Wagner s Attack on a Secure CRT-RSA Algorithm Reconsidered FDTC 2006

Size: px

Start display at page:

Download "Wagner s Attack on a Secure CRT-RSA Algorithm Reconsidered FDTC 2006"

Lindsey Walters
6 years ago
Views:

1 Wagner s Attack on a Secure CRT-RSA Algorithm Reconsidered FDTC 2006 Johannes Blömer Paderborn University Institute for Computer Science Paderborn, Germany Martin Otto Siemens AG Corporate Technology CT IC3 Munich, Germany

2 Content The "Secure CRT-RSA Algorithm" Wagner s Attack (random faults) Flaw Wagner s Attack (bit and byte version) Outlook: fixing the algorithm Conclusion Page 2 10 Oct 2006 Martin Otto Siemens AG, CT IC3

3 The BOS-Algorithm S p m d modϕ(p t1) mod p t 1 S q m d modϕ(q t2) mod q t 2 S CRT(S p, S q ) t 1 t 2 c 1 (m S e t 1 + 1) mod t 1 c 2 (m S e t 2 + 1) mod t 2 S ig S c 1 c 2 CRT-RSA, enhanced with two strong primes error detection step d e ti 1 modϕ(t i ) infective computation Presented at CCS 2003 by Blömer, Otto, Seifert Aims at protecting CRT-RSA against Bellcore-attacks Page 3 10 Oct 2006 Martin Otto Siemens AG, CT IC3

4 How The Protection Is Intended To Works S p m d modϕ(p t1) mod p t 1 S q m d modϕ(q t2) mod q t 2 S CRT(S p, S q ) t 1 t 2 c 1 (m S e t 1 + 1) mod t 1 c 2 (m S e t 2 + 1) mod t 2 S ig S c 1 c 2 CRT-RSA, enhanced with two strong primes error detection step d e ti 1 modϕ(t i ) infective computation If no error occurred: c 1 = (m m (d e t 1 ) )+1 1mod t 1 If an error occurs: c 2 = (m m)+1 1mod t 2 w.h.p. Final exponentiation: S ig=s c 1 c 2 Page 4 10 Oct 2006 Martin Otto Siemens AG, CT IC3

5 Wagner s Attack (random fault version) What is a random fault? x E x+e(x), where e(x) R [ x, 2 l(x) x 1] Special random fault as proposed by Wagner: Faults do not change the 160 most significant bits number 160 motivated by l(t 1 )=l(t 2 )=80 Attack aims on N in last line: S ig=s c 1c 2 Attack aims at disclosing t 1 and t 2 Fact: Knowledge of t 1 and t 2 breaks the BOS-scheme For details, see the original CCS 03 paper Page 5 10 Oct 2006 Martin Otto Siemens AG, CT IC3

6 Wagner s Attack: Exploiting a Faulty N (1) S p m d modϕ(p t1) mod p t 1 S q m d modϕ(q t2) mod q t 2 S CRT(S p, S q ) t 1 t 2 c 1 (m S e t 1 + 1) mod t 1 c 2 (m S e t 2 + 1) mod t 2 S ig S c 1 c 2 Attack targets N (c 1 c 2 = 1) 1. Gather a correct final result S ig=m d 2. Re-run on same input, attack N in last line S ig 3. Gather a faulty final result S ig=m d mod Ñ Page 6 10 Oct 2006 Martin Otto Siemens AG, CT IC3

7 Wagner s Attack: Exploiting a Faulty N (2) S p m d modϕ(p t1) mod p t 1 S q m d modϕ(q t2) mod q t 2 S CRT(S p, S q ) t 1 t 2 c 1 (m S e t 1 + 1) mod t 1 c 2 (m S e t 2 + 1) mod t 2 S ig S c 1 c 2 S= (S )+k N, with 0 k<2 161, if l(t 1 t 2 ) Attack targets N (c 1 c 2 = 1) 4. S ig S ig S S ig S (S k N) mod Ñ S ig S ig k (N Ñ) mod Ñ 5. Analysis shows: w.h.p. we have that S ig S ig = x k Page 7 10 Oct 2006 Martin Otto Siemens AG, CT IC3

