on their mathematical vulnerabilities and weaknesses. Recently, a new technique called Side Channel attacks has gained pace. These attacks involve detailed analysis of hardware or software inputs like cache accesses, voltage levels, timing information, processor utilization etc. Side channel attacks can be cache based, timing based or Lattice based. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 3 / 34
prime number of between 512 to 1024 bits q : a large prime divisor of p of approximately 160 bits g : h(p−1)/a mod p, where h is any integer with 1 < h < (p-1) such that h(p−1)/a mod p > 1 Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 4 / 34
and Nonces User’s Private Key x : Field element with 0 < x < q User’s Public Key y : gx mod p Per Message Nonce(ephemeral key) k : random integer with 0 < k < q Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 5 / 34
= (gk mod p) mod q s = [k−1(H(M) + xr)] mod q Signature = (r, s), M = message to be signed, H : A cryptographic Hash Function Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 6 / 34
= (s )−1 mod q u1 = [H(M )w] mod q u2 = (r’w) mod q v = [(gu1 gu2 ) mod p] mod q TEST : v = r’, where M’, r’, s’ = received versions of M, r, s Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 7 / 34
Channel Attack on DSA Lattice based attacks require that some partial information about the ephemeral keys involved be available beforehand to launch an attack. This partial information can be obtained by an initial cache based analysis. From here on, we’ll assume that this initial information is given to us. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 8 / 34
key is chosen at random and a number of pairs of ephemeral keys, messages and their corresponding signatures are generated. As an alternative, a pool of nonce, signatures pairs is generated beforehand and all the iterations are carried out using randomly picked keys from the pool itself rather than being randomly generated each time. The messages that are to be signed are also randomly generated each time. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 9 / 34
nonce(or the ephemeral key) and a generated signature, it is assumed that some bits of the nonce are known. Finally, these things are used to launch the lattice attack on the system. If the key obtained from the attack matches the permanent key, then the attack is successful, otherwise unsuccessful. This entire process is done several many times. We call this the number of iterations. In one part of the experiments, errors are deliberately introduced to check the robustness and the reliability of the attack in a realistic world. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 10 / 34
that are generated to recover the private key of the victim. We’ll frequently refer to it as the number of keys. The number of bits of each nonce that should be known beforehand to launch the lattice attack. In the ﬁrst part of the experiment, this is kept constant over all nonce, signature pairs. In the second part, it is slightly varied. Number of maximum incorrect bits known out of the total bits known in each ephemeral key. Number of ephemeral keys in which the known bits have errors Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 11 / 34
the number of known bits is slightly varied over all the nonces. For some experiments, a pool of nonce, signature pairs are randomly generated beforehand. For each iteration then, the required number of pairs are randomly picked from the pool. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 12 / 34
we would expect that higher the number of nonce, signature pairs higher the accuracy. The experiments show that it is only partly true. As we increase the number of pairs, the accuracy indeed increases but only to a certain local maxima. Thus, for best accuracy the number of signatured messages to be analysed should be just right, not too high, not too less. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 13 / 34
nonce Expected Behaviour Intuitively, we expect that more the number of known bits we have, the better accuracy we get. After all, if we have more information, it should be easier to carry out the lattice attack. The results conform with this. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 15 / 34
nonce : Contd The number of nonce, signature pairs are 400 in the second graph and only 20 in the ﬁrst graph. The graph however reﬂects the same behaviour in both the plots. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 18 / 34
Behaviour We expect the accuracy to decrease when inaccuracy in known bits of the ephemeral keys increases. However, the experiments show a strange small deviation from the expected behaviour. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 19 / 34
Contd Even if 1 bit of error is introduced, accuracy falls very sharply. Then further on, it decreases as inaccuracy increases. There is an unmistakable slight increase in accuracy as the number of incorrect bits increases. This can be seen in all of the above 3 plots. This is a slight deviation from the expected behaviour. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 23 / 34
Behaviour We expect the accuracy to dip when number of keys for which we have incorrect partial information increases. After all, the imprecision is increasing. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 24 / 34
Contd Figure 7 : Accuracy vs Number of Inaccurately known Keys Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 25 / 34
Contd Figure 8 : Accuracy vs Number of Inaccurately known Keys Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 26 / 34
Contd Figure 9 : Accuracy vs Number of Inaccurately known Keys Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 27 / 34
Contd In all of the above 3 graphs there is a dip in the graph very near to the y-axis. It appears as if one data point is out of place in these graphs. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 28 / 34
known bits constant The graph below plots accuracy vs Number of pairs. As expected the accuracy increases as the number of pairs increases. There is no visible change in the results because of varying the number of known bits across signatures. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 29 / 34
known bits constant : Contd Figure 10 : Accuracy vs Number of Pairs Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 30 / 34
a pool of messages The graphs show a similar patter here, when they were randomly picked each time. The following graph plots accuracy vs the Number of signed messages that need to be analysed. The messages are randomly picked from a precomputed pool of signatures. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 31 / 34
a pool of messages : Contd Figure 11 : Accuracy vs Number of Pairs Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 32 / 34
aid a lattice based attack on the DSA algorithm. The experiment results are satisfying. We have observed some very peculiar behaviour especially in the context of the number of signed messages to be analysed and the maximum number of incorrect bits known in a nonce. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 33 / 34