Grafting Trees: a Fault Attack against the SPHINCS framework



SLIDE 1

Introduction | Hash-based signatures | Grafting trees | Conclusion

Grafting Trees: a Fault Attack against the SPHINCS framework

Laurent Castelnovi, Ange Martinelli, Thomas Prest

SLIDE 2

Introduction

Hash-based signatures:

➳ Signatures based on the collision or preimage resistance of hash functions
➳ Optimal from a security perspective [Rom90]
➳ Post-quantum: two proposals to NIST's CFP [AE17, BDE+17]

Obvious question: do they resist fault attacks?

➳ Short answer: No.
➳ This talk: a fault attack against schemes of the SPHINCS family:
    ➵ The original SPHINCS [BHH+15]
    ➵ Gravity-SPHINCS [AE17]
    ➵ SPHINCS+ [BDE+17]

Let's fault stuff!

SLIDE 3

Outline of this talk

1 Introduction
2 Hash-based signatures
    1 One-time signatures (OTS)
    2 Merkle's construction
    3 Goldreich's construction
    5 The SPHINCS framework
3 Grafting trees
    1 Outline of the attack
    2 Faulting step
    3 Grafting step
    4 Specifics of each scheme
4 Conclusion

SLIDE 5

One-time signatures (OTS) from hash functions

A toy example:

➳ $sk = (s_1, s_2) \in \{0, 1\}^{256 \times 2}$
➳ $pk = (p_1, p_2) = (H^N(s_1), H^N(s_2))$
➳ Sign($m \in \{0, \dots, N\}$):

$$sig(m) = (\sigma_1, \sigma_2) = (H^m(s_1), H^{N-m}(s_2)) \qquad (1)$$

➳ Verify($m$, $sig$): accept if and only if

$$(H^{N-m}(\sigma_1), H^m(\sigma_2)) = pk$$

➳ one signature ⇒ existentially unforgeable
➳ two signatures ⇒ existential forgery for a proportion $\approx |m_1 - m_2| / N$ of the messages

For WOTS(+), the OTS used in schemes of the SPHINCS family:

➳ one signature ⇒ existentially unforgeable
➳ two signatures ⇒ existential forgery for a proportion $2^{-34}$ of the messages

Feature common to all hash-based signatures: From a valid signature, one can recover the public key.
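The toy scheme above as an added Python example (not code from the slides), showing both public-key recovery from a signature and why a second signature under the same key exposes every message between the two signed ones. SHA-256 stands in for H, N = 16 is an arbitrary small chain length, and all function names are assumptions.

```python
import hashlib
import os

N = 16  # chain length (assumed small value); messages are integers 0..N


def H(x: bytes, times: int = 1) -> bytes:
    """H^times(x), with SHA-256 standing in for the slide's H."""
    for _ in range(times):
        x = hashlib.sha256(x).digest()
    return x


def keygen():
    sk = (os.urandom(32), os.urandom(32))      # (s1, s2), 256 bits each
    pk = (H(sk[0], N), H(sk[1], N))            # (H^N(s1), H^N(s2))
    return sk, pk


def sign(sk, m: int):
    return (H(sk[0], m), H(sk[1], N - m))      # equation (1)


def recover_pk(m: int, sig):
    """Anyone can finish both chains: a valid signature yields pk."""
    return (H(sig[0], N - m), H(sig[1], m))


def verify(pk, m: int, sig) -> bool:
    return 0 <= m <= N and recover_pk(m, sig) == pk


def derive_from_two(m1, sig1, m2, sig2, m):
    """Build sig(m) without sk from signatures on m1 and m2.

    Works only for min(m1, m2) <= m <= max(m1, m2): the first chain can be
    walked forward from the smaller message, the second from the larger.
    """
    (lo, sig_lo), (hi, sig_hi) = sorted([(m1, sig1), (m2, sig2)])
    if not lo <= m <= hi:
        raise ValueError("outside the range exposed by the two signatures")
    return (H(sig_lo[0], m - lo), H(sig_hi[1], hi - m))


def exposed_fraction(m1: int, m2: int) -> float:
    """The slide's approximation |m1 - m2| / N of the exposed message space."""
    return abs(m1 - m2) / N
```

With a single signature neither chain can be walked backwards, so `verify` rejects any other message; this is the property the fault in the later slides removes by making one OTS sign two values.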

SLIDE 6

Merkle's construction [Mer90]

[Figure: binary Merkle tree with root H, internal nodes H0, H1, H00, H01, H10, H11 and eight OTS keypairs (pk000, sk000) ... (pk111, sk111) at the leaves. Legend: Secret key, Public key, OTS keypair, Signature(m), deduced from Signature(m). For a message m signed with sk000, Signature(m) is shown as σ_sk000(m) together with pk001, H01 and H1; pk000, H00, H0 and H are deduced from Signature(m).]

SLIDE 9

Goldreich's construction (abstract) [Gol86]

[Figure: tree of Merkle trees. Legend: Merkle tree, OTS keypair.]

SLIDE 10

Goldreich's construction (detailed)

[Figure: binary tree with hash nodes H, H0, H1, H00, H01, H10, H11 and an OTS keypair at every node, from (pk0, sk0) and (pk1, sk1) down to (pk000, sk000) ... (pk111, sk111). Legend: Secret key, Public key, OTS keypair, Signature(m), deduced from Signature(m). For a message m, the signature chain shown is σ_sk000(m), σ_sk00(H00), σ_sk0(H0), with the nodes pk001, pk01, pk1, pk000, pk00, pk0, H, H0 and H00 highlighted.]

SLIDE 11

The SPHINCS framework

[Figure: the SPHINCS framework as a tree of Merkle trees with a row of FTS instances at the bottom. Legend: Merkle tree, OTS keypair, FTS keypair.]

➳ Common to SPHINCS [BHH+15], Gravity-SPHINCS [AE17] and SPHINCS+ [BDE+17]
➳ Typical parameters: layers = 8, height of each Merkle tree = 8, total height = 64

SLIDE 12

Outline of the attack

Observations useful for our attack:

➳ In all hash-based signatures:

[a valid signature σ_sk(m)] ⇒ [one can recover pk]

➳ For the OTS used in SPHINCS:

[2 signatures] ⇒ [one can forge for 1 message over $2^{34}$]

Outline of our attack:

1 Faulting step. We provoke a fault to make an OTS sign two different values
2 Grafting step. We use the compromised OTS to obtain a universal forgery

SLIDE 14

The faulting step

[Figure: the SPHINCS tree for Signature(m), with the message m signed by an FTS at the bottom and the fault area marked. Legend: Merkle tree, OTS keypair, FTS keypair, Signature(m), Fault area.]

The faulting step:

➳ One normal sig(m), one faulted sig(m)
➳ Target the Merkle tree just below the top
➳ We may fault any computation "below" the authentication path

Regular vs faulted signature:

➳ Two ≠ values are computed for the root of the faulted Merkle tree
➳ The top OTS signs two ≠ values

Features of this fault:

➳ One fault
➳ Little precision required
➳ Stealthy

SLIDE 15

The grafting step

[Figure: grafted tree, generated by the attacker, with FTS instances and the message m; one node is marked "??".]

Goal of the attacker:

➳ Sign his own tree with the compromised OTS

Naïve approach:

➳ Generate trees until a suitable one is found
➳ Time: $2^{34} \times$ (generate a tree)

Adaptive approach:

➳ Only modify the top of the grafted tree
➳ Time: $2^{34} +$ (generate a tree)

SLIDE 16

Specifics of each scheme and countermeasures

Selection of the FTS index:

1 SPHINCS: idx ← H(r, m), where r is private ⇒ very easy
2 Gravity-SPHINCS: idx ← H(r, m), where r ← H(sk, m) ⇒ easy
3 SPHINCS+: idx ← H(r, pk, m), where r ← H(sk, $, m) ⇒ no control on the FTS index anymore, but still easy

Height of the top Merkle tree:

1 SPHINCS and SPHINCS+: no more than 8
2 Gravity-SPHINCS: 20

Countermeasures:

1 Generic: redundancy
2 Specific: ?
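A sketch of the generic redundancy countermeasure, added here and not taken from the slides: the Merkle root is computed twice and handed to the OTS one layer up only if both runs agree, so that OTS never signs two different values. SHA-256, the `glitch` parameter that simulates a transient fault, the sample leaves and all function names are assumptions for illustration.

```python
import hashlib
import hmac


class FaultDetected(Exception):
    """The two root computations disagree; nothing may be signed."""


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(left + right).digest()


def merkle_root(leaves, glitch=None) -> bytes:
    """Root of a binary Merkle tree over `leaves` (count is a power of two).

    `glitch=(level, index)` flips one bit of that node, a constructed stand-in
    for a transient fault anywhere below the root.
    """
    level = [hashlib.sha256(leaf).digest() for leaf in leaves]
    depth = 0
    while len(level) > 1:
        if glitch is not None and glitch[0] == depth:
            bad = bytearray(level[glitch[1]])
            bad[0] ^= 0x01
            level[glitch[1]] = bytes(bad)
        level = [node_hash(level[i], level[i + 1])
                 for i in range(0, len(level), 2)]
        depth += 1
    return level[0]


def root_for_signing(leaves, glitches=(None, None)) -> bytes:
    """Compute the root twice and release it to the OTS only if both agree.

    `glitches` injects the simulated fault into the first and/or second run.
    """
    first = merkle_root(leaves, glitches[0])
    second = merkle_root(leaves, glitches[1])
    if not hmac.compare_digest(first, second):
        raise FaultDetected("Merkle root mismatch: refusing to sign")
    return first


# Constructed sample: 8 stand-in OTS public keys as leaves.
LEAVES = [bytes([i]) * 32 for i in range(8)]
```

The check catches a fault that corrupts only one of the two computations; it costs a second tree traversal per signature.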

SLIDE 18

Conclusion

Key takeaways:

1 A fault attack on schemes of the SPHINCS family
2 Universal forgery with one fault
3 Fault model is very weak:
    1 little to no control on the time of the fault
    2 little to no control on the precision of the fault
    3 independent of underlying hash function(s)
4 Stealthy
5 Specific countermeasures are ineffective (to our knowledge)

Related works:

➳ This work was based on Laurent Castelnovi's Master thesis [Cas17]
➳ Independently studied by Genêt [Gen17] and Kannwischer [Kan17]

SLIDE 19

https://eprint.iacr.org/2018/102

Thanks!

SLIDE 20

[AE17] Jean-Philippe Aumasson and Guillaume Endignoux. Improving stateless hash-based signatures. Cryptology ePrint Archive, Report 2017/933, 2017. https://eprint.iacr.org/2017/933.

[BDE+17] Daniel J. Bernstein, Christoph Dobraunig, Maria Eichlseder, Scott Fluhrer, Stefan-Lukas Gazdag, Andreas Hülsing, Panos Kampanakis, Stefan Kölbl, Tanja Lange, Martin M. Lauridsen, Florian Mendel, Ruben Niederhagen, Christian Rechberger, Joost Rijneveld, and Peter Schwabe. SPHINCS+, 2017. https://sphincs.org/.

[BHH+15] Daniel J. Bernstein, Daira Hopwood, Andreas Hülsing, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Michael Schneider, Peter Schwabe, and Zooko Wilcox-O'Hearn. SPHINCS: practical stateless hash-based signatures. In EUROCRYPT 2015, volume 9056 of LNCS, pages 368–397. Springer, 2015.

[Cas17] Laurent Castelnovi. Sécurité physique de schémas cryptographiques post-quantiques. Master thesis, 2017. Available at https://tprest.github.io/Publications/rapport-laurent-castelnovi.pdf.

[Gen17] Aymeric Genêt. Hardware attacks against hash-based cryptographic algorithms. Master thesis, 2017. Available at https://infoscience.epfl.ch/record/253317.

[Gol86] Oded Goldreich. Two remarks concerning the Goldwasser-Micali-Rivest signature scheme. In CRYPTO '86, volume 263 of LNCS, pages 104–110. Springer, 1986.

[Kan17] Matthias Kannwischer. Physical attack vulnerability of hash-based signature schemes. Master thesis, 2017. Available at https://www.cdc.informatik.tu-darmstadt.de/fileadmin/user_upload/Group_CDC/Documents/theses/Matthias_Kannwischer.master.pdf.

[Mer90] Ralph C. Merkle. A certified digital signature. In CRYPTO '89, volume 435 of LNCS, pages 218–238. Springer, 1990.

[Rom90] John Rompel. One-way functions are necessary and sufficient for secure signatures. In STOC, pages 387–394. ACM, 1990.