Fault Attacks on Public Keys

Transcription

1 Fault Attacks on Public Keys Ce cile Canovas and Alexandre Berzati CEA-LETI Minatec et Universite de Versailles 5 Juin 2009

2 Outline 1 Introduction 2 IFP-based algorithms 3 DLP-based algorithms 4 ECDLP-based algorithms 5 Conclusion Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 2

3 Asymmetric cryptography Signature Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 3

4 Asymmetric cryptography Signature hash message m Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 3

5 Asymmetric cryptography Signature hash message m computation Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 3

6 Asymmetric cryptography Signature hash message m signature S Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 3

7 Fault Attacks on Asymmetric cryptography Differential Fault Analysis (DFA) Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 4

8 Fault Attacks on Asymmetric cryptography Differential Fault Analysis (DFA) hash message m computation Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 4

9 Fault Attacks on Asymmetric cryptography Differential Fault Analysis (DFA) hash message m computation Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 4

10 Fault Attacks on Asymmetric cryptography Differential Fault Analysis (DFA) hash message m signature Ŝ Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 4

11 Fault Attacks on Asymmetric cryptography Differential Fault Analysis (DFA) hash message m signature Ŝ The key is recovered from the difference between S and Ŝ Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 4

12 Fault Attacks on Asymmetric cryptography Structure Fault Attacks Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 5

13 Fault Attacks on Asymmetric cryptography Structure Fault Attacks hash message m computation Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 5

14 Fault Attacks on Asymmetric cryptography Structure Fault Attacks hash message m computation Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 5

15 Fault Attacks on Asymmetric cryptography Structure Fault Attacks hash message m signature Ŝ Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 5

16 Fault Attacks on Asymmetric cryptography Structure Fault Attacks hash message m signature Ŝ The key is recovered from Ŝ because of the weak algebraic structure Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 5

17 Outline 1 Introduction 2 IFP-based algorithms RSA Signature Scheme Fault Attacks 3 DLP-based algorithms 4 ECDLP-based algorithms 5 Conclusion Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 6

18 RSA Signature Scheme Key generation Pick large primes p and q and compute N = p q Pick a random e such that gcd(e, ϕ(n)) = 1 Compute d e 1 mod N The public key is (e, N) The private key is d Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 7

19 RSA Signature Scheme Key generation Pick large primes p and q and compute N = p q Pick a random e such that gcd(e, ϕ(n)) = 1 Compute d e 1 mod N The public key is (e, N) The private key is d Signature Return S h(m) d mod N Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 7

20 RSA Signature Scheme Key generation Pick large primes p and q and compute N = p q Pick a random e such that gcd(e, ϕ(n)) = 1 Compute d e 1 mod N The public key is (e, N) The private key is d Signature Return S h(m) d mod N Signature verification Check that S e h(m) mod N Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 7

21 Outline 1 Introduction 2 IFP-based algorithms RSA Signature Scheme Fault Attacks 3 DLP-based algorithms 4 ECDLP-based algorithms 5 Conclusion Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 8

22 Why One Should Also Secure RSA Public Key Elements [BCMCC06] Fault Model The attacker performs a perturbation compaign by collecting faulty signatures computed under unknown faulty moduli Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 9

23 Why One Should Also Secure RSA Public Key Elements [BCMCC06] Fault Model The attacker performs a perturbation compaign by collecting faulty signatures computed under unknown faulty moduli Fault Analysis From some faulty signatures, the attacker recovers small residues of d by solving small D.L. The whole d is recovered with the Chinese Remainder Theorem Variant Use of a constrained fault model and moduli dictionary Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 9

24 Fault Attacks on RSA Public Keys [BCDG09] Fault Model A byte of the modulus is corrupted during the exponentiation The faulty modulus has to be prime or smooth A dictionnary of prime faulty moduli has to be computed Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 10

25 Fault Attacks on RSA Public Keys [BCDG09] Fault Model A byte of the modulus is corrupted during the exponentiation The faulty modulus has to be prime or smooth A dictionnary of prime faulty moduli has to be computed Fault Analysis The faulty signature is: Ŝ = A 2w h(m) dw mod ˆN (1) where A denotes an intermediate value before the perturbation and d w a partial value of d The values (d w, ˆN) are guessed and determined Computation of square roots The whole d is gradually recovered Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 10

26 Outline 1 Introduction 2 IFP-based algorithms 3 DLP-based algorithms ElGamal Signature Scheme DSA Signature Scheme 4 ECDLP-based algorithms 5 Conclusion Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 11

27 ElGamal Signature Scheme Key generation Pick a random prime p, g a generator of Z/pZ and a random x s.t. The public key is (y, g, p) The private key is x y = g x mod p (2) Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 12

