B.Tech. Project Presentation

Transcript

1. Lattice Based Attacks on Cryptographic Algorithms : Some Experiments Vipul

   Harsh IIT Bombay, India Advisor : Prof. Bernard Menezes Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 1 / 34

2. Outline 1 Introduction 2 Digital Signature Algorithm 3 Lattice Based

   Side Channel Attack on DSA 4 Experiments 5 Experiment Parameters 6 Experiments 7 Conclusion Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 2 / 34

3. Introduction Side Channel Attacks Classically attacks on cryptosystems were based

   on their mathematical vulnerabilities and weaknesses. Recently, a new technique called Side Channel attacks has gained pace. These attacks involve detailed analysis of hardware or software inputs like cache accesses, voltage levels, timing information, processor utilization etc. Side channel attacks can be cache based, timing based or Lattice based. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 3 / 34

4. Digital Signature Algorithm Digital Signature Algorithm p : a large

   prime number of between 512 to 1024 bits q : a large prime divisor of p of approximately 160 bits g : h(p−1)/a mod p, where h is any integer with 1 < h < (p-1) such that h(p−1)/a mod p > 1 Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 4 / 34

5. Digital Signature Algorithm Digital Signature Algorithm : Private, Public Keys

   and Nonces User’s Private Key x : Field element with 0 < x < q User’s Public Key y : gx mod p Per Message Nonce(ephemeral key) k : random integer with 0 < k < q Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 5 / 34

6. Digital Signature Algorithm Digital Signature Algorithm : Signature Generation r

   = (gk mod p) mod q s = [k−1(H(M) + xr)] mod q Signature = (r, s), M = message to be signed, H : A cryptographic Hash Function Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 6 / 34

7. Digital Signature Algorithm Digital Signature Algorithm : Signature Verification w

   = (s )−1 mod q u1 = [H(M )w] mod q u2 = (r’w) mod q v = [(gu1 gu2 ) mod p] mod q TEST : v = r’, where M’, r’, s’ = received versions of M, r, s Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 7 / 34

8. Lattice Based Side Channel Attack on DSA Lattice Based Side

   Channel Attack on DSA Lattice based attacks require that some partial information about the ephemeral keys involved be available beforehand to launch an attack. This partial information can be obtained by an initial cache based analysis. From here on, we’ll assume that this initial information is given to us. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 8 / 34

9. Experiments Experiment Details For each lattice attack, the user’s private

   key is chosen at random and a number of pairs of ephemeral keys, messages and their corresponding signatures are generated. As an alternative, a pool of nonce, signatures pairs is generated beforehand and all the iterations are carried out using randomly picked keys from the pool itself rather than being randomly generated each time. The messages that are to be signed are also randomly generated each time. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 9 / 34

10. Experiments Experiment Details : continued In each pair of a

    nonce(or the ephemeral key) and a generated signature, it is assumed that some bits of the nonce are known. Finally, these things are used to launch the lattice attack on the system. If the key obtained from the attack matches the permanent key, then the attack is successful, otherwise unsuccessful. This entire process is done several many times. We call this the number of iterations. In one part of the experiments, errors are deliberately introduced to check the robustness and the reliability of the attack in a realistic world. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 10 / 34

11. Experiment Parameters Experiment Parameters The number of nonce, signature pairs

    that are generated to recover the private key of the victim. We’ll frequently refer to it as the number of keys. The number of bits of each nonce that should be known beforehand to launch the lattice attack. In the first part of the experiment, this is kept constant over all nonce, signature pairs. In the second part, it is slightly varied. Number of maximum incorrect bits known out of the total bits known in each ephemeral key. Number of ephemeral keys in which the known bits have errors Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 11 / 34

12. Experiment Parameters Experiment Parameters : Other Variations For some experiments,

    the number of known bits is slightly varied over all the nonces. For some experiments, a pool of nonce, signature pairs are randomly generated beforehand. For each iteration then, the required number of pairs are randomly picked from the pool. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 12 / 34

13. Experiments Experiments : Varying Number of Nonce, Signature Pairs Normally

    we would expect that higher the number of nonce, signature pairs higher the accuracy. The experiments show that it is only partly true. As we increase the number of pairs, the accuracy indeed increases but only to a certain local maxima. Thus, for best accuracy the number of signatured messages to be analysed should be just right, not too high, not too less. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 13 / 34

