Attacking Deterministic Signature Schemes Using Fault Attacks

Many digital signature schemes rely on random numbers that are unique and non-predictable per signature. Failures of random number generators may have catastrophic effects such as compromising private signature keys. In recent years, many widely-used cryptographic technologies adopted deterministic signature schemes because they are presumed to be safer to implement. In this paper, we analyze the security of deterministic ECDSA and EdDSA signature schemes and show that the elimination of random number generators in these schemes enables new kinds of fault attacks. We formalize these attacks and introduce practical attack scenarios against EdDSA using the Rowhammer fault attack. EdDSA is used in many widely used protocols such as TLS, SSH, and IPSec, and we show that these protocols are not vulnerable to our attack. We formalize the necessary requirements of protocols using these deterministic signature schemes to be vulnerable, and discuss mitigation strategies and their effect on fault attacks against deterministic signature schemes.
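To make the abstract's core observation concrete, here is an added toy model (not code from the paper) of an EdDSA-shaped deterministic Schnorr signature, a constructed fault that corrupts the message copy used for the challenge hash after the nonce has already been fixed, the key recovery that the shared nonce then permits, and the verify-before-release check that stops the faulted signature from ever leaving the signer. The group (a 1019-element subgroup of Z_2039^*), the SHA-256 stand-in for EdDSA's hash, and the single-bit-flip fault model are all assumptions chosen for illustration.

```python
import hashlib

# Constructed toy parameters: p = 2q + 1 with q prime; g = 4 generates the order-q subgroup.
P, Q, G = 2039, 1019, 4

def H(*parts: bytes) -> int:
    """Hash to an integer mod Q (toy stand-in for the SHA-512 used by EdDSA)."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % Q

def keygen(seed: bytes):
    a = H(b"key", seed) or 1               # secret scalar, never 0 mod Q
    return a, pow(G, a, P)                 # (private, public)

def sign(a: int, A: int, msg: bytes, fault=None):
    """Deterministic signing. `fault` (constructed fault model) flips one bit of the
    message copy used for the challenge hash, after the nonce is already fixed."""
    r = H(b"nonce", a.to_bytes(2, "big"), msg)   # nonce depends only on (a, msg)
    R = pow(G, r, P)
    m = bytearray(msg)
    if fault is not None:
        m[fault // 8] ^= 1 << (fault % 8)
    h = H(R.to_bytes(2, "big"), A.to_bytes(2, "big"), bytes(m))
    return R, (r + h * a) % Q

def verify(A: int, msg: bytes, sig) -> bool:
    R, s = sig
    h = H(R.to_bytes(2, "big"), A.to_bytes(2, "big"), msg)
    return pow(G, s, P) == (R * pow(A, h, P)) % P

def sign_checked(a: int, A: int, msg: bytes, fault=None):
    """Mitigation: verify before releasing, so a faulted signature is never emitted."""
    sig = sign(a, A, msg, fault)
    if not verify(A, msg, sig):
        raise RuntimeError("signature self-check failed; possible fault")
    return sig

def recover_key(A: int, msg: bytes, good, bad):
    """Both signatures share R (same nonce), so s1 - s2 = (h1 - h2) * a mod Q.
    The faulted message is unknown, so every single-bit flip of msg is tried."""
    (R1, s1), (R2, s2) = good, bad
    assert R1 == R2, "nonce differs; this recovery needs a shared nonce"
    h1 = H(R1.to_bytes(2, "big"), A.to_bytes(2, "big"), msg)
    for bit in range(8 * len(msg)):
        m = bytearray(msg)
        m[bit // 8] ^= 1 << (bit % 8)
        h2 = H(R1.to_bytes(2, "big"), A.to_bytes(2, "big"), bytes(m))
        # A candidate h2 passing the verification equation pins down the true challenge.
        if h1 != h2 and pow(G, s2, P) == (R1 * pow(A, h2, P)) % P:
            return (s1 - s2) * pow(h1 - h2, -1, Q) % Q
    return None
```

With a randomized nonce the two signatures would have different R values and the division in `recover_key` would not apply; with a deterministic nonce, `sign_checked` is the line of defence that keeps the faulted signature from being observed at all.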
