CN106357406A - Method for efficiently acquiring private key based on SPA and zero judgment - Google Patents
Method for efficiently acquiring private key based on SPA and zero judgment
- Publication number
- CN106357406A (application CN201610943340.7A)
- Authority
- CN
- China
- Prior art keywords: mod, power consumption, bits, spa, consumption profile
- Prior art date
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  - H04L9/002—Countermeasures against attacks on cryptographic mechanisms
  - H04L9/003—Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
  - H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
  - H04L9/3006—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
  - H04L9/302—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a method for efficiently acquiring a private key based on SPA and zero judgment. In an algorithm or device that implements RSA-CRT signing in the usual way, or in a similar way, the method attacks the RSA-CRT signature through the power-consumption difference between adding a zero operand and adding a non-zero operand to the same addend (sq) in the final recombination step. A plaintext is chosen, the corresponding ciphertext is computed and fed to the device, and the relation between the plaintext and the secret key is read from the device's response to that ciphertext. The plaintext is split into a high half, which is set to 0, and a low half whose bits are determined one at a time starting from its most significant bit, so that the plaintext converges on the secret prime. By the same reasoning the chosen plaintext can be split into two, or n, equal parts and the secret key attacked.
Description
Technical field
The present invention relates to the field of information security, and in particular to a method for efficiently obtaining a private key based on SPA and zero judgment.
Background technology
The RSA public-key algorithm is one of the mainstream public-key cryptosystems in the field of information security. Keys and smart cards built on RSA are widely used in finance, communications, social security, transportation and many other fields. To guarantee the security of such keys and smart cards, the degree of threat that the various attack methods pose to these products must be studied. Currently popular attack methods include side-channel attacks (SCA). Among the SCA methods, simple power analysis attacks (SPA), differential power analysis attacks (DPA) and fault injection attacks (FIA) are the most common.
In the prior art, SPA attacks on the RSA algorithm are mainly directed at the binary (square-and-multiply) implementation of modular exponentiation. Because of the ranges of p and q, m is taken in [1, 2^512 - 1]; when the value of m is less than or equal to p, computing (sp - sq) mod p performs one subtraction, otherwise it performs one subtraction and one addition. p is approached from the power-consumption difference between the two cases, which recovers the private key. In this SPA method the difference at the attack point may be rather small, and in some implementations there may be no difference at all. Such a method is easily defeated by protections in the device and then cannot recover the key.
Content of the invention
The object of the present invention is to provide a method for efficiently obtaining a private key based on SPA and zero judgment.
The invention provides a method for efficiently obtaining a private key based on SPA and zero judgment, which attacks the modular subtraction in the recombination step of the RSA-CRT computation. During the RSA-CRT computation the device calculates (((sp - sq) * qinv) mod p) * q + sq. If the partial result (((sp - sq) * qinv) mod p) * q evaluates to 0, then the final addition 0 + sq and the addition non-zero + sq produce a considerable difference in power consumption; if that difference is present, the RSA-CRT private key can be analysed from it. The method can therefore effectively assess whether an existing RSA-CRT signature scheme can be attacked, that is, whether it has an exploitable leak.
To achieve these goals, the present invention provides a method for efficiently obtaining a private key based on SPA and zero judgment, comprising the steps:
(a) Let the length of the RSA modulus n be 2t bits, and let e be any value less than n;
(b) Choose a plaintext m whose length equals the length 2t of n, and split m into two equal halves mh and ml of t bits each, so that m = mh || ml;
(c) Set all bits of mh to 0 and all bits of ml to 1, compute c = m^e mod n, feed the value of c to the attacked chip for a signing or decryption operation, and record the power consumption profile trace1;
(d) Set all bits of mh to 0, set bits 0 and 1 of ml to 1 and the remaining bits of ml to 0, compute c = m^e mod n, feed the value of c to the attacked chip for a signing or decryption operation, and record the power consumption profile trace2;
(e) Compare trace1 and trace2 and analyse the power consumption profile of the final addition of the RSA-CRT signature: the profile of the addition "zero + sq" is denoted trace4, and the profile of the addition "non-zero + sq" is denoted trace5;
(f) Keep all bits of mh at 0; for i from t-1 down to 1, set bit i of ml to 1 (bits of ml below i stay 0, bits above i keep the values decided in the earlier iterations), compute c = m^e mod n, feed the value of c to the attacked chip for a signing or decryption operation, and record trace3;
(g) Examine the sub-profile trace6 of the last addition in trace3: if trace6 equals trace4, the current bit is kept at 1, otherwise the current bit is set to 0;
(h) Compute c = m^e mod n for the resulting m and feed c to the attacked chip for a signing or decryption operation; if the power consumption profile of the final addition of the RSA-CRT signature equals trace5, output the value of m as the recovered prime; otherwise report that the attack did not succeed.
According to the specific embodiments provided by the present invention, the invention has the following technical effects:
The beneficial effect of the invention is that the power-consumption segment attacked by the method of the present invention shows a much larger difference than the segment used in existing schemes, so the attack is easier to carry out. Whether an RSA-CRT signature algorithm has an exploitable leak can be detected quickly and conveniently, and whether an RSA-CRT signature algorithm of our own design can resist this attack can be checked.
The present invention can effectively detect whether the masking of the plaintext m in a protection scheme prevents the private key from being attacked. The present invention can also effectively detect whether the CRT implementation in a scheme has a leak.
Brief description
In order to explain the embodiments of the present invention or the schemes of the prior art more clearly, the drawings needed in the embodiments are briefly described below. The drawings in the following description are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of the method for efficiently obtaining a private key based on SPA and zero judgment of the present invention.
Specific embodiment
The technical solution in the embodiments of the present invention is described below clearly and completely with reference to the drawings of those embodiments. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The object of the present invention is to provide a method for efficiently obtaining a private key based on SPA and zero judgment.
To make the above objects, features and advantages of the present invention clearer and easier to understand, the present invention is described in further detail below with reference to the drawings and the specific embodiments.
Embodiment 1:
In the method for efficiently obtaining a private key based on SPA and zero judgment, the RSA-CRT key is divided into a public key and a private key: e and n form the RSA-CRT public key; p, q, dp, dq and qinv form the RSA-CRT private key.
The general RSA-CRT signing process is as follows:
mp = c mod p, mq = c mod q
sp = mp^dp mod p, sq = mq^dq mod q
crt(sp, sq) = (((sp - sq) * qinv) mod p) * q + sq
Analysing further, (sp - sq) mod p can be rewritten as follows:
sp = (c mod p)^dp mod p = (((m^e) mod n) mod p)^dp mod p = (m^(e*dp)) mod p = m mod p
sq = (c mod q)^dq mod q = (((m^e) mod n) mod q)^dq mod q = (m^(e*dq)) mod q = m mod q
Therefore (sp - sq) mod p = ((m mod p) - (m mod q)) mod p, and crt(sp, sq) = (((((m mod p) - (m mod q)) mod p) * qinv) mod p) * q + sq = x + sq.
Take 1024-bit RSA as an example, with p > q, and let m range over [1, 2^512 - 1]. Divide this interval into two parts: [1, q) (interval one) and [q, 2^512 - 1] (interval two). When the value of m falls in interval one, m mod p = m mod q = m, so (sp - sq) mod p = ((m mod p) - (m mod q)) mod p = 0; x then evaluates to 0 and the last operation is 0 + sq. When the value of m falls in interval two, (sp - sq) mod p = ((m mod p) - (m mod q)) mod p is non-zero, so x is a 1024-bit value and the final step adds a 1024-bit value to a 512-bit value. Because every design handles big-number addition in its own way, the last addition shows an obvious difference in power consumption depending on which of the two intervals the plaintext falls in. This patent chooses an initial value of m and adjusts m according to the result of each step so that m approaches the prime q, thereby cracking the key.
The power-consumption segment attacked by the method of the present invention shows a larger difference than the segment used in existing schemes, so the attack is easier to carry out. Whether an RSA-CRT signature algorithm has an exploitable leak can be detected quickly and conveniently, and whether an RSA-CRT signature algorithm of our own design can resist this attack can be checked.
The present invention can effectively detect whether the masking of the plaintext m in a protection scheme prevents the private key from being attacked. The present invention can also effectively detect whether the CRT implementation in a scheme has a leak.
Specific examples have been used here to set forth the principle and embodiments of the present invention; the description of the above embodiments is only intended to help understand the method of the present invention and its core idea. At the same time, a person of ordinary skill in the art will, following the idea of the present invention, make changes in the specific embodiments and in the scope of application. In summary, the content of this specification should not be interpreted as limiting the present invention.
Claims (1)
1. A method for efficiently acquiring a private key based on SPA and zero judgment, characterised by comprising the steps:
(a) Let the length of the RSA modulus n be 2t bits, and let e be any value less than n;
(b) Choose a plaintext m whose length equals the length 2t of n, and split m into two equal halves mh and ml of t bits each, so that m = mh || ml;
(c) Set all bits of mh to 0 and all bits of ml to 1, compute c = m^e mod n, feed the value of c to the attacked chip for a signing or decryption operation, and record the power consumption profile trace1;
(d) Set all bits of mh to 0, set bits 0 and 1 of ml to 1 and the remaining bits of ml to 0; compute c = m^e mod n, feed the value of c to the attacked chip for a signing or decryption operation, and record the power consumption profile trace2;
(e) Compare trace1 and trace2 and analyse the difference in the power consumption profile of the final addition of the RSA-CRT signature: the profile of the addition "zero + sq" is denoted trace4, and the profile of the addition "non-zero + sq" is denoted trace5;
(f) Keep all bits of mh at 0; for i from t-1 down to 1, set bit i of ml to 1 (bits of ml below i stay 0, bits above i keep the values decided in the earlier iterations), compute c = m^e mod n, feed the value of c to the attacked chip for a signing or decryption operation, and record trace3;
(g) Examine the sub-profile trace6 of the last addition in trace3: if trace6 equals trace4, the current bit is kept at 1, otherwise the current bit is set to 0;
(h) Compute c = m^e mod n for the resulting m and feed c to the attacked chip for a signing or decryption operation; if the power consumption profile of the final addition of the RSA-CRT signature equals trace5, output the value of m as the recovered prime; otherwise report that the attack did not succeed.
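Steps (a) to (h) above, together with the derivation of x = 0 for m < q in Embodiment 1, can be simulated end to end. The following Python program is an added example and is not code from the patent or from any device it was evaluated on. It builds a toy RSA-CRT key from two constructed 32-bit primes (so t = 32 instead of 512), replaces the oscilloscope with a stand-in observable (the Hamming weight of the addend x in the final x + sq addition, which is 0 exactly when x = 0), runs steps (c) to (h) against the plain recombination, and then runs them again against a message-blinded variant of the same recombination, which is my own addition standing in for the "masking of the plaintext m" the page says the method can evaluate. Reading step (h) as testing m + 1, because the loop over bits t-1..1 converges on q - 1, is my interpretation; all function and variable names are mine.

```python
"""Simulation of the chosen-message 'zero judgment' SPA on RSA-CRT (steps (a)-(h)).

Constructed example: a toy 64-bit modulus, and a stand-in 'power trace' (Hamming
weight of the addend x in the final x + sq addition) instead of real measurements.
"""
import random

P = 4294967291   # 2**32 - 5  (constructed toy prime, p > q)
Q = 4294967279   # 2**32 - 17 (constructed toy prime)
E = 65537
T = 32           # bit length of p and q; n = p*q has 2t bits
_RNG = random.Random(2016)   # fixed seed so the blinded run is reproducible


def is_prime(n):
    """Deterministic Miller-Rabin with the first 12 prime bases (exact for n < 3.3e24)."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_key(p, q, e):
    """RSA-CRT key: (e, n) public; p, q, dp, dq, qinv private, as on the page."""
    assert is_prime(p) and is_prime(q) and p > q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": p * q, "e": e, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def crt_sign_leaky(c, key):
    """RSA-CRT recombination exactly as written on the page, returning (s, trace).

    trace is the constructed side-channel observable for the final addition
    x + sq: the Hamming weight of x, so 0 when the addend is zero."""
    p, q = key["p"], key["q"]
    sp = pow(c % p, key["dp"], p)
    sq = pow(c % q, key["dq"], q)
    x = (((sp - sq) * key["qinv"]) % p) * q
    return x + sq, bin(x).count("1")


def crt_sign_blinded(c, key):
    """Same recombination with message blinding (c * r^e mod n, unblind by r^-1):
    the addend x now depends on m*r, not on the chosen m (my countermeasure stand-in)."""
    n, e = key["n"], key["e"]
    r = _RNG.randrange(2, n - 1)
    s_blind, trace = crt_sign_leaky(c * pow(r, e, n) % n, key)
    return s_blind * pow(r, -1, n) % n, trace


def recover_q(n, e, leak, t):
    """Steps (c)-(h) using only the public key and leak(c) -> trace of the last addition.

    Bit i of ml is kept whenever the candidate m is still below q (zero addend),
    so the loop converges on q - 1 (even, hence bit 0 is never tested); step (h)
    then checks m + 1, which must give the non-zero profile."""
    def trace_for(m):
        return leak(pow(m, e, n))

    trace5 = trace_for((1 << t) - 1)   # (c) mh = 0, ml all ones: m >= q, non-zero + sq
    trace4 = trace_for(3)              # (d) ml bits 0,1 set: m = 3 < q, zero + sq
    if trace4 == trace5:               # (e) the two reference profiles must differ
        return None

    def zero_case(m):                  # (g): nearest reference profile decides
        tr = trace_for(m)
        return abs(tr - trace4) < abs(tr - trace5)

    m = 0
    for i in range(t - 1, 0, -1):      # (f): bits t-1 .. 1 of ml, mh stays 0
        cand = m | (1 << i)
        if zero_case(cand):            # cand < q: keep the bit at 1
            m = cand
    q = m + 1                          # (h): first m that is no longer below q
    return q if not zero_case(q) else None


if __name__ == "__main__":
    key = make_key(P, Q, E)
    got = recover_q(key["n"], key["e"], lambda c: crt_sign_leaky(c, key)[1], T)
    print("unprotected CRT: recovered q =", got, "correct:", got == Q)
    got = recover_q(key["n"], key["e"], lambda c: crt_sign_blinded(c, key)[1], T)
    print("blinded CRT:     recovered q =", got, "correct:", got == Q)
</```

Run as a script, the first line reports the correct q after 2 + 31 + 1 chosen ciphertexts and the second does not. In the unprotected run every non-zero candidate in the search has x = q (the difference (sp - sq) mod p equals q whenever q <= m < 2q), so trace4 and trace5 are cleanly separated; with blinding, trace4 and trace5 are both non-zero profiles, so step (e) either fails outright or the bits read in step (g) are noise. Note that the simulation deliberately models only what the page describes (raw RSA with no padding and a recombination that computes (sp - sq) mod p directly); a device that pads the message or randomises the recombination does not present this oracle.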
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610943340.7A CN106357406A (en) | 2016-11-02 | 2016-11-02 | Method for efficiently acquiring private key based on SPA and zero judgment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106357406A true CN106357406A (en) | 2017-01-25 |
Family
ID=57864312
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610943340.7A Pending CN106357406A (en) | 2016-11-02 | 2016-11-02 | Method for efficiently acquiring private key based on SPA and zero judgment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106357406A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110417541A (en) * | 2019-09-03 | 2019-11-05 | 北京宏思电子技术有限责任公司 | Attack encryption key method, device, electronic equipment and computer readable storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103546277A (en) * | 2013-09-25 | 2014-01-29 | 北京握奇数据系统有限公司 | Smart card SM4 calculation based DPA attack and secret key restoring method and DPA attack and secret key restoring system |
CN103580858A (en) * | 2013-11-06 | 2014-02-12 | 北京华大信安科技有限公司 | RSA algorithm private key element acquiring method and acquiring device |
CN104079561A (en) * | 2014-06-09 | 2014-10-01 | 中国电子科技集团公司第十五研究所 | Secret key attacking method and device |
CN104796250A (en) * | 2015-04-11 | 2015-07-22 | 成都信息工程学院 | Side channel attack method for implementation of RSA (Rivest, Shamir and Adleman) cipher algorithms M-ary |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Fouque et al. | Fault attack on elliptic curve Montgomery ladder implementation | |
Homma et al. | Collision-based power analysis of modular exponentiation using chosen-message pairs | |
AU782868B2 (en) | Information processing device, information processing method and smartcard | |
EP3459203B1 (en) | Method and device to protect a cryptographic exponent | |
CN106452789B (en) | A kind of endorsement method of multi-faceted anti-side-channel attack | |
CN101562522A (en) | Realization method of elliptic curve cryptosystem for preventing side-channel attack | |
CN103647638A (en) | DES masking method for resisting side-channel attack | |
CN109214195A (en) | A kind of the SM2 ellipse curve signature sign test hardware system and method for resisting differential power consumption attack | |
CN101180606A (en) | Determination of a modular inverse | |
CN103560877A (en) | Method and device for attacking secret key | |
CN106357378B (en) | Key detection method and its system for SM2 signature | |
CN107994980A (en) | It is a kind of using the out of order technology of clock and the anti-DPA attack methods of chaos trigger | |
CN105681033B (en) | A kind of out-of-order encryption device of multivariate quadratic equation | |
CN106357406A (en) | Method for efficiently acquiring private key based on SPA and zero judgment | |
CN106936822A (en) | For the mask realization method and system of the anti-high-order bypass analysis of SMS4 | |
CN105740730A (en) | Method for realizing secure point multiplication in chips | |
CN104717060B (en) | A kind of method for attacking elliptic curve encryption algorithm and attack equipment | |
Jia et al. | A unified method based on SPA and timing attacks on the improved RSA | |
Yin et al. | A novel spa on ecc with modular subtraction | |
Ghosh et al. | Security of prime field pairing cryptoprocessor against differential power attack | |
US7174016B2 (en) | Modular exponentiation algorithm in an electronic component using a public key encryption algorithm | |
KR101517947B1 (en) | Preventind method against power analysis attack by middle key | |
CN105656629B (en) | Safe non-adjacent expression type implementation method in chip | |
CN106301756A (en) | Big digital-to-analogue power for SM2 signature is inverted consumption detection method and system thereof | |
Mahanta et al. | Comparative modular exponentiation with randomized exponent to resist power analysis attacks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20170125 |