Enhanced Equidistant Chosen Message Power Analysis of RSA-CRT Algorithm

Enhanced Equidistant Chosen-Plaintext Power Analysis of RSA-CRT

  • Received : 2010.11.01
  • Accepted : 2011.03.04
  • Published : 2011.03.25

Abstract

The RSA-CRT algorithm is widely used to improve the performance of RSA. However, like plain RSA, it is vulnerable to side-channel attacks. One power attack on RSA-CRT, proposed by Boer et al., analyzes the reduction step of the RSA-CRT algorithm using equidistant chosen messages; it is called ECMPA (Equidistant Chosen Messages Power Analysis) or MRED (Modular Reduction on Equidistant Data) analysis. The method searches for the reduction output value r = x mod p, which has the same equidistant pattern as the equidistant messages. Once r is exposed, the secret prime p is easily computed. However, in our experiments the result of analyzing the reduction step in [5] differs remarkably from what Boer et al. expected in [5]. In particular, we found Ghost key patterns that depend on the selection of attack bits and on the reduction algorithm used. In this paper we therefore present several previously unknown Ghost key patterns and propose enhanced and more detailed analysis methods.

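The RSA-CRT algorithm is widely used to improve the performance of the RSA algorithm. However, like the general RSA algorithm, the CRT version of RSA is known to be vulnerable to side-channel analysis. Among such attacks, the power analysis method proposed by Boer et al. analyzes the reduction step of the CRT algorithm using equidistant chosen plaintexts, and is known as Equidistant Chosen Messages Power Analysis (ECMPA) or MRED (Modular Reduction on Equidistant Data) analysis. The method uses equidistant chosen plaintexts to find the reduction result r = x mod p, which has the same spacing as the input plaintexts; exposure of r allows the secret RSA prime p to be computed. Our experiments confirmed that the analysis result for the reduction step, which had been known only theoretically, differs from what the earlier paper predicted. In this paper we prove, theoretically and experimentally, that there are Ghost key patterns that depend on the selected bits, as well as Ghost keys that arise during the computation of the reduction algorithm. Accordingly, this paper discusses previously unknown characteristics of Ghost keys and proposes an enhanced and concrete attack method.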

References

  1. P. Kocher, J. Jaffe, and B. Jun, "Introduction to differential power analysis and related attacks," White Paper, Cryptography Research, http://www.cryptography.com/dpa/technical, 1998.
  2. P. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," Advances in Cryptology - CRYPTO '99, LNCS 1666, Springer-Verlag, pp. 388-397, Santa Barbara, USA, August 1999.
  3. E. Brier, C. Clavier, and F. Olivier, "Correlation power analysis with a leakage model," Cryptographic Hardware and Embedded Systems 2004, LNCS 3156, Springer-Verlag, pp. 16-29, 2004.
  4. T. S. Messerges, E. A. Dabbish, and R. H. Sloan, "Power Analysis Attacks of Modular Exponentiation in Smartcards," Cryptographic Hardware and Embedded Systems 1999, LNCS 1717, Springer-Verlag, pp. 144-157, 1999.
  5. B. D. Boer, K. Lemke, and G. Wicke, "A DPA attack against the modular reduction within a CRT implementation of RSA," Cryptographic Hardware and Embedded Systems 2002, LNCS 2523, Springer-Verlag, pp. 228-243, 2002.
  6. F. Amiel, B. Feix, and K. Villegas, "Power Analysis for Secret Recovering and Reverse Engineering of Public Key Algorithms," International conference on Selected area in cryptography 2007, LNCS 4876, Springer-Verlag, pp. 110-125, 2007.
  7. R. Novak, "SPA-Based Adaptive Chosen-Ciphertext Attack on RSA Implementation," Public Key Cryptography 2002, LNCS 2274, Springer-Verlag, pp. 252-262, 2002.
  8. R. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Communications of the ACM, vol. 21, issue 2, pp. 120-126, 1978. https://doi.org/10.1145/359340.359342
  9. J. J. Quisquater and C. Couvreur, "Fast decipherment algorithm for RSA public key cryptosystem," Electronic Letters, vol. 18, no. 21, pp. 905-907, 1982. https://doi.org/10.1049/el:19820617
  10. P. Barrett, "Implementing the Rivest Shamir and Adleman Public Key Encryption Algorithm on a Standard Digital Signal Processor," Advances in Cryptology - CRYPTO '86, LNCS 263, Springer-Verlag, pp. 311-323, 1987.
  11. P. L. Montgomery, "Modular Multiplication without Trial Division," Mathematics of Computation, vol. 44, no. 170, pp. 519-521, 1985. https://doi.org/10.1090/S0025-5718-1985-0777282-X
  12. 박종연, 최지선, 한동국, 이옥연, "Enhanced equidistant chosen-plaintext power analysis method for RSA," 2010 Summer Conference of the Institute of Electronics Engineers of Korea, pp. 1877-1880, Jeju, Korea, June 2010.