Weaknesses in Current RSA Signature Schemes

This work presents several classes of messages that lead to data leakage during modular exponentiation. Such messages allow recovery of the entire secret exponent from a single power measurement. We show that the padding schemes defined by industry standards such as PKCS#1 and ANSI X9.31 are vulnerable to side-channel attacks, since the padded messages meet the characteristics defined by our classes. Although PKCS#1 states that there are no known attacks against RSASSA-PKCS1-v1_5, the EMSA-PKCS1-v1_5 encoding in fact makes the scheme vulnerable to side-channel analysis. These attacks were validated against a real-world smartcard system, the Infineon SLE78, running our proof-of-concept implementation. Additionally, we introduce methods for the elegant recovery of the full RSA private key from blinded RSA CRT exponents.
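The final claim, that a blinded CRT exponent still gives away the full private key, can be checked directly. The following is an added example, not the paper's code and not necessarily its method: it uses the standard gcd-based recovery (m^(e·d_p) ≡ m mod p by Fermat), which is unaffected by exponent blinding because d_p + r(p−1) still inverts e modulo p−1. The key, blinding factor and message bases are constructed toy values.

```python
import math
import random

# Constructed toy RSA key: small primes for readability, not a real key.
# The recovery does not depend on key size.
P, Q, E = 1000003, 1000033, 65537
N = P * Q


def crt_exponent(p: int, e: int) -> int:
    """d_p = e^-1 mod (p-1): the exponent a CRT implementation uses mod p."""
    return pow(e, -1, p - 1)


def blind_exponent(d_p: int, p: int, r: int) -> int:
    """Exponent blinding as a side-channel countermeasure: d_p' = d_p + r*(p-1).
    e*d_p' is still congruent to 1 mod (p-1), which is all the recovery needs."""
    return d_p + r * (p - 1)


def recover_factor(n: int, e: int, leaked_dp: int) -> int:
    """Recover the prime a leaked (possibly blinded) CRT exponent belongs to.
    m^(e*leaked_dp) == m (mod p) by Fermat, but mod q the value is unrelated,
    so gcd(m^(e*leaked_dp) - m, n) is p for almost every base m."""
    for m in range(2, 20):  # a few bases guard against an unlucky one
        g = math.gcd(pow(m, e * leaked_dp, n) - m, n)
        if 1 < g < n:
            return g
    raise ValueError("no nontrivial factor found")


def recover_private_key(n: int, e: int, leaked_dp: int):
    """Return (p, q, d): the full private key from one leaked CRT exponent."""
    p = recover_factor(n, e, leaked_dp)
    q = n // p
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # Carmichael lambda(n)
    return p, q, pow(e, -1, lam)


if __name__ == "__main__":
    d_p = crt_exponent(P, E)
    leaked = blind_exponent(d_p, P, random.randrange(1, 1 << 32))
    p, q, d = recover_private_key(N, E, leaked)
    print(p == P, q == Q, pow(pow(42, E, N), d, N) == 42)
```

The point for implementers is that blinding protects the exponentiation trace, not the secrecy of the exponent itself: a leaked blinded d_p is as damaging as an unblinded one.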
