Presentation is loading. Please wait.

Presentation is loading. Please wait.

Known-Plaintext-Only Attack on RSA-CRT with Montgomerry Multiplication

Published by标 凌 Modified over 7 years ago

Similar presentations

Presentation on theme: "Known-Plaintext-Only Attack on RSA-CRT with Montgomerry Multiplication"— Presentation transcript:

1 Known-Plaintext-Only Attack on RSA-CRT with Montgomerry Multiplication
Martin Hlaváč Department of Algebra, Charles University in Prague IT Security Department, Czech Insurance Corporation September 7, CHES 09, Lausanne, Switzerland

2 Electro-Magnetic Interface Active Authentication
Outline Electronic Passport Electro-Magnetic Interface Active Authentication RSA-CRT with Mont. Multiplication Schindler's Attack, Tomoeda's Attack New attack Simulation Results Conclusion Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

3 Electro-Magnetic Interface Active Authentication
Outline Electronic Passport Electro-Magnetic Interface Active Authentication RSA-CRT with Mont. Multiplication Schindler's Attack, Tomoeda's Attack New attack Simulation Results Conclusion Motivation & strong assumptions Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

4 Electro-Magnetic Interface Active Authentication
Outline Electronic Passport Electro-Magnetic Interface Active Authentication RSA-CRT with Mont. Multiplication Schindler's Attack, Tomoeda's Attack New attack Simulation Results Conclusion Motivation & strong assumptions Attack Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

5 Electronic travel document with chip that contains
Electronic Passport Electronic travel document with chip that contains MRZ (Machine Readable Zone) Photo, fingerprints?, eye retina? RSA Key pair for Active Authentication Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

6 Electronic Passport II.
Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

7 Electronic Passport II.
FameXE RSA co-processor antenna interface Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

8 Electro-Magnetic Interface
HF range (13.56 MHz) Operation distance ~10 cm (4 in) Near-field communication transponder RFID terminal RFID internal network transponder field terminal field Can be seen as “high frequency transformer” Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

9 Active Authentication
passport's anti-cloning countermeasure optional simple challenge-response protocol based on RSA public key signed by national authority private key in protected memory challenge chosen by both, passport and reader chosen plaintext attacks do not work Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

10 Active Authentication II.
Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

11 Active Authentication II.
chosen jointly Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

12 Electronic Passport II.
FameXE RSA co-processor antenna interface Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

13 FameXP exposure in EM field
Sensitive operation should not be visible Measurements by doc. Lórencz’s team, FEL CTU in Prague, april 2007 Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

14 FameXP exposure in EM field
Sensitive operation should not be visible s = md mod N S M S M S M S M S M S Measurements by doc. Lórencz’s team, FEL CTU in Prague, april 2007 Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

15 RSA with Chinese Remainder Theorem
Private RSA operation md mod N is computed using CRT as follows Faster then simple exponentiation Use of secret p,q make CRT vulnerable Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

16 RSA with Chinese Remainder Theorem
Private RSA operation md mod N is computed using CRT as follows Faster then simple exponentiation Use of secret p,q make CRT vulnerable Assumption n. 1: RSA blinding is NOT employed. (Time consuming.) Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

17 Montgomerry exponentiation
mod&div R=2512 fast Sliding windows (fixed window) exponentiation can NOT be used as it requires precomputation (i.e. a lot of memory) not available here We're not really working in Z_p but in Z_R. Since R>p, extra reduction is needed sometimes. Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

18 Montgomerry exponentiation
mod&div R=2512 fast Assumption n. 2: No constant-time multiplication is used. Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

19 Schindler's Timing Attack
With x fixed and B random in Zp, the probability final subtraction occurs during mont(x,B) is Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

20 Schindler's Timing Attack
With x fixed and B random in Zp, the probability final subtraction occurs during mont(x,B) is Careful choice of plaintext allows timing ACCA. Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

21 Schindler's Timing Attack
With x fixed and B random in Zp, the probability final subtraction occurs during mont(x,B) is Careful choice of plaintext allows timing ACCA. Assumption n. 3: Amount of final subtractions is revealed. Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

22 CCA attack by Tomoeda et al.
Tomoeda et al. observed “almost linear” modular relation between (function of) unknown factor p, and known amount of final substitutions Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

23 CCA attack by Tomoeda et al. II.
Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

24 New attack – Basic Idea Martin Hlaváč (Charles University)
KP Attack on RSA-CRT w/Mont. Mul.

25 New attack – Basic Idea Multiply by N
Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

26 New attack – Basic Idea Multiply by N Substitute
Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

27 use Hidden Number Problem
New attack – Basic Idea Multiply by N Substitute use Hidden Number Problem Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

28 Precision of approximations
How good is “” in ? one-time pre-computation with 212 RSA instances 212 signatures per instance n bit precision if difference below 2-n Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

