
Observability Analysis - Detecting When Improved Cryptosystems Fail -

  • Conference paper
  • Conference: Topics in Cryptology — CT-RSA 2002 (CT-RSA 2002)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2271)

Abstract

In this paper we show that, paradoxically, what looks like a “universal improvement” or a “straightforward improvement” which enables better security and better reliability on a theoretical level may in fact, within certain operational contexts, introduce new exposures and attacks, resulting in a weaker operational cryptosystem. We demonstrate a number of such dangerous “improvements”. This implies that careful consideration should be given to the fact that an implemented cryptosystem exists within a particular operational environment (one which may enable certain types of tampering and other observable information channels via faults, side-channel attacks or the behavior of system operators). We use our case studies to draw conclusions about the investigations required when studying implementations and suggested improvements of cryptosystems: looking at them in the context of their operating environments (combined with their potential adversarial settings). We call these investigations observability analysis.

Supported in part by the Computer & Communication Research Laboratories, Industrial Technology Research Institute, Republic of China.




© 2002 Springer-Verlag Berlin Heidelberg

Cite this paper

Joye, M., Quisquater, J.-J., Yen, S.-M., Yung, M. (2002). Observability Analysis - Detecting When Improved Cryptosystems Fail -. In: Preneel, B. (ed.) Topics in Cryptology — CT-RSA 2002. CT-RSA 2002. Lecture Notes in Computer Science, vol 2271. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45760-7_2


  • DOI: https://doi.org/10.1007/3-540-45760-7_2
  • Publisher Name: Springer, Berlin, Heidelberg
  • Print ISBN: 978-3-540-43224-1
  • Online ISBN: 978-3-540-45760-2
