360 likes | 375 Views
A Timing-Resistant Elliptic Curve Backdoor in RSA. What is Kleptography?. Kleptography is the study of stealing information securely and subliminally. Kleptography is dedicated to researching ways of obtaining such data in an undetectable fashion with high security guarantees.
E N D
What is Kleptography? • Kleptography is the study of stealing information securely and subliminally. • Kleptography is dedicated to researching ways of obtaining such data in an undetectable fashion with high security guarantees. • It is a formal cryptographic study of backdoor designs.
What is the goal of kleptography? • To develop a robust backdoor within a cryptosystem that: • Provides the attacker with the desired secret information (e.g., private key of the unwary user) • Cannot be detected in black-box implementations (I/O access only) except by the attacker • If a reverse-engineer (i.e., not the attacker) breaches the black-box, then the previously stolen information remains confidential (secure against reverse-engineering). Ideally, confidentiality holds going forward as well. • The successful reverse-engineer will learn that the attack is carried out, BUT will be unable to use the backdoor. • It is the design of cryptographic Trojan horses that are robust against reverse-engineering.
Background – Crypto ’96, EC and Crypto 97 • We introduced the notion of kleptography [YY96,YY97]. • An asymmetric backdoor is a covert backdoor that can only be used by the attacker, even if the full specification is made public. The first example RSA composite that hides in its high order bits one of its primes (in the ROM). • A kleptographic attack (SETUP) must be indistinguishable: • Under black-box queries, the device with the backdoor must appear to be the same as the device without the backdoor. • The hidden composite must be well encrypted • The encrypting RSA was half the size • We also showed DH based klepto attacks.
Normal RSA Key Generation • Let e be the public RSA exponent that is shared by all the users (e.g., e is often taken to be 216+1) • choose a large number p randomly (e.g., p is 512 bits long) • if p is composite or gcd(e,p - 1) 1 then goto step 1 • choose a large number q randomly • if q is composite or gcd(e,q - 1) 1 then goto step 3 • output the public key (n=pq,e) and the private key p Note that the private exponent d is found by solving for (d,k) in ed + k(n) = 1 (using the extended Euclidean alg.)
RSA Encryption/Decryption • Let d be the private exponent where ed = 1 mod (p-1)(q-1) • Let Zn* denote the set of numbers in {1,2,3,…,n-1} that are relatively prime to n • To encrypt m ÎZn* compute: c = me mod n • To decrypt the ciphertext c compute: m = cd mod n
Kleptographic RSA Key Generation • The key generation algorithm is modified to contain a cryptotrojan. The cryptotrojan contains the attacker’s public key y. This is an earlier version of the attack [YY96,YY97], more mature versions exist [YY04,YY05]. • choose a large value s randomly (e.g., 512-bits) • compute p = H(s) where H is a cryptographic one-way function • if p is composite then goto step 1 • choose a large value RND randomly • compute c as the asymmetric encryption of s under y [1/2 size modulus] • solve for (q,r) in (c || RND) = pq + r • if q is composite then goto step 1 • output the public key (n=pq,e) and the private key p Note that n is about 1024 bits in length
Recovering the RSA Private Key • The private key is recovered as follows: • The attacker obtains the public key (n,e) of the user • Let u be the 512 uppermost bits of n • The attacker sets c1 = u and c2 = u+1 (c2 accounts for a potential borrow bit having been taken from the computation n = pq = (c || RND) – r • The attacker decrypts c1 and c2 to get s1 and s2, respectively • Either p1 = H(s1) or p2 = H(s2) will divide n evenly • Only the attacker can perform this operation since only the attacker knows the needed private decryption key.
Definition of a SETUP A SETUP attack is an algorithmic modification C’ of a cryptosystem C with the following properties: • Halting Correctness: C and C' are efficient algorithms. • Output Indistinguishability: The outputs of C and C' are computationally indistinguishable to all efficient algorithms except for the attacker A. • Confidentiality of C: The outputs of C do not compromise the security of the cryptosystem that C implements. • Confidentiality of C': The outputs of C' only compromise the security of the cryptosystem that C’ implements with respect to the attacker A. • Ability to compromise C': With overwhelming probability the attacker A can decrypt, forge, or otherwise cryptanalyze at least one private output of C' given a sufficient number of public outputs of C'.
