
Publication


Featured researches published by Ruggero Susella.


Hardware-Oriented Security and Trust | 2011

A novel fault attack against ECDSA

Alessandro Barenghi; Guido Bertoni; Andrea Palomba; Ruggero Susella

A novel fault attack against ECDSA is proposed in this work. It allows retrieving the secret signing key by injecting faults during the computation of the signature primitive. The proposed method relies on faults injected during a multiplication employed to perform the signature recombination at the end of the ECDSA signing algorithm. Exploiting the faulty signatures, it is possible to reduce the size of the group of the discrete logarithm problem warranting the security margin up to a point where it is computationally treatable. The number of faulty signatures required to perform the attack is relatively small, ranging from 4 to a few tenths. The key retrieval can be applied to any key length, like those standardised by NIST, including the ones mandated for top secret documents by NSA Suite B. The required post-processing of the obtained faulty values is practical on a common consumer-grade desktop. The procedure does not rely on any particular structure of the employed curve and may easily be extended to the regular DSA based on modular arithmetic.


IMACC 2013 Proceedings of the 14th IMA International Conference on Cryptography and Coding - Volume 8308 | 2013

On the Homomorphic Computation of Symmetric Cryptographic Primitives

Silvia Mella; Ruggero Susella

We present an analysis on the homomorphic computability of different symmetric cryptographic primitives, with the goal of understanding their characteristics with respect to homomorphic evaluation according to the BGV scheme. Specifically, we start from the framework presented by Gentry, Halevi and Smart for evaluating AES. We provide an improvement of it, then we perform a detailed evaluation on the homomorphic computation of cryptographic algorithms of different families: the Salsa20 stream cipher, the SHA-256 hash function and the Keccak sponge function. After the analysis, we report the performance results of the primitives we have implemented using the recently released HElib. In the conclusions we discuss our findings for the different primitives we have analyzed to draw a general conclusion on the homomorphic evaluation of symmetric cryptographic primitives.


ACM Journal on Emerging Technologies in Computing Systems | 2016

A Fault-Based Secret Key Retrieval Method for ECDSA: Analysis and Countermeasure

Alessandro Barenghi; Guido Bertoni; Luca Breveglieri; Gerardo Pelosi; Stefano Sanfilippo; Ruggero Susella

Elliptic curve cryptosystems proved to be well suited for securing systems with constrained resources like embedded and portable devices. In a fault-based attack, errors are induced during the computation of a cryptographic primitive, and the results are collected to derive information about the secret key safely stored in the device. We introduce a novel attack methodology to recover the secret key employed in implementations of the Elliptic Curve Digital Signature Algorithm. Our attack exploits the information leakage induced when altering the execution of the modular arithmetic operations used in the signature primitive and does not rely on the underlying elliptic curve mathematical structure, thus being applicable to all standardized curves. We provide both a validation of the feasibility of the attack, even employing common off-the-shelf hardware to perform the required computations, and a low-cost countermeasure to counteract it.


International Conference on Security and Cryptography | 2015

New results for partial key exposure on RSA with exponent blinding

Stelvio Cimato; Silvia Mella; Ruggero Susella

In 1998, Boneh, Durfee and Frankel introduced partial key exposure attacks, a novel application of Coppersmith's method, to retrieve an RSA private key given only a fraction of its bits. This type of attack is of particular interest in the context of side-channel attacks. By applying the exponent blinding technique as a countermeasure for side-channel attacks, the private exponent becomes randomized at each execution. Thus the attacker has to rely only on a single trace, significantly increasing the noise and making the recovery of the exponent bits less effective. This countermeasure also has the side effect of modifying the RSA equation used by partial key exposure attacks, in a way studied by Joye and Lepoint in 2012. We improve their results by providing a simpler technique in the case of known least significant bits and a better bound for the known most significant bits case. Additionally, we apply partial key exposure attacks to CRT-RSA when exponent blinding is used, a case not yet analyzed in the literature. Our findings, for which we provide theoretical and experimental results, aim to reduce the number of bits to be recovered through side-channel attacks in order to factor an RSA modulus when the implementation is protected by exponent blinding.


