Page 1
Introduction | Description of the attack | Conclusion
Why One Should Also Secure RSA Public Key Elements
Eric Brier, Benoît Chevallier-Mames, Mathieu Ciet and Christophe Clavier
Gemalto, Security Labs
CHES 2006, Yokohama - October 13, 2006
Eric Brier, Benoît Chevallier-Mames, Mathieu Ciet and Christophe Clavier, CHES 2006, Yokohama
Page 2
Outline
1 Introduction
  Previous work
  Our attack
  The threat model
2 Description of the attack
  Common Principle
  The bias based variant
  The collision based variant
  The full consistency exploitation variant
3 Conclusion
  Some interesting properties
  Counter-measures
  Open problems
Page 4
What is it about?
Fault analysis on public key cryptosystems by corrupting the value of public parameters.
Motivation
It is usually considered less important to secure public parameters than private ones.
Page 6
Previous work
Elliptic Curve Cryptosystems
Differential Fault Attacks on Elliptic Curve Cryptosystems [BMV00], Crypto 2000
Elliptic Curve Cryptosystems in the Presence of Permanent and Transient Faults [CJ05], Designs, Codes and Cryptography, 2005
Principle: alter the public parameters of the curve so that the base point of the discrete logarithm has small order.
RSA
On authenticated computing and RSA-based authentication [Sei05], ACM-CCS 2005
Is it wise to publish your Public RSA Keys? [GS06], FDTC 2006
These works allow a forged signature on a chosen message to be accepted (e.g. a malicious applet), but . . .
  they do not reveal the signer's RSA key
  they rely on some specific fault model
Page 16
Our attack
Our attack also works by modifying only public elements, but . . .
. . . it also applies to other RSA functions (in standard mode, i.e. without CRT):
  signature (with predictable padding, e.g. FDH or PFDH)
  decryption
It allows a full break of the secret key: the private exponent d is revealed.
It comes in three flavours, one of which does not rely on any fault model.
It has not been realized in practice, but has been validated by extensive simulations.
Page 24
The threat model
Given a public RSA key (e, n), the attacker is able to obtain many faulty signatures for known, varying inputs.
A faulty signature is one computed modulo a corrupted modulus value n′:
  s′ = µ^d mod n′
Example: on a smart card, the modulus value is altered during its transfer from NVM to RAM.
Page 28
Outline
2 Description of the attack
  Common Principle
  The bias based variant
  The collision based variant
  The full consistency exploitation variant
Page 29
Common Principle
Our attack comes with three variants:
1 The bias based variant (does not rely on any fault model)
2 The collision based variant
3 The full consistency exploitation variant
All variants aim at accumulating the knowledge of d mod q_j for many small primes q_j.
Whenever ∏_j q_j > d, d may be retrieved using Chinese Remainder Theorem techniques.
Variants 2 and 3 rely on a fault model, but need far fewer fault injections than variant 1 (and than [Sei05]).
Page 36
The bias based variant
The attacker obtains many signatures whose computation used a corrupted modulus:
  s′_i = µ_i^d mod n′_i,   i = 1, 2, . . .
  µ_i = hash(m_i)
The inputs m_i may be arbitrarily chosen.
He thus collects many triples (µ_i, s′_i, n′_i).
The faulty moduli n′_i are unknown to the attacker, who only knows the pairs (µ_i, s′_i).
For any given small prime q, let p be the smallest prime such that q | p − 1 (possible generalization: q^e | ϕ(p^a)).
Considering the equations s′_i = µ_i^d mod p (which hold whenever p | n′_i), a statistical process on the collection (µ_i, s′_i)_i will reveal the value d mod q.
Page 43
The bias based variant
Notation
Let q | p − 1, and µ ∈ (Z/pZ)*. We denote:
  DL(µ, s′, p) the discrete logarithm of s′ to the base µ modulo p (provided s′ ∈ ⟨µ⟩)
  DL(µ, s′, p, q) = DL(µ, s′, p) mod q (provided q | ord_p(µ))
Theorem
If p | n′ then, whenever DL(µ, s′, p, q) exists, we have:
  DL(µ, s′, p, q) = d mod q
If p ∤ n′ then DL(µ, s′, p, q) is assumed to be uniformly distributed over the integers modulo q.
Page 49
IntroductionDescription of the attack
Conclusion
Common PrincipleThe bias based variantThe collision based variantThe full consistency exploitation variant
The bias based variant
As the sum of two components, the statistical distribution of DL(µ, s′, p, q) shows a bias:
With probability (p − 1)/p, DL(µ, s′, p, q) is drawn from a uniform distribution
With probability 1/p, DL(µ, s′, p, q) is drawn from a Dirac distribution centered on d mod q
With enough faulty samples, the statistical bias in the distribution of DL(µ, s′, p, q) will make the correct value d mod q emerge
The private exponent of a 1024-bit key is fully retrieved within 20,000 faults
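The following Python toy is an added illustration of the theorem and of the bias on these two slides; it is not the authors' code. It uses a constructed 20-bit key (primes 1021 and 1031), a constructed fault model (one byte of n replaced by a random register value) and a hand-checked marker list for the faulty modulus 0x100FDC, and it closes with a standard defender's check that is assumed here rather than taken from the slides: verifying s^e ≡ µ (mod n) before a signature leaves the device, which a corrupted modulus makes fail.

```python
"""Added toy illustration (not the paper's code) of the slide's theorem: if a
prime p divides the faulty modulus n', then DL(mu, s', p, q), the discrete
log of s' = mu^d mod n' to base mu reduced modulo a prime q | p-1, equals
d mod q.  Constructed 20-bit key; real keys are 1024 bits or more."""
import random
from collections import Counter

P1, P2 = 1021, 1031            # constructed toy RSA primes
N = P1 * P2                    # 1052651 = 0x100FEB, three bytes
PHI = (P1 - 1) * (P2 - 1)
E = 65537
D = pow(E, -1, PHI)            # private exponent, what the faults leak
N_BYTES = (N.bit_length() + 7) // 8

# 0x100FDC is N with its low byte 0xEB replaced by 0xDC (one reachable value
# in the 8-bit random-register model).  0x100FDC = 2^2 * 13 * 31 * 653, so
# some of its markers (prime p | n', prime q | p-1) are, checked by hand:
FAULTY_N = 0x100FDC
MARKERS = [(31, 5), (31, 3), (13, 3), (653, 163)]


def sign(mu, modulus):
    """RSA signature as the device computes it; `modulus` may be faulty."""
    return pow(mu, D, modulus)


def faulty_modulus(rng, n=N):
    """Fault model from the slides: one byte of n, at a random position, is
    replaced by a random 8-bit register value (unprecise injection)."""
    pos = rng.randrange(N_BYTES)
    return (n & ~(0xFF << (8 * pos))) | (rng.randrange(256) << (8 * pos))


def dl_mod_q(mu, s, p, q):
    """DL(mu, s, p, q) in the slides' notation.  Raising to h = (p-1)/q maps
    into the unique subgroup of order q of (Z/pZ)*, where brute force is
    enough at toy size.  Returns None when q does not divide ord_p(mu) (the
    'provided' clause), or when p divides mu or s."""
    h = (p - 1) // q
    g, y = pow(mu % p, h, p), pow(s % p, h, p)
    if g in (0, 1) or y == 0:
        return None
    for x in range(q):
        if pow(g, x, p) == y:
            return x
    return None                 # not reached: y = g^d always lies in <g>


def theorem_demo():
    """Case p | n': every marker recovers d mod q exactly, whatever the
    message.  Returns (p, q, DL(mu, s', p, q), d mod q) tuples."""
    out = []
    for mu in range(2, 40):
        s = sign(mu, FAULTY_N)
        for p, q in MARKERS:
            x = dl_mod_q(mu, s, p, q)
            if x is not None:
                out.append((p, q, x, D % q))
    return out


def bias_demo(p=31, q=5, samples=20000, seed=2006):
    """Bias variant: fix one marker (p, q) and tally DL(mu_i, s'_i, p, q) over
    many faulty signatures.  About 1/p of the faulty moduli are divisible by
    p and contribute d mod q (the Dirac part); the rest spread uniformly over
    0..q-1.  Returns (most frequent value, full tally)."""
    rng = random.Random(seed)
    tally = Counter()
    for _ in range(samples):
        mu = rng.randrange(2, N)
        x = dl_mod_q(mu, sign(mu, faulty_modulus(rng)), p, q)
        if x is not None:
            tally[x] += 1
    return tally.most_common(1)[0][0], tally


def verification_demo(samples=2000, seed=1):
    """Defender's check (a standard fault counter-measure, assumed here, not
    taken from the slides): verify s^e == mu (mod modulus) before releasing
    s.  With the genuine n it always passes; with a corrupted n' the group
    order changes, e*d is no longer 1 there, and almost every faulty
    signature is rejected.  Returns (pass rate genuine, pass rate faulty)."""
    rng = random.Random(seed)
    ok_good = ok_faulty = 0
    for _ in range(samples):
        mu = rng.randrange(2, N)
        ok_good += pow(sign(mu, N), E, N) == mu
        n_f = faulty_modulus(rng)
        ok_faulty += pow(sign(mu, n_f), E, n_f) == mu % n_f
    return ok_good / samples, ok_faulty / samples


if __name__ == "__main__":
    print("theorem holds:", all(x == dq for _, _, x, dq in theorem_demo()))
    winner, tally = bias_demo()
    print("bias winner", winner, "== d mod 5:", winner == D % 5, dict(tally))
    print("verification pass rate (genuine, faulty):", verification_demo())
```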
Dictionary of faulty moduli
Let S be the set of all reachable values for a faulty modulus
This dictionary depends on:
the correct value n of the modulus,
a given fault model,
assumptions on fault injection precision, chip architecture, counter-measures...
Example
Model: random register value   Architecture: 8 bits   Injection: precise (no CM)
n           92DC14230A32B821FF23ED094B18A0C83729420C928CD020A0EE29023256F9FB
|S| = 256   92DC**230A32B821FF23ED094B18A0C83729420C928CD020A0EE29023256F9FB
Example
Model: random register value   Architecture: 32 bits   Injection: precise (no CM)
n           92DC14230A32B821FF23ED094B18A0C83729420C928CD020A0EE29023256F9FB
|S| = 2^32  92DC1423********FF23ED094B18A0C83729420C928CD020A0EE29023256F9FB
Example
Model: random register value   Arch.: 8 bits   Injection: unprecise (random order or delay)
n             92DC14230A32B821FF23ED094B18A0C83729420C928CD020A0EE29023256F9FB
|S| = 2^15    **DC14230A32B821FF23ED094B18A0C83729420C928CD020A0EE29023256F9FB
(1024 bits)   92**14230A32B821FF23ED094B18A0C83729420C928CD020A0EE29023256F9FB
              92DC**230A32B821FF23ED094B18A0C83729420C928CD020A0EE29023256F9FB
              ···
              92DC14230A32B821FF23ED094B18A0C83729420C928CD020A0EE29023256**FB
              92DC14230A32B821FF23ED094B18A0C83729420C928CD020A0EE29023256F9**
Example
Model: fixed register value (0)   Arch.: 32 bits   Injection: unprecise (random order or delay)
n             92DC14230A32B821FF23ED094B18A0C83729420C928CD020A0EE29023256F9FB
|S| = 32      000000000A32B821FF23ED094B18A0C83729420C928CD020A0EE29023256F9FB
(1024 bits)   92DC142300000000FF23ED094B18A0C83729420C928CD020A0EE29023256F9FB
              ···
              92DC14230A32B821FF23ED094B18A0C83729420C928CD020A0EE290200000000
The collision based variant
The collision based variant needs a dictionary S of possible faulty moduli.
It aims at identifying, for some (µi, s′i), which faulty modulus value n′i ∈ S actually occurred.
Definition
Let ν ∈ S; a hit for ν is the identification of some (µi, s′i) for which n′i = ν
Once a hit for n′i is obtained, it is possible to derive d mod q for (almost) all primes q verifying q | p − 1, where p is a known prime factor of n′i:
d mod q = DL(µi, s′i, p, q)
Each hit yields more than 50 bits of modular information about d on average.
→ Only about 10 to 20 hits suffice to recover the private exponent.
How to identify hits?
For as many ν ∈ S as possible, find some marker (pν, qν) verifying:
qν is a not too small prime (say 10^6 to 10^9)
qν | pν − 1 and pν | ν
For each i = 1, 2, . . ., compute DL(µi, s′i, pν, qν) for all markers (pν, qν).
Each DL(µi, s′i, pν, qν) gives a hypothesis for d mod qν which is . . .
correct if n′i = ν
random in {0, . . . , qν − 1} with high probability if n′i ≠ ν
A hit is identified as soon as a collision of DL values occurs for some qν:
DL(µi, s′i, pν, qν) = DL(µj, s′j, pν, qν) ⟹ n′i = n′j = ν
(see the paper for a discussion of the false positive probability)
The number of required faults is O(√(t α |S|)).
(t = # of hits and α · |S| = # of markers)
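Added example (not the paper's code) covering the dictionary construction of the "Dictionary of faulty moduli" slides and the marker-selection step above, on a constructed 3-byte toy modulus 0x100FEB: `faulty_dictionary` enumerates S for the random-register and fixed-zero models with precise or unprecise injection, `dictionary_size` reproduces by formula the four |S| values quoted on the slides for a 1024-bit n, and `find_marker` picks (pν, qν) by trial-division factoring, which is only feasible at toy size.

```python
"""Added example (not the paper's code): the dictionary S of reachable
faulty moduli for the fault models on the 'Dictionary of faulty moduli'
slides, then the first step of 'How to identify hits': a marker
(p_nu, q_nu) for each nu in S.  Constructed 24-bit toy modulus; the slides
use 1024 bits, for which the sizes are reproduced by formula."""

N = 0x100FEB       # constructed 3-byte toy modulus (the slides' n is 1024-bit)
N_BITS = 24


def faulty_dictionary(n, n_bits, word_bits, model, position=None):
    """Set S of values a single register fault can turn n into.
    model    : 'random' -> the faulted word takes any value (random register)
               'zero'   -> the faulted word is forced to 0 (fixed register)
    position : word index hit by a precise injection; None means unprecise
               injection (random order or delay), so any word may be hit."""
    words = n_bits // word_bits
    mask = (1 << word_bits) - 1
    positions = range(words) if position is None else [position]
    values = range(1 << word_bits) if model == 'random' else [0]
    dictionary = set()
    for k in positions:
        shift = word_bits * k
        for v in values:
            dictionary.add((n & ~(mask << shift)) | (v << shift))
    return dictionary


def dictionary_size(n_bits, word_bits, model, precise):
    """|S| as counted on the slides (the unchanged n is counted once per
    position): 256, 2^32, 2^15 and 32 for the four slide examples."""
    words = 1 if precise else n_bits // word_bits
    per_word = (1 << word_bits) if model == 'random' else 1
    return words * per_word


def prime_factors(m):
    """Distinct prime factors by trial division (toy sizes only)."""
    out, f = [], 2
    while f * f <= m:
        if m % f == 0:
            out.append(f)
            while m % f == 0:
                m //= f
        f += 1
    if m > 1:
        out.append(m)
    return out


def find_marker(nu, q_min=3):
    """Marker (p, q) for candidate nu: a prime p | nu and a prime q | p-1 with
    q >= q_min, preferring the largest q since the slides want q 'not too
    small' (10^6..10^9 at 1024 bits; far smaller at toy size).  None when
    nu has no usable factor, e.g. nu a power of two."""
    best = None
    for p in prime_factors(nu):
        for q in prime_factors(p - 1):
            if q >= q_min and (best is None or q > best[1]):
                best = (p, q)
    return best


def markers(dictionary, q_min=3):
    """One marker per nu in S, skipping the nu that have none."""
    found = {}
    for nu in sorted(dictionary):
        m = find_marker(nu, q_min)
        if m is not None:
            found[nu] = m
    return found


if __name__ == "__main__":
    S = faulty_dictionary(N, N_BITS, 8, 'random', position=1)   # middle byte
    print("|S| 8-bit random, precise  :", len(S))
    print("|S| 8-bit random, unprecise:", len(faulty_dictionary(N, N_BITS, 8, 'random')))
    print("|S| 8-bit zero, unprecise  :", len(faulty_dictionary(N, N_BITS, 8, 'zero')))
    print("slide sizes:", dictionary_size(1024, 8, 'random', True),
          dictionary_size(1024, 32, 'random', True),
          dictionary_size(1024, 8, 'random', False),
          dictionary_size(1024, 32, 'zero', False))
    for nu, (p, q) in list(markers(S).items())[:5]:
        print(f"nu = {nu:#08x}: marker p = {p}, q = {q}")
```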
The full consistency exploitation variant
The full consistency exploitation variant needs a dictionary S of possible faulty moduli.
The principle is to check some intra-signature and inter-signature consistencies.
Definition
For any ν ∈ S and any prime q, let Ψ(ν, q) = {p : p | ν and q | p − 1}
Intra-signature consistency
For any faulty signature (µi, s′i, n′i), and for any prime q:
|{DL(µi, s′i, p, q) : p ∈ Ψ(n′i, q)}| ≤ 1
Any candidate modulus ν for the signature (µi, s′i) must be excluded as soon as
|{DL(µi, s′i, p, q) : p ∈ Ψ(ν, q)}| ≥ 2 for some q
Eric Brier, Benoıt Chevallier-Mames, Mathieu Ciet and Christophe Clavier CHES 2006, Yokohama
Page 81
IntroductionDescription of the attack
Conclusion
Common PrincipleThe bias based variantThe collision based variantThe full consistency exploitation variant
The full consistency exploitation variant
The full consistency exploitation variant needs a dictionary S of possiblefaulty moduli.
The principle is to check some intra-signature and inter-signatureconsistencies.
Definition
For any ν ∈ S and any prime q, let Ψ(ν, q) =˘p : p | ν and q | p − 1
¯Intra-signature consistency
For any faulty signature (µi , s′i , n
′i ), and for any prime q:˛˘
DL(µi , s′i , p, q) : p ∈ Ψ(n′i , q)
¯˛6 1
Any candidate modulus ν for the signature (µi , s′i ) must be excluded as
soon as ˛˘DL(µi , s
′i , p, q) : p ∈ Ψ(ν, q)
¯˛> 2 for some q
Page 86
The full consistency exploitation variant
Inter-signature consistency
For any faulty signatures $(\mu_{i_1}, s'_{i_1}, n'_{i_1})$ and $(\mu_{i_2}, s'_{i_2}, n'_{i_2})$, and any prime $q$:
$$\bigl|\{\, \mathrm{DL}(\mu_{i_1}, s'_{i_1}, p, q) : p \in \Psi(n'_{i_1}, q) \,\} \cup \{\, \mathrm{DL}(\mu_{i_2}, s'_{i_2}, p, q) : p \in \Psi(n'_{i_2}, q) \,\}\bigr| \le 1$$
Any couple $(\nu_1, \nu_2)$ of candidate moduli for the signatures $(\mu_{i_1}, s'_{i_1})$ and $(\mu_{i_2}, s'_{i_2})$ must be excluded (as not being simultaneously valid) if the consistency is not verified for some $q$.
The consistency check may be generalized to sets of candidate moduli with respect to sets of signatures.
Page 89
The full consistency exploitation variant
The paper describes an algorithm which, for a set of t signatures:
exhibits the list of all sets of t candidate moduli which are fully consistent with the signatures,
assigns a confidence index to each such set of candidate moduli.
Combinatorial explosion prevents using this algorithm when S is too large (typically |S| > 10,000).
This full consistency exploitation method identifies nearly t hits when considering t signatures.
This method recovers the private exponent within only 10 to 20 faults.
Page 96
Some interesting properties
Our new attack presents some notable properties:
The first fault attack on RSA ever published which reveals the private exponent by only corrupting public elements of the key.
The first fault attack on standard RSA ever published which does not rely on any fault model, nor on any implementation assumption.
The fault attack on standard RSA which reveals the private exponent with the smallest number of required faults.
Page 100
Counter-measures
The previously described fault attack on standard RSA is very efficient on non-protected implementations, but...
...many counter-measures exist that may prevent this attack:
The integrity of the modulus may be ensured by a consistency check (checksum, ...)
The private exponent may be randomized
The signature computation may be verified, and no signature is returned if the verification fails
...
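Added example (not code from the slides or from the authors): a toy Python signer that puts the three counter-measures listed above next to a signer that blindly trusts its modulus. The toy key, the SHA-256 checksum and the single-bit-flip fault model are assumptions made for this demo.

```python
import hashlib
import secrets


class FaultyModulusError(Exception):
    """Raised when the hardened signer refuses to output a signature."""


# Constructed toy RSA key (about 40 bits, far too small for real use); the
# primes are assumed values chosen so the demo runs instantly.
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)


def modulus_digest(n):
    """Checksum of the modulus, computed at key generation and stored with
    the private key (SHA-256 here; any integrity tag would do)."""
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).digest()


N_DIGEST = modulus_digest(N)


def naive_sign(mu, n, d):
    """Unprotected signer: trusts the modulus in memory and returns the result
    unchecked, so a corrupted n hands mu^d mod n' straight to the caller."""
    return pow(mu, d, n)


def hardened_sign(mu, n, d, e, n_digest, phi):
    """Signer combining the three counter-measures listed on the slide."""
    # 1. Modulus integrity: refuse to use an n that fails its checksum.
    if modulus_digest(n) != n_digest:
        raise FaultyModulusError("modulus integrity check failed")
    # 2. Exponent randomization: d_r = d + r*phi(n) gives the same signature
    #    under the correct n (mu^phi(n) = 1 mod n) but differs on every call.
    r = secrets.randbelow(1 << 32) + 1
    s = pow(mu, d + r * phi, n)
    # 3. Verify before returning: a fault injected after step 1 is still caught,
    #    since s^e mod n == mu then fails (except with negligible probability).
    if pow(s, e, n) != mu % n:
        raise FaultyModulusError("signature does not verify; output suppressed")
    return s


def inject_bit_flip(n, bit):
    """Constructed fault model for the demo: one bit flip in the stored modulus."""
    return n ^ (1 << bit)


def simulate(mu, bit):
    """Run both signers on a corrupted modulus. Returns a pair:
    (faulty naive signature verifies under the true key?, hardened refused?)."""
    n_faulty = inject_bit_flip(N, bit)
    s_faulty = naive_sign(mu, n_faulty, D)       # leaks mu^d mod n_faulty
    naive_ok = pow(s_faulty, E, N) == mu          # False: not a valid signature
    try:
        hardened_sign(mu, n_faulty, D, E, N_DIGEST, PHI)
        refused = False
    except FaultyModulusError:
        refused = True
    return naive_ok, refused
```

With the checksum in place the faulty modulus is rejected before any exponentiation; without it, step 3 still suppresses the faulty output, which is exactly what the attack needs to observe.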
Page 106
Open problems
The fault attack presented here raises some open questions:
In standard mode, is it possible to recover the RSA private key by only corrupting the modulus when the private exponent is randomized?
Is it possible to adapt the attack in the case of a probabilistic padding with randomness recovery (e.g. RSA-PSS)?
Page 108
ERRATUM
In this paper:
Our paper DID NOT introduce the first fault attack on standard RSA!
In the submission:
APOLOGIES!
Page 115
The end
Thank you for your attention!
Questions?