Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents

Similar documents
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents

Reconstruction and Error Correction of RSA Secret Parameters from the MSB Side

Partial Key Exposure: Generalized Framework to Attack RSA

Algorithmic Number Theory and Public-key Cryptography

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

A Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than N 0.073

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

RSA. Ramki Thurimella

Correcting Errors in Private Keys Obtained from Cold Boot Attacks

On Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring

Mathematics of Cryptography

RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer

On the Design of Rebalanced RSA-CRT

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

A New Attack on RSA with Two or Three Decryption Exponents

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

10 Public Key Cryptography : RSA

Cryptography. pieces from work by Gordon Royle

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

RSA meets DPA: Recovering RSA Secret Keys from Noisy Analog Data

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Public-Key Cryptosystems CHAPTER 4

New attacks on RSA with Moduli N = p r q

Public Key Cryptography

Introduction to Modern Cryptography. Benny Chor

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

Cryptanalysis of Unbalanced RSA with Small CRT-Exponent

Asymmetric Cryptography

Chapter 4 Asymmetric Cryptography

A new attack on RSA with a composed decryption exponent

Lecture V : Public Key Cryptography

one eciently recover the entire key? There is no known method for doing so. Furthermore, the common belief is that no such ecient algorithm exists. Th

Partial Key Exposure Attack on RSA Improvements for Limited Lattice Dimensions

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

On the Security of Multi-prime RSA

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

Practical Fault Countermeasures for Chinese Remaindering Based RSA

Tunable balancing of RSA

New Partial Key Exposure Attacks on RSA

Protecting RSA Against Fault Attacks: The Embedding Method

Better Algorithms for MSB-side RSA Reconstruction

Public Key Algorithms

Attacks on RSA & Using Asymmetric Crypto

Sliding right into disaster - Left-to-right sliding windows leak

CS March 17, 2009

Asymmetric Encryption

Carmen s Core Concepts (Math 135)

New RSA Vulnerabilities Using Lattice Reduction Methods

Introduction to Public-Key Cryptosystems:

Chapter 11 : Private-Key Encryption

Ti Secured communications

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97

RSA RSA public key cryptosystem

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

The security of RSA (part 1) The security of RSA (part 1)

The RSA Cipher and its Algorithmic Foundations

A NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT

Implementation of the RSA algorithm and its cryptanalysis. Abstract. Introduction

Théorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1

Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000

Breaking Plain ElGamal and Plain RSA Encryption

New Partial Key Exposure Attacks on RSA

Chapter 8 Public-key Cryptography and Digital Signatures

Public Key Cryptography

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.

Iterated Encryption and Wiener s attack on RSA

Public-Key Encryption: ElGamal, RSA, Rabin

CIS 551 / TCOM 401 Computer and Network Security

ICS141: Discrete Mathematics for Computer Science I

dit-upm RSA Cybersecurity Cryptography

8.1 Principles of Public-Key Cryptosystems

Efficient RSA Cryptosystem with Key Generation using Matrix

PKCS #1 v2.0 Amendment 1: Multi-Prime RSA

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Optimal Use of Montgomery Multiplication on Smart Cards

CRYPTOGRAPHY AND NUMBER THEORY

10 Modular Arithmetic and Cryptography

MaTRU: A New NTRU-Based Cryptosystem

COMP424 Computer Security

Number Theory & Modern Cryptography

RSA ENCRYPTION USING THREE MERSENNE PRIMES

5199/IOC5063 Theory of Cryptology, 2014 Fall

Basic elements of number theory

1 Number Theory Basics

An Overview of Homomorphic Encryption

Basic elements of number theory

Introduction to Cybersecurity Cryptography (Part 5)

Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA

An Approach Towards Rebalanced RSA-CRT with Short Public Exponent

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Number Theory. Modular Arithmetic

Recovering RSA Secret Keys from Noisy Key Bits with Erasures and Errors

Public Key Cryptography

Correcting Errors in RSA Private Keys

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

Discrete Mathematics GCD, LCM, RSA Algorithm

basics of security/cryptography

Transcription:

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Leuven, Belgium 12 September, 2012

Outline of the Talk RSA Cryptosystem CRT-RSA CRT-RSA having Low Hamming Weight Decryption Exponents

The RSA Public Key Cryptosystem Invented by Rivest, Shamir and Adleman in 1977. Most popular public key cryptosystem. Used in Electronic commerce protocols.