28 ElGamal Signature Scheme Key generation Pick a random prime p, g a generator of Z/pZ and a random x s.t. The public key is (y, g, p) The private key is x y = g x mod p (2) Signature Pick a random k s.t. gcd (k, p 1) = 1 Compute u g k mod p and v h(m) xu k mod (p 1) Return the couple (u, v) Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 12

29 ElGamal Signature Scheme Key generation Pick a random prime p, g a generator of Z/pZ and a random x s.t. The public key is (y, g, p) The private key is x y = g x mod p (2) Signature Pick a random k s.t. gcd (k, p 1) = 1 Compute u g k mod p and v h(m) xu k mod (p 1) Return the couple (u, v) Signature verification Check that y u u v g h(m) mod p Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 12

30 Fault Attack (Reference [KBPJJ08]) Fault Model The attacker can generate random faults on p He knows (or can guess) the resulting faulty modulus ˆp If gcd `k, ˆp 1 = 1, we have: û g k mod ˆp and ˆv h(m) xû k mod `ˆp 1 (3) Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 13

31 Fault Attack (Reference [KBPJJ08]) Fault Model The attacker can generate random faults on p He knows (or can guess) the resulting faulty modulus ˆp If gcd `k, ˆp 1 = 1, we have: û g k mod ˆp and ˆv h(m) xû k mod `ˆp 1 (3) Fault Analysis Let t s.t. t ˆp and ϕ (t) `ˆp 1 ûˆv g k h(m) xû k g h(m) xû mod t ûˆv g h(m) g û x mod t So, each fault analysis makes the attacker recover x mod r, where r denotes the order of g û modulo t Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 13

32 Outline 1 Introduction 2 IFP-based algorithms 3 DLP-based algorithms ElGamal Signature Scheme DSA Signature Scheme 4 ECDLP-based algorithms 5 Conclusion Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 14

33 DSA Signature Scheme Key generation Pick a random prime p, q s.t. q (p 1), g Z/pZ s.t. ord (g) = q Then, pick a random x s.t. 0 < x < q and compute: The public key is (y, g, p, q) The private key is x y = g x mod p (4) Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 15

34 DSA Signature Scheme Key generation Pick a random prime p, q s.t. q (p 1), g Z/pZ s.t. ord (g) = q Then, pick a random x s.t. 0 < x < q and compute: The public key is (y, g, p, q) The private key is x y = g x mod p (4) Signature Pick a random k s.t. gcd (k, p 1) = 1 Compute u `g k mod p mod q and v h(m)+xu mod q k Return the couple (u, v) Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 15

35 DSA Signature Scheme Key generation Pick a random prime p, q s.t. q (p 1), g Z/pZ s.t. ord (g) = q Then, pick a random x s.t. 0 < x < q and compute: The public key is (y, g, p, q) The private key is x y = g x mod p (4) Signature Pick a random k s.t. gcd (k, p 1) = 1 Compute u `g k mod p mod q and v h(m)+xu mod q k Return the couple (u, v) Signature verification Compute w = v 1 mod q Check that `g wh(m) y wu mod q = u Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 15

36 Fault Attack (Reference [KBPJJ08]) Fault Model The attacker can generate random faults on p and q He knows (or can guess) resulting faulty moduli ˆp and ˆq If gcd `k, ˆq = 1, we have: û g k h(m) + xû mod ˆp mod ˆq and ˆv mod ˆq (5) k Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 16

37 Fault Attack (Reference [KBPJJ08]) Fault Model The attacker can generate random faults on p and q He knows (or can guess) resulting faulty moduli ˆp and ˆq If gcd `k, ˆq = 1, we have: û g k h(m) + xû mod ˆp mod ˆq and ˆv mod ˆq (5) k Fault Analysis Let t s.t. t ˆp, t ˆq and ϕ (t) `ˆp 1 ûˆv g h(m) ûˆv g k h(m)+xû k gû x mod t g h(m)+xû mod t So, each fault analysis makes the attacker recover x mod r, where r denotes the order of gû modulo t Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 16

38 Outline 1 Introduction 2 IFP-based algorithms 3 DLP-based algorithms 4 ECDLP-based algorithms Introduction Fault Attacks 5 Conclusion Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 17

39 Elliptic Curves Definition An elliptic curve E (a, b) defined over a finite field F p, where p > 3 can be given as: E (F p) : y 2 = x 3 + ax + b a, b F p (6) where the associated discriminant = 16 4a b 2 0 Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 18

