Cryptanalysis of Two Protocols for RSA with CRT Based on Fault Infection
Sung-Ming Yen (1) and Dongryeol Kim (2)
(1) Dept. of Computer Science and Information Engineering, National Central University, Taiwan, ROC, http://www.csie.ncu.edu.tw/~yensm/lcis.html
(2) Information Security Policy Division, Korea Information Security Agency, Korea
Outline:
1. Preliminary Background of CRT-based Cryptanalysis
2. Review: Two CRT-based RSA Computations Based on Fault Infection
3. Cryptanalysis of CRT-based RSA with Fault Infection
4. Conclusions
1. Introduction and Preliminary Background
RSA speedup with CRT
CRT-based fault attack
RSA Speedup with CRT
Given $p$, $q$ ($n = pq$), $d$ and $m$, the computation $S = m^d \bmod n$ can be sped up as
$s_p = (m \bmod p)^{d \bmod (p-1)} \bmod p$
$s_q = (m \bmod q)^{d \bmod (q-1)} \bmod q$
Gauss's CRT recombination: $S = \mathrm{CRT}(s_p, s_q) = [s_p \cdot q \cdot (q^{-1} \bmod p) + s_q \cdot p \cdot (p^{-1} \bmod q)] \bmod n = [s_p X_p + s_q X_q] \bmod n$
Garner's CRT recombination: $S = \mathrm{CRT}(s_p, s_q) = s_q + [(s_p - s_q)(q^{-1} \bmod p) \bmod p] \cdot q$
CRT-based Fault Attack
Fault attack on the computation of $s_p$ or $s_q$: given a faulty result $S' = \mathrm{CRT}(s'_p, s_q)$, i.e. with a random error in $s_p$ only, $S' \equiv m^d \pmod q$ still holds while $S' \not\equiv m^d \pmod p$, so
$q = \gcd((S'^e - m) \bmod n,\ n)$
(a random error in $s_q$ instead yields $p$)
[Figure: a random error injected into $s_p$ or into $s_q$ propagates through the CRT recombination into $S$]
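As an added worked example (not code from the slides), the CRT speedup and the attack above in Python: both recombinations are computed and shown to agree, a bit flip is injected into one half exponentiation, and the gcd recovers the corresponding prime. The key is a fixed demo key (p = M89, q = M107, e = 65537), an assumption made so the script needs no primality test; a real key uses random primes of at least 1024 bits.

```python
"""RSA-CRT signing (Gauss and Garner recombination) and the CRT fault attack.

Added example, not code from the slides.  Assumptions: p and q are the
Mersenne primes M89 and M107 (fixed so the script needs no primality test),
e = 65537, and a fault is modelled as a bit flip applied to s_p or s_q
before recombination.
"""
from math import gcd

p = (1 << 89) - 1            # 2^89 - 1, prime (M89); assumption: demo key only
q = (1 << 107) - 1           # 2^107 - 1, prime (M107)
n = p * q
phi = (p - 1) * (q - 1)
e = 65537
d = pow(e, -1, phi)          # 65537 divides neither 2^88-1 nor 2^106-1, so d exists

# Precomputed CRT constants, as on the slide
d_p, d_q = d % (p - 1), d % (q - 1)
X_p = q * pow(q, -1, p)      # X_p = 1 mod p, 0 mod q
X_q = p * pow(p, -1, q)      # X_q = 0 mod p, 1 mod q
q_inv_p = pow(q, -1, p)      # Garner needs only q^-1 mod p


def half_exponentiations(m, fault_p=0, fault_q=0):
    """s_p and s_q; a nonzero fault mask XORs the corresponding half result."""
    s_p = pow(m % p, d_p, p) ^ fault_p
    s_q = pow(m % q, d_q, q) ^ fault_q
    return s_p, s_q


def crt_gauss(s_p, s_q):
    return (s_p * X_p + s_q * X_q) % n


def crt_garner(s_p, s_q):
    h = ((s_p - s_q) * q_inv_p) % p
    return s_q + h * q       # already in [0, n): s_q < q and h < p


def sign_crt(m, fault_p=0, fault_q=0, recombine=crt_garner):
    return recombine(*half_exponentiations(m, fault_p, fault_q))


def recover_factor(s_faulty, m):
    """Bellcore-style attack: gcd((S'^e - m) mod n, n).

    If S' is correct mod q but wrong mod p, S'^e - m is divisible by q
    only, so the gcd is q (and vice versa).  Returns 1 when the faulty
    signature is wrong modulo both primes and n when it is fully correct.
    """
    return gcd((pow(s_faulty, e, n) - m) % n, n)


# Constructed sample message (any integer below n would do)
M = int.from_bytes(b"fault injection demo", "big")

if __name__ == "__main__":
    S = sign_crt(M)
    assert S == sign_crt(M, recombine=crt_gauss) == pow(M, d, n)
    S_bad_p = sign_crt(M, fault_p=1 << 7)        # fault in s_p only
    print("fault in s_p ->", "q" if recover_factor(S_bad_p, M) == q else "?")
    S_bad_q = sign_crt(M, fault_q=1 << 7)        # fault in s_q only
    print("fault in s_q ->", "p" if recover_factor(S_bad_q, M) == p else "?")
```

The fault mask is applied between the exponentiation and the recombination, which is exactly the window the slide's figure marks; a fault that hits both halves gives a gcd of 1 and leaks nothing.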
Shamir's Countermeasure
Shamir's countermeasure (extend the modulus, then reduce the modulus):
$s_{pr} = m_{pr}^{d_{pr}} \bmod pr$, $s_{qr} = m_{qr}^{d_{qr}} \bmod qr$
where $m_{pr} = m \bmod pr$, $d_{pr} = d \bmod \varphi(pr)$ (and likewise $m_{qr} = m \bmod qr$, $d_{qr} = d \bmod \varphi(qr)$), and $r$ is a random prime
Output $S$ only if $(s_{pr} \bmod r) = (s_{qr} \bmod r)$
$S = \mathrm{CRT}(s_p, s_q) = \mathrm{CRT}(s_{pr} \bmod p,\ s_{qr} \bmod q)$
Other possible countermeasures (all need, and strictly depend on, the reliability of a comparison operation!):
Compute $S$ twice and compare the results
Given $S = m^d \bmod n$, verify whether $m \stackrel{?}{=} S^e \bmod n$
Attack on Shamir's Method
Possible attacks on the zero flag!
Implementation of the check $(s_{pr} \bmod r) \stackrel{?}{=} (s_{qr} \bmod r)$, i.e. of $a \stackrel{?}{=} b$:
SUB a, b (or CMP a, b)
JZ (jump if zero)
The decision depends entirely on the zero flag!
Another Reported CRT-based Attack
The main weakness: it is assumed that the correctness of $s_{pr}$ and $s_{qr}$ implies the correctness of both $s_p$ and $s_q$, where $s_p = s_{pr} \bmod p$
But possibly $s'_p \leftarrow s_{pr} \bmod p$: a fault in the reduction step itself, after the check has passed
The check $(s_{pr} \bmod r) \stackrel{?}{=} (s_{qr} \bmod r)$ cannot detect such an error in $s_p$
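An added example (not the slides' or Shamir's own code) of the countermeasure and of the reduction-step fault just described. It assumes a fixed demo key (p = M89, q = M107, e = 65537) and fixes Shamir's random prime to the Mersenne prime M31 so the run is reproducible; a real implementation draws a fresh random prime $r$ per signature. A fault inside the extended exponentiation is caught by the $r$ check; a fault applied to $s_p = s_{pr} \bmod p$ after the check passes unnoticed and leaks $q$.

```python
"""Shamir's extended-modulus check and the reduction-step fault it misses.

Added example, not code from the slides.  Assumptions: demo key with
p = M89, q = M107, e = 65537; Shamir's random prime r fixed to M31 for
reproducibility.  Faults are modelled as bit flips injected at a chosen step.
"""
from math import gcd

p, q, r = (1 << 89) - 1, (1 << 107) - 1, (1 << 31) - 1   # assumption: demo primes
n = p * q
phi = (p - 1) * (q - 1)
e = 65537
d = pow(e, -1, phi)


def shamir_sign(m, fault_spr=0, fault_reduce_p=0):
    """Return m^d mod n, or None if the s_pr mod r == s_qr mod r check fails.

    fault_spr       XOR mask applied to s_pr (error inside the exponentiation)
    fault_reduce_p  XOR mask applied to s_p = s_pr mod p (error in the
                    reduction that follows the check)
    """
    # Extend the modulus: phi(p*r) = (p-1)(r-1) because p and r are distinct primes
    d_pr = d % ((p - 1) * (r - 1))
    d_qr = d % ((q - 1) * (r - 1))
    s_pr = pow(m % (p * r), d_pr, p * r) ^ fault_spr
    s_qr = pow(m % (q * r), d_qr, q * r)

    # The check: both values equal m^d mod r when nothing went wrong.
    # In hardware this is one CMP + JZ, which a glitch on the zero flag
    # can bypass; here it is an ordinary comparison.
    if s_pr % r != s_qr % r:
        return None

    # Reduce the modulus.  A fault here is invisible to the check above.
    s_p = (s_pr % p) ^ fault_reduce_p
    s_q = s_qr % q
    h = ((s_p - s_q) * pow(q, -1, p)) % p        # Garner recombination
    return s_q + h * q


def recover_factor(s_faulty, m):
    """gcd((S'^e - m) mod n, n): q if S' is correct only mod q, p if only mod p."""
    return gcd((pow(s_faulty, e, n) - m) % n, n)


M = int.from_bytes(b"fault injection demo", "big")    # constructed sample message

if __name__ == "__main__":
    print("fault-free signature correct:", shamir_sign(M) == pow(M, d, n))
    print("fault in s_pr caught by the r check:", shamir_sign(M, fault_spr=1) is None)
    S_bad = shamir_sign(M, fault_reduce_p=1)
    print("fault after the check still passes:", S_bad is not None)
    print("...and leaks q:", recover_factor(S_bad, M) == q)
```

The two fault positions differ only in whether they sit before or after the comparison; the check never sees the value it is supposed to protect, which is the weakness the slide points at.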
Importance of CRT-based Attacks
RSA with CRT has already been widely employed
But a single fault leads to a total break
A false-alarm attack on RSA+CRT may be initiated by any malicious attacker: a denial-of-service attack
So any potential CRT-based attack should be carefully considered
2. Review: Two CRT-based RSA Computations Based on Fault Infection
No fault-free decision procedure is assumed in the countermeasure!
Fault Infective CRT Speedup
No checking procedure that has to be fault free is assumed
When a random error occurs in $s_p$ (or $s_q$), it influences the computation of $s_q$ (or $s_p$) or the overall computation of $S$ (for example, $\mathrm{CRT}(s'_p, s_q)$ or $\mathrm{CRT}(s_p, s'_q)$ is not accessible to the attacker)
The CRT-1 Protocol
Parameter selection: $n = pq$ (usual key pair $e$ and $d = e^{-1} \bmod \varphi(n)$); additional key pair $e_r$ and $d_r = e_r^{-1} \bmod \varphi(n)$, with $d_r = d - r$ ($r$ is a small integer)
The protocol:
Compute $k_p = \lfloor m/p \rfloor$ and $k_q = \lfloor m/q \rfloor$, where $\lfloor x \rfloor$ is the floor function
Compute $m^{d_r} \bmod n$ with CRT speedup:
$s_p = A^{d_r \bmod (p-1)} \bmod p$, where $A = m \bmod p$
$s_q = \hat{A}^{d_r \bmod (q-1)} \bmod q$, where $\hat{A} = ((s_p^{e_r} \bmod p) + k_p p) \bmod q$
Based on CRT: $S = \mathrm{CRT}(s_p, s_q) \cdot \tilde{A}^{r} \bmod n$, where $\tilde{A} = (s_q^{e_r} \bmod q) + k_q q$
If the computation is fault free:
Message reconstruction 1: $\hat{A} = ((s_p^{e_r} \bmod p) + k_p p) \bmod q = (A + k_p p) \bmod q = m \bmod q$
Message reconstruction 2: $\tilde{A} = (s_q^{e_r} \bmod q) + k_q q = (m \bmod q) + k_q q = m$, so $S = m^{d_r} \cdot m^{r} \bmod n = m^{d} \bmod n$
The CRT-2 Protocol
Parameter selection: $n = pq$ (usual key pair $e$ and $d = e^{-1} \bmod \varphi(n)$); additional key pair $e_r$ and $d_r = e_r^{-1} \bmod \varphi(n)$, with $d_r = d - r$ ($r$ is a small integer)
The protocol:
Compute $k_p = \lfloor m/p \rfloor$ and $k_q = \lfloor m/q \rfloor$
Compute $m^{d_r} \bmod n$ with CRT speedup:
$s_p = A^{d_r \bmod (p-1)} \bmod p$, where $A = m \bmod p$
$s_q = (m \bmod q)^{d_r \bmod (q-1)} \bmod q$
Based on CRT: $S = \mathrm{CRT}(s_p, s_q) \cdot \hat{A}^{r} \bmod n$, where $\hat{A} = (m_1 + m_2)/2$, $m_1 = (s_p^{e_r} \bmod p) + k_p p$ and $m_2 = (s_q^{e_r} \bmod q) + k_q q$
If the computation is fault free:
Message reconstruction: $m_1 = (s_p^{e_r} \bmod p) + k_p p = (m \bmod p) + k_p p = m$ and $m_2 = (s_q^{e_r} \bmod q) + k_q q = (m \bmod q) + k_q q = m$, so $\hat{A} = m$ and $S = m^{d_r} \cdot m^{r} \bmod n = m^{d} \bmod n$
3. Cryptanalysis of CRT-based RSA with Fault Infection
Exploiting faults that the usual CRT-based attack did not consider
Attack Exploiting Faults on Temporary Parameters
The attacks exploit faults that the usual CRT-based attack did not consider
They exploit faults on temporary parameters (here $k_p$ and $k_q$) that the usual CRT speedup does NOT require
This has been overlooked previously
Attack on the CRT-1 Protocol
In the CRT-1 protocol: suppose $k_p$, $s_p$ and $s_q$ are correct but $k_q$ becomes incorrect (when computed or accessed): $k_q \rightarrow k'_q$
Then $\tilde{A}' = (s_q^{e_r} \bmod q) + k'_q q = m + (k'_q - k_q) q$, and we get $S' = (m^d + R q) \bmod n$ ($R$: a random integer), i.e. $S'$ is correct modulo $q$ but not modulo $p$
This leads to $q = \gcd((S'^e - m) \bmod n,\ n)$
It can be proven that a fault on $k_p$ disables the above attack (a wrong $k_p$ corrupts $\hat{A}$, hence $s_q$ and $\tilde{A}$, and $S'$ is then wrong modulo both primes)
Attack on the CRT-2 Protocol
In the CRT-2 protocol: suppose $k_p$, $s_p$ and $s_q$ are correct but $k_q$ becomes incorrect (when computed or accessed): $k_q \rightarrow k'_q$
Then $m_1 = m$ but $m_2' = m + (k'_q - k_q) q$, and we get $S' = (m^d + R q) \bmod n$ ($R$: a random integer)
This leads to $q = \gcd((S'^e - m) \bmod n,\ n)$
Symmetrically, a fault on $k_p$ leads to $p = \gcd((S'^e - m) \bmod n,\ n)$
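The two protocols of section 2 and the attacks of section 3 in one added example (not code from the slides or the underlying papers). Assumptions: a fixed demo key (p = M89, q = M107, e = 65537); $d_r = d - r$ with $r$ the smallest integer $\ge 2$ for which $d - r$ is invertible modulo $\varphi(n)$, read off the requirement $\mathrm{CRT}(s_p, s_q)\cdot\tilde{A}^r = m^{d_r} m^r = m^d$; the division in $(m_1 + m_2)/2$ taken as integer division; and an erroneous $k$ modelled as $k + \Delta$ with a constructed even $\Delta = 2^{20}$ standing in for a random error. Under the integer-division reading the $k$ fault on CRT-2 leaks a prime only when $\Delta$ is even, so the last entry also shows an odd error giving nothing.

```python
"""CRT-1 and CRT-2 fault-infective RSA, and the k_q / k_p fault attacks.

Added example covering both the protocol review and the attacks; not code
from the slides or the papers.  Assumptions: demo key p = M89, q = M107,
e = 65537; d_r = d - r with r the smallest integer >= 2 such that d - r is
invertible mod phi(n); (m1 + m2)/2 is integer division; a faulty k is
k + delta for a constructed delta; a faulty s_p is a bit flip.
"""
from math import gcd

p, q = (1 << 89) - 1, (1 << 107) - 1      # assumption: demo primes (M89, M107)
n = p * q
phi = (p - 1) * (q - 1)
e = 65537
d = pow(e, -1, phi)

# Additional key pair (e_r, d_r) with d_r = d - r, r a small integer
r = next(x for x in range(2, 1000) if gcd(d - x, phi) == 1)
d_r = d - r
e_r = pow(d_r, -1, phi)


def crt(s_p, s_q):
    """Garner recombination."""
    h = ((s_p - s_q) * pow(q, -1, p)) % p
    return s_q + h * q


def crt1(m, k_p=None, k_q=None, fault_sp=0):
    """CRT-1: s_q is derived from s_p, so an error in s_p infects s_q and S.

    k_p / k_q may be overridden with faulty values; fault_sp XORs s_p.
    """
    k_p = m // p if k_p is None else k_p
    k_q = m // q if k_q is None else k_q
    s_p = pow(m % p, d_r % (p - 1), p) ^ fault_sp
    a_hat = (pow(s_p, e_r, p) + k_p * p) % q      # = m mod q when fault free
    s_q = pow(a_hat, d_r % (q - 1), q)
    a_tilde = pow(s_q, e_r, q) + k_q * q          # = m when fault free
    return crt(s_p, s_q) * pow(a_tilde % n, r, n) % n   # m^(d-r) * m^r = m^d


def crt2(m, k_p=None, k_q=None, fault_sp=0):
    """CRT-2: both halves are reconstructed to m and averaged into the final factor."""
    k_p = m // p if k_p is None else k_p
    k_q = m // q if k_q is None else k_q
    s_p = pow(m % p, d_r % (p - 1), p) ^ fault_sp
    s_q = pow(m % q, d_r % (q - 1), q)
    m1 = pow(s_p, e_r, p) + k_p * p               # = m when fault free
    m2 = pow(s_q, e_r, q) + k_q * q               # = m when fault free
    a_hat = (m1 + m2) // 2                        # assumption: integer division
    return crt(s_p, s_q) * pow(a_hat % n, r, n) % n


def recover_factor(s_faulty, m):
    """gcd((S'^e - m) mod n, n): a prime factor if S' is right modulo exactly one prime."""
    return gcd((pow(s_faulty, e, n) - m) % n, n)


def attack_results(m, delta=1 << 20):
    """Factor recovered from each fault; 1 means S' is wrong modulo both primes.

    The k faults add `delta` (constructed, even) to the stored value as a
    stand-in for a random error.  In CRT-1 a wrong k_q leaves A~ = m + delta*q,
    still m mod q, while a wrong k_p is reduced mod q inside A^ and so spoils
    both halves.  In CRT-2, (m1 + m2)//2 is exact only for even delta; the odd
    case leaves a remainder that is wrong modulo both primes.
    """
    k_p, k_q = m // p, m // q
    return {
        "crt1 k_q fault": recover_factor(crt1(m, k_q=k_q + delta), m),
        "crt1 k_p fault": recover_factor(crt1(m, k_p=k_p + delta), m),
        "crt1 s_p fault": recover_factor(crt1(m, fault_sp=1 << 5), m),
        "crt2 k_q fault": recover_factor(crt2(m, k_q=k_q + delta), m),
        "crt2 k_p fault": recover_factor(crt2(m, k_p=k_p + delta), m),
        "crt2 s_p fault": recover_factor(crt2(m, fault_sp=1 << 5), m),
        "crt2 k_q fault, odd error": recover_factor(crt2(m, k_q=k_q + delta + 1), m),
    }


M = int.from_bytes(b"fault injection demo", "big")    # constructed sample message

if __name__ == "__main__":
    assert crt1(M) == crt2(M) == pow(M, d, n)
    names = {q: "q", p: "p", 1: "nothing (wrong modulo both primes)"}
    for fault, g in attack_results(M).items():
        print(f"{fault}: recovers {names[g]}")
```

The $s_p$ faults confirm the infective design (nothing leaks); the $k$ faults are the ones the slides add, and they leak a prime precisely when the wrong $k$ enters only the final $\tilde{A}^r$ or $\hat{A}^r$ factor without being reduced modulo the other prime first.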
4. Conclusions
Basic consideration: do not make unreasonable assumptions, e.g. that all checking operations are error free
Important thing to remind again: be careful about all CRT-based attacks
Explicit fault/attack
Implicit fault/attack
The false-alarm attack may lead to a DoS attack
One technical issue to notice: the more checking operations are used, the less reliable the countermeasure becomes
Open problem: Is an error-free checking operation necessary?
More research is still necessary