Seeing through Mist Given a Small Fraction of a Key

Seeing through MIST given a Small Fraction of an RSA Private Key
Colin D. Walter
[email protected]
Comodo Research Lab (Bradford, UK)
www.comodogroup.com
1/16
Overview
• History
• The MIST Algorithm
• Threat Assumptions – a Theorem
• First Reconstruction of the Key
• Second Reconstruction of the Key
• Conclusion
RSA 2003
Colin D. Walter, Comodo Research Lab, Bradford
Next Generation Digital Security Solutions
History
• C. D. Walter Exponentiation using Division Chains
IEEE TC 47, 1998
• C. D. Walter MIST: An Efficient, Randomized
Exponentiation Algorithm for Resisting Power Analysis
CT-RSA 2002, LNCS 2271
• C. D. Walter Some Security Aspects of the MIST
Randomized Exponentiation Algorithm
CHES 2002, LNCS 2523
• Boneh, Durfee & Frankel Exposing an RSA Private
Key given a Small Fraction of its Bits
AsiaCrypt 98, LNCS 1514
Reversed m-ary Expn
{ To compute: P = C^D mod N }
Q ← C;
P ← 1;
While D > 0 do
Begin
    d ← D mod m;
    If d ≠ 0 then
        P ← Q^d × P mod N;
    Q ← Q^m mod N;
    D ← D div m;
    { Invariant: C^{D_init} = Q^D × P mod N }
End;
The MIST Expn Algorithm
{ To compute: P = C^D mod N }
Q ← C;
P ← 1;
While D > 0 do
Begin
    Choose a random base m (from {2,3,5}, say);
    d ← D mod m;
    If d ≠ 0 then
        P ← Q^d × P mod N;
    Q ← Q^m mod N;
    D ← D div m;
    { Invariant: C^{D_init} = Q^D × P mod N }
End;
Security Strength
THEOREM (CHES 2002)
After a MIST exponentiation C^D mod N using a
typical, efficient choice of parameters:
• The number of exponents with the same pattern
  of squares and multiplies is at least D^{3/5}.
• The number of exponents with the same pattern
  of operand sharing is about D^{1/3}.
With just this information it is computationally
infeasible to search for D.
We will now improve these results
using knowledge of the public modulus N.
Notation
The chosen digit/base pairs (d_i, m_i) satisfy
  D = d_0 + m_0(d_1 + m_1(d_2 + m_2(... d_n)...))
Define
  D_j = d_j + m_j(d_{j+1} + m_{j+1}(d_{j+2} + m_{j+2}(... d_n)...))
  δ_j = d_0 + m_0(d_1 + m_1(d_2 + m_2(... d_{j–1})...))
  μ_j = m_0 m_1 m_2 ... m_{j–1}
Then
  δ_j = D mod μ_j
  D_j = D div μ_j
  D = μ_j D_j + δ_j
A First Attack
• Let N = PQ for primes P and Q of equal bit length.
It is easy to show φ(N) lies in an interval of length < ⅛√N
So the top half of φ(N) is known (whatever base is chosen)
when N is known.
• Assume no exponent blinding.
Since the encryption key E is also known,
the top half of D becomes known to within E possibilities
(which the attacker can try in turn to find one which works).
• The attacker “guesses” the lower half of D: he uses DPA
  to determine enough choices of digit/base pairs (d_0, m_0),
  (d_1, m_1), (d_2, m_2), ..., (d_{j–1}, m_{j–1}) such that μ_j = ∏_i m_i > √D.
A First Attack contd
The attacker has “guessed” μ_j and δ_j.
He then computes an approximation for
  D_j = D div μ_j
using his approximation for D.
Since D is known to an accuracy with error less than μ_j,
D_j (the upper half of D) is determined
up to a choice of at most 2 values.
So D = μ_j D_j + δ_j is determined
up to a couple of possibilities
– and the secret key is obtained.
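As an added worked example (not the author's code), the MIST loop and the notation slide's identities in Python, on a constructed 40-bit toy key: the loop checks the slide's invariant at every step, mu_delta recovers μ_j and δ_j from the first j digit/base pairs, and candidates_for_d shows that an approximation D~ with one-sided error below μ_j leaves only two candidates for D. The approximation D~ is constructed directly from D here; it stands in for the top-half estimate the slide derives from N and E.

```python
import math
import random
BASES = (2, 3, 5)  # the slide's example base set

def mist_exp(c, d, n, rng):
    """MIST exponentiation as on the slide: returns c^d mod n plus the chosen
    digit/base pairs (d_i, m_i), i = 0, 1, ..., least significant first."""
    d_init, q, p, pairs = d, c % n, 1, []
    while d > 0:
        m = rng.choice(BASES)             # random base m_i
        digit = d % m                     # d_i = D mod m_i
        if digit != 0:
            p = pow(q, digit, n) * p % n  # P <- Q^d * P mod N
        q = pow(q, m, n)                  # Q <- Q^m mod N
        d //= m                           # D <- D div m
        pairs.append((digit, m))
        assert pow(c, d_init, n) == pow(q, d, n) * p % n  # slide invariant
    return p, pairs

def mu_delta(pairs, j):
    """mu_j = m_0...m_{j-1} and delta_j = d_0 + m_0(d_1 + ...), so delta_j = D mod mu_j."""
    mu, delta = 1, 0
    for digit, m in reversed(pairs[:j]):
        delta, mu = digit + m * delta, mu * m
    return mu, delta

def first_j_exceeding(pairs, bound):
    """Smallest j with mu_j > bound (the slide needs mu_j > sqrt(D))."""
    j, mu = 0, 1
    while mu <= bound:
        mu, j = mu * pairs[j][1], j + 1
    return j

def candidates_for_d(d_approx, pairs, j):
    """With D~ <= D < D~ + mu_j, D div mu_j is q or q+1, so D = mu_j*D_j + delta_j has two candidates."""
    mu, delta = mu_delta(pairs, j)
    q = d_approx // mu
    return [mu * q + delta, mu * (q + 1) + delta]

def demo(seed=2003):
    """Constructed toy key (40-bit N, not a real key) exercising the identities."""
    rng = random.Random(seed)
    p_, q_, e = 1000003, 1000033, 65537
    n, d = p_ * q_, pow(e, -1, (p_ - 1) * (q_ - 1))
    result, pairs = mist_exp(12345, d, n, rng)
    j = first_j_exceeding(pairs, math.isqrt(d))
    mu, delta = mu_delta(pairs, j)
    d_approx = d - rng.randrange(mu)  # constructed approximation with error < mu_j
    return {"ok": result == pow(12345, d, n), "delta_ok": delta == d % mu,
            "d": d, "cands": candidates_for_d(d_approx, pairs, j)}
```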
A First Attack contd
By the theorem applied to the lower half of D, the number of
choices for digit/base pairs is about N^{3/10} or N^{1/6},
depending on how much we assume the attacker knows.
He has E choices for approximating D and perhaps 2^{32} extra
choices if a 32-bit blinding factor is introduced.
Hence the search space is reduced to about
  2^{32} E N^{3/10}
or
  2^{32} E N^{1/6}
according to whether the square-and-multiply pattern or the operand-sharing pattern is known.
A First Attack - conclusion
– Of course, N^{3/10} and N^{1/6} are still over
  100 bits for sensible key lengths
  and so, even without key blinding,
  this attack is computationally infeasible.
– The first attack given in the proceedings
tackles the similar, but more complex,
case of assuming
the most significant digits are guessed
instead of the least significant.
A First Attack - as in paper
– If the most significant part D_j is guessed then
  D div D_j = μ_j
  is known almost exactly.
– μ_j is a product of powers of 2, 3, 5 only. This property
  is so rare that the correct D_j is easily determined.
– The next digit/base pair (d_{j–1}, m_{j–1}) is chosen to give
  μ_{j–1} the same property – usually unique.
– So D_j, D_{j–1}, D_{j–2}, ..., D_1, D_0 = D are all obtained,
  and the key recovered.
The Second Attack
– This attack uses the Boneh et al. results (derived
  from Coppersmith) to reduce the dimension of the
  search space by a factor of 4 instead of 2.
– Theorem. Suppose N = PQ, μ > N^{1/4} and
  P mod μ is known. Then it is possible to factor
  N in time polynomial in log(N).
– Boneh uses this with μ a power of 2.
  We take μ as a product of base choices m.
  Specifically, μ = μ_j for a large enough j.
Second Attack contd
– If there is no key blinding, DE = 1 + kφ(N)
  for some k < E, where φ(N) = (P–1)(N/P–1).
– Reducing mod μ changes the unknown D to the
  guessed δ_j and P to x = P mod μ, say.
– Now DE = 1 + kφ(N) reduced mod μ
  becomes a quadratic equation in x.
– We solve for x using the CRT. Generally, there are
  16 solutions or none (if 2^3×3×5 divides μ).
– Now we can apply the theorem to factor N.
Second Attack conclusion
– There are N^{3/20} or N^{1/12} pattern-matching cases
  of δ_j ≈ N^{1/4} to consider;
– E possible choices for 1 + kφ(N);
– B possible blinding factors, say (typically B = 2^{32});
– log(N) time to construct & find roots of the quadratic;
– time polynomial in log(N) to factorise N.
⇒ We conclude that N can be factored in time
  B E N^{3/20} or B E N^{1/12} times a polynomial in log(N).
⇒ For no blinding, small E & a short key
  this may be computationally feasible.
Conclusion
• A DPA attack on the MIST algorithm has
been augmented using knowledge of the RSA
public modulus in several ways.
• The attacks may become computationally
feasible if parameters are poorly chosen.
• Other standard algorithms provide no
strength against such attacks (e.g. m-ary).
• Standard approaches such as key blinding,
longer keys, & larger public exponent
all contribute to better security.