Similar operation template attack on RSA-CRT as a case study

  • Sen Xu
  • Xiangjun Lu
  • Kaiyu Zhang
  • Yang Li
  • Lei Wang
  • Weijia Wang
  • Haihua Gu
  • Zheng Guo
  • Junrong Liu
  • Dawu Gu
Research Paper

Abstract

The template attack, one of the most powerful side-channel attack methods, usually first builds leakage profiles from a controlled profiling device and then uses these profiles to recover the secret of the target device. It relies on the fact that the profiling device shares similar leakage characteristics with the target device. In this study, we focus on similar operations within a single device and propose a new variant of the template attack, called the similar operation template attack (SOTA). SOTA builds its models on public variables (e.g., input/output) and recovers the values of the secret variables that leak similarly to the public variables. SOTA’s advantage is that it avoids the requirement of an additional profiling device. In this study, the proposed SOTA method is applied to a straightforward RSA-CRT implementation. Because the leakage is (almost) the same in similar operations, we reduce the security of RSA-CRT to a hidden multiplier problem (HMP) over GF(q), which can be solved byte-wise using our proposed heuristic algorithm. The effectiveness of the proposed method is verified as an entire prime recovery procedure in a practical leakage scenario.
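A toy simulation of the SOTA principle stated in the abstract, added here as an illustration (it is not code from the paper): templates are profiled only on public byte values processed by a device, then matched against the leakage of a secret byte processed by a similar operation on the same device. The leakage model (one sample per bit plus Gaussian noise), the trace counts and the secret value are constructed assumptions, not the paper's measurements.

```python
import random

# Constructed leakage model (assumption, not the paper's setup): processing a byte
# yields 8 samples, where sample i leaks bit i of the byte plus Gaussian noise.
def leak(value, rng, sigma):
    return [((value >> i) & 1) + rng.gauss(0.0, sigma) for i in range(8)]

def build_templates(profiling_pairs):
    """Mean leakage vector per byte value, learned only from (public value, trace) pairs."""
    sums, counts = {}, {}
    for value, trace in profiling_pairs:
        acc = sums.setdefault(value, [0.0] * 8)
        for i, sample in enumerate(trace):
            acc[i] += sample
        counts[value] = counts.get(value, 0) + 1
    return {v: [s / counts[v] for s in sums[v]] for v in sums}

def classify(trace, templates):
    """Nearest-template match (maximum likelihood under equal-variance Gaussian noise)."""
    return min(templates,
               key=lambda v: sum((a - b) ** 2 for a, b in zip(trace, templates[v])))

def sota_demo(traces_per_value=20, sigma=0.1, seed=1, secret=0xA7):
    """Profile on public bytes, then recover a secret byte leaking through a similar operation."""
    rng = random.Random(seed)
    # Profiling phase: every byte value appears traces_per_value times as a public input,
    # so the analyst knows the value behind each profiling trace.
    public_values = [v % 256 for v in range(256 * traces_per_value)]
    templates = build_templates([(v, leak(v, rng, sigma)) for v in public_values])
    # Attack phase: the secret byte is handled by a similar operation on the same device,
    # so (by the SOTA assumption) its leakage follows the same model as the public bytes.
    secret_trace = leak(secret, rng, sigma)
    return classify(secret_trace, templates)

if __name__ == "__main__":
    print("recovered byte:", hex(sota_demo()))
```

The simulation only holds while the public and secret operations really leak alike; a defender evaluating an implementation can use the same profiling step to measure how far the two operations' leakage actually diverges.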

Keywords

side channel attack; template attack; RSA-CRT; hidden number problem; prime recovery

Notes

Acknowledgements

This work was supported by Major State Basic Research Development Program (973 Program) (Grant No. 2013CB338004), National Natural Science Foundation of China (Grant Nos. U1536103, 61402286, 61472249, 61602239, 61572192, 61472250), Minhang District Cooperation Plan (Grant No. 2016MH310), and Natural Science Foundation of Jiangsu Province (Grant No. BK20160808).

Copyright information

© Science China Press and Springer-Verlag GmbH Germany, part of Springer Nature 2018

Authors and Affiliations

  • Sen Xu (1)
  • Xiangjun Lu (1)
  • Kaiyu Zhang (1)
  • Yang Li (2)
  • Lei Wang (1)
  • Weijia Wang (1)
  • Haihua Gu (3)
  • Zheng Guo (1)
  • Junrong Liu (1)
  • Dawu Gu (4, 1)
  1. Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai, China
  2. College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing, China
  3. Wanda Internet Technology Group, Shanghai, China
  4. Shanghai Institute for Advanced Communication and Data Science, Shanghai, China