Méthodes algébriques pour l'analyse de sécurité des implantations d'algorithmes cryptographiques

The 10th Hilbert problem, which consists in finding integer solutions to polynomial equations is a crucial problem in cryptanalysis, which has been proven to be undecidable. However, Coppersmith published in 1996 a method based on lattice reduction, which allows to efficiently find all small solutions to some polynomial equations. Many applications of this method have risen in public key cryptanalysis, especially when the cryptosystem is executed on embedded systems and part of the secret key is revealed through physical attacks performed on the device. In this context, we propose in this thesis a physical attack on the RSA signature scheme when the CRT mode is used, where an application of Coppersmith's method allows to complete the information previously obtained by the physical attack. We also propose a new deterministic algorithm based on Coppersmith's method for factoring integers of the form N=p^{r}q^{s} in polynomial time, under the condition that r and/or s are sufficiently large. Finally, if the applications of Coppersmith's method are numerous, in practice, since the lattices to be reduced are huge, the small solutions can only be recovered until a bound which is smaller than the enounced theoretical bound. Thus, another contribution of this thesis lies in the proposition of two methods which allow to speed up the execution time of Coppersmith's algorithm. When both speedups are combined, the new algorithm performs hundreds of times faster for typical parameters, which allows to reach the theoretical bound in many cases.Le 10ème problème de Hilbert, consistant à trouver les solutions entières d'équations polynomiales est un problème crucial en cryptanalyse. Si ce dernier a été prouvé indécidable, Coppersmith publia en 1996 une méthode basée sur la réduction de réseaux permettant de trouver efficacement l'ensemble des petites solutions de certaines équations polynomiales. De nombreuses applications de cette méthode ont vu le jour dans le domaine de la cryptanalyse à clé publique, notamment lorsque le cryptosystème est exécuté sur un système embarqué et qu'une partie de la clé secrète est dévoilée par la réalisation d'attaques physiques sur le dispositif. Dans ce contexte, nous proposons une attaque physique sur le schéma de signature RSA en mode CRT où une application de la méthode de Coppersmith permet de compléter l'information obtenue par l'attaque physique. Nous proposons également un nouvel algorithme déterministe basé sur la méthode de Coppersmith pour factoriser les entiers de la forme N=p^{r}q^{s} en temps polynomial lorsque r ou s sont suffisamment grands. Enfin, si les applications de la méthode de Coppersmith sont nombreuses, en pratique, du fait que les réseaux à réduire soient gigantesques, les petites solutions ne peuvent être retrouvées que jusqu'à une borne qui est plus petite que la borne théorique annoncée. Aussi, une autre contribution de cette thèse consiste en la proposition de deux méthodes permettant une accélération du temps d'exécution de l'algorithme de Coppersmith. Lorsque les deux méthodes sont combinées, le nouvel algorithme s'effectue des centaines de fois plus rapidement pour des paramètres typiques, permettant ainsi dans de nombreux cas d'atteindre la borne théorique

Improved Factorization of N=prqsN=p^rq^s

Bones et al. showed at Crypto 99 that moduli of the form $N=p^rq$ can be factored in polynomial time when $r \geq \log p$. Their algorithm is based on Coppersmith\u27s technique for finding small roots of polynomial equations. Recently, Coron et al. showed that $N=p^rq^s$ can also be factored in polynomial time, but under the stronger condition $r \geq \log^3 p$. In this paper, we show that $N=p^rq^s$ can actually be factored in polynomial time when $r \geq \log p$, the same condition as for $N=p^rq$

High-order Polynomial Comparison and Masking Lattice-based Encryption

The main protection against side-channel attacks consists in computing every function with multiple shares via the masking countermeasure. For IND-CCA secure lattice-based encryption schemes, the masking of the decryption algorithm requires the high-order computation of a polynomial comparison. In this paper, we describe and evaluate a number of different techniques for such high-order comparison, always with a security proof in the ISW probing model. As an application, we describe the full high-order masking of the NIST standard Kyber, with a concrete implementation on ARM Cortex M architecture, and a t-test evaluation

