DOI: 10.1145/2858930.2858932

A Cautionary Note: Side-Channel Leakage Implications of Deterministic Signature Schemes

Published: 20 January 2016

Abstract

Two recent proposals by Bernstein and Pornin emphasize the use of deterministic signatures in DSA and its elliptic curve-based variants. Deterministic signatures derive the required ephemeral key value in a deterministic manner from the message to be signed and the secret key instead of using random number generators. The goal is to prevent severe security issues, such as the straightforward secret key recovery from low-quality random numbers. Recent developments have raised skepticism about whether e.g. embedded or pervasive devices are able to generate randomness of sufficient quality. The main concerns stem from individual implementations lacking a sufficient entropy source and from standardized methods for random number generation with suspected back doors. While we support the goal of deterministic signatures, we are concerned about the fact that this has a significant influence on the side-channel security of implementations. Specifically, attackers will be able to mount differential side-channel attacks on the additional use of the secret key in a cryptographic hash function to derive the deterministic ephemeral key. Previously, only a simple integer arithmetic function to generate the second signature parameter had to be protected, which is rather straightforward. Hash functions are significantly more difficult to protect. In this contribution, we systematically explain how deterministic signatures introduce this new side-channel vulnerability.
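As an added illustration (this is not code from the paper, nor from the RFC 6979 or EdDSA authors), the following Python implements the RFC 6979 nonce derivation together with a textbook ECDSA signing step on NIST P-256, so that the two places where the secret key x enters the computation can be seen side by side: the HMAC calls in rfc6979_nonce, where int2octets(x) is hashed together with the message digest (the additional key-dependent hash-function use the abstract warns about), and the single modular expression s = k^-1 (h + r x) mod q in ecdsa_sign_deterministic (the integer arithmetic that previously was the only secret-key operation to protect besides the scalar multiplication). The curve constants are the standard P-256 parameters; the private key and message are the published test vector from RFC 6979 Appendix A.2.5, not a real key. The affine double-and-add scalar multiplication is a plain textbook routine that is not side-channel hardened and is included only so that the example is complete and checkable.

```python
import hashlib
import hmac

# NIST P-256 parameters (standard values); Q is the group order used by RFC 6979.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

# Private key and message from the RFC 6979 Appendix A.2.5 test vector (not a real key).
X_TEST = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
MSG_TEST = b"sample"


def bits2int(b, qlen):
    """RFC 6979 2.3.2: interpret the leftmost qlen bits of b as an integer."""
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    return v >> (blen - qlen) if blen > qlen else v


def int2octets(x, qlen):
    """RFC 6979 2.3.3: big-endian encoding of x in ceil(qlen/8) bytes."""
    return x.to_bytes((qlen + 7) // 8, "big")


def bits2octets(b, q, qlen):
    """RFC 6979 2.3.4: bits2int, reduce modulo q, then int2octets."""
    return int2octets(bits2int(b, qlen) % q, qlen)


def rfc6979_nonce(x, msg, q=Q, hashfunc=hashlib.sha256):
    """Deterministic ephemeral key k per RFC 6979 section 3.2 (steps a-h).

    In steps d and f the secret key x is fed into HMAC as *input data*, so the
    hash function processes key-dependent blocks. A randomized ECDSA has no
    such operation; this is the new differential side-channel target.
    """
    qlen = q.bit_length()
    hlen = hashfunc().digest_size
    h1 = hashfunc(msg).digest()                                      # step a
    x_oct = int2octets(x, qlen)
    h_oct = bits2octets(h1, q, qlen)
    V = b"\x01" * hlen                                               # step b
    K = b"\x00" * hlen                                               # step c
    K = hmac.new(K, V + b"\x00" + x_oct + h_oct, hashfunc).digest()  # step d: x hashed
    V = hmac.new(K, V, hashfunc).digest()                            # step e
    K = hmac.new(K, V + b"\x01" + x_oct + h_oct, hashfunc).digest()  # step f: x hashed again
    V = hmac.new(K, V, hashfunc).digest()                            # step g
    while True:                                                      # step h
        T = b""
        while len(T) * 8 < qlen:
            V = hmac.new(K, V, hashfunc).digest()
            T += V
        k = bits2int(T, qlen)
        if 1 <= k < q:
            return k
        K = hmac.new(K, V + b"\x00", hashfunc).digest()
        V = hmac.new(K, V, hashfunc).digest()


def point_add(p1, p2):
    """Affine addition/doubling on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Textbook right-to-left double-and-add. Not constant time; illustration only."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ecdsa_sign_deterministic(x, msg, hashfunc=hashlib.sha256):
    """ECDSA over P-256 with an RFC 6979 nonce. Returns (r, s)."""
    qlen = Q.bit_length()
    h = bits2int(hashfunc(msg).digest(), qlen) % Q
    k = rfc6979_nonce(x, msg, Q, hashfunc)   # secret key consumed inside HMAC/hash
    r = scalar_mult(k, G)[0] % Q
    # The integer-arithmetic use of x: the only secret-key step a randomized
    # ECDSA had to protect besides the scalar multiplication itself.
    s = pow(k, -1, Q) * (h + r * x) % Q
    return r, s


if __name__ == "__main__":
    k = rfc6979_nonce(X_TEST, MSG_TEST)
    r, s = ecdsa_sign_deterministic(X_TEST, MSG_TEST)
    print(f"k = {k:064X}\nr = {r:064X}\ns = {s:064X}")
```

When reviewing a deterministic-signature implementation, the two HMAC calls that consume int2octets(x) should be inventoried as secret-key operations in their own right: a hardened scalar multiplication and a masked computation of s no longer cover every use of x, and the compression-function rounds inside HMAC need side-channel countermeasures of their own.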

Published In

CS2 '16: Proceedings of the Third Workshop on Cryptography and Security in Computing Systems
January 2016
61 pages
ISBN:9781450340656
DOI:10.1145/2858930
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

In-Cooperation

  • Politecnico di Milano: Politecnico di Milano
  • HiPEAC: HiPEAC Network of Excellence

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 20 January 2016

Author Tags

  1. Deterministic Signatures
  2. ECDSA
  3. Elliptic Curve Cryptography
  4. Side-Channel Attacks

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

CS2 '16

Acceptance Rates

CS2 '16 paper acceptance rate: 10 of 19 submissions (53%)
Overall acceptance rate: 27 of 91 submissions (30%)

Article Metrics

  • Downloads (last 12 months): 2
  • Downloads (last 6 weeks): 0
Reflects downloads up to 01 Feb 2025

Cited By

  • (2021) Improving the security of ElGamal-type signatures. Matematicheskie Voprosy Kriptografii [Mathematical Aspects of Cryptography] 12:3, pp. 5-30. doi:10.4213/mvk373. Online publication date: 4 Nov 2021.
  • (2020) Privacy Attack On IoT: a Systematic Literature Review. 2020 International Conference on ICT for Smart Society (ICISS), pp. 1-8. doi:10.1109/ICISS50791.2020.9307568. Online publication date: 19 Nov 2020.
  • (2018) FourQ on embedded devices with strong countermeasures against side-channel attacks. IEEE Transactions on Dependable and Secure Computing. doi:10.1109/TDSC.2018.2799844. Online publication date: 2018.
  • (2017) Practical Fault Attack against the Ed25519 and EdDSA Signature Schemes. 2017 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 17-24. doi:10.1109/FDTC.2017.12. Online publication date: Sep 2017.
  • (2016) Investigating Multi-Thread Utilization as a Software Defence Mechanism Against Side Channel Attacks. Proceedings of the 8th International Conference on Signal Processing Systems, pp. 189-193. doi:10.1145/3015166.3015176. Online publication date: 21 Nov 2016.