Introduction

Preliminaries

Protocol Design

Efficiency, Security and Reliability in Embedded Systems

Conclusion

Authentication and Encryption Protocols: Design, Attacks and Algorithmic Tools
Diana Ştefania Maimuţ

December 11, 2015


1 Introduction
2 Preliminaries: Authenticated Encryption; Digital Signatures
3 Protocol Design: Legally Fair Contract Signing without Keystones; Multi-Party Authentication Protocols; An Authenticated Encryption Scheme: Offset Merkle-Damgård
4 Efficiency, Security and Reliability in Embedded Systems: Double-Speed Barrett Moduli; Applying Cryptographic Techniques to Error Correction; A Number-Theoretic Error-Correcting Code; Backtracking-Assisted Multiplication; Fault Attacks on Projective-to-Affine Coordinate Conversion
5 Conclusion


Authentication and Encryption
Challenge: design secure and efficient cryptographic protocols.
Our Results:
- A co-signature protocol achieving legal fairness without keystones; a keystone is a digitally signed check given to the aggrieved party by the other party, to compensate a would-be fairness breach.
- OMD, a compression function-based mode of operation providing nonce-based authenticated encryption with associated data (AD).
- A transmission-efficient distributed Fiat-Shamir zero-knowledge protocol enabling network node authentication.


Efficiency
Real world cryptographic applications must not only be secure. They must also be efficient.
Our Results (algorithmic speed-ups):
- A method for doubling the speed of Barrett's algorithm by using specific moduli.
- A number-theoretic error correcting code (ECC) inspired by the Naccache-Stern cryptosystem.
- BCH speed-up strategies using polynomial versions of Barrett's algorithm.
- A multiplication algorithm for lightweight microprocessors when one of the operands is constant.
- A method for regulating the pace of von Neumann randomness extractors.


Secure Implementation
Assess and improve the resistance of embedded devices.
Our Results: A new fault attack on elliptic curve cryptography (ECC) implementations. The attack consists in injecting a fault during projective-to-affine conversion. Countermeasures are also proposed.


Authenticated Encryption

Authenticated Encryption (AE)
AE is a symmetric-key mechanism providing both confidentiality and data authentication.
Generic Composition... Generically composed AE algorithms achieve confidentiality and integrity by combining two separate primitives:
- a conventional encryption algorithm for confidentiality;
- a MAC algorithm for data authentication.
...Versus Dedicated Solutions: a combined AE functionality rather than separate Encryption and MAC.


AE is adopted in many widely implemented standards: SSH, SSL/TLS, IPsec, IEEE 802.11.
Privacy and Integrity in the Generic Composition Context
Can privacy and integrity be achieved by simply combining a traditional encryption algorithm and a MAC? Yes. But algorithmic miscombinations have resulted in several successful attacks:
- message recovery attacks against OpenSSH encryption;
- BEAST (Browser Exploit Against SSL/TLS).


Digital Signatures

Digital signatures can be considered as the public-key equivalents of MAC algorithms.

Algorithms of a digital signature scheme: KeyGen, Sign, Verify.

Let $k$ be the security parameter and let $1^k$ be the input of the key generation algorithm KeyGen. KeyGen outputs a pair $(pk, sk)$ of public and secret keys. Given a message $m$ and $sk$, Sign outputs a signature $\sigma$. Given $\sigma$, $m$, $pk$, Verify tests if $\sigma$ is a valid signature of $m$ with respect to $pk$.

$\{pk, sk\} \leftarrow \mathrm{KeyGen}(1^k)$

$\sigma \leftarrow \mathrm{Sign}(sk, m)$

$\mathrm{Verify}(\sigma, m, pk) = \mathrm{True}$


A signature, be it physical or digital, must be: undeniable; non-imitable; easy to verify; easy to generate. Signatures on previously unsigned messages must be impossible to produce by entities who do not possess $sk$. Some well known digital signature algorithms: RSA, ElGamal, Schnorr, Girault-Poupard-Stern and ECDSA.


Legally Fair Contract Signing without Keystones

Context
In many operations, such as contract signing, all participants must show their commitment to a given message. This is done by exchanging digital signatures on the agreed message or by co-signing the message. Typically, co-signatures are used for joint bank account management. In electronic transactions, fairness remains a fundamental need. Our results mainly focus on fairness in co-signing by two parties.


Prior Work
A protocol is viable if, when both parties follow the protocol properly, the protocol terminates with both parties being committed to the contract. Early efforts mainly focused on optimistic protocols to achieve computational fairness, i.e. "bit-by-bit" secret exchange. Ben-Or, Goldreich, Micali and Rivest showed that any viable fair contract signing protocol must rely on a Trusted Third Party (TTP). Weakening: gradual release schemes, optimistic schemes and concurrent schemes (using a keystone).


Our Work and New Results
We introduce the new concept of legal fairness without keystones.
Legal Fairness (Definition): Any transferable proof of involvement tying one party to a message also ties the other party to the message.
Our idea: Verifiers will be given the means to determine when Alice tries to involve Bob. When this happens, verifiers will contact Bob, who will be able to prove Alice's involvement. Legal fairness will be achieved without keystones.


Generating a Schnorr Co-Signature of a Message $m$

Setup: Alice reads Bob's directory entry and Bob reads Alice's; both compute $y_{A,B} \leftarrow y_A \times y_B$. Alice picks $k_A \in_R \mathbb{Z}_q^*$ and computes $r_A \leftarrow g^{k_A}$; Bob picks $k_B \in_R \mathbb{Z}_q^*$ and computes $r_B \leftarrow g^{k_B}$.

Bob → Alice: $\rho \leftarrow H(0\|r_B)$

Alice → Bob: $r_A$

Bob → Alice: $r_B$. Alice: if $H(0\|r_B) \neq \rho$ then abort.

Both: $r \leftarrow r_A \times r_B$, $e \leftarrow H(1\|m\|r)$. Bob: $s_B \leftarrow k_B - e x_B \bmod q$.

Bob → Alice: $s_B$. Alice: if $s_B$ is incorrect then abort; $s_A \leftarrow k_A - e x_A \bmod q$; $s \leftarrow s_A + s_B \bmod q$.

Alice → Bob: $s_A$. Bob: $s \leftarrow s_A + s_B \bmod q$; if $s_A$ is incorrect then too bad!

$(r, s)$ is verified by checking that $r = g^{s} y_{A,B}^{\,e}$ and $H(m, r) = e$.


Our Legally Fair Co-Signature Protocol:
- produces standard Schnorr signatures;
- is provably secure in the Random Oracle Model (ROM) under the Discrete Logarithm Problem (DLP) assumption.


Security Analysis
Let $A_{\mathrm{Alice}}$ (respectively $A_{\mathrm{Bob}}$) denote an attacker of the protocol posing as Alice (respectively Bob).
Theorem ($A_{\mathrm{Alice}}$): Let $\{y, g, p, q\}$ be a DLP instance. If $A_{\mathrm{Alice}}$ plays the role of Alice and is able to forge in polynomial time a co-signature with probability $F$, then in the ROM $A_{\mathrm{Alice}}$ can break that DLP instance with high probability in polynomial time.
Theorem ($A_{\mathrm{Bob}}$): Let $\{y, g, p, q\}$ be a DLP instance. If $A_{\mathrm{Bob}}$ plays the role of Bob and is able to forge in polynomial time a co-signature with probability $F$, then in the ROM $A_{\mathrm{Bob}}$ can break that DLP instance with high probability in polynomial time.


Security Analysis: Proof Strategy

Assuming the existence of an efficient forger A for the co-signature scheme, we turn A into an efficient Schnorr signatures forger B. We then use Pointcheval and Stern’s Forking Lemma to transform B into an efficient DLP solver C. Protocol asymmetry: Alice has more information than Bob.


The protocol assumes that Bob is stateful, i.e. that Bob keeps traces of problematic or aborted sessions in an internal nonvolatile memory $L$, and that Alice uses a second digital signature algorithm $\Sigma$.


Green phase: if an issue occurs during this phase no party is harmed. Nobody committed to any meaningful message.

Alice: $y_{A,B} \leftarrow y_A \times y_B$; $k_A \in_R \mathbb{Z}_q^*$; $r_A \leftarrow g^{k_A}$

Bob: $y_{A,B} \leftarrow y_A \times y_B$; $k_B \in_R \mathbb{Z}_q^*$; $r_B \leftarrow g^{k_B}$; $\rho \leftarrow H(0\|r_B)$

Bob → Alice: $\rho$

Alice: $t \leftarrow \Sigma(r_A\|\mathrm{Alice}\|\mathrm{Bob})$

Alice → Bob: $r_A, t$

Bob: if $t$ is incorrect then abort; store $t$ in $L$

Bob → Alice: $r_B$

Alice: if $H(0\|r_B) \neq \rho$ then abort; $r \leftarrow r_A \times r_B$; $e \leftarrow H(1\|m\|r)$; $s_A \leftarrow k_A - e x_A \bmod q$

Bob: $r \leftarrow r_A \times r_B$; $e \leftarrow H(1\|m\|r)$; $s_B \leftarrow k_B - e x_B \bmod q$; store $s_B$ in $L$


This red part is where things may go wrong.

Breakpoint 1. Bob → Alice: $s_B$. Alice: if $s_B$ is incorrect then abort.

Breakpoint 2. Alice → Bob: $s_A$. Bob: if $s_A$ is incorrect then abort.

Breakpoint 3. Alice: $s \leftarrow s_A + s_B \bmod q$. Bob: $s \leftarrow s_A + s_B \bmod q$; if $\{m, r, s\}$ is valid then erase $t, s_B$ from $L$.

If this part is reached both parties got what they wanted and both are happy.


Analysis of the Green Phase
If the protocol is interrupted before breakpoint 1, no information involving $m$ was released by any of the parties. The protocol's trace can be simulated without Bob as follows:

$s_B, r \xleftarrow{\$} \mathbb{Z}_q$; $e \leftarrow H(1\|m\|r\|\mathrm{Alice}\|\mathrm{Bob})$; $r_B \leftarrow g^{s_B} y_B^{\,e}$; $r_A \leftarrow r \times r_B^{-1}$; $t \leftarrow \Sigma(r_A\|\mathrm{Alice}\|\mathrm{Bob})$; $\rho \leftarrow H(0\|r_B)$

Bob has only received from Alice the signature of a random integer.


Analysis of the Red Phase

From Alice's perspective: if Bob transmits a wrong or incorrect $s_B$, this will be immediately detected by Alice as $r_B \neq g^{s_B} y_B^{\,e}$.
From Bob's perspective: Alice can try to construct a fraudulent signature of Bob by stopping the protocol at breakpoint 2: using $s_B$ she can try to construct a valid classical Schnorr signature. Given that $s_B$ is not a valid Schnorr signature for Bob ($g^{s_B} y_B^{\,e} = r_B \neq r$), Alice can construct $s' = s_B - k_A$, so that $\{m, r, s'\}$ forms a valid signature of Bob alone on $m$. However, if Alice tries to exhibit a signature of Bob alone on a message they both agreed upon (signing only on Bob's behalf is a fraud), then the court will be able to identify Alice as the fraudster.


Definition: Authorized Signatory Credential
The data field $\Gamma_{\mathrm{Alice},\mathrm{Bob}} = \{\mathrm{Alice}, \mathrm{Bob}, k_A, \Sigma(g^{k_A}\|\mathrm{Alice}\|\mathrm{Bob})\}$ is called an authorized signatory credential given by Alice to Bob, where $\Sigma$ is some publicly known auxiliary signature algorithm. Any party who gets $\Gamma_{\mathrm{Alice},\mathrm{Bob}}$ can check its validity, and releasing $\Gamma_{\mathrm{Alice},\mathrm{Bob}}$ is by convention functionally equivalent to Alice giving her private key $x_A$ to Bob.
Bob stores $t$ (given by Alice) in a local memory $L$ along with $s_B$. Together, $t$ and $s_B$ act as a keystone enabling a verifier, e.g. a court of law (or Bob), to check $\Gamma_{\mathrm{Alice},\mathrm{Bob}}$ if Alice exhibits a (fraudulent) signature seemingly binding Bob alone to $m$.


Analysis of the Blue Phase

Finally, if Alice and Bob successfully passed the normal completion breakpoint 3, both parties have the co-signature, and are provably committed to $m$.
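The co-signature flow described above, as an added Python simulation that is not part of the thesis or its slides: Bob commits to $r_B$ through $\rho$, Alice opens the commitment, each party checks the other's partial share before releasing its own, and the result is verified as an ordinary Schnorr signature against $y_{A,B}$. The group parameters, message and hash encoding are constructed toy values; the credential $t$ and Bob's memory $L$ are not modelled.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration only (far too small for real
# use): p = 2q + 1 is a safe prime and g = 4 generates the subgroup of order q.
P, Q, G = 1019, 509, 4


def H(tag: int, *parts: bytes) -> int:
    """Hash H(tag || parts) reduced modulo q; tag 0 commits to r_B, tag 1 yields e."""
    digest = hashlib.sha256(bytes([tag]) + b"".join(parts)).digest()
    return int.from_bytes(digest, "big") % Q


def enc(x: int) -> bytes:
    """Fixed-width encoding of a group element for hashing (values are < 2^32)."""
    return x.to_bytes(4, "big")


def keygen():
    """Schnorr key pair: secret x in Z_q^*, public y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def share_ok(s_i: int, r_i: int, y_i: int, e: int) -> bool:
    """A partial signature s_i is correct iff r_i == g^{s_i} * y_i^e (mod p)."""
    return (pow(G, s_i, P) * pow(y_i, e, P)) % P == r_i


def verify(m: bytes, r: int, s: int, y_ab: int) -> bool:
    """Standard Schnorr verification of (r, s) against the joint key y_{A,B}."""
    e = H(1, m, enc(r))
    return (pow(G, s, P) * pow(y_ab, e, P)) % P == r


def cosign(m: bytes, x_a: int, x_b: int, bob_tampers: bool = False):
    """Run the two-party Schnorr co-signature protocol on message m.

    Alice's and Bob's steps are interleaved in protocol order; each value
    crossing the wire is marked in a comment. A ValueError models an abort.
    With bob_tampers set, Bob sends a wrong share that Alice must detect.
    """
    y_a, y_b = pow(G, x_a, P), pow(G, x_b, P)   # directory entries
    y_ab = (y_a * y_b) % P                        # both: y_{A,B} = y_A * y_B

    k_b = secrets.randbelow(Q - 1) + 1            # Bob: k_B in Z_q^*
    r_b = pow(G, k_b, P)                          # Bob: r_B = g^{k_B}
    rho = H(0, enc(r_b))                          # Bob -> Alice: rho = H(0||r_B)

    k_a = secrets.randbelow(Q - 1) + 1            # Alice: k_A in Z_q^*
    r_a = pow(G, k_a, P)                          # Alice -> Bob: r_A = g^{k_A}

    # Bob -> Alice: r_B. Alice opens the commitment before using r_B.
    if H(0, enc(r_b)) != rho:
        raise ValueError("Alice aborts: H(0||r_B) != rho")

    r = (r_a * r_b) % P                           # both: r = r_A * r_B
    e = H(1, m, enc(r))                           # both: e = H(1||m||r)

    s_b = (k_b - e * x_b) % Q                     # Bob: s_B = k_B - e x_B mod q
    if bob_tampers:
        s_b = (s_b + 1) % Q                       # constructed wrong share
    # Bob -> Alice: s_B. Alice checks it against r_B and y_B (breakpoint 1).
    if not share_ok(s_b, r_b, y_b, e):
        raise ValueError("Alice aborts: s_B is incorrect")

    s_a = (k_a - e * x_a) % Q                     # Alice: s_A = k_A - e x_A mod q
    # Alice -> Bob: s_A. Bob checks it against r_A and y_A (breakpoint 2).
    if not share_ok(s_a, r_a, y_a, e):
        raise ValueError("Bob: s_A is incorrect")

    s = (s_a + s_b) % Q                           # both: s = s_A + s_B mod q
    return r, s, y_ab


def honest_run_verifies() -> bool:
    """One honest co-signature, checked as an ordinary Schnorr signature."""
    x_a, _ = keygen()
    x_b, _ = keygen()
    m = b"constructed contract text"
    r, s, y_ab = cosign(m, x_a, x_b)
    return verify(m, r, s, y_ab) and not verify(m, r, (s + 1) % Q, y_ab)


def tampering_detected() -> bool:
    """True when Alice aborts on Bob's wrong share at breakpoint 1."""
    x_a, _ = keygen()
    x_b, _ = keygen()
    try:
        cosign(b"m", x_a, x_b, bob_tampers=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("honest run verifies:", honest_run_verifies())
    print("wrong share detected:", tampering_detected())
```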


Multi-Party Authentication Protocols

Our Result
We describe an authentication protocol for checking network integrity, leveraging network topology to reduce transmission. The verifier detects malicious nodes that do not possess correct keys and unresponsive nodes. Useful in the context of wireless sensor networks and the Internet of Things (IoT).


Prior Work

Base station authentication: Anshul and Roy, a modified version of the Guillou-Quisquater identification scheme combined with the µTesla protocol for authenticated broadcast in lightweight devices.
Close to our goal: aggregate signatures. Non-interactive but computationally expensive (usually use pairings).
Even closer to our goal: Udgata et al. only authenticate two nodes at a time, and the base station acts as a TTP.


Fiat-Shamir Authentication
This protocol allows a prover P to convince a verifier V that P possesses a secret key without revealing the secret key. Let $n$ be an RSA modulus. P selects a secret $s < n$ such that $\gcd(n, s) = 1$, computes $v = s^2 \bmod n$ and publishes $v$ as its public key. (The exchange below is the $k$-secret form: P holds $s_1, \ldots, s_k$ with public keys $v_i = s_i^2 \bmod n$.)

Prover: $r \in_R [1, n-1]$; $x \leftarrow r^2 \bmod n$

Prover → Verifier: $x$

Verifier: check $x \neq 0$; $e_1, \ldots, e_k \in_R \{0, 1\}$

Verifier → Prover: $e_1, \ldots, e_k$

Prover: $y \leftarrow r \prod_{i=1}^{k} s_i^{e_i} \bmod n$

Prover → Verifier: $y$

Verifier: check $y^2 = x \prod_{i=1}^{k} v_i^{e_i} \bmod n$

Fiat-Shamir zero-knowledge authentication protocol


Distributed Fiat-Shamir Authentication
Given a $k$-node network $P_1, \ldots, P_k$, we consider the nodes $P_i$ as vertices in a graph and the network connections between them as edges. A specific node V wishes to authenticate the graph as a whole. Each $P_i$ will be given an $s_i$.


[Figures: Illustration of Step 1, Propagating $e$, Illustration of Step 3, and "The proposed algorithm running on a network". Recoverable content:]

Step 1, the construction of $x$: every node $P_i$ computes $x_i = r_i^2 \bmod n$; the values are multiplied along the network edges towards V, giving $x = x_1 x_2 \cdots x_k \bmod n$ (shown on the slides as $x = x_1 x_2 x_3 x_4 \bmod n$ for a four-node network).

Step 2, the propagation of $e$: V issues the challenge $e$, which is relayed from node to node across the network.

Step 3, the construction of $y$: every node $P_i$ computes $y_i = r_i s_i^{e_i} \bmod n$; the values are multiplied back towards V, giving $y = y_1 y_2 \cdots y_k \bmod n$ (shown as $y = y_1 y_2 y_3 y_4 \bmod n$).

Security
We prove:
- Soundness: if the authentication protocol succeeds, then with overwhelming probability all network nodes are genuine and responsive.
- Zero-knowledge: the distributed authentication protocol achieves statistical zero-knowledge.


Parameters and Complexity
Choice of parameters, for a desired security level $2^{\lambda}$:
- the protocol should be run $t \ge \lceil \lambda / k \rceil$ times;
- $n$ should take more than $2^{\lambda t}$ operations to factor;
- private and public keys are $\log_2 n$ bits long.
Complexity: the effort required to authenticate the network is $2kt$ modular squarings, $\le 3kt$ modular multiplications.
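The distributed protocol of Steps 1 to 3 and the soundness claim above, as an added Python example that is not taken from the thesis: nodes in a constructed tree multiply their $x_i$ and $y_i$ towards V, V checks $y^2 = x \prod_i v_i^{e_i} \bmod n$, and a node that does not hold its $s_i$, or does not answer, makes the check fail. The modulus, tree shape and secrets are toy values chosen for illustration; the `rogue`/`silent` switches are constructed for the demonstration.

```python
import secrets
from math import gcd

# Toy RSA modulus n = 61 * 53, constructed for illustration only; a real
# deployment needs a modulus that is infeasible to factor.
N = 3233


class Node:
    """A network node P_i holding its secret s_i, with links to child nodes."""

    def __init__(self, name: str, secret: int, responsive: bool = True):
        self.name = name
        self.s = secret               # s_i, gcd(s_i, n) = 1; public v_i = s_i^2 mod n
        self.responsive = responsive  # False models a node that never answers
        self.children = []
        self.r = None                 # per-round nonce r_i

    def public_key(self) -> int:
        return pow(self.s, 2, N)

    def commit(self):
        """Step 1: x_i = r_i^2 mod n, multiplied into the children's aggregate
        on its way towards V. Returns None if any node in the subtree is silent."""
        if not self.responsive:
            return None
        self.r = secrets.randbelow(N - 1) + 1
        while gcd(self.r, N) != 1:    # keep r_i invertible so x is never 0 mod n
            self.r = secrets.randbelow(N - 1) + 1
        x = pow(self.r, 2, N)
        for child in self.children:
            cx = child.commit()
            if cx is None:
                return None
            x = (x * cx) % N
        return x

    def respond(self, e: dict):
        """Step 3: y_i = r_i * s_i^{e_i} mod n, aggregated the same way. Step 2
        (propagating e) is modelled by every node reading its own bit e[name]."""
        if not self.responsive:
            return None
        y = (self.r * pow(self.s, e[self.name], N)) % N
        for child in self.children:
            cy = child.respond(e)
            if cy is None:
                return None
            y = (y * cy) % N
        return y


def verifier_check(x, y, e: dict, pubkeys: dict) -> bool:
    """V accepts iff x != 0 and y^2 == x * prod_i v_i^{e_i} (mod n)."""
    if x is None or y is None or x == 0:
        return False                  # a missing value means some node was silent
    rhs = x
    for name, v in pubkeys.items():
        rhs = (rhs * pow(v, e[name], N)) % N
    return pow(y, 2, N) == rhs


def run_round(root: Node, pubkeys: dict, e: dict) -> bool:
    """One round with an explicit challenge vector e (one bit per node)."""
    x = root.commit()
    y = root.respond(e)
    return verifier_check(x, y, e, pubkeys)


def authenticate(root: Node, pubkeys: dict, t: int) -> bool:
    """t rounds with random challenge bits; one failed round rejects the network."""
    for _ in range(t):
        e = {name: secrets.randbelow(2) for name in pubkeys}
        if not run_round(root, pubkeys, e):
            return False
    return True


def build_network(rogue: bool = False, silent: bool = False):
    """Constructed tree V <- P1 <- {P2, P3}, P3 <- P4 with toy secrets.
    V registered v_i from the genuine secrets; with rogue=True, P3 holds a
    different value (14^2 != 13^2 mod n); with silent=True, P4 never answers."""
    keys = {"P1": 7, "P2": 11, "P3": 13, "P4": 17}
    pubkeys = {name: pow(s, 2, N) for name, s in keys.items()}
    p1 = Node("P1", keys["P1"])
    p2 = Node("P2", keys["P2"])
    p3 = Node("P3", 14 if rogue else keys["P3"])
    p4 = Node("P4", keys["P4"], responsive=not silent)
    p1.children = [p2, p3]
    p3.children = [p4]
    return p1, pubkeys


if __name__ == "__main__":
    root, pk = build_network()
    print("genuine network accepted:", authenticate(root, pk, 20))
    root, pk = build_network(rogue=True)
    print("network with rogue node accepted:", authenticate(root, pk, 20))
```

A rogue node passes any round in which its challenge bit is 0, which is why the verifier draws fresh random bits for all nodes in each of the $t$ rounds.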


An Authenticated Encryption Scheme: Offset Merkle-Damgård

A CAESAR candidate (selected for the second phase of the competition). A compression function-based mode of operation for AEAD.
Security Features:
- confidentiality for the plaintext;
- authenticity for the nonce, associated data and plaintext;
- provable security in the standard model based on the PRF assumption: if the compression function keyed via its message input is a PRF, then OMD is a secure AEAD scheme.


Nonce-based Authenticated Encryption with Associated Data
Notations: $N$: nonce (e.g. fresh random or a public message number); $M$: plaintext that needs to be encrypted and authenticated; $AD$: associated data that will be authenticated but not encrypted; $C$: ciphertext; $K$: secret key.

$\mathrm{Enc}_K(N, M, AD) \rightarrow C$

$\mathrm{Dec}_K(N, C, AD) \rightarrow M$ or $\bot$


The Merkle-Damgård (MD) Construction

[Figure: chaining of the keyed compression function. $IV$ and $M_1$ enter $F_K$; its output and $M_2$ enter the next $F_K$; and so on.]

Assumption: the keyed compression function $F_K$ is a PRF. If $F_K$ is a PRF then MD is also a PRF (result by Bellare and Ristenpart).


OMD: A Nonce-Based AE Scheme Using the MD Construction

[Figure: encrypting a message whose length is a multiple of the block length. The message blocks $M_1, \ldots, M_\ell$ pass through successive calls to $F_K$, each call offset by a mask $\Delta_{K,i,N}$ indexed by the key, the block position and the nonce; the calls yield the ciphertext blocks $C_1, \ldots, C_\ell$, and the final output is truncated to the $\tau$-bit tag.]

Encryption is also possible when the message size is not a multiple of the block length (details in the thesis). OMD is a provably secure nonce-based AE algorithm integrating a modified MD pass with a XOR MAC.


Security

σ_e: total number of calls to the compression function in encryption queries
σ: total number of calls to the compression function in all (encryption and verification) queries
q_e: the number of encryption queries
q_v: the number of decryption (verification) queries
ℓ_max: the maximum number of internal calls to the compression function in any query
n: the output length of the compression function in bits
τ: the tag length
t' = t + cnσ, where t is the time complexity and c is a constant

We prove that:

\[
\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{OMD}[F,\tau]}(t, q_e, \sigma_e, \ell_{\max}) \le \mathrm{Adv}^{\mathrm{prf}}_{F}(t', 2\sigma_e) + \frac{3\sigma_e^2}{2^n}
\]

\[
\mathrm{Adv}^{\mathrm{auth}}_{\mathrm{OMD}[F,\tau]}(t, q_e, q_v, \sigma, \ell_{\max}) \le \mathrm{Adv}^{\mathrm{prf}}_{F}(t', 2\sigma) + \frac{3\sigma^2}{2^n} + \frac{q_v \ell_{\max}}{2^n} + \frac{q_v}{2^\tau}
\]


Lightweight Cryptography: cryptographic primitives and computational techniques suitable for implementation in resource-constrained devices.

Trade-Offs
Challenge: reach sufficient security using only little computing power. The trade-off between lightweightness and security is the cornerstone of lightweight cryptography.


Trade-offs

[Figure: Securing Devices. Physical trade-offs: low cost, area, type of architecture (µC or µP), throughput, performance, energy, power. Algorithmic trade-offs: security, more functions or more security versus fewer functions or less security, in hardware or in software.]


Double-Speed Barrett Moduli

A Method Allowing to Double the Speed of Barrett's Algorithm

Moduli having predetermined bit portions are generally considered as safe as moduli that do not feature predetermined bit portions. Several techniques for generating such moduli are well known.


RSA moduli with a predetermined portion (the leading bits) are used to reduce storage or computations.

Generating Moduli with a Predetermined Portion
Input: N, H ≤ N/2, n_h < 2^H
Output: n = n_h × 2^(N−H) + n_ℓ, such that 0 < n_ℓ < 2^(N−H)
  Generate a random prime p such that 2^(N−H−1) < p < 2^(N−H) − 1
  η ← n_h × 2^(N−H)
  ω ← ⌈η / p⌉
  q ← NextPrime(ω)
  n ← pq
  return n

Lemma. Consider the above parameters and let m = q − ω. Then n < n_h 2^(N−H) + (1 + m)(2^(N−H) − 1) and ω < 2^(H+1) + 1.


Barrett's Algorithm

Barrett's method assembles the operation a mod b from bit shifts, multiplications and additions in ℕ.

Barrett's Algorithm
Input: n < 2^N, d < 2^D, κ = ⌊2^L / n⌋, where N ≤ D ≤ L
Output: c = d mod n
  c1 ← d ≫ (N − 1)
  c2 ← c1 × κ
  c3 ← c2 ≫ (L − N + 1)
  c4 ← d − n × c3
  while c4 ≥ n do
    c4 ← c4 − n
  end while
  return c4


Barrett-Friendly Moduli (New Idea)

Goal: generate a composite n whose leading bits do not need to be multiplied and whose associated κ also has a most significant part that does not need to be multiplied.

Example. Let N = 100 and L = 200 (values in hexadecimal):
r = 1ace38e78e29f
p = 322a28626f0a7
q = 51a6acec7fcd5
η = 8000000000001ace38e78e29f
ω = 28d356763fe4a
n = 80000000000a8c93071ac14d9
κ = 1ffffffffffd5cdb3e394fe440


Barrett-friendly RSA modulus generator
Input: L = 2N = 4U
Output: n, an RSA modulus such that 2^(N−1) < n < 2^(N−1) + (0.7U + 2)(2^U − 1), whose associated κ is such that 2^(N+1) − 2^(U+1)(1 + 0.7U) < κ < 2^(N+1)
  Generate a random integer r such that 2^(U−1) < r < 2^U − 1
  η ← 2^(N−1) + r
  Generate a random prime p such that 2^(U−1) < p < 2^U − 1
  ω ← ⌈η / p⌉
  q ← NextPrime(ω)
  n ← p × q
  return n


Lemma. If 0 < x < 2^(P/2−1), then
\[
\left\lfloor \frac{2^{2P}}{2^{P-1} + x} \right\rfloor = 2^{P+1} - 4x .
\]

Lemma: Bounding n, ω and κ. Consider the parameters used in the above algorithm and let m = q − ω. Then:
\[
n < 2^{N-1} + (2 + m)(2^U - 1), \qquad
2^{N+1} - 2^{U+1}(1 + m) < \kappa < 2^{N+1}, \qquad
\omega < 2^U + 2 .
\]
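The following is an added example, not code from the thesis: it implements Barrett's algorithm exactly as listed above and the Barrett-friendly RSA modulus generator, then checks the lemma's bound on n and shows that n and κ have long runs of fixed leading bits (zeros after the top bit of n, ones at the top of κ), which is what makes the multiplications by those words unnecessary. The Miller-Rabin primality test, the seed values and the demo inputs are my own constructions.

```python
import random

_MR_RNG = random.Random(1)   # witness source for Miller-Rabin (constructed, fixed seed)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; adequate for a demonstration, not a certified prime."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_MR_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(x):
    """NextPrime(x): the smallest (probable) prime >= x."""
    while not is_probable_prime(x):
        x += 1
    return x


def barrett_kappa(n, L):
    """The precomputed constant kappa = floor(2^L / n)."""
    return (1 << L) // n


def barrett_reduce(d, n, kappa, N, L):
    """d mod n by the slide's steps (n < 2^N, d < 2^L): a shift, one product by
    kappa, a shift, one product by n, then a few corrective subtractions."""
    c1 = d >> (N - 1)
    c2 = c1 * kappa
    c3 = c2 >> (L - N + 1)
    c4 = d - n * c3              # c3 <= floor(d / n), so c4 is never negative
    while c4 >= n:
        c4 -= n
    return c4


def gen_barrett_friendly_modulus(N, rng):
    """The slide's generator with L = 2N = 4U.  Returns (n, p, q, m), m = q - omega."""
    U = N // 2
    r = rng.randrange((1 << (U - 1)) + 1, (1 << U) - 1)
    eta = (1 << (N - 1)) + r                 # top bits of eta: a 1 followed by zeros
    while True:                              # random prime in (2^(U-1), 2^U - 1)
        p = rng.randrange((1 << (U - 1)) + 1, (1 << U) - 1)
        if is_probable_prime(p):
            break
    omega = -(-eta // p)                     # ceil(eta / p)
    q = next_prime(omega)
    return p * q, p, q, q - omega


def fixed_leading_bits(v, bits):
    """How many leading bits of the `bits`-bit value v equal its top bit: words
    made only of such bits need no real multiplication in Barrett's steps."""
    top = (v >> (bits - 1)) & 1
    count = 0
    for i in range(bits - 1, -1, -1):
        if ((v >> i) & 1) != top:
            break
        count += 1
    return count


def demo(N=100, L=200, seed=2015):
    """Generate a modulus with the slide's parameters; returns (n, kappa, m)."""
    n, p, q, m = gen_barrett_friendly_modulus(N, random.Random(seed))
    return n, barrett_kappa(n, L), m


if __name__ == "__main__":
    n, kappa, m = demo()
    print(f"n     = {n:x}\nkappa = {kappa:x}\nm     = {m}")
    print("zero bits below the top bit of n:", fixed_leading_bits(n - (1 << 99), 99))
    print("one bits at the top of kappa:", fixed_leading_bits(kappa, 101))
    d = (1 << 199) + 987654321
    print("Barrett reduction correct:", barrett_reduce(d, n, kappa, 100, 200) == d % n)
```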


The same idea can be extended even further. Here are Schnorr parameters p, q, κ_p, κ_q that are all multiplication friendly.

Example. Let P = 1024 and Q = 160.
\[
\begin{aligned}
\omega &= 299 \\
i_p &= 1 \\
L_q &= 2 \cdot 160 \\
q &= 2^{159} + 299 \\
\kappa_q &= 2^{163} - 4 \cdot 299 \\
L_p &= 2 \cdot 1024 \\
x &= 2^{11} \\
p &= (2^{864} + 2)\,q + 1 = (2^{864} + 2)(2^{159} + 299) + 1 = 2^{1023} + 299 \cdot 2^{864} + 2^{160} + 2 \cdot 299 + 1 \\
\kappa_p &= 2^{71} \sum_{k=0}^{5} 2^{159k} (-299)^{6-k} - 2^{162} + 2^{387}
\end{aligned}
\]

Details in the thesis.


Applying Cryptographic Techniques to Error Correction

Context

Bose-Chaudhuri-Chaum (BCH) codes:
- are widely used for error correction in digital systems, memory devices and computer networks;
- require repeated polynomial reductions modulo the same constant polynomial, which is conceptually similar to the implementation of public-key cryptography.

Idea: apply cryptographic techniques to error correction. Transfer the modular reduction expertise developed by cryptographers to obtain new BCH speed-up strategies: we propose a "polynomialization" of Barrett's modular reduction algorithm.


Preliminaries

Generalization of the ≫ operator. Let
\[
P = \sum_{i=0}^{\alpha} p_i \prod_{j=1}^{\nu} x_j^{y_{j,i}} \in \mathbb{Q}[\vec{x}]
\]
and \vec{a} = ⟨a_1, a_2, ..., a_ν⟩ ∈ ℕ^ν. We denote
\[
P \gg \vec{a} = \sum_{i \in \varphi(\vec{a})} p_i \prod_{j=1}^{\nu} x_j^{y_{j,i} - a_j} \in \mathbb{Q}[\vec{x}],
\quad \text{where } \varphi(\vec{a}) = \{\, i : \forall j,\ y_{j,i} \ge a_j \,\}.
\]


Barrett's Algorithm for Polynomials

Theorem: Barrett's Algorithm for Polynomials. Let
\[
P = \sum_{i=0}^{\alpha} p_i \prod_{j=1}^{\nu} x_j^{y_{j,i}} \in \mathbb{Q}[\vec{x}]
\quad \text{and} \quad
Q = \sum_{i=0}^{\beta} q_i \prod_{j=1}^{\nu} x_j^{w_{j,i}} \in \mathbb{Q}[\vec{x}]
\quad \text{s.t. } \mathrm{lm}(Q) \succeq \mathrm{lm}(P),
\]
\[
L \ge \max w_{i,j} \in \mathbb{N}, \qquad
h(L) = \prod_{j=1}^{\nu} x_j^{L}, \qquad
K = h(L) \gg P, \qquad
\vec{y}_0 = \langle y_{1,0}, y_{2,0}, \ldots, y_{\nu,0} \rangle \in \mathbb{N}^{\nu}.
\]
Given the above notations (with ≫ by a polynomial denoting the polynomial quotient),
\[
\big( K \,(Q \gg \vec{y}_0) \big) \gg \big( \langle L^{\nu} \rangle - \vec{y}_0 \big) = Q \gg P .
\]
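The following is an added example, not code from the thesis: the univariate GF(2)[x] case of the theorem (ν = 1, so ≫ is an ordinary shift of the coefficient vector), used to reduce a data polynomial modulo a BCH generator polynomial the way a systematic encoder does. Polynomials are bit masks (bit i is the coefficient of x^i); the generator 0x1D1 is the BCH(15,7) generator x^8 + x^7 + x^6 + x^4 + 1, and L = 32 is my choice.

```python
def clmul(a, b):
    """Carry-less product in GF(2)[x] of two polynomials given as bit masks."""
    res = 0
    while b:
        if b & 1:
            res ^= a
        a <<= 1
        b >>= 1
    return res


def pdivmod(num, den):
    """Schoolbook GF(2)[x] long division: returns (quotient, remainder)."""
    q = 0
    dd = den.bit_length()
    while num.bit_length() >= dd:
        shift = num.bit_length() - dd
        q |= 1 << shift
        num ^= den << shift
    return q, num


def barrett_poly_precompute(P, L):
    """K = h(L) >> P, i.e. the polynomial quotient of x^L by P (theorem with nu = 1)."""
    return pdivmod(1 << L, P)[0]


def barrett_poly_reduce(Q, P, K, L):
    """Q mod P using one shift, one multiplication by the constant K, one more
    shift and one multiplication by P.  Valid when L >= deg Q, as in the
    theorem; unlike the integer case, no correction loop is needed in GF(2)[x]."""
    y0 = P.bit_length() - 1                    # y0 = deg P
    quotient = clmul(K, Q >> y0) >> (L - y0)   # (K (Q >> y0)) >> (L - y0) = Q >> P
    return Q ^ clmul(quotient, P)


BCH_15_7_GENERATOR = 0b111010001   # x^8 + x^7 + x^6 + x^4 + 1


def bch_encode(data_bits, gen=BCH_15_7_GENERATOR, L=32):
    """Systematic encoding: codeword = data * x^deg(gen) + (data * x^deg(gen) mod gen),
    with the reduction done by polynomial Barrett instead of long division."""
    deg = gen.bit_length() - 1
    shifted = data_bits << deg
    K = barrett_poly_precompute(gen, L)
    return shifted ^ barrett_poly_reduce(shifted, gen, K, L)


if __name__ == "__main__":
    cw = bch_encode(0b1011001)
    print(f"codeword = {cw:015b}, remainder mod g = {pdivmod(cw, BCH_15_7_GENERATOR)[1]}")
```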


Performance

We implemented in FPGA several BCH encoders using standard polynomial reduction methods and compared them to polynomial Barrett circuits. Our BCH-Barrett design halves power consumption and multiplies throughput by 4.

Our synthesis results for five BCH encoder designs:

Design                | Gate Instances | Gate Equivalent | Max Frequency (MHz) | Throughput (Mbps) | Power (nW)
BCH-Standard          | 310            | 447             | 741                 | 690               | 978
BCH-LFSR              | 155            | 223             | 1043                | 972               | 920
BCH-LFSR-improved     | 160            | 236             | 1043                | 2080              | 952
BCH-Barrett           | 194            | 260             | 655                 | 9150              | 512
BCH-Barrett-pipelined | 426            | 591             | 995                 | 13900             | 2208

Full details and circuit schematics in the thesis.


A Number-Theoretic Error-Correcting Code

Generate a large prime p, and let p_i stand for the i-th prime. To encode a message m = \sum_{i=0}^{k-1} 2^i m_i the sender computes
\[
c = p_0^{m_0} \times \cdots \times p_{k-1}^{m_{k-1}} \bmod p .
\]
{c, m} is sent over the noisy channel. We first assume that errors occurred only in m. Upon reception of {c, m'} the receiver can compute
\[
c' = p_0^{m'_0} \times \cdots \times p_{k-1}^{m'_{k-1}} \bmod p
\]
and divide out modulo p all the common (unflipped) bits of m and m'.


Let d = c/c' mod p. We use the extended Euclidean algorithm to write d as a modular ratio s = a/b mod p of two integers a, b of size ≃ √p.

Theorem. Let a, b ∈ ℤ such that −A ≤ a ≤ A and 0 < b ≤ B. Let p be some prime integer such that 2AB < p. Let s = a · b^(−1) mod p. Then given A, B, s and p, a and b can be recovered in polynomial time.

If there were not too many errors, a and b will factor over the integers into products of small primes. The primes present in a encode the bits equal to 1 in m and reset to 0 in m' during transmission. The primes present in b encode the bits equal to 0 in m that flipped into 1 in m' during transmission.


To correct t errors in a k-bit message the size of p should be
\[
2 p_k^{2t} < p < 4 p_k^{2t}
\]
(bounding the worst case where all errors affect the end of the message). Using p_k ≃ k log k we get
\[
\log_2 p \simeq 2t \, \frac{\log(k \log k)}{\log 2} .
\]
Given t and k, the error-correcting code can be easily instantiated.
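The following is an added example, not code from the thesis: the number-theoretic code of the preceding slides for a k-bit message with up to t flipped bits in m (c assumed intact), with p taken from the bound 2 p_k^{2t} < p < 4 p_k^{2t} and the a/b step done by the classical rational reconstruction via the extended Euclidean algorithm. The message value, k = 16 and t = 2 are my own choices.

```python
def first_primes(count):
    """p_0 = 2, p_1 = 3, ... (the slide's numbering of the i-th prime)."""
    primes = []
    cand = 2
    while len(primes) < count:
        if all(cand % q for q in primes if q * q <= cand):
            primes.append(cand)
        cand += 1
    return primes


def is_prime(n):
    """Trial division; p here is only ~25 bits, so this is fast enough."""
    if n < 2:
        return False
    f = 2
    while f * f <= n:
        if n % f == 0:
            return False
        f += 1
    return True


def choose_modulus(k, t):
    """Smallest prime p with 2 p_k^(2t) < p (well below the 4 p_k^(2t) bound)."""
    pk = first_primes(k + 1)[k]
    p = 2 * pk ** (2 * t) + 1
    while not is_prime(p):
        p += 1
    return p


def encode(m, k, p):
    """c = p_0^m_0 * ... * p_{k-1}^m_{k-1} mod p for the k message bits m_i."""
    primes = first_primes(k)
    c = 1
    for i in range(k):
        if (m >> i) & 1:
            c = c * primes[i] % p
    return c


def rational_reconstruct(s, p, A, B):
    """The theorem above: find (a, b) with a = s*b mod p, |a| <= A, 0 < b <= B,
    unique when 2AB < p.  Extended Euclid on (p, s), stopped at the first
    remainder <= A (Wang's rational reconstruction)."""
    r0, r1 = p, s % p
    t0, t1 = 0, 1
    while r1 > A:
        quot = r0 // r1
        r0, r1 = r1, r0 - quot * r1
        t0, t1 = t1, t0 - quot * t1
    a, b = r1, t1
    if b < 0:
        a, b = -a, -b
    if b == 0 or b > B or (a - s * b) % p:
        raise ValueError("no reconstruction within the bounds: too many errors")
    return a, b


def factor_over(v, primes):
    """Indices of the listed primes dividing v, or None if v has another factor."""
    idx = []
    for i, q in enumerate(primes):
        if v % q == 0:
            v //= q
            idx.append(i)
    return idx if v == 1 else None


def decode(c, m_received, k, t, p):
    """Correct up to t flipped bits of m_received using the intact c."""
    primes = first_primes(k)
    c_received = encode(m_received, k, p)
    d = c * pow(c_received, -1, p) % p     # c/c' mod p: the common (unflipped)
    bound = primes[-1] ** t                # primes cancel, only flipped bits remain
    a, b = rational_reconstruct(d, p, bound, bound)
    ones = factor_over(a, primes)          # were 1 in m, arrived as 0
    zeros = factor_over(b, primes)         # were 0 in m, arrived as 1
    if ones is None or zeros is None:
        raise ValueError("a or b is not a product of message primes")
    m = m_received
    for i in ones:
        m |= 1 << i
    for i in zeros:
        m &= ~(1 << i)
    return m


if __name__ == "__main__":
    k, t = 16, 2
    p = choose_modulus(k, t)
    m = 0xA639                             # constructed 16-bit message
    c = encode(m, k, p)
    print(f"p = {p}, c = {c}, corrected = {decode(c, m ^ 0b101, k, t, p):#06x}")
```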


Up to this point, we assumed errors occurred only in m. To deal with errors in c we use a new code hybridization technique. Gain example for (number-theoretic)+(Reed-Muller) hybridization: a new code which is more efficient than both.

Examples of length n, dimension k and error capacity t for Reed-Muller codes:

n      | k     | t
16     | 11    | 1
64     | 42    | 3
128    | 99    | 3
256    | 163   | 7
512    | 382   | 7
2048   | 1024  | 31
8192   | 5812  | 31
32768  | 9949  | 255
131072 | 65536 | 255

(n, k, t)-codes generated from Reed-Muller by our hybrid construction:

n'    | k     | c(m) | RM(c(m)) | t
638   | 382   | 157  | 256      | 7
7860  | 5812  | 931  | 2048     | 31
98304 | 65536 | 9931 | 32768    | 255


Lemma (Error Correction Hybridization). Assume that there exists a constant δ > 1 such that, for k large enough, n(k) ≥ δk. Then for k large enough, n'(k) ≤ n(k).

[Figure: code length as a function of k. The underlying ECC has length n(k), bounded below by n = δk; the new (hybrid) ECC has length n'; for large k the gap between n(k) and n' is the gain.]

For large enough values of k, the hybrid ECC requires less transmission than both underlying ECCs.


Backtracking-Assisted Multiplication

Motivation

In many cryptographic applications we need to multiply a variable x by a constant c. Examples:
- Diffie-Hellman/DSA: c is g
- Fiat-Shamir: c is a secret key s_i
- Barrett modular reduction: c is ⌊2^L / n⌋
- Montgomery modular reduction: c is 2^(2L) mod n

Question: is there a way to take advantage of the fact that c is constant?


Classically (schoolbook multiplication, shown as a grid on the slide): a quadratic number of byte-by-byte multiplications.


Idea: Replace MULs by ADDs

[Figure (animated over several slides): in the byte-by-byte multiplication grid, the constant's bytes 70, 21 and 91 are highlighted; the rows for 70 and 21 are computed, while the row for 91 = 70 + 21 is marked "Do not compute!" and obtained by addition instead.]

The Algorithm

Because one operand (the red one on the slides) is constant, we may encode its bytes as an addition/subtraction chain departing from two bytes only. We do this by backtracking.

Expected gain for cryptography (1024 bits = 128 bytes):
instead of 128 × 128 byte-by-byte multiplications,
perform only 2 × 128 byte-by-byte multiplications and 126 × 128 byte additions.

Interesting for 8-bit µPs and crypto integers (≃ 1024 bits). Less appealing for bigger chips and/or shorter operands.


The Backtracking Algorithm

Several backtracking trade-offs can be applied. The embedded device will work with 3 RAM registers only:

Backtracking (high-level description, refer to the thesis for details)
  start with two bytes a and b
  try to find r = a + b or r = |a − b| or r = 2a or r = 2b
  if found then
    throw away either a, b or r and continue
  else
    backtrack
  end if

More registers ⇒ longer backtracking time and more RAM usage in the embedded device, but longer chains that will make multiplication faster.


Performance

Comparative performance data for a multiplication by the constant ⌊π 2^1024⌋ are shown below. Backtracking this constant took 85 days on an Altix UV1000 cluster.

Performance on a 68HC05 clocked at 5 MHz:

                | Time   | RAM       | Code Size
Usual Algorithm | 188 ms | 395 bytes | 1.1 kilobytes
New Algorithm   | 72 ms  | 663 bytes | 1.7 kilobytes

Speed-up by a factor of 2.6 using 1.7 times more RAM.


Bonus Features

1. Compatible with Karatsuba when one of the operands is constant: both algorithms can be used simultaneously, causing both speed-ups to add up.
2. We can also envision "multiplication-friendly keys", of lesser entropy but allowing much easier processing, e.g. for Fiat-Shamir. If needed, re-increase the entropy by taking somewhat longer keys.


Fault Attacks on Projective-to-Affine Coordinate Conversion

Elliptic Curve Cryptography

Definition. An elliptic curve over a finite prime field F_p of characteristic p > 3 can be described by its reduced Weierstraß form: E : y^2 = x^3 + ax + b.

Elliptic curves used in cryptography:
- are defined over a finite field F_q, where q is either a prime or q = 2^n;
- have ip points, where p is prime and i ∈ {1, 2, 3, 4};
- p is typically 192 bits long.


Attack by Naccache, Smart and Stern at EUROCRYPT'04

Attack on elliptic curve cryptosystems when the signature scheme returns a point in projective coordinates (X, Y, Z).

Unfeasibility of the NSS attack: in many systems, results are given in affine coordinates (x, y).

Our fault attack model: inject an error during the conversion process to recover the missing Z coordinate. We propose different ways to do so depending on the fault's precision.


Computation of Q = [k]P

Elliptic Curve Scalar Multiplication (ECSM): k is private, P is public.
Is it secure to return the value Q = (X, Y, Z) in Jacobian coordinates? No: "projective coordinates leak" (Naccache, Smart, Stern). Some bits of k can be retrieved.


The NSS attack does not recover all scalar bits, only a few; but this is enough to seriously endanger some protocols.
For the attack to work the result must be in Jacobian coordinates (X, Y, Z); this is never the case in practice, as [k]P is computed in Jacobian coordinates but the result is converted to affine coordinates before being returned.

Our Contribution
Inject a fault during the conversion procedure, so that a faulty result in affine coordinates contains information on the missing coordinate Z.


Conversion Procedure

Convert P = (X, Y, Z) = (xZ^2, yZ^3, Z) from Jacobian to affine coordinates (x, y):

Algorithm CONVERT(X, Y, Z)
  r ← Z^(−1)
  s ← r^2
  x ← X · s
  t ← Y · s
  y ← t · r
  return (x, y)


The Idea

Algorithm CONVERT(X, Y, Z) with a fault on s:
  r ← Z^(−1)
  s ← r^2
  s̃ ← s + ε        (corruption of s)
  x̃ ← X · s̃
  t̃ ← Y · s̃
  ỹ ← t̃ · r
  return (x̃, ỹ)

Equation system:
\[
\tilde{x} = X(s + \varepsilon) \;\Rightarrow\; \tilde{x} = x + xZ^2\varepsilon \bmod p, \qquad
\tilde{y} = Y(s + \varepsilon)\,r \;\Rightarrow\; \tilde{y} = y + yZ^2\varepsilon \bmod p .
\]


Large Unknown Faults and a Correct Result

Equation system with a known result (x, y):
\[
\tilde{x}_i = x + xZ^2\varepsilon_i \;\Rightarrow\; \frac{\tilde{x}_i}{x} - 1 = Z^2\varepsilon_i \bmod p, \quad \text{with } \varepsilon_i < p^a \text{ for some } a < 1
\]
\[
\Rightarrow\; u_i = Z^2\varepsilon_i \bmod p, \quad \text{with } u_i = \frac{\tilde{x}_i}{x} - 1
\]
\[
\Rightarrow\; \varepsilon = s \cdot u \bmod p, \quad \text{with } s = Z^{-2},\ u = (u_1, \ldots, u_n),\ \varepsilon = (\varepsilon_1, \ldots, \varepsilon_n)
\]

Recover ε using LLL: let L be the lattice generated by the vector u and pℤ^n in ℤ^n. Because ε satisfies ε = s · u mod p, ε ∈ L; with ε_i < p^a we can recover ε directly by reducing L using LLL, since ε is a short vector of L.


Two Faults and a Correct Result

Equation system with a known result (x, y):
\[
\frac{\tilde{x}_1}{x} - 1 = u_1 = Z^2\varepsilon_1 \bmod p, \quad \text{with } \varepsilon_1 < \sqrt{p}
\]
\[
\frac{\tilde{x}_2}{x} - 1 = u_2 = Z^2\varepsilon_2 \bmod p, \quad \text{with } \varepsilon_2 < \sqrt{p}
\]
Let α = u_1/u_2 = ε_1 ε_2^(−1) ⇒ problem known as Rational Number Reconstruction, solved using Euclid's algorithm for finding the shortest vector in a bidimensional lattice.

Theorem (already seen during the error-correction part of this presentation). Let ε_1, ε_2 ∈ ℤ such that −A ≤ ε_1 ≤ A and 0 < ε_2 ≤ B. Let p > 2AB be a prime and α = ε_1 ε_2^(−1) mod p. Then ε_1, ε_2 can be recovered from A, B, α, p in polynomial time.

Recover ε_1, ε_2 with A = B = ⌊√p⌋, 2AB < p, 0 ≤ ε_1 ≤ A and 0 < ε_2 ≤ B.


Let G be a public generator of order n. Let (d, P = [d]G) be the key pair of an entity.

ECDSA signature
Input: private key d, message m
Output: signature (r, s)
  k ←$ [1, n − 1]
  Q ← [k]G
  r ← x_Q mod n
  i ← k^(−1) mod n
  s ← i · (dr + m) mod n
  return (r, s)

ECDSA verification
Input: public key P, m, signature (r, s)
Output: True or False
  w ← s^(−1) mod n
  u_1 ← w · m mod n
  u_2 ← w · r mod n
  Q ← [u_1]G + [u_2]P
  v ← x_Q mod n
  return v =? r


Wrong ECDSA signature
Input: private key d, message m
Output: signature (r̃, s̃)
  k ←$ [1, n − 1]
  (x̃_Q, ỹ_Q) ← [k]G        ← fault during the conversion of Q
  r̃ ← x̃_Q mod n
  i ← k^(−1) mod n
  s̃ ← i(d r̃ + m) mod n
  return (r̃, s̃)

Recover the x coordinate of Q
Input: public key P, m, wrong signature (r̃, s̃)
Output: Q
  w̃ ← s̃^(−1) mod n
  ũ_1 ← w̃ · m mod n
  ũ_2 ← w̃ · r̃ mod n
  Q̃ ← [ũ_1]G + [ũ_2]P
\[
\tilde{Q} = \left[\frac{km}{d\tilde{r} + m}\right]G + \left[\frac{k\tilde{r}}{d\tilde{r} + m}\right]P = [k]G = Q
\]
  return Q

Recover the true x coordinate of Q: from (r̃, s̃) we can recover the correct value of x_Q ⇒ recover the Z coordinate of Q ⇒ using the NSS attack, grab a few bits of k.


In the Thesis We Report the Experimental Feasibility of the Attack
- Practical attacks on particular elliptic curve schemes (large unknown faults and two faults)
- Theoretical attack on ECDSA: theoretical because the fault model is too strong.

To Prevent our Attack
Check the validity of the result after conversion to affine coordinates, and not before.
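The following is an added example, not code from the thesis: the CONVERT procedure from the slides with the countermeasure stated above, an on-curve check of the affine result. A corruption of s (the slide's fault model, simulated here by adding a chosen ε) leaves the Jacobian input (X, Y, Z) valid, so a check before conversion passes, while the check after conversion rejects the faulty (x̃, ỹ); the code also confirms the equation system x̃ = x + xZ²ε, ỹ = y + yZ²ε. The field prime, curve coefficients and point are constructed for the demonstration.

```python
P_MOD = (1 << 127) - 1                                 # Mersenne prime, the field F_p
A_COEF = P_MOD - 3                                     # a = -3
X0, Y0 = 5, 7                                          # constructed affine point
B_COEF = (Y0 * Y0 - X0 ** 3 - A_COEF * X0) % P_MOD     # b chosen so (5, 7) lies on E


def on_curve_affine(x, y):
    """Validity check on affine coordinates: y^2 = x^3 + ax + b over F_p."""
    return (y * y - (x ** 3 + A_COEF * x + B_COEF)) % P_MOD == 0


def on_curve_jacobian(X, Y, Z):
    """The same check on (X, Y, Z) = (xZ^2, yZ^3, Z): Y^2 = X^3 + aXZ^4 + bZ^6."""
    return (Y * Y - (X ** 3 + A_COEF * X * Z ** 4 + B_COEF * Z ** 6)) % P_MOD == 0


def to_jacobian(x, y, Z):
    """Represent (x, y) with an arbitrary nonzero Z, as a scalar multiplication would."""
    return x * Z * Z % P_MOD, y * pow(Z, 3, P_MOD) % P_MOD, Z


def convert(X, Y, Z, epsilon=0):
    """CONVERT from the slide; epsilon != 0 simulates the corruption of s."""
    r = pow(Z, -1, P_MOD)
    s = r * r % P_MOD
    s = (s + epsilon) % P_MOD          # s~ = s + epsilon (no fault when epsilon == 0)
    x = X * s % P_MOD
    t = Y * s % P_MOD
    y = t * r % P_MOD
    return x, y


def convert_checked(X, Y, Z, epsilon=0):
    """The countermeasure: validate the result after conversion, not before.
    Returns (x, y) or None when the affine result is not on the curve."""
    x, y = convert(X, Y, Z, epsilon)
    return (x, y) if on_curve_affine(x, y) else None


if __name__ == "__main__":
    X, Y, Z = to_jacobian(X0, Y0, 123456789)
    print("Jacobian input valid before conversion:", on_curve_jacobian(X, Y, Z))
    print("checked conversion, no fault:  ", convert_checked(X, Y, Z))
    print("checked conversion, faulted s: ", convert_checked(X, Y, Z, epsilon=98765))
```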


Conclusion

During the thesis we studied:
- Authentication and encryption: starting from protocol design, passing through algorithmic improvements and getting to attacks
- Cryptographic techniques successfully applied to error-correcting codes
- Several computational improvements.


Thank you for your attention!
