Regular 2 w -ary right-to-left exponentiation algorithm with very efficient DPA and FA countermeasures

With the growing demand of efficient cryptosystems, their secure implementations against various side-channel attacks and the fault attack are also requested from the practice. Several countermeasures are proposed so far, and this paper proposes a new regular 2 ^w -ary right-to-left exponentiation algorithm, which can be equipped with very efficient DPA (differential power attack) and FA (fault attack) countermeasures. Since its regular behavior clearly prevents the simple power analysis attack, the new algorithm gives a strong resistance to all the well-known major implementation attacks. This paper also gives a variant of the new algorithm for securely implementing the RSA cryptosystem with CRT (Chinese Remainder Theorem).     

有效解决RSA共模攻击的素数生成方案

RSA公钥密码体制是一种被广泛使用的公钥密码体制。为了求取RSA加密体制的加解密密钥,首先需要获得两个大素数。因此,大素数的选取及使用是保证RSA安全性的一个重要环节,不当的素数选取及使用将会使其很容易遭受攻击,共模攻击即为较常见的一种。针对这一问题,论文提出一种新的素数生成方案,保证为每一用户生成不同的大素数,消除RSA体制在使用中遭受共模攻击的可能,提高体制的安全性。     

Using templates to distinguish multiplications from squaring operations

Since side channel analysis was introduced as a method to recover secret information from an otherwise secure cryptosystem, many countermeasures have been proposed to prevent leakage from secure devices. Among these countermeasures is side channel atomicity that makes operations indistinguishable using side channel analysis. In this paper, we present practical results of an attack on RSA signature generation, protected in this manner, based on the expected difference in Hamming weight between the result of a multiplication and a squaring operation. This work presents the first attack that we are aware of where template analysis can be used without requiring an open device to characterize an implementation of a given cryptographic algorithm. Moreover, an attacker does not need to know the plaintexts being operated on and, therefore, blinding and padding countermeasures applied to the plaintext do not hinder the attack in anyway.     

Clustering Collision Power Attack on RSA-CRT

In this paper, we propose two new attack algorithms on RSA implementations with CRT (Chinese remainder theorem). To improve the attack efficiency considerably, a clustering collision power attack on RSA with CRT is introduced via chosen-message pairs. This attack method is that the key parameters d_p and d_q are segmented by byte, and the modular multiplication collisions are identified by k-means clustering. The exponents d_p and d_q were recovered by 12 power traces of six groups of the specific message pairs, and the exponent d was obtained. We also propose a second order clustering collision power analysis attack against RSA implementation with CRT, which applies double blinding exponentiation. To reduce noise and artificial participation, we analyze the power points of interest by preprocessing and k-means clustering with horizontal correlation collisions. Thus, we recovered approximately 91% of the secret exponents manipulated with a single power curve on RSA-CRT with countermeasures of double blinding methods.     

慎用中国剩余定理提高RSA算法效率

模幂运算的效率决定了RSA密码系统的执行速度。由于中国剩余定理对于提高RSA算法的模幂运算效率有显著作用,因而被广泛使用。但直接使用中国剩余定理是不安全的,容易受到出错攻击。文章就介绍了一种出错攻击方法,并给出了一些对抗这一攻击的具体措施。     

Cryptanalysis of a Type of CRT-Based RSA Algorithms

It is well known that the Chinese Remainder Theorem(CRT)can greatly improve the performances of RSA cryptosystem in both running times and memory requirements.However,if the implementation of CRT-based RSA is careless,an attacker can reveal some secret information by exploiting hardware fault cryptanalysis.In this paper,we present some fault attacks on a type of CRT-RSA algorithms namely BOS type schemes including the original BOS scheme proposed by Bl(?)mer,Otto,and Seifert at CCS 2003 and its modified scheme proposed by Liu et al.at DASC 2006.We first demonstrate that if some special signed messages such as m=0,±1 are dealt carelessly,they can be exploited by an adversary to completely break the security of both the BOS scheme and Liu et al.'s scheme.Then we present a new permanent fault attack on the BOS scheme with a success probability about 25%.Lastly,we propose a polynomial time attack on Liu et al.'s CRT-RSA algorithm,which combines physical fault injection and lattice reduction techniques when the public exponent is short.     

