On Bugs and Ciphers: New Techniques in Cryptanalysis
Yaniv Carmeli

Technion - Computer Science Department - Ph.D. Thesis PHD-2015-01 - 2015

Research Thesis
Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy

Yaniv Carmeli

Submitted to the Senate of the Technion - Israel Institute of Technology
Haifa, Adar 5775, March 2015

The research thesis was done under the supervision of Prof. Eli Biham in the Computer Science Department.
The generous financial support of the Technion is gratefully acknowledged.

Contents

Abstract . . . 1
1 Introduction . . . 3
2 Bug Attacks . . . 9
2.1 Introduction . . . 9
2.1.1 Introduction to Side Channel Attacks (SCA) . . . 13
2.1.2 Fault Attacks . . . 14
2.2 Overview of Our Methods and Notations . . . 15
2.2.1 Multiplication of Big Numbers . . . 16
2.2.2 Notations . . . 16
2.2.3 Methods . . . 16
2.2.4 Complexity Analysis . . . 17
2.2.5 Exponentiation Algorithms . . . 17
2.2.6 Remarks . . . 18
2.3 Bug Attack on CRT-RSA with One Chosen Ciphertext . . . 19
2.4 Bug Attacks on LTOR Exponentiations . . . 20
2.4.1 Bug Attacks on Pohlig-Hellman . . . 21
2.4.2 Bug Attacks on RSA . . . 25
2.4.3 Bug Attacks on OAEP . . . 29
2.5 Bug Attacks on RTOL Exponentiations . . . 30
2.5.1 Bug Attacks on Pohlig-Hellman . . . 30
2.5.2 Bug Attacks on RSA . . . 32
2.5.3 Bug Attacks on OAEP Implementations that use RTOL . . . 34
2.6 Bug Attacks Using the Legendre Symbol and Square Roots . . . 35
2.6.1 Bug Attacks on Pohlig-Hellman Implementations that use RTOL . . . 35
2.6.2 Bug Attacks on Pohlig-Hellman Implementations that use LTOR . . . 38
2.7 Vulnerabilities of Other Kinds of Schemes . . . 44
2.7.1 Elliptic Curve Schemes . . . 44
2.7.2 Bug Attacks on Symmetric Primitives . . . 45
2.8 Summary and Countermeasures . . . 45
2.A Brief Descriptions of Several Cryptosystems . . . 46
2.A.1 The Pohlig-Hellman Cryptosystem and Pohlig-Hellman-Shamir Protocol . . . 46
2.A.2 The RSA Cryptosystem . . . 48
2.A.3 RSA Decryption Using CRT . . . 48
2.A.4 OAEP . . . 49
2.B Known Hardware Bugs . . . 50
3 Efficient Reconstruction of RC4 Keys from Internal States . . . 53
3.1 Introduction . . . 53
3.1.1 Previous Attacks . . . 54
3.1.2 Outline of Our Contribution . . . 57
3.1.3 Organization of the Chapter . . . 58
3.2 The RC4 Stream Cipher . . . 58
3.2.1 Properties of RC4 Keys . . . 60
3.2.2 Notations . . . 60
3.3 Previous Techniques . . . 61
3.4 Our Observations . . . 63
3.4.1 Subtracting Equations . . . 64
3.4.2 Using Counting Methods . . . 66
3.4.3 The Sum of the Key Bytes . . . 67
3.4.4 Adjusting Weights and Correcting Equations . . . 69
3.4.5 Refining the Set of Equations . . . 70
3.4.6 Heuristic Pruning of the Search . . . 72
3.5 The Algorithm . . . 73
3.6 Efficient Implementation . . . 73
3.7 Discussion . . . 76
4 An Improvement of Linear Cryptanalysis with Addition Operations with Applications to FEAL-8X . . . 79
4.1 Introduction . . . 79
4.2 The Cipher FEAL-8X . . . 81
4.2.1 An Equivalent Description of FEAL-8X . . . 83
4.3 First Attack: Finding the Key Using 2^15 Known Plaintexts . . . 84
4.3.1 The Linear Approximations . . . 85
4.3.2 The Basic Attack . . . 85
4.3.3 Matching Subkeys from the Backward and Forward Directions . . . 88
4.3.4 Retrieving the Rest of the Subkeys . . . 89
4.4 Our Partitioning Technique: Finding the Key Using 2^14 Known Plaintexts . . . 91
4.4.1 A Simplified Example . . . 92
4.4.2 The Attack . . . 94
4.5 Attacking FEAL-8X Using 2^10 Known Plaintexts with Complexity 2^62 . . . 95
4.6 Attacks with a Few Known or Chosen Plaintexts . . . 96
4.6.1 Differential and Linear Exhaustive Search Attacks . . . 96
4.6.2 Meet in the Middle Attacks . . . 98
4.7 Summary . . . 99
4.A Retrieving the FEAL-8X Key from the Actual Subkeys . . . 100
4.A.1 The Key Processing Algorithm . . . 100
4.A.2 Finding the Key . . . 102
4.B Efficient Implementation . . . 104
Abstract in Hebrew . . . א

List of Figures

3.1 Two Probable Alternatives to the Positions of the Indices i and j Right Before the Assignment S[i'] ← x Occurred . . . 71
4.1 The Outline of FEAL-8 and of the F-function . . . 82
4.2 Equivalent Description of FEAL-8X Without Whitening at the End . . . 84
4.3 Approximation 1: A Six-Round Approximation with Bias 2^-6 . . . 86
4.4 Approximation 2: A Six-Round Approximation with Bias 2^-6 . . . 87
4.5 The Approximation of the Seventh Round . . . 92
4.6 The Key Processing Algorithm and the F_k Function . . . 101

List of Algorithms

2.1 The Two Basic Exponentiation Algorithms . . . 18
2.2 Basic Adaptive Chosen-Ciphertext Attack Against Pohlig-Hellman with LTOR . . . 22
2.3 Improved Adaptive Chosen-Ciphertext Attack Against Pohlig-Hellman with LTOR . . . 23
2.4 Adaptive Chosen-Ciphertext Attack Against RSA with LTOR . . . 26
2.5 Chosen-Ciphertext Attack Against RSA with LTOR . . . 28
2.6 Chosen-Ciphertext Attack Against Pohlig-Hellman with RTOL . . . 31
2.7 Chosen-Ciphertext Attack Against RSA with RTOL . . . 33
2.8 Adaptive Chosen-Ciphertext Attack Against RSA-OAEP with RTOL . . . 35
2.9 Chosen-Ciphertext Attack Against Pohlig-Hellman with RTOL . . . 37
2.10 Known-Plaintext Attack Against Pohlig-Hellman with RTOL . . . 38
2.11 Chosen-Ciphertext Attack Against Pohlig-Hellman with LTOR . . . 42
2.12 Known-Plaintext Attack Against Pohlig-Hellman with LTOR . . . 44
3.1 The RC4 Algorithms . . . 59
3.2 The FIND KEY Algorithm . . . 74
3.3 The Recursive REC SUBROUTINE Algorithm . . . 75
4.1 Basic Attack on FEAL-NX with 2^15 Messages . . . 88
4.2 Breaking FEAL in 2^112 Time and Only 5 Known Plaintexts . . . 97
4.3 Efficient Implementation of the Attack in Algorithm 4.1 . . . 105

List of Tables

2.1 Summary of the Presented Bug Attacks . . . 47
3.1 The Probabilities Given by Theorem 3.2 . . . 62
3.2 Success Probabilities and Running Time of the RecoverKey Algorithm of [65] . . . 64
3.3 Probabilities that s is Among the Four Highest Counters . . . 69
3.4 Empirical Results of the Proposed Attack . . . 77
4.1 The Subkeys of FEAL-8X and the Actual Subkeys of the Equivalent Descriptions . . . 83
4.2 A Mapping Between the Standard Notation for FEAL Subkeys and the Notation Used in this Appendix . . . 100
4.3 Relation Between the Bytes of the Decryption Actual Subkeys and the Subkeys of the Cipher . . . 102
4.4 Relation Between the Bytes of the Encryption Actual Subkeys and the Subkeys of the Cipher . . . 102

Abstract

This research thesis presents three independent contributions to cryptanalysis.

The first contribution is Bug Attacks, a new type of side-channel attack that takes advantage of bugs in hardware or software. The best known example of a bug in hardware is the Intel division bug, which resulted in slightly inaccurate results for extremely rare inputs. Whereas in most applications such bugs can be viewed as a minor nuisance, we show that in the case of RSA (even when protected by OAEP), Pohlig-Hellman, elliptic curve cryptography, and several other schemes, such bugs can be a security disaster: decrypting ciphertexts on any computer which multiplies even one pair of numbers incorrectly can lead to full leakage of the secret key, sometimes with a single well-chosen ciphertext. Bugs may also be planted by tampering with otherwise bug-free hardware. Recent documents leaked by Edward Snowden show that this is a method which is used by the US against intelligence targets.

The second contribution is an efficient algorithm for the retrieval of the RC4 secret key, given an internal state. The algorithm we present is several orders of magnitude faster than previously published algorithms. In the case of a 40-bit key, it takes only about 0.02 seconds to retrieve the key, with success probability of 86.4%. Even in cases where our algorithm cannot retrieve the entire key, it can retrieve partial information about the key. The key can also be retrieved if some of the bytes of the initial permutation are incorrect or missing.

The third contribution is an improvement to the linear cryptanalysis of ciphers that use addition operations, which we demonstrate on the block cipher FEAL-8X. Since its introduction 27 years ago, FEAL played a key role in the development of many cryptanalytic techniques, including differential and linear cryptanalysis. For its 25th anniversary Mitsuru Matsui announced a challenge for an improved known plaintext attack on FEAL-8X. We describe our attack as part of this challenge and introduce improvements to linear cryptanalysis that allow us to recover the key given 2^14 known plaintexts in about 14 hours of computation, and led us to win the challenge.
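The abstract's claim that one incorrect multiplication during decryption can expose the whole key, shown on CRT-RSA (the setting of Section 2.3) as an added Python simulation that is not the thesis's own code and does not reproduce its chosen-ciphertext construction: a modelled multiplier bug is injected into the mod-p half of the decryption, the faulty output yields a prime factor of N through a gcd, and the re-encryption check of the kind discussed under countermeasures withholds that output. The key, message and fault position are constructed toy values.

```python
from math import gcd

# Constructed toy CRT-RSA key, small enough to read; not a real or secure key.
P, Q = 1000003, 1000033
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)

def mul(a, b, mod, buggy=False):
    """Modular product; buggy=True models a multiplier that gets one
    particular operand pair wrong (the result is off by one bit)."""
    r = (a * b) % mod
    return (r ^ 1) % mod if buggy else r

def powmod(base, exp, mod, buggy_step=None):
    """Left-to-right square-and-multiply built on mul(); the multiplication
    numbered buggy_step (if any) is the one the modelled bug corrupts."""
    r, step = 1, 0
    for bit in bin(exp)[2:]:
        r = mul(r, r, mod, buggy=(step == buggy_step))
        step += 1
        if bit == "1":
            r = mul(r, base, mod, buggy=(step == buggy_step))
            step += 1
    return r

def crt_decrypt(c, buggy_step_p=None, verify=False):
    """CRT-RSA decryption. The bug, if triggered, fires only in the mod-p half."""
    sp = powmod(c % P, DP, P, buggy_step_p)
    sq = powmod(c % Q, DQ, Q)
    s = sq + Q * ((QINV * (sp - sq)) % P)
    if verify and pow(s, E, N) != c:
        return None  # countermeasure: withhold any result that does not re-encrypt to c
    return s

def factor_from_faulty_output(c, s_bad):
    """A faulty output is still correct mod q, so s_bad^e - c is divisible by q
    but not by p; the gcd with N therefore yields a prime factor."""
    g = gcd((pow(s_bad, E, N) - c) % N, N)
    return g if 1 < g < N else None

def demo(m=123456789, bad_step=5):
    c = pow(m, E, N)
    assert crt_decrypt(c) == m                     # bug-free path decrypts correctly
    s_bad = crt_decrypt(c, buggy_step_p=bad_step)  # one wrong product in the mod-p half
    leaked = factor_from_faulty_output(c, s_bad)   # the factor Q, i.e. the whole private key
    blocked = crt_decrypt(c, buggy_step_p=bad_step, verify=True)  # None: result withheld
    return leaked, blocked
```

The re-encryption check costs one public-key operation per decryption and turns a key-leaking fault into a refused request, which is why a bug-tolerant implementation verifies before releasing any CRT result.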