Public key cryptographic (PKC) algorithms, such as the RSA, elliptic curve digital signature algorithm (ECDSA) etc., are widely used in the secure communication sys- tems, such as OpenSSL, and a variety of in- for...Public key cryptographic (PKC) algorithms, such as the RSA, elliptic curve digital signature algorithm (ECDSA) etc., are widely used in the secure communication sys- tems, such as OpenSSL, and a variety of in- formation security systems. If designer do not securely implement them, the secret key will be easily extracted by side-channel attacks (SCAs) or combinational SCA thus mitigat- ing the security of the entire communication system. Previous countermeasures of PKC im- plementations focused on the core part of the algorithms and ignored the modular inversion which is widely used in various PKC schemes. Many researchers believe that instead of straightforward implementation, constant time modular inversion (CTMI) is enough to resist the attack of simple power analysis combined with lattice analysis. However, we find that the CTMI security can be reduced to a hidden t-bit multiplier problem. Based on this feature, we firstly obtain Hamming weight of interme- diate data through side-channel leakage. Then, we propose a heuristic algorithm to solve the problem by revealing the secret (partial and full) base of CTMI. Comparing previous nec-essary input message for masking filtering, our procedure need not any information about the secret base of the inversion. To our knowl- edge, this is the first time for evaluating the practical security of CTM! and experimental results show the fact that CTMI is not enough for high-level secure communication systems.展开更多
基金supported by the Key Technology Research and Sample-Chip Manufacture on Resistance to Physical Attacks at Circuit Level(546816170002)
文摘Public key cryptographic (PKC) algorithms, such as the RSA, elliptic curve digital signature algorithm (ECDSA) etc., are widely used in the secure communication sys- tems, such as OpenSSL, and a variety of in- formation security systems. If designer do not securely implement them, the secret key will be easily extracted by side-channel attacks (SCAs) or combinational SCA thus mitigat- ing the security of the entire communication system. Previous countermeasures of PKC im- plementations focused on the core part of the algorithms and ignored the modular inversion which is widely used in various PKC schemes. Many researchers believe that instead of straightforward implementation, constant time modular inversion (CTMI) is enough to resist the attack of simple power analysis combined with lattice analysis. However, we find that the CTMI security can be reduced to a hidden t-bit multiplier problem. Based on this feature, we firstly obtain Hamming weight of interme- diate data through side-channel leakage. Then, we propose a heuristic algorithm to solve the problem by revealing the secret (partial and full) base of CTMI. Comparing previous nec-essary input message for masking filtering, our procedure need not any information about the secret base of the inversion. To our knowl- edge, this is the first time for evaluating the practical security of CTM! and experimental results show the fact that CTMI is not enough for high-level secure communication systems.
