Lattice Attacks on Pairing-Based Signatures

Abstract

Practical implementations of cryptosystems often suffer from critical information leakage through side-channels (such as their power consumption or their electromagnetic emanations). For public-key cryptography on embedded systems, the core operation is usually group exponentiation – or scalar multiplication on elliptic curves – which is a sequence of group operations derived from the private-key that may reveal secret bits to an attacker (on an unprotected implementation).

We present lattice-based polynomial-time (heuristic) algorithms that recover the signer’s secret in popular pairing-based signatures when used to sign several messages under the assumption that blocks of consecutive bits of the corresponding exponents are known by the attacker. Our techniques relies upon Coppersmith method and apply to all signatures in the so-called exponent-inversion framework in the standard security model (i.e. Boneh-Boyen and Gentry signatures) as well as in the random oracle model (i.e. Sakai-Kasahara signatures).

A Concrete Attack Examples Against Gentry Signatures

In this section, we present two attack examples on Gentry signatures for a 256-bit prime p with 3 signatures \((r_0,\sigma _0)\), \((r_1,\sigma _1)\) and \((r_2,\sigma _2)\) and one T-bit unknown block in each signature, with \(T=\lfloor 0.3\log _2(p)\rfloor \).

We recall that for \(i\in \{0,1,2\}\), \(\sigma _i = g^{s_i}\) where \(s_i=(y+r_i)/(x+m) \bmod p\), x and y are the secret keys and p, m and \(r_i\), \(i\in \{0,1,2\}\) are public information. In this example, we took the following random values:

• \(p=\texttt {\small 9b814891e89496e776bfeeebcac5c74130862914fe2b928d40c3a88323dcbaaf}\)

• \(m=\texttt {\small 440f4a9df2936c4aad3856ed0ea5cf3d131ef658fc36c2fa56763373288d5519}\)

• \(x=\texttt {\small 57a7b0913f5202e31555ec9538ff90f38a5e6c53b359edfe1106c8ee9518029a}\)

• \(y=\texttt {\small 259b67be7de53e0546860379bc31ab9bb30caf68c314a956a1719e18d4a24ae2}\)

• \(r_0=\texttt {\small 75c471becf6a9d86aa5480985a95702617892ba84b7662d6bdf3a3c1931abf3b}\)

• \(r_1=\texttt {\small 675e28ffbf96b29365ebda463c3a0a4290a284f9fed9ddd0ccdada587c1f0152}\)

• \(r_2=\texttt {\small 7961b0df3f0a286547f25da59a7c2a7c28764f4335a0aa2cd5a72ba2393a6cd3}\)

• \(s_0=\texttt {\small 45f185a8ce35c2b95b3e1aef9fc516ec9e840c9a5b6b36c70532b10145790401}\)

• \(s_1=\texttt {\small 8f63fe87fd0d67f6594ff44ba86a2755b2b6ad6a0b7ab4aafecae41fca50c713}\)

• \(s_2=\texttt {\small 57de02b444bb7716c021d21162c3727ba904ae6e4d44aca2ad9f4406669e8744}\)

and \(T=\lfloor 0.3\log _2(p)\rfloor =76\).

In the first case, we suppose that we do not know any least significant bits of each signature and show that we are unable to find the unknown blocks since the Gröbner basis gives us a system of dimension 1.

In the second case, we suppose that we know \(T+2\) least significant bits of \(\sigma _0\) but do not know any least significant bits of \(s_1\), and \(s_2\). We also suppose that we do not know T intermediate bits of \(s_0\) and we show that in this case we are able to find the unknown blocks since the Gröbner basis gives us a system of dimension 0.

First Case

• We can write the signatures as:

  $$\begin{aligned} s_0&= 2^{T} \cdot \texttt {\small 45f185a8ce35c2b95b3e1aef9fc516ec9e840c9a5b6b3} +z_0, \\ s_1&= 2^{T} \cdot \texttt {\small 8f63fe87fd0d67f6594ff44ba86a2755b2b6ad6a0b7ab}+ z_1, \\ s_2&= 2^{T} \cdot \texttt {\small 57de02b444bb7716c021d21162c3727ba904ae6e4d44a} +z_2, \end{aligned}$$

  where the T-bit numbers \(z_0\), \(z_1\) and \(z_2\) are the unknown blocks.

• We get the polynomial \(f(y_0,y_1,y_2)\) defined by:

  $$\begin{aligned} y_2&+ \texttt {\small 86acc2de9d15dab4df6a8114243623f246376c1103c29ee97a0dd7490f87eb33} \, y_1 \\&+ \texttt {\small 14d485b34b7ebc3297556dd7a68fa34eea4ebd03fa68f3a3c6b5d13a1454cf7b} \, y_0 \\&+ \texttt {\small 11f10fbe97565b062acfb71c6d98f596de6c1e236edaa9168d891d78d66e8c4a} \end{aligned}$$

  having as root \((z_0,z_1,z_2)\) modulo p.

• Constructing the lattice with \(m=4\), after the LLL reduction and the Gröbner basis computation, we obtain the system of polynomials

  $$\begin{aligned} \left\{ \begin{array}{rcl} f_1(y_0,y_1,y_2) &{} = &{} y_2 - y_0 - \texttt {5dba86c930521258343} \\ f_2(y_0,y_1,y_2) &{} = &{} y_1 - y_0 + \texttt {21c0667cce17b283cee} \end{array} \right. \end{aligned}$$

  having indeed \((z_0,z_1,z_2)\) as root over the integers. However, the dimension of the system is 1 and then we are a priori unable to find the unknown blocks.

Second Case

• We can write the signatures as:

  $$\begin{aligned} s_0&= \texttt {\small 36c70532b10145790401} +2^{79} \cdot z_0 + 2^{79+T} \cdot \texttt {\small 8be30b519c6b8572b67c35df3} \\ s_1&= 2^{T} \cdot \texttt {\small 8f63fe87fd0d67f6594ff44ba86a2755b2b6ad6a0b7ab} + z_1 \\ s_2&= 2^{T} \cdot \texttt {\small 57de02b444bb7716c021d21162c3727ba904ae6e4d44a} + z_2 \end{aligned}$$

  where the T-bit numbers \(z_0\), \(z_1\) and \(z_2\) are the unknown blocks.

• If one proceeds like in the attack, we obtain the polynomial \(f(y_0,y_1,y_2)\) defined by

  $$\begin{aligned} y_2&+ \texttt {\small 86acc2de9d15dab4df6a8114243623f246376c1103c29ee97a0dd7490f87eb33} \, y_1 \\&+ \texttt {\small 78836c7dbcc6bee53ea07b359a07fa111e09607336b452976acd0f0ec2a0c985} \, y_0 \\&+ \texttt {\small 77b82eec348f27f19cb7a6c1cc895cf7261093b80d067ea4eb7b8da90e1ae306} \end{aligned}$$

  having as root \((z_0,z_1,z_2)\) modulo p.

• Constructing the lattice with \(m=4\), after the LLL reduction and the Gröbner basis computation, one obtains the system of polynomials

  $$\begin{aligned} \left\{ \begin{array}{rcl} f_1(y_0,y_1,y_2) &{} = &{} y_2 - \texttt {ca2ad9f4406669e8744} \\ f_2(y_0,y_1,y_2) &{} = &{} y_1 - \texttt {4aafecae41fca50c713} \\ f_3(y_0,y_1,y_2) &{} = &{} y_0 - \texttt {f8a2dd93d081934b6d6} \end{array} \right. \end{aligned}$$

  having \((z_0,z_1,z_2)\) as root over the integers. The dimension of the system is 0 and one finds readily the unknown blocks.