14. Experiments Experiments : Varying Number of Nonce, Signature Pairs :

    Contd Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 14 / 34

15. Experiments Experiments : Varying Number of Known bits in each

    nonce Expected Behaviour Intuitively, we expect that more the number of known bits we have, the better accuracy we get. After all, if we have more information, it should be easier to carry out the lattice attack. The results conform with this. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 15 / 34

16. Experiments Experiments : Varying Number of Known bits in each

    nonce : Contd Figure 2 : Accuracy vs Number of KnownBits(without errors) Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 16 / 34

17. Experiments Experiments : Varying Number of Known bits in each

    nonce : Contd Figure 3 : Accuracy vs Number of KnownBits(without errors) Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 17 / 34

18. Experiments Experiments : Varying Number of Known bits in each

    nonce : Contd The number of nonce, signature pairs are 400 in the second graph and only 20 in the first graph. The graph however reflects the same behaviour in both the plots. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 18 / 34

19. Experiments Experiments : Varying Number of max incorrect bits Expected

    Behaviour We expect the accuracy to decrease when inaccuracy in known bits of the ephemeral keys increases. However, the experiments show a strange small deviation from the expected behaviour. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 19 / 34

20. Experiments Experiments : Varying Number of max incorrect bits :

    Contd Figure 4 : Accuracy vs Number of Incorrect Bits Known Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 20 / 34

21. Experiments Experiments : Varying Number of max incorrect bits :

    Contd Figure 5 : Accuracy vs Number of Incorrect Bits Known Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 21 / 34

22. Experiments Experiments : Varying Number of max incorrect bits :

    Contd Figure 6 : Accuracy vs Number of Incorrect Bits Known Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 22 / 34

23. Experiments Experiments : Varying Number of max incorrect bits :

    Contd Even if 1 bit of error is introduced, accuracy falls very sharply. Then further on, it decreases as inaccuracy increases. There is an unmistakable slight increase in accuracy as the number of incorrect bits increases. This can be seen in all of the above 3 plots. This is a slight deviation from the expected behaviour. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 23 / 34

24. Experiments Experiments : Varying Number of Inaccurately known nonces Expected

    Behaviour We expect the accuracy to dip when number of keys for which we have incorrect partial information increases. After all, the imprecision is increasing. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 24 / 34

25. Experiments Experiments : Varying Number of Inaccurately known nonces :

    Contd Figure 7 : Accuracy vs Number of Inaccurately known Keys Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 25 / 34

26. Experiments Experiments : Varying Number of Inaccurately known nonces :

    Contd Figure 8 : Accuracy vs Number of Inaccurately known Keys Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 26 / 34

27. Experiments Experiments : Varying Number of Inaccurately known nonces :

    Contd Figure 9 : Accuracy vs Number of Inaccurately known Keys Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 27 / 34

28. Experiments Experiments : Varying Number of Inaccurately known nonces :

    Contd In all of the above 3 graphs there is a dip in the graph very near to the y-axis. It appears as if one data point is out of place in these graphs. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 28 / 34

29. Experiments Experiments : Effects of not keeping the number of

    known bits constant The graph below plots accuracy vs Number of pairs. As expected the accuracy increases as the number of pairs increases. There is no visible change in the results because of varying the number of known bits across signatures. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 29 / 34

30. Experiments Experiments : Effects of not keeping the number of

    known bits constant : Contd Figure 10 : Accuracy vs Number of Pairs Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 30 / 34

31. Experiments Experiments : Effects of Picking random signed messages from

    a pool of messages The graphs show a similar patter here, when they were randomly picked each time. The following graph plots accuracy vs the Number of signed messages that need to be analysed. The messages are randomly picked from a precomputed pool of signatures. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 31 / 34

32. Experiments Experiments : Effects of Picking random signed messages from

    a pool of messages : Contd Figure 11 : Accuracy vs Number of Pairs Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 32 / 34

33. Conclusion Conclusion I have presented a series of experiments to

    aid a lattice based attack on the DSA algorithm. The experiment results are satisfying. We have observed some very peculiar behaviour especially in the context of the number of signed messages to be analysed and the maximum number of incorrect bits known in a nonce. Vipul Harsh (IIT Bombay, India) BTP Presentation Advisor : Prof. Bernard Menezes 33 / 34

34. Conclusion Thank you! Vipul Harsh (IIT Bombay, India) BTP Presentation

    Advisor : Prof. Bernard Menezes 34 / 34