RSA Implementation Attacks

  • Slides: 73

RSA Implementation Attacks (RSA Attacks, slide 1)

RSA
- Public key: (e, N); private key: d
- Encrypt: C = M^e (mod N)
- Decrypt: M = C^d (mod N)
- Digital signature: sign h(M)
  - In protocols, sign a "challenge": S = M^d (mod N)

Implementation Attacks
- Attacks on the RSA implementation, not on the RSA algorithm per se
- Timing attacks
  - Exponentiation is a very expensive computation
  - Try to exploit differences in timing related to differences in private key bits
- Glitching (fault induction) attack
  - Induced errors may reveal the private key

Modular Exponentiation
- The attacks we discuss arise from precise details of modular exponentiation
- For efficiency, modular exponentiation uses some combination of
  - Repeated squaring
  - Sliding window
  - Chinese Remainder Theorem (CRT)
  - Montgomery multiplication
  - Karatsuba multiplication
- Next, we briefly discuss each of these

Repeated Squaring
- Modular exponentiation example
  - 5^20 = 95367431640625 = 25 (mod 35)
- A better way: repeated squaring
  - 20 = 10100 in base 2; its binary prefixes (1, 10, 101, 1010, 10100) = (1, 2, 5, 10, 20)
  - Note that 2 = 2*1, 5 = 2*2 + 1, 10 = 2*5, 20 = 2*10
  - 5^1 = 5 (mod 35)
  - 5^2 = (5^1)^2 = 25 (mod 35)
  - 5^5 = (5^2)^2 * 5^1 = 25^2 * 5 = 3125 = 10 (mod 35)
  - 5^10 = (5^5)^2 = 10^2 = 100 = 30 (mod 35)
  - 5^20 = (5^10)^2 = 30^2 = 900 = 25 (mod 35)
- No huge numbers, and it is efficient
  - In this example, 5 modular multiplications (4 squarings, 1 multiply) vs about 20 for the naive method

Repeated Squaring
- Repeated squaring algorithm (left-to-right square and multiply)

    // Compute y = x^d (mod N)
    // where, in binary, d = (d_0, d_1, d_2, ..., d_n) with d_0 = 1 (most significant bit)
    s = x
    for i = 1 to n
        s = s^2 (mod N)
        if d_i == 1 then
            s = s * x (mod N)
        end if
    next i
    return s

Sliding Window
- A simple time/memory tradeoff for repeated squaring
- Instead of processing each bit...
- ...process a block of n bits at once
  - Use pre-computed lookup tables
  - Typical value is n = 5
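The window technique in working form, as an added example (this is not code from the deck). It implements the fixed-window variant: the exponent is consumed w bits at a time from a table of x^0 .. x^(2^w - 1) mod N, so each window costs w squarings plus at most one table multiply instead of up to w multiplies. A true sliding window additionally skips runs of zero bits and stores only odd powers; the counting helper shows the operation savings over bit-at-a-time square-and-multiply. Modulus, base and exponent values are constructed test inputs.

```python
"""Fixed-window modular exponentiation, the table-driven relative of repeated squaring."""


def window_exp(x, d, N, w=5):
    """Return x^d mod N, consuming the exponent w bits at a time (MSB first)."""
    if d == 0:
        return 1 % N
    table = [1 % N]                      # table[j] = x^j mod N for 0 <= j < 2^w
    for _ in range((1 << w) - 1):
        table.append(table[-1] * x % N)
    nbits = d.bit_length()
    nwindows = (nbits + w - 1) // w      # pad the exponent to a whole number of windows
    mask = (1 << w) - 1
    s = 1 % N
    for i in range(nwindows - 1, -1, -1):
        for _ in range(w):               # w squarings shift in an empty window
            s = s * s % N
        chunk = (d >> (i * w)) & mask    # the next w exponent bits
        if chunk:                        # at most one multiplication per window
            s = s * table[chunk] % N
    return s


def op_counts(d, w):
    """((squarings, multiplies) with a w-bit window, (squarings, multiplies) bit-at-a-time)."""
    nbits = d.bit_length()
    nwindows = (nbits + w - 1) // w
    mask = (1 << w) - 1
    win_mults = sum(1 for i in range(nwindows) if (d >> (i * w)) & mask)
    return (nwindows * w, win_mults), (nbits - 1, bin(d).count("1") - 1)


if __name__ == "__main__":
    # constructed inputs: the slides' 5^20 mod 35, then a larger check against pow()
    print("5^20 mod 35 =", window_exp(5, 20, 35))
    d = 0xDEADBEEF
    print("matches pow():", window_exp(12345, d, 1000003, 5) == pow(12345, d, 1000003))
    print("ops for a 64-bit all-ones exponent, w=4 vs bitwise:", op_counts(2**64 - 1, 4))
```

The squarings are the same in both methods; the saving is in multiplies (one per window instead of one per set bit), which is exactly why the later Brumley-Boneh slides note that OpenSSL's 5-bit window leaves the attacker fewer multiplies to observe.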

Chinese Remainder Theorem (CRT)
- We want to compute C^d (mod N) where N = pq
- With CRT, we compute C^d modulo p and modulo q, then "glue" them together
- Two modular exponentiations, each with a modulus of size about N^(1/2)
  - As opposed to one with a modulus of size N
- CRT provides a significant speedup

CRT Algorithm
- We know C, d, N, p and q
- Want to compute C^d (mod N) where N = pq
- Pre-compute d_p = d (mod (p - 1)) and d_q = d (mod (q - 1))
- And determine a and b such that
    a = 1 (mod p) and a = 0 (mod q)
    b = 0 (mod p) and b = 1 (mod q)

CRT Algorithm
- We have d_p, d_q, a and b satisfying
    d_p = d (mod (p - 1)) and d_q = d (mod (q - 1))
    a = 1 (mod p) and a = 0 (mod q)
    b = 0 (mod p) and b = 1 (mod q)
- Given C, want to find C^d (mod N)
- Compute: C_p = C (mod p) and x_p = C_p^(d_p) (mod p)
- And: C_q = C (mod q) and x_q = C_q^(d_q) (mod q)
- Solution is: C^d = a x_p + b x_q (mod N)

CRT Example
- Suppose N = 33, p = 11, q = 3 and d = 7
  - Then e = 3, but it is not needed here
- Pre-compute
  - d_p = 7 (mod 10) = 7 and d_q = 7 (mod 2) = 1
  - Also, a = 12 and b = 22 satisfy the conditions
- Suppose we are given C = 5
  - That is, we want to compute C^d = 5^7 (mod 33)
  - Find C_p = 5 (mod 11) = 5 and C_q = 5 (mod 3) = 2
  - And x_p = 5^7 = 3 (mod 11), x_q = 2^1 = 2 (mod 3)
- Easy to verify: 5^7 = 12 * 3 + 22 * 2 = 14 (mod 33)

CRT: The Bottom Line
- Looks like a lot of work
- But it is actually a big "win"
  - Provides a speedup by a factor of about 4
- Any disadvantage?
  - The factors p and q of N must be known
  - Does this violate the "trap door" property? No: CRT is used only for private key operations, where p and q are known anyway

Montgomery Multiplication
- A very clever method to reduce the work in modular multiplication
  - And therefore in modular exponentiation
- Consider computing ab (mod N)
- The expensive part is the modular reduction
- The naive approach requires division
- In some cases, no division is needed...

Montgomery Multiplication
- Consider the product ab = c (mod N)
  - Where the modulus is of the form N = m^k - 1
- Then there exist c_0 and c_1 such that c = c_1 m^k + c_0
- Can rewrite this as c = c_1 (m^k - 1) + (c_1 + c_0) = c_1 + c_0 (mod N)
- In this case, if we can find c_1 and c_0, then no division is required in the modular reduction

Montgomery Multiplication
- For example, consider 3089 (mod 99)
    3089 = 30 * 100 + 89
         = 30 (100 - 1) + (30 + 89)
         = 30 * 99 + (30 + 89)
         = 119 = 20 (mod 99)
- Only one subtraction is required to compute 3089 (mod 99)
- In this case, no division is needed

Montgomery Multiplication
- Montgomery is analogous to the previous example
  - But Montgomery works for any modulus N with gcd(R, N) = 1, i.e. any odd N when R is a power of 2
  - Big speedup for modular exponentiation
- The idea is to convert to "Montgomery form", do the multiplications, then convert back
  - Montgomery multiplication is a highly efficient way to do multiplication and modular reduction
  - In spite of the conversions to and from Montgomery form, this is a BIG win for exponentiation

Montgomery Form
- Consider ab (mod N)
- Choose R = 2^k with R > N and gcd(R, N) = 1
- Also, find R' and N' so that R R' - N N' = 1
- Instead of a and b, we work with a_M = a R (mod N) and b_M = b R (mod N)
- The numbers a_M and b_M are said to be in Montgomery form

Montgomery Multiplication
- Given a_M = a R (mod N), b_M = b R (mod N) and R R' - N N' = 1
- Compute a_M b_M = (a R (mod N))(b R (mod N)) = ab R^2
  - Here ab R^2 denotes the integer product a_M b_M, with no additional mod N reduction; it is congruent to ab R^2 (mod N)
- Note that ab R^2 need not be divisible by R, because of the mod N reductions in a_M and b_M

Montgomery Multiplication
- Given a_M = a R (mod N), b_M = b R (mod N) and R R' - N N' = 1
- Then a_M b_M = (a R (mod N))(b R (mod N)) = ab R^2
- Want a_M b_M to be in Montgomery form
  - That is, want ab R (mod N), not ab R^2
  - Note that R R' = 1 (mod N)
- Looks easy, since ab R^2 R' = ab R (mod N)
- But we want to avoid the costly mod N operation
  - The Montgomery algorithm provides a clever solution

Montgomery Multiplication
- Given ab R^2, R R' - N N' = 1 and R = 2^k
- Want to find ab R (mod N)
  - Without a costly mod N operation (division)
- Note: "mod R" and division by R are easy
  - Since R is a power of 2
- Let X = ab R^2
- Montgomery algorithm on the next slide

Montgomery Reduction
- Have X = ab R^2, R R' - N N' = 1, R = 2^k
- Want to find ab R (mod N)
- Montgomery reduction

    m = (X (mod R)) N' (mod R)
    x = (X + m N) / R
    if x >= N then
        x = x - N        // extra reduction
    end if
    return x

Montgomery Reduction
- Why does Montgomery reduction work?
  - Recall that the input is X = ab R^2
  - Claim: the output is x = ab R (mod N)
- Must carefully examine the main steps of the Montgomery reduction algorithm:
    m = (X (mod R)) N' (mod R)
    x = (X + m N) / R

Montgomery Reduction
- Given X = ab R^2 and R R' - N N' = 1
  - Note that N N' = -1 (mod R)
- Consider m = (X (mod R)) N' (mod R)
  - In words: m is the product of N' and the remainder of X/R, reduced mod R
- Therefore, X + m N = X - (X (mod R)) = 0 (mod R)
  - Implies X + m N is divisible by R
  - Since R = 2^k, the division is simply a shift
- Consequently, it is trivial to compute x = (X + m N) / R

Montgomery Reduction
- Given X = ab R^2 and R R' - N N' = 1
  - Note that R R' = 1 (mod N)
- Consider x = (X + m N) / R
- Then x R = X + m N = X (mod N)
- And x R R' = X R' (mod N)
- Therefore x = x R R' = X R' = ab R^2 R' = ab R (mod N)

Montgomery Example
- Suppose N = 79, a = 61 and b = 5
- Use Montgomery to compute ab (mod N)
- Choose R = 10^2 = 100
  - For human readability, R is a power of 10
  - For a computer, choose R to be a power of 2
- Then a_M = 61 * 100 = 17 (mod 79)
       b_M = 5 * 100 = 26 (mod 79)

Montgomery Example
- Consider ab = 61 * 5 (mod 79)
  - Recall that R = 100
  - So a_M = a R = 17 (mod 79) and b_M = b R = 26 (mod 79)
- The Euclidean algorithm gives 64 * 100 - 81 * 79 = 1
- Then R' = 64 and N' = 81
- Montgomery reduction to determine ab R (mod 79)
- First, X = a_M b_M = 17 * 26 = 442 = ab R^2

Montgomery Example
- Given X = a_M b_M = ab R^2 = 442
- Also have R' = 64 and N' = 81
- Want to determine ab R (mod 79)
- By the Montgomery reduction algorithm
    m = (X (mod R)) N' (mod R) = 42 * 81 = 3402 = 2 (mod 100)
    x = (X + m N) / R = (442 + 2 * 79) / 100 = 600 / 100 = 6
- Verify: ab R = 61 * 5 * 100 = 6 (mod 79)

Montgomery Example
- Have ab R = 6 (mod 79)
- But this number is in Montgomery form
- Convert to non-Montgomery form
  - Recall R R' = 1 (mod N)
  - So ab R R' = ab (mod N)
- For this example, R' = 64 and N = 79
- Find ab = ab R R' = 6 * 64 = 384 = 68 (mod 79)
- Easy to verify: ab = 61 * 5 = 305 = 68 (mod 79)

Montgomery: Bottom Line
- For a single product, it is easier to compute ab (mod N) directly, without the Montgomery algorithm!
- However, for exponentiation, Montgomery is much more efficient
  - For example, to compute M^d (mod N)
- To compute M^d (mod N)
  - Convert M to Montgomery form
  - Do repeated (cheap) Montgomery multiplications
  - Convert the final result to non-Montgomery form

Karatsuba Multiplication
- A more efficient way than "long" multiplication to multiply two numbers of about the same magnitude
  - Assuming "+" is much cheaper than "*"
- For n-bit numbers
  - Karatsuba work factor: n^1.585 (n^log2(3))
  - Ordinary "long" multiplication: n^2
- Based on a simple observation...

Karatsuba Multiplication
- Consider the product (a_0 + a_1 10)(b_0 + b_1 10)
- The naive approach requires 4 multiplies to determine the coefficients:
    a_0 b_0 + (a_1 b_0 + a_0 b_1) 10 + a_1 b_1 10^2
- Same result with just 3 multiplies:
    a_0 b_0 + [(a_0 + a_1)(b_0 + b_1) - a_0 b_0 - a_1 b_1] 10 + a_1 b_1 10^2

Karatsuba Multiplication
- Does Karatsuba work for bigger numbers?
- For example
    c_0 + c_1 10 + c_2 10^2 + c_3 10^3 = C_0 + C_1 10^2
- Where C_0 = c_0 + c_1 10 and C_1 = c_2 + c_3 10
- Can apply Karatsuba recursively to find the product of numbers of any magnitude
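The recursion above carried out in code, as an added example (not from the deck). It splits operands into 16-bit limbs instead of decimal digits, which is how a bignum library would do it, and counts single-limb multiplications so the 3^k-versus-4^k work factor from the first Karatsuba slide can be seen directly: eight limbs cost 27 limb products with Karatsuba and 64 with schoolbook long multiplication. The sample operands are constructed 128-bit values.

```python
"""Karatsuba versus schoolbook multiplication on multi-limb integers."""

LIMB_BITS = 16


def schoolbook(a, b, limbs_a, limbs_b, count):
    """Long multiplication: every limb of a times every limb of b (limbs_a * limbs_b products)."""
    mask = (1 << LIMB_BITS) - 1
    result = 0
    for i in range(limbs_a):
        ai = (a >> (i * LIMB_BITS)) & mask
        for j in range(limbs_b):
            bj = (b >> (j * LIMB_BITS)) & mask
            count[0] += 1                            # one limb x limb product
            result += (ai * bj) << ((i + j) * LIMB_BITS)
    return result


def karatsuba(a, b, limbs, count):
    """Product of a and b, each at most `limbs` limbs wide (limbs a power of two).

    count[0] accumulates single-limb multiplications: 3 per level instead of 4.
    The identity (a1 B + a0)(b1 B + b0) = a1 b1 B^2 + [(a0+a1)(b0+b1) - a0 b0 - a1 b1] B + a0 b0
    holds for any non-negative integers, so the carry out of a0 + a1 needs no special handling here.
    """
    if limbs == 1:
        count[0] += 1
        return a * b
    half = limbs // 2
    shift = half * LIMB_BITS
    mask = (1 << shift) - 1
    a0, a1 = a & mask, a >> shift
    b0, b1 = b & mask, b >> shift
    z0 = karatsuba(a0, b0, half, count)                          # low halves
    z2 = karatsuba(a1, b1, half, count)                          # high halves
    z1 = karatsuba(a0 + a1, b0 + b1, half, count) - z0 - z2      # cross term from one product
    return z0 + (z1 << shift) + (z2 << (2 * shift))


def compare(a, b, limbs):
    """Return (product, karatsuba_limb_mults, schoolbook_limb_mults) for two limbs-wide operands."""
    kc, sc = [0], [0]
    prod = karatsuba(a, b, limbs, kc)
    assert schoolbook(a, b, limbs, limbs, sc) == prod == a * b   # both agree with Python's bignum
    return prod, kc[0], sc[0]


if __name__ == "__main__":
    # constructed sample operands: two 128-bit (8-limb) numbers
    x = 0xDEADBEEF_CAFEBABE_0123456789ABCDEF
    y = 0xFEEDFACE_8BADF00D_FFFFFFFF_00000001
    prod, k, s = compare(x, y, 8)
    print(f"karatsuba limb products: {k}, schoolbook: {s}, correct: {prod == x * y}")
```

A production implementation only recurses while the operands are large (below a cutoff, schoolbook wins because the extra additions cost more than they save) and, as the Brumley-Boneh slides later note, OpenSSL only takes the Karatsuba path when both operands have the same limb count.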

Timing Attacks
- We discuss 3 different attacks
- Kocher's attack
  - Systems that use repeated squaring but not CRT or Montgomery (e.g., smart cards)
- Schindler's attack
  - Repeated squaring, CRT and Montgomery (no real systems use this combination)
- Brumley-Boneh attack
  - CRT, Montgomery, sliding windows, Karatsuba (e.g., OpenSSL)

Kocher's Attack
- Attack on repeated squaring
  - Does not work if CRT or Montgomery is used
  - In most applications, CRT and Montgomery multiplication are used
  - Some resource-constrained devices only use repeated squaring
- This attack is aimed at smartcards

Repeated Squaring
- Repeated squaring algorithm (repeated here for reference)

    // Compute y = x^d (mod N)
    // where, in binary, d = (d_0, d_1, d_2, ..., d_n) with d_0 = 1
    s = x
    for i = 1 to n
        s = s^2 (mod N)
        if d_i == 1 then
            s = s * x (mod N)
        end if
    next i
    return s

Kocher's Attack: Assumptions
- The repeated squaring algorithm is used
- The timing of the multiplication s * x (mod N) in the algorithm varies depending on s and x
  - That is, the multiplication is not constant-time
- Trudy can accurately emulate the timings, given putative s and x
- Trudy can obtain accurate timings of the private key operation, C^d (mod N)

Kocher's Attack
- Recover private key bits one (or a few) at a time
  - Private key: d = d_0, d_1, ..., d_n with d_0 = 1
  - Recover bits in order, d_1, d_2, d_3, ...
- Do not need to recover all bits
  - Can efficiently recover the low-order bits once enough high-order bits are known
  - Coppersmith's algorithm

Kocher's Attack
- Suppose bits d_0, d_1, ..., d_(k-1) are known
- We want to determine bit d_k
- Randomly select C_j for j = 0, 1, ..., m - 1, and obtain timings T(C_j) for C_j^d (mod N)
- For each C_j, emulate steps i = 1, 2, ..., k - 1 of repeated squaring
- At step k, emulate both d_k = 0 and d_k = 1
- The variance of the timing difference will be smaller for the correct choice of d_k

Kocher's Attack
- For example
  - Suppose the private key is 8 bits
  - That is, d = (d_0, d_1, ..., d_7) with d_0 = 1
- Trudy is sure that d_0 d_1 d_2 d_3 is in {1010, 1001}
- Trudy generates random C_j, and for each...
  - She obtains the timing T(C_j) and
  - Emulates d_0 d_1 d_2 d_3 = 1010 and d_0 d_1 d_2 d_3 = 1001
- Let τ_i be the emulated timing for bit i
  - Depends on the bit value that is emulated

Kocher's Attack
- The private key is 8 bits
- Trudy is sure that d_0 d_1 d_2 d_3 is in {1010, 1001}
- Trudy generates random C_j, and for each...
- Define τ_i to be the emulated timing for bit i
  - For i < m, let τ_(i...m) be shorthand for τ_i + τ_(i+1) + ... + τ_m
- Trudy tabulates T(C_j) - τ_(0...3)
- She computes variances
  - Smaller variance "wins"
- See the next slide for a fictitious example...

Kocher's Attack
- Suppose Trudy obtains timings
- For d_0 d_1 d_2 d_3 = 1010, Trudy finds E(T(C_j) - τ_(0...3)) = 6 and var(T(C_j) - τ_(0...3)) = 1/2
- For d_0 d_1 d_2 d_3 = 1001, Trudy finds E(T(C_j) - τ_(0...3)) = 6 and var(T(C_j) - τ_(0...3)) = 1
- Kocher's attack implies d_0 d_1 d_2 d_3 = 1010

Kocher's Attack
- Why does the small variance win?
  - More bits are correct, so less variance
- More precisely, define
    τ_i == emulated timing for bit i
    t_i == actual timing for bit i
      (assume var(t_i) = var(t) for all i)
    u == measurement "error"
- In the previous example (bits 4 through 7 remain unemulated in both cases; 1001 also gets two emulated bits wrong),
  - Correct case: var(T(C_j) - τ_(0...3)) = 4 var(t) + var(u)
  - Incorrect case: var(T(C_j) - τ_(0...3)) = 6 var(t) + var(u)

Kocher's Attack: Bottom Line
- Simple and elegant attack
  - Works provided only repeated squaring is used
  - Limited utility: most RSA implementations use CRT, Montgomery, etc.
- Why does this fail if CRT, etc., are used?
  - Timing variations due to CRT, Montgomery, etc., are included in the error term u
  - Then var(u) would overwhelm the variance due to repeated squaring
  - We see precisely why this is so later...
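Kocher's attack end to end, as an added simulation (not code from the deck). The "device" is a constructed model rather than a real smart card: bit-at-a-time square-and-multiply with a constant-time squaring and a conditional multiply whose cost depends on its operands (here the Hamming weight of s*x mod N, standing in for any data-dependent multiplier), plus Gaussian measurement noise. The attacker side assumes exactly what the Assumptions slide lists: timings of C^d for random C, and the ability to emulate the multiply cost for a guessed prefix of d. For each bit it keeps the guess that leaves the smaller variance in T(C_j) - τ_(0...k), as on the preceding slides. The modulus, exponent and leakage model are toy values chosen for the demonstration.

```python
"""Simulated Kocher timing attack on bit-at-a-time square-and-multiply."""
import random
import statistics

N = 60491            # constructed toy modulus (251 * 241); any odd N works
D = 0b1011001101     # constructed 10-bit private exponent, MSB d_0 = 1


def multiply_time(s, x, N):
    """Leakage model (constructed): cycles spent on s*x mod N depend on the operands."""
    return bin(s * x % N).count("1")


def partial_time(C, bits, N):
    """Emulate square-and-multiply over the given leading exponent bits.
    Returns (state s after those bits, modelled time spent so far)."""
    s = C % N
    t = 0
    for bit in bits[1:]:                 # bits[0] is the leading 1: no work
        s = s * s % N                    # squaring: modelled as constant time
        if bit:
            t += multiply_time(s, C, N)  # the data-dependent step
            s = s * C % N
    return s, t


def device_decrypt(C, d, N, rng, noise=1.0):
    """The victim: returns (C^d mod N, measured time) including measurement noise u."""
    bits = [int(b) for b in bin(d)[2:]]
    s, t = partial_time(C, bits, N)
    return s, t + rng.gauss(0.0, noise)


def kocher_attack(timings, nbits, N):
    """Recover d from (ciphertext, time) pairs alone, one bit at a time."""
    known = [1]                          # d_0 = 1 by convention
    for _ in range(1, nbits):
        best = None
        for guess in (0, 1):
            residual = [T - partial_time(C, known + [guess], N)[1] for C, T in timings]
            v = statistics.pvariance(residual)
            if best is None or v < best[0]:
                best = (v, guess)
        known.append(best[1])            # the smaller variance wins
    return int("".join(map(str, known)), 2)


def run(samples=4000, seed=1):
    """Collect timings from the device for random ciphertexts, then attack; returns (recovered, D)."""
    rng = random.Random(seed)
    timings = []
    for _ in range(samples):
        C = rng.randrange(2, N - 1)
        _, T = device_decrypt(C, D, N, rng)
        timings.append((C, T))
    return kocher_attack(timings, D.bit_length(), N), D


if __name__ == "__main__":
    recovered, actual = run()
    print(f"recovered d = {recovered:#b}, actual d = {actual:#b}, match = {recovered == actual}")
```

Each wrong guess leaves one extra unexplained (or wrongly subtracted) multiply in the residual, which is the var(t) gap the previous slide computes; the gap is the same size at every bit, while the unexplained remainder shrinks, so later bits are easier than earlier ones. Turning the squaring into a data-dependent operation as well, or adding a large noise term, is the quickest way to see the "var(u) overwhelms the signal" failure mode described above.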

Schindler's Attack
- Assume repeated squaring, the Montgomery algorithm and CRT are all used
- Not aimed at any real system
  - Optimized systems also use Karatsuba for numbers of the same magnitude and "long" multiplication for other numbers
  - Schindler's attack will not work in such cases
- But this attack is an important stepping stone to the next attack (Brumley-Boneh)

Schindler's Attack
- Montgomery algorithm (shown as a figure on the slide)

Schindler's Attack
- Repeated squaring with Montgomery (shown as a figure on the slide)

Schindler's Attack
- CRT is also used
  - For each mod N reduction, where N = pq
  - Compute the mod p and mod q reductions
  - Use the repeated squaring algorithm on the previous slide for both
- Trudy chooses ciphertexts C_j
  - Obtains accurate timings of C_j^d (mod N)
  - Goal is to recover a factor of N, and hence d

Schindler's Attack
- Takes advantage of the "extra reduction"
- Suppose a_M = a R (mod N) and B is random
  - That is, B is uniform in {0, 1, 2, ..., N - 1}
- Schindler determined the probability of an extra reduction in Montgomery(a_M, B) (formula shown on the slide)

Schindler's Attack
- Repeated squaring, aka square and multiply
  - Square: s_M = Montgomery(s_M, s_M)
  - Multiply: s_M = Montgomery(s_M, t_M)
- Probability of an extra reduction in "multiply": (formula shown on the slide)
- Probability of an extra reduction in "square": (formula shown on the slide)

Schindler's Attack
- Consider using CRT
- First step and the quantities it uses: (formulas shown on the slide)
- Suppose in this computation there are k_0 multiplies and k_1 squares
- Expected number of extra reductions: (formula shown on the slide)

Schindler's Attack
- Expected extra reductions: (formula shown on the slide)
- Discontinuity at every integer multiple of p

Schindler's Attack
- How to take advantage of this?
- If the chosen ciphertext C_0 is close to C_1
  - By continuity, the timing T(C_0) is close to T(C_1)
- However, if C_0 < kp < C_1, then T(C_0) - T(C_1) is "large" due to the discontinuity
- Note: the total number of extra reductions includes those for the factors p and q
  - Discontinuities at all multiples of p and q
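One Python block serving both the Montgomery slides and the Schindler slides above, as an added example (not code from the deck). The first part reproduces the deck's worked example (N = 79, R = 100, 61 * 5): R' and N' with R R' - N N' = 1, the reduction m = (X mod R) N' mod R, x = (X + m N)/R, and a full Montgomery exponentiation (convert in, square-and-multiply, convert out). The second part counts how often the extra reduction fires. The probabilities the slides lost in extraction are assumed here from Schindler's result and checked by a Monte Carlo estimate: for a fixed Montgomery-form operand g and a uniform operand B, P[extra reduction in Montgomery(g, B)] is about g/(2R), and for a squaring of a uniform operand about N/(3R). The last function sweeps the base of a mod-p exponentiation across p (feeding the Montgomery-form value directly, which an attacker arranges by submitting g R^-1 mod N) and shows the jump in extra-reduction count at p. The 16-bit prime, exponent and R are constructed toy sizes.

```python
"""Montgomery multiplication with an extra-reduction counter, and Schindler's discontinuity."""
import random


def mont_setup(N, R):
    """Return (R', N') with R*R' - N*N' = 1 (requires gcd(R, N) = 1, i.e. odd N for R = 2^k)."""
    Rinv = pow(R, -1, N)                 # R' = R^-1 mod N
    Nprime = (R * Rinv - 1) // N         # exact by construction
    assert R * Rinv - N * Nprime == 1
    return Rinv, Nprime


def mont_reduce(X, N, R, Nprime):
    """Montgomery reduction of X < N*R: returns (X * R^-1 mod N, extra_reduction_flag)."""
    m = (X % R) * Nprime % R             # "mod R" is a mask when R = 2^k
    x = (X + m * N) // R                 # exact division: a shift when R = 2^k
    if x >= N:
        return x - N, 1                  # the "extra reduction"
    return x, 0


def mont_mul(aM, bM, N, R, Nprime):
    """Montgomery product of two Montgomery-form inputs: (ab R mod N, extra_reduction_flag)."""
    return mont_reduce(aM * bM, N, R, Nprime)


def mont_exp(x, d, N, R, base_in_mont_form=False):
    """x^d mod N (d >= 1) by left-to-right square-and-multiply on Montgomery forms.
    Returns (result, total extra reductions). With base_in_mont_form, x is used as
    the Montgomery-form operand directly (the attacker's g R^-1 trick)."""
    _, Nprime = mont_setup(N, R)
    extras = 0
    if base_in_mont_form:
        xM = x % N
    else:
        xM, e = mont_mul(x % N, R * R % N, N, R, Nprime)   # x -> x R mod N
        extras += e
    s = xM                               # Montgomery form of x^1
    for bit in bin(d)[3:]:               # skip "0b" and the leading 1
        s, e = mont_mul(s, s, N, R, Nprime)                # square
        extras += e
        if bit == "1":
            s, e = mont_mul(s, xM, N, R, Nprime)           # multiply
            extras += e
    out, e = mont_mul(s, 1, N, R, Nprime)                  # s R -> s (convert out)
    return out, extras + e


def extra_reduction_rate(g, N, R, trials, seed=0):
    """Monte Carlo estimate of P[extra reduction in Montgomery(g, B)] for B uniform in [0, N)."""
    rng = random.Random(seed)
    _, Nprime = mont_setup(N, R)
    hits = sum(mont_mul(g, rng.randrange(N), N, R, Nprime)[1] for _ in range(trials))
    return hits / trials


def extras_near_multiple(p, d, R, width):
    """Mean extra-reduction count of g^d mod p (g taken as Montgomery form) for the
    `width` values just below p versus just above p: the drop is Schindler's discontinuity."""
    below = [mont_exp(g, d, p, R, True)[1] for g in range(p - width, p)]
    above = [mont_exp(g, d, p, R, True)[1] for g in range(p + 1, p + 1 + width)]
    return sum(below) / width, sum(above) / width


if __name__ == "__main__":
    Rp, Np = mont_setup(79, 100)
    print("R' =", Rp, "N' =", Np, "Montgomery(17, 26) =", mont_mul(17, 26, 79, 100, Np)[0])
    print("61^5 mod 79 =", mont_exp(61, 5, 79, 100)[0], "check:", pow(61, 5, 79))
    P, R = 65521, 1 << 16                # constructed: 16-bit prime, R = 2^16
    print("P[extra] for g = P-1:", extra_reduction_rate(P - 1, P, R, 20000),
          "vs g/(2R) =", round((P - 1) / (2 * R), 4))
    print("mean extras just below / just above P:", extras_near_multiple(P, 0xA5F3, R, 100))
```

Below p the multiplies by g each fire an extra reduction with probability near 1/2; just above p the device first reduces g mod p to a tiny value and those extra reductions vanish, while the squarings contribute the same background in both cases. That step in the count is the timing discontinuity Schindler's bracketing algorithm on the next slide looks for.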

Schindler's Attack: Algorithm
- Select an initial value x and an offset Δ
- Let C_i = x + iΔ for i = 0, 1, 2, ...
- Compute t_i = T(C_(i+1)) - T(C_i) for i = 0, 1, 2, ...
- Eventually, "bracket" a multiple of p
  - That is, C_i < kp < C_(i+1)
  - Detect this since t_i is large
- Then compute gcd(n, N) for all C_i <= n <= C_(i+1)
  - gcd(kp, N) = p, and gcd(n, N) = 1 otherwise (unless n happens to be a multiple of q, which also factors N)

Schindler's: Bottom Line
- Clever attack if repeated squaring, Montgomery multiplication and CRT are used
  - Crucial insight: extra reductions in the Montgomery algorithm create a timing side channel
- However, the attack is not applicable to any real-world implementation
  - Optimized implementations also use Karatsuba
  - Karatsuba tends to counteract the timing difference caused by extra reductions

Brumley-Boneh Attack
- CRT, Montgomery multiplication, sliding windows and Karatsuba
- Optimized RSA uses all of these
- The Brumley-Boneh attack is robust
  - Works against OpenSSL over a network
  - Network timing variations are large
- The ultimate timing attack (to date)

Brumley-Boneh Attack
- Designed to attack RSA in OpenSSL
  - Highly optimized implementation
  - CRT, repeated squaring, Montgomery multiply, sliding window (5 bits)
  - Karatsuba multiply for numbers of the same magnitude; long multiplication otherwise
- Kocher's attack fails due to CRT
- Schindler's attack fails due to Karatsuba
- Brumley-Boneh extends Schindler's attack

Brumley-Boneh Attack
- RSA in OpenSSL has two timing issues
  - Montgomery extra reductions
  - Karatsuba versus long multiplication
- These 2 tend to counteract each other
  - More extra reductions (slower) occur when Karatsuba multiply (faster) is used
  - Fewer extra reductions (faster) occur when long multiply (slower) is used

Brumley-Boneh Attack
- Consider C_M, the Montgomery form of C
- Suppose C_M is close to p with C_M > p
  - The number of extra Montgomery reductions is small
  - Since C_M (mod p) is small, long multiply is used
- Suppose C_M is close to p with C_M < p
  - The number of extra Montgomery reductions is large
  - Since C_M (mod p) is also close to p, Karatsuba multiply is used
- What to do?

Brumley-Boneh Attack
- Two timing effects: Montgomery extra reductions and the Karatsuba effect
  - Each dominates at different points in the attack
- Implies Schindler's attack could not recover bits where the Karatsuba effect dominates
- Brumley-Boneh recovers the factor p of the modulus N = pq one bit at a time
  - In this sense, analogous to Kocher's attack, but unlike Schindler's attack

Brumley-Boneh Attack: Step 1
- Denote the bits of p as p = (p_0, p_1, p_2, ..., p_n)
  - Where p_0 = 1
- Suppose p_1, p_2, ..., p_(i-1) have been determined
- Choose C_0 = (p_0, p_1, ..., p_(i-1), 0, 0, ..., 0)
- Choose C_1 = (p_0, p_1, ..., p_(i-1), 1, 0, ..., 0)
- Note
  - If p_i is 1, then C_0 < C_1 <= p
  - If p_i is 0, then C_0 <= p < C_1

Brumley-Boneh Attack: Step 2
- Obtain decryption times T(C_0) and T(C_1)
- Let Δ = T(C_0) - T(C_1)
- If C_0 < C_1 < p (so p_i = 1) then Δ is small
- If C_0 < p < C_1 (so p_i = 0) then Δ is large
- Previous Δ values are used to set the large/small thresholds
- Works provided that either extra reductions or Karatsuba dominates at each step
  - See the next slide...

Brumley-Boneh Attack: Step 2
- If p_i = 1 then C_0 < C_1 < p
  - Extra reductions are about the same for both
  - Karatsuba multiply is used for both, since the mod p magnitudes are the same
  - Expect Δ to be "small"
- If p_i = 0 then C_0 < p < C_1
  - If extra reductions dominate, T(C_0) - T(C_1) > 0
  - If Karatsuba vs long multiplication dominates, T(C_0) - T(C_1) < 0
  - In either case, expect |Δ| to be "large"

Brumley-Boneh Attack: Step 3
- Repeat steps 1 and 2
- Recover bits p_(i+1), p_(i+2), p_(i+3), ...
- When half of the bits of p are recovered, use Coppersmith's algorithm to factor N
- Then the exponent d is easily recovered

Brumley-Boneh Attack: Real-World Issues
- In OpenSSL, sliding windows are used
  - Greatly reduces the number of multiplies
  - Statistical methods must be used: repeated measurements, testing nearby values, etc.
- OpenSSL attack over a network
  - Statistical methods needed
  - Attack is surprisingly robust
- Over a realistic network, a 1024-bit modulus was factored with 1.4 M chosen ciphertexts

Brumley-Boneh: Bottom Line
- A major cryptanalytic achievement
- Surprising that it is robust enough to overcome network variations
- Resulted in changes to OpenSSL (RSA blinding was turned on by default)
  - And in other RSA implementations
- Brumley-Boneh is a realistic threat!

Preventing Timing Attacks
- Several methods have been suggested
- The best solution is RSA blinding (in practice combined with constant-time arithmetic)
- To decrypt C, generate a random r, then Y = r^e C (mod N)
- Decrypt Y, then multiply by r^(-1) (mod N):
    r^(-1) Y^d = r^(-1) (r^e C)^d = r^(-1) r C^d = C^d (mod N)
- Since r is random, Trudy cannot obtain timing info from her choice of C
  - Slight performance penalty

Glitching Attack
- An induced error reveals the private key
- CRT leads to a simple glitching attack
- A single glitch may allow Trudy to factor the modulus!
- A realistic threat to smartcards
  - And other systems where the attacker has physical access (e.g., trusted computing)

CRT
- Consider CRT for signing M
- Let M_p = M (mod p) and M_q = M (mod q)
- Let d_p = d (mod (p - 1)) and d_q = d (mod (q - 1))
- Let x_p = M_p^(d_p) (mod p) and x_q = M_q^(d_q) (mod q)
- Sign: S = M^d (mod N) = a x_p + b x_q (mod N), where
    a = 1 (mod p) and a = 0 (mod q)
    b = 0 (mod p) and b = 1 (mod q)

Glitching Attack
- Trudy forces a single error to occur
- Suppose x_q' is computed in place of x_q
  - But x_p is computed correctly
  - That is, the error is in the M_q or x_q computation
- The "signature" is S' = a x_p + b x_q' (mod N)
- Trudy knows an error has occurred since (S')^e (mod N) != M

Glitching Attack
- Trudy has forced an error
- Trudy has S' = a x_p + b x_q' (mod N), where
    a = 1 (mod p) and a = 0 (mod q)
    b = 0 (mod p) and b = 1 (mod q)
- Then S' (mod p) = x_p = (M (mod p))^(d (mod (p - 1))) (mod p)
  - Follows from the definitions of x_p and a

Glitching Attack
- Trudy has forced an error, so that S' (mod p) = x_p = (M (mod p))^(d (mod (p - 1))) (mod p)
- It follows that (S')^e = M (mod p), since e d_p = e d = 1 (mod (p - 1))
  - That is, (S')^e - M = kp for some k
- Also, (S')^e != M (mod q), because x_q' is wrong
  - Then (S')^e - M is not a multiple of the factor q
- Therefore, gcd(N, (S')^e - M) reveals a nontrivial factor of N, namely p

Glitching: Bottom Line
- A single glitch can break some systems
- A realistic threat
- Even if the probability of an error is small, the advantage lies with the attacker
- Glitches can also break some RSA implementations where CRT is not used
- Standard countermeasure: check (S)^e = M (mod N) before releasing a signature, and never output a value that fails the check
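The CRT signing routine, the blinding countermeasure from the timing-attack slides, and the single-fault attack above, in one added Python example (not code from the deck). crt_sign() follows the deck's a, b "glue" construction and reproduces its example (N = 33, p = 11, q = 3, d = 7, C = 5 gives 14). A simulated glitch corrupts x_q only; fault_attack() recovers p from that one faulty signature with a single gcd, exactly as derived on the Glitching Attack slides. release_signature() is the verify-before-release guard that keeps a faulted value from ever leaving the device, and blinded_decrypt() wraps the same CRT routine in RSA blinding. The second key (p = 1000003, q = 999983, e = 65537) is a constructed toy key, far too small for real use.

```python
"""CRT signing, the Bellcore single-fault attack, verify-before-release, and RSA blinding."""
from math import gcd
import random


def crt_params(p, q, d):
    """Precompute d_p, d_q and the CRT coefficients a, b of the slides."""
    N = p * q
    dp, dq = d % (p - 1), d % (q - 1)
    a = q * pow(q, -1, p)                # a = 1 (mod p), a = 0 (mod q)
    b = p * pow(p, -1, q)                # b = 0 (mod p), b = 1 (mod q)
    return N, dp, dq, a, b


def crt_sign(M, p, q, d, fault_in_q=False):
    """S = M^d mod N via CRT. With fault_in_q, x_q is corrupted (the simulated glitch)."""
    N, dp, dq, a, b = crt_params(p, q, d)
    xp = pow(M % p, dp, p)
    xq = pow(M % q, dq, q)
    if fault_in_q:
        xq = (xq + 1) % q                # any wrong x_q will do; x_p stays correct
    return (a * xp + b * xq) % N


def fault_attack(S_bad, M, e, N):
    """One faulty signature on a known message: gcd(N, S'^e - M) is a nontrivial factor of N."""
    return gcd(N, (pow(S_bad, e, N) - M) % N)


def release_signature(M, p, q, d, e, fault_in_q=False):
    """Countermeasure: verify S^e = M (mod N) before releasing; return None on mismatch."""
    N = p * q
    S = crt_sign(M, p, q, d, fault_in_q)
    return S if pow(S, e, N) == M % N else None


def blinded_decrypt(C, p, q, d, e, rng=None):
    """RSA blinding: exponentiate r^e C instead of the attacker's C, then strip r."""
    N = p * q
    rng = rng or random.SystemRandom()   # blinding factors must be unpredictable
    while True:
        r = rng.randrange(2, N)
        if gcd(r, N) == 1:
            break
    Y = pow(r, e, N) * C % N             # the attacker does not control this value
    X = crt_sign(Y, p, q, d)             # timing now depends on r, not on the chosen C
    return X * pow(r, -1, N) % N


if __name__ == "__main__":
    # slide example: N = 33, p = 11, q = 3, d = 7, C = 5 -> 14
    print("CRT 5^7 mod 33 =", crt_sign(5, 11, 3, 7), "(expected 14)")
    # constructed toy key: p, q prime, e = 65537, d = e^-1 mod (p-1)(q-1)
    p, q, e = 1000003, 999983, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    N = p * q
    M = 0x1234567                        # constructed message, already reduced mod N
    S_bad = crt_sign(M, p, q, d, fault_in_q=True)
    print("faulty signature verifies:", pow(S_bad, e, N) == M)
    print("recovered factor:", fault_attack(S_bad, M, e, N), "p =", p)
    print("guarded release of faulty signature:", release_signature(M, p, q, d, e, True))
    print("blinded decrypt correct:", blinded_decrypt(M, p, q, d, e) == pow(M, d, N))
```

The attack needs the message M (or the public key and a correct signature, in the variant that uses S - S'), so a device that refuses to emit anything unverified removes the attacker's oracle; blinding alone does not, because the fault lands after the blinding factor is applied and the gcd still works on the unblinded, faulty output.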

Conclusions
- Timing attacks are real!
  - A serious issue for public key (symmetric key too?)
- Glitching attacks are also serious in some cases
- These attacks are not traditional cryptanalysis
  - Here, Trudy does not play by the rules
- Crypto security is more than strong algorithms
  - Also need "strong" implementations
  - The good guys must think outside the box
  - Attackers will exploit any weak link