RSA in a Nutshell Key Generation Algorithm Choose primes p, q (generally same bit size, q < p < 2q) Construct modulus N = pq, and φ(n) = (p 1)(q 1) Set e, d such that d = e 1 mod φ(n) Public key: (N, e) and Private key: d Encryption Algorithm: C = M e mod N Decryption Algorithm: M = C d mod N

RSA and Factorization The primes p, q guard the secret of RSA. Factoring N = pq implies attack on RSA. [the reverse is not proved yet] However, as of today, factoring N is infeasible for log 2 (N) > 768 And practical RSA uses log 2 (N) = 1024, 2048 (recommended) Simple factoring of N = pq does not seem to be an efficient solution!

Square and Multiply Input: x, y, N Output: x y mod N 1 z = y, u = 1, v = x; 2 while z > 0 do 3 if z 1 mod 2 then 4 u = uv mod N; end 5 = v endv 2 mod N; z = z 2 ; 6 return u. Algorithm 1: The fast square and multiply algorithm for modular exponentiation. l y = log 2 y many squares w y = wt(bin(y)) many multiplications

Square and Multiply algorithm Cost of calculating x y mod N Squares: l y (bit length of y) Multiplications: w y ly 2 (weight of y) Total Modular Multiplications: l y + w y 3 2 l y Total Bit Operations: 3 2 l y l 2 N

The CRT-RSA Cryptosystem Improves the decryption efficiency of RSA, 4 folds! Invented by Quisquater and Couvreur in 1982. The most used variant of RSA in practice. PKCS #1 standard: store the RSA secret parameters as a tuple (p, q, d, d p, d q, q 1 mod p).

Chinese Remainder Theorem(CRT) Theorem Let r, s be integers such that gcd(r, s) = 1. Given integers a, b, there exists unique x < rs such that 1. x a mod r 2. x b mod s

CRT-RSA: Faster approach for decryption Two decryption exponents (d p, d q ) where d p d mod (p 1) and d q d mod (q 1). To decrypt the ciphertext C, one needs C p C dp mod p and C q C dq mod q. Calculating x y : l y = log 2 y many squares w y = wt(bin(y)) many multiplications

Efficiency of CRT-RSA Decryption For e = 2 16 + 1, we have l dp l dq l N 2 C dp mod p requires 3 2 l d p l 2 p 3 16 l3 N C dq mod q requires 3 2 l d q l 2 q 3 16 l3 N many bit operation many bit operation Total bit operations for decryption is 3 8 l3 N

CRT-RSA: Faster through low Hamming weight Lim and Lee (SAC 1996) and later Galbraith, Heneghan and McKee (ACISP 2005): d p, d q with low Hamming weight. Maitra and Sarkar (CT-RSA-2010): large low weight factors in d p, d q. The security analysis of all these schemes argue that the exhaustive search for the low Hamming weight factors in the decryption exponents is the most efficient approach to attack such a scheme.

Galbraith, Heneghan and McKee (ACISP 2005) 1 2 3 4 Input: l e, l N, l k Output: p, d p Choose an l e bit odd integer e; Choose random l k bit integer k p coprime to e; Find odd integer d p such that d p e 1 mod k p ; p = 1 + edp 1 k p ; (l e, l N, l d, l k ) = (176, 1024, 338, 2) with w dp = w dq = 38 Comparison in decryption: 2 3 2 338 5122 2 (338+38) 512 2 26% Faster

Security of the Algorithm Brute force search Lattice attack by May (Crypto 2002) Lattice attack by Bleichenbacher and May (PKC2006) Lattice attack by Jochemsz and May (Crypto 2007)

Security of the Algorithm Brute force search Lattice attack by May (Crypto 2002) Lattice attack by Bleichenbacher and May (PKC2006) Lattice attack by Jochemsz and May (Crypto 2007) But..

The Tool for Cryptanalysis Heninger and Shacham: Reconstructing RSA private keys from random key bits. Crypto 2009. Some bits are not available. Henecka, May and Meurer: Correcting Errors in RSA Private Keys (Crypto 2010). w dp, w dq are taken significantly smaller than the random case. Take the all zero bit string as error-incorporated (noisy) presentation of d p, d q. If the error rate is significantly small, one can apply the error correcting algorithm of Henecka et al to recover the secret key. Time complexity of the error-correction heuristic: τ. The strategy attacks the schemes of SAC 1996 and ACISP 2005 in τo(e) time. For our scheme in CT-RSA 2010, it is τo(e 3 ).

