Authentication and Encryption Protocols: Design, Attacks and Algorithmic Tools
Diana Ştefania Maimuţ
December 11, 2015
1 Introduction
2 Preliminaries: Authenticated Encryption; Digital Signatures
3 Protocol Design: Legally Fair Contract Signing without Keystones; Multi-Party Authentication Protocols; An Authenticated Encryption Scheme: Offset Merkle-Damgård
4 Efficiency, Security and Reliability in Embedded Systems: Double-Speed Barrett Moduli; Applying Cryptographic Techniques to Error Correction; A Number-Theoretic Error-Correcting Code; Backtracking-Assisted Multiplication; Fault Attacks on Projective-to-Affine Coordinate Conversion
5 Conclusion
Introduction

Authentication and Encryption
Challenge: design secure and efficient cryptographic protocols.
Our Results:
- A co-signature protocol achieving legal fairness without keystones; a keystone is a digitally signed check given to the aggrieved party by the other party, to compensate a would-be fairness breach
- OMD, a compression-function-based mode of operation providing nonce-based authenticated encryption with associated data (AD)
- A transmission-efficient distributed Fiat-Shamir zero-knowledge protocol enabling network node authentication
Efficiency
Real-world cryptographic applications must not only be secure; they must also be efficient.
Our Results (algorithmic speed-ups):
- A method for doubling the speed of Barrett's algorithm by using specific moduli
- A number-theoretic error-correcting code (ECC) inspired by the Naccache-Stern cryptosystem
- BCH speed-up strategies using polynomial versions of Barrett's algorithm
- A multiplication algorithm for lightweight microprocessors when one of the operands is constant
- A method for regulating the pace of von Neumann randomness extractors
Secure Implementation
Assess and improve the resistance of embedded devices.
Our Results: a new fault attack on elliptic curve cryptography (ECC) implementations. The attack consists in injecting a fault during projective-to-affine coordinate conversion. Countermeasures are also proposed.
Preliminaries

Authenticated Encryption
Authenticated Encryption (AE)
AE is a symmetric-key mechanism providing both confidentiality and data authentication.
Generic composition: generically composed AE algorithms achieve confidentiality and integrity by combining two separate primitives:
- a conventional encryption algorithm for confidentiality
- a MAC algorithm for data authentication
Dedicated solutions: a combined AE functionality rather than separate encryption and MAC.
AE is adopted in many widely implemented standards: SSH, SSL/TLS, IPsec, IEEE 802.11.
Privacy and Integrity in the Generic Composition Context
Can privacy and integrity be achieved by simply combining a traditional encryption algorithm and a MAC? Yes. But algorithmic miscombinations have resulted in several successful attacks, for example message recovery attacks against OpenSSH encryption and BEAST (Browser Exploit Against SSL/TLS).
Digital Signatures
Digital signatures can be considered as the public-key equivalents of MAC algorithms.
Algorithms of a digital signature scheme: KeyGen, Sign, Verify.
Let $k$ be the security parameter and let $1^k$ be the input of the key generation algorithm KeyGen. KeyGen outputs a pair $(pk, sk)$ of public and secret keys. Given a message $m$ and $sk$, Sign outputs a signature $\sigma$. Given $\sigma$, $m$ and $pk$, Verify tests whether $\sigma$ is a valid signature of $m$ with respect to $pk$.
$(pk, sk) \leftarrow \mathrm{KeyGen}(1^k)$
$\sigma \leftarrow \mathrm{Sign}(sk, m)$
$\mathrm{Verify}(\sigma, m, pk) = \mathrm{True}$
A signature, be it physical or digital, must be: undeniable, non-imitable, easy to verify, easy to generate.
Signatures on previously unsigned messages must be impossible to produce by entities who do not possess $sk$.
Some well-known digital signature algorithms: RSA, ElGamal, Schnorr, Girault-Poupard-Stern and ECDSA.
Protocol Design

Legally Fair Contract Signing without Keystones
Context
In many operations, such as contract signing, all participants must show their commitment to a given message. This is done by exchanging digital signatures on the agreed message or by co-signing the message. Typically, co-signatures are used for joint bank account management.
In electronic transactions, fairness remains a fundamental need. Our results mainly focus on fairness in co-signing by two parties.
Prior Work
A protocol is viable if, when both parties follow the protocol properly, the protocol terminates with both parties being committed to the contract.
Early efforts mainly focused on optimistic protocols to achieve computational fairness, i.e. "bit-by-bit" secret exchange.
Ben-Or, Goldreich, Micali and Rivest showed that any viable fair contract signing protocol must rely on a Trusted Third Party (TTP).
Weakenings: gradual release schemes, optimistic schemes and concurrent schemes (using a keystone).
Our Work and New Results
We introduce the new concept of legal fairness without keystones.
Legal Fairness (Definition): any transferable proof of involvement tying one party to a message also ties the other party to the message.
Our idea: verifiers will be given the means to determine when Alice tries to involve Bob. When this happens, verifiers will contact Bob, who will be able to prove Alice's involvement. Legal fairness is achieved without keystones.
Generating a Schnorr Co-Signature of a Message $m$
Alice: reads Bob's directory entry; $y_{A,B} \leftarrow y_A \times y_B$; $k_A \in_R \mathbb{Z}_q^*$; $r_A \leftarrow g^{k_A}$
Bob: reads Alice's directory entry; $y_{A,B} \leftarrow y_A \times y_B$; $k_B \in_R \mathbb{Z}_q^*$; $r_B \leftarrow g^{k_B}$; $\rho \leftarrow H(0 \| r_B)$
Bob → Alice: $\rho$
Alice → Bob: $r_A$
Bob → Alice: $r_B$
Alice: if $H(0 \| r_B) \neq \rho$ then abort; $r \leftarrow r_A \times r_B$; $e \leftarrow H(1 \| m \| r)$; $s_A \leftarrow k_A - e x_A \bmod q$
Bob: $r \leftarrow r_A \times r_B$; $e \leftarrow H(1 \| m \| r)$; $s_B \leftarrow k_B - e x_B \bmod q$
Bob → Alice: $s_B$
Alice: if $s_B$ is incorrect then abort; $s \leftarrow s_A + s_B \bmod q$
Alice → Bob: $s_A$
Bob: if $s_A$ is incorrect then too bad!; $s \leftarrow s_A + s_B \bmod q$
The co-signature $(r, s)$ is verified by checking that $g^{s} \, y_{A,B}^{e} = r$ and $H(1 \| m \| r) = e$.
Our legally fair co-signature protocol produces standard Schnorr signatures and is provably secure in the Random Oracle Model (ROM) under the Discrete Logarithm Problem (DLP) assumption.
Security Analysis
Let $\mathcal{A}_{Alice}$ (respectively $\mathcal{A}_{Bob}$) denote an attacker of the protocol posing as Alice (respectively Bob).
Theorem ($\mathcal{A}_{Alice}$): Let $\{y, g, p, q\}$ be a DLP instance. If $\mathcal{A}_{Alice}$ plays the role of Alice and is able to forge in polynomial time a co-signature with probability $F$, then in the ROM $\mathcal{A}_{Alice}$ can break that DLP instance with high probability in polynomial time.
Theorem ($\mathcal{A}_{Bob}$): Let $\{y, g, p, q\}$ be a DLP instance. If $\mathcal{A}_{Bob}$ plays the role of Bob and is able to forge in polynomial time a co-signature with probability $F$, then in the ROM $\mathcal{A}_{Bob}$ can break that DLP instance with high probability in polynomial time.
Security Analysis: Proof Strategy
Assuming the existence of an efficient forger A for the co-signature scheme, we turn A into an efficient Schnorr signatures forger B. We then use Pointcheval and Stern’s Forking Lemma to transform B into an efficient DLP solver C. Protocol asymmetry: Alice has more information than Bob.
The protocol assumes that Bob is stateful, i.e. that Bob keeps traces of problematic or aborted sessions in an internal nonvolatile memory $L$, and that Alice uses a second digital signature algorithm $\Sigma$.
Green phase: if an issue occurs during this phase no party is harmed; nobody has committed to any meaningful message.
Alice: $y_{A,B} \leftarrow y_A \times y_B$; $k_A \in_R \mathbb{Z}_q^*$; $r_A \leftarrow g^{k_A}$
Bob: $y_{A,B} \leftarrow y_A \times y_B$; $k_B \in_R \mathbb{Z}_q^*$; $r_B \leftarrow g^{k_B}$; $\rho \leftarrow H(0 \| r_B)$
Bob → Alice: $\rho$
Alice: $t \leftarrow \Sigma(r_A \| \mathrm{Alice} \| \mathrm{Bob})$
Alice → Bob: $r_A, t$
Bob: if $t$ is incorrect then abort; store $t$ in $L$
Bob → Alice: $r_B$
Alice: if $H(0 \| r_B) \neq \rho$ then abort; $r \leftarrow r_A \times r_B$; $e \leftarrow H(1 \| m \| r)$; $s_A \leftarrow k_A - e x_A \bmod q$
Bob: $r \leftarrow r_A \times r_B$; $e \leftarrow H(1 \| m \| r)$; $s_B \leftarrow k_B - e x_B \bmod q$; store $s_B$ in $L$
Red phase: this is where things may go wrong.
Breakpoint 1. Bob → Alice: $s_B$. Alice: if $s_B$ is incorrect then abort.
Breakpoint 2. Alice → Bob: $s_A$. Bob: if $s_A$ is incorrect then abort.
Breakpoint 3. Alice: $s \leftarrow s_A + s_B \bmod q$. Bob: $s \leftarrow s_A + s_B \bmod q$; if $\{m, r, s\}$ is valid then erase $t, s_B$ from $L$.
Blue phase: if this part is reached both parties got what they wanted and both are happy.
Analysis of the Green Phase
If the protocol is interrupted before breakpoint 1, no information involving $m$ was released by any of the parties. The protocol's trace can be simulated without Bob as follows:
$s_B, r \xleftarrow{\$} \mathbb{Z}_q$; $e \leftarrow H(1 \| m \| r \| \mathrm{Alice} \| \mathrm{Bob})$; $r_B \leftarrow g^{s_B} y_B^{e}$; $r_A \leftarrow r \times r_B^{-1}$; $t \leftarrow \Sigma(r_A \| \mathrm{Alice} \| \mathrm{Bob})$; $\rho \leftarrow H(0 \| r_B)$.
Bob has only received from Alice the signature of a random integer.
Analysis of the Red Phase
From Alice's perspective: if Bob transmits a wrong or incorrect $s_B$, this is immediately detected by Alice, since $r_B \neq g^{s_B} y_B^{e}$.
From Bob's perspective: Alice can try to construct a fraudulent signature of Bob by stopping the protocol at breakpoint 2: using $s_B$ she can try to construct a valid classical Schnorr signature. Although $s_B$ alone is not a valid Schnorr signature for Bob ($g^{s_B} y_B^{e} = r_B \neq r$), Alice knows $k_A$ and can construct $s' = s_B + k_A \bmod q$, so that $g^{s'} y_B^{e} = r_B \, r_A = r$ and $\{m, r, s'\}$ forms a valid signature of Bob alone on $m$. However, if Alice tries to exhibit a signature of Bob alone on a message they both agreed upon (signing only on Bob's behalf is a fraud), then the court will be able to identify Alice as the fraudster.
Definition: Authorized Signatory Credential
The data field $\Gamma_{Alice,Bob} = \{\mathrm{Alice}, \mathrm{Bob}, k_A, \Sigma(g^{k_A} \| \mathrm{Alice} \| \mathrm{Bob})\}$ is called an authorized signatory credential given by Alice to Bob, where $\Sigma$ is some publicly known auxiliary signature algorithm. Any party who gets $\Gamma_{Alice,Bob}$ can check its validity, and releasing $\Gamma_{Alice,Bob}$ is by convention functionally equivalent to Alice giving her private key $x_A$ to Bob.
Bob stores $t$ (given by Alice) in a local memory $L$ along with $s_B$. Together, $t$ and $s_B$ act as a keystone enabling a verifier, e.g. a court of law (or Bob), to check $\Gamma_{Alice,Bob}$ if Alice exhibits a (fraudulent) signature seemingly binding Bob alone to $m$.
Analysis of the Blue Phase
Finally, if Alice and Bob successfully passed the normal completion breakpoint 3, both parties have the co-signature and are provably committed to $m$.
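The protocol above, run end to end as an added Python example (this is not code from the thesis): the plain Schnorr signature of the Preliminaries, the co-signature with Bob's commitment $\rho$ to $r_B$ and Alice's auxiliary signature $t$, Alice's breakpoint-2 fraud $s' = s_B + k_A$, and the court check that recovers $k_A$ from $s' - s_B$ and matches it against the signed $r_A$. Assumptions of the example: a toy safe-prime Schnorr group is generated at run time; $\Sigma$, which the page leaves unspecified, is taken to be a second Schnorr signature under Alice's own key with a separate hash tag; Alice‖Bob is encoded as the byte strings "Alice" and "Bob"; and the function names, the dictionary standing in for Bob's memory $L$ and the "view" returned to Alice are this example's own.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin, enough to pick a toy safe prime p = 2q + 1 (illustration only)."""
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_group(bits=64):
    """Safe prime p = 2q + 1; g = 4 generates the order-q subgroup of Z_p^*."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def H(q, tag, *parts):
    """H(tag || parts) mod q.  Tag 0: commitment to r_B, 1: challenge, 2: Sigma."""
    h = hashlib.sha256(bytes([tag]))
    for part in parts:
        h.update(part if isinstance(part, bytes) else part.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % q

def keygen(params):
    x = secrets.randbelow(params[1] - 1) + 1
    return x, pow(params[2], x, params[0])          # (secret x, public y = g^x)

def schnorr_sign(params, x, tag, msg):
    """Plain Schnorr: r = g^k, e = H(tag || msg || r), s = k - e x mod q."""
    p, q, g = params
    k = secrets.randbelow(q - 1) + 1
    r = pow(g, k, p)
    return r, (k - H(q, tag, msg, r) * x) % q

def schnorr_verify(params, y, tag, msg, sig):
    p, q, g = params
    return pow(g, sig[1], p) * pow(y, H(q, tag, msg, sig[0]), p) % p == sig[0]

def cosign(params, m, alice, bob, stop_at_breakpoint_2=False):
    """Both roles in one function. Returns (co-signature or None, Bob's memory L, Alice's view)."""
    p, q, g = params
    (xA, yA), (xB, yB) = alice, bob
    kA, kB = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1   # green phase
    rA, rB = pow(g, kA, p), pow(g, kB, p)
    rho = H(q, 0, rB)                                       # Bob -> Alice: rho
    tagged_rA = rA.to_bytes(32, "big") + b"Alice" + b"Bob"
    t = schnorr_sign(params, xA, 2, tagged_rA)              # Alice -> Bob: r_A, t
    if not schnorr_verify(params, yA, 2, tagged_rA, t):
        raise ValueError("Bob aborts: t is incorrect")
    L = {"rA": rA, "t": t}                                  # Bob stores t in L
    if H(q, 0, rB) != rho:                                  # Bob -> Alice: r_B
        raise ValueError("Alice aborts: r_B does not open rho")
    r = rA * rB % p
    e = H(q, 1, m, r)
    sB = (kB - e * xB) % q
    L["sB"] = sB                                            # Bob stores s_B in L
    if pow(g, sB, p) * pow(yB, e, p) % p != rB:             # breakpoint 1: Bob -> Alice: s_B
        raise ValueError("Alice aborts: s_B is incorrect")
    if stop_at_breakpoint_2:                                # Alice keeps s_B and walks away
        return None, L, {"kA": kA, "sB": sB, "r": r}
    sA = (kA - e * xA) % q                                  # breakpoint 2: Alice -> Bob: s_A
    if pow(g, sA, p) * pow(yA, e, p) % p != rA:
        raise ValueError("Bob aborts: s_A is incorrect")
    s = (sA + sB) % q                                       # breakpoint 3
    if schnorr_verify(params, yA * yB % p, 1, m, (r, s)):
        L.clear()                                           # valid: erase t, s_B from L
    return (r, s), L, {"kA": kA, "sB": sB, "r": r}

def forge_bob_alone(params, view):
    """Alice's breakpoint-2 fraud: s' = s_B + k_A verifies as Bob's signature alone."""
    return view["r"], (view["sB"] + view["kA"]) % params[1]

def court_check(params, yA, claimed_sig, L):
    """Court: k_A = s' - s_B opens Alice's signed r_A, i.e. her credential Gamma is out."""
    p, q, g = params
    kA = (claimed_sig[1] - L["sB"]) % q
    tagged_rA = L["rA"].to_bytes(32, "big") + b"Alice" + b"Bob"
    return pow(g, kA, p) == L["rA"] and schnorr_verify(params, yA, 2, tagged_rA, L["t"])
```

A completed run verifies under $y_{A,B} = y_A y_B$ and leaves $L$ empty; a run stopped at breakpoint 2 leaves $\{r_A, t, s_B\}$ in $L$, the forged pair verifies under $y_B$ alone, and court_check returns True because $s' - s_B$ is exactly the $k_A$ behind the $r_A$ Alice signed.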
Multi-Party Authentication Protocols
Our Result
We describe an authentication protocol for checking network integrity, leveraging network topology to reduce transmission. The verifier detects malicious nodes that do not possess correct keys, as well as unresponsive nodes. This is useful in the context of wireless sensor networks and the Internet of Things (IoT).
Prior Work
Base station authentication: Anshul and Roy, a modified version of the Guillou-Quisquater identification scheme combined with the µTESLA protocol for authenticated broadcast in lightweight devices.
Close to our goal: aggregate signatures. Non-interactive but computationally expensive (they usually use pairings).
Even closer to our goal: Udgata et al. only authenticate two nodes at a time, and the base station acts as a TTP.
Fiat-Shamir Authentication
This protocol allows a prover $P$ to convince a verifier $V$ that $P$ possesses a secret key without revealing the secret key. Let $n$ be an RSA modulus. $P$ selects secrets $s_1, \ldots, s_k < n$ with $\gcd(n, s_i) = 1$, computes $v_i = s_i^2 \bmod n$ and publishes $v_1, \ldots, v_k$ as its public key.
Prover: $r \in_R [1, n-1]$; $x \leftarrow r^2 \bmod n$
$P \to V$: $x$
Verifier: check $x \neq 0$; $e_1, \ldots, e_k \in_R \{0, 1\}$
$V \to P$: $e_1, \ldots, e_k$
Prover: $y \leftarrow r \prod_{i=1}^{k} s_i^{e_i} \bmod n$
$P \to V$: $y$
Verifier: check $y^2 = x \prod_{i=1}^{k} v_i^{e_i} \bmod n$
Fiat-Shamir zero-knowledge authentication protocol.
Distributed Fiat-Shamir Authentication
Given a $k$-node network $P_1, \ldots, P_k$, we consider the nodes $P_i$ as vertices in a graph and the network connections between them as edges. A specific node $V$ wishes to authenticate the graph as a whole. Each $P_i$ is given its own secret $s_i$.
[Figures: the proposed algorithm running on a network. Step 1, the construction of $x$: each node $P_i$ computes $x_i = r_i^2$ and the values are multiplied together along the tree towards $V$, giving $x = \prod_i x_i \bmod n$. Step 2, the propagation of $e$: $V$ broadcasts the challenge $e$ down the tree. Step 3, the construction of $y$: each node computes $y_i = r_i s_i^{e_i}$ and the values are multiplied back up to $V$, giving $y = \prod_i y_i \bmod n$.]
Security
We prove:
Soundness: if the authentication protocol succeeds, then with overwhelming probability all network nodes are genuine and responsive.
Zero-knowledge: the distributed authentication protocol achieves statistical zero-knowledge.
Parameters and Complexity
Choice of parameters, for a desired security level $2^{\lambda}$: the protocol should be run $t \geq \lceil \lambda / k \rceil$ times, and $n$ should take more than $2^{\lambda} t$ operations to factor. Private and public keys are $\log_2 n$ bits long.
Complexity: the effort required to authenticate the network is $2kt$ modular squarings, $\leq 3kt$ modular multiplications.
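The single-prover protocol and its distributed version above, run end to end as an added Python example (not the thesis's code). Each node keeps one secret $s_i$ and relays for its children, so steps 1 to 3 are the three tree traversals: $x$ multiplied up, $e$ pushed down, $y$ multiplied up, with $V$ checking $x \neq 0$ and $y^2 = x \prod v_i^{e_i}$. Assumptions of the example: the tree $P_1 \to \{P_2 \to \{P_4, P_5\}, P_3 \to \{P_6\}\}$, the challenge carried as a dictionary of one bit per node, the toy modulus $n = (2^{61}-1)(2^{89}-1)$ (trivially factorable, illustration only), and the 40-round count, chosen independently of the parameter rule stated above. A node without its secret can still pass a round by guessing $e_i$ in advance and preparing $x_i = r_i^2 v_i^{-e_i}$, which is why rounds are repeated; an unresponsive node is modelled as contributing 0 so that the $x \neq 0$ check rejects it, this example's stand-in for a timeout.

```python
import secrets

N = ((1 << 61) - 1) * ((1 << 89) - 1)   # toy RSA modulus: two Mersenne primes, example only

class Node:
    """Honest node P_i: holds s_i, publishes v_i = s_i^2 mod n, relays for its children."""

    def __init__(self, name, children=()):
        self.name, self.children, self.r = name, list(children), None
        self.s = secrets.randbelow(N - 2) + 2            # gcd(s, n) = 1 except with negligible probability
        self.v = self.s * self.s % N

    def public_keys(self):
        keys = {self.name: self.v}
        for c in self.children:
            keys.update(c.public_keys())
        return keys

    def commit(self):
        """Step 1: x_i = r_i^2, multiplied with the children's values on the way up."""
        self.r = secrets.randbelow(N - 1) + 1
        x = self.r * self.r % N
        for c in self.children:
            x = x * c.commit() % N
        return x

    def respond(self, e):
        """Steps 2-3: e arrives from the parent; y_i = r_i s_i^{e_i} is multiplied on the way up."""
        y = self.r * pow(self.s, e[self.name], N) % N
        for c in self.children:
            y = y * c.respond(e) % N
        return y

class CheatingNode(Node):
    """Knows v_i but not s_i: guesses e_i and prepares x_i = r_i^2 v_i^{-guess}."""

    def __init__(self, name, children=()):
        super().__init__(name, children)
        del self.s                                       # the real secret is not available

    def commit(self):
        self.r, self.guess = secrets.randbelow(N - 1) + 1, secrets.randbits(1)
        x = self.r * self.r * pow(self.v, -self.guess, N) % N   # v^{-1} mod n via pow(v, -1, N)
        for c in self.children:
            x = x * c.commit() % N
        return x

    def respond(self, e):
        y = self.r if e[self.name] == self.guess else 0  # wrong guess: no valid y_i can be produced
        for c in self.children:
            y = y * c.respond(e) % N
        return y

class SilentNode(Node):
    """Unresponsive node: never answers, modelled here as contributing 0 (a timeout)."""

    def commit(self):
        return 0

    def respond(self, e):
        return 0

def authenticate(root, rounds):
    """Verifier V attached to `root`: accept only if every round checks out."""
    keys = root.public_keys()
    for _ in range(rounds):
        x = root.commit()
        if x == 0:                                        # a silent node somewhere in the tree
            return False
        e = {name: secrets.randbits(1) for name in keys}  # one challenge bit per node
        y = root.respond(e)
        rhs = x
        for name, v in keys.items():
            if e[name]:
                rhs = rhs * v % N
        if y * y % N != rhs:
            return False
    return True

def build_network(bad=None):
    """Tree P1 -> {P2 -> {P4, P5}, P3 -> {P6}}; `bad` is a node class planted at P5."""
    p5 = (bad or Node)("P5")
    return Node("P1", [Node("P2", [Node("P4"), p5]), Node("P3", [Node("P6")])])
```

Each round costs three messages on every edge regardless of the number of nodes, which is the transmission saving the slide refers to; the cheating node passes a round only when its guess matches $e_i$, so after 40 rounds it survives with probability $2^{-40}$.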
An Authenticated Encryption Scheme: Offset Merkle-Damgård
OMD is a CAESAR candidate (selected for the second phase of the competition) and a compression-function-based mode of operation for AEAD.
Security features: confidentiality for the plaintext; authenticity for the nonce, associated data and plaintext; provable security in the standard model based on the PRF assumption: if the compression function keyed via its message input is a PRF, then OMD is a secure AEAD scheme.
Nonce-based Authenticated Encryption with Associated Data
Notations: $N$: nonce (e.g. fresh random or a public message number); $M$: plaintext that needs to be encrypted and authenticated; $AD$: associated data that will be authenticated but not encrypted; $C$: ciphertext; $K$: secret key.
[Figure: $\mathrm{ENC}_K(N, M, AD) \to C$ and $\mathrm{DEC}_K(N, C, AD) \to M$ or $\bot$.]
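An added Python example, not code from the thesis or from OMD, of the ENC/DEC interface above built by generic composition, the safe way to combine the two primitives discussed under Preliminaries: Encrypt-then-MAC with separate keys, the tag computed over $N$, $AD$ and $C$ with length prefixes so that all three are authenticated, and DEC returning None (the $\bot$ of the figure) on any failure before touching the plaintext. The keystream (HMAC-SHA256 in counter mode), the key-derivation labels, the 128-bit tag and the sample key, nonce and message are all constructed for this example. The last function shows the nonce-based caveat: a repeated $N$ under one key leaks $M_1 \oplus M_2$.

```python
import hashlib
import hmac

TAG_LEN = 16   # tau = 128 bits, this example's choice

def derive_keys(K):
    """Key separation: never use one key for both the cipher and the MAC."""
    k_e = hmac.new(K, b"enc", hashlib.sha256).digest()
    k_m = hmac.new(K, b"mac", hashlib.sha256).digest()
    return k_e, k_m

def keystream(k_e, N, length):
    """Stream cipher: block i of keystream is HMAC(k_e, N || i)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(k_e, N + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def mac_input(N, AD, C):
    """Unambiguous encoding: length prefixes so (AD, C) boundaries cannot be shifted."""
    return len(N).to_bytes(2, "big") + N + len(AD).to_bytes(8, "big") + AD + C

def enc(K, N, M, AD=b""):
    """ENC_K(N, M, AD) -> C || tag."""
    k_e, k_m = derive_keys(K)
    C = bytes(a ^ b for a, b in zip(M, keystream(k_e, N, len(M))))
    tag = hmac.new(k_m, mac_input(N, AD, C), hashlib.sha256).digest()[:TAG_LEN]
    return C + tag

def dec(K, N, CT, AD=b""):
    """DEC_K(N, C || tag, AD) -> M, or None (bottom): verify first, decrypt only on success."""
    if len(CT) < TAG_LEN:
        return None
    k_e, k_m = derive_keys(K)
    C, tag = CT[:-TAG_LEN], CT[-TAG_LEN:]
    expected = hmac.new(k_m, mac_input(N, AD, C), hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):          # constant-time comparison
        return None
    return bytes(a ^ b for a, b in zip(C, keystream(k_e, N, len(C))))

def demo():
    """Constructed sample run: honest round trip plus the three tampering cases."""
    K = bytes(range(32))
    N = b"\x00" * 11 + b"\x01"                           # must never repeat under K
    AD, M = b"hdr:v1", b"attack at dawn"
    CT = enc(K, N, M, AD)
    return {
        "roundtrip": dec(K, N, CT, AD) == M,
        "bit_flip_rejected": dec(K, N, bytes([CT[0] ^ 1]) + CT[1:], AD) is None,
        "ad_change_rejected": dec(K, N, CT, b"hdr:v2") is None,
        "nonce_change_rejected": dec(K, N[:-1] + b"\x02", CT, AD) is None,
    }

def nonce_reuse_leak(K, N, M1, M2):
    """Why N must be unique per key: ciphertexts under one nonce XOR to M1 xor M2."""
    C1, C2 = enc(K, N, M1)[:len(M1)], enc(K, N, M2)[:len(M2)]
    return bytes(a ^ b for a, b in zip(C1, C2)) == bytes(a ^ b for a, b in zip(M1, M2))
```

The order matters: the tag is checked before any decryption, so a receiver never acts on unauthenticated bytes, which is the property the miscombinations mentioned under Preliminaries lacked.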
The Merkle-Damgård (MD) Construction
[Figure: $IV$ and the message blocks $M_1, M_2, \ldots$ are fed through a chain of $F_K$ calls, each taking the previous output and the next block.]
Assumption: the keyed compression function $F_K$ is a PRF. If $F_K$ is a PRF then MD is also a PRF (result by Bellare and Ristenpart).
OMD: A Nonce-Based AE Scheme Using the MD Construction
[Figure: encrypting a message $M_1, \ldots, M_\ell$ whose length is a multiple of the block length. The chain starts from $\langle 0 \rangle$ and runs through $F_K$ with the offsets $\Delta_{N,1,0}, \Delta_{N,2,0}, \ldots, \Delta_{N,\ell,1}$; each chaining output is XORed with the corresponding message block to give $C_1, \ldots, C_\ell$, and the final call, with $\langle \tau \rangle$ as its last input, yields the tag Tag truncated to $\tau$ bits.]
Encryption is also possible when the message size is not a multiple of the block length (details in the thesis). OMD is a provably secure nonce-based AE algorithm integrating a modified MD pass with a XOR MAC.
Security
$\sigma_e$: total number of calls to the compression function in encryption queries; $\sigma$: total number of calls to the compression function in all (encryption and verification) queries; $q_e$: the number of encryption queries; $q_v$: the number of decryption (verification) queries; $\ell_{max}$: the maximum number of internal calls to the compression function in any query; $n$: the output length of the compression function in bits; $\tau$: the tag length; $t' = t + cn\sigma$, where $t$ is the time complexity and $c$ is a constant.
We prove that:
$$\mathrm{Adv}^{priv}_{OMD[F,\tau]}(t, q_e, \sigma_e, \ell_{max}) \leq \mathrm{Adv}^{prf}_{F}(t', 2\sigma_e) + \frac{3\sigma_e^2}{2^n}$$
$$\mathrm{Adv}^{auth}_{OMD[F,\tau]}(t, q_e, q_v, \sigma, \ell_{max}) \leq \mathrm{Adv}^{prf}_{F}(t', 2\sigma) + \frac{3\sigma^2}{2^n} + \frac{q_v \ell_{max}}{2^n} + \frac{q_v}{2^{\tau}}$$
Lightweight Cryptography
Cryptographic primitives and computational techniques suitable for implementations in resource-constrained devices.

Trade-Offs
Challenge: reach sufficient security using only little computing power. The trade-off between lightweightness and security is the cornerstone of lightweight cryptography.
Trade-offs
[Figure: physical and algorithmic trade-offs. Labels recovered from the figure: HW (more security, fewer functions), SW (more functions, less security), Low Cost, Area, Security, Throughput, Performance, Energy, Power, type of architecture (µC, µP).]
Securing Devices
Double-Speed Barrett Moduli
A Method Allowing to Double the Speed of Barrett's Algorithm
  Moduli having predetermined bit portions are generally considered as safe as moduli that do not feature predetermined bit portions.
  Several techniques for generating such moduli are well known.
RSA moduli with a predetermined portion (the leading bits) are used to reduce storage or computations.

Generating Moduli with a Predetermined Portion
  Input: N, H ≤ N/2, n_h < 2^H
  Output: n = n_h × 2^{N−H} + n_ℓ, such that 0 < n_ℓ < 2^{N−H}
    Generate a random prime p such that 2^{N−H−1} < p < 2^{N−H} − 1
    η ← n_h × 2^{N−H}
    ω ← ⌈η / p⌉
    q ← NextPrime(ω)
    n ← p q
    return n

Lemma. Consider the above parameters and let m = q − ω. Then n < n_h 2^{N−H} + (1 + m)(2^{N−H} − 1) and ω < 2^{H+1} + 1.
Barrett's Algorithm
Barrett's method assembles the operation a mod b from bit shifts, multiplications and additions in ℕ.

Barrett's Algorithm (≫ denotes a right shift)
  Input: n < 2^N, d < 2^D, κ = ⌊2^L / n⌋, where N ≤ D ≤ L
  Output: c = d mod n
    c_1 ← d ≫ (N − 1)
    c_2 ← c_1 × κ
    c_3 ← c_2 ≫ (L − N + 1)
    c_4 ← d − n × c_3
    while c_4 ≥ n do
      c_4 ← c_4 − n
    end while
    return c_4
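Barrett's algorithm from the slide as runnable Python (an added example, not the thesis' code). It checks the shift-multiply-shift estimate against Python's `%` on random operands and counts the final correction subtractions; it also computes κ for the 100-bit example n given on the next slides and measures the run of leading 1 bits of κ, which is the part of the multiplication a Barrett-friendly modulus lets one skip.

```python
import random


def barrett_precompute(n, L):
    """kappa = floor(2^L / n): computed once per modulus and reused."""
    return (1 << L) // n


def barrett_reduce(d, n, kappa, N, L):
    """Barrett reduction as on the slide (n < 2^N, d < 2^D, N <= D <= L).
    Returns (d mod n, number of final subtractions)."""
    assert 0 < n < (1 << N) and 0 <= d < (1 << L)
    c1 = d >> (N - 1)           # shift: drop the low N-1 bits of d
    c2 = c1 * kappa             # one multiplication by the precomputed kappa
    c3 = c2 >> (L - N + 1)      # shift: quotient estimate (never too large)
    c4 = d - n * c3             # one multiplication by n
    fixes = 0
    while c4 >= n:              # the estimate is slightly low: correct by subtraction
        c4 -= n
        fixes += 1
    return c4, fixes


def leading_ones(x):
    """Length of the run of 1 bits at the top of x.  For a Barrett-friendly
    modulus these leading bits of kappa need no multiplication."""
    count = 0
    for bit in range(x.bit_length() - 1, -1, -1):
        if not (x >> bit) & 1:
            break
        count += 1
    return count


def check_random(N, L, trials=2000, seed=1):
    """Compare against Python's % on random (n, d); return (all_correct, max_fixes).
    With n >= 2^(N-1) and d < 2^L the correction loop runs at most three times."""
    rng = random.Random(seed)
    worst = 0
    for _ in range(trials):
        n = rng.randrange(1 << (N - 1), 1 << N)     # full-size modulus
        d = rng.randrange(0, 1 << L)                 # D = L: largest allowed operand
        kappa = barrett_precompute(n, L)
        c, fixes = barrett_reduce(d, n, kappa, N, L)
        if c != d % n:
            return False, worst
        worst = max(worst, fixes)
    return True, worst
```

With the example modulus of the "Barrett-Friendly Moduli" slide (N = 100, L = 200), κ = ⌊2^200 / n⌋ starts with a run of 43 one bits, which is exactly why the leading part of κ costs nothing to multiply by.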
Barrett-Friendly Moduli (New Idea)
Goal: generate a composite n whose leading bits do not need to be multiplied and whose associated κ also has a most significant part that does not need to be multiplied.

Example. Let N = 100 and L = 200 (values in hexadecimal).
  r = 1ace38e78e29f
  p = 322a28626f0a7
  q = 51a6acec7fcd5
  η = 8000000000001ace38e78e29f
  ω = 28d356763fe4a
  n = 80000000000a8c93071ac14d9
  κ = 1ffffffffffd5cdb3e394fe440
Barrett-friendly RSA modulus generator
  Input: L = 2N = 4U
  Output: n, an RSA modulus such that 2^{N−1} < n < 2^{N−1} + (0.7U + 2)(2^U − 1), whose associated κ is such that 2^{N+1} − 2^{U+1}(1 + 0.7U) < κ < 2^{N+1}
    Generate a random integer r such that 2^{U−1} < r < 2^U − 1
    η ← 2^{N−1} + r
    Generate a random prime p such that 2^{U−1} < p < 2^U − 1
    ω ← ⌈η / p⌉
    q ← NextPrime(ω)
    n ← p × q
    return n
Lemma. If 0 < x < 2^{P/2−1}, then ⌊2^{2P} / (2^{P−1} + x)⌋ = 2^{P+1} − 4x.

Lemma: Bounding n, ω and κ. Consider the parameters used in the above algorithm and let m = q − ω. Then:
  n < 2^{N−1} + (2 + m)(2^U − 1)
  2^{N+1} − 2^{U+1}(1 + m) < κ < 2^{N+1}
  ω < 2^U + 2.
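The Barrett-friendly RSA modulus generator above, as an added Python example (not the thesis' implementation). Miller-Rabin and the NextPrime search are this example's own helpers. `check_bounds` generates a modulus for a given U and evaluates the quantities of the lemma (n, ω, κ, m): the bounds on n, ω and the upper bound on κ are returned as booleans, and the slack 2^{N+1} − κ is returned next to the lemma's quantity 2^{U+1}(1 + m) so the two can be compared; the generic observation that κ ≈ 2^{N+1} − 4(n − 2^{N−1}) is what the first lemma expresses.

```python
import random


def is_probable_prime(n, rounds=16, rng=random.Random(7)):
    """Miller-Rabin primality test (probabilistic; adequate for this demonstration)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(x):
    """NextPrime(x): the smallest prime >= x."""
    while not is_probable_prime(x):
        x += 1
    return x


def gen_barrett_friendly_modulus(U, rng):
    """The slide's generator with L = 2N = 4U.  Returns (n, p, q, r, eta, omega)."""
    N = 2 * U
    r = rng.randrange((1 << (U - 1)) + 1, (1 << U) - 1)       # 2^{U-1} < r < 2^U - 1
    eta = (1 << (N - 1)) + r                                  # predetermined leading bits
    while True:                                               # random prime 2^{U-1} < p < 2^U - 1
        p = rng.randrange((1 << (U - 1)) + 1, (1 << U) - 1)
        if is_probable_prime(p):
            break
    omega = -(-eta // p)                                      # ceiling of eta / p
    q = next_prime(omega)
    return p * q, p, q, r, eta, omega


def check_bounds(U, seed=3):
    """Generate one modulus and evaluate the quantities of the lemma."""
    rng = random.Random(seed)
    N, L = 2 * U, 4 * U
    n, p, q, r, eta, omega = gen_barrett_friendly_modulus(U, rng)
    m = q - omega
    kappa = (1 << L) // n
    return {
        "n": n, "p": p, "q": q, "omega": omega, "m": m, "kappa": kappa,
        "n_lower": (1 << (N - 1)) < n,
        "n_upper": n < (1 << (N - 1)) + (2 + m) * ((1 << U) - 1),
        "omega_bound": omega < (1 << U) + 2,
        "kappa_upper": kappa < (1 << (N + 1)),
        "kappa_slack": (1 << (N + 1)) - kappa,       # how far kappa sits below 2^{N+1}
        "kappa_lemma": (1 << (U + 1)) * (1 + m),     # the lemma's quantity, for comparison
        "four_delta": 4 * (n - (1 << (N - 1))),      # first-order prediction of the slack
    }
```

For U = 32 (a 64-bit n, 128-bit L) the generator runs in well under a second; the same code with U = 512 produces a 2048-bit modulus whose top bits, and whose κ's top bits, are fixed in advance.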
The same can be even further extended. Here are Schnorr parameters p, q, κ_p, κ_q that are all multiplication friendly.

Example. Let P = 1024 and Q = 160.
  ω = 299
  i_p = 1
  L_q = 2 · 160
  q = 2^159 + 299
  κ_q = 2^163 − 4 · 299
  L_p = 2 · 1024 = 2^11
  p = (2^864 + 2) q + 1 = (2^864 + 2)(2^159 + 299) + 1
  x = 2^160 + 299 · 2^864 + 2 · 299 + 1
  $\kappa_p = 2^{71} \sum_{k=0}^{5} 2^{159k} (-299)^{6-k} - 2^{162} + 2^{387}$
Details in the thesis.
Applying Cryptographic Techniques to Error Correction
Context
Bose-Chaudhuri-Chaum (BCH) codes:
  are widely used for error correction in digital systems, memory devices and computer networks;
  require repeated polynomial reductions modulo the same constant polynomial, which is conceptually similar to the implementation of public-key cryptography.

Idea: Apply Cryptographic Techniques to Error Correction
Transfer the modular reduction expertise developed by cryptographers to obtain new BCH speed-up strategies: we propose a "polynomialization" of Barrett's modular reduction algorithm.
Preliminaries
Generalization of the shift operator ≫. Let
  $P = \sum_{i=0}^{\alpha} p_i \prod_{j=1}^{\nu} x_j^{y_{j,i}} \in \mathbb{Q}[\vec{x}]$
and $\vec{a} = \langle a_1, a_2, \ldots, a_\nu \rangle \in \mathbb{N}^\nu$. We denote
  $P \gg \vec{a} = \sum_{i \in \varphi(\vec{a})} p_i \prod_{j=1}^{\nu} x_j^{y_{j,i} - a_j} \in \mathbb{Q}[\vec{x}]$, where $\varphi(\vec{a}) = \{ i : \forall j,\ y_{j,i} \ge a_j \}$.
Barrett's Algorithm for Polynomials

Theorem: Barrett's Algorithm for Polynomials. Let
  $P = \sum_{i=0}^{\alpha} p_i \prod_{j=1}^{\nu} x_j^{y_{j,i}} \in \mathbb{Q}[\vec{x}]$ and $Q = \sum_{i=0}^{\beta} q_i \prod_{j=1}^{\nu} x_j^{w_{j,i}} \in \mathbb{Q}[\vec{x}]$ s.t. $\mathrm{lm}(Q) \ge \mathrm{lm}(P)$,
  $L \ge \max w_{j,i}$, $L \in \mathbb{N}$, $h(L) = \prod_{j=1}^{\nu} x_j^{L}$ and $K = \left\lfloor \frac{h(L)}{P} \right\rfloor$,
  $\vec{y}_0 = \langle y_{1,0}, y_{2,0}, \ldots, y_{\nu,0} \rangle \in \mathbb{N}^\nu$.
Given the above notations,
  $(K (Q \gg \vec{y}_0)) \gg (\langle L^\nu \rangle - \vec{y}_0) = \left\lfloor \frac{Q}{P} \right\rfloor$.
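An added example (not the thesis' code) of the univariate binary case of the theorem, ν = 1 over GF(2)[x], which is the case a BCH encoder needs. Polynomials are Python ints (bit i is the coefficient of x^i), h(L) = x^L, K = x^L div P, and the quotient is (K · (Q ≫ deg P)) ≫ (L − deg P). When deg Q ≤ L this quotient is exact, so, unlike the integer algorithm, no correction loop is needed; the code checks this against schoolbook long division. The modulus 0x1D1 = x^8 + x^7 + x^6 + x^4 + 1 = (x^4 + x + 1)(x^4 + x^3 + x^2 + x + 1) used in the encoder demonstration is this example's own choice.

```python
import random


def gf2_deg(a):
    """Degree of a GF(2)[x] polynomial held in an int (deg 0 = -1)."""
    return a.bit_length() - 1


def gf2_mul(a, b):
    """Carry-less product of two GF(2)[x] polynomials."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def gf2_divmod(a, b):
    """Schoolbook long division in GF(2)[x]: returns (quotient, remainder)."""
    assert b != 0
    q, db = 0, gf2_deg(b)
    while a and gf2_deg(a) >= db:
        shift = gf2_deg(a) - db
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def barrett_precompute(P, L):
    """K = x^L div P, computed once per modulus (h(L) = x^L for nu = 1)."""
    return gf2_divmod(1 << L, P)[0]


def barrett_divmod(Q, P, K, L):
    """Polynomial Barrett: quotient = (K * (Q >> deg P)) >> (L - deg P).
    Exact whenever deg Q <= L, so the remainder is simply Q - quotient * P."""
    assert gf2_deg(Q) <= L
    n = gf2_deg(P)
    quot = gf2_mul(Q >> n, K) >> (L - n)
    return quot, Q ^ gf2_mul(quot, P)


def bch_encode(msg, g, n, k):
    """Systematic cyclic encoding: codeword = msg * x^(n-k) + (msg * x^(n-k) mod g),
    with the reduction done by polynomial Barrett instead of an LFSR."""
    assert msg < (1 << k) and gf2_deg(g) == n - k
    shifted = msg << (n - k)
    L = n - 1                                  # deg(shifted) <= n - 1
    K = barrett_precompute(g, L)
    return shifted ^ barrett_divmod(shifted, g, K, L)[1]


def check_against_long_division(P, L, trials=500, seed=1):
    """Random Q with deg Q <= L: Barrett must agree with long division every time."""
    rng = random.Random(seed)
    K = barrett_precompute(P, L)
    for _ in range(trials):
        Q = rng.randrange(0, 1 << (L + 1))
        if barrett_divmod(Q, P, K, L) != gf2_divmod(Q, P):
            return False
    return True
```

In hardware the point is that K is a constant, so the carry-less multiplication by K and the shifts become fixed XOR networks, which is the design the synthesis table on the next slide compares against LFSR encoders.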
Performance
We implemented in FPGA several BCH encoders using standard polynomial reduction methods (the first three rows below) and compared them to polynomial Barrett circuits (the last two rows). Our BCH-Barrett design halves power consumption and multiplies throughput by 4.

Our synthesis results for five BCH encoder designs
  Design                  Gate Instances   Gate Equivalent   Max Frequency (MHz)   Throughput (Mbps)   Power (nW)
  BCH-Standard            310              447               741                   690                 978
  BCH-LFSR                155              223               1043                  972                 920
  BCH-LFSR-improved       160              236               1043                  2080                952
  BCH-Barrett             194              260               655                   9150                512
  BCH-Barrett-pipelined   426              591               995                   13900               2208

Full details and circuit schematics in the thesis.
A Number-Theoretic Error-Correcting Code
Generate a large prime p, where p_i stands for the i-th prime. To encode a message $m = \sum_{i=0}^{k-1} 2^i m_i$ the sender computes:
  $c = p_0^{m_0} \times \ldots \times p_{k-1}^{m_{k-1}} \bmod p$
{c, m} is sent over the noisy channel. We first assume that errors occurred only in m. Upon reception of {c, m'} the receiver can compute
  $c' = p_0^{m'_0} \times \ldots \times p_{k-1}^{m'_{k-1}} \bmod p$
and divide out modulo p all the common (unflipped) bits of m and m'.
Let d = c/c' mod p. We use the extended Euclidean algorithm to write d as a modular ratio s = a/b mod p of two integers a, b of size ≃ √p.

Theorem. Let a, b ∈ ℤ such that −A ≤ a ≤ A and 0 < b ≤ B. Let p be some prime integer such that 2AB < p. Let s = a · b^{−1} mod p. Then given A, B, s and p, a and b can be recovered in polynomial time.

If there were not too many errors, a and b will factor over the integers into products of small primes. The primes present in a encode the bits equal to 1 in m and reset to 0 in m' during transmission. The primes present in b encode the bits equal to 0 in m that flipped into 1 in m' during transmission.
To correct t errors in a k-bit message the size of p should be: $2 p_k^{2t} < p < 4 p_k^{2t}$ (bounding the worst case where all errors affect the end of the message).
Using $p_k \simeq k \log k$ we get $\log_2 p \simeq 2t \cdot \frac{\log(k \log k)}{\log 2}$.
Given t and k, the error-correcting code can be easily instantiated.
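The number-theoretic code of the three slides above, as an added Python example (not the thesis' code): parameter sizing 2p_k^{2t} < p < 4p_k^{2t} with A = B = p_k^t, encoding c = ∏ p_i^{m_i} mod p, and decoding by rational reconstruction of d = c/c' mod p (the extended Euclidean algorithm of the theorem) followed by factoring a and b over the first k primes. The prime-finding helpers and the sample message are constructed for the example; errors in c itself are not handled here, as on the slides so far.

```python
from math import isqrt


def first_primes(k):
    """p_0 = 2, p_1 = 3, ...: the first k primes."""
    primes, cand = [], 2
    while len(primes) < k:
        if all(cand % q for q in primes if q * q <= cand):
            primes.append(cand)
        cand += 1
    return primes


def next_prime(x):
    """Smallest prime >= x (trial division is fine at the sizes used here)."""
    while True:
        if x >= 2 and all(x % q for q in range(2, isqrt(x) + 1)):
            return x
        x += 1


def make_params(k, t):
    """Slide's sizing: 2 p_k^{2t} < p < 4 p_k^{2t}, p_k the largest of the k primes.
    A = B = p_k^t bounds numerator and denominator when at most t bits flipped."""
    primes = first_primes(k)
    pk = primes[-1]
    p = next_prime(2 * pk ** (2 * t) + 1)
    assert p < 4 * pk ** (2 * t)            # Bertrand's postulate guarantees this
    A = B = pk ** t
    return primes, p, A, B


def encode(bits, primes, p):
    """c = prod p_i^{m_i} mod p, where bits[i] is m_i."""
    c = 1
    for bit, q in zip(bits, primes):
        if bit:
            c = c * q % p
    return c


def rational_reconstruct(s, p, A, B):
    """Find (a, b) with a = s*b mod p, |a| <= A, 0 < b <= B (unique when 2AB < p):
    run the extended Euclidean algorithm on (p, s) until the remainder drops to <= A."""
    r0, r1 = p, s % p
    t0, t1 = 0, 1                     # invariant: r_i = t_i * s (mod p)
    while r1 > A:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    if t1 < 0:
        r1, t1 = -r1, -t1
    if t1 == 0 or t1 > B:
        return None
    return r1, t1


def factor_over(x, primes):
    """Indices i with p_i | x, provided x is a squarefree product of the primes; else None."""
    idx = []
    for i, q in enumerate(primes):
        if x % q == 0:
            x //= q
            idx.append(i)
            if x % q == 0:            # a repeated prime cannot encode a single bit flip
                return None
    return idx if x == 1 else None


def decode(c, received_bits, primes, p, A, B):
    """Correct bit flips in the received message using the intact check value c."""
    c2 = encode(received_bits, primes, p)
    d = c * pow(c2, -1, p) % p        # = (product of 1->0 primes) / (product of 0->1 primes)
    rec = rational_reconstruct(d, p, A, B)
    if rec is None or rec[0] <= 0:
        return None                   # too many errors: no small ratio explains d
    a, b = rec
    ones_lost = factor_over(a, primes)      # bits that were 1 in m, received as 0
    ones_gained = factor_over(b, primes)    # bits that were 0 in m, received as 1
    if ones_lost is None or ones_gained is None:
        return None
    fixed = list(received_bits)
    for i in ones_lost:
        fixed[i] = 1
    for i in ones_gained:
        fixed[i] = 0
    return fixed
```

For k = 16 and t = 2 the code picks p just above 2 · 53^4, i.e. a 24-bit prime, matching the slide's log_2 p ≃ 2t · log_2(p_k); a decoding failure (None) is reported when a or b does not factor over the first k primes, which is how the receiver notices that more than t bits flipped.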
Up to this point, we assumed errors occurred only in m. To deal with errors in c we use a new code hybridization technique.
Gain example for (number-theoretic)+(Reed-Muller) hybridization: a new code which is more efficient than both.

Examples of length n, dimension k, and error capacity t for Reed-Muller codes:
  n        k       t
  16       11      1
  64       42      3
  128      99      3
  256      163     7
  512      382     7
  2048     1024    31
  8192     5812    31
  32768    9949    255
  131072   65536   255

(n, k, t)-codes generated from Reed-Muller by our hybrid construction:
  n'       k       c(m)    RM(c(m))   t
  638      382     157     256        7
  7860     5812    931     2048       31
  98304    65536   9931    32768      255
Lemma (Error Correction Hybridization). Assume that there exists a constant δ > 1 such that, for k large enough, n(k) ≥ δk. Then for k large enough, n'(k) ≤ n(k).

[Figure: code length against dimension k. Curves labelled: underlying ECC, n = n(k); lower bound, n = δk; new ECC, n'; the vertical distance between the underlying ECC and the new ECC is marked "gain".]

For large enough values of k, the hybrid ECC requires less transmission than both underlying ECCs.
Backtracking-Assisted Multiplication
Motivation
In many cryptographic applications we need to multiply a variable x by a constant c.

Examples
  Diffie-Hellman/DSA: c is g
  Fiat-Shamir: c is a secret key s_i
  Barrett modular reduction: c is ⌊2^{2L} / n⌋
  Montgomery modular reduction: c is 2^{2L} mod n

Question: Is there a way to take advantage of the fact that c is constant?
Classically: a quadratic number of byte-by-byte multiplications.

Idea: Replace MULs by ADDs

[Figure, built up over several slides: the bytes 70, 21 and 91 of the constant operand are highlighted (note 91 = 70 + 21). The partial products of x by 70 and by 21 are computed ("Compute!"); the partial product of x by 91 is marked "Do not compute!" and its row of unknown digits "? ? ? ? ? ?" is filled in by adding the two rows already computed.]
The Algorithm
Because the constant operand (shown in red on the slide) is constant, we may encode its bytes as an addition/subtraction chain departing from two bytes only. We do this by backtracking.

Expected gain for cryptography (1024 bits = 128 bytes):
  instead of: 128 × 128 byte-by-byte multiplications
  perform only: 2 × 128 byte-by-byte multiplications and 126 × 128 byte additions.

Interesting for 8-bit µPs and crypto integers (≃ 1024 bits). Less appealing for bigger chips and/or shorter operands.
The Backtracking Algorithm
Several backtracking trade-offs can be applied. The embedded device will work with 3 RAM registers only:

Backtracking (high-level description, refer to thesis for details)
  start with two bytes a and b
  try to find r = a + b or r = |a − b| or r = 2a or r = 2b
  if found then
    throw away either a, b or r and continue
  else
    backtrack
  end if

More registers ⇒ longer backtracking time and more RAM usage in the embedded device, but longer chains that make multiplication faster.
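The backtracking chain search and the multiply-by-constant routine that consumes the chain, as an added Python example (not the thesis' implementation; the thesis' trade-offs and heuristics are not reproduced). `find_chain` explores the four moves of the slide with three registers by depth-first backtracking under an iteratively increased step budget, so the first chain it returns is a shortest one; `multiply_by_constant` replays the chain so that only the two seed bytes are multiplied with x and every other partial product is obtained by addition, subtraction or doubling of values already held. The 6-byte constant is constructed for the example and contains the slide's bytes 70, 21, 91 (hexadecimal).

```python
from collections import defaultdict

OPS = ("add", "sub", "dbl_a", "dbl_b")


def _step(a, b, op):
    """The four moves of the slide: r = a + b, |a - b|, 2a or 2b (None if r is not a byte)."""
    r = {"add": a + b, "sub": abs(a - b), "dbl_a": 2 * a, "dbl_b": 2 * b}[op]
    return r if 0 < r < 256 else None


def _dfs(a, b, missing, budget, chain):
    """Backtracking: registers hold (a, b); after producing r keep two of a, b, r."""
    if not missing:
        return list(chain)
    if budget < len(missing):          # prune: each step covers at most one new byte
        return None
    for op in OPS:
        r = _step(a, b, op)
        if r is None or r in (a, b):
            continue
        for keep, nxt in (("ab", (a, b)), ("ar", (a, r)), ("br", (b, r))):
            chain.append((op, keep))
            found = _dfs(nxt[0], nxt[1], missing - {r}, budget - 1, chain)
            chain.pop()
            if found is not None:
                return found
    return None


def find_chain(a, b, targets, max_slack=2):
    """Shortest chain from seed bytes (a, b) producing every byte in `targets`,
    searched by iterative deepening over the number of steps (three registers only)."""
    missing = frozenset(targets) - {a, b, 0}
    for budget in range(len(missing), len(missing) + max_slack + 1):
        chain = _dfs(a, b, missing, budget, [])
        if chain is not None:
            return chain
    return None


def multiply_by_constant(x, c_bytes, seed, chain):
    """x * c for c = sum(c_bytes[i] << 8*i).  Only x*a and x*b are multiplications
    (the slide's 2 x 128 byte products); every other x*r is an add, subtract or double."""
    positions = defaultdict(list)
    for i, byte in enumerate(c_bytes):
        positions[byte].append(i)
    a, b = seed
    xa, xb = x * a, x * b
    acc, emitted = 0, set()

    def emit(val, prod):
        nonlocal acc
        if val not in emitted:                 # each partial product is placed once
            emitted.add(val)
            for i in positions[val]:
                acc += prod << (8 * i)

    emit(a, xa)
    emit(b, xb)
    for op, keep in chain:
        if op == "add":
            r, xr = a + b, xa + xb
        elif op == "sub":
            r, xr = (a - b, xa - xb) if a >= b else (b - a, xb - xa)
        elif op == "dbl_a":
            r, xr = 2 * a, xa + xa
        else:
            r, xr = 2 * b, xb + xb
        emit(r, xr)
        if keep == "ar":                       # throw away b
            b, xb = r, xr
        elif keep == "br":                     # throw away a
            a, xa, b, xb = b, xb, r, xr
    return acc
```

The search is the expensive part and is done offline once per constant (the slide reports 85 days on a cluster for a 128-byte constant); the device only stores the chain and replays it, which is why its RAM grows while its multiplication time drops.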
Performance
Comparative performance data for a multiplication by the covered constant ⌊π · 2^{1024}⌋ are shown below. Backtracking this constant took 85 days on an Altix UV1000 cluster.

Performance on a 68HC05 clocked at 5 MHz
                     Time      RAM         Code Size
  Usual Algorithm    188 ms    395 bytes   1.1 kilobytes
  New Algorithm      72 ms     663 bytes   1.7 kilobytes

Speed-up by a factor of 2.6 using 1.7 times more RAM.
Bonus Features
  1. Compatible with Karatsuba when one of the operands is constant. Both algorithms can be used simultaneously, causing both speed-ups to add up.
  2. We can also envision "multiplication-friendly keys", of lesser entropy but allowing much easier processing, e.g. for Fiat-Shamir. If needed, re-increase entropy by taking somewhat longer keys.
Fault Attacks on Projective-to-Affine Coordinate Conversion
Elliptic Curve Cryptography
Definition. An elliptic curve over a finite prime field F_p of characteristic p > 3 can be described by its reduced Weierstraß form: E : y² = x³ + ax + b.

Elliptic curves used in cryptography:
  are defined over a finite field F_q, where q is either a prime or q = 2^n;
  have ip points, where p is prime and i ∈ {1, 2, 3, 4};
  p is typically 192 bits long.
Attack by Naccache, Smart and Stern at EUROCRYPT'04
Attack on elliptic curve cryptosystems when the signature scheme returns a point in projective coordinates (X, Y, Z).

Unfeasibility of the NSS Attack
In many systems, results are given in affine coordinates (x, y).

Our Fault Attack Model
Inject an error during the conversion process to recover the missing Z coordinate. We propose different ways to do so depending on the fault's precision.
Computation of Q = [k]P: Elliptic Curve Scalar Multiplication (ECSM), where k is private and P is public.
Is it secure to return the value Q = (X, Y, Z) in Jacobian coordinates? No: "projective coordinates leak" (Naccache, Smart, Stern). Some bits of k can be retrieved.
The NSS attack does not recover all scalar bits, only a few; but this is enough to seriously endanger some protocols.
For the attack to work the result must be in Jacobian coordinates (X, Y, Z); this is never the case in practice, as [k]P is computed in Jacobian coordinates but the result is converted to affine coordinates before being returned.

Our Contribution
Inject a fault during the conversion procedure, so that a faulty result in affine coordinates contains information on the missing coordinate Z.
Conversion Procedure
Convert P = (X, Y, Z) = (xZ², yZ³, Z) from Jacobian to affine coordinates (x, y):

Algorithm CONVERT(X, Y, Z) =
  r ← Z^{−1}
  s ← r²
  x ← X · s
  t ← Y · s
  y ← t · r
  return (x, y)
The Idea
Algorithm CONVERT(X, Y, Z) =
  r ← Z^{−1}
  s ← r²
  s̃ ← s + ε        (corruption of s)
  x̃ ← X · s̃
  t̃ ← Y · s̃
  ỹ ← t̃ · r
  return (x̃, ỹ)

Equations System
  x̃ = X(s + ε) ⇒ x̃ = x + xZ²ε mod p
  ỹ = Y(s + ε)r ⇒ ỹ = y + yZ²ε mod p
Large Unknown Faults and a Correct Result
Equations System with a Known Result (x, y)
  x̃_i = x + xZ²ε_i ⇒ x̃_i / x − 1 = Z²ε_i mod p, with ε_i < p^a for some a < 1
  ⇒ u_i = Z²ε_i mod p, with u_i = x̃_i / x − 1
  ⇒ ε = s · u mod p, with s = Z^{−2}, u = (u_1, ..., u_n), ε = (ε_1, ..., ε_n)

Recover ε Using LLL
Let L be the lattice generated by the vector u and pℤ^n in ℤ^n. Because ε satisfies ε = s · u mod p, ε ∈ L; with ε_i < p^a, we can recover ε directly by reducing L using LLL, since ε is a small vector of L.
Two Faults and a Correct Result
Equations System with a Known Result (x, y)
  x̃_1 / x − 1 = u_1 = Z²ε_1 mod p, with ε_1 < √p
  x̃_2 / x − 1 = u_2 = Z²ε_2 mod p, with ε_2 < √p
Let α = u_1 / u_2 = ε_1 ε_2^{−1} ⇒ problem known as Rational Number Reconstruction, solved using Euclid's algorithm for finding the shortest vector in a bidimensional lattice.

Theorem (already seen during the error-correction part of this presentation). Let ε_1, ε_2 ∈ ℤ such that −A ≤ ε_1 ≤ A and 0 < ε_2 ≤ B. Let p > 2AB be a prime and α = ε_1 ε_2^{−1} mod p. Then ε_1, ε_2 can be recovered from A, B, α, p in polynomial time.

Recover ε_1, ε_2 with A = B = ⌊√p⌋, 2AB < p, 0 ≤ ε_1 ≤ A and 0 < ε_2 ≤ B.
Let G be a public generator of order n. Let (d, P = [d]G) be the key pair of an entity.

ECDSA signature
  Input: private key d, message m
  Output: signature (r, s)
    k ←$ [1, n − 1]
    Q ← [k]G
    r ← x_Q mod n
    i ← k^{−1} mod n
    s ← i · (dr + m) mod n
    return (r, s)

ECDSA verification
  Input: public key P, m, signature (r, s)
  Output: True or False
    w ← s^{−1} mod n
    u_1 ← w · m mod n
    u_2 ← w · r mod n
    Q ← [u_1]G + [u_2]P
    v ← x_Q mod n
    return v =? r
Wrong ECDSA signature
  Input: private key d, message m
  Output: signature (r̃, s̃)
    k ←$ [1, n − 1]
    (x̃_Q, ỹ_Q) ← [k]G        ← fault during the conversion of Q
    r̃ ← x̃_Q mod n
    i ← k^{−1} mod n
    s̃ ← i (d r̃ + m) mod n
    return (r̃, s̃)

Recover the x coordinate of Q
  Input: public key P, m, wrong signature (r̃, s̃)
  Output: Q
    w̃ ← s̃^{−1} mod n
    ũ_1 ← w̃ · m mod n
    ũ_2 ← w̃ · r̃ mod n
    Q̃ ← [ũ_1]G + [ũ_2]P = [k m / (d r̃ + m)] G + [k r̃ / (d r̃ + m)] P = [k]G = Q
    return Q

Recover the True x Coordinate of Q
From (r̃, s̃) we can recover the correct value of x_Q ⇒ recover the Z coordinate of Q ⇒ using the NSS attack, grab a few bits of k.
In the Thesis We Report the Experimental Feasibility of the Attack
  Practical attacks on particular elliptic curve schemes (large unknown faults and two faults).
  Theoretical attack on ECDSA. Theoretical because the fault model is too strong.

To Prevent our Attack
Check the validity of the result after conversion to affine coordinates and not before.
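The countermeasure just stated (validate the point after the Jacobian-to-affine conversion, not before), as an added Python example on a toy curve (not the thesis' code): the ECDSA signing routine of the earlier slide calls CONVERT and refuses to emit (r, s) when the converted Q is not on the curve. The curve y² = x³ + 2x + 2 over F_17 with generator (5, 1) of order 19, the fixed k and Z, and the `fault` parameter that adds ε to s are all assumptions of this example; the fault parameter only models the corruption the slides analyse, so that the check can be seen to reject it, and the example verifies the slide's relation x̃ = x + xZ²ε mod p on the way.

```python
# Toy curve, constructed for this example and far too small for real use:
# E: y^2 = x^3 + 2x + 2 over F_17, generator G = (5, 1) of prime order 19.
P_MOD, A, B = 17, 2, 2
G = (5, 1)
ORDER = 19
INF = None                      # point at infinity


def is_on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def ec_add(p1, p2):
    """Affine point addition (doubling when p1 == p2)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication [k]pt."""
    result = INF
    while k:
        if k & 1:
            result = ec_add(result, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return result


def to_jacobian(pt, Z):
    """(x, y) -> (xZ^2, yZ^3, Z), the representation a Jacobian ECSM would hold."""
    x, y = pt
    return (x * Z * Z % P_MOD, y * pow(Z, 3, P_MOD) % P_MOD, Z)


def convert(X, Y, Z, fault=0):
    """CONVERT from the slide: r = Z^-1, s = r^2, x = X*s, t = Y*s, y = t*r.
    `fault` (an assumption of this example) adds epsilon to s, modelling the
    corruption the slides analyse; 0 means a correct conversion."""
    r = pow(Z, -1, P_MOD)
    s = (r * r + fault) % P_MOD
    x = X * s % P_MOD
    t = Y * s % P_MOD
    y = t * r % P_MOD
    return (x, y)


def ecdsa_sign(d, m, k, Z=3, fault=0):
    """ECDSA signature from the slide.  k and Z are passed in for determinism
    (a real implementation draws k uniformly from [1, n-1]).  Countermeasure:
    the converted point is validated before r is taken from it."""
    Q = ec_mul(k, G)
    X, Y, Zj = to_jacobian(Q, Z)
    xq, yq = convert(X, Y, Zj, fault)
    if not is_on_curve((xq, yq)):          # faulted conversion: refuse to sign
        return None
    r = xq % ORDER
    s = pow(k, -1, ORDER) * (d * r + m) % ORDER
    if r == 0 or s == 0:
        return None
    return (r, s)


def ecdsa_verify(pub, m, sig):
    """ECDSA verification from the slide."""
    r, s = sig
    if not (0 < r < ORDER and 0 < s < ORDER):
        return False
    w = pow(s, -1, ORDER)
    u1 = w * m % ORDER
    u2 = w * r % ORDER
    Q = ec_add(ec_mul(u1, G), ec_mul(u2, pub))
    return Q is not INF and Q[0] % ORDER == r
```

Checking the point before conversion would pass here, because [k]G is computed correctly and only the conversion is disturbed; the check after conversion is the one that sees the corrupted (x̃, ỹ), which is the slide's point.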
Conclusion
During the thesis we studied:
  authentication and encryption: starting from protocol design, passing through algorithmic improvements and getting to attacks;
  cryptographic techniques successfully applied to error-correcting codes;
  and several computational improvements.
Thank you for your attention!