Fuzzing+Hardware Performance Counters-Based Detection of Algorithm Subversion Attacks on Postquantum Signature Schemes

Animesh Basak Chowdhury; Anushree Mahapatra; Deepraj Soni; Ramesh Karri

doi:10.1109/TCAD.2022.3159749

Fuzzing+Hardware Performance Counters-Based Detection of Algorithm Subversion Attacks on Postquantum Signature Schemes

Animesh Basak Chowdhury, Anushree Mahapatra, Deepraj Soni, Ramesh Karri

Research output: Contribution to journal › Article › peer-review

Abstract

NIST is standardizing postquantum cryptography (PQC) algorithms that are resilient to the computational capability of quantum computers. Past works show malicious subversion with cryptographic software algorithm subversion attacks (ASAs) that weaken the implementations. We show that PQC digital signature (DS) codes can be subverted in line with previously reported flawed implementations (2008) (Bernstein et al., 2016) that generate verifiable, but less-secure signatures, demonstrating the risk of such attacks. Since all processors have built-in hardware performance counters (HPCs), there exists a body of work proposing a low-cost machine learning (ML)-based integrity checking of software using HPC fingerprints. However, such HPC-based approaches may not detect subversion of PQC codes. A miniscule percentage of qualitative inputs when applied to the PQC codes improves this accuracy to 98%. We propose gray-box fuzzing as a preprocessing step to obtain inputs to aid the proposed HPC-based method.

Original language	English (US)
Pages (from-to)	384-396
Number of pages	13
Journal	IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems
Volume	42
Issue number	2
DOIs	https://doi.org/10.1109/TCAD.2022.3159749
State	Published - 2022

Keywords

Hardware performance counters (HPCs)
integrity verification
postquantum cryptography (PQC)
tamper detection

ASJC Scopus subject areas

Software
Computer Graphics and Computer-Aided Design
Electrical and Electronic Engineering

Access to Document

10.1109/TCAD.2022.3159749

Cite this

Fuzzing+Hardware Performance Counters-Based Detection of Algorithm Subversion Attacks on Postquantum Signature Schemes. / Basak Chowdhury, Animesh; Mahapatra, Anushree; Soni, Deepraj et al.
In: IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, Vol. 42, No. 2, 2022, p. 384-396.

Research output: Contribution to journal › Article › peer-review

@article{9401580725484ad9a0bec79b09e7cd70,

title = "Fuzzing+Hardware Performance Counters-Based Detection of Algorithm Subversion Attacks on Postquantum Signature Schemes",

abstract = "NIST is standardizing postquantum cryptography (PQC) algorithms that are resilient to the computational capability of quantum computers. Past works show malicious subversion with cryptographic software algorithm subversion attacks (ASAs) that weaken the implementations. We show that PQC digital signature (DS) codes can be subverted in line with previously reported flawed implementations (2008) (Bernstein et al., 2016) that generate verifiable, but less-secure signatures, demonstrating the risk of such attacks. Since all processors have built-in hardware performance counters (HPCs), there exists a body of work proposing a low-cost machine learning (ML)-based integrity checking of software using HPC fingerprints. However, such HPC-based approaches may not detect subversion of PQC codes. A miniscule percentage of qualitative inputs when applied to the PQC codes improves this accuracy to 98%. We propose gray-box fuzzing as a preprocessing step to obtain inputs to aid the proposed HPC-based method.",

keywords = "Hardware performance counters (HPCs), integrity verification, postquantum cryptography (PQC), tamper detection",

author = "{Basak Chowdhury}, Animesh and Anushree Mahapatra and Deepraj Soni and Ramesh Karri",

note = "Funding Information: This work was supported in part by ONR under Grant N00014-18-1-2058. Publisher Copyright: {\textcopyright} 1982-2012 IEEE.",

year = "2022",

doi = "10.1109/TCAD.2022.3159749",

language = "English (US)",

volume = "42",

pages = "384--396",

journal = "IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems",

issn = "0278-0070",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

number = "2",

}

TY - JOUR

T1 - Fuzzing+Hardware Performance Counters-Based Detection of Algorithm Subversion Attacks on Postquantum Signature Schemes

AU - Basak Chowdhury, Animesh

AU - Mahapatra, Anushree

AU - Soni, Deepraj

AU - Karri, Ramesh

PY - 2022

Y1 - 2022

N2 - NIST is standardizing postquantum cryptography (PQC) algorithms that are resilient to the computational capability of quantum computers. Past works show malicious subversion with cryptographic software algorithm subversion attacks (ASAs) that weaken the implementations. We show that PQC digital signature (DS) codes can be subverted in line with previously reported flawed implementations (2008) (Bernstein et al., 2016) that generate verifiable, but less-secure signatures, demonstrating the risk of such attacks. Since all processors have built-in hardware performance counters (HPCs), there exists a body of work proposing a low-cost machine learning (ML)-based integrity checking of software using HPC fingerprints. However, such HPC-based approaches may not detect subversion of PQC codes. A miniscule percentage of qualitative inputs when applied to the PQC codes improves this accuracy to 98%. We propose gray-box fuzzing as a preprocessing step to obtain inputs to aid the proposed HPC-based method.

AB - NIST is standardizing postquantum cryptography (PQC) algorithms that are resilient to the computational capability of quantum computers. Past works show malicious subversion with cryptographic software algorithm subversion attacks (ASAs) that weaken the implementations. We show that PQC digital signature (DS) codes can be subverted in line with previously reported flawed implementations (2008) (Bernstein et al., 2016) that generate verifiable, but less-secure signatures, demonstrating the risk of such attacks. Since all processors have built-in hardware performance counters (HPCs), there exists a body of work proposing a low-cost machine learning (ML)-based integrity checking of software using HPC fingerprints. However, such HPC-based approaches may not detect subversion of PQC codes. A miniscule percentage of qualitative inputs when applied to the PQC codes improves this accuracy to 98%. We propose gray-box fuzzing as a preprocessing step to obtain inputs to aid the proposed HPC-based method.

KW - Hardware performance counters (HPCs)

KW - integrity verification

KW - postquantum cryptography (PQC)

KW - tamper detection

UR - http://www.scopus.com/inward/record.url?scp=85126510000&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85126510000&partnerID=8YFLogxK

U2 - 10.1109/TCAD.2022.3159749

DO - 10.1109/TCAD.2022.3159749

M3 - Article

AN - SCOPUS:85126510000

SN - 0278-0070

VL - 42

SP - 384

EP - 396

JO - IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

JF - IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

IS - 2

ER -

Fuzzing+Hardware Performance Counters-Based Detection of Algorithm Subversion Attacks on Postquantum Signature Schemes

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this