Hey everyone, The patched version of rw.cpp is attached. It contains the patch proposed by the authors of the paper. A patch to CryptoJPM should go live within the next 24 hours.
We should offer the corrected file at least in the wiki at least at the rabin-williams page (there's no such page yet) or maybe at the main page. We could also note on the main page that there's an security issue with rabin-williams and one should patch the file with the provided one. Concerning the how could the bug be in there: Someone tried to protect Rabin-Williams against timing attacks by blinding the signed value. This defense works. However as the blinding factor seems not to be chosen carefully enough it looks like x^2=y^2 (mod n), with x and y being signatures on a message and n being the modulus always holds and in some bad cases if some properties of the blinding factor comes into the mix one can factor n using GCD(n,y-x). I'm not sure if this explication makes sense, but read the paper <https://eprint.iacr.org/2015/368.pdf> for the full details. BR JPM Am 24.04.2015 um 12:34 schrieb Jean-Pierre Münch: > Hey Guys, > > there's a recent publication claiming to have broken Crypto++'s > Rabin-Wiliams signature scheme. > The author claims to be able to recover the private key as soon as the > same message is signed twice under the same private key. > I haven't yet read the paper but wanted to inform you guys ASAP. > > Paper <https://eprint.iacr.org/2015/368.pdf> > CVE-2015-2141 > > As soon as I've read the paper I'll inform you guys about the details > and a possible fix which will go live in CryptoJPM asap. > > BR > > JPM > -- > -- > You received this message because you are subscribed to the "Crypto++ > Users" Google Group. > To unsubscribe, send an email to > [email protected]. > More information about Crypto++ and this group is available at > http://www.cryptopp.com. > --- > You received this message because you are subscribed to the Google > Groups "Crypto++ Users" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to [email protected] > <mailto:[email protected]>. > For more options, visit https://groups.google.com/d/optout. -- -- You received this message because you are subscribed to the "Crypto++ Users" Google Group. To unsubscribe, send an email to [email protected]. More information about Crypto++ and this group is available at http://www.cryptopp.com. --- You received this message because you are subscribed to the Google Groups "Crypto++ Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
// rw.cpp - written and placed in the public domain by Wei Dai
#include "pch.h"
#include "rw.h"
#include "nbtheory.h"
#include "asn.h"
#ifndef CRYPTOPP_IMPORTS
NAMESPACE_BEGIN(CryptoPP)
void RWFunction::BERDecode(BufferedTransformation &bt)
{
BERSequenceDecoder seq(bt);
m_n.BERDecode(seq);
seq.MessageEnd();
}
void RWFunction::DEREncode(BufferedTransformation &bt) const
{
DERSequenceEncoder seq(bt);
m_n.DEREncode(seq);
seq.MessageEnd();
}
Integer RWFunction::ApplyFunction(const Integer &in) const
{
DoQuickSanityCheck();
Integer out = in.Squared()%m_n;
const word r = 12;
// this code was written to handle both r = 6 and r = 12,
// but now only r = 12 is used in P1363
const word r2 = r/2;
const word r3a = (16 + 5 - r) % 16; // n%16 could be 5 or 13
const word r3b = (16 + 13 - r) % 16;
const word r4 = (8 + 5 - r/2) % 8; // n%8 == 5
switch (out % 16)
{
case r:
break;
case r2:
case r2+8:
out <<= 1;
break;
case r3a:
case r3b:
out.Negate();
out += m_n;
break;
case r4:
case r4+8:
out.Negate();
out += m_n;
out <<= 1;
break;
default:
out = Integer::Zero();
}
return out;
}
bool RWFunction::Validate(RandomNumberGenerator &rng, unsigned int level) const
{
bool pass = true;
pass = pass && m_n > Integer::One() && m_n%8 == 5;
return pass;
}