International Conference on e-Business | 2015

Partial Key Exposure Attacks on RSA with Exponent Blinding

Stelvio Cimato; Silvia Mella; Ruggero Susella

Partial key exposure attacks, introduced by Boneh, Durfee and Frankel in 1998, aim at retrieving an RSA private key when a fraction of its bits is known. These attacks are of particular interest in the context of side-channel attacks, where the attacker can retrieve bits of the key by exploiting leakages in the implementation. In this work we analyze the effectiveness of partial key exposure when a countermeasure for side-channel attacks is adopted. In particular, we consider the exponent blinding technique, which consists of randomizing the private exponent at each execution. We address our analysis to both RSA and CRT-RSA, providing theoretical proofs and experimental results.


The Cryptographers' Track at the RSA Conference | 2018

Breaking Ed25519 in WolfSSL

Niels Samwel; Lejla Batina; Guido Bertoni; Joan Daemen; Ruggero Susella

Ed25519 is an instance of the elliptic-curve-based signature scheme EdDSA that was recently introduced to solve an inconvenience of the more established ECDSA. Namely, both schemes require the generation of a value (the scalar of the ephemeral key pair) during the signature generation process, and the secrecy of this value is critical for security: knowledge of one such value, or partial knowledge of a series of them, allows reconstructing the signer's private key. In ECDSA it is not specified how to generate this random value, and hence implementations critically rely on the quality of random number generators and are challenging to implement securely. EdDSA removes this dependence by deriving the secret deterministically from the message and a long-term auxiliary key using a cryptographic hash function. The feature of determinism has received wide support as enabling secure implementations, and in particular the deployment of Ed25519 is spectacular. Today Ed25519 is used in numerous security protocols, networks and both software and hardware security products, e.g. OpenSSH, Tor and GnuPG.


Smart Card Research and Advanced Application Conference | 2016

A Compact and Exception-Free Ladder for All Short Weierstrass Elliptic Curves

Ruggero Susella; Sofia Montrasio

The field of elliptic curve cryptography has recently experienced a deployment of new models of elliptic curves, such as Montgomery or twisted Edwards. Computations on these curves have been proven to be exception-free and easy to make constant-time. Unfortunately, many standards define elliptic curves in the short Weierstrass model, where the above properties are harder to achieve. This is especially true when scalar blinding, a simple but widely deployed side-channel attack countermeasure, is adopted. In this paper we analyze previously undisclosed exceptional cases of popular scalar multiplication algorithms, highlighting the need for proofs of correctness. Then, with the final goal of providing a compact ECC hardware accelerator for embedded platforms, suitable to offload computations on all elliptic curve models, we present a constant-time adaptation of the Montgomery ladder, leveraging addition formulas by Izu and Takagi, which we prove returns the correct result for any input point and any scalar value on all elliptic curves in Weierstrass form defined over \(\mathbb {F}_p\) with \(p \ne 2,3\).


International Conference on Information Technology: New Generations | 2009

Practical Power Analysis Attacks to RSA on a Large IP Portfolio SoC

Guido Bertoni; Luca Breveglieri; Alessandro Cominola; Filippo Melzani; Ruggero Susella

The RSA algorithm is the most widely used public-key cryptosystem. For this reason it is important to protect RSA-based cryptosystems from the threat of Side-Channel Attacks and particularly from Power Analysis. This article presents the application of Power Analysis attacks based on real power measurements and describes the main experimental results obtained by attacking software implementations of the RSA algorithm executed on an ARM 926 processor running at 266 MHz. Few practical results of a similar type are reported in the literature, and none of them targets a complex SoC running at such a high frequency as that considered in this paper.


Archive | 2012

Method for Encrypting a Message Through the Computation of Mathematical Functions Comprising Modular Multiplications

Guido Bertoni; Ruggero Susella


Archive | 2011

Method for Generating a Digital Signature

Guido Bertoni; Ruggero Susella; Andrea Palomba

Collaboration


Ruggero Susella's collaborations.

Top Co-Authors

Lejla Batina (Radboud University Nijmegen)

Niels Samwel (Radboud University Nijmegen)