Based on the attack formulated by Gerardo Pelosi and Alessandro Barenghi, we have implemented the following two active side-channel (fault injection) attacks against the deterministic version of the Digital Signature Algorithm as specified in RFC 6979. These attacks lead directly to a leak of the private key and thereby break the authenticity of every signature created with this algorithm.
These attacks were tested on:
- Xubuntu 14.04 3.19.0-31-generic
- libgcrypt 1.6.4
To build libgcrypt with the modified dsa.c and run an attack:
1 - Download the latest version of libgcrypt
2 - Copy the file dsa.c into libgcrypt/cipher/ (overwriting the existing one)
3 - Compile libgcrypt with:
cd $PATH_TO_LIBGCRYPT
./configure --enable-maintainer-mode && make
sudo make install
4 - Go to the project root folder
5 - Make sure that the following files are compiled and linked against the libgcrypt you just built
6 - Compile the file that generates the various keypairs, then generate them:
gcc -o key_gen utils/dsa_key_generation.c `libgcrypt-config --cflags --libs`
./key_gen
7 - Compile the attack you want to test and run it:
gcc -o attack attacks/attack1.c `libgcrypt-config --cflags --libs`
./attack
8 - Done! :)
Attack 1 (fault injected into r):
1 - Obtain the correct signature s = k^(-1)(m + x*r) (1)
2 - Obtain the faulty signature s_tilde = k^(-1)(m + x*r_tilde) (2) for the same message; since the nonce is deterministic, k is the same in both signatures
3 - Write the system formed by equations (1) and (2)
4 - Solve the system for x and k, which yields the private key x
This attack runs in constant time, O(c).
Attack 2 (fault injected into k):
For this attack we consider two levels: a bit level and a byte level. In the first case the injected fault flips only one bit, while in the second case it flips at most one byte.
1 - Obtain the correct signature s = k^(-1)(m + x*r) (1)
2 - Obtain the faulty signature s_tilde = k_tilde^(-1)(m + x*r)
3 - Express k_tilde as (k +/- 2^i)
4 - Form the ratio s/s_tilde
5 - Solve the ratio for k and then retrieve the private key x
We have to brute-force all possible values of i, so the algorithm runs in O(n).
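As an added toy example (not part of this project's code, and not touching libgcrypt), the following Python carries the algebra of both attacks through on constructed, deliberately tiny DSA parameters (p = 2039, q = 1019, g = 4), simulates each fault as a single XOR'd bit, and shows the standard countermeasure: verifying the signature before it leaves the signer, which rejects the faulted signature and so denies an attacker the second equation. The HMAC-based nonce derivation is a simplified stand-in for the HMAC_DRBG of RFC 6979 (it only needs to make k depend solely on the key and the message); all parameter values, the message, the private key 777 and the function names are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed toy DSA parameters (far too small for real use): q prime,
# p = 2q + 1 prime, g of order q.
Q = 1019
P = 2 * Q + 1                   # 2039
G = pow(2, (P - 1) // Q, P)     # 4, generates the order-q subgroup

def inv(a):
    return pow(a % Q, -1, Q)    # modular inverse mod q (Python 3.8+)

def hash_message(msg):
    # Digest reduced to a nonzero residue mod q (constructed convention).
    return 1 + int.from_bytes(hashlib.sha256(msg).digest(), "big") % (Q - 1)

def derive_nonce(x, m, counter):
    # Simplified stand-in for RFC 6979 HMAC_DRBG: k depends only on (x, m),
    # so signing the same message twice reuses the same k.
    mac = hmac.new(x.to_bytes(2, "big"), m.to_bytes(2, "big") + bytes([counter]),
                   hashlib.sha256).digest()
    return 1 + int.from_bytes(mac, "big") % (Q - 1)

def sign(x, m, fault=None):
    """Return (r, s). fault=None: correct signature. ("r", i): bit i of r is
    flipped before s is computed (attack 1). ("k", i): bit i of k is flipped
    after r is computed (attack 2)."""
    counter = 0
    while True:
        k = derive_nonce(x, m, counter)
        r = pow(G, k, P) % Q
        s = inv(k) * (m + x * r) % Q if r else 0
        if r and s:
            break
        counter += 1                       # RFC 6979-style retry on a degenerate k
    if fault is None:
        return r, s
    kind, bit = fault
    if kind == "r":
        r_t = r ^ (1 << bit)               # simulated fault on r; the faulty r is output
        return r_t % Q, inv(k) * (m + x * r_t) % Q
    k_t = k ^ (1 << bit)                   # simulated fault on k; r is unaffected
    if k_t % Q == 0:
        raise ValueError("faulted nonce is 0 mod q, no signature produced")
    return r, inv(k_t) * (m + x * r) % Q

def verify(y, m, sig):
    # Standard DSA verification.
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = inv(s)
    return (pow(G, m * w % Q, P) * pow(y, r * w % Q, P)) % P % Q == r

def sign_checked(x, y, m, fault=None):
    # Countermeasure: verify before release, so a faulted signature never leaves
    # the signer and equation (2) is never available to an attacker.
    sig = sign(x, m, fault)
    return sig if verify(y, m, sig) else None

def recover_attack1(m, good, faulty):
    # Attack 1: same k, faulty r. With u = k^-1 and v = k^-1 * x the two
    # signatures s = u*m + v*r and s~ = u*m + v*r~ form a linear system in (u, v).
    r, s = good
    r_t, s_t = faulty
    v = (s - s_t) * inv(r - r_t) % Q
    u = (s - v * r) * inv(m) % Q
    return v * inv(u) % Q                  # x = v / u

def recover_attack2(m, y, good, faulty):
    # Attack 2: same r, k~ = k +/- 2^i. From s*k = s~*k~ it follows that
    # k = (+/-2^i * s~) / (s - s~); brute-force i and the sign, keeping the
    # candidate whose derived x reproduces the public key.
    r, s = good
    _, s_t = faulty
    d = inv(s - s_t)
    for i in range(Q.bit_length()):
        for sgn in (1, -1):
            k_c = sgn * pow(2, i, Q) * s_t * d % Q
            x_c = (s * k_c - m) * inv(r) % Q
            if pow(G, x_c, P) == y:
                return x_c
    return None

def inject_k_fault(x, m):
    # Flip a different bit of k until the signer emits a faulty signature
    # (a flip that zeroes k mod q produces none).
    for bit in range(Q.bit_length()):
        try:
            return sign(x, m, fault=("k", bit))
        except ValueError:
            continue
    return None

if __name__ == "__main__":
    x = 777                                # constructed private key
    y = pow(G, x, P)
    m = hash_message(b"constructed test message")
    good = sign(x, m)
    f1 = sign(x, m, fault=("r", 4))
    f2 = inject_k_fault(x, m)
    print("attack 1 recovers x:", recover_attack1(m, good, f1) == x)
    print("attack 2 recovers x:", recover_attack2(m, y, good, f2) == x)
    print("checked signer releases faulty r-signature:", sign_checked(x, y, m, ("r", 4)))
```

The two recoveries only work because the deterministic nonce makes the correct and faulty runs share k (attack 1) or r (attack 2); with a fresh random k per signature the second equation would introduce a new unknown. The check in sign_checked is exactly the cheap defence deterministic signers need: for a fault on r the faulty pair never verifies, because the verifier reconstructs g^k and obtains the original r, not r_tilde.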
For a better and more complete explanation of these attacks, see crypto_report.pdf inside the /doc folder.