Improved Gadgets for the High-Order Masking of Dilithium

We present novel and improved high-order masking gadgets for Dilithium, a post-quantum signature scheme that has been standardized by the National Institute of Standards and Technologies (NIST). Our proposed gadgets include the ShiftMod gadget, which is used for efficient arithmetic shifts and serves as a component in other masking gadgets. Additionally, we propose a new algorithm for Boolean-to-arithmetic masking conversion of a $\mu$-bit integer $x$ modulo any integer $q$, with a complexity that is independent of both $\mu$ and $q$. This algorithm is used in Dilithium to mask the generation of the random variable $y$ modulo $q$. Moreover, we describe improved techniques for masking the Decompose function in Dilithium. Our new gadgets are proven to be secure in the $t$-probing model. We demonstrate the effectiveness of our countermeasures by presenting a complete high-order masked implementation of Dilithium that utilizes the improved gadgets described above. We provide practical results obtained from a C implementation and compare the performance improvements provided by our new gadgets with those of previous work

A Variant of Coppersmith\u27s Algorithm with Improved Complexity and Efficient Exhaustive Search

Coppersmith described at Eurocrypt 96 a polynomial-time algorithm for finding small roots of univariate modular equations, based on lattice reduction. In this paper we describe the first improvement of the asymptotic complexity of Coppersmith\u27s algorithm. Our method consists in taking advantage of Coppersmith\u27s matrix structure, in order to apply LLL algorithm on a matrix whose elements are smaller than those of Coppersmith\u27s original matrix. Using the $L^2$ algorithm, the asymptotic complexity of our method is $O(\log^{6+\epsilon} N)$ for any $\epsilon > 0$, instead of $O(\log^{8+\epsilon} N)$ previously. Furthermore, we devise a method that allows to speed up the exhaustive search which is usually performed to reach Coppersmith\u27s theoretical bound. Our approach takes advantage of the LLL performed to test one guess, to reduce complexity of the LLL performed for the next guess. Experimental results confirm that it leads to a considerable performance improvement

Factoring N=prqsN=p^r q^s for Large rr and ss

International audienceBoneh et al. showed at Crypto 99 that moduli of the form N = p^r q can be factored in polynomial time when r ≃ log(p). Their algorithm is based on Coppersmith’s technique for finding small roots of polynomial equations. In this paper we show that N = p^r q^s can also be factored in polynomial time when r or s is at least (log p)^3; therefore we identify a new class of integers that can be efficiently factored.We also generalize our algorithm to moduli with k prime factors N = \prod_{i=1}^k p_i^{r_i} ; we show that a non-trivial factor of N can be extracted in polynomial-time if one of the exponents r_i is large enough

Factoring N=p^r q^s for Large r and s

Boneh et al. showed at Crypto 99 that moduli of the form N=p^r q can be factored in polynomial time when r=log p. Their algorithm is based on Coppersmith\u27s technique for finding small roots of polynomial equations. In this paper we show that N=p^r q^s can also be factored in polynomial time when r or s is at least (log p)^3; therefore we identify a new class of integers that can be efficiently factored. We also generalize our algorithm to moduli N with k prime factors; we show that a non-trivial factor of N can be extracted in polynomial-time if one of the k exponents is large enough

Algebraic methods for security analysis of cryptographic algorithms implementations

