Practical Fault Injection on Deterministic Signatures: The Case of EdDSA

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10831)

Abstract

After recent vulnerabilities in implementations of deterministic signatures such as EdDSA have been revealed, it became evident that a secure deployment of these schemes will require additional countermeasures. Nevertheless, this is not a simple task, as we show in this work. We demonstrate how easily fault attacks can be mounted on EdDSA as implemented in the lightweight cryptographic library WolfSSL on a 32-bit micro-controller. We achieve success rates of almost 100% with both voltage glitching and electromagnetic fault injection. Even after adding certain checks as a countermeasure, the implementation remains vulnerable to fault injection. As only a single successful fault is needed to recover the key, this kind of implementation is an easy target for attackers.

Keywords

ECC · EdDSA · Differential fault attack

Notes

Acknowledgments

This work was supported in part by the Technology Foundation STW (Projects 13499 TYPHOON and 12624 SIDES) and The Netherlands Organization for Scientific Research NWO (project ProFIL 628.001.007) and by a project funded by DarkMatter LLC.


Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

Digital Security Group, Radboud University, Nijmegen, The Netherlands