securing the wireless world

Saturday, April 22, 2023

Securing the Wireless World

Saturday, April 22, 2023

Presented by

Validation of Elliptic CurvePublic Keys

Dan Brown

Adrian Antipa*, Dan Brown*, Alfred Menezes+, Rene Struik* and Scott Vanstone+*

PKC 2003Miami, Florida

Jan 7, 2003

* Certicom Research + U. Waterloo


Outline

• ECC and Public Key Validation• Attacking ECIES, 1-Pass ECDH, & ECMQV• Inadequacy of Proof-of-Possession for ECPKV• Improving Attack: Power Order Curves• Modifying Attack for Compressed Points• Countermeasures and Conclusions


Elliptic Curve Cryptography in Standards (incl. Drafts & Proposals)• ANSI X9: 62, 63, 92, …• IEEE: 1363-2000, P1363a, P1363.2,

P802.15.3/4, …• ISO: 14888-3, 9496, 15496, 18033-2, …• FIPS: 186-2, 2XX, …• NESSIE, IPA Cryptrec, …• SECG: SEC1, SEC2, …• IETF: PKIX, IPSec, SMIME, TLS, …• SET, MediaPlayer, 5C, WAP, …


Elliptic Curves in Cryptography

• Usual elliptic curves (ANSI, SECG, FIPS):Ea,b(GF(p)):y2=x3+ax+b,Ea,b(GF(2m)):y2+xy=x3+ax2+b.

• Group consists of:Pairs (x,y) satisfying curve equation, Point at infinity, “0”.

• CRUCIAL FACT: b determinable from x,y,a.


Coefficient b as Function of x,y,a


Elliptic Curve Group Law

• Usual formulae for EC group law: Do not use coefficient b, and Are the most efficient known.

• Example: Over GF(p), compute 2(x,y) = (x’,y’):

Set t = (3x2+a)/(2y).Set x’ = t2-2x.Set y’ = t(x-x’’)-y.


Elliptic Curve Domain Parameters

• Field size q.• Coefficients a, b of E=Ea,b(GF(q)).• Field representation (if q=2m).• Seed s (Optional).• Base point G on curve E.• Order n of G: should be prime.• Cofactor h such that #E = hn.

Usually h belongs to {1,2,4}.


Elliptic Curve Public Key Validation (ECPKV)• Input: Domain (E,n) and alleged point P.• Output: Valid or invalid.• Actions: Parse P and then output:

Invalid if P = 0,Invalid if x or y invalid for GF(q),Invalid if equation for E fails for (x,y),Invalid if nP is not 0, (*)Valid otherwise.

* Note: Naïve nP too slow (but tricks known).


ECPKV: Why and When?

• Why ECPKV: If not then:Private key stolen via following attacks.

• When ECPKV: On any EC point to which an EC private key is applied:

Static public key (ECDH, ECMQV),Ephemeral public key (ECDH, ECIES), Public keys for certification (ECDSA).

• Scope: A variety of protocols are at risk.


Elliptic Curve Integrated Encryption Scheme (ECIES) - Encryption• Input: Public key (static) Q in E, message M.• Output: Ciphertext (R,S,A).• Actions:• Set R = rG for random r in [1,n-1].• Set (s,a) = KDF(x( rQ )).• Set S = SYM(s,M) and A = MAC(a,S).

• Note: (R,r) ephemeral public-private key pair.


ECIES - Decryption

• Input: Private key q, ciphertext (R,S,A).• Output: Invalid; or valid and message M.• Actions:• Set (s,a) = KDF( x( qR )).• Valid if A=MAC (a,S) else invalid.• If valid, set M = SYM-1(s,S).


Invalid Curve Attack on ECIES, Phase 1

• Choose small integer n’.• Find curve E’ = Ea,b’ with n’ |#E’.• Find point R’ of order n’ on E’.

• Notation: Z’ indicates the adversary’s version of a variable Z.

• Note: R’ generates “small subgroup” (cf. Lim and Lee, Crypto 97) of another group.


Invalid Curve Attack, Phase 2

• Choose any message M’.• Pick random q’ in [1, n’-1].• Compute (s’,a’) = KDF(x(q’R’)).• Compute S’=SYM(s’,M’) and A’=MAC(a’,S).• Send victim (R’,S’,A’).


Victim Response to Phase 2

• Victim receives (R’,S’,A’).• Victim decrypts with (s,a) = KDF(x(qR’)).• If q=±q’ mod n’ then:

x(qR’) = x(q’R’),(s,a) = (s’,a’),A’ = MAC(a’,S’) = MAC(a,S’),M = SYM-1(s,S’) = SYM-1(s’,S’) = M’,“Valid” ciphertext decryption.



• Observe reaction of victim.• Determine validity or invalidity of (R’,S’,A’) • Repeat Phase 2 until (R’,S’,A’) valid:

If (R’,S’,A’) invalid, try another q’.• Conclude q = ±q’ mod n’.• This is partial information about victim’s

private key q.



• Note: q2=(±q’)2=(q’)2 mod n’.• Repeat Phase 1 to 3 with various n’.

Example: for small primes n’.• Learn q2 mod n’ for various n’.• Chinese Remainder Theorem

Combines info about q,Deduces q2 exactly as integer.

• Find q by ordinary square root of q2.


Cost of Attack on ECIES

• # of ciphertexts: (n1+…+nk)/4 where ni is ith prime and n1…nk > n2.

