Abstract
We analyse whether the smartcards of the JavaCard platform correctly validate primality of domain parameters. The work is inspired by Albrecht et al. [1], where the authors analysed many open-source libraries and constructed pseudoprimes fooling the primality testing functions. However, in the case of smartcards, often there is no way to invoke the primality test directly, so we trigger it by replacing (EC)DSA and (EC)DH prime domain parameters by adversarial composites. Such a replacement results in vulnerability to Pohlig-Hellman [30] style attacks, leading to private key recovery.
Out of nine smartcards (produced by five major manufacturers) we tested (See https://crocs.fi.muni.cz/papers/primality_esorics20 for more information), all but one have no primality test in parameter validation. As the JavaCard platform provides no public primality testing API, the problem cannot be fixed by an extra parameter check, making it difficult to mitigate in already deployed smartcards.
Notes
1. The PCSC specification defines the general communication protocol between the card and the reader device.
References
1. Albrecht, M.R., Massimo, J., Paterson, K.G., Somorovsky, J.: Prime and prejudice: primality testing under adversarial conditions. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 281–298. ACM, New York (2018). https://doi.org/10.1145/3243734.3243787
2. American National Standard X9.62-1998, Public key cryptography for the financial services industry: the elliptic curve digital signature algorithm (ECDSA). Preliminary draft, Accredited Standards Committee X9 (1998)
3. Arnault, F.: Constructing Carmichael numbers which are strong pseudoprimes to several bases. J. Symb. Comput. 20(2), 151–161 (1995). https://doi.org/10.1006/jsco
4. Arnault, F.: Rabin-Miller primality test: composite numbers which pass it. Math. Comput. 64(209), 355–361 (1995). https://doi.org/10.1090/S0025-5718-1995-1260124-2
5. Bernstein, D.J., Lange, T.: SafeCurves: choosing safe curves for elliptic-curve cryptography (2017). https://safecurves.cr.yp.to/
6. Bernstein, D.J., Lange, T., Schwabe, P.: The security impact of a new cryptographic library. In: Hevia, A., Neven, G. (eds.) LATINCRYPT 2012. LNCS, vol. 7533, pp. 159–176. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33481-8_9
7. Biehl, I., Meyer, B., Müller, V.: Differential fault attacks on elliptic curve cryptosystems. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_8
8. Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., Moeller, B.: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS). RFC 4492, pp. 1–35. RFC Editor (2006)
9. Bleichenbacher, D.: Breaking a cryptographic protocol with pseudoprimes. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 9–15. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30580-4_2
10. Bröker, R.: Constructing elliptic curves of prescribed order. Thomas Stieltjes Institute for Mathematics (2006)
11. Checkoway, S., et al.: A systematic analysis of the juniper dual EC incident. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016, pp. 468–479 (2016). https://doi.org/10.1145/2976749.2978395
12. Dorey, K., Chang-Fong, N., Essex, A.: Indiscreet Logs: Persistent Diffie-Hellman Backdoors in TLS (2016). https://eprint.iacr.org/2016/999
13. EnigmaBridge: Curated list of JavaCard applications (2019). https://github.com/EnigmaBridge/javacard-curated-list. Accessed 17 Mar 2020
14. Federal Information Processing Standards Publication 186-4 Digital Signature Standard (DSS). Standard, National Institute for Standards and Technology (2013)
15. Fried, J., Gaudry, P., Heninger, N., Thomé, E.: A kilobit hidden SNFS discrete logarithm computation. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 202–231. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_8
16. Galbraith, S.D., Massimo, J., Paterson, K.G.: Safety in numbers: on the need for robust Diffie-Hellman parameter validation. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 379–407. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_13
17. Harkins, D.: Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES). RFC 5297, pp. 1–26. RFC Editor (2008)
18. Doc 9303 - Machine Readable Travel Documents. Document, International Civil Aviation Organization (2015)
19. IEEE Standard - Specifications for Public-Key Cryptography. Standard, IEEE Std 1363-2000 Working Group (2000)
20. Jancar, J.: ecgen (2019). https://github.com/J08nY/ecgen
21. Jancar, J., Svenda, P.: ECTester (2019). https://crocs-muni.github.io/ECTester/
22. Massimo, J., Paterson, K.G.: A Performant, Misuse-Resistant API for Primality Testing (2020). https://eprint.iacr.org/2020/065
23. Miller, G.L.: Riemann's hypothesis and tests for primality. In: Proceedings of the Seventh Annual ACM Symposium on Theory of Computing, STOC 1975, Albuquerque, New Mexico, USA, pp. 234–239. ACM (1975). https://doi.org/10.1145/800116.803773
24. Monier, L.: Evaluation and comparison of two efficient probabilistic primality testing algorithms. Theor. Comput. Sci. 12(1), 97–108 (1980). https://doi.org/10.1016/0304-3975(80)90007-9
25. Nemec, M., Sys, M., Svenda, P., Klinec, D., Matyas, V.: The return of coppersmith's attack: practical factorization of widely used RSA moduli. In: 24th ACM Conference on Computer and Communications Security (CCS 2017), pp. 1631–1648. ACM, New York (2017). https://doi.org/10.1145/3133956.3133969
26. Nir, Y., Josefsson, S., Pegourie-Gonnard, M.: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier. RFC 8422, pp. 1–34. RFC Editor (2018)
27. Special Publication 800-89: Recommendation for Obtaining Assurances for Digital Signature Applications. Standard, National Institute for Standards and Technology (2006)
28. NSA: Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601) (2020). https://nvd.nist.gov/vuln/detail/CVE-2020-0601. Accessed 17 Mar 2020
29. Oracle: Java Card API 3.0.5, Classic Edition (2019). https://docs.oracle.com/javacard/3.0.5/api/index.html. Accessed 17 Mar 2020
30. Pohlig, S., Hellman, M.: An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Trans. Inf. Theory 24(1), 106–110 (1978). https://doi.org/10.1109/TIT.1978.1055817
31. Polk, T., Housley, R., Bassham, L.: Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 3279, pp. 1–27. RFC Editor (2002)
32. Rabin, M.O.: Probabilistic algorithm for testing primality. J. Number Theory 12, 128–138 (1980). https://doi.org/10.1016/0022-314X(80)90084-0
33. Svenda, P.: JCAlgTest: detailed analysis of cryptographic smart cards running with JavaCard platform (2019). https://www.fi.muni.cz/xsvenda/jcalgtest/. Accessed 17 Mar 2020
34. Takahashi, A., Tibouchi, M.: Degenerate Fault Attacks on Elliptic Curve Parameters in OpenSSL (2019). https://eprint.iacr.org/2019/400
35. The CADO-NFS Development Team: CADO-NFS, An Implementation of the Number Field Sieve Algorithm. Release 2.3.0. (2017). http://cado-nfs.gforge.inria.fr
36. The Sage Developers: SageMath, the Sage Mathematics Software System (Version 8.9) (2019). https://www.sagemath.org
37. Washington, L.C.: Elliptic Curves: Number Theory and Cryptography, 2nd edn. Chapman & Hall/CRC, Boca Raton (2008)
Acknowledgements
The authors would like to thank K.G. Paterson, M. Sys, V. Matyas and anonymous reviewers for their helpful comments. J. Jancar was supported by the grant MUNI/C/1701/2018, V. Sedlacek by the Czech Science Foundation project GA20-03426S. Some of the tools used and P. Svenda were supported by the CyberSec4Europe Competence Network. Computational resources were supplied by the project e-INFRA LM2018140.
Appendix
1 The Miller-Rabin Primality Test
The MR test [23, 32] was one of the first practical primality tests and remains very popular to this day because of its simplicity and efficiency. In particular, we believe that if a low-resource device such as a smartcard (shortened to card for the rest of the text) uses a primality test at all, MR is the most probable choice (perhaps followed by the Lucas test, which does not seem to be that widespread, and the Baillie-PSW test, which combines the two), as most other tests are too resource-heavy.
However, the MR test cannot be used to prove that a number is prime; only compositeness can be proven. It relies on the fact that there are no nontrivial square roots of unity modulo a prime (if \(x^2 \equiv 1 \pmod{p}\) for a prime p, then \(x \equiv \pm 1 \pmod{p}\)). More precisely, let n be the odd number we want to test for primality and write \(n-1 = 2^s d\), where d is odd. If n is prime, Fermat's Little Theorem together with the fact above implies that for any \(1 \le a < n\), we have either \(a^d\equiv 1 \pmod {n}\) or \(a^{2^i d}\equiv -1 \pmod {n}\) for some \(0 \le i < s\). By taking the contrapositive, if there is some \(1 \le a < n\) such that none of these congruences hold, then n is composite (and a is called a witness of compositeness for n). However, if at least one of the congruences holds for a composite n, we say that n is a (strong) pseudoprime with respect to base a (or that a is a non-witness of compositeness for n, or also a liar for n). The Monier-Rabin bound [24] limits the number S(n) of such bases \(1 \le a < n\) for any odd composite \(n > 9\): \(S(n) \le \frac{\varphi (n)}{4}\), where \(\varphi \) is the Euler totient function.
Since \(\varphi (n) \approx n\) for large n, this gives a practical upper bound on the fraction of bases that pass the test for a given composite n: at most about one quarter. Thus if we repeat the test t times with independently chosen random a's, the probability that a composite n fools the MR test is at most \((\frac{1}{4})^t\).
The fact that the a’s were picked randomly is crucial for the guarantees above. If the bases are fixed and known in advance (as in [1]), it is possible to construct a pseudoprime (see Appendix 2), i.e., a number that passes the test with respect to these bases.
2 Constructing Pseudoprimes
We will briefly describe how to generate pseudoprimes having 3 prime factors with respect to given distinct prime bases \(a_1,\dots , a_t\) according to [1] and [3], where more details can be found. The whole method can be summarised as follows:
1. Choose t odd prime bases \(a_1< \dots < a_t\) (we always choose the first t smallest primes) and let \(A:=\{a_1,\dots ,a_t\}\).
2. Let \(k_1 = 1\) and choose distinct \(k_2,k_3 \in \mathbb {Z}\), \(k_2,k_3 > a_t\), coprime to each other and to 4a for every \(a \in A\) (so that the inverses \(k_j^{-1} \bmod 4a\) used below exist; see Table 1).
3. For each \(a\in A\), compute the set \(S_a\) of residues modulo 4a of primes p such that \(\left( \frac{a}{p}\right) = -1\). This can be done constructively by looping over the odd values \(x\in \{1,3,\dots , 4a-1\}\) coprime to a and adding x to \(S_a\) iff \(\left( \frac{x}{a}\right) (-1)^{(x-1)(a-1)/4} = -1\) (using quadratic reciprocity).
4. For each \(a\in A\), compute the intersection \(R_a:= \bigcap _{j=1}^{3} k_j^{-1}(S_{a} + k_j -1)\), where \(k_j^{-1}(S_{a} + k_j -1)\) denotes the set \(\{k_j^{-1}(s + k_j -1) \bmod 4a \mid s \in S_a \}\). If any \(R_a\) is empty, go back to step 2.
5. For each \(a\in A\), randomly pick an element \(r_a \in R_a\). (The moduli 4a all share the factor 4, so the \(r_a\) must agree modulo 4 for the system in the next step to be solvable.)
6. Using the Chinese Remainder Theorem, find \(p_1\) such that
$$ p_1 \equiv -k_3^{-1} \pmod {k_2}, \quad p_1 \equiv -k_2^{-1} \pmod {k_3} \quad \text { and } \quad p_1 \equiv r_a \pmod {4a} \text { for all } a\in A.$$
The first two congruences are exactly what makes \(p_2-1\) and \(p_3-1\) divide \(n-1\) for \(n = p_1p_2p_3\) as defined in the next step.
7. Compute \(p_2=k_2(p_1-1)+1\) and \(p_3=k_3(p_1-1)+1\). If all of \(p_1,p_2,p_3\) are prime, then \(n = p_1p_2p_3\) is a pseudoprime with respect to all bases \(a\in A\). Otherwise, go back to step 4 (or even to step 2 or 1 after a certain amount of time has passed).
If we take \(a_1=2\) and enforce the condition \(p_1\equiv 3 \pmod {8}\) (by slightly tweaking some steps above), the constructed pseudoprimes will meet the Monier-Rabin bound (maximizing the probability of passing the test for a random base choice) and will also pass the MR test for any composite base with no prime divisors greater than \(a_t\) [1].
Recall that Carmichael numbers are composite n that divide \(a^{n-1}-1\) for all \(a\in \mathbb {Z}\) coprime to n. Equivalently, a composite integer n is a Carmichael number if and only if n is square-free, and \(p-1 \mid n-1\) for all prime divisors p of n [24]. The pseudoprimes generated in this way are automatically Carmichael numbers [1] and we are using this fact in Sect. 4.8.
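The following Python is an added example, not the paper's own scripts: it implements one MR round as defined in Appendix 1 and the seven-step construction above, in the variant with \(a_1 = 2\) and \(p_1 \equiv 3 \pmod 8\) that meets the Monier-Rabin bound. Assumptions not taken from the page: \(k_2, k_3\) are searched for (restricted to \(k \equiv 1 \pmod 4\), which keeps every \(p_j \equiv 3 \pmod 8\)) instead of being read from Table 1; the \(r_a\) are enumerated rather than picked at random; the shared mod-4 part of the 4a moduli is folded into the single condition \(p_1 \equiv 3 \pmod 8\); the CRT congruences are taken as \(p_1 \equiv -k_3^{-1} \pmod{k_2}\), \(p_1 \equiv -k_2^{-1} \pmod{k_3}\), which is what makes \(p_2-1\) and \(p_3-1\) divide \(n-1\); the candidate \(p_j\) are tested with a 12-base MR test (sound below \(3.3 \cdot 10^{24}\)); and the Carmichael number \(8911 = 7 \cdot 19 \cdot 67\) (all factors \(\equiv 3 \pmod 4\)) is my choice for checking that S(n) can reach \(\varphi(n)/4\) exactly.

```python
from itertools import product
from math import gcd

# MR with these 12 bases is deterministic for n < 3.3e24 (enough for the p_j found here).
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def mr_round(n, a):
    """One Miller-Rabin round, odd n > 2, 1 <= a < n. True: a is a liar for n
    (n may be prime); False: a is a witness, n is composite."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False


def is_prime(n):
    """Trial division by SMALL_PRIMES, then one MR round per base (sound below 3.3e24)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    return all(mr_round(n, a) for a in SMALL_PRIMES)


def count_liars(n):
    """S(n): bases 1 <= a < n passing one MR round; Monier-Rabin: S(n) <= phi(n)/4."""
    return sum(mr_round(n, a) for a in range(1, n))


def legendre(x, a):
    """Legendre symbol (x/a) for an odd prime a, by Euler's criterion."""
    v = pow(x, (a - 1) // 2, a)
    return -1 if v == a - 1 else v


def residue_set(a):
    """Step 3: S_a = residues mod 4a (mod 8 for a = 2) of primes p with (a/p) = -1."""
    if a == 2:
        return {3, 5}, 8                      # (2/p) = -1 iff p = +-3 (mod 8)
    m, S = 4 * a, set()
    for x in range(1, m, 2):                  # reciprocity needs odd x coprime to a
        if x % a and legendre(x, a) * (-1) ** ((x - 1) // 2 * ((a - 1) // 2)) == -1:
            S.add(x)
    return S, m


def candidate_residues(a, ks):
    """Step 4: R_a = intersection over k_j of k_j^{-1}(S_a + k_j - 1) mod 4a, keeping
    only residues = 3 (mod 4) so that the congruences for different a agree mod 4."""
    S, m = residue_set(a)
    R = None
    for k in ks:
        shifted = {pow(k, -1, m) * (s + k - 1) % m for s in S}
        R = shifted if R is None else R & shifted
    return sorted(r for r in R if r % 4 == 3), m


def crt(congruences):
    """Solve x = r (mod m) over pairwise coprime moduli; returns (x, product of moduli)."""
    x, M = 0, 1
    for r, m in congruences:
        x += M * ((r - x) * pow(M, -1, m) % m)
        M *= m
    return x % M, M


def construct_pseudoprime(bases, k_max=100, scan=2000):
    """Steps 1-7 with p_1 = 3 (mod 8) and k_2, k_3 = 1 (mod 4), so every p_j = 3 (mod 8)
    and n meets the Monier-Rabin bound. Returns (n, (p1, p2, p3), (k2, k3)) or None."""
    a_t = max(bases)
    ks = [k for k in range(a_t + 1, k_max) if k % 4 == 1 and all(k % a for a in bases)]
    for i, k2 in enumerate(ks):                         # step 2
        for k3 in ks[i + 1:]:
            if gcd(k2, k3) != 1:
                continue
            choices = []
            for a in bases:
                R, m = candidate_residues(a, (1, k2, k3))
                if not R:
                    break                               # R_a empty: back to step 2
                mod = 8 if a == 2 else a                # mod-4 part is shared by all a
                choices.append([(r % mod, mod) for r in R])
            else:
                fixed = [(-pow(k3, -1, k2) % k2, k2), (-pow(k2, -1, k3) % k3, k3)]
                if 2 not in bases:
                    fixed.append((3, 8))
                for combo in product(*choices):         # step 5, exhaustive not random
                    x, M = crt(fixed + list(combo))     # step 6
                    for j in range(scan):               # step 7
                        p1 = x + j * M
                        p2, p3 = k2 * (p1 - 1) + 1, k3 * (p1 - 1) + 1
                        if p1 > a_t and all(map(is_prime, (p1, p2, p3))):
                            return p1 * p2 * p3, (p1, p2, p3), (k2, k3)
    return None


if __name__ == "__main__":
    n, ps, ks = construct_pseudoprime((2, 3, 5, 7))
    print("n =", n, "=", " * ".join(map(str, ps)), "with (k2, k3) =", ks)
    print("liars among bases 2,3,5,7:", [a for a in (2, 3, 5, 7) if mr_round(n, a)])
    print("S(8911) =", count_liars(8911), "= phi(8911)/4 =", 6 * 18 * 66 // 4)
```

The returned n passes one MR round for every base in A and for every product of those bases, exactly as the text claims, while bases with a prime factor larger than \(a_t\) expose it with probability about 3/4 each; a card that runs MR only against a fixed list of small bases therefore accepts n as prime. Since all \(p_j \equiv 3 \pmod 4\), a base is a liar iff \(\left(\frac{a}{p_j}\right)\) takes the same value for all three \(p_j\), which is why S(8911) comes out as exactly \(\varphi(8911)/4\).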
2.1 Generated Domain Parameters
The generated domain parameters and scripts used to generate them and produce our results are available at https://crocs.fi.muni.cz/papers/primality_esorics20.
3 Examples of Attacks
3.1 ECDSA/ECDH: Composite n
This case uses the 10-factor n parameters specified in Appendix 2.1. Such a smooth curve order allows a direct application of the Pohlig-Hellman algorithm [30] for computing discrete logarithms to recover the private key.
The SageMath [36] script (published together with the parameters, see Appendix 2.1) recovered the private key on a 256-bit curve in about 7 s on an ordinary laptop, whereas computing such a discrete logarithm on a standard 256-bit curve is currently computationally infeasible.
3.2 ECDSA/ECDH: Composite p
This case uses the 10-factor p parameters specified in Appendix 2.1. A curve over \(\mathbb{Z}_p\) with composite p decomposes, via the CRT, into ten much smaller curves over the prime fields \(\mathbb{F}_{p_i}\) for the prime divisors \(p_i\) of p. On these curves it is trivial to compute the discrete logarithm of the public key, and the discrete logarithm (i.e., the private key) on the original curve is then recovered via the CRT.
The SageMath script (published together with the parameters) recovered the private key on a 256-bit curve in about 9 s on an ordinary laptop.
3.3 DSA/DH: Composite q
In the case of composite q in DSA/DH, the Pohlig-Hellman algorithm [30] applies again. The SageMath script (published together with the parameters) recovered the private key from a public key using the 1024-bit DSA/DH parameters given in Appendix 2.1 in 35 min on one Intel Xeon X7560 @ 2.26 GHz processor.
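As an added example (not the paper's SageMath script, and using toy parameters constructed here rather than the 1024-bit set from Appendix 2.1), the following Python runs the Pohlig-Hellman attack of Sect. 3.3 end to end. The constructed modulus is the Mersenne prime \(p = 2^{31}-1\), which is genuinely prime, while the adversarial subgroup order \(q = (p-1)/2 = 2^{30}-1 = 3^2 \cdot 7 \cdot 11 \cdot 31 \cdot 151 \cdot 331\) is composite and smooth; a card that never tests q for primality accepts it. The private key SECRET_X, the generator search and the per-prime brute-force discrete logarithm are my choices. The same algorithm recovers the key in the composite-n case of Sect. 3.1, with the curve group in place of \(\mathbb{Z}_p^*\).

```python
# Constructed toy DSA/DH parameters (not from the paper): p is prime, q is not.
P = 2**31 - 1                            # Mersenne prime, a perfectly valid modulus
Q = (P - 1) // 2                         # 2^30 - 1 = 3^2 * 7 * 11 * 31 * 151 * 331
SECRET_X = 123456789                     # the victim's private key, 0 < x < Q


def factorize(n):
    """Trial-division factorisation {prime: exponent}; fine for the small q used here."""
    factors, r = {}, 2
    while r * r <= n:
        while n % r == 0:
            factors[r] = factors.get(r, 0) + 1
            n //= r
        r += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def find_generator(p, q):
    """Smallest h for which g = h^((p-1)/q) has order exactly q in Z_p^*."""
    for h in range(2, p):
        g = pow(h, (p - 1) // q, p)
        if all(pow(g, q // r, p) != 1 for r in factorize(q)):
            return g
    raise ValueError("no generator of order q")


def crt(residues, moduli):
    """Combine x = r_i (mod m_i) for pairwise coprime m_i."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        x += M * ((r - x) * pow(M, -1, m) % m)
        M *= m
    return x % M


def dlog_prime_power(g, y, p, q, r, e):
    """x mod r^e where y = g^x, ord(g) = q and r^e exactly divides q:
    recover one base-r digit per round, projecting into the order-r subgroup."""
    x, g_r = 0, pow(g, q // r, p)                          # g_r has order r
    for j in range(e):
        h = pow(y * pow(g, -x, p) % p, q // r ** (j + 1), p)
        d = next(k for k in range(r) if pow(g_r, k, p) == h)   # brute force, r is small
        x += d * r ** j
    return x


def pohlig_hellman(g, y, p, q):
    """Discrete log of y = g^x in the order-q subgroup, q smooth and factored by trial division."""
    residues, moduli = [], []
    for r, e in factorize(q).items():
        residues.append(dlog_prime_power(g, y, p, q, r, e))
        moduli.append(r ** e)
    return crt(residues, moduli)


def recover_private_key():
    """The attacker's view: g, p, q are public and y = g^x is the victim's public key."""
    g = find_generator(P, Q)
    y = pow(g, SECRET_X, P)
    return pohlig_hellman(g, y, P, Q)


if __name__ == "__main__":
    print("q =", Q, "=", factorize(Q))
    print("recovered x =", recover_private_key(), "expected", SECRET_X)
```

The work is dominated by the largest prime factor of q (331 exponentiations here), not by the size of p or q; with a 1024-bit p and a q built from small primes the cost stays in the same regime, which is why the paper's Sage run finishes in minutes rather than the CPU-years a prime q would demand.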
3.4 DSA/DH: Composite p
We used the CADO-NFS [35] implementation of the Number Field Sieve to demonstrate how easy it is to compute the discrete logarithm of a public key using the 1024-bit DSA/DH parameters given in Appendix 2.1. We computed the discrete logarithm in the order-q subgroup of \(\mathbb {Z}_{p_1}^*\), as it is the smallest group involved, \(p_1\) being only 336 bits long.
The computation took 70 min to recover the private key on three Intel Xeon X7560 @ 2.26 GHz processors (24 cores total), with a total CPU time of 22 h. Furthermore, this computation is generic for all public keys using the given domain parameters: the per-key computation is trivial and takes a few minutes at most.
Only one computation of a discrete logarithm for prime 1024-bit DSA/DH parameters is publicly known [15]. It exploited the fact that the prime was trapdoored and ran much faster than it would for random parameters. Even then, it took two months on a large computation cluster, with a total CPU time of 385 CPU years.
Copyright information
© 2020 Springer Nature Switzerland AG
Cite this paper
Sedlacek, V., Jancar, J., Svenda, P. (2020). Fooling Primality Tests on Smartcards. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds) Computer Security – ESORICS 2020. ESORICS 2020. Lecture Notes in Computer Science(), vol 12309. Springer, Cham. https://doi.org/10.1007/978-3-030-59013-0_11
DOI: https://doi.org/10.1007/978-3-030-59013-0_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-59012-3
Online ISBN: 978-3-030-59013-0