Itamar Zimerman,Eliya Nachmani,Lior Wolf

DOI: https://doi.org/10.48550/arXiv.2106.04876

2021-06-09

Abstract:Cold boot attacks inspect the corrupted random access memory soon after the power has been shut down. While most of the bits have been corrupted, many bits, at random locations, have not. Since the keys in many encryption schemes are being expanded in memory into longer keys with fixed redundancies, the keys can often be restored. In this work, we combine a novel cryptographic variant of a deep error correcting code technique with a modified SAT solver scheme to apply the attack on AES keys. Even though AES consists of Rijndael S-box elements, that are specifically designed to be resistant to linear and differential cryptanalysis, our method provides a novel formalization of the AES key scheduling as a computational graph, which is implemented by a neural message passing network. Our results show that our methods outperform the state of the art attack methods by a very large margin.

Cryptography and Security,Information Theory,Machine Learning

Gustavo Banegas,Ricardo Villanueva-Polanco

DOI: https://doi.org/10.1007/s12095-022-00625-z

2023-02-16

Cryptography and Communications

Abstract:This paper presents a general strategy to recover a block cipher secret key in the cold boot attack setting. More precisely, we propose a key-recovery method that combines key enumeration algorithms and Grover's quantum algorithm to recover a block cipher secret key after an attacker has procured a noisy version of it via a cold boot attack. We also show how to implement the quantum component of our algorithm for several block ciphers such as AES, PRESENT and GIFT, and LowMC. Additionally, since evaluating the third-round post-quantum candidates of the National Institute of Standards and Technology (NIST) post-quantum standardization process against different attack vectors is of great importance for their overall assessment, we show the feasibility of performing our hybrid attack on Picnic, a post-quantum signature algorithm being an alternate candidate in the NIST post-quantum standardization competition. According to our results, our method may recover the Picnic private key for all Picnic parameter sets, tolerating up to 40 % of noise for some of the parameter sets. Furthermore, we provide a detailed analysis of our method by giving the cost of its resources, its running time, and its success rate for various enumerations.

computer science, theory & methods,mathematics, applied

Yue Qin,Chi Cheng,Jintai Ding

DOI: https://doi.org/10.1007/978-3-030-29962-0_24

2019-01-01

Abstract:In CT-RSA 2019, Bauer et al. have analyzed the case when the public key is reused for the NewHope key encapsulation mechanism (KEM), a second-round candidate in the NIST Post-quantum Standard process. They proposed an elegant method to recover coefficients ranging from -6 to 4 in the secret key. We repeat their experiments but there are two fundamental problems. First, even for coefficients in [-6, 4] we cannot recover at least 262 of them in each secret key with 1024 coefficients. Second, for the coefficient outside [-6, 4], they suggested an exhaustive search. But for each secret key on average there are 10 coefficients that need to be exhaustively searched, and each of them has 6 possibilities. This makes Bauer et al.'s method highly inefficient. We propose an improved method, which with 99.22% probability recovers all the coefficients ranging from - 6 to 4 in the secret key. Then, inspired by Ding et al.'s key mismatch attack, we propose an efficient strategy which with a probability of 96.88% succeeds in recovering all the coefficients in the secret key. Experiments show that our proposed method is very efficient, which completes the attack in about 137.56 ms using the NewHope parameters.

Mengce Zheng,Honggang Hu,Zilong Wang

DOI: https://doi.org/10.1007/s11432-015-5325-7

2016-01-01

Science China Information Sciences

Abstract:In this paper, we demonstrate that there exist weak keys in the RSA public-key cryptosystem with the public exponent e = N α ≤ N 0.5. In 1999, Boneh and Durfee showed that when α ≈ 1 and the private exponent d = N β < N 0.292, the system is insecure. Moreover, their attack is still effective for 0.5 < α < 1.875. We propose a generalized cryptanalytic method to attack the RSA cryptosystem with α ≤ 0.5. For \(c = \left\lfloor {\frac{{1 - \alpha }}{\alpha }} \right\rfloor \) and e γc ≡ d (mod e c), when γ, β satisfy \(\gamma < 1 + \frac{1}{c} - \frac{1}{{2\alpha c}}and\beta < \alpha c + \frac{7}{6} - \alpha \gamma c - \frac{1}{3}\sqrt {6\alpha + 6\alpha c + 1 - 6\alpha \gamma c} \), we can perform cryptanalytic attacks based on the LLL algorithm. The basic idea is an application of Coppersmith’s techniques and we further adapt the technique of unravelled linearization, which leads to an optimized lattice. Our advantage is that we achieve new attacks on RSA with α ≤ 0.5 and consequently, there exist weak keys in RSA for most α.

