 
Attacking RSA–CRT Signatures with Faults on Montgomery Multiplication
Pierre-Alain Fouque (INRIA), Nicolas Guillermin (DGA), Delphine Leresteux (DGA), Mehdi Tibouchi (NTT), Jean-Christophe Zapalowicz (INRIA)
CHES 2012
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 1 / 15
About this talk
Cryptanalysis of RSA–CRT signatures that use the efficient Montgomery multiplication, whatever the encoding function
Fault attacks
Montgomery multiplication algorithm
Classical modular multiplication uses multiplications, additions and divisions
Montgomery multiplication (CIOS) uses... shifts instead of divisions!
⇒ cost only twice that of a non-modular multiplication
$\bar{x} = xR \bmod q$ is the Montgomery representation of $x$ ($R$ constant)
$\mathrm{CIOS}(\bar{x}, \bar{y}) = \bar{x}\bar{y} \cdot R^{-1} \bmod q = xy \cdot R \bmod q$
Classical representation → Montgomery representation: $\mathrm{CIOS}(x, R^2 \bmod q) = xR = \bar{x}$
Montgomery representation → Classical representation: $\mathrm{CIOS}(\bar{x}, 1) = \bar{x}R^{-1} = x$
Exponentiation algorithms
Square-and-Multiply MSB:
  function ExpMSB($x$, $d$, $q$)
    $\bar{x} \leftarrow \mathrm{CIOS}(x, R^2 \bmod q)$
    $A \leftarrow R \bmod q$
    for $i = t$ down to $0$ do
      $A \leftarrow \mathrm{CIOS}(A, A)$
      if $d_i = 1$ then
        $A \leftarrow \mathrm{CIOS}(A, \bar{x})$
    return $\mathrm{CIOS}(A, 1) = x^d \bmod q$
Montgomery Ladder:
  function ExpLadder($x$, $d$, $q$)
    $\bar{x} \leftarrow \mathrm{CIOS}(x, R^2 \bmod q)$
    $A \leftarrow R \bmod q$
    for $i = t$ down to $0$ do
      if $d_i = 0$ then
        $\bar{x} \leftarrow \mathrm{CIOS}(A, \bar{x})$
        $A \leftarrow \mathrm{CIOS}(A, A)$
      else if $d_i = 1$ then
        $A \leftarrow \mathrm{CIOS}(A, \bar{x})$
        $\bar{x} \leftarrow \mathrm{CIOS}(\bar{x}, \bar{x})$
    return $\mathrm{CIOS}(A, 1) = x^d \bmod q$
RSA–CRT signature
$p, q$: two secret primes
$N = pq$: public modulus
$e$: public exponent
$d$: secret exponent, $ed \equiv 1 \pmod{(p-1)(q-1)}$
RSA signature: $S \equiv M^d \bmod N$
RSA–CRT signature (4× faster!!):
  function SignRSA–CRT($M$)
    $S_p \leftarrow M^{d \bmod (p-1)} \bmod p$
    $S_q \leftarrow M^{d \bmod (q-1)} \bmod q$
    $S = \mathrm{CRT}(S_p, S_q) \bmod N$  or  $S = \mathrm{Garner}(S_p, S_q) \bmod N$
    return $S$
Bellcore attack
  function SignRSA–CRT($M$)
    $S_p \leftarrow M^{d \bmod (p-1)} \bmod p$
    $S_q \leftarrow M^{d \bmod (q-1)} \bmod q$
    $S = \mathrm{CRT}(S_p, S_q) \bmod N$  or  $S = \mathrm{Garner}(S_p, S_q) \bmod N$
    return $S$
Attack: a fault on $S_p$ gives $\tilde{S}_p$, hence a faulty signature $\tilde{S}$
$\tilde{S}_p \ne M^d \bmod p$, but $\tilde{S}_q = M^d \bmod q$
$\tilde{S}^e \ne M \bmod p$, but $\tilde{S}^e = M \bmod q$
$\gcd(\tilde{S}^e - M \bmod N, N) = q$
Bellcore attack
  function SignRSA–CRT($m$)
    $M \leftarrow \mu(m) \in \mathbb{Z}_N$
    $S_p \leftarrow M^{d \bmod (p-1)} \bmod p$
    $S_q \leftarrow M^{d \bmod (q-1)} \bmod q$
    $S = \mathrm{CRT}(S_p, S_q) \bmod N$  or  $S = \mathrm{Garner}(S_p, S_q) \bmod N$
    return $S$
$\mu$ = deterministic encoding function ⇒ Attack works!
$\mu$ = probabilistic encoding function:
  random sent with signature ⇒ Attack works!
  otherwise, in general (RSA–PSS...) ⇒ No attack!
For now: we focus on hardware designs for RSA signatures using:
  RSA–CRT
  Montgomery multiplication
regardless of the encoding function
Null faults: Presentation
Fault model: force a small precomputed value to zero
  function CIOS($\bar{x}$, $\bar{y}$)
    $a \leftarrow 0$
    $\bar{y}_0 \leftarrow \bar{y} \bmod 2^r$
    for $j = 0$ to $k-1$ do
      $a_0 \leftarrow a \bmod 2^r$
      $u_j \leftarrow (a_0 + \bar{x}_j \cdot \bar{y}_0) \cdot q' \bmod 2^r$
      $a \leftarrow (a + \bar{x}_j \cdot \bar{y} + u_j \cdot q) / 2^r$
    if $a \ge q$ then $a \leftarrow a - q$
    return $a = \bar{x}\bar{y}R^{-1} \bmod q$
Notation: $r$ is the size of the registers; $k$ is such that $R = 2^{rk}$ ($R > q$, $\gcd(q, R) = 1$); $q' = -q^{-1} \bmod 2^r$ is precomputed; the division by $2^r$ is implemented as a right shift.
Objective: $S = S_q + q \cdot (q^{-1} \cdot (S_p - S_q) \bmod p)$ (Garner)
If $\tilde{S}_q = 0$ then $\gcd(\tilde{S}, N) = q$ with a single faulted signature
Null faults: Attacks
2 possible recombinations:
  Garner: $S = S_q + q \cdot (q^{-1} \cdot (S_p - S_q) \bmod p)$ ⇒ $S_q$ in classical representation required
2 attacks:
  Attacking $\mathrm{CIOS}(A, 1)$ ($A = S_q$)
  Attacking consecutive CIOS steps
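Added example (not code from the paper or the slides): a Python model of the CIOS routine, the Montgomery ladder and the Garner-based RSA–CRT signer described on the previous slides, with a switch that zeroes the precomputed $q'$ in the final $\mathrm{CIOS}(A, 1)$ of $S_q$, the null fault on $\mathrm{CIOS}(A,1)$ named above. It covers both the Bellcore slide and the null-fault slides: the faulted $\tilde{S}_q$ comes out as exactly 0, so $\gcd(\tilde{S}, N)$ (and the Bellcore $\gcd(\tilde{S}^e - M, N)$) is a factor of $N$, and a signer that verifies $S^e \equiv M \bmod N$ before releasing $S$ withholds the faulty signature. The 8-bit register width, the toy key $p = 61, q = 53, e = 17$ and the message are constructed assumptions.

```python
from math import gcd

R_BITS = 8  # r, the register width; constructed toy value (real designs use 32 or 64)

def q_prime(q):
    """The small precomputed value q' = -q^-1 mod 2^r that a null fault forces to 0."""
    return (-pow(q, -1, 1 << R_BITS)) % (1 << R_BITS)

def cios(xb, yb, q, k, qp):
    """CIOS from the slide: xb*yb*R^-1 mod q with R = 2^(rk); qp is q' (possibly faulted)."""
    mask = (1 << R_BITS) - 1
    a = 0
    for j in range(k):
        xj = (xb >> (R_BITS * j)) & mask                 # j-th r-bit word of xb
        uj = ((a & mask) + xj * (yb & mask)) * qp & mask  # u_j = (a_0 + x_j*y_0)*q' mod 2^r
        a = (a + xj * yb + uj * q) >> R_BITS             # exact division by 2^r as a shift
    return a - q if a >= q else a

def exp_ladder(x, d, q, qp_final=None):
    """Montgomery ladder x^d mod q; qp_final replaces q' in the last CIOS(A, 1) only."""
    k = (q.bit_length() + R_BITS - 1) // R_BITS
    R, qp = 1 << (R_BITS * k), q_prime(q)
    xb, A = cios(x % q, R * R % q, q, k, qp), R % q      # x to Montgomery form, A = 1
    for i in range(d.bit_length() - 1, -1, -1):
        if (d >> i) & 1 == 0:
            xb, A = cios(A, xb, q, k, qp), cios(A, A, q, k, qp)
        else:
            A, xb = cios(A, xb, q, k, qp), cios(xb, xb, q, k, qp)
    return cios(A, 1, q, k, qp if qp_final is None else qp_final)  # back to classical form

def sign_crt(M, p, q, d, null_fault=False):
    """RSA-CRT signature with Garner recombination; null_fault zeroes q' in S_q's final CIOS."""
    Sp = exp_ladder(M, d % (p - 1), p)
    Sq = exp_ladder(M, d % (q - 1), q, qp_final=0 if null_fault else None)
    return Sq + q * ((pow(q, -1, p) * (Sp - Sq)) % p)

def sign_checked(M, p, q, d, e, null_fault=False):
    """Countermeasure: verify S^e == M mod N and refuse to release a faulty signature."""
    S = sign_crt(M, p, q, d, null_fault)
    return S if pow(S, e, p * q) == M % (p * q) else None

if __name__ == "__main__":
    p, q, e = 61, 53, 17                      # constructed toy key, not a real RSA key
    d, M = pow(e, -1, (p - 1) * (q - 1)), 1234
    S_bad = sign_crt(M, p, q, d, null_fault=True)
    print("faulted S_q == 0:", S_bad % q == 0, "| gcd(S~, N) =", gcd(S_bad, p * q))
    print("checked signer releases:", sign_checked(M, p, q, d, e, null_fault=True))
```

With the toy key the unchecked signer leaks $q = 53$ from a single faulty signature, while sign_checked returns None for the same fault.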