Bits in q Ciphertexts192 1996224 2548256 3275384 6735521 11548


Attack on Ephemeral-Static ECDH

• If responder (victim) uses shared key before initiator (adversary):

• But, in practice, initiator (adversary) uses key first.• NOTE: Biehl, Meyer, Müller (Crypto 2000).

Bits in q Ciphertexts192 61(1)224 68(1)256 76(1)384 105(1)521 134(1)


1-Pass Menezes-Qu-Vanstone (MQV)

Static Key

Static Key

Ephemeral Key

Alice(Attacker)

Bob(Victim)


Attack on 1-Pass ECMQV

• Same idea as ECIES but …• Attacker needs invalid static key (certified).• Attacker needs CA to certify invalid key.• Attacker needs CA to skip ECPKV.• Standards for PKI do not require (EC)PKV.• Standards for PKI require POP.• Does “proof-of-possession” stop attack?


Proof of Possession via Certificate Requests• Certificate request is a self-signed public key

and identity information.• Signature “proves” possession of private key,

which helps avoid certain other attacks.• ECDSA natural choice for EC public key.


Elliptic Curve Digital Signature Algorithm (ECDSA) - Verification• A pair (r,s) is a valid signature

• On message M,• For public key Q, • For EC domain (E,G,n) and • For hash function H,

If:r and s integers are in [1,n-1], and

r=x((H(M)/s mod n)G+(r/s mod n)Q) mod n.


Valid ECDSA Signature with Invalid Public Key• Input: Message M, valid EC domain (E,G,n),

invalid public key info Q’ and n’.• Output: Valid signature (r,s) on M in domain

(E,G,n) under invalid public key Q’.• Actions:• Choose s in [1,n-1] and a in [1,n’-1].• Set r = x((H(M)/s mod n) G + aQ’) mod n.• If not a=(r/s mod n) mod n’ try again.


Invalid Curve Attack on ECMQV

• Choose invalid static public keys of orders n1, n2, …, nk.

• Generate ECDSA certificate requests.• Get invalid static keys certified by lazy CA.• Send invalid static and ephemeral keys to

victim.• Learn victim’s (static) private key.


Special Curves for Accelerating Attack

• Pohlig-Hellman approach works if #E’ is divisible by powers of small primes.

• Example: NIST field GF(2521-1).• Let E’=E-3,0:y2=x3-3x (supersingular).• Then #E’ = 2521.• Attack uses 521 ciphertexts (< 11548).• Problem 1: Find #E’(GF(2m))=2m.• Problem 2: Find #E’(GF(p))=2m (or 2md).


Elliptic Curve Point Compression

• Compressed point (x,z) where z=0 or z=1.• Decompression solves quadratic for y.• Bit z determines which y, if any, to use for the

decompressed point (x,y).


Invalid Compressed Points

• Fixing x leaves 0,1, or 2 solutions for y.• Half of x have 0 solutions for y.• Element x invalid if y has 0 solutions.• Compressed point (x’,z) invalid if x’ invalid.• Reject invalid compressed points.• Can an invalid compressed point be “used”?


Invalid Decompression in GF(p)

• Fact: If p=3 mod 4, then y2=w can be solved as y=f(w)=w(p+1)/4 mod p.

• Proof: y2=w(p+1)/2=wp-(p-1)/2=w(w/p) mod p, where (w/p) is the Legendre symbol, which is 1 (or 0) if w has a square root and –1 if not.

• Note: If x invalid, an invalid compressed point (x,z) can be decompressed to (x,y) where y=(x3+ax+b)(p+1)/4.


1-Time Setup: Finding Low Order Invalid Compressed Points• Fact: If x invalid then y2=-(x3+ax+b) mod p,

since if w has no square root then f(w)2=-w.

• Output: Invalid x with (x,y) of low order m• Actions:• Find division polynomial in x and b’.• Substitute b’ = -2(x3+ax+b). • Find invalid root x of subbed poly.• Problem 3: Setup cost as Schoof for #E?


Order 11 Invalid Compressed Point

• Consider the octet string:

02 2f 8c 8c 8a 7c b1 1c 06 aa a3 4b 23 4f 7d 88 cd b9 9f d7 66 4a 00 a4 d7.

• Parses under FIPS 186-2 EC domain P-192 (secp192r1) to invalid compressed point.

• Non-validated decompression gives order 11.• Found with Maple, by solving degree 60 poly.


Countermeasures

• Best: Validate EC public keys: Ephemeral and static, When verifying and decrypting,In key agreement.

• Special EC arithmetic: Eg: Koblitz curves (used for efficiency).“Frobenius” map is f:(x,y) -> (x2,y2).Invalid curves: f moves off curve.Invalid curve attack seems to fail.


ECPKV in Standards

Standard Scheme Primitive Format

Informative Security AnnexIEEE 1363.2000

Optional Assumed Absent (noted)Optional, LL97 noted

ANSI X9.63 (2000)

Mandatory Absent Mandatory Optional, LL97 noted

SEC1 (2000)

Optional Absent MandatoryOptional, LL97 noted

FIPS 2XX Not published yet


Conclusions

• Elliptic curve private keys risk being compromised if applied to invalid EC points.

• Standards have not provided adequate warning about this attack.


References

• I. Biehl, B. Meyer, and V. Müller, “Differential fault analysis on elliptic curve cryptosystems”, Advances in Cryptology – CRYPTO 2000, Lecture Notes in Computer Science 1880, pp. 131-146.

• C. Lim and P. Lee, “A key recovery attack on discrete log-based schemes using a prime order subgroup”, Advances in Cryptology - CRYPTO 97, Lecture Notes in Computer Science 1294, pp. 249-263.

securing the wireless world

Documents