Cold Boot Attacks on LUOV

This research article assesses the feasibility of cold boot attacks on the lifted unbalanced oil and Vinegar (LUOV) scheme, a variant of the UOV signature scheme. This scheme is a member of the family of asymmetric cryptographic primitives based on multivariable polynomials over a finite field K and has been submitted as candidate to the ongoing National Institute of Standards and Technology (NIST) standardisation process of post-quantum signature schemes. To the best of our knowledge, this is the first time that this scheme is evaluated in this setting. To perform our assessment of the scheme in this setting, we review two implementations of this scheme, the reference implementation and the libpqcrypto implementation, to learn the most common in-memory private key formats and next develop a key recovery algorithm exploiting the structure of this scheme. Since the LUOV’s key generation algorithm generates its private components and public components from a 256-bit seed, the key recovery algorithm works for all the parameter sets recommended for this scheme. Additionally, we tested the effectiveness and performance of the key recovery algorithm through simulations and found the key recovery algorithm may retrieve the private seed when α = 0.001 (probability that a 0 bit of the original secret key will flip to a 1 bit) and β (probability that a 1 bit of the original private key will flip to a 0 bit) in the range { 0.001 , 0.01 , 0.02 , … , 0.15 } by enumerating approximately 2 40 candidates.

Download Full-text

Cold Boot Attacks on the Supersingular Isogeny Key Encapsulation (SIKE) Mechanism

Applied Sciences ◽

10.3390/app11010193 ◽

2020 ◽

Vol 11 (1) ◽

pp. 193

Author(s):

Ricardo Villanueva-Polanco ◽

Eduardo Angulo-Madrid

Keyword(s):

Success Rates ◽

Secret Key ◽

Enumeration Algorithm ◽

Key Recovery ◽

Recovery Algorithm ◽

Key Encapsulation Mechanism ◽

Standardization Process ◽

Overall Performance ◽

Post Quantum Cryptography ◽

First Time

This research paper evaluates the feasibility of cold boot attacks on the Supersingular Isogeny Key Encapsulation (SIKE) mechanism. This key encapsulation mechanism has been included in the list of alternate candidates of the third round of the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography Standardization Process. To the best of our knowledge, this is the first time this scheme is assessed in the cold boot attacks setting. In particular, our evaluation is focused on the reference implementation of this scheme. Furthermore, we present a dedicated key-recovery algorithm for SIKE in this setting and show that the key recovery algorithm works for all the parameter sets recommended for this scheme. Moreover, we compute the success rates of our key recovery algorithm through simulations and show the key recovery algorithm may reconstruct the SIKE secret key for any SIKE parameters for a fixed and small α=0.001 (the probability of a 0 to 1 bit-flipping) and varying values for β (the probability of a 1 to 0 bit-flipping) in the set {0.001,0.01,…,0.1}. Additionally, we show how to integrate a quantum key enumeration algorithm with our key-recovery algorithm to improve its overall performance.

Download Full-text

A Comprehensive Study of the Key Enumeration Problem

Entropy ◽

10.3390/e21100972 ◽

2019 ◽

Vol 21 (10) ◽

pp. 972 ◽

Cited By ~ 2

Author(s):

Ricardo Villanueva-Polanco

Keyword(s):

Main Memory ◽

Side Channel ◽

Secret Key ◽

Side Channel Attack ◽

Enumeration Algorithm ◽

Key Recovery ◽

Recovery Algorithm ◽

Enumeration Problem ◽

Enumeration Algorithms ◽

Recovery Problem

In this paper, we will study the key enumeration problem, which is connected to the key recovery problem posed in the cold boot attack setting. In this setting, an attacker with physical access to a computer may obtain noisy data of a cryptographic secret key of a cryptographic scheme from main memory via this data remanence attack. Therefore, the attacker would need a key-recovery algorithm to reconstruct the secret key from its noisy version. We will first describe this attack setting and then pose the problem of key recovery in a general way and establish a connection between the key recovery problem and the key enumeration problem. The latter problem has already been studied in the side-channel attack literature, where, for example, the attacker might procure scoring information for each byte of an Advanced Encryption Standard (AES) key from a side-channel attack and then want to efficiently enumerate and test a large number of complete 16-byte candidates until the correct key is found. After establishing such a connection between the key recovery problem and the key enumeration problem, we will present a comprehensive review of the most outstanding key enumeration algorithms to tackle the latter problem, for example, an optimal key enumeration algorithm (OKEA) and several nonoptimal key enumeration algorithms. Also, we will propose variants to some of them and make a comparison of them, highlighting their strengths and weaknesses.

