
An Attack Method Against the Modular Reduction Within a RSA-CRT Implementation Based on Template Attack


Acta Electronica Sinica (电子学报), 2024, Vol. 52, Issue 3: 689-695 (7 pages). DOI: 10.12263/DZXB.20220175


马向亮 (1), 乌力吉 (2), 王宏 (3), 张向民 (2), 黄克振 (4), 刘玉岭 (5)

Author information

  • 1. School of Integrated Circuits, Tsinghua University, Beijing 100084; School of Integrated Circuits, Beijing University of Posts and Telecommunications, Beijing 100876
  • 2. School of Integrated Circuits, Tsinghua University, Beijing 100084; Beijing National Research Center for Information Science and Technology, Tsinghua University, Beijing 100084
  • 3. National Research Center for Information Technology Security, Beijing 100084
  • 4. Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190
  • 5. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 101408

Abstract

At present, there is little research on profiling attacks against RSA-CRT implementations. This paper takes the modular reduction operation as its research object and proposes a template attack method against RSA-CRT implementations. The core of the method is to overcome the difficulty of recovering the RSA-CRT private key from the Hamming weight of the intermediate value of the ciphertext modular reduction. Its distinguishing feature is that a model is built on the Hamming weight of the intermediate value derived from the modular reduction. The Hamming weight is obtained by collecting power traces of chosen-ciphertext modular reductions for template matching; the intermediate value is recovered from the variation of the Hamming weight, and the RSA-CRT private key can then be inferred from the intermediate value. In addition, an advantage of this method is that, ideally, templates based on the intermediate-value Hamming weight model can be shared, and there is no limit on the number of bits of the intermediate value used for modelling: it can be a byte, 64 bits, or even the bit length of p, and in a real environment it can be selected according to the leaked information. Finally, the lowest byte of the intermediate value is selected for modelling to verify the feasibility of the method, and defense suggestions are also provided.

Keywords

template attack / RSA-CRT / chosen ciphertext / modular reduction / side-channel attack

Classification

Information Technology and Security Science

Citation

马向亮, 乌力吉, 王宏, 张向民, 黄克振, 刘玉岭. An Attack Method Against the Modular Reduction Within a RSA-CRT Implementation Based on Template Attack [J]. Acta Electronica Sinica (电子学报), 2024, 52(3): 689-695 (7 pages).

Acta Electronica Sinica (电子学报)

Open access; indexed in the Peking University Core Journals list and CSTPCD

ISSN 0372-2112