对一个公钥密码体制的连分式攻击算法

公钥密码是实现网络安全和信息安全的重要技术之一,而传统的公钥密码算法速度较慢。为克服这一缺点,一些快速公钥密码算法被提出。对其中一个快速公钥密码算法的安全性进行分析,指出该算法的解密无须通过整数分解,使用连分数算法就可以在多项式时间内求解出该方案的一个等价密钥,使用该等价密钥就能对任意密文进行解密。因此,该公钥密码算法是不安全的,从而提出一种新的连分式攻击算法,实验结果证明了该算法的有效性。     

应用n—adic展开的快速Harn体制

摘应用n-adic展开方法给出了Ham密码体制的改进体制，其安全性与原体制的相同。在加密t块消息时，实行一次加密；解密时仅用一次RSA和E1Gamal解密以及求解一个模n的线性方程组。而在原体制中，加密时需重复应用t次RSA与ElGamal加密；解密时需重复应用t次RSA与E1Gamal解密。由于解线性方程组的速度较快，故当消息分块t较大时，无论在加密阶段还是在解密阶段，改进后的体制具有更好的运行效率。     

RSA公钥密码算法差分计时攻击研究

RSA密码算法执行过程中的模幂运算时间是不固定的,精确测量解密过程中泄露出的时间差异信息即可推断出相关密钥。为此,研究RSA公钥密码算法的实现和计时攻击原理,分析RSA解密运算过程,找出RSA在计时攻击中存在的安全缺陷。在简单计时攻击的基础上,提出基于从左到右“平方-乘法”模幂运算的RSA差分计时攻击算法,并介绍相应的防御措施。     

Novel fault attack resistant architecture for elliptic curve cryptography

Hardware implementations of cryptosystems are susceptible to fault attacks. By analyzing the side channel information from implementation, the attacker can retrieve the secret information. Generally, in the hardware implementations, validations of results are reported at the end of the computation. If faults are injected at the input side of computation, all the computations performed afterward are wasteful and this is a potential situation which can leak the secret key information using side channel attacks. The current work proposes fault attack resistant implementation of an elliptic curve cryptosystem using a shared point validator unit, zero-one detector, and double coherence check by modified Montgomery Powering Ladder Algorithm. The architecture is robust to fault attacks along with power and area efficiency.     

一种可有效并行的RSA算法的研究*

提出了一种改进RSA算法来提升RSA算法的解密性能。该改进算法在Multi-Power RSA算法的基础上通过将解密时的一些计算量转移到加密方的方式来加速RSA算法的解密过程。理论分析和实验结果表明,该改进算法不仅提升了RSA算法的解密性能,且该算法易于并行实现,可使得基于多核平台的RSA密码系统的整体性能得到进一步提升。     

SECURITY OF NUMBER THEORETIC PUBLIC KEY CRYPTOSYSTEMS AGAINST RANDOM ATTACK,III

This paper concludes the discussion we began in the last two issues of CRYPTOLOGIA. A typical message receiver using an RSA public key cryptosystem believes that the secret nontrivial factors p and q of his public coding modulus m are primes. But he need not know that p or q are prime, or even square free. We give a few examples below. In some of them the “RSA public key cryptosystem” based on integers P and Q erroneously thought both to be prime works perfectly, but is more vulnerable to a cryptanalytic attack of the type G. J. Simmons and J. N. Norris [7] have suggested. In other cases these cryptosystems malfunction in an obvious fashion likely to be apprehended quickly by the message receiver. After the examples we prove all the results in I and II except a few which, like Theorems 1.1, 1.2 and 1.3, are obvious corollaries of other results in those papers.     

针对RSA算法软件应用的故障攻击研究

原有的RSA故障攻击针对的都是运行在智能卡等硬件上的算法,为研究针对RSA软件实现方式的故障攻击,剖析中国剩余定理软件实现算法,提出针对OpenSSL密码库的RSA算法软件实现的故障攻击算法,给出一种只需要一次错误签名的改进攻击方案。通过仿真实验验证算法的可行性,并给出抵御此类攻击的有效措施。     

基于一般访问结构的多重秘密共享方案

基于Shamir的门限方案和RSA密码体制，提出一个一般访问结构上的秘密共享方案．参与者的秘密份额是由各参与者自己选择，秘密分发者不需要向各参与者传送任何秘密信息．当秘密更新、访问结构改变或参与者加入／退出系统时，各参与者的份额不需要更新．秘密份额的长度小于或等于秘密的长度．每个参与者只需维护一个秘密份额就可以实现对多个秘密的共享．在秘密恢复过程中，每个参与者能够验证其他参与者是否进行了欺骗．方案的安全性是基于Shamir的门限方案和RSA密码体制的安全性．     

RSA密码算法的功耗轨迹分析及其防御措施

针对RSA密码算法的电路,提出了一种新的功耗分析攻击方法--功耗轨迹分析.该方法的基本特点是通过处理电路的功率信号,从信号的轨迹图形中获取RSA算法的敏感信息（如密钥）,因此,功耗轨迹分析能够有效地攻击现有的多种形式的RSA实现方案.同时还探讨了RSA密码电路防御攻击的措施：直接在算法中添加冗余的伪操作能够抵御功耗轨迹分析攻击,但是这会导致电路功耗增大和速度降低.进而还提出了一种将RSA算法中的伪操作随机化的新方法.该方法能够在保证电路安全性的同时又节省电路功耗和运算时间.     

RSA公钥密码算法的计时攻击与防御

计时攻击根据密码算法在密码设备中运行时的执行时间差异,分析和判断密码算法的各种有效信息,是最具威胁的旁路攻击方式之一。该文研究RSA加密算法和计时攻击的原理,分析RSA解密过程,阐述针对基于模幂算法的RSA计时攻击的原理,讨论如何抵御该计时攻击。     

RSA密码算法的一种新的快速软件实现方法

在介绍标准RSA密码系统的基础上，利用计算近似最短加法链算法给出了软件实现模幂运算的一种改进方法；基于求解孙子定理的混合基数计算算法(MRC)改进了RSA的解密方法；最后，结合快速有效的素数测试方法提出了一种能够快速软件实现RSA密码算法的新方法，并分析比较了各相关算法的计算效率。实验结果表明：利用该方法实现的RSA密码软件系统，可使加、解密运算速度平均提高6~10倍。     

一种有效的RSA算法改进方案

RSA算法的解密性能与大数模幂运算的实现效率有着直接的关系。提出一种RSA算法的改进方案,通过将RSA解密时的一些运算量转移到加密方,并且运用多素数原理使得解密时大数模幂运算的模位数和指数位数减小。实验结果表明该方案不仅提高了RSA密码系统的安全性,而且提升了RSA密码系统解密的性能,且该方案易于并行实现,可使得基于多核平台的RSA系统的性能得到进一步提升。     

最新电压毛刺(Power Glitch)攻击与防御方法研究

电压毛刺(Power Glitch)攻击是通过快速改变输入到芯片的电压,使得芯片里的某些晶体管受到影响,引起一个或多个触发器进入错误状态,从而导致处理器会跳过或实施错误的操作,使芯片内隐藏的信息随着产生的错误而泄露出来。对电压毛刺攻击与防御技术的最新进展情况进行了综述。在攻击方面,针对攻击目的的不同,详细介绍了RSA-CRT签名运算、RSA非CRT签名运算、对非易失存储器的攻击技术。防御技术分别介绍了电压毛刺检测电路和掩码,并分析了各种防御方案的优缺点。     

基于CRT的低成本RSA芯片设计

提出了一种基于改进的Montgomery算法和中国剩余定理(CRT)的RSA签名芯片的VLSI实现.由于采用了新颖的调度算法,实现了用576b的模乘单元来完成1152b的RSA模幂运算,从而大大降低了芯片面积;此外,CRT的引入使得整个系统的数据吞吐率与传统的1024bRSA系统相当.实验结果显示:芯片完成一次1024b的模幂运算需要约1.2M个时钟周期,而芯片规模在54K个等效门以下;如果系统时钟频率选取40MHz,系统签名速率可以达到30Kbps.