52 Things: Number 33: How does the Bellcore attack work against RSA with CRT?
52 Things: Number 33: How does the Bellcore attack work against RSA with CRT?
52 Things: Number 33: How does the Bellcore attack work against RSA with CRT?
52件事:第33件:Bellcore攻击如何使用CRT对抗RSA?
This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know To Do Cryptography': a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. In this blog post we discuss a possible attack on RSA-CRT.
这是一系列博客文章中的最新一篇,旨在解决“每个博士生在做密码学时应该知道的52件事”:这是一组问题,旨在让博士生在第一年结束时了解他们应该知道什么。在这篇博客文章中,我们讨论了RSA-CRT可能受到的攻击。
Note: This follows the paper by
注:本文紧随论文之后Dan Boneh, Richard A. DeMillo, Richard J. Lipton: On the importance of Eliminating Errors in Cryptographic Computations.
Dan Boneh,Richard A.DeMillo,Richard J.Lipton:论密码计算中消除错误的重要性。
In the 52 Things: Number 21 blog post, it discusses how the Chinese Remainder theorem method can improve the performance of RSA. Here we show that if the hardware (or software) used to implement RSA produces errors or faults from time to time, then an attack can be used to break RSA with high probability.
在52 Things:Number 21的博客文章中,它讨论了中国余数定理方法如何提高RSA的性能。在这里,我们展示了如果用于实现RSA的硬件(或软件)不时产生错误或故障,那么可以使用攻击来高概率地破坏RSA。
RSA[1] was one of the first practical public key cryptosystems used for secure data transmission. Developed by Rivest, Shamir and Adleman in 1977, it is based on the difficulty of factoring the product of two large prime numbers. Direct attacks on RSA involve trying to factorise the modulus. Boneh, DeMillo and Lipton wanted to find an attack on RSA that avoids directly factoring the modulus. They show that erroneous cryptographic values jeopardise security by enabling an attacker to expose secret information. We are going to look specifically at the attack on RSA-CRT.
RSA[1]是最早用于安全数据传输的实用公钥密码系统之一。它由Rivest、Shamir和Adleman于1977年开发,基于分解两个大素数的乘积的困难。对RSA的直接攻击涉及试图分解模数。Boneh、DeMillo和Lipton希望找到一种对RSA的攻击,避免直接分解模数。它们表明,错误的加密值使攻击者能够暴露秘密信息,从而危及安全。我们将特别关注RSA-CRT受到的攻击。
First, a brief description of RSA. Formally, let N=pq be the product of two large prime numbers each n2 bits long. If we have a message x∈ZN, we encrypt the message using a secret signing exponent d by S=xd mod N. The modular exponentiation of x is computationally expensive. For a more efficient implementation we can first compute
首先,简单描述RSA。形式上,设 N=pq 是两个大素数的乘积,每个素数长 n2 位。如果我们有一个消息#2,我们使用秘密签名指数#3乘#4对消息进行加密。 x 的模幂运算在计算上是昂贵的。为了更高效的实现,我们可以首先计算S1=xd mod p and S2=xd mod q, S1=xd mod p 和 S2=xd mod q , then use the Chinese Remainder Theorem (CRT)[2] to construct the signature
然后利用中国剩余定理(CRT)[2]构造签名S=xd mod N.
It can be shown that this RSA with CRT scheme is particularly susceptible to software or hardware errors. If we contain two signatures of the same message. One signature being the correct one, the other the faulty signature. Once again, letting x∈ZN be the message
可以看出,这种带有CRT的RSA方案特别容易受到软件或硬件错误的影响。如果我们包含同一消息的两个签名。一个签名是正确的,另一个是错误的签名。再次,让 x∈ZN 成为信息and S=xd mod N 和 S=xd mod N being the correct signature. Then S^ be a faulty signature. From above, S is computed by first finding S1 and S2. Similarly, S^ is computed by first finding S^1 and
是正确的签名。那么 S^ 就是一个错误的签名。从上面, S 是通过首先找到 S1 和 S2 来计算的。类似地,#4是通过首先查找 S^1 来计算的,并且S^2, suppose that the error occurred while computing only one of S1^,S2^. If we assume the fault occurred while computing S^1 but no error occurred during the computation of S^2, i.e.
,假设仅计算 S1^,S2^ 中的一个时发生错误。如果我们假设故障发生在计算#1时,但在计算#2时没有发生错误,即。S1≠S^1 mod p and S^2=S2 This means that S=S^ mod q but S≠S^ mod p.
