gcd(d, q) = 1. The value of a represents the least significant d-ary digit of the nonce k = a + b_1 d + b_2 d^2 + … = a + bd.
Note: xr + h(m) ≡ s(a + bd) (mod q), 0 ≤ b < q/d.
Then the values (t, u) defined as
t = r s^{-1} d^{-1} mod q,
u = [(a − h(m) s^{-1}) d^{-1}] mod q + q/(2d),
are an approximation of the private key x satisfying |xt − u|_q ≤ q/(2d).
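As an added illustration (not code from the slides or the paper), the following Python checks the bound |xt − u|_q ≤ q/(2d) numerically: it signs constructed message hashes on toy DSA parameters, builds (t, u) from each signature using only the digit a = k mod d, and reports the worst observed distance relative to q/(2d). The toy parameters and helper names are assumptions.

```python
from fractions import Fraction
import random

# Constructed toy DSA parameters (not real-world sizes): q = 1019 and p = 2039 are
# prime with q | p - 1, and g = 4 has order q in Z_p^*.
P, Q, G = 2039, 1019, 4

def dist_q(z, q):
    """|z|_q: distance of z from the nearest multiple of q (ints or Fractions)."""
    z = z % q
    return min(z, q - z)

def hnp_pair(hm, r, s, a, d, q):
    """Generalized N-S pair (t, u) from a DSA signature (r, s) on hash hm whose
    nonce has least significant d-ary digit a = k mod d (gcd(d, q) = 1)."""
    s_inv, d_inv = pow(s, -1, q), pow(d, -1, q)
    t = r * s_inv * d_inv % q
    u = (a - hm * s_inv) * d_inv % q + Fraction(q, 2 * d)   # exact rational
    return t, u

def plain_dsa_sign(hm, x, k, p=P, q=Q, g=G):
    """Plain DSA signing step with a given nonce k (no implicit verification)."""
    r = pow(g, k, p) % q
    s = (hm + x * r) * pow(k, -1, q) % q
    return r, s

def check_approximation(n, d=16, seed=3):
    """Sign n constructed hashes with random nonces, build (t, u) from a = k mod d
    only, and return the worst |x*t - u|_q divided by the bound q/(2d)."""
    rng = random.Random(seed)
    x = rng.randrange(1, Q)
    worst = Fraction(0)
    for _ in range(n):
        hm, k = rng.randrange(1, Q), rng.randrange(1, Q)
        r, s = plain_dsa_sign(hm, x, k)
        if r == 0 or s == 0:
            continue
        t, u = hnp_pair(hm, r, s, k % d, d, Q)
        worst = max(worst, dist_q(x * t - u, Q) / Fraction(Q, 2 * d))
    return worst        # <= 1 exactly when the slide's bound holds for every pair
```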

Diophantine Solution
Let us have collected N pairs {(t_i, u_i)}_{i=1}^{N}. We then solve the Approximate Closest Vector Problem for the (N+1)-dimensional full-rank lattice L(q, d, t_1, …, t_N) and the rational vector u = (u_1, …, u_N, 0). Let the resulting vector be denoted as v, v ∈ L(q, d, t_1, …, t_N).

Diophantine Solution
For an appropriate N, it is probable that the private key x satisfies x = 2d·v_{N+1} mod q. A rule of thumb: the appropriate N shall satisfy d^N >> q.

Back to the Attack Now
How to gain the least significant d-ary digits for the HNP input approximation? What does it have in common with the general properties of the DSAWIV?

Gaining the Side Information
We study the effect of substituting the public parameters used in the signing phase. Traditionally, little attention is paid to the integrity of g.
[Figure: the signing transformation now runs with the substituted parameters p, q, g’ and the private key; it passes h(m), r, s to the verifying transformation (p, q, g, public key), which releases (r’, s’) or FAILED]

Once Upon a Time…
…there was an insufficient integrity check in the OpenPGP platform allowing an attacker to do the following fault attack… (it was the year 2001)

[Figure: Normal Operation, signing a message: the user’s password decrypts the encrypted private key; the private key and the message enter the signing algorithm, which outputs the digital signature]

[Figure: Under Attack: the attacker’s program substitutes the public key and parameters stored alongside the encrypted private key; the signing algorithm runs as before, and the released digital signature becomes a fault side channel from which the attacker’s program recovers the private key]

Therefore…
…the effect of public parameters substitution shall be well considered when designing and evaluating cryptographic modules…

On the Generator g’
Let d | p − 1. We find α ∈ ℤ_p^*, ord(α) = d. We then set g’ = gα mod p. Every signature (r’, s’) released by the DSAWIV after such a change satisfies r’ = (g^k α^k mod p) mod q = (g^k mod p) mod q. Therefore, k ≡ 0 (mod d) with probability ≈ 1. So, we use a = 0 for every (r’, s’).

Connections with DSAWIV
For every h(m), there is a value of the nonce k such that a signature (r’, s’) made using the substituted value g’ is valid. If k is chosen at random, we get it with probability ≈ 1/d. When d is chosen small enough, the DSAWIV almost never returns FAILURE. But the “correct” signatures then open an ultimate side channel…
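An added Python simulation (not the presentation’s or the paper’s code) of the DSAWIV loop from the “With an Implicit Verification” slide together with the substituted generator g’ = gα from the “On the Generator g’” slide, on constructed toy parameters: it shows that every signature DSAWIV releases under g’ has a nonce with k ≡ 0 (mod d), and that a simple order check on g, the integrity check the slides note is usually neglected, rejects g’ before any signature is produced. The helper names, toy sizes and the choice of a prime d are assumptions.

```python
import math
import random
# Constructed toy parameters (far too small for real use): q prime, p = j*q + 1 prime
# with d | j (so an element of order d exists), g of order q; d is assumed prime.
def is_prime(n):
    return n > 1 and all(n % f for f in range(2, int(n ** 0.5) + 1))

def toy_params(q=1000003, d=3):
    j = d
    while not is_prime(j * q + 1):
        j += d
    p = j * q + 1
    g = next(pow(h, j, p) for h in range(2, p) if pow(h, j, p) != 1)
    return p, q, g

def dsawiv_sign(hm, x, y, p, q, g_sign, g_ver, bound, rng):
    """Test&Repeat DSA: sign with g_sign (possibly substituted), verify with the genuine
    g_ver, release only a verifiable (r, s). Returns ((r, s), k) or (None, None) = FAILURE."""
    for _ in range(bound):
        k = rng.randrange(1, q)
        r = pow(g_sign, k, p) % q
        s = (hm + x * r) * pow(k, -1, q) % q
        if r == 0 or s == 0:
            continue
        s_inv = pow(s, -1, q)
        w = pow(g_ver, hm * s_inv % q, p) * pow(y, r * s_inv % q, p) % p % q
        if w == r:
            return (r, s), k   # k is returned only so the simulation can inspect it
    return None, None

def generator_ok(p, q, g):
    """Integrity check the slides say is usually neglected: g must have order exactly q."""
    return 1 < g < p and pow(g, q, p) == 1

def substituted_generator(p, q, g, d):
    """g' = g*alpha mod p with ord(alpha) = d, where d | p-1 and gcd(d, q) = 1."""
    assert (p - 1) % d == 0 and math.gcd(d, q) == 1
    alpha = next(a for a in (pow(h, (p - 1) // d, p) for h in range(2, p)) if a != 1)
    return g * alpha % p

def simulate(n_sigs, d=3, bound=64, seed=7):
    """Sign n_sigs constructed hashes with g' substituted. Returns: does g pass the check,
    does g' pass, how many signatures were released, do all released nonces have k = 0 (mod d)."""
    rng = random.Random(seed)
    p, q, g = toy_params(d=d)
    x, g2 = rng.randrange(1, q), substituted_generator(p, q, g, d)
    y = pow(g, x, p)
    outs = [dsawiv_sign(rng.randrange(1, q), x, y, p, q, g2, g, bound, rng) for _ in range(n_sigs)]
    nonces = [k for sig, k in outs if sig is not None]
    return generator_ok(p, q, g), generator_ok(p, q, g2), len(nonces), all(k % d == 0 for k in nonces)
```

With a small d the loop almost never reports FAILURE, which is exactly why the released signatures are useful to the attack described above; the order check is what stops it.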

Experimental Results
Condition for the divisor being searched: d < 512, preferably d ≥ 12. Channels with d < 8 are marked as weak.

Conclusion
The DSAWIV is not universally resistant to fault attacks. Some attacks only become hidden. Some can even be accelerated. The Test&Repeat paradigm did not help to protect the scheme. Actually, it weakened it in a certain way.

Remedy
Despite looking like a promising approach, the Test&Repeat paradigm shall be used with care. We shall check for the attacks that pass undetected, or which are even outright allowed and accelerated by this countermeasure.