Securing the Wireless World

Presentation Transcript


  1. Securing the Wireless World

  2. Validation of Elliptic Curve Public Keys
     Adrian Antipa*, Dan Brown*, Alfred Menezes+, Rene Struik* and Scott Vanstone+*
     PKC 2003, Miami, Florida, Jan 7, 2003
     Presented by Dan Brown
     * Certicom Research   + U. Waterloo

  3. Outline
     • ECC and Public Key Validation
     • Attacking ECIES, 1-Pass ECDH, & ECMQV
     • Inadequacy of Proof-of-Possession for ECPKV
     • Improving Attack: Power Order Curves
     • Modifying Attack for Compressed Points
     • Countermeasures and Conclusions

  4. Elliptic Curve Cryptography in Standards (incl. Drafts & Proposals)
     • ANSI X9: 62, 63, 92, …
     • IEEE: 1363-2000, P1363a, P1363.2, P802.15.3/4, …
     • ISO: 14888-3, 9496, 15496, 18033-2, …
     • FIPS: 186-2, 2XX, …
     • NESSIE, IPA Cryptrec, …
     • SECG: SEC1, SEC2, …
     • IETF: PKIX, IPSec, SMIME, TLS, …
     • SET, MediaPlayer, 5C, WAP, …

  5. Elliptic Curves in Cryptography
     • Usual elliptic curves (ANSI, SECG, FIPS):
       E_{a,b}(GF(p)): y² = x³ + ax + b,
       E_{a,b}(GF(2^m)): y² + xy = x³ + ax² + b.
     • The group consists of the pairs (x,y) satisfying the curve equation, plus the point at infinity, “0”.
     • CRUCIAL FACT: b is determined by x, y and a.

  6. Coefficient b as Function of x,y,a
     • Rearranging the curve equations: over GF(p), b = y² − x³ − ax; over GF(2^m), b = y² + xy − x³ − ax².
     • So any pair (x,y) lies on exactly one curve of the family E_{a,·}: a point that is not on E_{a,b} is nevertheless on E_{a,b'} for the b' these formulas give.

  7. Elliptic Curve Group Law
     • The usual formulae for the EC group law do not use the coefficient b, and are the most efficient known.
     • Example: Over GF(p), compute 2(x,y) = (x',y'):
       Set t = (3x² + a)/(2y).
       Set x' = t² − 2x.
       Set y' = t(x − x') − y.

  8. Elliptic Curve Domain Parameters
     • Field size q.
     • Coefficients a, b of E = E_{a,b}(GF(q)).
     • Field representation (if q = 2^m).
     • Seed s (optional).
     • Base point G on curve E.
     • Order n of G: should be prime.
     • Cofactor h such that #E = hn. Usually h ∈ {1, 2, 4}.

  9. Elliptic Curve Public Key Validation (ECPKV)
     • Input: Domain (E,n) and alleged point P.
     • Output: Valid or invalid.
     • Actions: Parse P and then output:
       Invalid if P = 0,
       Invalid if x or y is not a valid element of GF(q),
       Invalid if (x,y) fails the equation for E,
       Invalid if nP ≠ 0, (*)
       Valid otherwise.
     * Note: Naïve computation of nP is too slow (but tricks are known).

  10. ECPKV: Why and When?
     • Why ECPKV: if it is omitted, the private key can be stolen via the attacks that follow.
     • When ECPKV: on any EC point to which an EC private key is applied: static public keys (ECDH, ECMQV), ephemeral public keys (ECDH, ECIES), public keys submitted for certification (ECDSA).
     • Scope: a variety of protocols are at risk.

  11. Elliptic Curve Integrated Encryption Scheme (ECIES) - Encryption
     • Input: Public key (static) Q in E, message M.
     • Output: Ciphertext (R,S,A).
     • Actions:
       Set R = rG for random r in [1, n−1].
       Set (s,a) = KDF(x(rQ)).
       Set S = SYM(s,M) and A = MAC(a,S).
     • Note: (R,r) is an ephemeral public-private key pair.

  12. ECIES - Decryption
     • Input: Private key q, ciphertext (R,S,A).
     • Output: Invalid; or valid and message M.
     • Actions:
       Set (s,a) = KDF(x(qR)).
       Valid if A = MAC(a,S), else invalid.
       If valid, set M = SYM⁻¹(s,S).

  13. Invalid Curve Attack on ECIES, Phase 1
     • Choose a small integer n'.
     • Find a curve E' = E_{a,b'} with n' | #E'.
     • Find a point R' of order n' on E'.
     • Notation: Z' indicates the adversary's version of a variable Z.
     • Note: R' generates a “small subgroup” (cf. Lim and Lee, Crypto 97) of another group.

  14. Invalid Curve Attack, Phase 2
     • Choose any message M'.
     • Pick random q' in [1, n'−1].
     • Compute (s',a') = KDF(x(q'R')).
     • Compute S' = SYM(s',M') and A' = MAC(a',S').
     • Send the victim (R',S',A').

  15. Victim Response to Phase 2
     • Victim receives (R',S',A').
     • Victim decrypts with (s,a) = KDF(x(qR')).
     • If q ≡ ±q' (mod n') then:
       x(qR') = x(q'R'),
       (s,a) = (s',a'),
       A' = MAC(a',S') = MAC(a,S'),
       M = SYM⁻¹(s,S') = SYM⁻¹(s',S') = M',
       i.e. a “valid” ciphertext decryption.

  16. Invalid Curve Attack, Phase 3
     • Observe the reaction of the victim.
     • Determine validity or invalidity of (R',S',A').
     • Repeat Phase 2 until (R',S',A') is valid: if (R',S',A') is invalid, try another q'.
     • Conclude q ≡ ±q' (mod n').
     • This is partial information about the victim's private key q.

  17. Invalid Curve Attack, Phase 4
     • Note: q² ≡ (±q')² = (q')² (mod n').
     • Repeat Phases 1 to 3 with various n', e.g. small primes n'.
     • Learn q² mod n' for various n'.
     • The Chinese Remainder Theorem combines the information about q and yields q² exactly, as an integer, once the product of the n' exceeds n² > q².
     • Find q by an ordinary integer square root of q².

  18. Cost of Attack on ECIES
     • Number of ciphertexts: about (n_1 + … + n_k)/4, where n_i is the i-th prime and n_1·…·n_k > n².
     • Each prime n_i costs about n_i/4 trials, since q' and −q' yield the same key and only residue classes up to sign need testing; the product must exceed n² so that q² < n² is pinned down exactly by the CRT.

  19. Attack on Ephemeral-Static ECDH
     • If responder (victim) uses shared key before initiator (adversary):
     • But, in practice, initiator (adversary) uses key first.
     • NOTE: Biehl, Meyer, Müller (Crypto 2000).

  20. 1-Pass Menezes-Qu-Vanstone (MQV)
     [Diagram: Alice (Attacker): static key and ephemeral key; Bob (Victim): static key.]

  21. Attack on 1-Pass ECMQV
     • Same idea as ECIES but …
     • Attacker needs an invalid static key (certified).
     • Attacker needs the CA to certify the invalid key.
     • Attacker needs the CA to skip ECPKV.
     • Standards for PKI do not require (EC)PKV.
     • Standards for PKI require POP.
     • Does “proof-of-possession” stop the attack?

  22. Proof of Possession via Certificate Requests
     • A certificate request is a self-signed public key plus identity information.
     • The signature “proves” possession of the private key, which helps avoid certain other attacks.
     • ECDSA is the natural choice for an EC public key.

  23. Elliptic Curve Digital Signature Algorithm (ECDSA) - Verification
     • A pair (r,s) is a valid signature on message M, for public key Q, EC domain (E,G,n) and hash function H, if:
       r and s are integers in [1, n−1], and
       r = x( (H(M)/s mod n)·G + (r/s mod n)·Q ) mod n.

  24. Valid ECDSA Signature with Invalid Public Key
     • Input: Message M, valid EC domain (E,G,n), invalid public key Q' of (small) order n'.
     • Output: Valid signature (r,s) on M in domain (E,G,n) under the invalid public key Q'.
     • Actions:
       Choose s in [1, n−1] and a in [1, n'−1].
       Set r = x( (H(M)/s mod n)·G + a·Q' ) mod n.
       If a ≠ (r/s mod n) mod n', try again.
     • Why it works: Q' has order n', so (r/s mod n)·Q' depends only on (r/s mod n) mod n'; once that residue equals a, the verifier computes the same point the signer did and recovers x = r. Each try succeeds with probability about 1/n', so about n' tries are needed.

  25. Invalid Curve Attack on ECMQV
     • Choose invalid static public keys of orders n_1, n_2, …, n_k.
     • Generate ECDSA certificate requests (as on slide 24).
     • Get the invalid static keys certified by a lazy CA.
     • Send invalid static and ephemeral keys to the victim.
     • Learn the victim's (static) private key.

  26. Special Curves for Accelerating Attack
     • Pohlig-Hellman approach works if #E' is divisible by powers of small primes.
     • Example: NIST field GF(2^521 − 1) (the P-521 field).
     • Let E' = E_{−3,0}: y² = x³ − 3x (supersingular, since p ≡ 3 mod 4).
     • Then #E' = p + 1 = 2^521.
     • Attack uses 521 ciphertexts (versus < 11548 with distinct small primes as on slide 18).
     • Problem 1: Find #E'(GF(2^m)) = 2^m.
     • Problem 2: Find #E'(GF(p)) = 2^m (or 2^m·d).

  27. Elliptic Curve Point Compression
     • Compressed point (x,z) where z = 0 or z = 1.
     • Decompression solves the quadratic y² = x³ + ax + b for y.
     • Bit z determines which y, if any, to use for the decompressed point (x,y).

  28. Invalid Compressed Points
     • Fixing x leaves 0, 1, or 2 solutions for y.
     • About half of all x have 0 solutions for y.
     • Element x is invalid if y has 0 solutions.
     • Compressed point (x',z) is invalid if x' is invalid.
     • Reject invalid compressed points.
     • Can an invalid compressed point be “used”?

  29. Invalid Decompression in GF(p)
     • Fact: If p ≡ 3 (mod 4), then y² = w can be solved as y = f(w) = w^((p+1)/4) mod p.
     • Proof: f(w)² = w^((p+1)/2) = w · w^((p−1)/2) = w · (w/p) mod p, where (w/p) is the Legendre symbol (Euler's criterion): 1 (or 0) if w has a square root, −1 if not. So f(w)² = w exactly when w is a square.
     • Note: If x is invalid, an invalid compressed point (x,z) can still be “decompressed” to (x,y) with y = (x³ + ax + b)^((p+1)/4), provided the implementation never checks that y² really equals x³ + ax + b.

  30. 1-Time Setup: Finding Low Order Invalid Compressed Points
     • Fact: If x is invalid then y² = −(x³ + ax + b) mod p, since if w has no square root then f(w)² = −w.
     • Hence (x,y) lies not on E_{a,b} but on E_{a,b'} with b' = y² − x³ − ax = b − 2(x³ + ax + b) (slide 6).
     • Output: Invalid x such that (x,y) has low order m.
     • Actions:
       Take the m-th division polynomial of E_{a,b'}, whose roots are the x-coordinates of points of order dividing m, as a polynomial in x and b'.
       Substitute b' = b − 2(x³ + ax + b), i.e. a shift of −2(x³ + ax + b) from b.
       Find a root x of the resulting polynomial for which x is invalid.
     • Problem 3: Is the setup cost comparable to Schoof's algorithm for #E?

  31. Order 11 Invalid Compressed Point
     • Consider the octet string: 02 2f 8c 8c 8a 7c b1 1c 06 aa a3 4b 23 4f 7d 88 cd b9 9f d7 66 4a 00 a4 d7.
     • Under the FIPS 186-2 EC domain P-192 (secp192r1) it parses as a compressed point (prefix 02, z = 0) whose x has no matching y: an invalid compressed point.
     • Non-validated decompression nevertheless yields a point, of order 11 on the curve E_{a,b'} it actually lies on.
     • Found with Maple by solving a degree-60 polynomial (the 11th division polynomial has degree (11² − 1)/2 = 60 in x).
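The decompression of slides 29-31 in code, as an added example for this transcript (not the paper's code): the square root w^((p+1)/4), a decompressor that checks the Legendre symbol beside one that does not, and the coefficient b' of the curve a non-validated point actually lies on. The P-192 constants are the public secp192r1 parameters; `SLIDE_31` is the octet string quoted above; the small curve y² = x³ + x + 1 over GF(23) used in the checks is a constructed toy. The block contains no group law, so it reports b' but does not itself verify the order-11 claim.

```python
# Point decompression over GF(p) with p = 3 (mod 4), as on slides 27-31 (added example, not the paper's code).
P192 = dict(                                      # FIPS 186-2 / SEC2 P-192 = secp192r1, y^2 = x^3 - 3x + b
    p=0xfffffffffffffffffffffffffffffffeffffffffffffffff,
    a=0xfffffffffffffffffffffffffffffffefffffffffffffffc,
    b=0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1,
    Gx=0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012,
    Gy=0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811)
SLIDE_31 = bytes.fromhex("022f8c8c8a7cb11c06aaa34b234f7d88cdb99fd7664a00a4d7")   # octet string from slide 31

def legendre(w, p):                               # 1: square, p-1: non-square, 0: zero
    return pow(w % p, (p - 1) // 2, p)

def sqrt_p3mod4(w, p):
    """f(w) = w^((p+1)/4): a root of y^2 = w when w is a square; otherwise f(w)^2 = -w (slides 29-30)."""
    assert p % 4 == 3
    return pow(w % p, (p + 1) // 4, p)

def parse_compressed(octets):
    """SEC1 compressed point 0x02|0x03 || X: the prefix carries the parity bit z of y."""
    if len(octets) < 2 or octets[0] not in (2, 3): raise ValueError("not a compressed point")
    return int.from_bytes(octets[1:], "big"), octets[0] - 2

def decompress(p, a, b, x, z, validate=True):
    """(x, y) with y = z (mod 2), or None when validating and no y exists for this x on E_{a,b}."""
    if not 0 <= x < p: return None
    w = (x**3 + a*x + b) % p
    if validate and (legendre(w, p) not in (0, 1) or (w == 0 and z)): return None
    y = sqrt_p3mod4(w, p)                          # without validation this is f(w) whatever w is
    if y % 2 != z: y = (p - y) % p
    return (x, y)

def implied_b(p, a, x, y):
    """The b' with (x, y) on E_{a,b'}; equals b exactly when the point was valid (slide 6)."""
    return (y*y - x**3 - a*x) % p

def analyze(curve, octets):
    """-> (rejected by a validating decompressor, point a non-validating one returns, b' that point lies on)."""
    p, a, b = curve["p"], curve["a"], curve["b"]
    x, z = parse_compressed(octets)
    strict = decompress(p, a, b, x, z)
    lax = decompress(p, a, b, x, z, validate=False)
    if lax is None: return True, None, None       # x itself out of range: nothing to decompress
    return strict is None, lax, implied_b(p, a, lax[0], lax[1])

if __name__ == "__main__":
    rejected, pt, b2 = analyze(P192, SLIDE_31)
    print("validating decompressor rejects:", rejected)
    print("non-validating decompressor yields y =", hex(pt[1]))
    print("that point lies on E_{a,b'} with b' =", hex(b2), "(compare P-192's b)")
```

Running the block prints what the two decompressors do with the slide's octet string on P-192. A decompressor that never checks y² against x³ + ax + b hands the caller a point on a different curve of the same a, which is exactly what the b-free group law then operates on.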

  32. Countermeasures
     • Best: Validate EC public keys: ephemeral and static; when verifying and decrypting; in key agreement.
     • Special EC arithmetic, e.g. Koblitz curves (used for efficiency): the “Frobenius” map is f:(x,y) → (x², y²). On invalid curves f moves the point off the curve, so the invalid curve attack seems to fail.

  33. ECPKV in Standards

  34. Conclusions
     • Elliptic curve private keys risk being compromised if applied to invalid EC points.
     • Standards have not provided adequate warning about this attack.

  35. References
     • I. Biehl, B. Meyer, and V. Müller, “Differential fault analysis on elliptic curve cryptosystems”, Advances in Cryptology – CRYPTO 2000, Lecture Notes in Computer Science 1880, pp. 131–146.
     • C. Lim and P. Lee, “A key recovery attack on discrete log-based schemes using a prime order subgroup”, Advances in Cryptology – CRYPTO '97, Lecture Notes in Computer Science 1294, pp. 249–263.
