
    Attacking Deterministic Signature Schemes using Fault Attacks

    Many digital signature schemes rely on random numbers that are unique and non-predictable per signature. Failures of random number generators may have catastrophic effects such as compromising private signature keys. In recent years, many widely used cryptographic technologies adopted deterministic signature schemes because they are presumed to be safer to implement. In this paper, we analyze the security of deterministic ECDSA and EdDSA signature schemes and show that the elimination of random number generators in these schemes enables new kinds of fault attacks. We formalize these attacks and introduce practical attack scenarios against EdDSA using the Rowhammer fault attack. EdDSA is used in many widely used protocols such as TLS, SSH and IPsec, and we show that these protocols are not vulnerable to our attack. We formalize the requirements a protocol using these deterministic signature schemes must meet to be vulnerable, and discuss mitigation strategies and their effect on fault attacks against deterministic signature schemes.

    Short Double- and N-Times-Authentication-Preventing Signatures from ECDSA and More

    Double-authentication-preventing signatures (DAPS) are signatures designed with the aim that signing two messages with an identical first part (called the address) but different second parts (called the payload) allows anyone to publicly extract the secret signing key from the two signatures. A prime application of DAPS is disincentivizing and/or penalizing the creation of two signatures on different payloads within the same address, such as penalizing double spending of transactions in Bitcoin by the loss of the double spender's money. So far, DAPS have been constructed from very specific signature schemes not used in practice, and with existing techniques it has proved elusive to construct DAPS from signatures widely used in practice. This, unfortunately, has prevented practical adoption of this interesting tool so far. In this paper we ask whether one can construct DAPS from signature schemes used in practice. We affirmatively answer this question by presenting novel techniques to generically construct provably secure DAPS from a large class of discrete-logarithm-based signatures. This class includes schemes like Schnorr, DSA, EdDSA and, most interestingly for practical applications, the widely used ECDSA signature scheme. The resulting DAPS are highly efficient and the shortest among all existing DAPS schemes. They are nearly half the size of the most efficient factoring-based schemes (IACR PKC'17) and improve by a factor of 100 over the most efficient discrete-logarithm-based ones (ACM CCS'15). Although this efficiency comes at the cost of a reduced address space, i.e., key size linear in the number of addresses, we show that this is not a limitation in practice. Moreover, we generalize DAPS to any N>2, which we denote as N-times-authentication-preventing signatures (NAPS). Finally, we also provide an integration of our ECDSA-based DAPS into the OpenSSL library and perform an extensive comparison with existing approaches.

    Secure End-to-End Communications in Mobile Networks

    2009 - 2010. Cellular communication has become an important part of our daily life. Besides using cell phones for voice communication, we are now able to access the Internet, conduct monetary transactions, send voice, video and text messages, and new services continue to be added. The frequencies over which voice is transmitted are public, so voice encryption is necessary to avoid interception of the signal over the air. But once the signal reaches the operator's Base Station (BS), it is transmitted to the receiver over a wired or wireless medium. In either case, no protection is defined. This may not seem a problem, but it is. Along the path across the operator network, voice is at risk. It will only be encrypted again, with a different key, from the BS to the receiver if the receiver is herself a mobile user. Moreover, voice encryption is not mandatory. The choice whether or not to accept an unprotected communication is up to the network. When adopted, the same encryption algorithm is used for sending SMS messages between mobile telephones and base stations and for encrypting calls. Unfortunately, vulnerabilities in these encryption systems were already revealed more than 10 years ago and more continue to be discovered. Currently the most popular communication technologies are GSM and UMTS. UMTS is in use as a successor to GSM. Along with mobile phone services, it provides rapid data communication. The security algorithms in UMTS differ from GSM in two important ways: encryption and mutual authentication. Although security standards have been improved, end-to-end security is not provided... [edited by Author]