Correcting Errors in Private Keys Obtained from Cold Boot Attacks

Transcription

1 Correcting Errors in Private Keys Obtained from Cold Boot Attacks Hyung Tae Lee, HongTae Kim, Yoo-Jin Baek, and Jung Hee Cheon ISaC & Department of Mathmathical Sciences, SNU / 17

2 Contents Cold boot attacks Problem definition Our algorithm Breaking Countermeasures Conclusion 2 / 17

3 Cold Boot Attacks Cold boot attacks Halderman et al. [USENIX 08] ( Table: Error rate of cold boot attacks (example) Temperature Seconds w/o power Error rate Operating Temperature % % 50 C 60 no errors % 3 / 17

4 Previous Works: RSA-CRT Cryptosystem RSA-CRT C d (mod N) C dp (mod p), C dq (mod q), and Chinese remainder theorem where d p d mod (p 1), d q d mod (q 1) Private key: (p, q, d, d p, d q ) Previous Results Using equations in variables N, e, p, q, d, dp, d q Table: Previous Results - Recovering Private Keys Scenario Reference Less than 0.73 fraction of p, q, d, d p, d q is unknown Heninger-Shacham (Crypto 09) Error rate of p, q, d, d p, d q is less than Henecka-May-Meurer (Crypto 10) 4 / 17

5 Problem Definition Definition Let G be a finite cyclic group of order q, generated by g. Given an erroneous value x Z q with error rate δ, and y = g x G, recover the correct value x. Applications DL-based Cryptosystem: (pk, sk) = (g x, x) Standard RSA Cryptosystem: (ct, msg) = (C, C d ) where sk = d 5 / 17

6 Previous Works: Splitting System Definition (Splitting System) Let n and t be even integers with 0 < t < n. An (n, t)-splitting system is a pair (X, B) that satisfies the following properties: 1 X = n and B is a set of n 2 -subsets of X called blocks. 2 For every Y X such that Y = t, there exists a block B i B such that B i Y = t 2. An (n, t)-splitting system with N blocks is denoted by (N; n, t)-splitting system. Lemma (Coppersmith) For all even integers n and t with 0 < t < n, there exists an ( n 2 ; n, t)-splitting system for Z n. 6 / 17

7 Applications of Splitting System Applications Low Hamming Weight Exponent (LWHE) DLP Recovering the private key from an unidirectional erroneous key which has missing bits [Forque et al., CHES 06] Idea: when x = , LHWE DLP: x = x =? Unidirectional Error: x = x =? Bidirectional Error: x = x =? 7 / 17

8 Example I Setup G = 2 Z 2039 of order 1019, pk : y = g x = 1571 (sk : x = = 941), x : x =? Naive Method (Exhaustive Search): Choose t bits from n bits and change corresponding bits (t: the number of error bits) Complexity: ( ) mod 2039 ( ) ( ) ( ) ( ) 10 = / 17

9 Example II Our Idea: From t = 0 with sequentially increase, When t = 4, x = U 1,1 = U 1,2 = U 1,j = U 2,k = = = mod mod mod 2039 x = = ( ) (( ) ( ) ( ) ( )) Complexity: = / 17

10 Our Algorithm Algorithm 1 Recovering private key from the erroneous key x INPUT: (g, y, x, n, δ) OUTPUT: x such that y = g x for t = 1 to nδ do for i = 0 to n/2 1 do set B 1,i and B 2,i to [i, i + n/2) n and [i + n/2, i) n, respectively set U 1,i and U 2,i while possible T 1,j s do set U 1,j compute g U 1,j and store (U 1,j, g U 1,j ) in the table Tab end while while possible T 2,k s do set U 2,k compute yg U 2,k find yg U 2,k among g U 1,j s in Tab if collision yg U 2,k = g U 1,j occurs then return U 1,j + U 2,k end if end while initialize the table Tab end for end for 10 / 17

11 Complexity of Basic Algorithm I Computation: Storage: nδ t=1 ( ) n/2 n t/2 ( n/2 ) ( nδ /2) Table: Complexity of exhaustive search, Algorithm 1 and unidirectional case (n = 160) Upper bound of Complexity error rate (δ) Exhaustive search Algorithm 1 Uni-direction / 17

12 Complexity of Basic Algorithm II Table: Complexity of exhaustive search, Algorithm 1 and unidirectional case in RSA (n = 1024) Upper bound of Complexity error rate Exhaustive search Algorithm 1 Uni-direction / 17

13 Applying to Countermeasures: Coron and Kocher s Method I Coron and Kocher s Method [Crypto 96, CHES 99] x x = x + rq where r is a n r -bit random integer C x C x in G Applying our algorithm to Coron and Kocher s method Table: Lower bound of n r to provide 2 80 complexity (n = 160) Upper bound of error rate Lower bound of n r Table: Lower bound of n r to provide 2 80 complexity in RSA (n = 1024) Upper bound of error rate Lower bound of n r / 17

14 Countermeasures:Clavier and Joye s Method I Clavier and Joye s Method [CHES 01] x = x1 + x 2 where x 1 is an random integer, C x C x1 C x2 in G Algorithm 2 Recovering private key from the erroneous keys x 1, x 2 INPUT: (g, y, x 1, x 2, n, δ) OUTPUT: x such that y = g x for t 1 = 1 to nδ do while possible T 1 s do set x 1 compute g x 1 and store (x 1, g x 1 ) in the table Tab end while end for for t 2 = 1 to nδ do while possible T 2 s do set x 2 compute yg x 2 find yg x 2 among g x 1 s in the table Tab if collision occurs then return x 1 + x 2 end if end while end for 14 / 17

15 Countermeasures:Clavier and Joye s Method II nδ ( ) nδ n ( ) n Computation: 2, Storage: t 1=1 t 1 t 1=1 Table: Recovering complexity on Clavier and Joye s method (n = 160) Upper bound of Complexity error rate Exhaustive search Algorithm 2 Uni-direction > > Table: Recovering complexity on Clavier and Joye s method (n = 1024) Upper bound of Complexity error rate Exhaustive search Algorithm 2 Uni-direction > > t 1 15 / 17

16 Conclusion Provide the algorithm to recover the DL from an erroneous exponent Apply to the DL-based cryptosystem and the standard RSA Consider breaking countermeasures using our algorithm 16 / 17

17 Conclusion Provide the algorithm to recover the DL from an erroneous exponent Apply to the DL-based cryptosystem and the standard RSA Consider breaking countermeasures using our algorithm ***** Thank you!! ***** 17 / 17