CN104125061A - RSA encryption algorithm based attack defending method applied to electronic component - Google Patents


Info

Publication number: CN104125061A
Authority: CN (China)
Prior art keywords: invq, mod, calculate, randomization, key
Legal status: Pending
Application number: CN201410394751.6A
Other languages: Chinese (zh)
Inventors: 房伟如, 刘忠志
Current Assignee: Beijing KT Micro Ltd
Original Assignee: Beijing KT Micro Ltd
Application filed by Beijing KT Micro Ltd
Priority to CN201410394751.6A
Publication of CN104125061A

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention relates to an attack defending method, based on the RSA encryption algorithm, applied to an electronic component. The method includes the steps of: generating random numbers u, t, s and r; randomizing the message x and the keys n, p, q, invQ and d with the random numbers u, t, s and r to obtain the randomized results x', n', p', q', invQ' and d'; and computing xp, xq, dp, dq, yp, yq and y from the randomized x', p', q', invQ' and d', wherein p and q are two prime numbers of identical bit length and unequal value. The advantage of the method is that a side channel attack (SCA) attacker is prevented from obtaining the secret parameters of the signature or decryption algorithm from extraneous information about the intermediate data processed by a microprocessor, so that the attack is defended against.

Description

Anti-attack method in an electronic component using the RSA cryptographic algorithm
Technical field
The present invention relates to the field of attack protection, and in particular to an anti-attack method in an electronic component that uses the RSA cryptographic algorithm.
Background technology
Cryptographic systems are divided into private-key cryptosystems and public-key cryptosystems, represented respectively by the symmetric encryption algorithm DES, developed by the NBS and IBM in 1977, and the public-key encryption algorithm RSA, proposed by R. Rivest, A. Shamir and L. Adleman in 1978. Private-key cryptosystems are ill-suited both to key management and to digital signatures, but they are fast. Public-key cryptosystems can be used for key management and digital signatures, but they are slower. A public-key cryptosystem works as follows: a key pair is generated for each user, consisting of a public encryption key and a secret decryption key, and it must be computationally infeasible to derive the secret decryption key (the private key) from the public encryption key (the public key). For example, when A and B communicate, A obtains B's public key by any means and encrypts the message with it; the encrypted message is sent over any insecure channel, and B, on receiving the ciphertext, recovers the plaintext by decrypting with its own private key.
The RSA cryptographic algorithm is used in smart cards, which are widely applied to database access, financial applications, remote payment applications and the like. The principle of the RSA cryptographic algorithm can be divided into the following three parts:
Part I: generate an RSA key pair;
Part II: encrypt a plaintext into a ciphertext; and
Part III: decrypt the ciphertext into the plaintext.
Part I comprises the following 5 steps:
Step 1, generate two large primes p and q of the same length but unequal value;
Step 2, calculating n=p × q, maintain secrecy;
Step 3, select integer e at random, meet and
Step 4, calculating d, meet
Step 5, the public key is (e, n) and the private key is (d, p, q).
Part II is calculated according to the following formula: c = m^e mod n.
Part III is calculated according to the following formula: m = c^d mod n.
Here m denotes the plaintext and c the ciphertext, 1<m<n, 1<c<n, e is the encryption exponent and d is the decryption exponent.
When the RSA cryptographic algorithm is used for signing, the calculation follows the formula: c = m^d mod n.
As the above analysis shows, signing or decrypting with the RSA cryptographic algorithm requires computing y = x^d mod n, where the input is message x and the output is message y.
The security of the RSA cryptographic algorithm rests on the difficulty of factoring a large number formed as the product of two primes. In other words, given two large primes p and q, their product n is easy to obtain, but given n, finding the primes p and q is very difficult. Consequently, a secure RSA algorithm requires n to be long enough, for example: 512, 1024, 2048, etc.
For the RSA cryptographic algorithm, the longer the key, the better the encryption, but the greater the cost of encryption and decryption. An RSA signature or decryption operation using the Chinese Remainder Theorem (hereinafter: CRT) converts the modular exponentiation y = x^d mod n into a system of congruences, which can make signing or decryption about 4 times faster. The RSA signature or decryption algorithm using CRT comprises the following steps:
Step 1, precompute: dp = d mod (p-1), dq = d mod (q-1), invQ = q^(-1) mod p;
Step 2, calculate: xp = x mod p and xq = x mod q;
Step 3, calculate: yp = xp^dp mod p, yq = xq^dq mod q;
Step 4, calculate: y = yq + q × [(yp - yq) × invQ (mod p)];
Wherein the inputs are n, d, p, q, dp, dq, invQ, c, and the output is y = x^d mod n.
When computing, the RSA signature or decryption algorithm using CRT first performs the mod p and mod q operations, where the two primes p and q must have the same length but differ in value. It then performs two modular exponentiations, namely xp^dp mod p and xq^dq mod q, and finally uses CRT to combine the results of the modular exponentiations to obtain the plaintext m.
An implementation of the RSA cryptographic algorithm using CRT on a smart card is vulnerable to side channel attacks (SCA) that exploit power consumption, execution time, input and output behaviour under faults, radiation and the like, and thereby leak key information. Among these, differential power analysis (DPA) attacks and electromagnetic radiation attacks (EMA) are effective attack methods. DPA and EMA attacks exploit the fact that the instantaneous power consumption or electromagnetic emission of a cryptographic device depends on the data the device processes and the operation it performs. A smart card consumes energy and produces electromagnetic radiation while encrypting and decrypting; with special electronic measuring instruments and mathematical statistics, these variations can be detected and analysed to obtain specific key information in the chip. For example, the energy a smart card consumes executing an instruction is correlated with the instruction's operand: when one particular bit is held constant and the other bits vary, analysis of the current consumption associated with the instruction shows that the average energy consumption differs depending on whether that bit is 0 or 1, so the value of that bit can be determined from the energy consumption. SCA such as DPA and EMA can therefore obtain, while the cryptographic algorithm is executing, extraneous information about the intermediate data processed by the microprocessor on the card; in some cases this extraneous information may reveal the secret parameters of the signature or decryption algorithm, making the cryptosystem insecure.
Summary of the invention
The invention provides an anti-attack method in an electronic component using the RSA cryptographic algorithm, so as to prevent an SCA attacker from obtaining the secret parameters of the signature or decryption algorithm from extraneous information about the intermediate data processed by the microprocessor, thereby achieving defence against the attack.
The invention provides an anti-attack method in an electronic component using the RSA cryptographic algorithm. The method is adopted each time the RSA signature or decryption algorithm using the Chinese Remainder Theorem is executed, in order to compute y = x^d mod n. The method takes message x and keys n, p, q, invQ, d as input and message y as output, and comprises:
Generating random numbers: u, t, s, r;
Randomizing message x and keys n, p, q, invQ, d with the random numbers u, t, s, r, the randomized results being x', n', p', q', invQ', d';
Calculating xp, xq, dp, dq, yp, yq and y from the randomized x', p', q', invQ', d';
Wherein p and q are two primes of the same bit length but unequal value.
The present invention also provides an anti-attack method in an electronic component using the RSA cryptographic algorithm. The method is adopted each time the RSA signature or decryption algorithm using the Chinese Remainder Theorem is executed, in order to compute y = x^d mod n. The method takes message x and keys n, p, q, invQ, dp, dq as input, and comprises:
Generating random numbers: u, t, s, r, h;
Randomizing message x and keys n, p, q, invQ, dp, dq with the random numbers u, t, s, r, h, the randomized results being x', n', p', q', invQ', dp', dq';
Calculating xp, xq, yp, yq and y from the randomized x', p', q', invQ', dp', dq';
Wherein p and q are two primes of the same bit length but unequal value.
In the present invention, each execution of the RSA signature or decryption algorithm using CRT is randomized, so that the keys and intermediate results of the CRT-based modular exponentiation are masked. This prevents an SCA attacker from obtaining the secret parameters of the decryption algorithm from extraneous information about the intermediate data processed by the microprocessor, and achieves defence against SCA attacks.
Brief description of the drawings
Fig. 1 is a schematic flow chart of the first embodiment of the anti-attack method in an electronic component using the RSA cryptographic algorithm according to the present invention;
Fig. 2 is a structural schematic diagram of the second embodiment of the anti-attack device in an electronic component using the RSA cryptographic algorithm according to the present invention.
Embodiment
As shown in Fig. 1, which is a schematic flow chart of the first embodiment of the anti-attack method in an electronic component using the RSA cryptographic algorithm according to the present invention, the method is adopted each time the RSA signature or decryption algorithm using CRT is executed. The method takes message x and keys n, p, q, invQ, d as input and may comprise the following steps:
Step 11, generate random numbers: u, t, s, r;
Step 12, randomize message x and keys n, p, q, invQ, d with the random numbers u, t, s, r, the randomized results being x', n', p', q', invQ', d';
Wherein p and q are two primes of the same bit length but unequal value;
Step 13, calculate xp, xq, dp, dq, yp, yq and y from the randomized x', p', q', invQ', d'.
The meaning of each parameter is the same as in the background technology and is not repeated here.
The above countermeasure method can protect the CRT-based modular exponentiation y = x^d mod n, for example the RSA decryption operation m = c^d mod n and the signature operation c = m^d mod n.
In the present embodiment, each execution of the RSA signature or decryption algorithm using CRT is randomized, so that d, p, q, invQ and the intermediate results xp, xq, dp, dq, yp, yq of the CRT-based modular exponentiation are masked. This prevents an SCA attacker from obtaining the secret parameters of the decryption algorithm from extraneous information about the intermediate data processed by the microprocessor, and achieves defence against SCA attacks.
Optionally, in step 12, the randomization may be performed as follows: n' = u × n, x' = x + n', p' = p × t, q' = q × s, invQ' = invQ × t; Wherein, for the Euler's function of n.
Optionally, in step 13, xp, xq, dp, dq, yp, yq and y may be calculated as follows:
Step 131, calculate xp = x' mod p' and xq = x' mod q';
Step 132, calculating with wherein, be respectively the Euler's function of p ', q ';
Step 133, calculate yp = xp^dp mod p', yq = xq^dq mod q';
Step 134, calculate y = yq + q' × [(yp - yq) × invQ' (mod p')]/(t × s);
Step 135, replace y with y mod n.
It should be noted that there is no strict sequential relationship between step 13 and step 14.
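The first embodiment (steps 11 to 135), written out as an added Python sketch that is not code from the patent and checked against the unmasked CRT computation from the background section. The page's formulas for d', dp and dq did not survive, so d' = d + r × φ(n), dp = d' mod φ(p') and dq = d' mod φ(q') are assumptions here, as are the choice of prime masks t and s, the mask sizes and the toy key.

```python
import secrets

def is_prime(k):
    """Trial division; adequate for the small mask values drawn below."""
    if k < 2:
        return False
    i = 2
    while i * i <= k:
        if k % i == 0:
            return False
        i += 1
    return True

def random_prime(bits=8):
    """Random odd prime with the top bit set (used for the masks t and s)."""
    while True:
        k = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(k):
            return k

def crt_plain(x, d, p, q, inv_q):
    """Unmasked RSA-CRT, background Steps 1-4: identical operands on every run."""
    dp, dq = d % (p - 1), d % (q - 1)
    yp, yq = pow(x % p, dp, p), pow(x % q, dq, q)
    return yq + q * (((yp - yq) * inv_q) % p)

def crt_masked(x, n, p, q, inv_q, d):
    """Steps 11-135 with fresh random masks on every call.

    Returns (y, view), where view holds the operands and intermediates the
    processor actually handles, so callers can see that they change per run.
    """
    # Step 11: random numbers. ASSUMPTION: t and s are drawn as primes so that
    # phi(p') = (p-1)(t-1) and phi(q') = (q-1)(s-1) are known without factoring.
    u = secrets.randbits(16) + 1
    r = secrets.randbits(16) + 1
    t, s = random_prime(), random_prime()
    # Step 12: randomize the message and the key.
    n_m = u * n
    x_m = x + n_m
    p_m, q_m, inv_q_m = p * t, q * s, inv_q * t
    d_m = d + r * (p - 1) * (q - 1)   # ASSUMPTION: d' = d + r*phi(n)
    # Step 131: reduce the masked message modulo the masked primes.
    xp, xq = x_m % p_m, x_m % q_m
    # Step 132. ASSUMPTION: dp = d' mod phi(p'), dq = d' mod phi(q').
    dp = d_m % ((p - 1) * (t - 1))
    dq = d_m % ((q - 1) * (s - 1))
    # Step 133: modular exponentiations over the masked moduli.
    yp, yq = pow(xp, dp, p_m), pow(xq, dq, q_m)
    # Step 134: recombine. a*t mod (p*t) = t*(a mod p), so the product below
    # is an exact multiple of t*s and the division removes both masks.
    masked = q_m * (((yp - yq) * inv_q_m) % p_m)
    assert masked % (t * s) == 0
    y = yq + masked // (t * s)
    # Step 135: final reduction modulo the real n.
    return y % n, (p_m, q_m, dp, dq, xp, xq, yp, yq)

# Constructed toy key, far too small for real use: two 17-bit primes.
P, Q = 65537, 65539
N = P * Q
E = 5
D = pow(E, -1, (P - 1) * (Q - 1))
INV_Q = pow(Q, -1, P)

if __name__ == "__main__":
    x = 123456789
    for _ in range(3):
        y, view = crt_masked(x, N, P, Q, INV_Q, D)
        print(y == pow(x, D, N), view)
```

The result matches x^d mod n on every call while the moduli, exponents and intermediates differ from run to run, which is the property the embodiment relies on.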
Optionally, provided the calculation is not affected, the order of some of the computations may be randomized to further improve security. For example: randomize the order of the randomization computations in step 12, randomize the order of the modular operations in step 131 and step 132, and randomize the order of the Montgomery algorithm computations in step 133.
Optionally, provided the calculation is not affected, the order of computation between steps may also be randomized to further improve security. For example, randomize the order of step 131 and step 132; when step 131 is performed before step 132, x', p', q' are calculated before step 131 is carried out, d' is calculated before step 132 is carried out, and invQ' is calculated before step 134 is carried out.
As shown in Fig. 2, which is a structural schematic diagram of the second embodiment of the anti-attack device in an electronic component using the RSA cryptographic algorithm according to the present invention, the method is adopted each time the RSA signature or decryption algorithm using CRT is executed. The method takes ciphertext c and keys n, p, q, invQ, dp, dq as input and may comprise the following steps:
Step 21, generate random numbers: u, t, s, r, h;
Step 22, randomize message x and keys n, p, q, invQ, dp, dq with the random numbers u, t, s, r, h, the randomized results being x', n', p', q', invQ', dp', dq';
Wherein p and q are two primes of the same bit length but unequal value;
Step 23, calculate xp, xq, yp, yq and y from the randomized x', p', q', invQ', dp', dq'.
The meaning of each parameter is the same as in the background technology and is not repeated here.
The difference from the previous embodiment is that the present embodiment, while generating the four random numbers u, t, s, r, also generates a random number h, and randomizes p, q, dp, dq, invQ and the intermediate results mp, mq, but does not randomize the key d.
In the present embodiment, each execution of the decryption algorithm using CRT is randomized, so that p, q, dp, dq, invQ and the intermediate results xp, xq, yp, yq of the CRT-based modular exponentiation are masked. This prevents an SCA attacker from obtaining the secret parameters of the decryption algorithm from extraneous information about the intermediate data processed by the microprocessor, and achieves defence against SCA attacks.
Optionally, in step 22, the randomization may be performed as follows: calculate n' = u × n, x' = x + n', p' = p × t, q' = q × s, invQ' = invQ × t, with h wherein, be respectively the Euler's function of p, q.
Optionally, in step 22, the randomization may also be performed as follows: calculate n' = u × n, x' = x + n', p' = p × t, q' = q × s, invQ' = invQ × t, with h wherein, be respectively the Euler's function of p', q'.
Optionally, in step 23, cp, cq, mp, mq and m may be calculated as follows:
Step 231, calculate xp = x' mod p' and xp = x' mod p';
Step 232, calculate yp = xp^dp' mod p', yq = xq^dq' mod q';
Step 233, calculate y = yq + q' × [(yp - yq) × invQ' (mod p')]/(t × s);
Step 234, replace y with y mod n.
Optionally, in the present embodiment, provided the calculation is not affected, the order of some of the computations may be randomized. For example: randomize the order of the randomization computations in step 22, randomize the order of the two modular operations in step 231, and randomize the order of the two Montgomery algorithm computations in step 232.
Finally, it should be noted that the above embodiments are intended only to illustrate, not to limit, the technical solution of the present invention. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the present invention may be modified or equivalently replaced without departing from its spirit and scope.

Claims (7)

1. An anti-attack method in an electronic component using the RSA cryptographic algorithm, characterized in that the method is adopted each time the RSA signature or decryption algorithm using the Chinese Remainder Theorem is executed, in order to compute y = x^d mod n; the method takes message x and keys n, p, q, invQ, d as input and message y as output, and comprises:
Generating random numbers: u, t, s, r;
Randomizing message x and keys n, p, q, invQ, d with the random numbers u, t, s, r, the randomized results being x', n', p', q', invQ', d';
Calculating xp, xq, dp, dq, yp, yq and y from the randomized x', p', q', invQ', d';
Wherein p and q are two primes of the same bit length but unequal value.
2. The method according to claim 1, characterized in that randomizing message x and keys n, p, q, invQ, d with the random numbers u, t, s, r is specifically:
Calculating n' = u × n, x' = x + n', p' = p × t, q' = q × s, invQ' = invQ × t; Wherein, for the Euler's function of n.
3. The method according to claim 1 or 2, characterized in that calculating xp, xq, dp, dq, yp, yq and y is specifically:
Calculating xp = x' mod p' and xq = x' mod q';
Calculate with
Calculating yp = xp^dp mod p', yq = xq^dq mod q';
Calculating y = yq + q' × [(yp - yq) × invQ' (mod p')]/(t × s);
Replacing y with y mod n;
Wherein, be respectively the Euler's function of p ', q '.
4. An anti-attack method in an electronic component using the RSA cryptographic algorithm, characterized in that the method is adopted each time the RSA signature or decryption algorithm using the Chinese Remainder Theorem is executed, in order to compute y = x^d mod n; the method takes message x and keys n, p, q, invQ, dp, dq as input, and comprises:
Generating random numbers: u, t, s, r, h;
Randomizing message x and keys n, p, q, invQ, dp, dq with the random numbers u, t, s, r, h, the randomized results being x', n', p', q', invQ', dp', dq';
Calculating xp, xq, yp, yq and y from the randomized x', p', q', invQ', dp', dq';
Wherein p and q are two primes of the same bit length but unequal value.
5. The method according to claim 4, characterized in that randomizing message x and keys n, p, q, invQ, dp, dq with the random numbers u, t, s, r, h is specifically:
Calculating n' = u × n, x' = x + n', p' = p × t, q' = q × s, invQ' = invQ × t, with h wherein, be respectively the Euler's function of p, q.
6. The method according to claim 4, characterized in that randomizing message x and keys n, p, q, invQ, dp, dq with the random numbers u, t, s, r, h is specifically:
Calculating n' = u × n, c' = c + n', p' = p × t, q' = q × s, invQ' = invQ × t, with h wherein, be respectively the Euler's function of p', q'.
7. The method according to claim 4, characterized in that calculating xp, xq, yp, yq and y is specifically:
Calculating xp = x' mod p' and xp = x' mod p';
Calculating yp = xp^dp' mod p', yq = xq^dq' mod q';
Calculating y = yq + q' × [(yp - yq) × invQ' (mod p')]/(t × s);
Replacing y with y mod n.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410394751.6A CN104125061A (en) 2014-08-12 2014-08-12 RSA encryption algorithm based attack defending method applied to electronic component


Publications (1)

Publication Number Publication Date
CN104125061A (en) 2014-10-29

Family

ID=51770334

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20141029