8 Wagner s Attack: Exploiting a Faulty N (3) S p m d modϕ(p t1) mod p t 1 S q m d modϕ(q t2) mod q t 2 S CRT(S p, S q ) t 1 t 2 c 1 (m S e t 1 + 1) mod t 1 S= (S )+k N, with 0 k<2 161, if l(t 1 t 2 ) c 2 (m S e t 2 + 1) mod t 2 S ig S c 1 c 2 5. Analysis shows: w.h.p. we have that Attack targets N (c 1 c 2 = 1) S ig S ig = x k 6. Several attacks and gcd computations reveal k 7. Still, we wish to learn t 1 or t 2... Page 8 10 Oct 2006 Martin Otto Siemens AG, CT IC3

9 Wagner s Attack: The Flaw S p m d modϕ(p t1) mod p t 1 S q m d modϕ(q t2) mod q t 2 S CRT(S p, S q ) t 1 t 2 c 1 (m S e t 1 + 1) mod t 1 c 2 (m S e t 2 + 1) mod t 2 S ig S c 1 c 2 S= (S )+k N, with 0 k<2 161, if l(t 1 t 2 ) S ig=s Attack assumes that k=(s S ig)/n= t 1 t 2 However, k<t 1 t 2, and any value inz t1 t 2 is possible Attack does not reveal t 1 or t 2, it is invalid Page 9 10 Oct 2006 Martin Otto Siemens AG, CT IC3

10 Wagner s Attack (bit and byte fault version) Fault: m E m+e(m), bit fault: e(m)=±2 k (byte fault similar) Assume that m has been attacked in Line 1: S p m d modϕ(p t 1) mod p t 1 Checking step: c 1 = (m m)+1 1 e(m) mod t 1 Infective Step: S ig=s c 1 Fact: given c 1, we have p=gcd(m c 1 S ige, N) Fact: for many e(m), reduction mod t 1 does not happen Fact: all c 1 bit faults can be efficiently enumerated Fact: scheme can be broken easily Page Oct 2006 Martin Otto Siemens AG, CT IC3

11 Enhancement For Bit/Byte Faults S p m d modϕ(p t 1) mod p t 1 S q m d modϕ(q t 2) mod q t 2 S CRT(S p, S q ) t 1 t 2 c 1 (r 1 (m S e t 1 )+1) mod t 1 c 2 (r 2 (m S e t 2 )+1) mod t 2 S ig S γ error detection step introducing 2 γ=c 1 c 2 More general: useγ= f (c 1, c 2, r) with r random Similar to Ciet, Joye at FDTC 2005:γ= r c 1 +(2 l(t i ) r) c 2 2 l(t i ) Choose r as: r=dor r=s or r 1 = p, r 2 = q,...? Page Oct 2006 Martin Otto Siemens AG, CT IC3

12 Conclusion BOS-Algorithm facing random faults Attack as presented at CCS 04 contains flaw Scheme remains unbroken Open point: Can we define (and realize) special fault models to break this algorithm? BOS-Algorithm facing bit and byte faults Original proposal broken easily We propose several ways to correct weakness (without proof) Still consider such faults as hard to achieve on modern hardware Page Oct 2006 Martin Otto Siemens AG, CT IC3

Lost in Translation. Fault Analysis of Infective Security Proofs. Alberto Battistello and Christophe Giraud(y)

Lost in Translation. Fault Analysis of Infective Security Proofs. Alberto Battistello and Christophe Giraud(y) Lost in Translation of Infective Security Proofs Alberto Battistello and Christophe Giraud(y) Oberthur Technologies Security Group {a.battistello,c.giraud}@oberthur.com September 11, 2015 Overview Overview