210 likes | 475 Views
Cryptanalysis of a Provably secure CRT-RSA Algorithm. By: D. Wagner. Presented By: Dolly Sapra 2005H103012. Topics of discussion. What is CRT-RSA? Fault Attack on CRT-RSA A Provably secure Solution Cryptanalysis of the new solution Conclusion. Chinese Remainder Theorem.
E N D
Cryptanalysis of a Provably secure CRT-RSA Algorithm By: D. Wagner Presented By: Dolly Sapra 2005H103012
Topics of discussion • What is CRT-RSA? • Fault Attack on CRT-RSA • A Provably secure Solution • Cryptanalysis of the new solution • Conclusion
Chinese Remainder Theorem Let N = pq ; p and q are primes Xp = Np ( Np-1 mod p) Xq = Nq ( Nq-1 mod q) here, Np = N/p = q; Nq = N/q = p Ap = A mod p Aq = A mod q Then by CRT, A mod N = (ApXp + AqXq) mod N • In RSA,we want Mdmod N • Md replaces A
Chinese Remainder Theorem Let N = pq ; p and q are primes Xp = q ( q-1 mod p) Xq = p ( p-1 mod q) Mp = Md mod p Mq = Md mod q Then by CRT, Mdmod N = (MpXp + MqXq) mod N • By Fermat’s Theorem, • Md mod p = Md mod(p-1) mod p
CRT-RSA Let N = pq ; p and q are primes Xp = q ( q-1 mod p) Xq = p ( p-1 mod q) Mp = Md mod(p-1) mod p Mq = Md mod(q-1) mod q Then by CRT, Mdmod N = (Mp Xp + Mq Xq) mod N
CRT-RSA • No. of operations are more. • But, modular exponentiation uses shorter exponents. So CRT-RSA is faster. • This variant of the RSA signature algorithm is widely used on smartcards.
CRT-RSA • Smartcards compute RSA signatures • S(m) :=Md mod N using the CRT-RSA scheme. • Two signature parts • SP = Md mod(p-1) mod p • Sq = Md mod(q-1) mod q • are computed first. • They are combined using the CRT as • S(m) := CRT(Sp, Sq)
Fault Attack on CRT-RSA • Smartcards are particularly susceptible to fault attacks. • Here it is assumed, that an adversary can induce an error that causes Sp to be defective while Sq is computed correctly. • If the defective CRT-combination • S = CRT(Sp, Sq) mod N • is disclosed, the scheme is completely broken as gcd(Se – M mod N, N) = q.
Countermeasure • Choose a small prime t of about 32 bits to compute Sp = md mod pt and • Sq = mdmod qt • Check whether Sp =Sq mod t before combining them with the CRT. • Not Secure • It leaves the CRT-combination step to obtain the final signature modulo N unprotected. • It has a single point of failure when it checks if Sp =Sq mod t
The Provably Secure CRT-RSA we first generate random 80-bit primes t1, t2 dp = d mod f(p.t1) dq = d mod f(q.t2) et1= d-1 mod t1 et2= d-1 mod t2 1. Set Sp = mdpmod p.t1 2. Set Sq = mdqmod q.t2 3. Set S = CRT(Sp,Sq) mod N.t1.t2 4. Set c1 = (m –Set1 + 1)mod t1 5. Set c2 = (m –Set2 + 1)mod t2 6. Set Sig = Sc1-c2mod N. If no errors, we have c1 = c2 = 1, thus the algorithm produces the right result.
Threat Models #1: The attacker can cause a fault in a single bit. The attacker has full control over the timing and location of the fault. #2: The attacker can cause a fault in a single byte. The attacker has full control over the timing, but may have only partial control over the location of the fault and cannot predict the new faulty value that is introduced.
Threat Models (ctd.) #3: The attacker can cause a fault in a single byte. The attacker has only partial control over the timing and location of the fault, and cannot predict the new faulty value. #4: The attacker can cause a fault in a single variable. The attacker has only partial control over the timing and no control over the location; the targetted variable will be replaced by an entirely new random value not known to the attacker.
Provable security • The paper systematically enumerates many possible attacks and shows that these attacks do not work. • The paper claims security against Fault Models #2, #3, and #4. • There is no assurance that the attacks examined exhaust the space of all possible attacks. • So the risk is that other methods not anticipated by the designers of the cryptosystem might be able to defeat the scheme. • J. Blomer, M. Otto, J.-P. Seifert, “A new CRT-RSA algorithm secure against Bellcore attacks," ACM CCS 2003, ACM Press, pp.311-320, 2003.
A Fault Attack • A random transient fault that modifes the value of M as it is being read from memory in line 1 while leaving the value stored in memory unaffected, so that further reads will return the correct value of M. • It is assumed that the introduced error pattern e(m) is known or guessable by the attacker.
Fault Attack dp = d mod f(p.t1) dq = d mod f(q.t2) et1= d-1 mod t1 et2= d-1 mod t2
Fault Attack • Note here that f(c2) =1 and • f(c1) = (m – f(m) +1)mod t1 = (1 - e(m) )mod t1 • So, error occurs in output as - f(Sig) = f(S)f(c1)mod N • Also, • f(S) =S (mod q) but !=S (mod p) • f(S)e= m (mod q) but !=m (mod p) • If we were given f(S), we could factor N by computing gcd( f(S)e – M mod N, N) • But, we don’t have f(S), we have f(S)f(c1)
Fault Attack • So the problem reduces to taking f(c1)-th root of f(S)f(c1). • f(c1) = (1 - e(m) )mod t1 • e(m) is known or guessable by the adversary. So only t1is keeping adversary from knowing the secret. t1is 80-bits long, so guessing it by brute-force requires 280 attempts. • However there is another approach. • If (1-e(m) ) <t1 then we don’t need to know t1.
Fault Attack • The fault is called usablewhen f(c1) can be predicted, without knowledge of t1. • It was found by the author, • for a 1024-bit RSA modulus, a 80-bit prime t1, and a random single-byte error, a random single-byte fault in M has about a 4% chance of being usable in an attack, and in this case there were about 2550 different possible values of e(m). I.e to guess e(m), max 2550 attempts are needed.
Fault Attack in work • A transient random single-byte fault is induced in Mas it is read from memory in line 1. • Then observe the output f(Sig) of the computation, and for each of the 2550 possible values of f(c1), compute gcd(Mf(c1)–f(sig)e mod N, N )and check whether a non-trivial factor of N is obtained or not. • If not, repeat the attack, iteratively inducing faults. • On average,this will be done about 25 times before factoring N, and the total workload is about • 25 x2550 =(approx.) 216modular multiplications.
Fault Attack in work • If instead of assuming that the attacker can introduce random single-byte faults, we assume that the attacker can inject random faults that affect a single 32-bit word, then the complexity of the attack increases to about 32 faults and about 32 x 232= 238modular multiplications. • The attack requires only loose control over the timing and location of the fault. Thus, it is within Fault Model #3.
Conclusion • The above cryptanalysis shows that the proposed CRT-RSA algorithm is not secure against Fault Models #3 and #4, despite the fact that it was claimed to be secure against these kinds of attacks and should not be used.