40 Elliptic Curves Definition An elliptic curve E (a, b) defined over a finite field F p, where p > 3 can be given as: E (F p) : y 2 = x 3 + ax + b a, b F p (6) where the associated discriminant = 16 4a b 2 0 Algebraic Structure We can define a law + over the elliptic curve field that performs a point addition An elliptic curve E (F p) with this law + forms an abelian group Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 18

41 Elliptic Curves Definition An elliptic curve E (a, b) defined over a finite field F p, where p > 3 can be given as: E (F p) : y 2 = x 3 + ax + b a, b F p (6) where the associated discriminant = 16 4a b 2 0 Algebraic Structure We can define a law + over the elliptic curve field that performs a point addition An elliptic curve E (F p) with this law + forms an abelian group Scalar Multiplication Let P E (F p) and d F p be a random value: Q = d P = P + P... + P d times (7) Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 18

42 Outline 1 Introduction 2 IFP-based algorithms 3 DLP-based algorithms 4 ECDLP-based algorithms Introduction Fault Attacks 5 Conclusion Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 19

43 Biehl-Meyer-Müller Attack [BMM00] Fault model Faults on the Input Point P (ˆP known) P is changed s.t ˆP E (a, ˆb) whose order has a small divisor r ˆb may not be use to perform the point addition (ANSI X9.63 and IEEE 1363) Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 20

44 Biehl-Meyer-Müller Attack [BMM00] Fault model Faults on the Input Point P (ˆP known) P is changed s.t ˆP E (a, ˆb) whose order has a small divisor r ˆb may not be use to perform the point addition (ANSI X9.63 and IEEE 1363) Fault Analysis ord ˆP = r and ˆQ = d ˆP is computed over E (a, ˆb) Since r is small, compute the D.L. in < ˆP > and so find d mod r Repeat the process and get d by the Chinese Remainder Theorem Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 20

45 Biehl-Meyer-Müller Attack [BMM00] Fault model Faults on the Input Point P (ˆP known) P is changed s.t ˆP E (a, ˆb) whose order has a small divisor r ˆb may not be use to perform the point addition (ANSI X9.63 and IEEE 1363) Fault Analysis ord ˆP = r and ˆQ = d ˆP is computed over E (a, ˆb) Since r is small, compute the D.L. in < ˆP > and so find d mod r Repeat the process and get d by the Chinese Remainder Theorem Additional Fault Model Placing Register Faults Random bit fault on P Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 20

46 Ciet-Joye Attack [CJ05] Fault Model An unknown bit of the x-coordinate of P is permanently corrupted ˆP(ˆx, y) E (a, ˆb) whose order has a small divisor r, and ˆQ = d ˆP = ( ˆ x Q, ˆ y Q ) (8) Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 21

47 Ciet-Joye Attack [CJ05] Fault Model An unknown bit of the x-coordinate of P is permanently corrupted ˆP(ˆx, y) E (a, ˆb) whose order has a small divisor r, and ˆQ = d ˆP = ( ˆ x Q, ˆ y Q ) (8) Fault Analysis First, recover ˆb by noticing that ˆQ E (a, ˆb): ˆb = y 2 xˆ 3 Q axˆ Q Then, since ˆP(ˆx, y) E (a, ˆb), ˆx is a root of X 3 + ax + ˆb y 2 The root that has most matching bits with x is taken as ˆx If ord ˆP = r is small, compute the D.L. in < ˆP > and find d mod r Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 21

48 Ciet-Joye Attack [CJ05] Fault Model An unknown bit of the x-coordinate of P is permanently corrupted ˆP(ˆx, y) E (a, ˆb) whose order has a small divisor r, and ˆQ = d ˆP = ( ˆ x Q, ˆ y Q ) (8) Fault Analysis First, recover ˆb by noticing that ˆQ E (a, ˆb): ˆb = y 2 xˆ 3 Q axˆ Q Then, since ˆP(ˆx, y) E (a, ˆb), ˆx is a root of X 3 + ax + ˆb y 2 The root that has most matching bits with x is taken as ˆx If ord ˆP = r is small, compute the D.L. in < ˆP > and find d mod r Additional Fault Model Permanent faults on y-coordinates Bit-error on the field parameter q Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 21

49 Twist Attack [FLRV08] Definition The twist of E by c defined over F p where p > 3 can be given as: E c (F p) : y 2 = x 3 + ac 2 x + bc 3 a, b, c F p (9) The number of points on the twist is smooth Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 22