Attack Algorithm 1 2 3 4 5 6 7 Input: N, e, k p, k q and a, C Output: Set A, containing possible guesses for p. Initialize b = 0, A =, A 1 = ; while b < l N 2 do A = {0, 1} a A 1 ; For each possible options p A, calculate q = (p ) 1 N mod 2 b+a ; For each p, q, calculate d p = (1 + kp(p 1)) e 1 mod 2 b+a, d q = (1 + kq(q 1)) e 1 mod 2 b+a ; If the number of 0 s taking together the binary patterns of d p, d q in the positions b to b + a 1 from the least significant side is less than C, then delete p from A; If b 0 and A =, then terminate the algorithm and report failure; 8 A 1 = A; b = b + a; end 9 Report A;

The Heuristic: Henecka et al Theorem Let a = ln l N, γ 4ɛ 2 0 = (1 + 1 a ) ln 2 4 and C = a + 2aγ 0. We also consider that the parameters k p, k q of CRT-RSA are known. Then 2+ ln 2 2ɛ one can obtain p in time O(l 2 N ) with success probability greater than 1 2ɛ2 ln l N 1 l N if δ 1 2 γ 0 ɛ. To maximize δ, ɛ should converge to zero and in such a case a tends to infinity. Then the value of γ 0 converges to 0.416. Thus, asymptotically Algorithm 3 works when δ is less than 0.5 0.416 = 0.084. Since in this case a becomes very large, the algorithm will not be efficient and may not be implemented in practice. This is the reason, experimental results could not reach the theoretical bounds as studied in the work of Henecka et al.

CRT-RSA Cryptanalysis Following the idea of Henecka et al, one can cryptanalyze CRT-RSA having w dp, w dq 0.04l N in O(e poly(l N )) time. For each possible option of k p, k q (this requires O(e) time), one needs to apply the Algorithm to obtain p. For small e the attack remains efficient.

Improving the Heuristic While applying the heuristic of Henecka et al, we noted a few modifications that can improve the performance significantly. Different values of the threshold Multiple constraints on each round

1 2 3 4 5 6 7 Input: N, e, k, k p, k q, p, q, d, d p, d q, a, B and threshold parameters Output: Set A, containing possible guesses for p. Initialize b = 0, A =, A 1 = ; while b < l N 2 do A = {0, 1} a A 1 ; For each possible options p A, calculate q = (p ) 1 N mod 2 b+a ; Calculate d = (1 + k (N + 1 p q )) e 1 ) mod 2 b+a, d p = (1 + k p(p 1)) e 1 mod 2 b+a, d q = (1 + k q(q 1)) e 1 mod 2 b+a ; Calculate µ i s for i = 1 to 31 comparing least significant b + a bits of the noisy strings and the corresponding possible partial solution strings of length b + a, i.e., through the positions 0 to b + a 1; If µ i < C a+b i for any i [1,..., 31], delete the solution from A; 8 If A > B, reduce C a+b 31 by 1 and go to Step 7; 9 If b 0 and A =, then terminate the algorithm and report failure; 10 A 1 = A; b = b + a; end 11 Report A; Algorithm 2: Improved Error Correction algorithm.

Improving the Heuristic (Experimental Results) Upper bound of δ [H] Success probability (expt.) δ th. expt. [H] our our expt. (p, q) 0.084 0.08 0.22 0.61 0.12 (p, q, d) 0.160 0.14 0.15 0.52 0.17 (p, q, d, d p, d q) 0.237 0.20 0.21 0.50 0.25 We run the strategy till we obtain all the bits of p. It is known that if one obtains the least significant half of p, then it is possible to obtain the factorization of N efficiently

Experimental results: parameters d p, d q δ 0.08 0.09 0.10 0.11 0.12 0.13 Suc. prob. 0.59 0.27 0.14 0.04 - - Time (sec.) 307.00 294.81 272.72 265.66 - - Suc. prob. 0.68 0.49 0.25 0.18 0.08 0.02 Time (sec.) 87.41 84.47 80.18 74.57 79.33 76.04 Lim et al (SAC 1996) l N = 768, l dp = 384, w dp = 30, e = 257; δ 30 384 = 0.078 l N = 768, l dp = 377, w dp = 45, e = 257; δ = w dp l dp 0.12 Galbraith et al (ACISP 2005) (l e, l dp, l kp ) = (176, 338, 2), w dp = 38 δ 38 338 0.11 Maitra et al (CT-RSA 2010) δ 0.08

Conclusion Application of the recently proposed error correction strategy of secret keys for RSA by Henecka et al to actual cryptanalysis. We studied two kinds of schemes. CRT-RSA decryption keys are of low weight as (SAC 1996, ACISP 2005). We demonstrate complete break in a few minutes for 1024 bit RSA moduli. The decryption exponents are not of low weight, but they contain large low weight factors (CT-RSA 2010). Actual break is not possible, but clear cryptanalytic result. We had a detailed look at the actual error correction algorithm of Henecka et al. We provide significant improvements as evident from experimental results. We could demonstrate that the theoretical bound given by Henecka et al can also be crossed using our heuristic.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback