Abstract
The paper describes a new attack on RSA–CRT that uses Montgomery exponentiation. Given the number of so-called final subtractions performed during the exponentiation of a known message (not chosen, merely known), it builds an instance of the well-known Hidden Number Problem (HNP, [2]). Solving that instance reveals the factorization of the RSA modulus, i.e. breaks the scheme.
The main advantage of the approach over the other attacks [14,17] is that it does not require chosen plaintexts. The existing attacks, for instance, cannot harm the so-called Active Authentication (AA) mechanism of the recently deployed electronic passports: there the challenge, i.e. the plaintext, is chosen jointly by both parties, the passport and the terminal, so the attacker cannot choose it at will. The attack described here handles such a situation and solves the HNP instance with 150 measurements filtered from approximately 7000. Once the secret key used by the passport during AA is available to the attacker, he can create a fully functional copy of the RFID chip in the passport he observes.
A possible way to obtain the side information needed for the attack from electromagnetic traces is sketched in the paper. Without access to high-precision measurement equipment, its existence has not yet been verified experimentally. The attack should nevertheless be taken into account by the laboratories testing the resilience of (not only) electronic passports to side-channel attacks.
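The following Python model is an added illustration of the leak the abstract builds on; it is not code from the paper. A Montgomery multiplication ends with a data-dependent final subtraction, and Schindler's estimate [14] for a multiplication by a fixed Montgomery-form operand x̄ is Pr[final subtraction] ≈ x̄/(2R). Counting these subtractions while an RSA-CRT device exponentiates a known message therefore gives a noisy linear measurement of (m·R mod p)/R for the secret prime p, which is the side information the HNP instance is built from. Assumptions of the example: two Mersenne primes as the RSA factors, e = 65537, a plain (non word-wise) Montgomery reduction with R = 2^k, and Pearson correlation as the sanity check.

```python
# Added example (not code from the paper): a toy model of the side channel the
# abstract describes. Montgomery multiplication ends with a data-dependent
# "final subtraction"; counting how often it fires during an RSA-CRT
# exponentiation of a *known* message leaks information about that message's
# Montgomery form modulo the secret prime p. The primes below are Mersenne
# primes chosen for convenience; they are an assumption of this example.
import random

P = (1 << 107) - 1          # 2^107 - 1, a Mersenne prime (assumed parameter)
Q = (1 << 127) - 1          # 2^127 - 1, a Mersenne prime (assumed parameter)
E = 65537
N = P * Q


def mont_params(p):
    """Montgomery constants for modulus p: k, R = 2^k > p, -p^-1 mod R, R^2 mod p."""
    k = p.bit_length()
    r = 1 << k
    p_inv_neg = (-pow(p, -1, r)) % r
    return k, r, p_inv_neg, (r * r) % p


def montmul(a, b, p, k, r, p_inv_neg):
    """Return (a*b*R^-1 mod p, final_subtraction_happened) for a, b < p."""
    t = a * b
    m = (t * p_inv_neg) & (r - 1)          # m = t * (-p^-1) mod R
    u = (t + m * p) >> k                   # exact division by R, result < 2p
    if u >= p:                             # the data-dependent final subtraction
        return u - p, True
    return u, False


def mont_exp(base, exp, p):
    """Left-to-right square-and-multiply in the Montgomery domain.
    Returns (base^exp mod p, #final subtractions in squarings, #in multiplications)."""
    k, r, p_inv_neg, r2 = mont_params(p)
    x_bar, _ = montmul(base % p, r2, p, k, r, p_inv_neg)   # base * R mod p
    acc = r % p                                            # Montgomery form of 1
    sq_subs = mul_subs = 0
    for bit in bin(exp)[2:]:
        acc, s = montmul(acc, acc, p, k, r, p_inv_neg)
        sq_subs += s
        if bit == "1":
            acc, s = montmul(acc, x_bar, p, k, r, p_inv_neg)
            mul_subs += s
    result, _ = montmul(acc, 1, p, k, r, p_inv_neg)        # leave Montgomery domain
    return result, sq_subs, mul_subs


def rsa_crt_sign(m, p, q, e):
    """RSA-CRT signature of a known message m; also returns the p-branch leak."""
    dp, dq = pow(e, -1, p - 1), pow(e, -1, q - 1)
    sp, sq_sub, mul_sub = mont_exp(m % p, dp, p)
    sq, _, _ = mont_exp(m % q, dq, q)
    h = ((sq - sp) * pow(p, -1, q)) % q                    # Garner recombination
    return sp + p * h, sq_sub + mul_sub


def pearson(xs, ys):
    """Plain Pearson correlation coefficient (no external dependency)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5


def leak_correlation(n_msgs=300, seed=1):
    """Correlate the multiplication-step subtraction count with (m*R mod p)/R.
    Schindler's estimate for a fixed Montgomery operand x_bar is
    Pr[final subtraction] ~ x_bar / (2R), so the count grows linearly in x_bar."""
    rng = random.Random(seed)
    k, r, _, _ = mont_params(P)
    dp = pow(E, -1, P - 1)
    counts, fractions = [], []
    for _ in range(n_msgs):
        m = rng.randrange(1, N)                             # known, not chosen
        _, _, mul_subs = mont_exp(m % P, dp, P)
        counts.append(mul_subs)
        fractions.append(((m % P) * r % P) / r)
    return pearson(counts, fractions)


if __name__ == "__main__":
    m = 0x1234567890ABCDEF
    sig, subs = rsa_crt_sign(m, P, Q, E)
    assert pow(sig, E, N) == m
    print("final subtractions in the p-branch:", subs)
    print("correlation(count, m_bar/R) =", round(leak_correlation(), 3))
```

The messages are drawn at random rather than chosen, which is exactly the setting of the abstract: the attacker only needs to know m, and the subtraction count still tracks m·R mod p. What the paper adds on top of this observation is the lattice step that turns many such noisy measurements into the factorization; that reduction is not reproduced here.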
References
[1] Babai, L.: On Lovász' lattice reduction and the nearest lattice point problem (shortened version). In: Mehlhorn, K. (ed.) STACS 1985. LNCS, vol. 182, pp. 13–20. Springer, Heidelberg (1985)
[2] Boneh, D., Venkatesan, R.: Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 129–142. Springer, Heidelberg (1996)
[3] Finkenzeller, K.: RFID Handbook: Fundamentals and Applications in Contactless Smart Cards and Identification, 2nd edn. John Wiley & Sons, Chichester (2003)
[4] Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008)
[5] International Civil Aviation Organization (ICAO): Development of a Logical Data Structure – LDS for Optional Capacity Expansion Technologies, http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=39693
[6] International Civil Aviation Organization (ICAO): Doc 9303, Machine Readable Travel Documents, http://www2.icao.int/en/MRTD/Pages/Doc9393.aspx
[7] International Organization for Standardization: ISO/IEC 14443 – Identification cards – Contactless integrated circuit cards – Proximity cards, http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=39693
[8] International Organization for Standardization: ISO/IEC 7816 – Identification cards – Integrated circuit(s) with contacts, http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=38770
[9] Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261, 513–534 (1982)
[10] Montgomery, P.L.: Modular multiplication without trial division. Mathematics of Computation 44, 519–521 (1985)
[11] Nguyen, P.Q.: Cryptanalysis of the Goldreich-Goldwasser-Halevi cryptosystem from Crypto 1997. In: Wiener, M.J. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 288–304. Springer, Heidelberg (1999)
[12] Nguyen, P.Q., Shparlinski, I.: The insecurity of the Digital Signature Algorithm with partially known nonces. J. Cryptology 15(3), 151–176 (2002)
[13] Philips Electronics N.V.: P5CD072 – Secure Dual Interface PKI Smart Card Controller, http://www.nxp.com/acrobat_download/other/identification/sfs095412.pdf
[14] Schindler, W.: A timing attack against RSA with the Chinese Remainder Theorem. In: Paar, C., Koç, Ç.K. (eds.) CHES 2000. LNCS, vol. 1965, pp. 109–124. Springer, Heidelberg (2000)
[15] Schnorr, C.-P., Euchner, M.: Lattice basis reduction: Improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994)
[16] Shoup, V.: NTL: A Library for doing Number Theory (2008), http://www.shoup.net/ntl/
[17] Tomoeda, Y., Miyake, H., Shimbo, A., Kawamura, S.-i.: An SPA-based extension of Schindler's timing attack against RSA using CRT. IEICE Transactions 88-A(1), 147–153 (2005)
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Hlaváč, M. (2009). Known–Plaintext–Only Attack on RSA–CRT with Montgomery Multiplication. In: Clavier, C., Gaj, K. (eds) Cryptographic Hardware and Embedded Systems - CHES 2009. CHES 2009. Lecture Notes in Computer Science, vol 5747. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04138-9_10
DOI: https://doi.org/10.1007/978-3-642-04138-9_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04137-2
Online ISBN: 978-3-642-04138-9