Le 10ème problème de Hilbert, consistant à trouver les solutions entières d'équations polynomiales est un problème crucial en cryptanalyse. Si ce dernier a été prouvé indécidable, Coppersmith publia en 1996 une méthode basée sur la réduction de réseaux permettant de trouver efficacement l'ensemble des petites solutions de certaines équations polynomiales. De nombreuses applications de cette méthode ont vu le jour dans le domaine de la cryptanalyse à clé publique, notamment lorsque le cryptosystème est exécuté sur un système embarqué et qu'une partie de la clé secrète est dévoilée par la réalisation d'attaques physiques sur le dispositif. Dans ce contexte, nous proposons une attaque physique sur le schéma de signature RSA en mode CRT où une application de la méthode de Coppersmith permet de compléter l'information obtenue par l'attaque physique. Nous proposons également un nouvel algorithme déterministe basé sur la méthode de Coppersmith pour factoriser les entiers de la forme N=p^{r}q^{s} en temps polynomial lorsque r ou s sont suffisamment grands. Enfin, si les applications de la méthode de Coppersmith sont nombreuses, en pratique, du fait que les réseaux à réduire soient gigantesques, les petites solutions ne peuvent être retrouvées que jusqu'à une borne qui est plus petite que la borne théorique annoncée. Aussi, une autre contribution de cette thèse consiste en la proposition de deux méthodes permettant une accélération du temps d'exécution de l'algorithme de Coppersmith. Lorsque les deux méthodes sont combinées, le nouvel algorithme s'effectue des centaines de fois plus rapidement pour des paramètres typiques, permettant ainsi dans de nombreux cas d'atteindre la borne théorique.The 10th Hilbert problem, which consists in finding integer solutions to polynomial equations is a crucial problem in cryptanalysis, which has been proven to be undecidable. However, Coppersmith published in 1996 a method based on lattice reduction, which allows to efficiently find all small solutions to some polynomial equations. Many applications of this method have risen in public key cryptanalysis, especially when the cryptosystem is executed on embedded systems and part of the secret key is revealed through physical attacks performed on the device. In this context, we propose in this thesis a physical attack on the RSA signature scheme when the CRT mode is used, where an application of Coppersmith's method allows to complete the information previously obtained by the physical attack. We also propose a new deterministic algorithm based on Coppersmith's method for factoring integers of the form N=p^{r}q^{s} in polynomial time, under the condition that r and/or s are sufficiently large. Finally, if the applications of Coppersmith's method are numerous, in practice, since the lattices to be reduced are huge, the small solutions can only be recovered until a bound which is smaller than the enounced theoretical bound. Thus, another contribution of this thesis lies in the proposition of two methods which allow to speed up the execution time of Coppersmith's algorithm. When both speedups are combined, the new algorithm performs hundreds of times faster for typical parameters, which allows to reach the theoretical bound in many cases

High Order Masking of Look-up Tables with Common Shares

Masking is an effective countermeasure against side-channel attacks. In this paper, we improve the efficiency of the high-order masking of look-up tables countermeasure introduced at Eurocrypt 2014, based on a combination of three techniques, and still with a proof of security in the Ishai-Sahai-Wagner (ISW) probing model. The first technique consists in proving security under the stronger t-SNI definition, which enables to use n = t+1 shares instead of n = 2t+1 against t-th order attacks. The second technique consists in progressively incrementing the number of shares within the countermeasure, from a single share to n, thereby reducing the complexity of the countermeasure. The third technique consists in adapting the common shares approach introduced by Coron et al. at CHES 2016, so that half of a randomized look-up table can be pre-computed for multiple SBoxes. We show that our techniques perform well in practice. In theory, the combination of the three techniques should lead to a factor 10.7 improvement in efficiency, for a large number of shares. For a practical implementation with a reasonable number of shares, we get a 4.8 speed-up factor for AES

Improved High-Order Conversion From Boolean to Arithmetic Masking

Masking is a very common countermeasure against side channel attacks. When combining Boolean and arithmetic masking, one must be able to convert between the two types of masking, and the conversion algorithm itself must be secure against side-channel attacks. An efficient high-order Boolean to arithmetic conversion scheme was recently described at CHES 2017, with complexity independent of the register size. In this paper we describe a simplified variant with fewer mask refreshing, and still with a proof of security in the ISW probing model. In practical implementations, our variant is roughly 25% faster