Attacking Deterministic Signature Schemes Using Fault Attacks

Poddebniak, Damian; Somorovsky, Juraj; Schinzel, Sebastian; Lochter, Manfred; Rösler, Paul

doi:10.1109/eurosp.2018.00031

Cited by 35 publications

(27 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In several works concurrent and closely related to that by Poddebniak et al [48], Romailler and Pelissier [54], Ambrose et al [1], as well as Samwel et al [56,55] studied differential fault and side-channel attacks on deterministic signatures in general and the ECDSA and EdDSA schemes specifically, also revisiting a previous result by Barenghi and Pelosi [5]. Notably, all works agree that adding randomness back into the signing process is necessary in order to prevent the described fault attacks.…”

Section: Introductionmentioning

confidence: 69%

“…Poddebniak et al [48] now show that the introduced determinism in such schemes enables new kinds of fault attacks. More specifically, they formalize how rowhammer-style attacks can be deployed to recover signing keys by injecting faults in the deterministic computation of ECDSA and EdDSA signatures.…”

Section: Introductionmentioning

confidence: 99%

“…Razavi et al [50] already demonstrated how bit-flipping attacks in RSA public-keys stored by the SSH protocol for authentication [61] enable easy factorization and thereby break the authentication system. More recently, Poddebniak et al [48] formalized rowhammer-style attacks that specifically target the setting of deterministic signature schemes, opening up a new type of attack vector in this area.…”

Section: Introductionmentioning

confidence: 99%

“…In their work, Poddebniak et al [48,Section 9] touch upon a number of countermeasures. Notably, they specifically highlight that the commonly suggested countermeasure to verify the signature before releasing it in order to check correctness of the computation [20,41] turns out to be ineffective in protecting against their attack: the resulting signature is actually valid for the message modified through the fault attack.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Modeling Memory Faults in Signature and Authenticated Encryption Schemes

Fischlin

Günther

2020

Topics in Cryptology – CT-RSA 2020

View full text Add to dashboard Cite

Memory fault attacks, inducing errors in computations, have been an ever-evolving threat to cryptographic schemes since their discovery for cryptography by Boneh et al. (Eurocrypt 1997). Initially requiring physical tampering with hardware, the software-based rowhammer attack put forward by Kim et al. (ISCA 2014) enabled fault attacks also through malicious software running on the same host machine. This led to concerning novel attack vectors, for example on deterministic signature schemes, whose approach to avoid dependency on (good) randomness renders them vulnerable to fault attacks. This has been demonstrated in realistic adversarial settings in a series of recent works. However, a unified formalism of different memory fault attacks, enabling also to argue the security of countermeasures, is missing yet. In this work, we suggest a generic extension for existing security models that enables a game-based treatment of cryptographic fault resilience. Our modeling specifies exemplary memory fault attack types of different strength, ranging from random bit-flip faults to differential (rowhammerstyle) faults to full adversarial control on indicated memory variables. We apply our model first to deterministic signatures to revisit known fault attacks as well as to establish provable guarantees of fault resilience for proposed fault-attack countermeasures. In a second application to nonce-misuse resistant authenticated encryption, we provide the first fault-attack treatment of the SIV mode of operation and give a provably secure fault-resilient variant.

show abstract

Section: Introductionmentioning

confidence: 69%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Modeling Memory Faults in Signature and Authenticated Encryption Schemes

Fischlin

Günther

2020

Topics in Cryptology – CT-RSA 2020

View full text Add to dashboard Cite

show abstract

“…This modification acts as a protection against very weak entropy sources but is not necessary to the security of the signature and was not present in ancestors of qTESLA. Unfortunately, adding this determinism also enabled some side-channel attacks [27,7]. Hence, the authors of qTESLA decided to take the middle ground by keeping the deterministic design but also seeding the oracle with a fresh random value r 7 .…”

Section: Masking-friendly Designmentioning

confidence: 99%

An Efficient and Provable Masked Implementation of qTESLA

Gérard

Rossi

2020

Smart Card Research and Advanced Applications

View full text Add to dashboard Cite

Now that the NIST's post-quantum cryptography competition has entered in its second phase, the time has come to focus more closely on practical aspects of the candidates. While efficient implementations of the proposed schemes are somewhat included in the submission packages, certain issues like the threat of side-channel attacks are often lightly touched upon by the authors. Hence, the community is encouraged by the NIST to join the war effort to treat those peripheral, but nonetheless crucial, topics. In this paper, we study the lattice-based signature scheme qTESLA in the context of the masking countermeasure. Continuing a line of research opened by Barthe et al. at Eurocrypt 2018 with the masking of the GLP signature scheme, we extend and modify their work to mask qTESLA. Based on the work of Migliore et al. in ACNS 2019, we slightly modify the parameters to improve the masked performance while keeping the same security. The masking can be done at any order and specialized gadgets are used to get maximal efficiency at order 1. We implemented our countermeasure in the original code of the submission and performed tests at different orders to assess the feasibility of our technique.

show abstract

A taxonomy of endpoint vulnerabilities and affected blockchain architecture layers

Noor,

Mustafa

2024

Concurrency and Computation

View full text Add to dashboard Cite

Blockchain technology has gained significant attention and adoption due to its decentralized nature, and promising secure and immutable transactions. The interpretation of Blockchain's components has been presented in an innovative manner, illustrating the features they enable or manage. However, its networks do not appear so immune to vulnerabilities like any other technological system. Among the typical weaknesses, endpoint vulnerabilities refer to weaknesses in the endpoints that interact with the blockchain network. They pose a significant risk to the security and integrity of the entire system. These vulnerabilities can affect blockchain networks including smart contract vulnerabilities, wallet vulnerabilities, and communication vulnerabilities. In view of the absence of any viable taxonomic description and associated value, we attempted a novel comprehensive classification of endpoint vulnerabilities. The proposed taxonomy is designed to logically categorize and classify the various endpoint vulnerabilities through a pictorial representation. It encompasses wallet vulnerabilities, malware, cryptojacking and human negligence. Additionally, this paper proposes a novel approach to mapping endpoint vulnerabilities to the blockchain abstract layer. It gives a unique way to study the vulnerabilities and layers' relation. Finally, the corresponding violated principles behind the vulnerabilities have been identified and indicated. By providing a structured taxonomy of endpoint vulnerabilities, this paper aims to enhance the understanding of the security challenges associated with blockchain applications. By understanding and addressing the taxonomy of endpoint vulnerabilities, blockchain practitioners and researchers can enhance blockchain networks' overall security and trustworthiness, paving the way for broader adoption and utilization of this transformative technology. It may have implications in terms of identifying, linking, developing control, and finally mitigating endpoint vulnerabilities in the rapidly changing environment.

show abstract

Attacking Deterministic Signature Schemes Using Fault Attacks

Cited by 35 publications

References 20 publications

Modeling Memory Faults in Signature and Authenticated Encryption Schemes

Modeling Memory Faults in Signature and Authenticated Encryption Schemes

An Efficient and Provable Masked Implementation of qTESLA

A taxonomy of endpoint vulnerabilities and affected blockchain architecture layers

Contact Info

Product

Resources

About