Seeing through MIST given a Small Fraction of an RSA Private Key
Colin D. Walter
colin.walter@comodogroup.com
Comodo Research Lab (Bradford, UK)
www.comodogroup.com
Overview
• History
• The MIST Algorithm
• Threat Assumptions – a Theorem
• First Reconstruction of the Key
• Second Reconstruction of the Key
• Conclusion
Colin D. Walter, Comodo Research Lab, Bradford. Next Generation Digital Security Solutions
History
• C. D. Walter, Exponentiation using Division Chains, IEEE TC 47, 1998
• C. D. Walter, MIST: An Efficient, Randomized Exponentiation Algorithm for Resisting Power Analysis, CT-RSA 2002, LNCS 2271
• C. D. Walter, Some Security Aspects of the MIST Randomized Exponentiation Algorithm, CHES 2002, LNCS 2523
• Boneh, Durfee & Frankel, Exposing an RSA Private Key given a Small Fraction of its Bits, AsiaCrypt 98, LNCS 1514
Reversed m-ary Exponentiation
{ To compute: P = C^D mod N }
Q ← C ; P ← 1 ;
While D > 0 do
Begin
    d ← D mod m ;
    If d ≠ 0 then P ← Q^d × P mod N ;
    Q ← Q^m mod N ;
    D ← D div m ;
    { Invariant: C^(D.Init) = Q^D × P mod N }
End ;
The MIST Exponentiation Algorithm
{ To compute: P = C^D mod N }
Q ← C ; P ← 1 ;
While D > 0 do
Begin
    Choose a random base m (from {2, 3, 5}, say) ;
    d ← D mod m ;
    If d ≠ 0 then P ← Q^d × P mod N ;
    Q ← Q^m mod N ;
    D ← D div m ;
    { Invariant: C^(D.Init) = Q^D × P mod N }
End ;
Security Strength
THEOREM (CHES 2002). After a MIST exponentiation C^D mod N using a typical, efficient choice of parameters:
• The number of exponents with the same pattern of squares and multiplies is at least D^(3/5).
• The number of exponents with the same pattern of operand sharing is about D^(1/3).
With just this information it is computationally infeasible to search for D.
We will now improve these results using knowledge of the public modulus N.
Notation
The chosen digit/base pairs (d_i, m_i) satisfy
    D = d_0 + m_0(d_1 + m_1(d_2 + m_2(... d_n) ...))
Define
    D_j = d_j + m_j(d_(j+1) + m_(j+1)(d_(j+2) + m_(j+2)(... d_n) ...))
    δ_j = d_0 + m_0(d_1 + m_1(d_2 + m_2(... d_(j–1)) ...))
    μ_j = m_0 m_1 m_2 ... m_(j–1)
Then
    δ_j = D mod μ_j
    D_j = D div μ_j
    D = μ_j D_j + δ_j
A First Attack
• Let N = PQ for primes P and Q of equal bit length. It is easy to show that φ(N) lies in an interval of length < ⅛√N. So the top half of φ(N) is known (whatever base is chosen) when N is known.
• Assume no exponent blinding. Since the encryption key E is also known, the top half of D becomes known to within E possibilities (which the attacker can try in turn to find one which works).
• The attacker "guesses" the lower half of D: he uses DPA to determine enough choices of digit/base pairs (d_0, m_0), (d_1, m_1), (d_2, m_2), ..., (d_(j–1), m_(j–1)) such that μ_j = ∏_i m_i > √D.
A First Attack (contd)
• The attacker has "guessed" μ_j and δ_j. He then computes an approximation for D_j = D div μ_j using his approximation for D.
• Since D is known to an accuracy with error less than μ_j, D_j (the upper half of D) is determined up to a choice of at most 2 values.
• So D = μ_j D_j + δ_j is determined up to a couple of possibilities, and the secret key is obtained.
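The MIST loop, the μ_j/δ_j notation and the reconstruction D = μ_j D_j + δ_j of the last three slides, as an added Python example (not the slides' own code) on a constructed toy modulus. The lower digit/base pairs that DPA is assumed to supply are taken from the genuine chain, i.e. the guess is assumed correct, and the final filter is the slide's "one which works" test.

```python
import math
import random

# Constructed toy RSA key (added for this example, not from the slides): 10-bit primes keep the numbers followable.
p, q = 1009, 1013
N, E = p * q, 17
D = pow(E, -1, (p - 1) * (q - 1))            # the private exponent the attack tries to recover

def mist_chain(exponent, seed=1):
    """Digit/base pairs (d_i, m_i) as MIST picks them: m_i random from {2, 3, 5}."""
    rng, chain = random.Random(seed), []
    while exponent > 0:
        m = rng.choice((2, 3, 5))
        chain.append((exponent % m, m))          # d_i = D_i mod m_i
        exponent //= m                           # D_{i+1} = D_i div m_i
    return chain

def mist_exp(C, chain, N):
    """The MIST loop of the slides, replayed on a recorded chain so runs are reproducible."""
    Q, P = C % N, 1
    for d, m in chain:
        if d != 0:
            P = pow(Q, d, N) * P % N             # P <- Q^d * P mod N
        Q = pow(Q, m, N)                         # Q <- Q^m mod N
    return P                                     # invariant C^D = Q^(D_j) * P gives P = C^D at the end

def mu_delta(chain, j):
    """mu_j = m_0 ... m_{j-1} and delta_j = d_0 + m_0(d_1 + ... + m_{j-2} d_{j-1}) = D mod mu_j."""
    mu, delta = 1, 0
    for d, m in reversed(chain[:j]):             # Horner evaluation of the nested sum
        mu, delta = mu * m, d + m * delta
    return mu, delta

def reconstruct_D(N, E, lower_chain):
    """First attack: top half of D from public (N, E), bottom half from guessed pairs; true D is among the hits."""
    phi_approx = N + 1 - 2 * math.isqrt(N)       # >= phi(N) because p + q >= 2*sqrt(N)
    mu, delta = mu_delta(lower_chain, len(lower_chain))
    hits = set()
    for k in range(1, E):                        # DE = 1 + k*phi(N) for some k < E
        D_approx = (1 + k * phi_approx) // E     # >= true D; slide's assumption: error below mu_j
        for Dj in (D_approx // mu - 1, D_approx // mu):   # D_j known up to 2 values
            cand = mu * Dj + delta                         # D = mu_j * D_j + delta_j
            if cand > 0 and pow(2, E * cand, N) == 2:
                hits.add(cand)
    return hits

def demo():
    chain = mist_chain(D)
    j = next(j for j in range(1, len(chain) + 1) if mu_delta(chain, j)[0] > math.isqrt(D))
    return mist_exp(3, chain, N) == pow(3, D, N), D in reconstruct_D(N, E, chain[:j])
```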
A First Attack (contd)
• By the theorem applied to the lower half of D, the number of choices for digit/base pairs is about N^(3/10) or N^(1/6), depending on how much we assume the attacker knows.
• He has E choices for approximating D, and perhaps 2^32 extra choices if a 32-bit blinding factor is introduced.
• Hence the search space is reduced to about 2^32·E·N^(3/10) or 2^32·E·N^(1/6), according to whether the square-and-multiply pattern or the operand-sharing pattern is known.
A First Attack – conclusion
• Of course, N^(3/10) and N^(1/6) are still over 100 bits for sensible key lengths, and so, even without key blinding, this attack is computationally infeasible.
• The first attack given in the proceedings tackles the similar, but more complex, case in which the most significant digits are guessed instead of the least significant.
A First Attack – as in the paper
• If the most significant part D_j is guessed, then D div D_j = μ_j is known almost exactly.
• μ_j is a product of powers of 2, 3 and 5 only. This property is so rare that the correct D_j is easily determined.
• The next digit/base pair (d_(j–1), m_(j–1)) is chosen to give μ_(j–1) the same property – usually unique.
• So D_j, D_(j–1), D_(j–2), ..., D_1, D_0 = D are all obtained, and the key recovered.
The Second Attack
• This attack uses the Boneh et al. results (derived from Coppersmith) to reduce the dimension of the search space by a factor of 4 instead of 2.
• Theorem. Suppose N = PQ, μ > N^(1/4) and P mod μ is known. Then it is possible to factor N in time polynomial in log(N).
• Boneh uses this with μ a power of 2. We take μ as a product of base choices m. Specifically, μ = μ_j for a large enough j.
Second Attack (contd)
• If there is no key blinding, DE = 1 + kφ(N) for some k < E, where φ(N) = (P–1)(N/P–1).
• Reducing mod μ changes the unknown D to the guessed δ_j, and P to x = P mod μ, say.
• Now DE = 1 + kφ(N) reduced mod μ becomes a quadratic equation in x.
• We solve for x using the CRT. Generally, there are 16 solutions or none (if 2^3×3×5 divides μ).
• Now we can apply the theorem to factor N.
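The quadratic the slide refers to, written out as an added derivation (it is not on the original slides), with x = P mod μ and δ_j = D mod μ:

$$
\begin{aligned}
DE &= 1 + k\,\varphi(N), \qquad \varphi(N) = (P-1)\Bigl(\tfrac{N}{P}-1\Bigr) \\
\Rightarrow\; DEP &= P + k\,(P-1)(N-P) && \text{(multiply both sides by } P\text{)} \\
\Rightarrow\; \delta_j E\, x &\equiv x + k\,(x-1)(N-x) \pmod{\mu} && (D \equiv \delta_j,\; P \equiv x) \\
\Rightarrow\; k\,x^2 + \bigl(\delta_j E - 1 - k(N+1)\bigr)\,x + kN &\equiv 0 \pmod{\mu}.
\end{aligned}
$$

For each k < E the congruence is solved modulo each prime power dividing μ and the roots are combined by the CRT. When k is invertible mod μ there are at most 4 roots modulo 8 and at most 2 modulo each of 3 and 5, which gives the 4 × 2 × 2 = 16 combinations of the slide (or none, if any factor has no root).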
Second Attack – conclusion
• There are N^(3/20) or N^(1/12) pattern-matching cases of δ_j ≈ N^(1/4) to consider;
• E possible choices for 1 + kφ(N);
• B possible blinding factors, say (typically B = 2^32);
• log(N) time to construct and find roots of the quadratic;
• log(N)-polynomial time to factorise N.
• We conclude that N can be factored in time B·E·N^(3/20) or B·E·N^(1/12), times a polynomial in log(N).
• For no blinding, small E and a short key this may be computationally feasible.
Conclusion
• A DPA attack on the MIST algorithm has been augmented using knowledge of the RSA public modulus in several ways.
• The attacks may become computationally feasible if parameters are poorly chosen.
• Other standard algorithms provide no strength against such attacks (e.g. m-ary).
• Standard approaches such as key blinding, longer keys and a larger public exponent all contribute to better security.