S1≠S^1 mod p 和 S^2=S2 这意味着#2但#3。 Therefore, 因此
因此可以容易地将N作为因子。这表明,对于一个错误的特征,可以很容易地将模量N作为因子。
这是一系列博客文章中的最新一篇,旨在解决“每个博士生在做密码学时应该知道的52件事”:这是一组问题,旨在让博士生在第一年结束时了解他们应该知道什么。在这篇博客文章中,我们讨论了RSA-CRT可能受到的攻击。
Note: This follows the paper by
注:本文紧随论文之后Dan Boneh, Richard A. DeMillo, Richard J. Lipton: On the importance of Eliminating Errors in Cryptographic Computations.
Dan Boneh,Richard A.DeMillo,Richard J.Lipton:论密码计算中消除错误的重要性。
In the 52 Things: Number 21 blog post, it discusses how the Chinese Remainder theorem method can improve the performance of RSA. Here we show that if the hardware (or software) used to implement RSA produces errors or faults from time to time, then an attack can be used to break RSA with high probability.
在52 Things:Number 21的博客文章中,它讨论了中国余数定理方法如何提高RSA的性能。在这里,我们展示了如果用于实现RSA的硬件(或软件)不时产生错误或故障,那么可以使用攻击来高概率地破坏RSA。
RSA[1] was one of the first practical public key cryptosystems used for secure data transmission. Developed by Rivest, Shamir and Adleman in 1977, it is based on the difficulty of factoring the product of two large prime numbers. Direct attacks on RSA involve trying to factorise the modulus. Boneh, DeMillo and Lipton wanted to find an attack on RSA that avoids directly factoring the modulus. They show that erroneous cryptographic values jeopardise security by enabling an attacker to expose secret information. We are going to look specifically at the attack on RSA-CRT.
RSA[1]是最早用于安全数据传输的实用公钥密码系统之一。它由Rivest、Shamir和Adleman于1977年开发,基于分解两个大素数的乘积的困难。对RSA的直接攻击涉及试图分解模数。Boneh、DeMillo和Lipton希望找到一种对RSA的攻击,避免直接分解模数。它们表明,错误的加密值使攻击者能够暴露秘密信息,从而危及安全。我们将特别关注RSA-CRT受到的攻击。
First, a brief description of RSA. Formally, let N=pq be the product of two large prime numbers each n2 bits long. If we have a message x∈ZN, we encrypt the message using a secret signing exponent d by S=xd mod N. The modular exponentiation of x is computationally expensive. For a more efficient implementation we can first compute
首先,简单描述RSA。形式上,设 N=pq 是两个大素数的乘积,每个素数长 n2 位。如果我们有一个消息#2,我们使用秘密签名指数#3乘#4对消息进行加密。 x 的模幂运算在计算上是昂贵的。为了更高效的实现,我们可以首先计算S1=xd mod p and S2=xd mod q, S1=xd mod p 和 S2=xd mod q , then use the Chinese Remainder Theorem (CRT)[2] to construct the signature
然后利用中国剩余定理(CRT)[2]构造签名S=xd mod N.
It can be shown that this RSA with CRT scheme is particularly susceptible to software or hardware errors. If we contain two signatures of the same message. One signature being the correct one, the other the faulty signature. Once again, letting x∈ZN be the message
可以看出,这种带有CRT的RSA方案特别容易受到软件或硬件错误的影响。如果我们包含同一消息的两个签名。一个签名是正确的,另一个是错误的签名。再次,让 x∈ZN 成为信息and S=xd mod N 和 S=xd mod N being the correct signature. Then S^ be a faulty signature. From above, S is computed by first finding S1 and S2. Similarly, S^ is computed by first finding S^1 and
是正确的签名。那么 S^ 就是一个错误的签名。从上面, S 是通过首先找到 S1 和 S2 来计算的。类似地,#4是通过首先查找 S^1 来计算的,并且S^2, suppose that the error occurred while computing only one of S1^,S2^. If we assume the fault occurred while computing S^1 but no error occurred during the computation of S^2, i.e.
,假设仅计算 S1^,S2^ 中的一个时发生错误。如果我们假设故障发生在计算#1时,但在计算#2时没有发生错误,即。S1≠S^1 mod p and S^2=S2 This means that S=S^ mod q but S≠S^ mod p.
S1≠S^1 mod p 和 S^2=S2 这意味着#2但#3。 Therefore, 因此
gcd(S−S^,N)=q
so N can be factored easily. This shows that with one faulty signature, the modulus N can be easily factored.因此可以容易地将N作为因子。这表明,对于一个错误的特征,可以很容易地将模量N作为因子。
The Working Class Must Lead!