Download Full-text

Secret key-private key generation over three terminals: Capacity region

2014 IEEE International Symposium on Information Theory ◽

10.1109/isit.2014.6875011 ◽

2014 ◽

Cited By ~ 4

Author(s):

Huishuai Zhang ◽

Lifeng Lai ◽

Yingbin Liang ◽

Hua Wang

Keyword(s):

Key Generation ◽

Capacity Region ◽

Secret Key ◽

Private Key

Download Full-text

Dismantling the AUT64 Automotive Cipher

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2018.i2.46-69 ◽

2018 ◽

pp. 46-69

Author(s):

Christopher Hicks ◽

Flavio D. Garcia ◽

David Oswald

Keyword(s):

Block Cipher ◽

Authentication Protocol ◽

Secret Key ◽

Vehicle Manufacturer ◽

Key Recovery ◽

Worst Case ◽

Remote Keyless Entry ◽

First Time ◽

Key Recovery Attacks ◽

Complete Specification

AUT64 is a 64-bit automotive block cipher with a 120-bit secret key used in a number of security sensitive applications such as vehicle immobilization and remote keyless entry systems. In this paper, we present for the first time full details of AUT64 including a complete specification and analysis of the block cipher, the associated authentication protocol, and its implementation in a widely-used vehicle immobiliser system that we have reverse engineered. Secondly, we reveal a number of cryptographic weaknesses in the block cipher design. Finally, we study the concrete use of AUT64 in a real immobiliser system, and pinpoint severe weaknesses in the key diversification scheme employed by the vehicle manufacturer. We present two key-recovery attacks based on the cryptographic weaknesses that, combined with the implementation flaws, break both the 8 and 24 round configurations of AUT64. Our attack on eight rounds requires only 512 plaintext-ciphertext pairs and, in the worst case, just 237.3 offline encryptions. In most cases, the attack can be executed within milliseconds on a standard laptop. Our attack on 24 rounds requires 2 plaintext-ciphertext pairs and 248.3 encryptions to recover the 120-bit secret key in the worst case. We have strong indications that a large part of the key is kept constant across vehicles, which would enable an attack using a single communication with the transponder and negligible offline computation.

Download Full-text

ExpFault: An Automated Framework for Exploitable Fault Characterization in Block Ciphers

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2018.i2.242-276 ◽

2018 ◽

pp. 242-276 ◽

Cited By ~ 3

Author(s):

Sayandeep Saha ◽

Debdeep Mukhopadhyay ◽

Pallab Dasgupta

Keyword(s):

Defense Mechanisms ◽

Block Ciphers ◽

Fault Analysis ◽

Proof Of Concept ◽

Secret Key ◽

Cryptographic Primitives ◽

Differential Fault Analysis ◽

Comprehensive Knowledge ◽

Fault Characterization ◽

First Time

Malicious exploitation of faults for extracting secrets is one of the most practical and potent threats to modern cryptographic primitives. Interestingly, not every possible fault for a cryptosystem is maliciously exploitable, and evaluation of the exploitability of a fault is nontrivial. In order to devise precise defense mechanisms against such rogue faults, a comprehensive knowledge is required about the exploitable part of the fault space of a cryptosystem. Unfortunately, the fault space is diversified and of formidable size even while a single cryptoprimitive is considered and traditional manual fault analysis techniques may often fall short to practically cover such a fault space within reasonable time. An automation for analyzing individual fault instances for their exploitability is thus inevitable. Such an automation is supposed to work as the core engine for analyzing the fault spaces of cryptographic primitives. In this paper, we propose an automation for evaluating the exploitability status of fault instances from block ciphers, mainly in the context of Differential Fault Analysis (DFA) attacks. The proposed framework is generic and scalable, which are perhaps the two most important features for covering diversified fault spaces of formidable size originating from different ciphers. As a proof-of-concept, we reconstruct some known attack examples on AES and PRESENT using the framework and finally analyze a recently proposed cipher GIFT [BPP+17] for the first time. It is found that the secret key of GIFT can be uniquely determined with 1 nibble fault instance injected at the beginning of the 25th round with a reasonable computational complexity of 214.

