Secure RSA with CRT Protected Against Fault Attacks without using Checking Procedure

  • Kim, Sung-Kyoung (Graduate School of Information Management and Security, Korea University) ;
  • Kim, Tae-Hyun (Graduate School of Information Management and Security, Korea University) ;
  • Han, Dong-Guk (Electronics and Telecommunications Research Institute) ;
  • Park, Young-Ho (Sejong Cyber University) ;
  • Hong, Seok-Hie (Graduate School of Information Management and Security, Korea University)
  • Published: 2008.08.30

Abstract

Because RSA based on the Chinese Remainder Theorem (RSA CRT) computes modular exponentiation faster than ordinary repeated squaring, it is recommended as a standard. However, since Bellcore announced a fault-based cryptanalysis of RSA CRT in 1996, the security of RSA CRT has been a major concern. In 1997, Shamir introduced a countermeasure that uses a checking procedure to detect an injected fault, and it soon became known that this checking procedure is itself not secure. Recently, Yen proposed two hardware-fault-immune CRT protocols for RSA that do not rely on a checking procedure. However, an attack on both of Yen's protocols was presented at FDTC 2006. In this paper, we propose two CRT protocols that are also secure against the attack presented at FDTC 2006. The proposed method uses a property of the bitwise AND operation, and no additional operation needs to be considered.

References

  1. J.-J. Quisquater and C. Couvreur, 'Fast decipherment algorithm for RSA public-key cryptosystem,' Electronics Letters, Vol. 18, No. 21, pp. 905-907, 1982 https://doi.org/10.1049/el:19820617
  2. Bellcore Press Release, 'New threat model breaks crypto codes', Sept 1996, http://www.bellcore.com/PRESS/ADVSRY96/facts.html
  3. D. Boneh, R.A. DeMillo, R.J. Lipton, 'On the importance of checking cryptographic protocols for fault', EUROCRYPT'97, Springer-Verlag, LNCS 1233, pp. 37-51, 1997
  4. ChangKyun Kim, JaeCheol Ha, Sung-Hyun Kim, Seokyu Kim, Sung-Ming Yen and SangJae Moon, 'A Secure and Practical CRT-Based RSA to Resist Side Channel Attacks', ICCSA 2004, LNCS 3043, pp. 150-158, 2004
  5. C. Aumuller, P. Bier, W. Fischer, P. Hofreiter, and J.-P. Seifert, 'Fault attacks on RSA with CRT: Concrete results and practical countermeasures,' Proceedings of Cryptographic Hardware and Embedded Systems - CHES 2002, LNCS 2523, pp. 260-275, Springer-Verlag, 2003
  6. M. Joye, A.K. Lenstra and J.-J. Quisquater, 'Chinese remaindering based cryptosystem in the presence of faults', Journal of Cryptology, 12(4), pp. 241-245, 1999 https://doi.org/10.1007/s001459900055
  7. A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone. Handbook of applied cryptography. CRC Press, 1997
  8. Sung-Ming Yen, Dongryeol Kim, and SangJae Moon, 'Cryptanalysis of Two Protocols for RSA with CRT Based on Fault Infection,' FDTC 2006, LNCS 4236, pp. 53-51, Springer-Verlag, 2006
  9. A. Shamir, 'How to Check Modular Exponentiation', presented at the rump session of EUROCRYPT'97, May 1997
  10. A. Shamir, 'Method and Apparatus for Protecting Public Key Schemes from Timing and Fault Attacks' US Patent 5991415, 23 Nov. 1999
  11. S.M. Yen, S.J. Kim, S.G. Lim, and S.J. Moon, 'RSA speedup with Chinese remainder theorem immune against hardware fault cryptanalysis', IEEE Trans. on Computers, Special issue on CHES, Vol. 52, No. 4, pp. 461-472, April 2003
  12. C. Kim and J.-J. Quisquater, 'Fault attacks for CRT based RSA: new attacks, new result and new countermeasures', WISTP 2007, LNCS 4462, pp. 215-228, Springer-Verlag, 2007
  13. David Wagner, 'Cryptanalysis of a provably secure CRT-RSA algorithm', Proceedings of the 11th ACM conference on Computer and communications security, pp. 92-97, Washington DC, USA, October 25-29, 2004
  14. A. Boscher, R. Naciri, and E. Prouff, 'CRT-RSA Algorithm Protected Against Fault Attacks,' Workshop in Information Security Theory and practices-WISTP'07, LNCS Vol. 4462, pp. 237-252, 2007
  15. J. Blomer, M. Otto, and J. P. Seifert, 'A new CRT-RSA algorithm secure against Bellcore attacks,' 10th ACM Conference on Computer and Communications Security, pp. 311-320, 2003
  16. C. Giraud, 'Fault resistant RSA implementation,' Fault Diagnosis and Tolerance in Cryptography-FDTC'05, pp. 142-151, 2005
  17. M. Ciet and M. Joye, 'Practical fault countermeasures for Chinese Remaindering based RSA,' Fault Diagnosis and Tolerance in Cryptography-FDTC'05, pp. 124-131, 2005