Abstract
Cryptographic and physical leakage attacks on devices and systems that implement cryptosystems are an area of much recent activity. One type of attack is the kleptographic attack, which is mounted against black-box cryptosystems. Such attacks are issued by, and serve solely, the designer/manufacturer of the black box, giving it a unique advantage. Kleptographic attacks are capable of leaking the private keys of users securely and subliminally to the manufacturer, based only on the availability of public values such as keys (produced when the system is initialized) or signature/ciphertext values (produced by the system in operation). These attacks provide a very high level of security against reverse engineering: even if the black box is successfully reverse-engineered, no information is obtained that compromises the secrets of the users (thus the attacker's unique advantage is retained).
Numerous open questions remain in the area. One is that the only key generation procedure with a known attack is RSA/factoring-based public-key cryptography, while for discrete-logarithm-based keys no attacks are known. Similarly open is the existence of bandwidth-optimal leakage attacks, namely attacks that leak the key through a single signature in discrete-logarithm-based signature schemes (both in the full group and in the prime-order subgroup case).
In this paper we solve the above open questions. We develop new attack techniques which, unlike earlier attacks, require only one value in order to leak the secret. This gives an attack on modular exponentiation keys. We then show how to implement an attack on ElGamal signatures which leaks the private key in each signature and which requires only 160 bits of smoothness in p - 1, where p is the common ElGamal prime. The attack utilizes the Newton channel. This channel, however, does not extend to DSA, since DSA operates in a prime-order subgroup of Z_p^*. In the second part of this work we nevertheless show a subliminal channel attack on DSA that assumes the existence of a small amount of non-volatile memory in the device. This gives a kleptographic attack against DSA that also leaks the private key in each signature. Non-volatility is needed only to assure the polynomial indistinguishability of the outputs of the device under attack from those of a normal device. We examine our non-volatility assumption against hardware feasibility (in a quite popular class of EEPROM devices used in the manufacture of smart cards).
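The Newton channel that the ElGamal attack above builds on, as an added toy illustration (not the paper's code and not the paper's kleptographic encoding): the prime is constructed so that 2^16 divides p - 1, the signing device forces the low 16 bits of its nonce k to carry a payload (low bit fixed to 1 so that k stays invertible mod p - 1), and an observer who knows that smooth factor recovers k mod 2^16 from the public value r = g^k mod p alone by a Pohlig-Hellman walk in the order-2^16 subgroup. Here the payload is the signer's private key x, spread over a few signatures. The parameter sizes, the seed, the messages and the chunked encoding of x are assumptions made for the example; the paper's scheme leaks the key in a single signature and hides the leak from everyone but the manufacturer, which this plain channel does not.

```python
"""Toy ElGamal signature with a Newton-channel subliminal leak (added example)."""
import hashlib
import random

S = 16                     # 2**S is the smooth part of p - 1, i.e. the channel width
PAYLOAD_BITS = S - 1       # the low bit of k is pinned to 1, leaving S-1 payload bits
_rng = random.Random(2001) # fixed seed: constructed, reproducible toy parameters


def is_probable_prime(n, rounds=32):
    """Miller-Rabin, adequate for toy-sized parameters."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_params(q_bits=40):
    """Return (p, q, g) with p = 2**S * q + 1 prime, q prime, g a generator of Z_p^*."""
    while True:
        q = _rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        p = (q << S) + 1
        if is_probable_prime(q) and is_probable_prime(p):
            break
    # p - 1 = 2**S * q, so g generates Z_p^* iff neither g^((p-1)/2) nor g^((p-1)/q) is 1
    g = 2
    while pow(g, (p - 1) // 2, p) == 1 or pow(g, (p - 1) // q, p) == 1:
        g += 1
    return p, q, g


def h_msg(msg, p):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % (p - 1)


def leaky_nonce(p, q, payload):
    """Nonce with k = 2*payload + 1 (mod 2**S); the high part is random as usual."""
    low = (payload << 1) | 1                    # odd, so k is coprime to the factor 2
    while True:
        k = (_rng.randrange(0, (p - 1) >> S) << S) | low
        if 1 < k < p - 1 and k % q != 0:        # also coprime to the factor q
            return k


def sign(p, q, g, x, msg, k):
    """Plain ElGamal signature; the leak lives only in how k was chosen."""
    r = pow(g, k, p)
    s = (h_msg(msg, p) - x * r) * pow(k, -1, p - 1) % (p - 1)
    return r, s


def verify(p, g, y, msg, sig):
    r, s = sig
    if not (0 < r < p and 0 < s < p - 1):
        return False
    return pow(y, r, p) * pow(r, s, p) % p == pow(g, h_msg(msg, p), p)


def dlog_pow2(h, t, p):
    """Pohlig-Hellman in the order-2**S subgroup: return e with h**e == t (mod p)."""
    e, h_inv = 0, pow(h, -1, p)
    for i in range(S):
        # remove the bits already recovered, then project onto the order-2 subgroup
        u = pow(t * pow(h_inv, e, p) % p, 1 << (S - 1 - i), p)
        if u != 1:             # u == -1 exactly when bit i of e is set
            e |= 1 << i
    return e


def read_channel(p, g, r):
    """What anyone who knows 2**S | p - 1 learns from r alone: the payload in k."""
    exp = (p - 1) >> S
    h = pow(g, exp, p)                          # generator of the order-2**S subgroup
    return dlog_pow2(h, pow(r, exp, p), p) >> 1


def leak_private_key(p, q, g, x, messages):
    """Device side: each signature carries the next PAYLOAD_BITS bits of x."""
    mask = (1 << PAYLOAD_BITS) - 1
    return [sign(p, q, g, x, m, leaky_nonce(p, q, (x >> (i * PAYLOAD_BITS)) & mask))
            for i, m in enumerate(messages)]


def recover_private_key(p, g, sigs):
    """Observer side: reassemble x from the r values of the captured signatures."""
    return sum(read_channel(p, g, r) << (i * PAYLOAD_BITS) for i, (r, _s) in enumerate(sigs))


def demo():
    p, q, g = make_params()
    x = _rng.randrange(1, p - 1)
    y = pow(g, x, p)
    n_sigs = -(-(p - 1).bit_length() // PAYLOAD_BITS)           # signatures needed for x
    msgs = [b"constructed message %d" % i for i in range(n_sigs)]
    sigs = leak_private_key(p, q, g, x, msgs)
    all_valid = all(verify(p, g, y, m, s) for m, s in zip(msgs, sigs))
    return all_valid, recover_private_key(p, g, sigs) == x, n_sigs
```

The signatures verify normally, and nothing distinguishes a leaky r from an honest one unless the observer knows what the low bits of k are supposed to spell: for an honest signer k mod 2^S is uniform, and for the leaky device it is a fixed function of x, so the bits look random either way. What makes this only a subliminal channel rather than a kleptographic attack is that every observer who notices the smooth factor reads the same payload; the paper's contribution is to keep that readable by the manufacturer alone while preserving indistinguishability.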
References
R. Anderson, S. Vaudenay, B. Preneel, K. Nyberg. The Newton Channel. In Workshop on Information Hiding, Isaac Newton Institute, 1996. (Also available from Ross Anderson's homepage.)
M. Bellare, S. Goldwasser, D. Micciancio. Pseudo-Random Number Generation within Cryptographic Algorithms: the DSS Case. In Advances in Cryptology—CRYPTO '97, Springer-Verlag.
W. Diffie, M. Hellman. New Directions in Cryptography. In IEEE Transactions on Information Theory, vol. IT-22, no. 6, pages 644–654, Nov. 1976.
Proposed Federal Information Processing Standard for Digital Signature Standard (DSS). In Federal Register, vol. 56, no. 169, pages 42980–42982, 1991.
T. ElGamal. A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology—CRYPTO '84, pages 10–18, 1985. Springer-Verlag.
O. Goldreich, S. Goldwasser, S. Micali. How to Construct Random Functions. In Journal of the ACM, 33(4), pages 210–217, 1986.
J. Lacy, D. Mitchell, W. Schell. CryptoLib: Cryptography in Software. In Proceedings of the IV UNIX Security Symposium, USENIX Association.
K. Nyberg, R. Rueppel. Message Recovery for Signature Schemes Based on the Discrete Logarithm Problem. In Advances in Cryptology—Eurocrypt '94, pages 182–193, 1994. Springer-Verlag.
S. C. Pohlig. An Improved Algorithm for Computing Logarithms over GF(p) and its Cryptographic Significance. In IEEE Transactions on Information Theory, vol. 24, no. 1, pages 106–110, 1978.
J. M. Pollard. Monte Carlo Methods for Index Computation (mod p). In Mathematics of Computation, vol. 32, no. 143, pages 918–924, 1978.
B. Schneier. Applied Cryptography, 1994. John Wiley and Sons, Inc.
C. Schnorr. Efficient Signature Generation by Smart Cards. In Journal of Cryptology, vol. 4, pages 161–174, 1991.
G. J. Simmons. The Subliminal Channel and Digital Signatures. In Advances in Cryptology—Eurocrypt '84, pages 51–57, 1985.
G. J. Simmons. Subliminal Communication is Easy Using the DSA. In Advances in Cryptology—Eurocrypt '93, 1993.
G. J. Simmons. Subliminal Channels: Past and Present. In European Transactions on Telecommunications, vol. 5, pages 459–473, 1994.
A. Young, M. Yung. The Dark Side of Black-Box Cryptography. In Advances in Cryptology—CRYPTO '96, pages 89–103, Springer-Verlag.
A. Young, M. Yung. Kleptography: Using Cryptography against Cryptography. In Advances in Cryptology—Eurocrypt '97, pages 62–74. Springer-Verlag.
A. Young, M. Yung. The Prevalence of Kleptographic Attacks on Discrete-Log Based Cryptosystems. In Advances in Cryptology—CRYPTO '97, Springer-Verlag.
© 2001 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Young, A., Yung, M. (2001). Bandwidth-Optimal Kleptographic Attacks. In: Koç, Ç.K., Naccache, D., Paar, C. (eds) Cryptographic Hardware and Embedded Systems — CHES 2001. CHES 2001. Lecture Notes in Computer Science, vol 2162. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-44709-1_20
DOI: https://doi.org/10.1007/3-540-44709-1_20
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-42521-2
Online ISBN: 978-3-540-44709-2
eBook Packages: Springer Book Archive