Cryptanalysis of Two Protocols for RSA with CRT Based on Fault Infection


Sung-Ming Yen (1) and Dongryeol Kim (2)
(1) Dept. of Computer Science and Information Engineering, National Central University, Taiwan, ROC, http://www.csie.ncu.edu.tw/~yensm/lcis.html
(2) Information Security Policy Division, Korea Information Security Agency, Korea

Outline:
1. Preliminary Background of CRT-based Cryptanalysis
2. Review: Two CRT-based RSA Computation Based on Fault Infection
3. Cryptanalysis of CRT-based RSA with Fault Infection
4. Conclusions

1. Introduction and Preliminary Background
RSA speedup with CRT
CRT-based fault attack

RSA Speedup with CRT
RSA speedup based on CRT: given $p$, $q$ ($n = pq$), $d$, and $m$, $S = m^d \bmod n$ can be sped up by
$s_p = (m \bmod p)^{d \bmod (p-1)} \bmod p$
$s_q = (m \bmod q)^{d \bmod (q-1)} \bmod q$
Gauss's CRT recombination: $S = \mathrm{CRT}(s_p, s_q) = [s_p \cdot q \cdot (q^{-1} \bmod p) + s_q \cdot p \cdot (p^{-1} \bmod q)] \bmod n = [s_p X_p + s_q X_q] \bmod n$
Garner's CRT recombination: $S = \mathrm{CRT}(s_p, s_q) = s_q + [(s_p - s_q)(q^{-1} \bmod p) \bmod p] \cdot q$

CRT-based Fault Attack
Fault attack on the computation of $s_p$ or $s_q$: given a faulty result $S' = \mathrm{CRT}(s_p', s_q)$ (random error in $s_p$), $q = \gcd((S'^e - m) \bmod n,\ n)$.
(Figure: $s_p$ and $s_q$, each subject to a random error, are fed into the CRT recombination that outputs $S$.)

Shamir's Countermeasure
Shamir's countermeasure (extend the modulus, then reduce the modulus):
$s_{pr} = m_{pr}^{d_{pr}} \bmod pr$, $s_{qr} = m_{qr}^{d_{qr}} \bmod qr$
where $m_{pr} = m \bmod pr$ and $d_{pr} = d \bmod \phi(pr)$ (and likewise $m_{qr}$, $d_{qr}$), and $r$ is a random prime.
Output $S$ only if $(s_{pr} \bmod r) = (s_{qr} \bmod r)$:
$S = \mathrm{CRT}(s_p, s_q) = \mathrm{CRT}(s_{pr} \bmod p,\ s_{qr} \bmod q)$

Other possible countermeasures (all need and strictly depend on the reliability of a comparison operation!):
Compute $S$ twice and compare the results.
Given $S = m^d \bmod n$, verify whether $m \overset{?}{=} S^e \bmod n$.
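The CRT speedup, both recombination formulas and the "verify $m = S^e \bmod n$" countermeasure from the slides above, as an added worked example (not code from the slides or their authors). The primes are constructed toy values, and the fault is modelled as an additive error on $s_p$, which is an assumption of this example.

```python
# Added example, not from the slides: RSA-CRT signing with both recombination
# formulas from the slide, plus the "m == S^e mod n" check listed as a
# countermeasure. The primes are constructed toy values, far too small for real use.
from math import gcd

p, q = 1000003, 1000033
n = p * q
e = 65537
d = pow(e, -1, (p - 1) * (q - 1))    # d = e^-1 mod phi(n)

def crt_parts(m, fault=0):
    """s_p, s_q from the slide; fault != 0 models a random error added to s_p."""
    s_p = pow(m % p, d % (p - 1), p)
    s_q = pow(m % q, d % (q - 1), q)
    return (s_p + fault) % p, s_q

def crt_gauss(s_p, s_q):
    """Gauss: S = [s_p*X_p + s_q*X_q] mod n, X_p = q(q^-1 mod p), X_q = p(p^-1 mod q)."""
    X_p = q * pow(q, -1, p)
    X_q = p * pow(p, -1, q)
    return (s_p * X_p + s_q * X_q) % n

def crt_garner(s_p, s_q):
    """Garner: S = s_q + [(s_p - s_q)(q^-1 mod p) mod p] * q (already below n)."""
    return s_q + (((s_p - s_q) * pow(q, -1, p)) % p) * q

def checked_sign(m, fault=0):
    """Output S only if S^e mod n == m (the verification countermeasure); else None."""
    S = crt_garner(*crt_parts(m, fault))
    return S if pow(S, e, n) == m % n else None

def gcd_test(S, m):
    """gcd((S^e - m) mod n, n): n for a correct S, q when only s_p was faulty."""
    return gcd((pow(S, e, n) - m) % n, n)
```

The last function is the quantity the fault-attack slide computes; `checked_sign` shows why a device must never release a signature that fails the verification, since the unchecked faulty output would satisfy `gcd_test(S, m) == q`.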

Attack on Shamir's Method
Possible attacks on the zero flag! The check $(s_{pr} \bmod r) \overset{?}{=} (s_{qr} \bmod r)$ is implemented as a comparison $a \overset{?}{=} b$: SUB a,b (or CMP a,b) followed by JZ (jump if zero). It highly depends on the zero flag!

Another reported CRT-based attack
The main weakness: it is assumed that the correctness of $s_{pr}$ and $s_{qr}$ implies the correctness of both $s_p$ and $s_q$, where $s_p = s_{pr} \bmod p$. Possibly the final reduction itself is faulty, $s_p' \leftarrow s_{pr} \bmod p$; the check of whether $(s_{pr} \bmod r) \overset{?}{=} (s_{qr} \bmod r)$ cannot detect the error in $s_p'$.

Importance of CRT-based Attack
CRT has already been widely employed, but a single fault leads to a total break down.
A false alarm attack on RSA+CRT may be initiated by any malicious attacker, giving a denial of service attack.
So, any potential CRT-based attack should be carefully considered.

2. Review: Two CRT-based RSA Computation Based on Fault Infection
No fault-free decision procedure will be assumed in the countermeasure!

Fault Infective CRT Speedup
No checking procedure that would have to be fault free is assumed.
When a random error occurs in $s_p$ (or $s_q$), it will influence the computation of $s_q$ (or $s_p$) or the overall computation of $S$ (for example, $\mathrm{CRT}(s_p', s_q)$ or $\mathrm{CRT}(s_p, s_q')$ is not accessible).

The CRT-1 Protocol
Parameter selection: $n = pq$ (usual key pair $e$ and $d = e^{-1} \bmod \phi(n)$); additional key pair $e_r$ and $d_r = e_r^{-1} \bmod \phi(n)$ with $d_r = d - r$ ($r$ is a small integer).

The protocol:
Compute $k_p = \lfloor m/p \rfloor$ and $k_q = \lfloor m/q \rfloor$, where $\lfloor x \rfloor$ means the floor function.
Compute $m^{d_r} \bmod n$ with CRT speedup:
$s_p = A^{d_r \bmod (p-1)} \bmod p$ where $A = m \bmod p$
$s_q = \hat{A}^{d_r \bmod (q-1)} \bmod q$ where $\hat{A} = ((s_p^{e_r} \bmod p) + k_p p) \bmod q$
Based on CRT: $S = \mathrm{CRT}(s_p, s_q) \cdot \tilde{A}^{r} \bmod n$ where $\tilde{A} = (s_q^{e_r} \bmod q) + k_q q$

If the computation is fault free:
Message reconstruction 1: $s_q = \hat{A}^{d_r \bmod (q-1)} \bmod q$ where $\hat{A} = ((s_p^{e_r} \bmod p) + k_p p) \bmod q = m \bmod q$
Message reconstruction 2: $S = \mathrm{CRT}(s_p, s_q) \cdot \tilde{A}^{r} \bmod n$ where $\tilde{A} = (s_q^{e_r} \bmod q) + k_q q = m$

The CRT-2 Protocol
Parameter selection: $n = pq$ (usual key pair $e$ and $d = e^{-1} \bmod \phi(n)$); additional key pair $e_r$ and $d_r = e_r^{-1} \bmod \phi(n)$ with $d_r = d - r$ ($r$ is a small integer).

The protocol:
Compute $k_p = \lfloor m/p \rfloor$ and $k_q = \lfloor m/q \rfloor$.
Compute $m^{d_r} \bmod n$ with CRT speedup:
$s_p = A^{d_r \bmod (p-1)} \bmod p$ where $A = m \bmod p$
$s_q = (m \bmod q)^{d_r \bmod (q-1)} \bmod q$
Based on CRT: $S = \mathrm{CRT}(s_p, s_q) \cdot \hat{A}^{r} \bmod n$ where $\hat{A} = (m_1 + m_2)/2$, $m_1 = (s_p^{e_r} \bmod p) + k_p p$, $m_2 = (s_q^{e_r} \bmod q) + k_q q$

If the computation is fault free:
Message reconstruction: $S = \mathrm{CRT}(s_p, s_q) \cdot \hat{A}^{r} \bmod n$ where $\hat{A} = (m_1 + m_2)/2$, $m_1 = (s_p^{e_r} \bmod p) + k_p p = m$, $m_2 = (s_q^{e_r} \bmod q) + k_q q = m$

3. Cryptanalysis of CRT-based RSA with Fault Infection
Exploiting faults that the usual CRT-based attack did not consider.

Attack Exploiting Faults on Temporary Parameters
These attacks exploit faults that the usual CRT-based attack did not consider: faults on temporary parameters that the usual CRT speedup does NOT require. This has been overlooked previously.

Attack on the CRT-1 Protocol
In the CRT-1 protocol: suppose $k_p$, $s_p$, and $s_q$ are correct but $k_q$ becomes incorrect (when computed or accessed), $k_q \rightarrow k_q'$. We get $S' = m^d + R \cdot q \bmod n$ ($R$: random integer), which leads to $q = \gcd((S'^e - m),\ n)$. It can be proven that a fault on $k_p$ disables the above attack.

Attack on the CRT-2 Protocol
In the CRT-2 protocol: suppose $k_p$, $s_p$, and $s_q$ are correct but $k_q$ becomes incorrect (when computed or accessed), $k_q \rightarrow k_q'$. We get $S' = m^d + R \cdot q \bmod n$ ($R$: random integer), which leads to $q = \gcd((S'^e - m),\ n)$. A fault on $k_p$ leads to $p = \gcd((S'^e - m),\ n)$.
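A toy model of the CRT-1 protocol reviewed in Section 2 and of the fault-location argument in the CRT-1 attack slide, added here as an example (not the authors' code). A designer can inject one additive error at a chosen intermediate ($s_p$, $k_p$ or $k_q$; the additive fault model is an assumption of this example) and run the gcd test from the attack slides to see whether the fault was infected into both halves of $S$. The primes, $r$ selection and message are constructed for illustration.

```python
# Added example, not the authors' code: a toy model of the CRT-1 protocol with a
# single additive fault injected at a chosen intermediate (s_p, k_p or k_q), so the
# designer can check which faults the infection mechanism actually spreads to S.
# Primes, the fault model and the message are all constructed for illustration.
from math import gcd

p, q = 1000003, 1000033
n, phi = p * q, (p - 1) * (q - 1)
e = 65537
d = pow(e, -1, phi)
# small integer r such that d_r = d - r is invertible mod phi(n); e_r = d_r^-1 mod phi(n)
r = next(x for x in range(2, 1000) if gcd((d - x) % phi, phi) == 1)
d_r = (d - r) % phi
e_r = pow(d_r, -1, phi)

def garner(s_p, s_q):
    """Garner's recombination, result already below n."""
    return s_q + (((s_p - s_q) * pow(q, -1, p)) % p) * q

def crt1_sign(m, fault=None):
    """S = m^d mod n via CRT-1. fault=(name, delta) adds delta to that intermediate."""
    def at(name, val):
        return val + fault[1] if fault and fault[0] == name else val
    k_p = at("k_p", m // p)                         # floor(m / p)
    k_q = at("k_q", m // q)                         # floor(m / q)
    A = m % p
    s_p = at("s_p", pow(A, d_r % (p - 1), p))
    A_hat = (pow(s_p, e_r, p) + k_p * p) % q        # = m mod q if s_p, k_p are correct
    s_q = pow(A_hat, d_r % (q - 1), q)
    A_tilde = pow(s_q, e_r, q) + k_q * q            # = m if s_q, k_q are correct
    return (garner(s_p, s_q) * pow(A_tilde, r, n)) % n

def gcd_test(S, m):
    """gcd((S^e - m) mod n, n): n if S is correct, 1 if the fault was infected into
    both halves, p or q if one half of S stayed correct."""
    return gcd((pow(S, e, n) - m) % n, n)
```

A fault on $s_p$ is propagated through $\hat{A}$ and $\tilde{A}$ into both halves, so the gcd test returns 1; a fault on $k_q$ only enters $\tilde{A}$ through a multiple of $q$, so $S'$ stays correct modulo $q$ and the test returns $q$, exactly the case the CRT-1 attack slide describes.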

4. Conclusions

Basic consideration: do not make unreasonable assumptions, e.g., that all the checking operations are error free.
Important thing to remind again: be careful about all CRT-based attacks, both explicit fault/attack and implicit fault/attack. The false alarm attack may lead to the DoS attack.
One technical issue to notice: using more checking operations will lead to a less reliable countermeasure.
Open problem: is an error-free checking operation necessary? More research is still necessary.