Formal Aspects • There is a formal “security model and definitions” [CTRSA-05] • The design employs tools of modern cryptography: indistinguishability, random oracle assumption regarding strong hash functions, etc. • There is a proof of security of the design (in the model). It is “fun” to use formal methodology and proof techniques to prove the “security of klepto” which gives us a new notion in modern cryptography that of “provable insecurity” • As mentioned trapdoor is half the size? What’s next? (it may be a problem).
Background - Intuition Behind SAC ’05 • Elliptic Curve Cryptography gives smaller ciphertexts (with point compression) than RSA [RSA78] with a comparable security parameter. → The use of ECC in kleptography [YY96,YY97]. BUT how do we ensure the backdoor is hidden with the ECC approach?? This is what SAC ’05 solved. • IDEA: The use of a twisted pair of binary curves gives a DH key exchange value that is (essentially) a bit string selected uniformly at random. → This suggests that we can embed a kleptographic DH key exchange value in the upper order bits of n = pq and achieve indistinguishability of backdoor RSA key pairs vs. “normal” RSA key pairs. Hen: Derive prime from exchanged key (in the ROM)…
Binary Curves Background • Curve Ea,b is given by the Weierstrass equation, y2 +xy = x3 +ax2 + b • Here the coefficients a and b are in F2m and b ≠ 0. • m is prime to avoid the GHS attack [GHS02]. • curve must provide a suitable setting for EC-DDH [JN03] • curve must satisfy the MOV condition
Property of Twisted Curves F2m/F2 F2m/F2 • Recall that if the trace Tr (a) ≠ Tr (a') then Ea,b and Ea',b are “twists” of one another [Ka86,Ka88,Ka91]. • When two such curves form a twist then for every x F2m there exists a y F2m such that (x,y) is a point on Ea,b or Ea',b • The two possibilities are as follows. • Either (x,y) and (x,x+y) are points on the same curve, or • (x,y) = (0,b) is on both curves.
Timing Attacks • So we solved the “space gap issue” in general-- Now it is time to deal with timing attacks. QUESTION:Is it true that klepto RSA keygen is always slower than regular keygen?? • [Kucner Kutylowsky ‘01] indeed showed timing attacks. • First Answer: positive answer, i.e., backdoor computations are “extra” computations always seemingly above and beyond what is “needed” to generate random RSA prime pairs. • To dispute this one can develop a general theory etc. etc. etc. (difficulty to compare time etc. and may lead to asympt. But non concrete result) • Algorithmic Engineering Methodology: On the other hand one methodology is to concentrate on one “accepted” specific algorithm and via “algorithmic engineering” trying to beat it (the algorithm and its code is the adversary to overcome)
What we will show in fact: • So here we rather chose a “common” implementation of RSA key generation (OpenSSL) and developed an attack against it. (This is an established implementation, not likely to be changed frequently). • Second Answer: We demonstrate a negative answer in this case to the above question, giving a concrete practical answer (crypto engineering type of treatment). How Klepto implementation based on OpenSSL is not slower than the OpenSSL RSA KeyGen.
Our contributions • We present the first timing-resistant asymmetric backdoor in RSA (the work by Crépeau-Slakmon CT-RSA ‘03 constituted symmetric backdoors [CS03] where attack exploits symmetric keys– not immune to reverse engineering). The backdoor we present is based on [YY05] but is substantially redesigned. • We present the first benchmarks of the backdoor’s running time. • We present a backdoor (that we built into OpenSSL) that has a running time that is evenfasterthan normal OpenSSL RSA key generation and show… …that the particulars of the prime incremental search method/trial-division can have a very significant impact on timing-resistance engineering.
Highlights of Carefully Chosen Speed-Ups • [YY05] does NOT do the following: • use incremental prime search/trial division • minimize the number of Miller-Rabin iterations (Damgård-Land-Pom) • exploit Non-Adjacent Form (NAF)for scalar multiplication • At first we made the following improvements: • use the OpenSSL incremental search/fast trial division • minimize the number of Miller-Rabin iterations • use wNAF splitting [Mö02] in the asymmetric backdoor • eliminated point halving during key generation ([YY05] uses point halving).