Zhenyu Huang,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-642-35999-6_2

2012-01-01

Abstract:The family of Max-PoSSo problems is about solving polynomial systems with noise, and is analogous to the well-known Max-SAT family of problems when the ground field is. In this paper, we present a new method called ISBS for solving the family of Max-PoSSo problems over. This method is based on the ideas of incrementally solving polynomial system and searching the values of polynomials with backtracking. The ISBS method can be combined with different algebraic methods for solving polynomial systems, such as the Gröbner Basis method or the Characteristic Set(CS) method. By combining with the CS method, we implement ISBS and apply it in Cold Boot attacks. A Cold Boot attack is a type of side channel attack in which an attacker recover cryptographic key material from DRAM relies on the data remanence property of DRAM. Cold Boot key recovery problems of block ciphers can be modeled as Max-PoSSo problems over. We apply the ISBS method to solve the Cold Boot key recovery problems of AES and Serpent, and obtain some experimental results which are better than the existing ones. © 2013 Springer-Verlag Berlin Heidelberg.

Zhijie Jerry Shi,Fan Zhang

2006-01-01

Abstract:Elliptic curve cryptography (ECC) has attracted a lot of attention because it can provide similar levels of security with much shorter keys than the arithmetic of multiple-precision integers in finite fields, which has been widely used in many public-key and key-exchange algorithms. Small key sizes are especially important to resource constrained devices as shorter keys require less storage space and consume less power to transmit and compute. However, ECC algorithms are vulnerable to power analysis attacks, which exploit the instantaneous power consumptions of computing devices to retrieve secret data. Many countermeasures have been proposed to make ECC implementations secure against power analysis. One of the approaches is randomized algorithms that generate different power traces even if the input of the algorithm is the same. For example, the randomized scalar point multiplication algorithm proposed by Oswald et al. combines two algorithms and uses random variables to decide which algorithm to follow at different stages of the execution. The randomized algorithm can thwart traditional power analysis attacks. However, in this paper, we propose an effective attack on the randomized algorithms. Our attack does not require a large number of power traces and has a very high success rate.

CHENG Wei,GU Da-wu,GUO Zheng,ZHANG Lei

DOI: https://doi.org/10.3969/j.issn.1002-0802.2011.06.043

2011-01-01

Abstract:As a fast RSA implementation,RSA-CRT is widely applied to computing-limited devices,such as smart cards.This paper describes a side channel attack against RSA-CRT implementation.By properly choosing input data,the power consumption of the intermediate value after the modular reduction is analyzed.This attack first determines the size of one of the primes,then based on it,takes another DPA attack and gets the byte-by-byte prime.The simulation experiment shows that this attack is effective,and relative to MRED,could reduce the number of needed power traces and raise the attack efficiency.

LiDong Han,XiaoYun Wang,GuangWu Xu

DOI: https://doi.org/10.1007/s11432-010-4029-2

2010-01-01

Science China Information Sciences

Abstract:This paper concerns the RSA system with private CRT-exponents. Since Chinese remainder rep- resentation provides efficiency in computation, such system is of some practical significance. In this paper, an existing attack to small private CRT-exponents is analyzed. It is indicated that this attack makes nice use of lattice in RSA analysis, but some argument does not hold in general. Several counterexamples are constructed. Refinements and more precise statements of the attack are given.

HP Jiang,ZG Mao

DOI: https://doi.org/10.1109/icasic.2003.1277457

2003-01-01

Abstract:Power analysis attacks could be used to analyze the key information according to leakage information depending on the operation of cryptography algorithm and its hardware. They are highly effective with low cost. In this paper, an improved RSA algorithm against power analysis was proposed based on its basic theory. DPA attack for RSA specially, is discussed in details. In order to maximize the capability/cost, mask technique and removing intermediate value method are introduced into RSA system, which only cost more than 33.4% timing to realizing secure RSA algorithm, and its security was better greatly with a little cost, which would be meaningful for the security of a common crypto-system.

Patrick Simmons

DOI: https://doi.org/10.48550/arXiv.1104.4843

2011-04-26

Abstract:Disk encryption has become an important security measure for a multitude of clients, including governments, corporations, activists, security-conscious professionals, and privacy-conscious individuals. Unfortunately, recent research has discovered an effective side channel attack against any disk mounted by a running machine\cite{princetonattack}. This attack, known as the cold boot attack, is effective against any mounted volume using state-of-the-art disk encryption, is relatively simple to perform for an attacker with even rudimentary technical knowledge and training, and is applicable to exactly the scenario against which disk encryption is primarily supposed to defend: an adversary with physical access. To our knowledge, no effective software-based countermeasure to this attack supporting multiple encryption keys has yet been articulated in the literature. Moreover, since no proposed solution has been implemented in publicly available software, all general-purpose machines using disk encryption remain vulnerable. We present Loop-Amnesia, a kernel-based disk encryption mechanism implementing a novel technique to eliminate vulnerability to the cold boot attack. We offer theoretical justification of Loop-Amnesia's invulnerability to the attack, verify that our implementation is not vulnerable in practice, and present measurements showing our impact on I/O accesses to the encrypted disk is limited to a slowdown of approximately 2x. Loop-Amnesia is written for x86-64, but our technique is applicable to other register-based architectures. We base our work on loop-AES, a state-of-the-art open source disk encryption package for Linux.

