Abstract
Practical implementations of cryptosystems often suffer from critical information leakage through side channels (such as their power consumption or their electromagnetic emanations). For public-key cryptography on embedded systems, the core operation is usually group exponentiation – or scalar multiplication on elliptic curves – which is a sequence of group operations derived from the private key and which, on an unprotected implementation, may reveal secret bits to an attacker.
We present lattice-based polynomial-time (heuristic) algorithms that recover the signer's secret in popular pairing-based signatures when they are used to sign several messages, under the assumption that blocks of consecutive bits of the corresponding exponents are known to the attacker. Our techniques rely on Coppersmith's method and apply to all signatures in the so-called exponent-inversion framework, in the standard security model (i.e. Boneh-Boyen and Gentry signatures) as well as in the random oracle model (i.e. Sakai-Kasahara signatures).
Notes
1. It is well known that the computational complexity of Gröbner basis algorithms may be exponential or even doubly exponential. In our setting, the number of variables and the total degree of the input polynomials are fixed, and the theoretical complexity is polynomial in the field size (and thus in the security parameter).
2. In order to reach this asymptotic bound, the constructed matrix has a huge dimension and the resulting polynomial system has a very large number of variables, so the computation, which is theoretically polynomial-time, becomes prohibitive in practice.
A Concrete Attack Examples Against Gentry Signatures
In this section, we present two attack examples on Gentry signatures for a 256-bit prime p with 3 signatures \((r_0,\sigma _0)\), \((r_1,\sigma _1)\) and \((r_2,\sigma _2)\) and one T-bit unknown block in each signature, with \(T=\lfloor 0.3\log _2(p)\rfloor \).
We recall that for \(i\in \{0,1,2\}\), \(\sigma _i = g^{s_i}\) where \(s_i=(y+r_i)/(x+m) \bmod p\), x and y are the secret keys and p, m and \(r_i\), \(i\in \{0,1,2\}\) are public information. In this example, we took the following random values:
- \(p=\texttt {\small 9b814891e89496e776bfeeebcac5c74130862914fe2b928d40c3a88323dcbaaf}\)
- \(m=\texttt {\small 440f4a9df2936c4aad3856ed0ea5cf3d131ef658fc36c2fa56763373288d5519}\)
- \(x=\texttt {\small 57a7b0913f5202e31555ec9538ff90f38a5e6c53b359edfe1106c8ee9518029a}\)
- \(y=\texttt {\small 259b67be7de53e0546860379bc31ab9bb30caf68c314a956a1719e18d4a24ae2}\)
- \(r_0=\texttt {\small 75c471becf6a9d86aa5480985a95702617892ba84b7662d6bdf3a3c1931abf3b}\)
- \(r_1=\texttt {\small 675e28ffbf96b29365ebda463c3a0a4290a284f9fed9ddd0ccdada587c1f0152}\)
- \(r_2=\texttt {\small 7961b0df3f0a286547f25da59a7c2a7c28764f4335a0aa2cd5a72ba2393a6cd3}\)
- \(s_0=\texttt {\small 45f185a8ce35c2b95b3e1aef9fc516ec9e840c9a5b6b36c70532b10145790401}\)
- \(s_1=\texttt {\small 8f63fe87fd0d67f6594ff44ba86a2755b2b6ad6a0b7ab4aafecae41fca50c713}\)
- \(s_2=\texttt {\small 57de02b444bb7716c021d21162c3727ba904ae6e4d44aca2ad9f4406669e8744}\)
and \(T=\lfloor 0.3\log _2(p)\rfloor =76\).
In the first case, we suppose that the T least significant bits of each exponent \(s_i\) are unknown and show that we are unable to find the unknown blocks, since the Gröbner basis gives us a system of dimension 1.
In the second case, we suppose that we know the \(T+2\) least significant bits of \(s_0\) but do not know any least significant bits of \(s_1\) and \(s_2\). We also suppose that we do not know T intermediate bits of \(s_0\), and we show that in this case we are able to find the unknown blocks, since the Gröbner basis gives us a system of dimension 0.
First Case
- We can write the signatures as:
$$\begin{aligned} s_0&= 2^{T} \cdot \texttt {\small 45f185a8ce35c2b95b3e1aef9fc516ec9e840c9a5b6b3} +z_0, \\ s_1&= 2^{T} \cdot \texttt {\small 8f63fe87fd0d67f6594ff44ba86a2755b2b6ad6a0b7ab}+ z_1, \\ s_2&= 2^{T} \cdot \texttt {\small 57de02b444bb7716c021d21162c3727ba904ae6e4d44a} +z_2, \end{aligned}$$where the T-bit numbers \(z_0\), \(z_1\) and \(z_2\) are the unknown blocks.
- We get the polynomial \(f(y_0,y_1,y_2)\) defined by:
$$\begin{aligned} y_2&+ \texttt {\small 86acc2de9d15dab4df6a8114243623f246376c1103c29ee97a0dd7490f87eb33} \, y_1 \\&+ \texttt {\small 14d485b34b7ebc3297556dd7a68fa34eea4ebd03fa68f3a3c6b5d13a1454cf7b} \, y_0 \\&+ \texttt {\small 11f10fbe97565b062acfb71c6d98f596de6c1e236edaa9168d891d78d66e8c4a} \end{aligned}$$having as root \((z_0,z_1,z_2)\) modulo p.
- Constructing the lattice with \(m=4\), after the LLL reduction and the Gröbner basis computation, we obtain the system of polynomials
$$\begin{aligned} \left\{ \begin{array}{rcl} f_1(y_0,y_1,y_2) &{} = &{} y_2 - y_0 - \texttt {5dba86c930521258343} \\ f_2(y_0,y_1,y_2) &{} = &{} y_1 - y_0 + \texttt {21c0667cce17b283cee} \end{array} \right. \end{aligned}$$having indeed \((z_0,z_1,z_2)\) as root over the integers. However, the dimension of the system is 1, so we are a priori unable to recover the unknown blocks.
Second Case
- We can write the signatures as:
$$\begin{aligned} s_0&= \texttt {\small 36c70532b10145790401} +2^{79} \cdot z_0 + 2^{79+T} \cdot \texttt {\small 8be30b519c6b8572b67c35df3} \\ s_1&= 2^{T} \cdot \texttt {\small 8f63fe87fd0d67f6594ff44ba86a2755b2b6ad6a0b7ab} + z_1 \\ s_2&= 2^{T} \cdot \texttt {\small 57de02b444bb7716c021d21162c3727ba904ae6e4d44a} + z_2 \end{aligned}$$where the T-bit numbers \(z_0\), \(z_1\) and \(z_2\) are the unknown blocks.
- Proceeding as in the attack, one obtains the polynomial \(f(y_0,y_1,y_2)\) defined by
$$\begin{aligned} y_2&+ \texttt {\small 86acc2de9d15dab4df6a8114243623f246376c1103c29ee97a0dd7490f87eb33} \, y_1 \\&+ \texttt {\small 78836c7dbcc6bee53ea07b359a07fa111e09607336b452976acd0f0ec2a0c985} \, y_0 \\&+ \texttt {\small 77b82eec348f27f19cb7a6c1cc895cf7261093b80d067ea4eb7b8da90e1ae306} \end{aligned}$$having as root \((z_0,z_1,z_2)\) modulo p.
- Constructing the lattice with \(m=4\), after the LLL reduction and the Gröbner basis computation, one obtains the system of polynomials
$$\begin{aligned} \left\{ \begin{array}{rcl} f_1(y_0,y_1,y_2) &{} = &{} y_2 - \texttt {ca2ad9f4406669e8744} \\ f_2(y_0,y_1,y_2) &{} = &{} y_1 - \texttt {4aafecae41fca50c713} \\ f_3(y_0,y_1,y_2) &{} = &{} y_0 - \texttt {f8a2dd93d081934b6d6} \end{array} \right. \end{aligned}$$having \((z_0,z_1,z_2)\) as root over the integers. The dimension of the system is 0 and one readily finds the unknown blocks.
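The following Python script is an added example (not code from the paper) that rebuilds the linear polynomial \(f(y_0,y_1,y_2)\) of both cases from the public values \(p\), \(r_i\) and the simulated side-channel view of each \(s_i\), checks that \((z_0,z_1,z_2)\) is a root modulo \(p\), and compares the blocks it isolates with the Gröbner basis outputs above. It stops before the lattice step (LLL and Gröbner basis need an external tool) and assumes Python 3.8+ for modular inverses via `pow(a, -1, p)`; the elimination used to derive \(f\) is the standard one and is spelled out in the comments.

```python
import math

# Public parameters and the signer's secrets from the appendix (x, y are
# secret; the attacker only knows p, m, the r_i and the leaked bits of s_i).
p = 0x9b814891e89496e776bfeeebcac5c74130862914fe2b928d40c3a88323dcbaaf
m = 0x440f4a9df2936c4aad3856ed0ea5cf3d131ef658fc36c2fa56763373288d5519
x = 0x57a7b0913f5202e31555ec9538ff90f38a5e6c53b359edfe1106c8ee9518029a
y = 0x259b67be7de53e0546860379bc31ab9bb30caf68c314a956a1719e18d4a24ae2
r = [0x75c471becf6a9d86aa5480985a95702617892ba84b7662d6bdf3a3c1931abf3b,
     0x675e28ffbf96b29365ebda463c3a0a4290a284f9fed9ddd0ccdada587c1f0152,
     0x7961b0df3f0a286547f25da59a7c2a7c28764f4335a0aa2cd5a72ba2393a6cd3]
T = int(0.3 * math.log2(p))  # size of each unknown block, 76 bits here
PAPER_C1 = 0x86acc2de9d15dab4df6a8114243623f246376c1103c29ee97a0dd7490f87eb33

def exponents():
    """Gentry exponents s_i = (y + r_i) / (x + m) mod p (signer side)."""
    inv = pow(x + m, -1, p)
    return [(y + r_i) * inv % p for r_i in r]

def split(s, shift):
    """Simulated leakage: the T-bit block of s starting at bit `shift` is the
    unknown z, every other bit is known. Returns (known part, z)."""
    z = (s >> shift) & ((1 << T) - 1)
    return s - (z << shift), z

def block_polynomial(known, shifts):
    """Eliminating x+m and y from s_i*(x+m) = y + r_i gives the public relation
         s_0*(r_1-r_2) + s_1*(r_2-r_0) + s_2*(r_0-r_1) = 0  (mod p).
    Substituting s_i = known_i + 2^shift_i * z_i and making it monic in z_2
    gives f = y_2 + c1*y_1 + c0*y_0 + c with root (z_0, z_1, z_2) mod p."""
    lin = [(r[1] - r[2]) % p, (r[2] - r[0]) % p, (r[0] - r[1]) % p]
    norm = pow(lin[2] << shifts[2], -1, p)
    c0, c1 = (lin[i] * (1 << shifts[i]) * norm % p for i in range(2))
    c = sum(lin[i] * known[i] for i in range(3)) * norm % p
    return c0, c1, c

def attack_case(shifts):
    """Build f for one leakage layout; returns ((c0, c1, c), z, f(z) mod p)."""
    parts = [split(s, sh) for s, sh in zip(exponents(), shifts)]
    c0, c1, c = block_polynomial([k for k, _ in parts], shifts)
    z = [zi for _, zi in parts]
    return (c0, c1, c), z, (z[2] + c1 * z[1] + c0 * z[0] + c) % p

if __name__ == "__main__":
    for name, shifts in (("first case", [0, 0, 0]), ("second case", [79, 0, 0])):
        (c0, c1, c), z, fz = attack_case(shifts)
        print(name, "f(z) mod p =", fz, "| c1 matches paper:", c1 == PAPER_C1)
        print("  unknown blocks:", [hex(v) for v in z])
```

In the first case the lattice step can only recover the integer differences \(z_2-z_0\) and \(z_0-z_1\), which the script's blocks reproduce digit for digit; in the second case the shift of \(z_0\) to bit 79 breaks that symmetry and the blocks themselves are determined.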
© 2017 Springer International Publishing AG
Mefenza, T., Vergnaud, D. (2017). Lattice Attacks on Pairing-Based Signatures. In: O'Neill, M. (eds) Cryptography and Coding. IMACC 2017. Lecture Notes in Computer Science(), vol 10655. Springer, Cham. https://doi.org/10.1007/978-3-319-71045-7_18
DOI: https://doi.org/10.1007/978-3-319-71045-7_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-71044-0
Online ISBN: 978-3-319-71045-7