We then compute two partial signatures, each using one of these two numbers the first partial signature, s1, equals m dp (mod p), while the second, s2, equals m dq (mod q). Given the private exponent d, we calculate two values, dp and dq, as: dp=d (mod (p-1)) and dq=d (mod (q-1)). The CRT splits up the single large calculation into two smaller ones before stitching their results together. For this reason, many cryptography libraries use the Chinese Remainder Theorem (CRT) to speed up decryption and signing.
This algorithm is effective, but when the numbers involved increase to the necessary size for security, the computation begins to take an extremely long time. Here, s represents the signature, m the message, d the private exponent, and n the public key. Normally, an RSA signing operation would use this algorithm: s=m d (mod n). After analyzing both a toy program and the mbed TLS implementation of RSA, I identified bits in memory that leak private keys when flipped. I analyzed fault attacks at a low level rather than in a mathematical context. I looked at an optimization of RSA signing that uses the Chinese Remainder Theorem (CRT) and induced calculation faults that reveal private keys. This spring and summer, as an intern at Trail of Bits, I researched modeling fault attacks on RSA signatures.
0 kommentar(er)