Highlights continued… • Even after the above changes, our backdoor key generator was still slower than OpenSSL RSA key generation. • Main discovery: • We then devised an extended incremental search algorithm (modification of OpenSSL incremental search/fast trial division algorithm). • We show how this design allows our construction to resist timing analysis by running faster than OpenSSL RSA key gen. • Work is based on actual implementation experimentations (all done by A. Young)
Parameters for Experiment • m is the prime 257 (avoids GHS attack) • We use a = 0 in the curve Ea,b = E0,b and a = 1 in the curve Ea,b = E1,b • The irreducible trinomial is f(z) = z257+z12 + 1 • # of points on E0,b is 4q0, # of points on E1,b is 2q1 • We used the following values for b, q0, and q1 : b = 197D4C3C909B4C8EAC18BB296C11BFB18C80B37C0C62AFD8E5F00104C46EEAF0B q0 = 800000000000000000000000000000005EB3E3179500E2B5D2F8EA6DCC363C1F q1 = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF429839D0D5FE3A945A0E2B24679387C3
Speed-ups in Elliptic Curve Key Exchange • There are four bases: G0,G1,Y0,Y1. • A curve a is selected and then the wNAF splitting values for Ga,Ya are “loaded”. • This enables fast scalar multiplication over the base points Ga,Ya. • “Alice” chooses the scalar K randomly such that KGa is a random bit string (a was chosen randomly in proportion to the # of points on each curve). • Alice reduces K to get k and computes the shared DH secret kYa. • This is faster than [YY05] in which k was chosen first and then point-halving was applied to k to get K.
DH key exchange over a twist in GF(2m) without halving GenDHExchangeValues(): Input: none Output: spub,spriv {0,1}m+1 1. with probability (4q0-1)/2m+1 set a = 0 and with probability (2q1-1)/2m+1 set a = 1 2. if a = 0 set (r,cof) = (q0, 4) else set (r,cof) = (q1,2) 3. set groupg = NewCurve(p,a,b) and set groupy = NewCurve(p,a,b) 4. if a = 1 then 5. LoadwNAFsplit(groupg, groupValsG1, groupPointsG1) 6. LoadwNAFsplit(groupy, groupValsY1, groupPointsY1) 7. else 8. LoadwNAFsplit(groupg, groupValsG0, groupPointsG0) 9. LoadwNAFsplit(groupy, groupValsY0, groupPointsY0) 10. SetGenerator(groupg, Ga, 2(2-a)r,cof) 11. SetGenerator(groupy, Ya,r,cof) 12. choose K uniformly at random such that 0 < K < 2(2-a)r 13. set k = K 14 if (K r) then set k = FastKmodr(K,r) 15. P = FastPointMul(groupg,K) /* compute P = KGa */ 16. spub = PointCompress(groupg,P) 17. P = FastPointMul(groupy,k) /* compute P = kYa */ 18. spriv = PointCompress(groupg,P) 19. return (spub,spriv)
Recovering the DH secret RecoverDHSharedSecret(spub,x0,x1): Input: spub {0,1}m+1 and EC private keys x0,x1 Output: spriv {0,1}m+1 1. set (v, r, cof) = (0, q0, 4) 2. ((U,V),w) = PointDecompress(0,spub) 3. if (w = 0) then 4. compute ((U,V),w) = PointDecompress(1, spub) 5. set (v, r, cof) = (1, q1, 2) 6. set a = v and set group = NewCurve(p,a,b) 7. let P1 be the point corresponding to (U,V) 8. P1 = PointDouble(group, P1) 9. if (v = 0) then set P1 = PointDouble(group, P1) 10. SetGenerator(group, P1, r, cof) 11. P2 = PointMul(group, xa) /* compute P2 = xaP1 */ 12. return spriv = PointCompress(group, P2)
Backdoor Design Strategy • Our strategy was twofold: • Model the backdoor RSA key generator after the existing OpenSSL RSA prime pair generator. • Determine how to make the backdoor run faster via efficiency improvements. Failing that, determine a minimal change (ideally) that enables the backdoor key generator to run faster than OpenSSL. • We found the OpenSSL RSA prime pair generator to be quite fast. • We found that we had to change the prime search algorithm a little to make the backdoor key generator run faster than the OpenSSL key generator. • Again: this is crypto engineering/ algorithms engineering
Deciding Acceptable Primes • We use PrimeChecksForSize that takes as input the bit length of a candidate prime and returns a positive integer specifying the number of iterations of Miller-Rabin [Mi76,Ra80]. • The number of Miller-Rabin iterations is based on the “average case error estimates for the strong probable prime test” [DLP93]. • For 1024, 2048, and 4096 bit numbers it does 2, 2, and 3 Miller-Rabin iterations, respectively. IsAcceptablePrimeFast(e, len, p1) returns true if and only if p1 is an acceptable RSA prime. len is the required bit length of p1 and e is the RSA exponent.
