Cryptographic Insecurity of the Test - PowerPoint PPT Presentation

Description: Cryptographic Insecurity of the Test&Repeat Paradigm. Tomáš Rosa. PowerPoint PPT presentation.

1
Cryptographic Insecurity of the Test&Repeat
Paradigm
  • Tomáš Rosa, trosa_at_ebanka.cz
  • eBanka, a.s.
  • Charles University, Prague
  • Czech Technical University in Prague

2
Embedded Systems Do
  • control flow monitoring to enforce safety
    policy
  • HW monitoring for highest security
  • runtime validation of programs' data properties

3
Test&Repeat Paradigm
  • We try to formally study what a designer
    would probably do naturally if asked to develop a
    module that
  • prevents the propagation of faulty results;
  • ensures a certain level of robustness, i.e. mainly
    fault tolerance.

4
DSAWIV
  • Let DSAWIV stand for a Digital Signature
    Algorithm With an Implicit Verification.
  • In the paper, we also use the term TARed DSA.

5
DSA
  1. let i ← 1
  2. let k ←_R ⟨1, q − 1⟩
  3. compute r = (g^k mod p) mod q
  4. compute s = (h(m) + xr)k⁻¹ mod q
  5. if r = 0 or s = 0 then go to 2

[Diagram: h(m) and the private key enter the signing transformation, parameterised by p, q, g; the output is (r, s).]
6
With an Implicit Verification
  1. let i ← 1
  2. let k ←_R ⟨1, q − 1⟩
  3. compute r = (g^k mod p) mod q
  4. compute s = (h(m) + xr)k⁻¹ mod q
  5. if r = 0 or s = 0 then go to 2
  6. compute u = h(m)s⁻¹ mod q
  7. compute v = rs⁻¹ mod q
  8. compute w = (g^u y^v mod p) mod q
  9. if w = r then return (r, s)
  10. if i > Bound then return FAILURE
  11. go to 2

[Diagram: h(m) and the private key enter the signing transformation (parameters p, q, g); its output (h(m), r, s) is passed to the verifying transformation (parameters p, q, g, public key), which releases (r, s) or reports FAILED.]
7
Obvious Properties of DSAWIV
  • No faulty signature can leave the cryptographic
    module.
  • This could indicate security.
  • It tolerates transient faults by repeating the
    computation several times.
  • This could indicate robustness.

8
Central Questions
  • Shall we rely on the properties of DSAWIV and
    believe that it really is a secure implementation
    of DSA?
  • Does the Test&Repeat paradigm create a secure
    cryptosystem here?

9
Fault Attack on the DSAWIV
  • The work of Nguyen & Shparlinski done in
    1999-2002 serves as a platform for our attack.
  • In our approach, we build on a slightly
    generalized idea of the work of N-S.
  • We generalize an individual bit leakage into an
    individual d-ary digit leakage.

10
Useful Operator
  • Let z ∈ ℤ and q ∈ ℕ.
  • We define |z|_q = min_{c ∈ ℤ} |z − cq|.
  • Notes
  • |z|_q = min{z mod q, q − (z mod q)}
  • if z ≡ y (mod q) then |z|_q = |y|_q

11
Generalized N-S Method
  • Let a = k mod d, where d ∈ ℕ, gcd(d, q) = 1.
  • The value of a represents the least significant
    d-ary digit of the nonce k = a + b₁d + b₂d² + …
    = a + bd.
  • Note xr + h(m) ≡ s(a + bd) (mod q), 0 ≤ b ≤ q/d.
  • Then, the values of (t, u) defined as
  • t = rs⁻¹d⁻¹ mod q,
  • u = (a − h(m)s⁻¹)d⁻¹ mod q + q/(2d),
  • are an approximation of the private key x
    satisfying
  • |xt − u|_q ≤ q/(2d).
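
The operator of slide 10 and the (t, u) construction above, checked numerically on a constructed toy instance. This is an added Python example, not code from the slides or the paper: the modulus q = 7919, the digit base d, the seeds and all key material are constructed values, and r is drawn at random rather than computed from g, because only the modular relation s = (h(m) + xr)k⁻¹ between r, s, k and x enters the bound. The check runs for any d with gcd(d, q) = 1, not just the d = 2 bit-leakage case of N-S.

```python
from fractions import Fraction
import random


def centered_residue(z, q):
    """|z|_q = min over c in Z of |z - c*q| (slide 10), via the closed form
    min{z mod q, q - (z mod q)}. z may be an int or a Fraction."""
    zmod = z % q                      # lies in [0, q)
    return min(zmod, q - zmod)


def ns_approximation(q, d, r, s, hm, a):
    """The pair (t, u) of slide 11 for a signature (r, s) on h(m) = hm whose nonce
    has least significant d-ary digit a = k mod d. u is rational because of the
    + q/(2d) shift that centres the unknown b in [-q/(2d), q/(2d)]."""
    s_inv, d_inv = pow(s, -1, q), pow(d, -1, q)      # d_inv exists since gcd(d, q) = 1
    t = r * s_inv * d_inv % q
    u = Fraction((a - hm * s_inv) * d_inv % q) + Fraction(q, 2 * d)
    return t, u


def toy_signature(q, seed):
    """Constructed toy relation s = (h(m) + x*r) k^-1 mod q with random x, k, r, h(m).
    r is not derived from g: only the algebra between r, s, k and x matters here."""
    rng = random.Random(seed)
    while True:
        x = rng.randrange(1, q)       # private key
        k = rng.randrange(1, q)       # nonce
        r = rng.randrange(1, q)
        hm = rng.randrange(q)
        s = (hm + x * r) * pow(k, -1, q) % q
        if s != 0:
            return x, k, r, s, hm


def bound_check(q=7919, d=7, seed=3):
    """Return (|xt - u|_q, q/(2d)). Slide 11 states the first never exceeds the
    second when a really is k mod d: xt - u = b - q/(2d) (mod q) with 0 <= b < q/d."""
    x, k, r, s, hm = toy_signature(q, seed)
    t, u = ns_approximation(q, d, r, s, hm, k % d)
    return centered_residue(x * t - u, q), Fraction(q, 2 * d)


if __name__ == "__main__":
    dist, limit = bound_check()
    print(dist, "<=", limit, dist <= limit)
```

The reason the bound holds is visible in the algebra: xt − (a − h(m)s⁻¹)d⁻¹ ≡ (k − a)d⁻¹ = b (mod q), so subtracting q/(2d) moves b from [0, q/d) into an interval of half-width q/(2d) around zero. Knowing the wrong digit a breaks the identity and the residue is then typically far outside the bound.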

12
Diophantine Solution
  • Let us have collected N pairs (tᵢ, uᵢ), i = 1, …, N.
  • We then solve the Approximate Closest Vector
    Problem for the (N+1)-dimensional full-rank
    lattice Λ(q, d, t₁, …, t_N) and the rational
    vector u = (u₁, …, u_N, 0).
  • Let the resulting vector be denoted as v, v ∈
    Λ(q, d, t₁, …, t_N).

13
Diophantine Solution
  • For an appropriate N, it is probable that the
    private key x satisfies
  • x = 2d·v_{N+1} mod q.
  • A rule of thumb: the appropriate N shall satisfy
    d^N ≫ q.

14
Back to the Attack Now
  • How to gain the least significant d-ary digits
    for the HNP input approximation?
  • What does it have in common with the general
    properties of the DSAWIV?

15
Gaining the Side Information
  • We study the effect of public parameter
    substitution on the signing phase.
  • Traditionally, little attention is paid to the
    integrity of g.

[Diagram: as on slide 6, but a second set of parameters p, q, g (the substituted ones) enters the signing transformation; the verifying transformation releases (r, s) or reports FAILED.]
16
Once Upon a Time
  • there was an insufficient integrity check in the
    OpenPGP platform allowing an attacker to carry out
    the following fault attack
  • (it was the year 2001)

17
Normal Operation
[Diagram: the encrypted private key is decrypted to the private key, which is used for signing a message; the output is the digital signature.]
18
Under Attack
[Diagram: the stored encrypted private key, together with its public key and parameters, is replaced by a modified copy; the decrypted private key signs the message as usual, and the resulting digital signature is released to the attacker.]
19
Therefore
  • the effect of public parameter substitution
    shall be carefully considered when designing and
    evaluating cryptographic modules

20
On the Generator g
  • Let d | p − 1. We find ζ ∈ ℤₚ*, ord(ζ) = d.
  • We then set g' = gζ mod p.
  • Every signature (r, s) released by the DSAWIV
    after such a change satisfies
  • r = (g^k ζ^k mod p) mod q = (g^k mod p) mod q.
  • Therefore, k ≡ 0 (mod d) with probability ≈ 1.
    So, we use a = 0 for every (r, s).

21
Connections with DSAWIV
  • For every h(m), there is a value of the nonce k
    such that a signature (r, s) made using a
    substituted value of g is valid.
  • If k ←_R ⟨1, q − 1⟩ then we get it with
    probability ≈ 1/d.
  • When d is chosen small enough, the DSAWIV
    almost never returns FAILURE.
  • But the correct signatures then open an
    ultimate side channel.

22
Experimental Results
  • Condition for the divisor being searched: d <
    512, preferably d ≤ 12. Channels with d < 8 are
    marked as weak.
23
Conclusion
  • The DSAWIV is not universally resistant to fault
    attacks.
  • Some attacks can merely become hidden.
  • Some can even be accelerated.
  • The Test&Repeat paradigm did not help to protect
    the scheme.
  • Actually, it weakened it in a certain way.

24
Remedy
  • Despite looking like a promising approach, the
    Test&Repeat paradigm shall be used with care.
  • We shall check for the attacks that pass undetected,
    or which are even directly enabled and accelerated
    by this countermeasure.
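
As an added example (Python; not code from the slides, the paper or any product), the Test&Repeat signing loop of slide 6 combined with the kind of parameter-integrity check that slides 19 and 24 call for. The check itself is the standard DSA domain-parameter validation, that g has order exactly q in ℤₚ* (1 < g < p and g^q ≡ 1 mod p); it is an assumption of this example, not a proposal from the slides. The substituted generator g' = gζ of slide 20 is constructed here only as the negative test case for that check: because gcd(d, q) = 1, (gζ)^q = ζ^q ≠ 1 mod p, so a module that validates g before signing never enters the loop with it. Parameter sizes, seeds, the Bound value and the message are constructed toy values, far too small for real use.

```python
import hashlib
import random
from math import gcd


def is_probable_prime(n, rounds=24):
    """Miller-Rabin with a fixed seed; adequate for the toy-sized numbers used here."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_params(qbits=40, seed=7):
    """Constructed toy domain parameters: q prime, p = c*q + 1 prime, ord(g) = q."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if not is_probable_prime(q):
            continue
        for c in range(2, 4000, 2):                    # even c keeps p odd
            p = c * q + 1
            if is_probable_prime(p):
                h = 2
                while pow(h, (p - 1) // q, p) == 1:
                    h += 1
                return p, q, pow(h, (p - 1) // q, p)


def params_ok(p, q, g):
    """Assumed domain-parameter integrity check (standard DSA validation, not from
    the slides): p, q prime, q | p-1, 1 < g < p and g^q = 1 mod p, i.e. ord(g) = q."""
    return (is_probable_prime(p) and is_probable_prime(q) and (p - 1) % q == 0
            and 1 < g < p and pow(g, q, p) == 1)


def h_mod_q(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def dsawiv_sign(p, q, g, x, msg, rng, bound=8):
    """DSA with implicit verification (slide 6): sign, verify internally, repeat on
    a mismatch, and return None (FAILURE) after `bound` attempts. The parameter
    check runs first, so a substituted g never reaches the Test&Repeat loop."""
    if not params_ok(p, q, g):
        raise ValueError("domain parameters failed integrity check")
    y, hm = pow(g, x, p), h_mod_q(msg, q)
    for _ in range(bound):                             # i = 1 .. Bound
        k = rng.randrange(1, q)                        # k <-R <1, q-1>
        r = pow(g, k, p) % q
        s = (hm + x * r) * pow(k, -1, q) % q
        if r == 0 or s == 0:
            continue
        s_inv = pow(s, -1, q)
        w = (pow(g, hm * s_inv % q, p) * pow(y, r * s_inv % q, p) % p) % q
        if w == r:                                     # implicit verification passed
            return (r, s)
    return None


def substituted_generator(p, q, g, d):
    """g' = g*zeta with ord(zeta) = d for a prime d | p-1, gcd(d, q) = 1 (slide 20),
    constructed only as the negative test case for params_ok."""
    assert d > 1 and (p - 1) % d == 0 and gcd(d, q) == 1 and is_probable_prime(d)
    h = 2
    while pow(h, (p - 1) // d, p) == 1:
        h += 1
    return g * pow(h, (p - 1) // d, p) % p


def demo():
    """(signature produced with honest g, honest g accepted, substituted g rejected)."""
    p, q, g = toy_params()
    rng = random.Random(42)
    x = rng.randrange(1, q)
    sig = dsawiv_sign(p, q, g, x, b"constructed message", rng)
    g_bad = substituted_generator(p, q, g, 2)          # d = 2 divides p - 1 = c*q
    return sig is not None, params_ok(p, q, g), params_ok(p, q, g_bad)


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The point of putting the check in front of the loop rather than relying on the implicit verification is exactly the slides' observation: the internal verification uses the same substituted g as the signing step, so it accepts the leaky signatures and the Test&Repeat loop hides the fault instead of catching it. Checking ord(g) = q tests a property the substitution cannot preserve.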