Cold Boot Attacks in the Discrete Logarithm Setting

Poettering, Bertram; Sibborn, Dale L.

doi:10.1007/978-3-319-16715-2_24

Cited by 12 publications

(6 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Because the last assumption may not be reasonable and their introduced key recovery algorithm does not use further redundancy, the algorithm might not be able to recover keys affected by relatively high values of noise in a bit-flipping model. A later work by Poettering and Sibborn [11] reviewed two practical elliptic curve cryptography implementations to find exploitable in-memory representations. In particular, they analysed two scenarios obtained from two elliptic curve implementations from TLS libraries: the windowed non-adjacent form (wNAF) representation used in OpenSSL and the comb-based approach used in PolarSSL.…”

Section: Discrete Logarithm Settingmentioning

confidence: 99%

Cold Boot Attacks on LUOV

Villanueva-Polanco

2020

Applied Sciences

View full text Add to dashboard Cite

This research article assesses the feasibility of cold boot attacks on the lifted unbalanced oil and Vinegar (LUOV) scheme, a variant of the UOV signature scheme. This scheme is a member of the family of asymmetric cryptographic primitives based on multivariable polynomials over a finite field K and has been submitted as candidate to the ongoing National Institute of Standards and Technology (NIST) standardisation process of post-quantum signature schemes. To the best of our knowledge, this is the first time that this scheme is evaluated in this setting. To perform our assessment of the scheme in this setting, we review two implementations of this scheme, the reference implementation and the libpqcrypto implementation, to learn the most common in-memory private key formats and next develop a key recovery algorithm exploiting the structure of this scheme. Since the LUOV’s key generation algorithm generates its private components and public components from a 256-bit seed, the key recovery algorithm works for all the parameter sets recommended for this scheme. Additionally, we tested the effectiveness and performance of the key recovery algorithm through simulations and found the key recovery algorithm may retrieve the private seed when α = 0.001 (probability that a 0 bit of the original secret key will flip to a 1 bit) and β (probability that a 1 bit of the original private key will flip to a 0 bit) in the range { 0.001 , 0.01 , 0.02 , … , 0.15 } by enumerating approximately 2 40 candidates.

show abstract

Section: Discrete Logarithm Settingmentioning

confidence: 99%

Cold Boot Attacks on LUOV

Villanueva-Polanco

2020

Applied Sciences

View full text Add to dashboard Cite

show abstract

“…Since knowing such an upper bound may not be practical and small redundancy in the secret key was exploited, their key-recovery algorithm is not expected to recover keys if these are subjected to a high level of noise, or if a bit-flipping model is assumed. A follow-up work by Poettering and Sibborn [32] also studied this attack in the discrete logarithm setting, more concretely in the elliptic curve cryptography setting. Their work was more practical, since they had a deep review of two implementations for elliptic curve cryptography.…”

Section: Discrete Logarithm Settingmentioning

confidence: 99%

Cold Boot Attacks on the Supersingular Isogeny Key Encapsulation (SIKE) Mechanism

Villanueva-Polanco

Angulo-Madrid

2020

Applied Sciences

View full text Add to dashboard Cite

This research paper evaluates the feasibility of cold boot attacks on the Supersingular Isogeny Key Encapsulation (SIKE) mechanism. This key encapsulation mechanism has been included in the list of alternate candidates of the third round of the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography Standardization Process. To the best of our knowledge, this is the first time this scheme is assessed in the cold boot attacks setting. In particular, our evaluation is focused on the reference implementation of this scheme. Furthermore, we present a dedicated key-recovery algorithm for SIKE in this setting and show that the key recovery algorithm works for all the parameter sets recommended for this scheme. Moreover, we compute the success rates of our key recovery algorithm through simulations and show the key recovery algorithm may reconstruct the SIKE secret key for any SIKE parameters for a fixed and small α=0.001 (the probability of a 0 to 1 bit-flipping) and varying values for β (the probability of a 1 to 0 bit-flipping) in the set {0.001,0.01,…,0.1}. Additionally, we show how to integrate a quantum key enumeration algorithm with our key-recovery algorithm to improve its overall performance.

show abstract

“…Our algorithm is reminiscent of the cold boot attack of Heninger and Shacham against factorization [14] and its numerous follow-ups, such as [13,19,23]. This is interesting, as these cold boot attacks do not really have a natural polynomial-time counterpart in the discrete logarithm setting (even the attack of Poettering and Sibborn [24] is basically exponential). Applied to a leaky exponentiation algorithm, our algorithm of sidechannel provides such a counterpart.…”

Section: A Polynomial Time Algorithm For 1-bit Leaksmentioning

confidence: 99%

Recovering Secrets From Prefix-Dependent Leakage

Ferradi

Géraud

Guilley

et al. 2020

Journal of Mathematical Cryptology

View full text Add to dashboard Cite

AbstractWe discuss how to recover a secret bitstring given partial information obtained during a computation over that string, assuming the computation is a deterministic algorithm processing the secret bits sequentially. That abstract situation models certain types of side-channel attacks against discrete logarithm and RSA-based cryptosystems, where the adversary obtains information not on the secret exponent directly, but instead on the group or ring element that varies at each step of the exponentiation algorithm.Our main result shows that for a leakage of a single bit per iteration, under suitable statistical independence assumptions, one can recover the whole secret bitstring in polynomial time. We also discuss how to cope with imperfect leakage, extend the model to k-bit leaks, and show how our algorithm yields attacks on popular cryptosystems such as (EC)DSA.

show abstract

Cold Boot Attacks in the Discrete Logarithm Setting

Cited by 12 publications

References 20 publications

Cold Boot Attacks on LUOV

Cold Boot Attacks on LUOV

Cold Boot Attacks on the Supersingular Isogeny Key Encapsulation (SIKE) Mechanism

Recovering Secrets From Prefix-Dependent Leakage

Contact Info

Product

Resources

About