Cryptography and Security

Mengce Zheng,Noboru Kunihiro,Yuanzhi Yao

DOI: https://doi.org/10.1016/j.tcs.2021.08.001

IF: 1.002

2021-01-01

Theoretical Computer Science

Abstract:RSA (Rivest-Shamir-Adleman) cryptosystem is the most popular asymmetric key cryptographic algorithm used in computer science and information security. Recently, an RSA-like cryptosystem was proposed using a novel product that arises from a cubic field connected to the cubic Pell equation. The relevant key equation is e d ≡ 1 mod ( p 2 + p + 1 ) ( q 2 + q + 1 ) with N = p q. This RSA variant is claimed to be robust against the Wiener's attack and hence the bit-size of the private key could be shorter, namely d < N 1 / 4. In this paper, we explore the further security analysis and investigate the potential small private exponent attack. We show that such RSA variant is particularly vulnerable to the lattice-based method. To be specific, we can carry out the lattice-based small private exponent attack if d < N 2 − 2, which is less secure than the standard RSA. Furthermore, we conduct numerical experiments to verify the validity of the proposed attack.

CaiSen Chen,Tao Wang,YingZhan Kou,XiaoCen Chen,Xiong Li

DOI: https://doi.org/10.1016/j.jss.2012.07.020

IF: 3.5

2012-01-01

Journal of Systems and Software

Abstract:The previous I-Cache timing attacks on the RSA algorithm which exploit the instruction path of a cipher are mostly proof-of-concept, and it is harder to put them into practice than D-Cache timing attacks. We propose a trace-driven timing attack model on the RSA algorithm via spying on the whole I-Cache, instead of the partial instruction cache to which the multiplication function mapped, by analyzing the complications in the previous I-Cache timing attack on the RSA algorithm. Then, an improved analysis algorithm of the exponent using the characteristic of the window size in SWE algorithm is provided, which could further reduce the search space of the key bits than the former. We further demonstrate how to recover the private key d from the scattered known bits of d"p and d"q, through demonstrating some conclusions and validating it by experimentation. In addition, an error detection mechanism to detect some erroneous decisions of the operation sequences is provided to reduce the number of the erroneous recovered bits, and improve the precision of decision. We implement an I-Cache timing attack on RSA of OpenSSL in a practical environment, the experimental results show that the feasibility and effectiveness of I-Cache timing attack can be improved.

Fan Zhang,Zhijie Jerry Shi

DOI: https://doi.org/10.1109/itng.2007.152

2007-01-01

Abstract:Power analysis can exploit the instantaneous power consumptions of elliptic curve cryptography (ECC) devices and retrieve secret keys. Many countermeasures have been proposed to make ECC implementations secure. One of the approaches is the randomized algorithms proposed by Oswald et al., which combine two scalar point multiplication algorithms and use random variables to decide which algorithm to follow at different stages of the computation. In this paper, we describe a power analysis attack that can break randomized automata proposed by Oswald et al. effectively, even with a small number of power traces

Hung-Min Sun,Mu-En Wu,Cheng-Ta Yang

DOI: https://doi.org/10.1587/transfun.e92.a.2326

2009-01-01

Abstract:This investigation proposes two methods for embedding backdoors in the RSA modulus N = pq rather than in the public exponent e. This strategy not only permits manufacturers to embed backdoors in an RSA system, but also allows users to choose any desired public exponent, such as e = 2(16) + 1, to ensure efficient encryption. This work utilizes lattice attack and exhaustive attack to embed backdoors in two proposed methods, called RSA(SBLT) and RSA(SBES), respectively. Both approaches involve straightforward steps, making their running time roughly the same as that of normal RSA key-generation time, implying that no one can detect the backdoor by observing time imparity.

Majid Mumtaz,Luo Ping

DOI: https://doi.org/10.1016/j.ins.2020.05.075

IF: 8.1

2020-01-01

Information Sciences

Abstract:Standard RSA cryptosystem becomes vulnerable, when private key d < N-0.292 is used inside CryptoChips of constrained devices, thus an alternate scheme is the Common Prime RSA (CP-RSA) variant, which provides cryptographic (decryption/signing) operations. In this paper, we perform a cryptanalytic attack on CP-RSA using lattice basis reduction method that is used to exploit possible vulnerabilities of RSA small private key attacks. In addition, we performed detail experiments on CP-RSA weak or overestimated bounds and compare results to the past studies. Our implemented cryptanalytic attack implicates more precise and direct method to exploit the CP-RSA existing theoretical and experimental bounds. Also, our results prove that CP-RSA is an effective approach that provides resistance against standard RSA small private key attacks. (C) 2020 Elsevier Inc. All rights reserved.

