 Welcome to the last session, last technical session on just 2018. So this session will be on fault attacks, fault attacks too. So the first paper is on new Bleichenbacher records, fault attacks on QDSA signature. The work is a joint work between Kyoto University and Entity Labs. And the work will be presented by Akira Takahashi. Thank you for the introduction. So I'm Akira Takahashi, currently a master's student at Kyoto University in Japan. So today I'm going to present our recent results on Black-Hamburgers attack, and also our new fault attacks on QDSA signature scheme. This is a joint work with Meditibish and Masayuki Abe from Entity Secure Platform Laboratories. So here's the outline of the state stock. First, I'm going to introduce the problem we've addressed in this work. And then I'm going to present our three main contributions of the paper. So as a motivating example, let me briefly describe the Schnorr signature scheme, which is one of the simplest and most widely used digital signature scheme. So as everyone probably knows, the DSA and the ECDSA, those are the most notable variants of the Schnorr signature. As for the provable security, Schnorr signature is known to be secure in the random awkward model if the discrete log problem is hard. Also another important feature of the Schnorr is that it relies on an ephemeral random value known as nonce. So let's have a look at this nonce in the Schnorr signature. So here Alice is a signer holding a secret key D, chosen from integer mod n, where n is a large prime. And whenever Alice generates a new signature, she first samples this integer k from z over nz uniformly and at random. And this integer k is typically called nonce. And it usually satisfies this congruent relation. And since s and h, those are the public information as a part of the signature, of course, Alice should never disclose her nonce to anyone else. Otherwise, it would be very easy to recover the secret key. Also, Alice should never use the same exact k more than once. So these are well known facts. But what if this k is slightly biased? For example, as showing this figure, what if k's top bits are all c to 0? Or what if nonce k is partially leaked? Actually, even in such cases, by collecting sufficiently many signatures, adversely it could still bypass the discrete log problem and consequently steal the secret key by solving so-called hidden number problem. So we can see that nonce is a very sensitive part of the Schnorr signature, dsa and ecdsa as well. And it is very crucial to evaluate the risk of biased or leaked nonces. So in this context, our contribution can be summarized as follows. First, we optimize the statistical attack framework known as Blyhember's attack against noncedential signatures. Second, as a separate contribution, we propose new fault attacks against specific Schnorr like signatures called qdsa in order to obtain a few bits of nonces. And combining those two contributions together, we implemented a full secret key recovery attack against Schnorr like signatures, which was instantiated over a 252-bit group using only two or three bit nonce leaks. And actually, these targeted parameters have set new records in the implementation of Blyhember's attack. So here's the summary of the previous published records of attacks against nonces, including both Blyhember's attack and the lattice attacks as well. Basically, we solved this three-bit leak case and much harder two-bit leak case. And to the best of our knowledge, these targeted parameters have never been broken before. So now I'm going to present our first contribution, the optimization of Blyhember's attack. So what is Blyhember's nonce attack? It was originally already proposed 18 years ago by Daniel Blyhember, but it was only recently revisited by those two papers, the Maldau Tower at the chess 2013 and Araniel Tower at the Egecrete 2014. The main idea of the Blyhember's attack is to quantify the nonce bias by defining the so-called bias function, which is real valued between 0 and 1, and the final peak of it. Though I don't have much time to formally describe this bias function, essentially, the bias function becomes 0 if the nonce is uniformly distributed. And if the nonce is biased, then this bias function becomes close to 1. And essentially, the most important and costly phase of the Blyhember's attack is so-called range reduction of integers h. And this phase is necessary to detect the bias peak correctly and efficiently. So what do we have to do exactly during the range reduction? So we are first given s signatures, and we want to find the sufficiently many linear combinations of those h values. And these linear combinations have to satisfy two conditions. First, the resulting linear combination should be smaller than the certain threshold value. Second, the coefficients of the linear combination should be as sparse as possible. So those are the required conditions for the Blyhember's attack to work correctly. Also, please note that this range reduction problem looks like knapsack problem. But the main difference is that in the range reduction problem, we have to find many linear combinations instead of a single, exact knapsack solution. So the previous works I mentioned before have tried to address this range reduction problem in different ways. But unfortunately, their approaches were not very optimal, especially if the nonce biases is quite small. For example, at the Demalda et al's work, they used the BKZ lattice reduction algorithm. But with this approach, the resulting coefficients of the linear combinations are not sparse enough if the nonce bias is small. Also, another important approach is the certain difference conducted by Alanyato. But the certain difference requires many inputs and consequently consumes a huge memory space. So we took different approach. So here we apply the Schreppel-Schamier's knapsack algorithm. Actually, the use of Schreppel-Schamier was already mentioned by Blyhember, but interestingly, its merits have never been examined in the previous work. So what's good about Schreppel-Schamier? So first, the Schreppel-Schamier is highly space efficient. And second, it can be highly parallelizable by making use of how great Graham Jules variant of Schreppel-Schamier. So our range reduction algorithm was specifically inspired by this variant. So here's the brief overview of how the Schreppel-Schamier based range reduction works. So we first split the input integer list into four separate lists and sort them. Second, we search for the linear combinations of two whose top consecutive bits coincide with some certain fixed value and sort them and push them into two separate lists. And finally, we take the differences between those linear combinations of two. And since now it's guaranteed that the collision happened in the top bits, with good probability we can get very small linear combinations for each round. So that's the basic idea. We analyze this algorithm in detail and they observe a well-balanced time-space trade-offs. So here, as you can see, compared to the previous approach, sort