Incremental Search/Fast Trial Division Tricks • Goal: fast incremental search for a prime p1 such that p1-1 is not divisible by small primes (so check that p1 and p1-1 aren’t divisible by small primes). • We use a 2048 element array primes[ ] for trial division • Candidate prime p1 is already odd and is reduced modulo primes[1], primes[2],…, primes[2047] and the results are stored in the mods[ ] array. • The 32-bit word delta is successively incremented by 2. • The candidate prime p1 passes the fast trial division if for i = 1 to 2047: ((mods[i] + delta) mod primes[i] 1) • OpenSSL gives up on p1 if, before delta overflows, p1 is a successful candidate but is found to be composite. • We change this to give up p1 only if delta overflows.
Namely.. • The search for the prime is incremented +2 as long as the size in bits of the incremented value is of the same bit length. • Update of trial division is faster • Now though, the prime drawing method is skewed. So we point this out and assume that it actually does not change much the distribution and postulated this as an assumption: prove it or use it to attack the method.
Using Incremental Search andFast Trial Division GenPrimeWithPRNGFast(seed, key, D, len, e): Input: seed, key, D {0,1}128, required bit length len, RSA exponent e Output: An acceptable prime p1 1. PseudoRndGenAES1281(seed, key, D) /* initialize the PRNG, D is the “date” */ 2. p1 = PseudoRndGenAES1280(len/8) /* return next len/8 bytes of PRNG stream */ 3. set the 2 most significant bits and the least significant bit of p1 to 1 4. for i = 1 to NUMPRIMES - 1 step 1 do: /* NUMPRIMES = 2048 */ 5. mods[i] = p1 mod primes[i] /* primes[ ] stores the first 2048 primes */ 6. delta = 0 7. for i = 1 to NUMPRIMES - 1 step 1 do: 8. if ((mods[i] + delta) mod primes[i] 1) 9. delta = delta + 2 10. if (delta > MAXDELTA) then goto step 2 11. goto step 7 12. if (IsAcceptablePrimeFast(e, len, prime + delta) = false) 13. delta = delta + 2 14. if (delta > MAXDELTA) then goto step 2 15. goto step 7 16. PseudoRndGenAES1282() /* zeroize values and free memory */ 17. set p1 = p1 + delta and return p1
Final Building Blocks DHSecretToPRNGParams(spriv) outputs (seed,key,D) • Recall that |spriv| = m+1 bits. In our case m = 257. • Right shifts spriv by 2 bits to derive 256 bits for use in the PRNG. • 128 of these bits are used for key and the other 128 for seed • The “date” value D is a fixed (randomly selected) 128-bit value GenPrimeWithOracleIncr(spriv,len,e) returns an acceptable prime p1 • Calls DHSecretToPRNGParams(spriv) to get (seed, key, D) • Outputs p1 where p1 = GenPrimeWithPRNGFast(seed,key,D,len,e)
Backdoor Key Pair Generator GetPrimesFast(bits, e, spub, spriv): 1. len = bits/2 2. p1 = GenPrimeWithOracleIncr(spriv, len, e) 3. = bits - (8 + m + 1) 4. choose r1R {0,1}7 and r2R {0,1} 5. set nc = 1 || r1 || spub || r2 6. solve for (q1,r) in nc = q1 p1 + r 7. if (|q1| ≠ len or the 2nd most significant bit of q1 is not 1) then goto step 4 8. set the least significant bit of q1 to 1 9. for i = 1 to NUMPRIMES - 1 step 1 do: 10. mods[i] = q1 mod primes[i] 11. delta = 0 12. for i = 1 to NUMPRIMES - 1 step 1 do: 13. if ((mods[i] + delta) mod primes[i] 1) 14. delta = delta + 2 15. if (delta > MAXDELTA) then goto step 4 16. goto step 12 17. if (IsAcceptablePrimeFast(e, len, q1 + delta) = false) 18. delta = delta + 2 19. if (delta > MAXDELTA) then goto step 4 20. goto step 12 21. set q1 = q1 + delta and return pair of acceptable RSA primes (p1, q1)
Security • We replaced the random oracle in [YY05] with a heuristic PRNG (for provability assume it is a RO). • The PRNG is based on ANSI X9.17 with DES replaced with AES-128. • Security is therefore a heuristic argument. • RECALL POSSIBLE WEAKNESS: In comparison to OpenSSL we changed the incremental search/fast trial division algorithm (to get speed). • SO, it may be possible to sample prime pairs and see a difference w.r.t. OpenSSL. • We leave this issue as open. • OBSERVATION: This suggests a cryptanalyst could/should focus on differences resulting from differing incremental search/trial division strategies.
