
Seeing through MIST given a Small Fraction of an RSA Private Key
Colin D. Walter, Comodo Research Lab (Bradford, UK)




1 1/16 Seeing through MIST given a Small Fraction of an RSA Private Key
Colin D. Walter, colin.walter@comodogroup.com
Comodo Research Lab (Bradford, UK), www.comodogroup.com

2 2/16 RSA 2003, Colin D. Walter, Comodo Research Lab, Bradford. Next Generation Digital Security Solutions
Overview
History
The MIST Algorithm
Threat Assumptions – a Theorem
First Reconstruction of the Key
Second Reconstruction of the Key
Conclusion

3 History
C. D. Walter, Exponentiation using Division Chains, IEEE TC 47, 1998
C. D. Walter, MIST: An Efficient, Randomized Exponentiation Algorithm for Resisting Power Analysis, CT-RSA 2002, LNCS 2271
C. D. Walter, Some Security Aspects of the MIST Randomized Exponentiation Algorithm, CHES 2002, LNCS 2523
Boneh, Durfee & Frankel, Exposing an RSA Private Key given a Small Fraction of its Bits, AsiaCrypt 98, LNCS 1514

4 Reversed m-ary Exp'n
{ To compute: P = C^D mod N }
Q ← C ; P ← 1 ;
While D > 0 do
Begin
    d ← D mod m ;
    If d ≠ 0 then P ← Q^d × P mod N ;
    Q ← Q^m mod N ;
    D ← D div m ;
    { Invariant: C^D_init = Q^D × P mod N }
End ;

5 The MIST Exp'n Algorithm
{ To compute: P = C^D mod N }
Q ← C ; P ← 1 ;
While D > 0 do
Begin
    Choose a random base m (from {2, 3, 5}, say) ;
    d ← D mod m ;
    If d ≠ 0 then P ← Q^d × P mod N ;
    Q ← Q^m mod N ;
    D ← D div m ;
    { Invariant: C^D_init = Q^D × P mod N }
End ;

6 Security Strength
THEOREM (CHES 2002). After a MIST exponentiation C^D mod N using a typical, efficient choice of parameters:
The number of exponents with the same pattern of squares and multiplies is at least D^(3/5).
The number of exponents with the same pattern of operand sharing is about D^(1/3).
With just this information it is computationally infeasible to search for D.
We will now improve these results using knowledge of the public modulus N.

7 Notation
The chosen digit/base pairs (d_i, m_i) satisfy D = d_0 + m_0(d_1 + m_1(d_2 + m_2(... d_n)...))
Define
D_j = d_j + m_j(d_{j+1} + m_{j+1}(d_{j+2} + m_{j+2}(... d_n)...))
δ_j = d_0 + m_0(d_1 + m_1(d_2 + m_2(... d_{j–1})...))
μ_j = m_0 m_1 m_2 ... m_{j–1}
Then δ_j = D mod μ_j, D_j = D div μ_j, D = μ_j D_j + δ_j
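As an added runnable example (Python written for this transcript; it is not code from the talk or from the CT-RSA paper), the reversed m-ary routine of slide 4, the MIST routine of slide 5 and the μ_j, δ_j, D_j notation of slide 7 together. Both exponentiations check the slide's loop invariant at every iteration, MIST returns the digit/base pairs it drew so the recoding can be inspected, and the three identities δ_j = D mod μ_j, D_j = D div μ_j, D = μ_j D_j + δ_j are verified for every split point j. The toy modulus 1000000007, base 5, exponent 123456789 and the seeded random base choice are all constructed for this example:

```python
import random


def reversed_mary_exp(c, d, n, m):
    """Slide 4: right-to-left m-ary exponentiation, returns C^D mod N for a fixed base m."""
    q, p, d_init = c % n, 1, d
    while d > 0:
        digit = d % m
        if digit != 0:
            p = pow(q, digit, n) * p % n
        q = pow(q, m, n)
        d //= m
        # the slide's loop invariant: C^D_init = Q^D * P mod N
        assert pow(c, d_init, n) == pow(q, d, n) * p % n
    return p


def mist_exp(c, d, n, rng, bases=(2, 3, 5)):
    """Slide 5: MIST exponentiation, the base m is drawn afresh in every iteration.
    Returns (C^D mod N, [(d_0, m_0), (d_1, m_1), ...]) so the random recoding of D
    can be inspected; `rng` is any random.Random instance (seeded here for repeatability)."""
    q, p, d_init, pairs = c % n, 1, d, []
    while d > 0:
        m = rng.choice(bases)
        digit = d % m
        pairs.append((digit, m))
        if digit != 0:
            p = pow(q, digit, n) * p % n
        q = pow(q, m, n)
        d //= m
        assert pow(c, d_init, n) == pow(q, d, n) * p % n  # same invariant as slide 4
    return p, pairs


def split_at(pairs, j):
    """Slide 7: from the digit/base pairs compute
       mu_j    = m_0 m_1 ... m_{j-1}
       delta_j = d_0 + m_0 (d_1 + m_1 (... d_{j-1}))      (the low part of D)
       D_j     = d_j + m_j (d_{j+1} + m_{j+1} (... d_n))  (the high part of D)."""
    mu = 1
    for _, m in pairs[:j]:
        mu *= m
    delta = 0
    for digit, m in reversed(pairs[:j]):  # Horner's rule, innermost bracket first
        delta = digit + m * delta
    d_high = 0
    for digit, m in reversed(pairs[j:]):
        d_high = digit + m * d_high
    return mu, delta, d_high


def notation_holds(d, pairs):
    """Check delta_j = D mod mu_j, D_j = D div mu_j and D = mu_j D_j + delta_j at every j."""
    for j in range(len(pairs) + 1):
        mu, delta, d_high = split_at(pairs, j)
        if not (delta == d % mu and d_high == d // mu and d == mu * d_high + delta):
            return False
    return True


def demo(seed=2003):
    """Run both routines on constructed toy values and report what was checked."""
    c, d, n = 5, 123456789, 1000000007  # constructed: prime modulus, small base and exponent
    result, pairs = mist_exp(c, d, n, random.Random(seed))
    return {
        "mist_matches_pow": result == pow(c, d, n),
        "mary_matches_pow": reversed_mary_exp(c, d, n, 4) == pow(c, d, n),
        "pairs": pairs,
        "notation_holds": notation_holds(d, pairs),
    }


if __name__ == "__main__":
    print(demo())
```

Changing the seed changes the pair sequence but never the result: that is exactly the property the CHES 2002 theorem counts, many exponents (and many recodings of one exponent) share the same observable pattern.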

8 A First Attack
Let N = PQ for primes P and Q of equal bit length.
It is easy to show φ(N) lies in an interval of length < ⅛√N.
So the top half of φ(N) is known (whatever base is chosen) when N is known.
Assume no exponent blinding. Since the encryption key E is also known, the top half of D becomes known to within E possibilities (which the attacker can try in turn to find one which works).
The attacker "guesses" the lower half of D: he uses DPA to determine enough choices of digit/base pairs (d_0, m_0), (d_1, m_1), (d_2, m_2), ..., (d_{j–1}, m_{j–1}) such that μ_j = ∏_i m_i > √D.

9 A First Attack cont'd
The attacker has "guessed" μ_j and δ_j. He then computes an approximation for D_j = D div μ_j using his approximation for D.
Since D is known to an accuracy with error less than μ_j, D_j (the upper half of D) is determined up to a choice of at most 2 values.
So D = μ_j D_j + δ_j is determined up to a couple of possibilities – and the secret key is obtained.

10 A First Attack cont'd
By the theorem applied to the lower half of D, the number of choices for digit/base pairs is about N^(3/10) or N^(1/6) depending on how much we assume the attacker knows.
He has E choices for approximating D and perhaps 2^32 extra choices if a 32-bit blinding factor is introduced.
Hence the search space is reduced to about 2^32 E N^(3/10) or 2^32 E N^(1/6) if the Square & Multiply or operand sharing pattern is known.

11 A First Attack – conclusion
– Of course, N^(3/10) and N^(1/6) are still over 100 bits for sensible key lengths and so, even without key blinding, this attack is computationally infeasible.
– The first attack given in the proceedings tackles the similar, but more complex, case of assuming the most significant digits are guessed instead of the least significant.

12 A First Attack – as in paper
– If the most significant part D_j is guessed then D div D_j = μ_j is known almost exactly.
– μ_j is a product of powers of 2, 3, 5 only. This property is so rare that the correct D_j is easily determined.
– The next digit/base pair (d_{j–1}, m_{j–1}) is chosen to give μ_{j–1} the same property – usually unique.
– So D_j, D_{j–1}, D_{j–2}, ..., D_1, D_0 = D are all obtained, and the key recovered.

13 The Second Attack
– This attack uses the Boneh et al. results (derived from Coppersmith) to reduce the dimension of the search space by a factor of 4 instead of 2.
– Theorem. Suppose N = PQ, μ > N^(1/4) and P mod μ is known. Then it is possible to factor N in time polynomial in log(N).
– Boneh uses this with μ as a power of 2. We take μ as a product of base choices m. Specifically, μ = μ_j for a large enough j.

14 Second Attack cont'd
– If there is no key blinding, DE = 1 + kφ(N) for some k < E where φ(N) = (P–1)(N/P–1).
– Reducing mod μ changes unknown D to the guessed δ_j and P to x = P mod μ, say.
– Now DE = 1 + kφ(N) reduced mod μ becomes a quadratic equation in x.
– We solve for x using CRT. Generally, there are 16 solutions or none (if 2^3 × 3 × 5 divides μ).
– Now we can apply the theorem to factor N.

15 Second Attack conclusion
– There are N^(3/20) or N^(1/12) pattern-matching cases of δ_j ≈ N^(1/4) to consider;
– E possible choices for 1 + kφ(N);
– B possible blinding factors, say (typically B = 2^32);
– log(N) time to construct & find roots of quadratic;
– log(N)-polynomial time to factorise N;
⇒ We conclude that N can be factored in time B E N^(3/20) or B E N^(1/12) times a poly in log(N).
⇒ For no blinding, small E & short key this may be computationally feasible.
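The quadratic-and-CRT step of slides 13 to 15 on a constructed toy key, as an added example (Python written for this transcript, not the author's code). Multiplying DE = 1 + kφ(N) by P and reducing mod μ with D ≡ δ_j and P ≡ x gives k x^2 + (δE − 1 − k(N+1)) x + kN ≡ 0 (mod μ); the block solves that modulo each prime-power factor of μ, combines the roots with the CRT and, for every k < E, collects the candidates for P mod μ. The theorem of slide 13 (factoring from P mod μ once μ > N^(1/4)) is not implemented; because N is only 64 bits the block stands in for it with a direct scan of P = x + tμ up to √N. The primes 2^31 − 1 and 2^32 − 5, E = 17, μ = 2^8 · 3^6 · 5^4 and δ = D mod μ are all constructed for this example, and δ is taken directly rather than from guessed digit/base pairs:

```python
from math import isqrt

# Constructed toy RSA key: P = 2^31 - 1 and Q = 2^32 - 5 are prime and E = 17 is
# coprime to phi(N). Real keys are far larger; the point is only to check the algebra.
P_TOY, Q_TOY, E_TOY = 2**31 - 1, 2**32 - 5, 17
N_TOY = P_TOY * Q_TOY
D_TOY = pow(E_TOY, -1, (P_TOY - 1) * (Q_TOY - 1))
# mu_j as a product of MIST base choices (2^8 * 3^6 * 5^4 here) and delta_j = D mod mu_j,
# which is what the guessed digit/base pairs of slide 7 encode.
MU_FACTORS = (2**8, 3**6, 5**4)
MU = 2**8 * 3**6 * 5**4
DELTA = D_TOY % MU


def roots_mod_prime_power(a, b, c, q):
    """All x in [0, q) with a x^2 + b x + c = 0 (mod q). q is a small prime power here,
    so exhaustive search suffices; Hensel lifting would replace it for large q."""
    return [x for x in range(q) if (a * x * x + b * x + c) % q == 0]


def crt_all(residue_lists, moduli):
    """Every CRT combination of one residue per (pairwise coprime) modulus."""
    sols, big_m = [0], 1
    for rs, q in zip(residue_lists, moduli):
        inv = pow(big_m, -1, q)
        sols = [s + big_m * (((r - s) * inv) % q) for s in sols for r in rs]
        big_m *= q
    return sorted(set(sols))


def p_mod_mu_candidates(n, e, delta, mu_factors):
    """Slide 14. From D E = 1 + k phi(N) with phi(N) = (P-1)(N/P-1), multiply by P and
    reduce mod mu with D = delta_j and P = x (mod mu):
        k x^2 + (delta E - 1 - k (N+1)) x + k N = 0   (mod mu)
    Solved modulo each prime-power factor of mu and combined by CRT.
    Returns {k: sorted roots x} for every k < E."""
    out = {}
    for k in range(1, e):
        a, b, c = k, delta * e - 1 - k * (n + 1), k * n
        out[k] = crt_all([roots_mod_prime_power(a, b, c, q) for q in mu_factors], mu_factors)
    return out


def factor_n(n, e, delta, mu_factors):
    """Slide 13's theorem recovers P from x = P mod mu in polynomial time once mu > N^(1/4).
    This toy stands in for it with a direct scan of P = x + t mu up to sqrt(N), which is
    only practical because N is 64 bits. Returns (P, k) or None."""
    mu = 1
    for q in mu_factors:
        mu *= q
    assert mu**4 > n, "the theorem needs mu > N^(1/4)"
    for k, xs in p_mod_mu_candidates(n, e, delta, mu_factors).items():
        for x in xs:
            for cand in range(x, isqrt(n) + 1, mu):
                if cand > 1 and n % cand == 0:
                    return cand, k
    return None


if __name__ == "__main__":
    true_k = (E_TOY * D_TOY - 1) // ((P_TOY - 1) * (Q_TOY - 1))
    roots = p_mod_mu_candidates(N_TOY, E_TOY, DELTA, MU_FACTORS)
    print("true k:", true_k, "roots per k:", {k: len(v) for k, v in roots.items()})
    print("P mod mu among the true k's roots:", P_TOY % MU in roots[true_k])
    print("recovered factor:", factor_n(N_TOY, E_TOY, DELTA, MU_FACTORS))
```

Each k yields its own handful of roots, so the E values of k multiply the work exactly as the B E N^(3/20) estimate says; a blinding factor would add the B loop outside this one, and a larger E enlarges the inner loop, which is the defensive point of the closing slide.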

16 Conclusion
A DPA attack on the MIST algorithm has been augmented using knowledge of the RSA public modulus in several ways.
The attacks may become computationally feasible if parameters are poorly chosen.
Other standard algorithms provide no strength against such attacks (e.g. m-ary).
Standard approaches such as key blinding, longer keys, & larger public exponent all contribute to better security.




