Security and Protection of Information 2005
DSAWIV
• Let DSAWIV stand for a Digital Signature Algorithm With an Implicit Verification.
DSA…
1. let i = 1
2. let $k \in_R \langle 1, q - 1 \rangle$
3. compute $r = (g^k \bmod p) \bmod q$
4. compute $s = (h(m) + xr)\,k^{-1} \bmod q$
5. if r = 0 or s = 0 then go to 2
6. …

[Figure: the signing transformation takes h(m), the public parameters p, q, g and the private key, and outputs (r, s).]
…With an Implicit Verification
1. let i = 1
2. let $k \in_R \langle 1, q - 1 \rangle$
3. compute $r = (g^k \bmod p) \bmod q$
4. compute $s = (h(m) + xr)\,k^{-1} \bmod q$
5. if r = 0 or s = 0 then go to 2
6. compute $u = h(m)\,s^{-1} \bmod q$
7. compute $v = r\,s^{-1} \bmod q$
8. compute $w = (g^u y^v \bmod p) \bmod q$
9. if w = r then return (r, s)
10. if ++i > Bound then return FAILURE
11. go to 2

[Figure: the signing transformation (p, q, g, private key) produces h(m), r, s; the built-in verifying transformation (p, q, g, public key) checks them before (r, s) is released or FAILED is reported.]
DSAWIV vs. Fault Attacks
• It looks like a robust universal countermeasure against fault attacks.
• It could be so if we were talking, for instance, about RSA according to PKCS-1-v1_5.
• However, it is neither robust nor universal, since there are realistic attacks passing undetected.
• They can become even more hidden and accelerated instead…
Fault Attack Cracking the DSAWIV
• The work of Nguyen & Shparlinski done in 1999–2002 serves as a platform for our attack.
• Our approach builds on a slightly generalized form of the N-S idea.
• We generalize an individual bit leakage into an individual modular digit leakage.
Generalized N-S Method
• Let $a = k \bmod d$, where d is a positive integer with $\gcd(d, q) = 1$.
• The value of a represents the least significant d-modular digit of k.
• Then the values (t, u) defined as
  $t = r\,s^{-1} d^{-1} \bmod q$,
  $u = \big[(a - h(m)\,s^{-1})\,d^{-1}\big] \bmod q + q/(2d)$,
  are an approximation of the private key x (also called a hidden number here) satisfying
  $|xt - u|_q \le q/(2d)$, where $|z|_q = \min\{\, z \bmod q,\; q - (z \bmod q) \,\}$.
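Why (t, u) bounds the hidden number, as an added derivation that is not on the original slide; it uses only the slide's symbols and writes the nonce as $k = a + d\,k'$ with $0 \le k' < q/d$:

\[
s \equiv (h(m) + xr)\,k^{-1} \pmod q
\;\Longrightarrow\;
a + d\,k' \equiv h(m)\,s^{-1} + x\,r s^{-1} \pmod q
\;\Longrightarrow\;
k' \equiv x\,\underbrace{r s^{-1} d^{-1}}_{t} \;-\; \underbrace{(a - h(m)\,s^{-1})\,d^{-1}}_{u - q/(2d)} \pmod q .
\]

Hence $xt - u \equiv k' - q/(2d) \pmod q$, and because $0 \le k' < q/d$ the right-hand side lies in $[-q/(2d),\, q/(2d)]$, which is exactly $|xt - u|_q \le q/(2d)$. The shift by $q/(2d)$ only centres the one-sided error of $k'$ so that the CVP target sits in the middle of the admissible interval.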
Solving the Approximations
• We have to solve the Hidden Number Problem.
• We use the "Standard HNP to CVP" approach.
• Let us have collected N pairs $(t_i, u_i)$.
• We then solve the Closest Vector Problem for the (N+1)-dimensional full-rank lattice $L(q, d, t_1, \dots, t_N)$ and the rational vector $u = (u_1, \dots, u_N, 0)$.
• Let the resulting vector be denoted as v, $v \in L(q, d, t_1, \dots, t_N)$.
• For an appropriate N, it is probable that the private key x can be computed as $x = 2d\,v_{N+1} \bmod q$.
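The HNP-to-CVP step above as an added, runnable example; this is not the authors' code. It assumes the standard Nguyen–Shparlinski basis for $L(q, d, t_1, \dots, t_N)$, namely the rows $q\,e_i$ and $(t_1, \dots, t_N, 1/(2d))$, reduces it with an exact-rational LLL written in plain Python and uses Babai's nearest-plane algorithm as the CVP solver, then reads the key off as $x = 2d\,v_{N+1} \bmod q$. The signature samples are constructed from the DSA signing equation $s = (h + xr)\,k^{-1} \bmod q$ alone (r is drawn at random, because the lattice step never uses that r came from $g^k$); the leaked digit $a_i = k_i \bmod d$ is taken as known for arbitrary $a_i$, which is the general method, whereas the g' attack later in the deck always has $a_i = 0$. The values $q = 2^{31} - 1$ and $d = 64$ are toy choices so that the reduction finishes quickly; the experiments in the deck used a 160-bit q with d = 12–22.

```python
"""Solving the HNP approximations (t_i, u_i) by lattice reduction: recover the DSA
private key x from N signatures whose least significant d-modular digit a_i = k_i mod d
is known. Added example, not the authors' code; Q and D are toy sizes (assumption)."""
import random
from fractions import Fraction

Q = 2**31 - 1   # Mersenne prime standing in for the 160-bit DSA q (assumed toy size)
D = 64          # modulus of the leaked digit; gcd(D, Q) = 1 (assumed, see lead-in)


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def gram_schmidt(B, Bs, mu, norms, start):
    """Recompute Gram-Schmidt vectors/coefficients for rows start.. (earlier rows unchanged)."""
    for i in range(start, len(B)):
        v = list(B[i])
        for j in range(i):
            mu[i][j] = dot(B[i], Bs[j]) / norms[j]
            v = [a - mu[i][j] * b for a, b in zip(v, Bs[j])]
        Bs[i], norms[i] = v, dot(v, v)


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL over exact rationals; slow but dependable at this dimension."""
    B = [[Fraction(x) for x in row] for row in basis]
    n = len(B)
    Bs, norms = [None] * n, [None] * n
    mu = [[Fraction(0)] * n for _ in range(n)]
    gram_schmidt(B, Bs, mu, norms, 0)
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):                  # size-reduce row k
            c = round(mu[k][j])
            if c:
                B[k] = [a - c * b for a, b in zip(B[k], B[j])]
                mu[k][j] -= c
                for l in range(j):
                    mu[k][l] -= c * mu[j][l]
        if norms[k] >= (delta - mu[k][k - 1] ** 2) * norms[k - 1]:
            k += 1                                      # Lovasz condition holds
        else:
            B[k - 1], B[k] = B[k], B[k - 1]             # swap and recompute from row k-1
            gram_schmidt(B, Bs, mu, norms, k - 1)
            k = max(k - 1, 1)
    return B


def babai_nearest_plane(B, target):
    """Approximate CVP: a lattice vector of L(B) close to target, B being LLL-reduced."""
    n = len(B)
    Bs, norms = [None] * n, [None] * n
    mu = [[Fraction(0)] * n for _ in range(n)]
    gram_schmidt(B, Bs, mu, norms, 0)
    w = [Fraction(x) for x in target]
    for i in range(n - 1, -1, -1):
        c = round(dot(w, Bs[i]) / norms[i])
        w = [a - c * b for a, b in zip(w, B[i])]
    return [t - r for t, r in zip(target, w)]          # target minus residual


def hnp_pairs(sigs, q, d):
    """(t, u) of the Generalized N-S Method; sigs holds (h, r, s, a) with a = k mod d."""
    d_inv, pairs = pow(d, -1, q), []
    for h, r, s, a in sigs:
        s_inv = pow(s, -1, q)
        t = r * s_inv * d_inv % q
        u = (a - h * s_inv) * d_inv % q + Fraction(q, 2 * d)
        pairs.append((t, u))
    return pairs


def recover_key(sigs, q, d):
    """Standard HNP-to-CVP: basis rows q*e_i and (t_1..t_N, 1/(2d)) (assumed form of
    L(q, d, t_1..t_N)), target (u_1..u_N, 0), then x = 2d * v_{N+1} mod q."""
    pairs = hnp_pairs(sigs, q, d)
    n = len(pairs)
    basis = [[q if i == j else 0 for j in range(n + 1)] for i in range(n)]
    basis.append([t for t, _ in pairs] + [Fraction(1, 2 * d)])
    target = [u for _, u in pairs] + [0]
    v = babai_nearest_plane(lll(basis), target)
    return int(2 * d * v[n]) % q


def make_samples(rng, q, d, x, n):
    """Constructed signatures from s = (h + x r) k^-1 mod q with k mod d known to the
    attacker; r is random because the lattice never uses that r came from g^k."""
    sigs = []
    while len(sigs) < n:
        h, r, k = (rng.randrange(1, q) for _ in range(3))
        s = (h + x * r) * pow(k, -1, q) % q
        if s:
            sigs.append((h, r, s, k % d))
    return sigs


def demo(seed=1, n_sigs=10):
    """Returns (true private key, key recovered from n_sigs leaky signatures)."""
    rng = random.Random(seed)
    x = rng.randrange(1, Q)
    return x, recover_key(make_samples(rng, Q, D, x, n_sigs), Q, D)


if __name__ == "__main__":
    x, found = demo()
    print(f"private key {x}, recovered {found}, success={x == found}")
```

With d = 64 every accepted signature pins down six bits of k, so ten signatures over-determine a 31-bit q by a wide margin; the deck's d = 12–22 on a 160-bit q needed 46–70 accepted signatures, and the required N grows as $\log q / \log(2d)$ plus a safety margin.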
But Back to the Attack Now
• We have two basic questions to solve:
1. How to gain the least significant modular digits for the HNP input approximation?
2. What does it have in common with the general properties of the DSAWIV?
Answering the Question no. 1
• We study the effect of substituting the public parameters for the signing phase.
• Traditionally, little attention is paid to the integrity of g.

[Figure: as before, but the signing transformation now runs with substituted parameters p, q, g' while the verifying transformation keeps the genuine p, q, g; the output is (r', s') or FAILED.]
On the Substituted Generator g’
• Let $d \mid p - 1$. We find an element of $\mathbb{Z}_p^*$ of order d; call it $\alpha$, $\mathrm{ord}(\alpha) = d$.
• We then set $g' = g\alpha \bmod p$.
• Every signature (r', s') made after such a change using the DSAWIV satisfies $r' = (g^k \bmod p) \bmod q = (g^k \alpha^k \bmod p) \bmod q$: the signer computed r' from $(g\alpha)^k$, while the implicit verification with the genuine g recomputes $g^{u} y^{v} = g^k$, so the check passes only when $\alpha^k = 1$.
• Therefore $k \equiv 0 \pmod d$ with probability 1. So we use a = 0 for every (r', s').
Answering the Question no. 2
• For every h(m) there is a value of the nonce k such that a signature (r', s') made using a substituted value of g' is valid.
• If $k \in_R \langle 1, q - 1 \rangle$ then we get it with probability 1/d.
• When d is chosen small enough, the DSAWIV almost never returns FAILURE.
• But the "correct" signatures will then open an ultimate side channel…
Another Substitution Scheme
• Even the generator written in the user's certificate can be faked, so that the verifying transformation uses g' as well (the public key $y = g^x$ itself is unchanged).
• We then assume $k \equiv u' \pmod d$, where $u' = h(m)\,s'^{-1} \bmod q$: the verifier computes $g'^{u'} y^{v'} = g^k \alpha^{u'}$, the signer produced r' from $g^k \alpha^k$, and the implicit check passes exactly when $\alpha^{u'} = \alpha^k$.

[Figure: both the signing and the verifying transformation now use the substituted p, q, g'; the output is (r', s') or FAILED.]
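The DSAWIV loop from the slide …With an Implicit Verification, driven through the two substitution schemes of the slides Answering the Question no. 1 to Another Substitution Scheme, as an added example; it is not the authors' code. Group parameters are generated at toy size (40-bit q with d = 12 dividing p − 1), Bound = 200 and the SHA-256 digest reduced mod q are assumptions, and the signing function hands back its nonce k only so the demo can check what the released signatures leak (a real signer never reveals k). Per scenario it counts how often FAILURE is returned, how many released signatures have the predicted residue of k mod d (0 while the verifier keeps the genuine g, $h(m)\,s'^{-1} \bmod d$ when both sides use g'), and how many nonces were drawn in total.

```python
"""DSAWIV signing under a substituted generator g' = g*alpha with ord(alpha) = d.
Added example, not the authors' code. Toy parameter sizes, BOUND and the mapping of a
digest to h(m) are assumptions; the nonce k is returned only for the demo's checks."""
import hashlib
import random

BOUND = 200   # retry limit of the implicit-verification loop (assumed value)


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin test with rng-chosen bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    m, s = n - 1, 0
    while m % 2 == 0:
        m, s = m // 2, s + 1
    for _ in range(rounds):
        z = pow(rng.randrange(2, n - 1), m, n)
        if z in (1, n - 1):
            continue
        for _ in range(s - 1):
            z = pow(z, 2, n)
            if z == n - 1:
                break
        else:
            return False
    return True


def prime_factors(n):
    out, f = set(), 2
    while f * f <= n:
        while n % f == 0:
            out.add(f)
            n //= f
        f += 1
    return out | ({n} if n > 1 else set())


def gen_params(rng, qbits, d):
    """DSA-shaped group with p - 1 = q*d*c (so q | p-1, d | p-1, gcd(d, q) = 1 since d < q),
    a generator g of order q and an element alpha of order exactly d."""
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q, rng):
            break
    while True:
        p = q * d * rng.randrange(1 << 16, 1 << 17) + 1
        if is_probable_prime(p, rng):
            break
    g = 1
    while g == 1:
        g = pow(rng.randrange(2, p - 1), (p - 1) // q, p)
    while True:
        alpha = pow(rng.randrange(2, p - 1), (p - 1) // d, p)
        if all(pow(alpha, d // f, p) != 1 for f in prime_factors(d)):
            return p, q, g, alpha


def dsawiv_sign(rng, p, q, g_sign, g_verify, x, y, h):
    """Steps 1-11 of the DSAWIV: sign with g_sign, verify with g_verify and y before
    releasing. Returns (r, s, k, attempts) or None for FAILURE."""
    for attempt in range(1, BOUND + 1):
        k = rng.randrange(1, q)
        r = pow(g_sign, k, p) % q
        s = (h + x * r) * pow(k, -1, q) % q
        if r == 0 or s == 0:
            continue
        s_inv = pow(s, -1, q)
        w = pow(g_verify, h * s_inv % q, p) * pow(y, r * s_inv % q, p) % p % q
        if w == r:
            return r, s, k, attempt
    return None


def run(seed=1, qbits=40, d=12, n_msgs=200):
    """Per scenario: (FAILUREs, released signatures whose k has the predicted residue
    mod d, nonces drawn in total). Predicted residue: 0 while the verifier keeps the
    genuine g (a mere reference value for the honest run), h*s^-1 mod q mod d otherwise."""
    rng = random.Random(seed)
    p, q, g, alpha = gen_params(rng, qbits, d)
    x = rng.randrange(1, q)
    y = pow(g, x, p)                        # public key, certified with the genuine g
    g_sub = g * alpha % p                   # the substituted generator g'
    scenarios = {"honest": (g, g), "signer sees g'": (g_sub, g), "both see g'": (g_sub, g_sub)}
    stats = {}
    for name, (g_s, g_v) in scenarios.items():
        failures = matches = drawn = 0
        for i in range(n_msgs):
            h = int.from_bytes(hashlib.sha256(b"message %d" % i).digest(), "big") % q
            out = dsawiv_sign(rng, p, q, g_s, g_v, x, y, h)
            if out is None:
                failures += 1
                drawn += BOUND
                continue
            r, s, k, attempts = out
            drawn += attempts
            predicted = 0 if g_v == g else h * pow(s, -1, q) % q % d
            matches += (k % d == predicted)
        stats[name] = (failures, matches, drawn)
    return stats


if __name__ == "__main__":
    for name, (failures, matches, drawn) in run().items():
        print(f"{name:15s} FAILURE={failures:3d}  predicted k mod d={matches:3d}/200  nonces drawn={drawn}")
```

The counts show the three regimes side by side: the honest signer never fails and has $k \equiv 0 \pmod d$ about one time in d; with g' on the signer side only, nothing fails either, the loop merely draws about d nonces per released signature (the Signatures Total column of the Experimental Results table), yet every released signature has $k \equiv 0 \pmod d$; with g' on both sides every released signature satisfies $k \equiv h(m)\,s'^{-1} \pmod d$ instead. Either way the implicit verification has turned itself into the filter that produces the HNP input.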
Experimental Results
Condition for the divisor being searched: d < 512, preferably also d ≥ 12. Channels with d < 8 are marked as weak.

Exp. No.  Divisor d  #Signatures (accepted, HNP input)  Signatures Total (all attempts)  Exp. Duration
1         12         70                                 880                              182 s
2         12         55                                 688                              66 s
3         15         61                                 923                              120 s
4         12         55                                 649                              63 s
5         2          weak channel                       N/A                              N/A
6         14         48                                 550                              44 s
7         22         46                                 912                              67 s
8         12         55                                 832                              76 s
9         2          weak channel                       N/A                              N/A
10        12         65                                 621                              118 s
Conclusion
• Another realistic fault attack on DSA.
• We also saw that the DSAWIV is neither a robust nor a universal scheme.
• Implicit verification has to be used with care.
• Some attacks can only become hidden.
• Some can even be accelerated.
• Note: DSAWIV can also occur naturally just by user activity.
• We should warn users to report any strange behaviour of their signing tools (e.g. "sometimes failing chipcard").