Ting-Yu Lin,Hung-Min Sun,Mu-En Wu

2006-01-01

Abstract:Young and Yung devised various backdoors for RSA key generation. However, due to their backdoor constructing method, the two MSBs of the modulus n generated by their systems have di¤erent distribution than that generated by the normal RSA. Thus, someone may observe the abnormal distribution of n to detect the existence of backdoors. Recently, Crepéau and Slakmon further suggested four simple ways to construct RSA backdoor mechanisms. Although their schemes have roughly the same running time as the normal RSA, they are still not StrongSETUPs. Hence, in this paper, we propose three RSA backdoor cryptosystems. The …rst two, RSA-SBLT and RSA-SBES, have the same advantages as Crépeau and Slakmon’s RSA-HP but provide new ways to construct the backdoors. As for our third backdoor cryptosystem, RSA-BDH, we exploit the relationship between p and q to devise a backdoor which can solve the problem occurring in Young and Yong’s methods successfully. Moreover, we prove that RSA-BDH is a real Strong-SETUP based on DH assumption.

Mengce Zheng

DOI: https://doi.org/10.1109/ACCESS.2024.3349633

2023-10-19

Abstract:We point out critical deficiencies in lattice-based cryptanalysis of common prime RSA presented in ``Remarks on the cryptanalysis of common prime RSA for IoT constrained low power devices'' [Information Sciences, 538 (2020) 54--68]. To rectify these flaws, we carefully scrutinize the relevant parameters involved in the analysis during solving a specific trivariate integer polynomial equation. Additionally, we offer a synthesized attack illustration of small private key attacks on common prime RSA.

Cryptography and Security

Yi Wu,Xingjun Wu

DOI: https://doi.org/10.1109/ISCE.2017.8355552

2017-01-01

Abstract:As one of the international public-key cryptographic standards, RSA is widely used in Smart IC card which is in the context of such a large number of users. The RSA key-generation inside the card IC is the most time-consumption procedure during the mass production of the cards. To reduce the time complexity, an optimized RSA key generation algorithm is proposed in this paper. The optimized algorithm was implemented to generate RSA key pairs based on the smart card chip called THD88. Experiments show the time to generate a 1024-bits RSA key-pair is 4.76 seconds on average under the system clock frequency of 20MHz, and is much less than other similar products. Testing results show that the time-consumption distribution fits 3 sigma distribution, and meets the requirements of the engineering application as well.

lihui wang,qing li,zhimin zhang,weijun shan,davidwei zhang

DOI: https://doi.org/10.2991/iset-15.2015.33

2015-01-01

Abstract:Elliptic curve cryptosystems (ECCs) are becoming more popular because of the reduced number of key bits required in comparison to other cryptosystems such as RSA. They are especially suited to smartcards because of the limited memory and computational power available on these devices. However, the side-channel attacks especially simple side-channel analysis (SPA) can obtain information about the cryptosystem by measuring power consumption and processing time. To resist this attack there appear a number of countermeasures and the most widely used methods are Montgomery ladder and double-and-add-always algorithm. This paper proposes a novel simple power analysis attack to these countermeasures. Experimental results on smart cards demonstrate that this attack method can retrieve secret keys by distinguishing the conditional subtraction of Montgomery modular multiplication (MMM). Several countermeasures that can resist this kind of SPA attack are also demonstrated in this paper.

Joseph McMahan,Weilong Cui,Liang Xia,Jeff Heckey,Frederic T. Chong,Timothy Sherwood

DOI: https://doi.org/10.1109/hst.2017.7951806

2017-05-01

Abstract:On-chip memory is regarded by most secure system designers as a safe memory space, beyond the eyes of all but the most sophisticated attackers. Once a value is overwritten or the power has been removed, it is assumed that the data stored inside fully ceases to persist. However, as writes occur, the bit cells gradually wear; if data is written in an asymmetric way (with repeated writes of the same data), the stored information can later be partially reconstructed solely from statistical measurements of the cells&#x27; startup states. We present a technique for measuring the vulnerability of memory systems to such wear-in leakage, modeling the process as the recovery of bits from a noisy channel. We demonstrate our techniques on a 130nm SRAM device and demonstrate that if no countermeasures are used, a very simple prediction model is able to correctly reconstruct 27% of the bits of the written secret — enough to probabilistically reconstruct an RSA key.