CN103209073A - Anti-attack method and device in electronic component using Rivest-Shamir-Adleman (RSA) public-key encryption algorithm - Google Patents

Info

Publication number: CN103209073A
Authority: CN (China)
Prior art keywords: unit, prime, prime number, modp, calculating
Legal status: Granted (Active)
Application number: CN2013101289601A
Other languages: Chinese (zh)
Other versions: CN103209073B (en)
Inventors: 刘忠志, 房伟如
Current assignee: KT MICRO Inc, Beijing KT Micro Ltd
Original assignee: KT MICRO Inc
Application filed by: KT MICRO Inc
Priority: CN201310128960.1A (granted publication CN103209073B)
Landscapes: Storage Device Security

Abstract

The invention relates to an anti-attack method and device in an electronic component that uses the RSA public-key encryption algorithm. The method is applied each time an RSA decryption algorithm using the Chinese remainder theorem is executed, and takes a ciphertext c and the secret keys d, n, p and q as inputs. The method comprises the steps of: generating three random numbers u, t and s; substituting $c' = c + u \times n$ for the ciphertext c; calculating $p' = p \times t$ and $q' = q \times s$; calculating $c_p' = c' \bmod p'$ and $c_q' = c' \bmod q'$; calculating $m_p = {c_p'}^{d_p'} \bmod p'$ and $m_q = {c_q'}^{d_q'} \bmod q'$; calculating $m = m_q + q \times [(m_p - m_q)(q^{-1} \bmod p) \pmod p]$; and substituting $m \bmod n$ for m, wherein p and q are two prime numbers of the same bit length and different values and are Euler functions of n, p' and q' respectively. With the method and the device, a differential power analysis (DPA) attacker cannot effectively obtain the secret parameters of the decryption algorithm from side-channel information about the intermediate data processed by the microprocessor, so that DPA attacks are defended against.

Description

Anti-attack method and device in an electronic component using the RSA public-key encryption algorithm
Technical field
The present invention relates to the field of attack protection, and more particularly to an anti-attack method and device in an electronic component that uses the RSA public-key encryption algorithm.
Background
Cryptosystems are divided into private-key cryptosystems and public-key cryptosystems. They are represented, respectively, by the symmetric encryption algorithm DES, developed by IBM Corporation and adopted by NBS in 1977, and the public-key encryption algorithm RSA, proposed by R. Rivest, A. Shamir and L. Adleman in 1978. A private-key cryptosystem is fast, but is ill suited to both key management and digital signatures. A public-key cryptosystem can be used for key management and digital signatures, but is slower. A public-key cryptosystem works as follows: a key pair is generated for each user, consisting of a public encryption key and a secret decryption key, and it must be computationally infeasible to derive the secret decryption key (the private key) from the public encryption key (the public key). For example, when A and B communicate, A obtains B's public key by any means, encrypts the message with B's public key and sends the encrypted message over any insecure channel; after receiving the ciphertext, B recovers the plaintext by decrypting with its own private key.
The RSA algorithm is widely used on smart cards, for database access, financial applications and remote payment applications. The RSA algorithm can be divided into the following three parts:
Part I: generate an RSA key pair;
Part II: encrypt a plaintext into a ciphertext; and
Part III: decrypt the ciphertext into the plaintext.
Part I comprises the following 5 steps:
Step 1: generate two large primes p and q of the same length but different values;
Step 2: calculate n = p × q, and keep
Figure BDA00003049946300012
secret;
Step 3: randomly select an integer e satisfying
Figure BDA00003049946300013
and
Figure BDA00003049946300014
Step 4: calculate d satisfying
Figure BDA00003049946300015
Step 5: the public key is (e, n) and the private key is (d, p, q).
Part II is calculated according to the following formula: $c = m^e \bmod n$.
Part III is calculated according to the following formula: $m = c^d \bmod n$.
Here m denotes the plaintext, c denotes the ciphertext, 1 < m < n, 1 < c < n, e is the encryption exponent and d is the decryption exponent.
The security of the RSA algorithm rests on the difficulty of factoring a large number formed as the product of two primes. In other words, given two large primes p and q, computing their product n is easy, but given n, finding the primes p and q is extremely difficult. For this reason, a secure RSA system requires n to be long enough, for example 512, 1024 or 2048 bits.
For the RSA algorithm, the longer the key, the stronger the encryption, but the greater the cost of encryption and decryption. Using the Chinese remainder theorem (hereinafter: CRT) can speed up RSA decryption by about a factor of 4. The decryption operation, a modular exponentiation $m = c^d \bmod n$ modulo n, is converted into solving a system of congruences, and may comprise the following steps:
Step 1: precompute $d_p = d \bmod (p-1)$, $d_q = d \bmod (q-1)$, $invQ = q^{-1} \bmod p$;
Step 2: calculate $c_p = c \bmod p$ and $c_q = c \bmod q$;
Step 3: calculate $m_p = c_p^{d_p} \bmod p$, $m_q = c_q^{d_q} \bmod q$;
Step 4: calculate:
Figure BDA00003049946300021
p
The inputs are n, d, p, q, dp, dq, invQ, c; the output is $m = c^d \bmod n$.
When decrypting with CRT-based RSA, the mod p and mod q reductions are performed first, where the two primes p and q must have the same bit length but different values. Two modular exponentiations, $c_p^{d_p} \bmod p$ and $c_q^{d_q} \bmod q$, are then performed, and their results are combined using the CRT to obtain the plaintext m.
A smart-card implementation of CRT-based RSA is vulnerable to attacks that exploit input and output behaviour such as power consumption, execution time, faults and radiation, and can thereby leak key information. Differential power analysis (DPA) is one effective attack of this kind. DPA exploits the fact that the instantaneous power consumption of a cryptographic device depends on the data the device processes and the operations it performs. The principle is that a smart card consumes energy and produces electromagnetic radiation while encrypting and decrypting; with special electronic measuring instruments and statistical techniques, these variations can be detected and analysed, yielding specific key information held in the chip. Specifically, the energy a smart card consumes executing an instruction is related to the operands of the instruction: when one particular bit is held constant while the other bits vary, analysis of the current consumption associated with the instruction shows that the mean consumption of the instruction differs according to whether that bit is 0 or 1. A DPA-type attack can therefore obtain side-channel information about the intermediate data processed by the microprocessor on the card while the cryptographic algorithm executes, and in some cases this information reveals the secret parameters of the decryption algorithm, making the cryptosystem insecure.
Summary of the invention
The present invention provides an anti-attack method and device in an electronic component using the RSA public-key encryption algorithm, so that a DPA attacker cannot effectively obtain the secret parameters of the decryption algorithm from side-channel information about the intermediate data processed by the microprocessor, thereby defending against DPA attacks.
The present invention provides an anti-attack method in an electronic component using the RSA public-key encryption algorithm. The method is applied each time an RSA decryption algorithm using the Chinese remainder theorem is executed, takes the ciphertext c and the keys d, n, p, q as input, and comprises:
generating three random numbers: u, t, s;
replacing the ciphertext c with $c' = c + u \times n$;
calculating $p' = p \times t$, $q' = q \times s$;
calculating $c_p' = c' \bmod p'$ and $c_q' = c' \bmod q'$;
calculating
Figure BDA00003049946300031
and
Figure BDA00003049946300032
calculating $m_p = {c_p'}^{d_p'} \bmod p'$, $m_q = {c_q'}^{d_q'} \bmod q'$;
calculating $m = m_q + q \times [(m_p - m_q)(q^{-1} \bmod p) \pmod p]$;
replacing m with $m \bmod n$;
where p and q are two primes of the same bit length but different values, and
Figure BDA00003049946300033
are the Euler functions of n, p' and q', respectively.
The present invention also provides an anti-attack device in an electronic component using the RSA public-key encryption algorithm. The device is used each time an RSA decryption algorithm using the Chinese remainder theorem is executed, takes the ciphertext c and the keys d, n, p, q as input, and comprises:
a generation module, for generating three random numbers: u, t, s;
a first replacement module, for replacing the ciphertext c with $c' = c + u \times n$;
a first computing module, for calculating $p' = p \times t$, $q' = q \times s$;
a second computing module, for calculating $c_p' = c' \bmod p'$ and $c_q' = c' \bmod q'$;
a third computing module, for calculating
Figure BDA00003049946300041
and
a fourth computing module, for calculating $m_p = {c_p'}^{d_p'} \bmod p'$, $m_q = {c_q'}^{d_q'} \bmod q'$;
a fifth computing module, for calculating $m = m_q + q \times [(m_p - m_q)(q^{-1} \bmod p) \pmod p]$;
a second replacement module, for replacing m with $m \bmod n$;
where p and q are two primes of the same bit length but different values, and
Figure BDA00003049946300043
are the Euler functions of n, p' and q', respectively.
In the present invention, every decryption using the CRT is computed with randomization, so that p, q, dp, dq and the intermediate results mp, mq of the CRT modular exponentiations are masked by randomization. A DPA attacker therefore cannot effectively obtain the secret parameters of the decryption algorithm from side-channel information about the intermediate data processed by the microprocessor, which defends against DPA attacks.
Brief description of the drawings
Fig. 1 is a flow chart of the first embodiment of the anti-attack method of the present invention in an electronic component using the RSA public-key encryption algorithm;
Fig. 2 is a flow chart of the second embodiment of the anti-attack method of the present invention in an electronic component using the RSA public-key encryption algorithm;
Fig. 3 is a flow chart of the third embodiment of the anti-attack method of the present invention in an electronic component using the RSA public-key encryption algorithm;
Fig. 4 is a flow chart of the fourth embodiment of the anti-attack method of the present invention in an electronic component using the RSA public-key encryption algorithm;
Fig. 5 is a flow chart of the first embodiment of the anti-attack device of the present invention in an electronic component using the RSA public-key encryption algorithm;
Fig. 6 is a flow chart of the second embodiment of the anti-attack device of the present invention in an electronic component using the RSA public-key encryption algorithm;
Fig. 7 is a flow chart of the third embodiment of the anti-attack device of the present invention in an electronic component using the RSA public-key encryption algorithm;
Fig. 8 is a flow chart of the fourth embodiment of the anti-attack device of the present invention in an electronic component using the RSA public-key encryption algorithm.
Detailed description
The invention is further described below with reference to the drawings and specific embodiments.
Fig. 1 is a flow chart of the first embodiment of the anti-attack method of the present invention in an electronic component using the RSA public-key encryption algorithm. The method is applied each time an RSA decryption algorithm using the CRT is executed, takes the ciphertext c and the keys d, n, p, q as input, and comprises the following 8 steps:
Step 11: generate three random numbers: u, t, s;
Step 12: replace the ciphertext c with $c' = c + u \times n$;
Step 13: calculate $p' = p \times t$, $q' = q \times s$;
Step 14: calculate $c_p' = c' \bmod p'$ and $c_q' = c' \bmod q'$;
Step 15: calculate
Figure BDA00003049946300051
and
Figure BDA00003049946300052
Step 16: calculate $m_p = {c_p'}^{d_p'} \bmod p'$, $m_q = {c_q'}^{d_q'} \bmod q'$;
Step 17: calculate $m = m_q + q \times [(m_p - m_q)(q^{-1} \bmod p) \pmod p]$;
Step 18: replace m with $m \bmod n$;
where p and q are two primes of the same bit length but different values, and
Figure BDA00003049946300053
are the Euler functions of n, p' and q', respectively.
The above countermeasure is designed to protect modular exponentiation using the CRT, for example the decryption operation of the RSA algorithm:
$m = c^d \bmod n$
In this embodiment, every decryption using the CRT is computed with randomization, so that p, q, dp, dq and the intermediate results mp, mq of the CRT modular exponentiations are masked by randomization. A DPA attacker therefore cannot effectively obtain the secret parameters of the decryption algorithm from side-channel information about the intermediate data processed by the microprocessor, which defends against DPA attacks.
Fig. 2 is a flow chart of the second embodiment of the anti-attack method of the present invention in an electronic component using the RSA public-key encryption algorithm, which may comprise the following 9 steps:
Step 21: generate four random numbers: u, r, t, s;
Step 22: replace the ciphertext c with $c' = c + u \times n$;
Step 23: calculate
Figure BDA00003049946300061
Step 24: calculate $p' = p \times t$, $q' = q \times s$;
Step 25: calculate $c_p' = c' \bmod p'$ and $c_q' = c' \bmod q'$;
Step 26: calculate
Figure BDA00003049946300062
and
Figure BDA00003049946300063
Step 27: calculate $m_p = {c_p'}^{d_p'} \bmod p'$, $m_q = {c_q'}^{d_q'} \bmod q'$;
Step 28: calculate $m = m_q + q \times [(m_p - m_q)(q^{-1} \bmod p) \pmod p]$;
Step 29: replace m with $m \bmod n$;
where p and q are two primes of the same bit length but different values, and
Figure BDA00003049946300064
are the Euler functions of n, p' and q', respectively.
The difference from the previous embodiment is that this embodiment also generates a random number r while generating the three random numbers u, t, s; in addition to randomizing p, q, dp, dq and the intermediate results mp, mq, the key d is also randomized.
In this embodiment, every decryption using the CRT is computed with randomization, so that p, q, dp, dq, the intermediate results mp, mq and the key d of the CRT modular exponentiations are masked by randomization. A DPA attacker therefore cannot effectively obtain the secret parameters of the decryption algorithm from side-channel information about the intermediate data processed by the microprocessor, which defends against DPA attacks.
Fig. 3 is a flow chart of the third embodiment of the anti-attack method of the present invention in an electronic component using the RSA public-key encryption algorithm, which may comprise the following 9 steps:
Step 31: generate four random numbers: u, r, t, s, where t and s are small primes;
Step 32: replace the ciphertext c with $c' = c + u \times n$;
Step 33: calculate
Figure BDA00003049946300071
Step 34: calculate $p' = p \times t$, $q' = q \times s$;
Step 35: calculate $c_p' = c' \bmod p'$ and $c_q' = c' \bmod q'$;
Step 36: calculate $d_p' = d' \bmod (p-1)(t-1)$ and $d_q' = d' \bmod (q-1)(s-1)$;
Step 37: calculate $m_p = {c_p'}^{d_p'} \bmod p'$, $m_q = {c_q'}^{d_q'} \bmod q'$;
Step 38: calculate $m = m_q + q \times [(m_p - m_q)(q^{-1} \bmod p) \pmod p]$;
Step 39: replace m with $m \bmod n$;
The difference from the previous embodiment is that in this embodiment t and s are primes,
Figure BDA00003049946300072
Figure BDA00003049946300073
In this embodiment, every decryption using the CRT is computed with randomization, so that p, q, dp, dq, the intermediate results mp, mq and the key d of the CRT modular exponentiations are masked by randomization. A DPA attacker therefore cannot effectively obtain the secret parameters of the decryption algorithm from side-channel information about the intermediate data processed by the microprocessor, which defends against DPA attacks.
Optionally, t and s may be selected at random from pre-stored primes.
However, when the bit lengths of t and s are large, selecting t and s at random from pre-stored primes means that the number of candidate primes is very large, so the operation takes a long time and occupies considerable storage. To solve this problem, two or more primes of smaller bit length may be selected at random from the pre-stored primes, with t equal to the product of these primes; correspondingly,
Figure BDA00003049946300081
equals the product of each of these primes minus 1, multiplied by (p-1). Because primes of small bit length are far fewer than primes of large bit length, the number of candidate primes is much smaller, the operation takes less time, and less storage is occupied. Similarly, two or more primes are selected at random from the pre-stored primes, with s equal to the product of these primes, and
Figure BDA00003049946300082
equals the product of each of these primes minus 1, multiplied by (q-1).
For example, assuming the length of t is about 64 bits, 4 small primes t1, t2, t3, t4 with lengths of 10 to 16 bits may be selected at random such that t = t1 × t2 × t3 × t4; in this case,
Figure BDA00003049946300083
Similarly, assuming the length of s is about 64 bits, 4 small primes s1, s2, s3, s4 with lengths of 10 to 16 bits may be selected at random such that s = s1 × s2 × s3 × s4; in this case,
Figure BDA00003049946300084
Fig. 4 is a flow chart of the fourth embodiment of the anti-attack method of the present invention in an electronic component using the RSA public-key encryption algorithm. The method is applied each time an RSA decryption algorithm using the CRT is executed, takes the ciphertext c and the keys d, n, p, q as input, and comprises the following 8 steps:
Step 41: generate three random numbers: u, t, s, where t and s are small primes;
Step 42: replace the ciphertext c with $c' = c + u \times n$;
Step 43: calculate $p' = p \times t$, $q' = q \times s$;
Step 44: calculate $c_p' = c' \bmod p'$ and $c_q' = c' \bmod q'$;
Step 45: calculate $d_p' = d \bmod (p-1)(t-1)$ and $d_q' = d \bmod (q-1)(s-1)$;
Step 46: calculate $m_p = {c_p'}^{d_p'} \bmod p'$, $m_q = {c_q'}^{d_q'} \bmod q'$;
Step 47: calculate $m = m_q + q \times [(m_p - m_q)(q^{-1} \bmod p) \pmod p]$;
Step 48: replace m with $m \bmod n$;
where p and q are two primes of the same bit length but different values, and
Figure BDA00003049946300091
are the Euler functions of n, p' and q', respectively.
The difference from the flow chart shown in Fig. 1 is that in this embodiment t and s are primes,
Figure BDA00003049946300092
The above countermeasure is designed to protect modular exponentiation using the CRT, for example the decryption operation of the RSA algorithm:
$m = c^d \bmod n$
In this embodiment, every decryption using the CRT is computed with randomization, so that p, q, dp, dq and the intermediate results mp, mq of the CRT modular exponentiations are masked by randomization. A DPA attacker therefore cannot effectively obtain the secret parameters of the decryption algorithm from side-channel information about the intermediate data processed by the microprocessor, which defends against DPA attacks.
Optionally, in this embodiment, t and s may be selected at random from pre-stored primes.
However, if the bit lengths of t and s are large, the number of candidate primes is very large, so the operation takes a long time and occupies considerable storage. To solve this problem, two or more primes of smaller bit length may be selected at random from the pre-stored primes, with t equal to the product of these primes; correspondingly,
Figure BDA00003049946300101
equals the product of each of these primes minus 1, multiplied by (p-1). Because primes of small bit length are far fewer than primes of large bit length, the number of candidate primes is much smaller, the operation takes less time, and less storage is occupied. Similarly, two or more primes are selected at random from the pre-stored primes, with s equal to the product of these primes, and
Figure BDA00003049946300102
equals the product of each of these primes minus 1, multiplied by (q-1).
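The fourth embodiment (steps 41 to 48), with t and s each built as a product of small pre-stored primes, shown next to the plain CRT decryption from the background section. This is an added example, not code from the patent; the 64-bit toy key, e = 65537, the size of u, and reducing d modulo (p-1) times the product of (t_i - 1) when t is composite are assumptions.

```python
import secrets
from math import gcd, prod

_rng = secrets.SystemRandom()
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
E = 65537  # public exponent (assumed; the page does not fix e)


def is_prime(n):
    """Deterministic Miller-Rabin; this base set is exact below 3.3e24."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def key_prime(start):
    """First prime >= start with gcd(prime - 1, E) == 1."""
    n = start | 1
    while not (is_prime(n) and gcd(n - 1, E) == 1):
        n += 2
    return n


# Constructed toy key: two distinct 64-bit primes. Far too small for real use.
P = key_prime(2**63 + 12345)
Q = key_prime(2**63 + 987654321)
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
INV_Q = pow(Q, -1, P)

# Pre-stored small primes of 10 to 16 bits, as in the page's example.
SMALL_PRIMES = [x for x in range(2**9 + 1, 2**16, 2) if is_prime(x)]


def pick_mask(k=4):
    """Return (t, phi(t)) for t = product of k distinct stored primes."""
    chosen = _rng.sample(SMALL_PRIMES, k)
    return prod(chosen), prod(x - 1 for x in chosen)


def crt_decrypt(c):
    """Unprotected CRT decryption: the same operands on every call."""
    cp, cq = c % P, c % Q
    dp, dq = D % (P - 1), D % (Q - 1)
    mp, mq = pow(cp, dp, P), pow(cq, dq, Q)
    m = mq + Q * ((mp - mq) * INV_Q % P)
    return m, {"cp": cp, "dp": dp, "mp": mp}


def randomized_crt_decrypt(c, k=4):
    """Steps 41-48 with t and s built from k small primes each."""
    u = _rng.randrange(1, 2**64)        # size of u is an assumption
    (t, phi_t), (s, phi_s) = pick_mask(k), pick_mask(k)
    c1 = c + u * N                      # step 42: c' = c + u*n
    p1, q1 = P * t, Q * s               # step 43: p' = p*t, q' = q*s
    cp, cq = c1 % p1, c1 % q1           # step 44
    dp = D % ((P - 1) * phi_t)          # step 45: d mod phi(p')
    dq = D % ((Q - 1) * phi_s)          #          d mod phi(q')
    mp, mq = pow(cp, dp, p1), pow(cq, dq, q1)     # step 46
    m = mq + Q * ((mp - mq) * INV_Q % P)          # step 47
    return m % N, {"cp": cp, "dp": dp, "mp": mp}  # step 48: m mod n


if __name__ == "__main__":
    msg = int.from_bytes(b"constructed msg", "big")  # constructed sample
    c = pow(msg, E, N)
    print("plain CRT ok:", crt_decrypt(c)[0] == msg)
    for i in range(3):
        m, seen = randomized_crt_decrypt(c)
        print(f"run {i}: ok={m == msg} cp'={seen['cp']:#x} dp'={seen['dp']:#x}")
```

Running it shows the recorded operands changing on every call for the same ciphertext while the returned plaintext stays fixed; in `crt_decrypt` they are identical every time, which is what a DPA attacker averages over.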
Fig. 5 is a structural diagram of the first embodiment of the anti-attack device of the present invention in an electronic component using the RSA public-key encryption algorithm. The device is used each time an RSA decryption algorithm using the Chinese remainder theorem is executed, and may comprise a generation module 51, a first replacement module 52, a first computing module 53, a second computing module 54, a third computing module 55, a fourth computing module 56, a fifth computing module 57 and a second replacement module 58. The first computing module 53 and the first replacement module 52 are each connected to the generation module 51; the second computing module 54 is connected to the first computing module 53 and the first replacement module 52; the third computing module 55 is connected to the first computing module 53; the fourth computing module 56 is connected to the first computing module 53, the second computing module 54 and the third computing module 55; the fifth computing module 57 is connected to the fourth computing module 56; and the second replacement module 58 is connected to the fifth computing module 57.
The device takes the ciphertext c and the keys d, n, p, q as input. The generation module 51 is used to generate three random numbers: u, t, s; the first replacement module 52 is used to replace the ciphertext c with $c' = c + u \times n$; the first computing module 53 is used to calculate $p' = p \times t$, $q' = q \times s$; the second computing module 54 is used to calculate $c_p' = c' \bmod p'$ and $c_q' = c' \bmod q'$; the third computing module 55 is used to calculate and
Figure BDA00003049946300112
the fourth computing module 56 is used to calculate $m_p = {c_p'}^{d_p'} \bmod p'$, $m_q = {c_q'}^{d_q'} \bmod q'$; the fifth computing module 57 is used to calculate $m = m_q + q \times [(m_p - m_q)(q^{-1} \bmod p) \pmod p]$; the second replacement module 58 is used to replace m with $m \bmod n$.
Here p and q are two primes of the same bit length but different values, and
Figure BDA00003049946300113
are the Euler functions of n, p' and q', respectively.
The device is designed to protect modular exponentiation using the CRT, for example the decryption operation of the RSA algorithm:
$m = c^d \bmod n$
In this embodiment, after the generation module 51 generates the three random numbers u, t, s, the first replacement module 52 replaces the ciphertext c with $c' = c + u \times n$, the first computing module 53 calculates $p' = p \times t$, $q' = q \times s$, the second computing module 54 calculates $c_p' = c' \bmod p'$ and $c_q' = c' \bmod q'$, and the third computing module 55 calculates
Figure BDA00003049946300114
and
Figure BDA00003049946300115
The fourth computing module 56 calculates $m_p = {c_p'}^{d_p'} \bmod p'$, $m_q = {c_q'}^{d_q'} \bmod q'$; the fifth computing module 57 calculates $m = m_q + q \times [(m_p - m_q)(q^{-1} \bmod p) \pmod p]$; finally, the second replacement module 58 replaces m with $m \bmod n$. Every decryption using the CRT is thus computed with randomization, so that p, q, dp, dq and the intermediate results mp, mq of the CRT modular exponentiations are masked by randomization. A DPA attacker therefore cannot effectively obtain the secret parameters of the decryption algorithm from side-channel information about the intermediate data processed by the microprocessor, which defends against DPA attacks.
Fig. 6 is a structural diagram of the second embodiment of the anti-attack device of the present invention in an electronic component using the RSA public-key encryption algorithm. The difference from the previous embodiment is that the generation module 51 also generates a random number r while generating the three random numbers u, t, s; the third computing module 55 may comprise a substitution unit 550 and a first computing unit 551, where the substitution unit 550 is connected to the generation module 51, and the first computing unit 551 is connected to the substitution unit 550, the first computing module 53 and the fourth computing module 56. The substitution unit 550 uses
Figure BDA00003049946300121
in place of the key d; the first computing unit 551 is used to calculate
Figure BDA00003049946300122
and
Figure BDA00003049946300123
In this embodiment, every decryption using the CRT is computed with randomization, so that p, q, dp, dq, the intermediate results mp, mq and the key d of the CRT modular exponentiations are masked by randomization. A DPA attacker therefore cannot effectively obtain the secret parameters of the decryption algorithm from side-channel information about the intermediate data processed by the microprocessor, which defends against DPA attacks.
Fig. 7 is a structural diagram of the third embodiment of the anti-attack device of the present invention in an electronic component using the RSA public-key encryption algorithm. On the basis of the structural diagram shown in Fig. 5, the generation module 51 may comprise a generation unit 510, a storage unit 511 and a selection unit 512; the generation unit 510 is connected to the first replacement module 52, and the selection unit 512 is connected to the storage unit 511 and the first computing module 53. The generation unit 510 is used to generate the random numbers u and r; the storage unit 511 is used to store primes; the selection unit 512 is used to select t and s at random from the primes stored in the storage unit 511.
On the basis of the structural diagram shown in Fig. 5, the third computing module 55 may comprise a substitution unit 550, a second computing unit 552 and a fourth computing unit 554, where the substitution unit 550 is connected to the generation unit 510, the second computing unit 552 is connected to the selection unit 512, and the fourth computing unit 554 is connected to the second computing unit 552, the substitution unit 550 and the fourth computing module 56. The substitution unit 550 uses
Figure BDA00003049946300131
in place of the key d; the second computing unit 552 is used to calculate
Figure BDA00003049946300132
and the fourth computing unit 554 is used to calculate
Figure BDA00003049946300133
and
Figure BDA00003049946300134
In this embodiment, every decryption using the CRT is computed with randomization, so that p, q, dp, dq and the intermediate results mp, mq of the CRT modular exponentiations are masked by randomization. A DPA attacker therefore cannot effectively obtain the secret parameters of the decryption algorithm from side-channel information about the intermediate data processed by the microprocessor, which defends against DPA attacks.
In this embodiment, when the selection unit 512 selects t and s at random from the primes stored in the storage unit 511, if the bit lengths of t and s are large, the number of candidate primes is very large, so the operation takes a long time and occupies considerable storage. To solve this problem, the selection unit 512 may comprise a first selection unit 5121 and a second selection unit 5122, each of which is connected to the storage unit 511, the first computing module 53 and the second computing unit 552. The first selection unit 5121 is used to select two or more primes at random from the storage unit 511, with t equal to the product of these primes; when the second computing unit 552 calculates
Figure BDA00003049946300135
then
Figure BDA00003049946300136
equals the product of each of these primes minus 1, multiplied by (p-1). The second selection unit 5122 is used to select two or more primes at random from the storage unit 511, with s equal to the product of these primes; when the second computing unit 552 calculates
Figure BDA00003049946300137
then
Figure BDA00003049946300138
equals the product of each of these primes minus 1, multiplied by (q-1). Because primes of small bit length are far fewer than primes of large bit length, the number of candidate primes is much smaller, the operation takes less time, and less storage is occupied.
Fig. 8 is a structural diagram of the fourth embodiment of the anti-attack device of the present invention in an electronic component using the RSA public-key encryption algorithm. On the basis of the structural diagram shown in Fig. 5, t and s are primes, and the third computing module 55 may comprise a second computing unit 552 and a third computing unit 553, where the second computing unit 552 is connected to the generation module 51, and the third computing unit 553 is connected to the second computing unit 552. The second computing unit 552 is used to calculate; the third computing unit 553 is used to calculate and
Figure BDA00003049946300143
In this embodiment, every decryption using the CRT is computed with randomization, so that p, q, dp, dq and the intermediate results mp, mq of the CRT modular exponentiations are masked by randomization. A DPA attacker therefore cannot effectively obtain the secret parameters of the decryption algorithm from side-channel information about the intermediate data processed by the microprocessor, which defends against DPA attacks.
Alternatively, in the present embodiment, generation module 51 can include generation unit 510, memory cell 511 and select unit 512;Generation unit 512 is connected with the first alternative module 52, and select unit 512 is connected with the computing module 53 of memory cell 511 and first.Wherein, generation unit 510 is used to generate random number u;Memory cell 511 is used to store prime number;Select unit 512 is used for the random selection from the prime number of the storage of memory cell 511 and obtains t, s.
In this embodiment, when the select unit 512 randomly selects t and s from the prime numbers stored in the memory cell 511, a long bit length for t and s means a very large number of candidate prime numbers, so the operation takes a long time and occupies a large amount of storage space. To solve this problem, the select unit 512 may include a first choice unit 5121 and a second select unit 5122, each of which is connected to the memory cell 511, the first computing module 53 and the second computing unit 552. The first choice unit 5121 is used to randomly select two or more prime numbers from the memory cell 511, with t equal to the product of those prime numbers; in the second computing unit 552's calculation of
Figure BDA00003049946300151
the value
Figure BDA00003049946300152
is equal to the product of the two or more prime numbers, each reduced by 1, multiplied by (p-1). The second select unit 5122 is used to randomly select two or more prime numbers from the memory cell 511, with s equal to the product of those prime numbers; in the second computing unit 552's calculation of
Figure BDA00003049946300153
the value
Figure BDA00003049946300154
is equal to the product of the two or more prime numbers, each reduced by 1, multiplied by (q-1). Because there are far fewer prime numbers of short bit length than of long bit length, the number of candidate prime numbers is much smaller, so the operation takes less time and occupies less storage space.
Finally, it should be noted that the above embodiments merely illustrate the technical solutions of the present invention and do not limit them. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solutions of the present invention may be modified or equivalently substituted without departing from the spirit and scope of the technical solutions of the present invention.

Claims (13)

1. An anti-attack method in an electronic component using the RSA public-key encryption algorithm, characterized in that the method is used each time the RSA decryption algorithm using the Chinese remainder theorem is executed, the method takes the ciphertext c and the keys d, n, p, q as input, and the method comprises:
Generating three random numbers: u, t, s;
Replacing the ciphertext c with $c' = c + u \times n$;
Calculating $p' = p \times t$, $q' = q \times s$;
Calculating $c_p' = c' \bmod p'$ and $c_q' = c' \bmod q'$;
Calculating and
Figure FDA00003049946200012
Calculating $m_p = {c_p'}^{d_p'} \bmod p'$, $m_q = {c_q'}^{d_q'} \bmod q'$;
Calculating $m = m_q + q \times [(m_p - m_q)(q^{-1} \bmod p) \pmod{p}]$;
Replacing m with $m \bmod n$;
Wherein p and q are two prime numbers of the same bit length but different values,
Figure FDA00003049946200013
are the Euler functions of n, p′ and q′ respectively.
2. The method according to claim 1, characterized in that a random number r is also generated when the three random numbers are generated;
The method further comprises: using
Figure FDA00003049946200014
in place of the key d;
The calculating of
Figure FDA00003049946200015
and is specifically: calculating
Figure FDA00003049946200017
and
3. The method according to claim 1 or 2, characterized in that t and s are prime numbers,
Figure FDA00003049946200019
4. The method according to claim 3, characterized in that generating t and s is specifically:
Randomly selecting t and s from pre-stored prime numbers.
5. The method according to claim 4, characterized in that randomly selecting t and s from the pre-stored prime numbers comprises:
Randomly selecting two or more prime numbers from the pre-stored prime numbers, t being equal to the product of the two or more prime numbers, and
Figure FDA00003049946200024
being equal to the product of the two or more prime numbers, each reduced by 1, multiplied by (p-1);
Randomly selecting two or more prime numbers from the pre-stored prime numbers, s being equal to the product of the two or more prime numbers, and
Figure FDA00003049946200025
being equal to the product of the two or more prime numbers, each reduced by 1, multiplied by (q-1).
6. An anti-attack device in an electronic component using the RSA public-key encryption algorithm, characterized in that the device is used each time the RSA decryption algorithm using the Chinese remainder theorem is executed, the device takes the ciphertext c and the keys d, n, p, q as input, and the device comprises:
A generation module, for generating three random numbers: u, t, s;
A first alternative module, for replacing the ciphertext c with $c' = c + u \times n$;
A first computing module, for calculating $p' = p \times t$, $q' = q \times s$;
A second computing module, for calculating $c_p' = c' \bmod p'$ and $c_q' = c' \bmod q'$;
A third computing module, for calculating
Figure FDA00003049946200021
and
Figure FDA00003049946200022
A fourth computing module, for calculating $m_p = {c_p'}^{d_p'} \bmod p'$, $m_q = {c_q'}^{d_q'} \bmod q'$;
A fifth computing module, for calculating $m = m_q + q \times [(m_p - m_q)(q^{-1} \bmod p) \pmod{p}]$;
A second alternative module, for replacing m with $m \bmod n$;
Wherein p and q are two prime numbers of the same bit length but different values; respectively the Euler functions of n, p′ and q′.
7. The device according to claim 6, characterized in that the generation module also generates a random number r when generating the three random numbers;
The third computing module comprises:
A substituting unit, for using
Figure FDA00003049946200031
in place of the key d;
A first computing unit, for calculating
Figure FDA00003049946200032
and
Figure FDA00003049946200033
8. The device according to claim 6, characterized in that t and s are prime numbers, and the third computing module comprises:
A second computing unit, for calculating
Figure FDA00003049946200034
A third computing unit, for calculating
Figure FDA00003049946200035
and
Figure FDA00003049946200036
9. The device according to claim 6, characterized in that t and s are prime numbers, and the generation module also generates a random number r when generating the three random numbers;
The third computing module comprises:
A substituting unit, for using
Figure FDA00003049946200037
in place of the key d;
A second computing unit, for calculating
Figure FDA00003049946200038
A fourth computing unit, for calculating
Figure FDA00003049946200039
and
Figure FDA000030499462000310
10. The device according to claim 8, characterized in that the generation module comprises:
A generation unit, for generating the random number u;
A memory cell, for storing prime numbers;
A select unit, for randomly selecting t and s from the prime numbers stored in the memory cell.
11. The device according to claim 10, characterized in that the select unit comprises:
A first choice unit, for randomly selecting two or more prime numbers from the memory cell, t being equal to the product of the two or more prime numbers, and
Figure FDA00003049946200041
being equal to the product of the two or more prime numbers, each reduced by 1, multiplied by (p-1);
A second select unit, for randomly selecting two or more prime numbers from the memory cell, s being equal to the product of the two or more prime numbers, and
Figure FDA00003049946200042
being equal to the product of the two or more prime numbers, each reduced by 1, multiplied by (q-1).
12. The device according to claim 9, characterized in that the generation module comprises:
A generation unit, for generating the random numbers u and r;
A memory cell, for storing prime numbers;
A select unit, for randomly selecting t and s from the prime numbers stored in the memory cell.
13. The device according to claim 12, characterized in that the select unit comprises:
A first choice unit, for randomly selecting two or more prime numbers from the memory cell, t being equal to the product of the two or more prime numbers, and
Figure FDA00003049946200043
being equal to the product of the two or more prime numbers, each reduced by 1, multiplied by (p-1);
A second select unit, for randomly selecting two or more prime numbers from the memory cell, s being equal to the product of the two or more prime numbers, and
Figure FDA00003049946200044
being equal to the product of the two or more prime numbers, each reduced by 1, multiplied by (q-1).
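The randomized CRT decryption of claim 1, with t and s built as products of stored primes as in claim 5, written out as an added Python example (not code from the patent). The demo key, the prime table, the 32-bit size of u and the rule dp′ = d mod φ(p′), dq′ = d mod φ(q′) are assumptions, because the formula images for dp′ and dq′ are not reproduced on this page.

```python
import secrets

# Constructed demo key: two well-known 30-bit primes (far too small for real use).
P, Q, E = 1_000_000_007, 998_244_353, 65_537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

# Stand-in for the "pre-stored primes" from which the masks t and s are drawn.
SMALL_PRIMES = [257, 263, 269, 271, 277, 281, 283, 293, 307, 311, 313, 317]
_rng = secrets.SystemRandom()


def pick_mask(k=2):
    """Pick k distinct stored primes; return (product, product of (prime - 1))."""
    mask, phi = 1, 1
    for prime in _rng.sample(SMALL_PRIMES, k):
        mask *= prime
        phi *= prime - 1
    return mask, phi


def masked_crt_decrypt(c, d, n, p, q):
    """One randomized RSA-CRT decryption; returns (m, intermediates)."""
    u = secrets.randbits(32) | 1          # random, non-zero u
    t, phi_t = pick_mask()
    s, phi_s = pick_mask()

    c1 = c + u * n                        # c' = c + u*n
    p1, q1 = p * t, q * s                 # p' = p*t, q' = q*s
    cp, cq = c1 % p1, c1 % q1             # cp' = c' mod p', cq' = c' mod q'

    # Assumption: dp' = d mod phi(p'), dq' = d mod phi(q'), where
    # phi(p') = (p-1) * prod(t_i - 1), as the description states in words.
    dp = d % ((p - 1) * phi_t)
    dq = d % ((q - 1) * phi_s)

    mp = pow(cp, dp, p1)                  # mp = cp'^dp' mod p'
    mq = pow(cq, dq, q1)                  # mq = cq'^dq' mod q'

    # m = mq + q * [(mp - mq)(q^-1 mod p) mod p], then m mod n
    m = mq + q * (((mp - mq) * pow(q, -1, p)) % p)
    return m % n, {"p1": p1, "cp": cp, "dp": dp, "mp": mp}


def demo(runs=8):
    """Decrypt one ciphertext repeatedly; return plaintexts and distinct mp values."""
    c = pow(0xC0FFEE, E, N)               # constructed plaintext
    outs = [masked_crt_decrypt(c, D, N, P, Q) for _ in range(runs)]
    return [m for m, _ in outs], {trace["mp"] for _, trace in outs}


if __name__ == "__main__":
    plains, distinct_mp = demo()
    print([hex(m) for m in plains], len(distinct_mp))
```

Every run returns the same plaintext while the intermediate mp changes from run to run, which is the property the description relies on to deny a DPA attacker a stable intermediate value to correlate against.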
CN201310128960.1A 2013-01-17 2013-04-15 Use the anti-attack method in the electronic unit of RSA public key encryption algorithm and device Active CN103209073B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310128960.1A CN103209073B (en) 2013-01-17 2013-04-15 Use the anti-attack method in the electronic unit of RSA public key encryption algorithm and device

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201310017592.3 2013-01-17
CN2013100175923 2013-01-17
CN 201310017592 CN103067164A (en) 2013-01-17 2013-01-17 Anti-attack method for electronic components using RSA public key encryption algorithm
CN201310128960.1A CN103209073B (en) 2013-01-17 2013-04-15 Use the anti-attack method in the electronic unit of RSA public key encryption algorithm and device

Publications (2)

Publication Number Publication Date
CN103209073A true CN103209073A (en) 2013-07-17
CN103209073B CN103209073B (en) 2016-11-30


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104125061A (en) * 2014-08-12 2014-10-29 昆腾微电子股份有限公司 RSA encryption algorithm based attack defending method applied to electronic component
CN104980271A (en) * 2014-04-10 2015-10-14 深圳中电长城信息安全系统有限公司 Multiplication operation method and system in cloud computing and based on Batch RSA
CN105095739A (en) * 2014-05-14 2015-11-25 国民技术股份有限公司 Method and system for testing electronic encryption device
CN106161391A (en) * 2015-04-17 2016-11-23 国民技术股份有限公司 A kind of safety chip and to error injection attack defence method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1411644A (en) * 1999-10-14 2003-04-16 格姆普拉斯公司 Countermeasure method in electronic component which uses RSA-type public key cryptographic algorithm
CN1554047A (en) * 2001-09-06 2004-12-08 因芬尼昂技术股份公司 Device and method for calculating the result of a modular exponentiation
CN102571342A (en) * 2010-12-27 2012-07-11 北京中电华大电子设计有限责任公司 RSA (Ron Rivest, Adi Shamir and Leonard Adleman) algorithm digital signature method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
JULIANE KRAMER 等: "Weakness in Current RSA Signature Schemes", 《SPRINGER》 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104980271A (en) * 2014-04-10 2015-10-14 深圳中电长城信息安全系统有限公司 Multiplication operation method and system in cloud computing and based on Batch RSA
CN104980271B (en) * 2014-04-10 2018-04-17 深圳中电长城信息安全系统有限公司 Multiplying method and system based on Batch RSA in a kind of cloud computing
CN105095739A (en) * 2014-05-14 2015-11-25 国民技术股份有限公司 Method and system for testing electronic encryption device
CN104125061A (en) * 2014-08-12 2014-10-29 昆腾微电子股份有限公司 RSA encryption algorithm based attack defending method applied to electronic component
CN106161391A (en) * 2015-04-17 2016-11-23 国民技术股份有限公司 A kind of safety chip and to error injection attack defence method and device
CN106161391B (en) * 2015-04-17 2020-10-23 国民技术股份有限公司 Security chip and method and device for defending error injection attack

Also Published As

Publication number Publication date
CN103067164A (en) 2013-04-24

Similar Documents

Publication Publication Date Title
US10749675B2 (en) Homomorphic white box system and method for using same
US8422671B2 (en) Methods of encryption and decryption using operand ordering and encryption systems using the same
Jaju et al. A Modified RSA algorithm to enhance security for digital signature
Al-Hamami et al. Enhanced method for RSA cryptosystem algorithm
Nagaraj et al. Data encryption and authetication using public key approach
JP2006340347A (en) Authentication system executing elliptic curve digital signature cryptographic process
JP2008252299A (en) Encryption processing system and encryption processing method
CN103067164A (en) Anti-attack method for electronic components using RSA public key encryption algorithm
EP2553866A1 (en) System and method for protecting cryptographic assets from a white-box attack
EP3698262B1 (en) Protecting modular inversion operation from external monitoring attacks
JP2004304800A (en) Protection of side channel for prevention of attack in data processing device
Somani et al. An improved RSA cryptographic system
Rui et al. A k-RSA algorithm
JP4626148B2 (en) Calculation method of power-residue calculation in decryption or signature creation
CN1985458B (en) Enhanced natural Montgomery exponent masking
Padmaja et al. RSA encryption using three Mersenne primes
EP3166013B1 (en) Modular exponentiation using randomized addition chains
Srinivas et al. Encryption and decryption using elliptic curves for public key cryptosystems
Kayode et al. Efficient RSA cryptosystem decryption based on Chinese remainder theorem and strong prime
KR100953715B1 (en) Digital signature method, Digital signature apparatus using CRT-RSA modula exponentiation algorithm and Recording medium using by the same
CN104125061A (en) RSA encryption algorithm based attack defending method applied to electronic component
KR100953716B1 (en) Method and Apparatus of digital signature using bit arithmetic based on CRT-RSA and Recording medium using by the same
CN103209073B (en) Use the anti-attack method in the electronic unit of RSA public key encryption algorithm and device
CN105049208A (en) Data encryption method based on dual difficulties
Ganpati et al. A Survey of Different Public-Key Cryptosystems

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100195 Beijing, Yuquan, No. 23 Haidian District Road, building No. 4

Applicant after: KT MICRO, Inc.

Address before: 100195 Beijing, Yuquan, No. 23 Haidian District Road, building No. 4

Applicant before: Beijing Kunteng electronic Limited by Share Ltd.

Address after: 100195 Beijing, Yuquan, No. 23 Haidian District Road, building No. 4

Applicant after: Beijing Kunteng electronic Limited by Share Ltd.

Address before: 100195 Beijing, Yuquan, No. 23 Haidian District Road, building No. 4

Applicant before: KT MICRO Inc. (BEIJING)

COR Change of bibliographic data
C14 Grant of patent or utility model
GR01 Patent grant