bool RWFunction::GetVoidValue(const char *name, const std::type_info
&valueType, void *pValue) const
{
return GetValueHelper(this, name, valueType, pValue).Assignable()
CRYPTOPP_GET_FUNCTION_ENTRY(Modulus)
;
}
void RWFunction::AssignFrom(const NameValuePairs &source)
{
AssignFromHelper(this, source)
CRYPTOPP_SET_FUNCTION_ENTRY(Modulus)
;
}
// *****************************************************************************
// private key operations:
// generate a random private key
void InvertibleRWFunction::GenerateRandom(RandomNumberGenerator &rng, const
NameValuePairs &alg)
{
int modulusSize = 2048;
alg.GetIntValue("ModulusSize", modulusSize) ||
alg.GetIntValue("KeySize", modulusSize);
if (modulusSize < 16)
throw InvalidArgument("InvertibleRWFunction: specified modulus
length is too small");
AlgorithmParameters primeParam =
MakeParametersForTwoPrimesOfEqualSize(modulusSize);
m_p.GenerateRandom(rng, CombinedNameValuePairs(primeParam,
MakeParameters("EquivalentTo", 3)("Mod", 8)));
m_q.GenerateRandom(rng, CombinedNameValuePairs(primeParam,
MakeParameters("EquivalentTo", 7)("Mod", 8)));
m_n = m_p * m_q;
m_u = m_q.InverseMod(m_p);
}
void InvertibleRWFunction::BERDecode(BufferedTransformation &bt)
{
BERSequenceDecoder seq(bt);
m_n.BERDecode(seq);
m_p.BERDecode(seq);
m_q.BERDecode(seq);
m_u.BERDecode(seq);
seq.MessageEnd();
}
void InvertibleRWFunction::DEREncode(BufferedTransformation &bt) const
{
DERSequenceEncoder seq(bt);
m_n.DEREncode(seq);
m_p.DEREncode(seq);
m_q.DEREncode(seq);
m_u.DEREncode(seq);
seq.MessageEnd();
}
Integer InvertibleRWFunction::CalculateInverse(RandomNumberGenerator &rng,
const Integer &x) const
{
DoQuickSanityCheck();
ModularArithmetic modn(m_n);
Integer r, rInv;
do { // do this in a loop for people using small numbers for testing
r.Randomize(rng, Integer::One(), m_n - Integer::One());
rInv = modn.MultiplicativeInverse(r);
} while (rInv.IsZero() || (Jacobi(r % m_p,m_p)==-1) || (Jacobi(r %
m_q,m_q)==-1));
Integer re = modn.Square(r);
re = modn.Multiply(re, x); // blind
Integer cp=re%m_p, cq=re%m_q;
if (Jacobi(cp, m_p) * Jacobi(cq, m_q) != 1)
{
cp = cp.IsOdd() ? (cp+m_p) >> 1 : cp >> 1;
cq = cq.IsOdd() ? (cq+m_q) >> 1 : cq >> 1;
}
#pragma omp parallel
#pragma omp sections
{
#pragma omp section
cp = ModularSquareRoot(cp, m_p);
#pragma omp section
cq = ModularSquareRoot(cq, m_q);
}
Integer y = CRT(cq, m_q, cp, m_p, m_u);
y = modn.Multiply(y, rInv); // unblind
y = STDMIN(y, m_n-y);
if (ApplyFunction(y) != x) // check
throw Exception(Exception::OTHER_ERROR, "InvertibleRWFunction:
computational error during private key operation");
return y;
}
bool InvertibleRWFunction::Validate(RandomNumberGenerator &rng, unsigned int
level) const
{
bool pass = RWFunction::Validate(rng, level);
pass = pass && m_p > Integer::One() && m_p%8 == 3 && m_p < m_n;
pass = pass && m_q > Integer::One() && m_q%8 == 7 && m_q < m_n;
pass = pass && m_u.IsPositive() && m_u < m_p;
if (level >= 1)
{
pass = pass && m_p * m_q == m_n;
pass = pass && m_u * m_q % m_p == 1;
}
if (level >= 2)
pass = pass && VerifyPrime(rng, m_p, level-2) &&
VerifyPrime(rng, m_q, level-2);
return pass;
}
bool InvertibleRWFunction::GetVoidValue(const char *name, const std::type_info
&valueType, void *pValue) const
{
return GetValueHelper<RWFunction>(this, name, valueType,
pValue).Assignable()
CRYPTOPP_GET_FUNCTION_ENTRY(Prime1)
CRYPTOPP_GET_FUNCTION_ENTRY(Prime2)
CRYPTOPP_GET_FUNCTION_ENTRY(MultiplicativeInverseOfPrime2ModPrime1)
;
}
void InvertibleRWFunction::AssignFrom(const NameValuePairs &source)
{
AssignFromHelper<RWFunction>(this, source)
CRYPTOPP_SET_FUNCTION_ENTRY(Prime1)
CRYPTOPP_SET_FUNCTION_ENTRY(Prime2)
CRYPTOPP_SET_FUNCTION_ENTRY(MultiplicativeInverseOfPrime2ModPrime1)
;
}
NAMESPACE_END
#endif
smime.p7s
Description: S/MIME Cryptographic Signature