29 Precision of approximations II.
Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

30 Precision of approximations II.
As low as 1 bit. Not good enough for HNP. Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

31 Precision of approximations II.
At least 4 bits. 7 bits on average. As low as 1 bit. Not good enough for HNP. Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

32 Instead of using max. number of FS, precompute ideal value
Tweaking nmax Instead of using max. number of FS, precompute ideal value Increases minimal precision by 1 bit Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

33 Classical tool to solve modular approximations for x
Hidden Number Problem Classical tool to solve modular approximations for x Create lattice spanned by Find lattice vector close to Hope it is Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

34 Simulated side information leakage
Experiments 5 RSA instances Simulated side information leakage 150 signatures filtered from app. 7000 Up to 4 final subtractions taken into account Minimal precision presumed from 3.5 to 8.5 bits Factorization found in 40 minutes for each instance Computing platform 20x Opteron 844 (1.8 GHz) Debian 64bit NTL/GMP Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

35 Is SCH information available in ePassport scenario? Other scenarios?
Future work Is SCH information available in ePassport scenario? Other scenarios? Extend to pure timing attack Improve attack Other tweaks to increase precision Handle RSA blinding Provide proof and limits when attack works probability Time complexity Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

36 New attack on RSA-CRT with Mont. Multiplication
Conclusion New attack on RSA-CRT with Mont. Multiplication Known plaintext only (previous attacks were CCA) Another use of lattices and LLL algorithm If assumptions are true, active authentication can be broken, i.e. e-passport cloned Attack possible in other scenarios Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

37 Thank you for your attention! Questions?
Martin Hlaváč Department of Algebra Charles University in Prague IT Security Department Czech Insurance Corporation Martin Hlaváč (Charles University) KP Attack on RSA-CRT w/Mont. Mul.

Download ppt "Known-Plaintext-Only Attack on RSA-CRT with Montgomerry Multiplication"

Similar presentations

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.
CRT RSA Algorithm Protected Against Fault Attacks WISTP - 5/10/07 Arnaud BOSCHER Spansion EMEA Robert NACIRI Oberthur Card Systems Emmanuel PROUFF Oberthur.

CRT RSA Algorithm Protected Against Fault Attacks WISTP - 5/10/07 Arnaud BOSCHER Spansion EMEA Robert NACIRI Oberthur Card Systems Emmanuel PROUFF Oberthur.
Cryptography and Network Security Chapter 9

Cryptography and Network Security Chapter 9
Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK www.co.umist.ac.uk.

Is there Safety in Numbers against Side Channel Leakage? Colin D. Walter UMIST, Manchester, UK
Capstone Project Presentation A Tool for Cryptography Problem Generation CSc 499 Mark Weston Winter 2006.

Capstone Project Presentation A Tool for Cryptography Problem Generation CSc 499 Mark Weston Winter 2006.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.

Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.
Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea 34901784 443099

Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea
Remote Timing Attacks -Rashmi Kukanur. Agenda  Timing Attacks  Case Study : –David Brumley –Dan Boneh  Defenses.

Remote Timing Attacks -Rashmi Kukanur. Agenda  Timing Attacks  Case Study : –David Brumley –Dan Boneh  Defenses.
RSA Attacks 1 RSA Implementation Attacks RSA Attacks 2 RSA  RSA o Public key: (e,N) o Private key: d  Encrypt M C = M e (mod N)  Decrypt C M = C d.

RSA Attacks 1 RSA Implementation Attacks RSA Attacks 2 RSA  RSA o Public key: (e,N) o Private key: d  Encrypt M C = M e (mod N)  Decrypt C M = C d.
Side-Channel Attacks on Smart Cards. Timing Analysis Cryptosystems take different amount of time to process different inputs. Performance optimisations.

Side-Channel Attacks on Smart Cards. Timing Analysis Cryptosystems take different amount of time to process different inputs. Performance optimisations.
Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.

Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.
Cryptography in Subgroups of Z n * Jens Groth UCLA.

Cryptography in Subgroups of Z n * Jens Groth UCLA.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Tallinn University of Technology Quantum computer impact on public key cryptography Roman Stepanenko.

Tallinn University of Technology Quantum computer impact on public key cryptography Roman Stepanenko.
A Cryptography Tutorial Jim Xu College of Computing Georgia Tech

A Cryptography Tutorial Jim Xu College of Computing Georgia Tech
ASYMMETRIC CIPHERS.

ASYMMETRIC CIPHERS.
Lecture 5 Overview Does DES Work? Differential Cryptanalysis Idea – Use two plaintext that barely differ – Study the difference in the corresponding.

Lecture 5 Overview Does DES Work? Differential Cryptanalysis Idea – Use two plaintext that barely differ – Study the difference in the corresponding.
The RSA Algorithm Rocky K. C. Chang, March 2014 1.

The RSA Algorithm Rocky K. C. Chang, March

Similar presentations

Ads by Google