Upload
others
View
4
Download
0
Embed Size (px)
Citation preview
Presentation at CHES 2002lem/wi14.08.2002, Page 1======!"§==Systems=
A DPA Attack Against theModular Reduction within aCRT Implementation of RSA
Bert den Boer, Kerstin Lemke, Guntram WickeT-Systems ISS GmbH
Presentation at CHES 2002
Presentation at CHES 2002lem/wi14.08.2002, Page 2======!"§==Systems=
DPA Attack against a CRT Implementation of RSAContents
n RSA Cryptosystem
n DPA Attack against a non-CRT Implementation
n DPA Attack against a CRT Implementation– General Approach– Results– Practical Efficiency– Limitations and Countermeasures
n Conclusion
Presentation at CHES 2002lem/wi14.08.2002, Page 3======!"§==Systems=
DPA against a CRT Implementation of RSARSA Cryptosystem
n Secret Primes p and qn Public Modulus N withn Public Exponent en Secret Exponent d with
n Decryption (RSA Decryption, RSA Signing):
n Encryption
Presentation at CHES 2002lem/wi14.08.2002, Page 4======!"§==Systems=
DPA against a non-CRT Implementation of RSASquare Multiply Algorithm
n ‘Top-down Square Multiply’ Algorithm to perform
Presentation at CHES 2002lem/wi14.08.2002, Page 5======!"§==Systems=
DPA against a non-CRT Implementation of RSAApproach for DPA Attack against the Exponent
n Key hypotheses H(j)– Guesses on next exponent bits or– Guesses on next modular operations
n Selection Functions d(x,j)– n-bit Hamming weight W(x) of predicted intermediate data x
for each key hypothesis H(j):
n Correlation between d(xi,j) and Power Consumption P(xi,t)
– Absolute maximum of correlation coefficient identifies thecorrect key value j
Presentation at CHES 2002lem/wi14.08.2002, Page 6======!"§==Systems=
n Split exponent
n Perform 2 exponentiations:
n Using
n Calculate
DPA against a CRT Implementation of RSACRT Algorithm (Garner)
Presentation at CHES 2002lem/wi14.08.2002, Page 7======!"§==Systems=
DPA Attack against a CRT Implementation of RSAMain Idea
nThe remainder r0 of an input value x0 modulo a secretprime q is successively attacked by DPA
nThe gcd of (x0-r0 ) and the public RSA modulus N = p qgives the prime q
Presentation at CHES 2002lem/wi14.08.2002, Page 8======!"§==Systems=
DPA Attack against a CRT Implementation of RSAGeneral Approach
n MRED: Modular Reduction on Equidistant Datan Use of equidistant input data xi at each kmeasurement series:
n Each measurement series k compromises the k-th byteof the remainder r0 (k=0: least significant byte of r0)
Presentation at CHES 2002lem/wi14.08.2002, Page 9======!"§==Systems=
DPA Attack against a CRT Implementation of RSAHypotheses on the Remainder
Presentation at CHES 2002lem/wi14.08.2002, Page 10======!"§==Systems=
DPA Attack against a CRT Implementation of RSASelection Function
n The selection function d(x,j) is based on 8 bit Hamming weight.
Presentation at CHES 2002lem/wi14.08.2002, Page 11======!"§==Systems=
DPA Attack against a CRT Implementation of RSASuccessive Approximation
n Check for each measurement series k that
n If the gcd is 1=> Run DPA on measurement series k to compromise fk
n else=> The modulus N is factorized by the gcd (end criterion).
Presentation at CHES 2002lem/wi14.08.2002, Page 12======!"§==Systems=
DPA Attack against a CRT Implementation of RSAResults using simulated measurement data 1/3
Presentation at CHES 2002lem/wi14.08.2002, Page 13======!"§==Systems=
DPA Attack against a CRT Implementation of RSAResults using simulated measurement data 2/3
Presentation at CHES 2002lem/wi14.08.2002, Page 14======!"§==Systems=
DPA Attack against a CRT Implementation of RSAResults using simulated measurement data 3/3
Presentation at CHES 2002lem/wi14.08.2002, Page 15======!"§==Systems=
DPA Attack against a CRT Implementation of RSAAttack Efforts against 1024 Bit RSA Key
Presentation at CHES 2002lem/wi14.08.2002, Page 16======!"§==Systems=
DPA Attack against a CRT Implementation of RSALimitations and Countermeasures
n Basic Assumptions for MRED:1. High number of single measurements2. Variation of input data is equidistant3. Equidistant Variation of the input data results in equidistant
variation of the remainder
n Countermeasures1. Usage counters / Failure Counters (RSA Decryption only)2. Padding Formats (RSA Signing only)3. Destroy
e. g. by multiplicative message blinding
Presentation at CHES 2002lem/wi14.08.2002, Page 17======!"§==Systems=
DPA Attack against a CRT Implementation of RSAConclusion
nA new DPA attack has been presented that compromises a secretprime at the modular reduction step of a CRT implementation.
nThe moral is
– to secure the reduction modulo a secret prime and todestroy the basic assumption of MRED: