TY - JOUR
T1 - Fuzzing+Hardware Performance Counters-Based Detection of Algorithm Subversion Attacks on Postquantum Signature Schemes
AU - Basak Chowdhury, Animesh
AU - Mahapatra, Anushree
AU - Soni, Deepraj
AU - Karri, Ramesh
N1 - Funding Information:
This work was supported in part by ONR under Grant N00014-18-1-2058.
Publisher Copyright:
© 1982-2012 IEEE.
PY - 2022
Y1 - 2022
N2 - NIST is standardizing postquantum cryptography (PQC) algorithms that are resilient to the computational capability of quantum computers. Past works show malicious subversion with cryptographic software algorithm subversion attacks (ASAs) that weaken the implementations. We show that PQC digital signature (DS) codes can be subverted in line with previously reported flawed implementations (2008) (Bernstein et al., 2016) that generate verifiable, but less-secure signatures, demonstrating the risk of such attacks. Since all processors have built-in hardware performance counters (HPCs), there exists a body of work proposing a low-cost machine learning (ML)-based integrity checking of software using HPC fingerprints. However, such HPC-based approaches may not detect subversion of PQC codes. A miniscule percentage of qualitative inputs when applied to the PQC codes improves this accuracy to 98%. We propose gray-box fuzzing as a preprocessing step to obtain inputs to aid the proposed HPC-based method.
AB - NIST is standardizing postquantum cryptography (PQC) algorithms that are resilient to the computational capability of quantum computers. Past works show malicious subversion with cryptographic software algorithm subversion attacks (ASAs) that weaken the implementations. We show that PQC digital signature (DS) codes can be subverted in line with previously reported flawed implementations (2008) (Bernstein et al., 2016) that generate verifiable, but less-secure signatures, demonstrating the risk of such attacks. Since all processors have built-in hardware performance counters (HPCs), there exists a body of work proposing a low-cost machine learning (ML)-based integrity checking of software using HPC fingerprints. However, such HPC-based approaches may not detect subversion of PQC codes. A miniscule percentage of qualitative inputs when applied to the PQC codes improves this accuracy to 98%. We propose gray-box fuzzing as a preprocessing step to obtain inputs to aid the proposed HPC-based method.
KW - Hardware performance counters (HPCs)
KW - integrity verification
KW - postquantum cryptography (PQC)
KW - tamper detection
UR - http://www.scopus.com/inward/record.url?scp=85126510000&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85126510000&partnerID=8YFLogxK
U2 - 10.1109/TCAD.2022.3159749
DO - 10.1109/TCAD.2022.3159749
M3 - Article
AN - SCOPUS:85126510000
SN - 0278-0070
VL - 42
SP - 384
EP - 396
JO - IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems
JF - IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems
IS - 2
ER -