Lattice-based Fault Attacks on DSA – Another Possible Strategy Tomáš Rosa,


2 Security and Protection of Information 2005 DSAWIV Let DSAWIV stand for a Digital Signature Algorithm With an Implicit Verification.

3 DSA…
1. let i = 1
2. let k  R
3. compute $r = (g^k \bmod p) \bmod q$
4. compute $s = (h(m) + xr)k^{-1} \bmod q$
5. if r = 0 or s = 0 then go to 2
6. …
[Figure: block diagram with labels h(m); Signing transf.; p, q, g; Priv. key; r, s]

4 …With an Implicit Verification
1. let i = 1
2. let k  R
3. compute $r = (g^k \bmod p) \bmod q$
4. compute $s = (h(m) + xr)k^{-1} \bmod q$
5. if r = 0 or s = 0 then go to 2
6. compute $u = h(m)s^{-1} \bmod q$
7. compute $v = rs^{-1} \bmod q$
8. compute $w = (g^u y^v \bmod p) \bmod q$
9. if w = r then return (r, s)
10. if ++i > Bound then return FAILURE
11. go to 2
[Figure: block diagram with labels h(m); Signing transf.; p, q, g; Priv. key; h(m), r, s; Verifying transf.; p, q, g; Pub. key; (r, s); FAILED]

5 DSAWIV vs. Fault Attacks
It looks like a robust universal countermeasure against fault attacks. It could be so if we were talking, for instance, about RSA according to PKCS-1-v1_5. However, it is neither robust nor universal, since there are realistic attacks passing undetected. They can become even more hidden and accelerated instead…

6 Fault Attack Cracking the DSAWIV
The work of Nguyen & Shparlinski done in serves as a platform for our attack. Our approach builds on a slightly generalized idea from the N-S work: we generalize an individual bit leakage into an individual modular digit leakage.

7 Generalized N-S Method
Let $a = k \bmod d$, where d  , gcd(d, q) = 1. The value of a represents the least significant d-modular digit of k. Then, the values of (t, u) defined as
$t = rs^{-1}d^{-1} \bmod q$, $u = [(a - h(m)s^{-1})d^{-1}] \bmod q + q/2d$,
are an approximation of the private key x (also called a hidden number here) satisfying  xt – u  q  q/2d, where  z  q = min { z mod q, q – (z mod q) }.

8 Solving the Approximations
We have to solve the Hidden Number Problem. We use the “Standard HNP to CVP” approach. Suppose we have collected N pairs $(t_i, u_i)$. We then solve the Closest Vector Problem for the (N+1)-dimensional full-rank lattice  $(q, d, t_1, \dots, t_N)$ and the rational vector $u = (u_1, \dots, u_N, 0)$. Let the resulting vector be denoted as v, v   $(q, d, t_1, \dots, t_N)$. For an appropriate N, it is probable that the private key x can be computed as $x = 2d\,v_{N+1} \bmod q$.

9 But Back to the Attack Now
We have two basic questions to solve:
1. How to gain the least significant modular digits for the HNP input approximation?
2. What does it have in common with the general properties of the DSAWIV?

10 Answering the Question no. 1
We study the effect of substituting the public parameters used in the signing phase. Traditionally, little attention is often paid to the integrity of g.
[Figure: block diagram with labels h(m); Signing transf.; p, q, g; Priv. key; h(m), r, s; Verifying transf.; p, q, g; Pub. key; (r’, s’); FAILED; p, q, g’]

11 On the Substituted Generator g’
Let d  p – 1. We find    p *, ord(  ) = d. We then set g’ = g  mod p. Every signature (r’, s’) made after such a change using the DSAWIV satisfies r’ = (g k mod p) mod q = (g k  k mod p) mod q. Therefore, k  0 (mod d) with a probability  1. So, we use a = 0 for every (r’, s’).

12 Answering the Question no. 2
For every h(m), there is a value of the nonce k, such that a signature (r’, s’) made using a substituted value of g’ is valid. If k  R then we get it with the probability  1/d. When d is chosen to be small enough, the DSAWIV almost never returns FAILURE. But the “correct” signatures will open an ultimate side channel then…
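The generator substitution of slides 10 to 12, reproduced on toy parameters as an added example (not code from the presentation), next to the parameter check that detects it. Assumptions: the 31-bit q, d = 13, the order-d element called `beta` and all function names are chosen here; signing uses the substituted generator while the implicit verification uses the genuine g and public key, and `k` is returned only so the leak can be observed.

```python
import random
from math import isqrt
Q, D = 2**31 - 1, 13   # toy values: prime subgroup order q, prime digit modulus d

def is_prime(n):
    return n > 1 and all(n % f for f in range(2, isqrt(n) + 1))

def element_of_order(n, p):
    # for prime n, h^((p-1)/n) has order 1 or n; return the first non-trivial one
    h = 2
    while pow(h, (p - 1) // n, p) == 1:
        h += 1
    return pow(h, (p - 1) // n, p)

def make_params():
    m = 1
    while not is_prime(2 * m * D * Q + 1):   # need q | p-1 and d | p-1
        m += 1
    p = 2 * m * D * Q + 1
    g, beta = element_of_order(Q, p), element_of_order(D, p)
    return p, g, g * beta % p                # modulus, genuine g, substituted g'

def generator_ok(g, p, q):
    return 1 < g < p and pow(g, q, p) == 1   # g must lie in the order-q subgroup

def dsawiv_sign(hm, x, y, p, q, g_sign, g_verify, rng, bound=500):
    for _ in range(bound):
        k = rng.randrange(1, q)
        r = pow(g_sign, k, p) % q
        s = (hm + x * r) * pow(k, -1, q) % q
        if r == 0 or s == 0:
            continue
        s_inv = pow(s, -1, q)
        w = pow(g_verify, hm * s_inv % q, p) * pow(y, r * s_inv % q, p) % p % q
        if w == r:                           # implicit verification passed
            return r, s, k                   # k exposed for the demo only
    return None                              # FAILURE

def nonce_digits(g_sign, p, g, n=20, seed=1):
    rng = random.Random(seed)                # reproducible, not a secure RNG
    x = rng.randrange(1, Q)
    y = pow(g, x, p)
    sigs = [dsawiv_sign(rng.randrange(Q), x, y, p, Q, g_sign, g, rng) for _ in range(n)]
    return [None if s is None else s[2] % D for s in sigs]

if __name__ == "__main__":
    p, g, g_sub = make_params()
    for gs in (g, g_sub):                    # genuine generator, then substituted
        print(generator_ok(gs, p, Q), nonce_digits(gs, p, g))
```

With the substituted generator every signature that survives the implicit verification has k mod d = 0, while `generator_ok` rejects g' before any signature is produced.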

13 Another Substitution Scheme
Even the generator written in the user’s certificate can be faked. We then assume k  u’ (mod d), where $u' = h(m)s'^{-1} \bmod q$.
[Figure: block diagram with labels h(m); Signing transf.; p, q, g; Priv. key; h(m), r, s; Verifying transf.; p, q, g; Pub. key; (r’, s’); FAILED; p, q, g’]

14 Experimental Results
Condition for the divisor being searched: d < 512, preferably also d  12. Channels with d < 8 are marked as weak.

15 Conclusion
Another realistic fault attack on DSA.
We also saw that the DSAWIV is neither a robust nor a universal scheme.
Implicit verification has to be used with care. Some attacks can only become hidden. Some can even be accelerated.
Note: DSAWIV can also occur naturally just by a user activity.
We shall warn users to report any strange behaviour of their signing tools (e.g. “Sometimes failing chipcard”).