Download Full-text

Secure Secret Key and Private Key Generation in Source-Type Model With a Trusted Helper

IEEE Access ◽

10.1109/access.2020.2974626 ◽

2020 ◽

Vol 8 ◽

pp. 34611-34628

Author(s):

Shixun Gong ◽

Xiaofeng Tao ◽

Na Li ◽

Haowei Wang ◽

Zhu Han

Keyword(s):

Type Model ◽

Key Generation ◽

Secret Key ◽

Private Key ◽

Source Type

Download Full-text

The Capacity Region of the Source-Type Model for Secret Key and Private Key Generation

IEEE Transactions on Information Theory ◽

10.1109/tit.2014.2340400 ◽

2014 ◽

Vol 60 (10) ◽

pp. 6389-6398 ◽

Cited By ~ 16

Author(s):

Huishuai Zhang ◽

Lifeng Lai ◽

Yingbin Liang ◽

Hua Wang

Keyword(s):

Type Model ◽

Key Generation ◽

Capacity Region ◽

Secret Key ◽

Private Key ◽

Source Type

Download Full-text

RSS-based secret key generation in underwater acoustic networks: advantages, challenges, and performance improvements

IEEE Communications Magazine ◽

10.1109/mcom.2016.7402258 ◽

2016 ◽

Vol 54 (2) ◽

pp. 32-38 ◽

Cited By ~ 24

Author(s):

Yu Luo ◽

Lina Pu ◽

Zheng Peng ◽

Zhijie Shi

Keyword(s):

Key Generation ◽

Secret Key ◽

Underwater Acoustic ◽

Secret Key Generation ◽

Performance Improvements ◽

Acoustic Networks ◽

Underwater Acoustic Networks ◽

And Performance

Download Full-text

Beyond Cache Attacks

ACM Transactions on Embedded Computing Systems ◽

10.1145/3433653 ◽

2021 ◽

Vol 20 (2) ◽

pp. 1-23

Author(s):

Johanna Sepúlveda ◽

Mathieu Gross ◽

Andreas Zankl ◽

Georg Sigl

Keyword(s):

Secret Key ◽

Enabling Technology ◽

Communication Structure ◽

Cryptographic Primitives ◽

Key Recovery ◽

Bus Arbitration ◽

Time Division ◽

The Impact ◽

The Internet Of Things ◽

Cache Attacks

System-on-Chips (SoCs) are a key enabling technology for the Internet-of-Things (IoT), a hyper-connected world where on- and inter-chip communication is ubiquitous. SoCs usually integrate cryptographic hardware cores for confidentiality and authentication services. However, these components are prone to implementation attacks. During the operation of a cryptographic core, the secret key may passively be inferred through cache observations. Access-driven attacks exploiting these observations are therefore a vital threat to SoCs operating in IoT environments. Previous works have shown the feasibility of these attacks in the SoC context. Yet, the SoC communication structure can be used to further improve access-based cache attacks. The communication attacks are not as well-understood as other micro-architectural attacks. It is important to raise the awareness of SoC designers of such a threat. To this end, we present four contributions. First, we demonstrate an improved Prime+Probe attack on four different AES-128 implementations (original transformation tables, T 0 -Only, T 2KB , and S-Box). As a novelty, this attack exploits the collisions of the bus-based SoC communication to further increase its efficiency. Second, we explore the impact of preloading on the efficiency of our communication-optimized attack. Third, we integrate three countermeasures ( shuffling , mini-tables , and Time-Division Multiple Access (TDMA) bus arbitration ) and evaluate their impact on the attack. Although shuffling and mini-tables countermeasures were proposed in previous work, their application as countermeasures against the bus-based attack was not studied before. In addition, TDMA as a countermeasure for bus-based attacks is an original contribution of this work. Fourth, we further discuss the implications of our work in the SoC design and its perspective with the new cryptographic primitives proposed in the ongoing National Institute of Standard and Technology Lightweight Cryptography competition. The results show that our improved communication-optimized attack is efficient, speeding up full key recovery by up to 400 times when compared to the traditional Prime+Probe technique. Moreover, the protection techniques are feasible and effectively mitigate the proposed improved attack.

Download Full-text

Key Recovery Algorithm of Erroneous RSA Private Key Bits Using Generalized Probabilistic Measure

Journal of the Korea Institute of Information Security and Cryptology ◽

10.13089/jkiisc.2016.26.5.1089 ◽

2016 ◽

Vol 26 (5) ◽

pp. 1089-1097

Author(s):

Yoo-Jin Baek

Keyword(s):

Key Recovery ◽

Probabilistic Measure ◽

Recovery Algorithm ◽

Private Key

Download Full-text