Performance ave. for Fast SETUP Alg. Table 1. Performance Averages for Fast SETUP Algorithm Pentium 4, 2.79 GHz, 512 MB RAM, Ubuntu Linux
Average RSA key generation/recovery time Table 2. Average RSA key generation/recovery time in seconds
Conclusion • We presented an asymmetric backdoor in RSA key generation that uses a twisted pair of binary curves. • We presented an algorithms engineering approach to investigating speed of alternative (kleptographic) implementation against an established system • We presented a number of speed-ups, one of which enables the backdoor key pair generator to run faster than the OpenSSL RSA key generator. • This suggests that asymmetric backdoors in RSA can resist timing analysis, but this is an example against one alg. (more work is needed on this problem). • Note also: We used Kleptographic motivation as an engine for deriving new algorithmic ideas at various levels (special implementation speedups, better use of theory, faster methods that can be used elsewhere)
References (1 of 2) • [CS03] C. Crépeau, A. Slakmon, “Simple Backdoors for RSA Key Generation,” In The Cryptographers' Track at the RSA Conference, pp. 403-416, 2003. • [DLP93] I. Damgård, P. Landrock, C. Pomerance, “Average Case Error Estimates for the Strong Probable Prime Test,” In Math. Comp., 61(203):177-194, 1993. • [GHS02] P. Gaudry, F. Hess, N. Smart, “Constructive and Destructive Facets of Weil Descent on Elliptic Curves,” In Journal of Cryptology, v. 15, pp. 19-46, 2002. • [JN03] A. Joux, K. Nguyen. Separating DDH from CDH in Cryptographic Groups. In Journal of Cryptology, v. 16, n. 4, pages 239-247, 2003. • [Ka86] B. S. Kaliski. A Pseudo-Random Bit Generator Based on Elliptic Logarithms. In Advances in Cryptology—Crypto '86, pages 84-103, 1986. • [Ka88] B. S. Kaliski. Elliptic Curves and Cryptography: A Pseudorandom Bit Generator and Other Tools. PhD Thesis, MIT, Feb. 1988. • [Ka91] B. S. Kaliski. One-Way Permutations on Elliptic Curves. In Journal of Cryptology, v. 3, n. 3, pages 187-199, 1991.
References (2 of 2) • [Mi76] G. L. Miller, “Riemann's Hypothesis and Tests for Primality,” In J. Comp. Syst. Sci., v. 13, n. 3, pp. 300-317, 1976. • [Mö02] B. Möller, “Improved Techniques for Fast Exponentiation,” In Information Security and Cryptology—ICISC '02, pp. 298-312, 2002. • [Mö04] B. Möller. A Public-Key Encryption Scheme with Pseudo-Random Ciphertexts. In ESORICS '04, pages 335-351, 2004. • [Ra80] M. O. Rabin, “Probabilistic Algorithms for Testing Primality,” In J. Number Th., v. 12, pp. 128-138, 1980. • [RSA78] R. Rivest, A. Shamir, L. Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, CACM 21(2), 1978. • [YY96] A. Young, M. Yung. The Dark Side of Black-Box Cryptography, or: Should we trust Capstone? In Advances in Cryptology—Crypto '96, pages 89-103, 1996. • [YY97] A. Young, M. Yung. Kleptography: Using Cryptography Against Cryptography. In Advances in Cryptology—Eurocrypt '97, pages 62-74, 1997. • [YY05] A. Young, M. Yung, “A Space Efficient Backdoor in RSA and its Applications,” Selected Areas in Cryptography—SAC 2005.