50 Twist Attack [FLRV08] Definition The twist of E by c defined over F p where p > 3 can be given as: E c (F p) : y 2 = x 3 + ac 2 x + bc 3 a, b, c F p (9) The number of points on the twist is smooth Fault Model The attackers modifies the x-coordinate of P s.t. ˆP E c The fault is induced s.t. ˆQ = d ˆP E c The attack targets the Montgomery Ladder implementation of the scalar multiplication (y-coordinates not used) Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 22

51 Twist Attack [FLRV08] Definition The twist of E by c defined over F p where p > 3 can be given as: E c (F p) : y 2 = x 3 + ac 2 x + bc 3 a, b, c F p (9) The number of points on the twist is smooth Fault Model The attackers modifies the x-coordinate of P s.t. ˆP E c The fault is induced s.t. ˆQ = d ˆP E c The attack targets the Montgomery Ladder implementation of the scalar multiplication (y-coordinates not used) Fault Analysis From ˆQ, the attacker recovers the parameter of the twist c The attackers solve D.L. and recover d mod ord(ˆp) Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 22

52 Conclusion Structure Fault Attack Use fault to compute cryptographic functions in weaker finite fields Perturbation of public elements Different algebraic structure targeted Consequence Protection of public key elements and also the algebraic structure Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 23

53 Thank you! Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 24

54 References I A. Berzati, C. Canovas, J-G. Dumas, and L. Goubin. Fault Attacks on RSA Public Keys: Left-To-Right Implementations are also Vulnerable. In M. Fischlin, editor, RSA Cryptographer s Track (CT-RSA 2009), volume 5473 of Lecture Notes in Computer Science, pages Springer, E. Brier, B. Chevallier-Mames, M. Ciet, and C. Clavier. Why One Should Also Secure RSA Public Key Elements. In L. Goubin and M. Matsui, editors, Cryptographic Hardware and Embedded Systems (CHES 2006), volume 4249 of Lecture Notes in Computer Science, pages Springer-Verlag, I. Biehl, B. Meyer, and V. Müller. Differential Fault Attacks on Ellitic Curve Cryptosystems. In M. Bellare, editor, Advances in Cryptology (CRYPTO 2000), volume 1880 of Lecture Notes in Computer Science, pages Springer-Verlag, J. Blömer, M. Otto, and J-P. Seifert. Sign Change Fault Attacks on Elliptic Curve Cryptosystems. In L. Breveglieri, I. Koren, D. Naccache, and J-P. Seifert, editors, Fault Diagnosis and Tolerance in Cryptography, volume 4236 of Lecture Notes in Computer Science, pages Springer-Verlag, M. Ciet and M. Joye. Elliptic Curve Cryptosystems in the presence of permanent and transient faults. Designs, Codes and Cryptography, (36(1)):33 43, Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 25

55 References II P-A. Fouque, R. Lercier, D. Réal, and F. Valette. Fault attack on elliptic curve montgomery ladder implementation. In L. Breveglieri, S. Gueron, I. Koren, D. Naccache, and J-P. Seifert, editors, Fault Diagnosis and Tolerance in Cryptography (FDTC 2008), pages IEEE Computer Society, C.H. Kim, P. Bullens, C. Petit, and J-J.Quisquater. Fault Attaks on Public Key Elements: Application to DLP-Based Schemes. In S.F. Mjølsnes, S. Mauw, and S.K. Katsikas, editors, European PKI workshop Public Key Infrastructure (EuroPKI 2008), volume 5057 of Lecture Notes In Computer Science, pages Springer, Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 26

56 Biehl-Meyer-Müller Attack [BMM00] (1/2) Fault Attacks against ECDLP Placing Register Faults Random bit fault on P The fault is injected after checking that P is on the curve E(a, b) ˆP E (a, ˆb) differs from P in one bit at an unknown position If E (a, ˆb) is weak, find ˆb from ˆQ Check for all possible ˆP candidates and try to compute the D.L. to find a residue of d Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 27

57 Biehl-Meyer-Müller Attack [BMM00] (2/2) Fault Attacks against ECDLP Faults at Random moments of the Multiplication A bit-flip is induced on an internal register during the multiplication If the Right-to-Left binary method is used: ˆQ = ˆQ j + d [j..(n 1)] P (10) where Q j denotes the internal register value at the j-th step and d [j..(n 1)] the j most significant bits of d For all candidate values d [j..(n 1)], compute Q j = Q d [j..(n 1)] P (11) Then, from Q j, generate all possible faulty values Q j and test if the following equation is satisfied: In case of success a part of d is recovered Additional Fault Model Sign Change Fault Attacks [BOS06] Q j + d [j..(n 1)] P = ˆQ (12) Fault Attacks on Public Keys - Cécile Canovas and Alexandre Berzati 28