Modeling Memory Faults in Signature and Authenticated Encryption Schemes

  • Conference paper
Topics in Cryptology – CT-RSA 2020 (CT-RSA 2020)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12006)

Abstract

Memory fault attacks, which induce errors in computations, have been an ever-evolving threat to cryptographic schemes since Boneh et al. (Eurocrypt 1997) first applied them to cryptography. Initially requiring physical tampering with hardware, the software-based rowhammer attack put forward by Kim et al. (ISCA 2014) made fault attacks possible also through malicious software running on the same host machine. This led to concerning novel attack vectors, for example on deterministic signature schemes, whose approach of avoiding any dependency on (good) randomness renders them vulnerable to fault attacks. This has been demonstrated in realistic adversarial settings in a series of recent works. However, a unified formalism for different memory fault attacks, one that also allows arguing the security of countermeasures, is still missing.

In this work, we suggest a generic extension for existing security models that enables a game-based treatment of cryptographic fault resilience. Our modeling specifies exemplary memory fault attack types of different strength, ranging from random bit-flip faults to differential (rowhammer-style) faults to full adversarial control on indicated memory variables. We apply our model first to deterministic signatures to revisit known fault attacks as well as to establish provable guarantees of fault resilience for proposed fault-attack countermeasures. In a second application to nonce-misuse resistant authenticated encryption, we provide the first fault-attack treatment of the SIV mode of operation and give a provably secure fault-resilient variant.

Notes

  1. https://qtesla.org/.

  2. https://pq-crystals.org/.

  3. https://microsoft.github.io/Picnic/.

  4. The adversary can opt to not modify the variable by returning a special symbol \(\bot \).

  5. One can also argue that the notions form a strict hierarchy (i.e., that the reverse implications do not hold) if used to attack cryptographic schemes. E.g., bending an \(\mathcal {A}\)-known \(\lambda \)-bit string x to some random string r (say, to trigger randomness reuse in a scheme) is easily achieved via full faults, but only with probability \(2^{-\lambda /2}\) for differential faults with \(w=\lambda /2\). Similarly, flipping \(w=\lambda /2\) bits in x to 0 is easy with w-differential faults, but hard with random faults.

  6. For completeness, observe that the fault attack described in the following also applies when introducing faults into r instead of m. Due to the usually larger size of m, which facilitates bit flips in m through rowhammer attacks, we focus on faulting m, but note that similar results apply for faulting r.

  7. Note that we treat the underlying (randomized) signature scheme \(\mathcal {S}\) as well as the hash function \(\mathsf {H}\) in a black-box manner, both for the positive fault resilience results here and for the generic fault attacks on \(\mathcal {S}_\mathsf {dr}\) before. Of course, studying the fault resilience of specific such constructions is a valuable target on its own, which we leave for future work.

  8. Alternatively, one may include r as an additional component in the ciphertext. This, however, degrades security to real-or-random indistinguishability in case of weak randomness values r.

  9. Analogous to the signature case in Theorem 2, the first part of the statement again only serves as a baseline result. It shows that \(\mathsf {SIV\$}\) provides at least the security of SIV even if the added randomness \(r'\) is completely flawed.
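To make the three fault types named in the abstract and in footnotes 4 and 5 concrete, here is an added Python sketch (constructed for this page, not the paper's own code or model) of the three fault oracles and the hierarchy between them; the names random_fault, differential_fault, full_fault, BOT and bend_to_target are assumptions of this example.

```python
import secrets
from typing import Optional

# Constructed toy model (not the paper's code) of the three memory fault types from the
# abstract and footnotes 4 and 5. A fault oracle takes the current value of a memory
# variable x and returns the value the scheme will actually compute with.
BOT = None  # the special symbol \bot of footnote 4: the adversary leaves x untouched


def hamming_weight(b: bytes) -> int:
    return sum(bin(byte).count("1") for byte in b)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def random_fault(x: bytes) -> bytes:
    """Random fault: one uniformly chosen bit of x flips; the adversary chooses nothing."""
    i = secrets.randbelow(len(x) * 8)
    out = bytearray(x)
    out[i // 8] ^= 1 << (i % 8)
    return bytes(out)


def differential_fault(x: bytes, delta: bytes, w: int) -> bytes:
    """w-differential (rowhammer-style) fault: the adversary picks a difference delta of
    Hamming weight at most w, without needing to know x, and x becomes x XOR delta."""
    if len(delta) != len(x):
        raise ValueError("difference must cover exactly the faulted variable")
    if hamming_weight(delta) > w:
        raise ValueError(f"at most {w} bit flips allowed, got {hamming_weight(delta)}")
    return xor(x, delta)


def full_fault(x: bytes, new_value: Optional[bytes]) -> bytes:
    """Full fault: the adversary overwrites x with any value of its choice, or returns BOT."""
    if new_value is BOT:
        return x
    if len(new_value) != len(x):
        raise ValueError("replacement must have the variable's length")
    return new_value


# Footnote 5's hierarchy, stated constructively: each weaker fault type is a special case
# of the next stronger one, so resilience against the stronger type implies resilience
# against the weaker one.
def random_as_differential(x: bytes, bit_index: int) -> bytes:
    """A single bit flip at bit_index is a 1-differential fault with a unit-vector delta."""
    delta = bytearray(len(x))
    delta[bit_index // 8] = 1 << (bit_index % 8)
    return differential_fault(x, bytes(delta), w=1)


def differential_as_full(x: bytes, delta: bytes, w: int) -> bytes:
    """A w-differential fault is a full fault whose replacement value is x XOR delta."""
    return full_fault(x, differential_fault(x, delta, w))


def bend_to_target(x: bytes, target: bytes, w: int) -> bool:
    """Footnote 5's separation: bending a known x to target requires flipping exactly the
    bits where they differ; a w-differential fault can do that only if that count is at
    most w, whereas a full fault always can."""
    return hamming_weight(xor(x, target)) <= w
```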

References

  1. Ambrose, C., Bos, J.W., Fay, B., Joye, M., Lochter, M., Murray, B.: Differential attacks on deterministic signatures. In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808, pp. 339–353. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76953-0_18

  2. Aranha, D.F., Orlandi, C., Takahashi, A., Zaverucha, G.: Security of hedged Fiat-Shamir signatures under fault attacks. Cryptology ePrint Archive, Report 2019/956 (2019). https://eprint.iacr.org/2019/956

  3. Bar-El, H., Choukri, H., Naccache, D., Tunstall, M., Whelan, C.: The sorcerer’s apprentice guide to fault attacks. Proc. IEEE 94(2), 370–382 (2006)

  4. Barenghi, A., Breveglieri, L., Koren, I., Naccache, D.: Fault injection attacks on cryptographic devices: theory, practice, and countermeasures. Proc. IEEE 100(11), 3056–3076 (2012)

  5. Barenghi, A., Pelosi, G.: A note on fault attacks against deterministic signature schemes. In: Ogawa, K., Yoshioka, K. (eds.) IWSEC 2016. LNCS, vol. 9836, pp. 182–192. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-44524-3_11

  6. Barthe, G., Dupressoir, F., Fouque, P.-A., Grégoire, B., Tibouchi, M., Zapalowicz, J.-C.: Making RSA–PSS provably secure against non-random faults. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 206–222. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44709-3_12

  7. Bellare, M., et al.: Hedged public-key encryption: how to protect against bad randomness. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 232–249. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_14

  8. Bellare, M., Cash, D.: Pseudorandom functions and permutations provably secure against related-key attacks. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 666–684. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_36

  9. Bellare, M., Cash, D., Miller, R.: Cryptography secure against related-key attacks and tampering. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 486–503. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_26

  10. Bellare, M., Goldreich, O., Goldwasser, S.: Incremental cryptography: the case of hashing and signing. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 216–233. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_22

  11. Bellare, M., Goldreich, O., Goldwasser, S.: Incremental cryptography and application to virus protection. In: 27th ACM STOC, pp. 45–56. ACM Press, May/Jun 1995

  12. Bellare, M., Kohno, T.: Hash function balance and its impact on birthday attacks. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 401–418. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_24

  13. Bellare, M., Paterson, K.G., Rogaway, P.: Security of symmetric encryption against mass surveillance. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 1–19. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_1

  14. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) ACM CCS 93, pp. 62–73. ACM Press, November 1993

  15. Bellare, M., Rogaway, P.: The exact security of digital signatures-how to sign with RSA and Rabin. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_34

  16. Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.-Y.: High-speed high-security signatures. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 124–142. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23951-9_9

  17. Biehl, I., Meyer, B., Müller, V.: Differential fault attacks on elliptic curve cryptosystems. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_8

  18. Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052259

  19. Blömer, J., Günther, P.: Singular curve point decompression attack. In: 2015 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 71–84 (2015)

  20. Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults (extended abstract). In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_4

  21. Breitner, J., Heninger, N.: Biased nonce sense: lattice attacks against weak ECDSA signatures in cryptocurrencies. In: Goldberg, I., Moore, T. (eds.) FC 2019. LNCS, vol. 11598, pp. 3–20. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-32101-7_1

  22. Brengel, M., Rossow, C.: Identifying key leakage of bitcoin users. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds.) RAID 2018. LNCS, vol. 11050, pp. 623–643. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-00470-5_29

  23. CAESAR: Competition for authenticated encryption: Security, applicability, and robustness. https://competitions.cr.yp.to/caesar.html

  24. CERT Vulnerability Notes Database: Vulnerability note VU#925211: Debian and Ubuntu OpenSSL packages contain a predictable random number generator (2008). https://www.kb.cert.org/vuls/id/925211

  25. Coron, J.-S., Mandal, A.: PSS is secure against random fault attacks. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 653–666. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_38

  26. Dobraunig, C., Eichlseder, M., Korak, T., Lomné, V., Mendel, F.: Statistical fault attacks on nonce-based authenticated encryption schemes. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 369–395. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_14

  27. Dobraunig, C., Mangard, S., Mendel, F., Primas, R.: Fault attacks on nonce-based authenticated encryption: application to Keyak and Ketje. In: Cid, C., Jacobson, M.J. (eds.) SAC 2018. LNCS, vol. 11349, pp. 257–277. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-030-10970-7_12

  28. Dorrendorf, L., Gutterman, Z., Pinkas, B.: Cryptanalysis of the Windows random number generator. In: Ning, P., De Capitani di Vimercati, S., Syverson, P.F. (eds.) ACM CCS 2007, pp. 476–485. ACM Press, October 2007

  29. Dworkin, M.: Recommendation for block cipher modes of operation: Galois/Counter Mode (GCM) and GMAC. NIST Special Publication 800-38D, November 2007

  30. fail0verflow: Console hacking 2010: PS3 epic fail. In: 27th Chaos Communication Congress. Chaos Computer Club (2010)

  31. Fischlin, M., Günther, F.: Modeling memory faults in signature and authenticated encryption schemes. Cryptology ePrint Archive, Report 2019/1053 (2019). https://eprint.iacr.org/2019/1053

  32. Fouque, P.-A., Guillermin, N., Leresteux, D., Tibouchi, M., Zapalowicz, J.-C.: Attacking RSA–CRT signatures with faults on Montgomery multiplication. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 447–462. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33027-8_26

  33. Gennaro, R., Lysyanskaya, A., Malkin, T., Micali, S., Rabin, T.: Algorithmic tamper-proof (ATP) security: theoretical foundations for security against hardware tampering. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 258–277. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_15

  34. Goldberg, I., Wagner, D.: Randomness and the Netscape browser. Dr. Dobb’s J. 21, 66–71 (1996)

  35. Gueron, S., Lindell, Y.: GCM-SIV: full nonce misuse-resistant authenticated encryption at under one cycle per byte. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 109–119. ACM Press, October 2015

  36. Gutterman, Z., Pinkas, B., Reinman, T.: Analysis of the Linux random number generator. In: 2006 IEEE Symposium on Security and Privacy, pp. 371–385. IEEE Computer Society Press, May 2006

  37. Ishai, Y., Prabhakaran, M., Sahai, A., Wagner, D.: Private circuits II: keeping secrets in tamperable circuits. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 308–327. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_19

  38. Joux, A.: Authentication failures in NIST version of GCM (2006). http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/Joux_comments.pdf

  39. Joye, M., Lenstra, A.K., Quisquater, J.J.: Chinese remaindering based cryptosystems in the presence of faults. J. Cryptol. 12(4), 241–245 (1999)

  40. Kim, Y., et al.: Flipping bits in memory without accessing them: an experimental study of DRAM disturbance errors. In: Proceedings of the 41st Annual International Symposium on Computer Architecture, ISCA 2014, pp. 361–372. IEEE Press, Piscataway, NJ, USA (2014)

  41. Lenstra, A.K.: Memo on RSA signature generation in the presence of faults (1996)

  42. May, T.C., Woods, M.H.: A new physical mechanism for soft errors in dynamic memories. In: 16th International Reliability Physics Symposium, pp. 33–40, April 1978

  43. McGrew, D.A., Viega, J.: The security and performance of the Galois/Counter Mode (GCM) of operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 343–355. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30556-9_27

  44. M’Raïhi, D., Naccache, D., Pointcheval, D., Vaudenay, S.: Computational alternatives to random number generators. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 72–80. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48892-8_6

  45. Namprempre, C., Rogaway, P., Shrimpton, T.: Reconsidering generic composition. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 257–274. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_15

  46. National Institute of Standards and Technology: Digital Signature Standard (DSS) (FIPS PUB 186-4), July 2013

  47. Perrin, T.: The XEdDSA and VXEdDSA signature schemes (2016). https://signal.org/docs/specifications/xeddsa/

  48. Poddebniak, D., Somorovsky, J., Schinzel, S., Lochter, M., Rösler, P.: Attacking deterministic signature schemes using fault attacks. In: 2018 IEEE European Symposium on Security and Privacy, EuroS&P 2018, pp. 338–352. IEEE, April 2018

  49. Pornin, T.: Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA). RFC 6979 (Informational), August 2013. https://www.rfc-editor.org/rfc/rfc6979.txt

  50. Razavi, K., Gras, B., Bosman, E., Preneel, B., Giuffrida, C., Bos, H.: Flip Feng Shui: hammering a needle in the software stack. In: Holz, T., Savage, S. (eds.) USENIX Security 2016, pp. 1–18. USENIX Association, August 2016

  51. Rogaway, P.: Authenticated-encryption with associated-data. In: Atluri, V. (ed.) ACM CCS 2002, pp. 98–107. ACM Press, November 2002

  52. Rogaway, P.: Nonce-based symmetric encryption. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 348–358. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-25937-4_22

  53. Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_23

  54. Romailler, Y., Pelissier, S.: Practical fault attack against the Ed25519 and EdDSA signature schemes. In: 2017 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 17–24 (2017)

  55. Samwel, N., Batina, L.: Practical fault injection on deterministic signatures: the case of EdDSA. In: Joux, A., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2018. LNCS, vol. 10831, pp. 306–321. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89339-6_17

  56. Samwel, N., Batina, L., Bertoni, G., Daemen, J., Susella, R.: Breaking Ed25519 in WolfSSL. In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808, pp. 1–20. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76953-0_1

  57. Schmidt, B.: [curves] EdDSA specification (2016). https://moderncrypto.org/mail-archive/curves/2016/000768.html

  58. Signal: Technical documentation. https://whispersystems.org/docs/

  59. Takahashi, A., Tibouchi, M.: Degenerate fault attacks on elliptic curve parameters in OpenSSL. In: 2019 IEEE European Symposium on Security and Privacy, EuroS&P 2019. IEEE, June 2019, to appear

  60. Vaudenay, S.: The security of DSA and ECDSA. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 309–323. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_23

  61. Ylonen, T., Lonvick, C. (ed.) The Secure Shell (SSH) Authentication Protocol. RFC 4252 (Proposed Standard), January 2006. https://www.rfc-editor.org/rfc/rfc4252.txt, updated by RFCs 8308, 8332

Acknowledgments

Felix Günther is supported in part by Research Fellowship grant GU 1859/1-1 of the German Research Foundation (DFG) and National Science Foundation (NSF) grants CNS-1526801 and CNS-1717640. This work has been co-funded by the DFG as part of project P2 within the CRC 1119 CROSSING. Most of the work on this paper was done while Felix Günther was at UC San Diego.

Corresponding author

Correspondence to Felix Günther.

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Fischlin, M., Günther, F. (2020). Modeling Memory Faults in Signature and Authenticated Encryption Schemes. In: Jarecki, S. (ed.) Topics in Cryptology – CT-RSA 2020. CT-RSA 2020. Lecture Notes in Computer Science, vol 12006. Springer, Cham. https://doi.org/10.1007/978-3-030-40186-3_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-40186-3_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-40185-6

  • Online ISBN: 978-3-030-40186-3

  • eBook Packages: Computer Science (R0)