of a difference, that our range reduction algorithm is much more space efficient. But the drawback is that the time complexity got a bit worse. But in practice, the Schreppel-Schamier-based range reduction still terminates within a reasonable time frame by making use of large-scale polarization technique, which I'm going to revisit in the implementation section. So now I will go over our second contribution, the fault attacks on QDSA signature scheme. The QDSA signature, which stands for the quotient digital signature algorithm, is a recent high-speed variant of Schnauer signature proposed by Renez and Smith at Egypt Crypt last year. The important feature of the QDSA is that it can be instantiated with a curve to 519-mongomeric curve. So this means that the signature generation algorithm can benefit from highly efficient mongomeric ladder, mongomeric ladder-based scalar multiplication, in which Y coordinate is not used at all. Also, please note that in QDSA, the non-scale is deterministically generated. Here, our technical idea is quite simple. So we basically exploit this group structure of curve to 519, which, as you can see, include non-prime and lower-order points. So by injecting an appropriate fault to the base point of the curve to 519, we can perturb it to non-prime or lower-order points. And using this 40 base point as an input to the ladder function, by looking at the resulting 40 output, we can obtain partial information of the secret scalar k, which is used as a non-synational QDSA signature. So here I give our fundamental observation on why our attack works against the QDSA signature. First, if we attack the EC-Synor or EC-DSA, since they use Y coordinate as well, if we perturb the point, the resulting point is not likely on the original curve anymore, that's why our fault attacks wouldn't make sense against such schemes. On the other hand, this QDSA makes use of X on the arithmetic, and therefore, it does not involve Y coordinate. The perturb point, the P-tuder, is necessary on the curve itself or its twist. So that's why, even after injecting a fault, we can still confidently make use of the structure of the underlying original curve. So following this observation, we proposed two types of fault attacks on curve 25 of 19. The first one is random, same ferment fault against the program memory. So using this fault attack, we can obtain the three least significant bits of the nodes. The second one is instruction skipping fault against the base point initialization. So this fault attacks only reveals two LSB of the nodes. It is much easier to achieve in practice. And we verify that this attack indeed works against the QDSA using the chip whisper light against the AVR microcontroller. The countermeasure is quite simple, just multiplying the noses by this common multiple of the curve cofactor and the twist cofactor. And this technique is commonly known as cofactor killing or clamping. So especially for curve 25 of 19's case, we can just multiply the noses K by this common multiple 8. So this clamping technique completely throws our proposed fault attacks. OK, so now I'm going to present our main result, the implementation of the noses attack against the signal like signature. So here's our main result. So we attacked QDSA using only two bit leaks. And first, as an input, we simulated 2 to the 40 QDSA signatures out of which we used only 2 to the 26 instances, having smaller H values. And we fed them into Blackhember's attack. And we highly paralyzed the implementation. So in this experiment, we used 256 threads in total. And after the first trial of the Blackhember's attack, we successfully recovered the top bits of the secret key. Also, as expected, the memory consumption was quite modest. So in this experiment, we only used 15 gigabytes of memory. Also, the CPU time was rather long. Thanks to the large-scale parallelization, the actual experiment finished only after 16 days. Also, once we know the top bits of the secret key, we can recover the remaining bits of the secret key by iteratively applying Blackhember's attack. And this procedure took only less than six hours. Also, please note that our estimation shows that a certain difference, the previous approach, would require much more signatures, which would be equivalent to the 2 terabytes of memory. So I would say that this attack would have been much more difficult to achieve in practice using the previous range reduction algorithm. Also, we attacked a bit easier case using 3-bit non-slicks. So here, of course, the woke up time was much shorter than the previous one. And since the CPU time was less than 10 days, also the memory consumption was less than 3 gigabytes, we can say that the Blackhember's attack would be even feasible using a small laptop. Also, it turned out that attacking with certain difference is possible. And of course, as expected, that sort and difference range reduction was much faster than the Shreve-Peshami based one. However, the memory consumption was over 100 gigabytes. And it required billions of signatures, which would not fit in the commonly used laptop. So let's conclude. So in the first contribution, we optimized Blackhember's attack and successfully overcame the memory barrier of previous approach by applying Knapsack algorithm. In the second contribution, we proposed new fault attacks on QDSS signature instantiated over CUB25519. And here we discovered yet another situation where adversely could learn the partial information of non-slicks. Also, the important lesson here is that the cofactor killing is a crucial countermeasure when using X-only arithmetic of Montgomery's curve. And finally, we implemented a non-slick attack and presented the first large-scale polarization of the Blackhember's attack and successfully set the new records of non-slick attack. And of course, our parallel implementation of the Blackhember's attack is publicly available on GitHub page, so please check it out. Thank you very much. So we have some time for questions. Thank you for the nice talk. So I have a question. What kind of fault model you have assumed in this case? Can you explain the fault model? So in the first fault model, I mean, the fault that makes it possible to review the 3SB. So we basically assumed that the optical fault, in order to induce the bit flip. And in the second model, we basically used the clock glitch. OK, so clock glitch resulted in single bit flip only? Sorry? The clock glitch resulted in bit flips only? No, no. The clock glitch was just used to skip the one instruction to set the X coordinate of the base point. Oh, I see. OK. Thank you. So are there any other questions? So I have one question. So you mentioned about the Montgomery ladder being implemented using X coordinates. So what if I also have projective coordinates to implement? Like, will that actually work? So if you just use the X and Z, for example, as coordinates. So we basically assumed the X, Z in this experiment. So that's what exactly we need. It works. OK, so are there any questions? If not, then let's thank the speaker. Thank you.