CN106357406A - Method for efficiently acquiring private key based on SPA and zero judgment - Google Patents


Info

Publication number
CN106357406A
Authority
CN
China
Prior art keywords
mod
power consumption
bits
spa
consumption profile
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610943340.7A
Other languages
Chinese (zh)
Inventor
王亚伟
王磊
张贺
曹军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BEIJING HONGSI ELECTRONIC TECHNOLOGY Co Ltd
Original Assignee
BEIJING HONGSI ELECTRONIC TECHNOLOGY Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by BEIJING HONGSI ELECTRONIC TECHNOLOGY Co Ltd
Priority to CN201610943340.7A
Publication of CN106357406A
Legal status: Pending

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002: Countermeasures against attacks on cryptographic mechanisms
    • H04L9/003: Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006: Public key ... underlying computational problems or public-key parameters
    • H04L9/302: Public key ... underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method for efficiently acquiring a private key based on SPA and zero judgment. In an RSA-CRT signing algorithm or device implemented with the same or a similar idea, the power-consumption difference produced by adding a zero value versus a non-zero value to the same immediate operand is used to attack the RSA-CRT signature. A plaintext is chosen, its ciphertext is computed, and the ciphertext is input to the device so that a relation between the plaintext and the secret key is obtained. The high half of the plaintext is set to 0 and the low half to 1, and the secret key is approached starting from the most significant bit of the low half. By the same method the chosen plaintext can be divided into two equal parts or into n equal parts, and the secret key is then attacked.

Description

A method for efficiently obtaining a private key based on SPA and zero-value judgment
Technical field
The present invention relates to the field of information security, and in particular to a method for efficiently obtaining a private key based on SPA and zero-value judgment.
Background technology
The RSA public-key encryption algorithm is the mainstream public-key cryptographic technique in the information security field. Keys and smart cards based on RSA are widely used in finance, communications, social security, transportation and other fields. To ensure the security of such keys and smart cards, the degree of threat that the various attack methods pose to these products must be studied. Currently popular attack methods include side-channel attacks (SCA). Among SCA methods, simple power analysis (SPA), differential power analysis (DPA) and fault injection attacks (FIA) are the most common.
In the prior art, SPA attacks on the RSA algorithm are mainly directed at modular exponentiation implemented in binary. Because of the ranges of p and q, when m takes a value in [1, 2^512 - 1] and m is less than or equal to p, the computation of (sp - sq) mod p performs one subtraction; otherwise it performs one subtraction and one addition. p is approached from the power-consumption difference of this operation, that is, the private key is attacked. In this SPA attack method the difference at the point of attack may be quite small, and in some implementations there may be no difference at all. The method and device are therefore easy to protect, and the attack cannot recover the key.
Content of the invention
The object of the present invention is to provide a method for efficiently obtaining a private key based on SPA and zero-value judgment.
The invention provides a method for efficiently obtaining a private key based on SPA and zero-value judgment, which attacks the modular-subtraction operation in the CRT recombination step of the RSA-CRT computation. During the RSA computation, (((sp - sq) * qinv) mod p) * q + sq must be calculated. If the partial computation (((sp - sq) * qinv) mod p) * q produces the value 0, then 0 + sq and non-zero + sq produce a considerable difference in power consumption, and if such a difference exists the RSA-CRT private key can be analysed from it. The method can effectively assess whether an existing RSA-CRT signature scheme is open to this attack, that is, whether it has an exploitable vulnerability.
To achieve these goals, the present invention provides a method for efficiently obtaining a private key based on SPA and zero-value judgment, comprising the steps:
(a) Set the length of the RSA modulus n to 2t bits, and set e to any value less than n;
(b) Select a plaintext m whose length equals the length 2t of n, and divide m into two equal parts mh and ml, each of length t, with m = mh || ml;
(c) Set all bits of mh to 0 and all bits of ml to 1, compute c = m^e mod n, input the value of c to the attacked chip for a signing or decryption operation, and obtain power-consumption profile trace1;
(d) Set all bits of mh to 0, set bits 0 and 1 of ml to 1 and the remaining bits to 0, compute c = m^e mod n, input the value of c to the attacked chip for a signing or decryption operation, and obtain power-consumption profile trace2;
(e) Compare trace1 and trace2 and analyse the power-consumption profile of the final addition of the RSA-CRT signature; the profile of executing zero plus sq is recorded as trace4, and the profile of executing non-zero plus sq is recorded as trace5;
(f) Set all bits of mh to 0 and all bits of ml to 1; for i from t-1 down to 1, perform the following: compute c = m^e mod n, input the value of c to the attacked chip for a signing or decryption operation, and obtain trace3;
(g) Examine the sub-profile trace6 of the last addition in trace3; if trace6 equals trace4, set the current bit to 1, otherwise set the current bit to 0;
(h) Compute c = m^e mod n and input c to the attacked chip for a signing or decryption operation; if the power-consumption profile of the final addition of the RSA-CRT signature equals trace5, output the value of m as the recovered prime; otherwise output that the attack was unsuccessful.
According to the specific embodiments provided by the present invention, the invention discloses the following technical effects:
The beneficial effect of the invention is that the power-consumption segment attacked by the method of the present invention shows a larger difference than the power-consumption segment used by existing schemes, so the attack is easier to carry out. It can quickly and conveniently detect whether an RSA-CRT signature algorithm has this exploitable vulnerability, and whether an RSA-CRT signature algorithm we design can prevent this attack.
The present invention can effectively detect whether masking the plaintext m in a protection scheme prevents the private key from being attacked. The invention can also effectively detect whether the CRT implementation process of a scheme has this vulnerability.
Brief description of the drawings
To explain the embodiments of the present invention or the solutions in the prior art more clearly, the drawings required in the embodiments are briefly described below. Obviously, the drawings in the following description are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic flow chart of the method for efficiently obtaining a private key based on SPA and zero-value judgment according to the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative work fall within the scope of protection of the present invention.
The object of the present invention is to provide a method for efficiently obtaining a private key based on SPA and zero-value judgment.
To make the above objects, features and advantages of the present invention clearer and easier to understand, the present invention is further described in detail below with reference to the drawings and specific embodiments.
Embodiment 1:
In the method for efficiently obtaining a private key based on SPA and zero-value judgment, the RSA-CRT key is divided into a public key and a private key, where e, n are the RSA-CRT public key and p, q, dp, dq, qinv are the RSA-CRT private key.
The general RSA-CRT signature process is as follows:
mp = c mod p, mq = c mod q
sp = mp^dp mod p, sq = mq^dq mod q
crt(sp, sq) = (((sp - sq) * qinv) mod p) * q + sq
Analysing further, (sp - sq) mod p can be transformed as follows:
sp = (c mod p)^dp mod p = (((m^e) mod n) mod p)^dp mod p = (m^(e*dp)) mod p = m mod p
sq = (c mod q)^dq mod q = (((m^e) mod n) mod q)^dq mod q = (m^(e*dq)) mod q = m mod q
Therefore (sp - sq) mod p = (m mod p - m mod q) mod p, and crt(sp, sq) = ((((m mod p - m mod q) mod p) * qinv) mod p) * q + sq = x + sq.
Taking 1024-bit RSA as an example, p and q (with p > q) lie in [1, 2^512 - 1]. We divide this interval into two parts: [1, q) (interval one) and [q, 2^512 - 1] (interval two). When the value of m falls in interval one, (sp - sq) mod p = (m mod p - m mod q) mod p = 0; the computed x is then 0, i.e. the last operation is 0 + sq. When the value of m falls in interval two, (sp - sq) mod p = (m mod p - m mod q) mod p is non-zero; x is then 1024-bit data, and the final step adds 1024-bit data to 512-bit data. Because every design uses a different method for big-number addition, when the plaintext falls in the two different intervals the last addition shows an obvious difference in power consumption. This patent selects the initial value of m and adjusts m according to the result of each step so that m approaches the prime q, thereby cracking the key.
The power-consumption segment attacked by the method of the present invention shows a larger difference than the power-consumption segment used by existing schemes, so the attack is easier to carry out. It can quickly and conveniently detect whether an RSA-CRT signature algorithm has this exploitable vulnerability, and whether the RSA-CRT signature algorithm we design can prevent this attack.
The present invention can effectively detect whether masking the plaintext m in a protection scheme prevents the private key from being attacked. The invention can also effectively detect whether the CRT implementation process of a scheme has this vulnerability.
The principles and embodiments of the present invention are explained herein using specific examples; the above description of the embodiments is only intended to help understand the method and core idea of the present invention. At the same time, for those of ordinary skill in the art, the specific embodiments and scope of application will vary according to the idea of the present invention. In summary, the content of this specification should not be construed as limiting the present invention.
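The recombination identity derived above (x = 0 exactly when m falls in [1, q)) and the plaintext-masking check mentioned in the last two paragraphs, worked through in Python as an added illustration that is not code from the patent or its assignee. It constructs a deliberately tiny RSA-CRT key, verifies over every plaintext that the operand added to sq in the final step is zero if and only if m < q, and then runs the same step under a multiplicative plaintext mask (assumed here as multiplying c by r^e mod n and dividing the result by r, which is not a construction the patent spells out) to show that the zero event then depends on the random mask rather than on m. All parameters are constructed toy values.

```python
# Added illustration of the RSA-CRT recombination step analysed in the text:
# checks the "x == 0 <=> m < q" property and the effect of a plaintext mask.
# The 61/53/17 key below is a constructed toy and far too small for real use.
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class CrtKey:
    p: int
    q: int
    e: int
    dp: int
    dq: int
    qinv: int

    @property
    def n(self) -> int:
        return self.p * self.q


def make_toy_key(p: int, q: int, e: int) -> CrtKey:
    """Derive the CRT private key (dp, dq, qinv) from primes p > q and e."""
    assert p > q
    d = pow(e, -1, (p - 1) * (q - 1))
    return CrtKey(p, q, e, d % (p - 1), d % (q - 1), pow(q, -1, p))


def crt_decrypt(c: int, k: CrtKey):
    """Recombination written exactly as in the text:
    crt(sp, sq) = (((sp - sq) * qinv) mod p) * q + sq.
    Returns (result, x) where x is the operand added to sq in the final step."""
    sp = pow(c % k.p, k.dp, k.p)
    sq = pow(c % k.q, k.dq, k.q)
    h = ((sp - sq) * k.qinv) % k.p
    x = h * k.q
    return x + sq, x


def final_add_is_zero(m: int, k: CrtKey) -> bool:
    """True when decrypting c = m^e mod n ends with the addition 0 + sq."""
    c = pow(m, k.e, k.n)
    result, x = crt_decrypt(c, k)
    assert result == m  # the recombination itself is correct
    return x == 0


def leak_matches_interval(k: CrtKey) -> bool:
    """Self-check of the text's claim over all plaintexts: x == 0 <=> m in [1, q)."""
    return all(final_add_is_zero(m, k) == (m < k.q) for m in range(1, k.n))


def masked_final_add_is_zero(m: int, k: CrtKey, r: int) -> bool:
    """Same device step under an assumed multiplicative plaintext mask: the
    CRT core processes c * r^e mod n (i.e. recovers m*r mod n) and the result
    is unmasked afterwards, so the zero event now follows (m*r mod n) < q."""
    c = pow(m, k.e, k.n)
    c_masked = (c * pow(r, k.e, k.n)) % k.n
    masked_result, x = crt_decrypt(c_masked, k)
    assert (masked_result * pow(r, -1, k.n)) % k.n == m  # unmasking restores m
    return x == 0


def zero_rate_under_mask(m: int, k: CrtKey, trials: int, seed: int = 1) -> float:
    """Fraction of masked decryptions of one fixed m whose final add is 0 + sq."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(trials):
        r = rng.randrange(1, k.n)
        while r % k.p == 0 or r % k.q == 0:  # the mask must be invertible mod n
            r = rng.randrange(1, k.n)
        zeros += masked_final_add_is_zero(m, k, r)
    return zeros / trials


KEY = make_toy_key(p=61, q=53, e=17)  # constructed toy key, n = 3233

if __name__ == "__main__":
    print("x == 0 exactly for m < q:", leak_matches_interval(KEY))
    print("unmasked, m = q - 1 ->", final_add_is_zero(KEY.q - 1, KEY))
    print("unmasked, m = q     ->", final_add_is_zero(KEY.q, KEY))
    for m in (KEY.q - 1, KEY.q, 2000):
        rate = zero_rate_under_mask(m, KEY, trials=2000)
        print(f"masked zero rate for m={m}: {rate:.3f}")
```

Without the mask, m = q - 1 and m = q sit on opposite sides of the boundary and give different final-add operands on every run, which is the distinguisher the text relies on; with the mask, the zero rate for those two plaintexts is the same small value (roughly q/n) and no longer tells them apart, which is the property an evaluator would confirm when checking a masked implementation.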

Claims (1)

1. A method for efficiently obtaining a private key based on SPA and zero-value judgment, characterised in that it comprises the steps:
(a) Set the length of the RSA modulus n to 2t bits, and set e to any value less than n;
(b) Select a plaintext m whose length equals the length 2t of n, and divide m into two equal parts mh and ml, each of length t, with m = mh || ml;
(c) Set all bits of mh to 0 and all bits of ml to 1, compute c = m^e mod n, input the value of c to the attacked chip for a signing or decryption operation, and obtain power-consumption profile trace1;
(d) Set all bits of mh to 0, set bits 0 and 1 of ml to 1 and the remaining bits to 0; compute c = m^e mod n, input the value of c to the attacked chip for a signing or decryption operation, and obtain power-consumption profile trace2;
(e) Compare trace1 and trace2 and analyse the difference in the power-consumption profile of the final addition of the RSA-CRT signature; the profile of executing zero plus sq is recorded as trace4, and the profile of executing non-zero plus sq is recorded as trace5;
(f) Set all bits of mh to 0 and all bits of ml to 1; for i from t-1 down to 1, perform the following: compute c = m^e mod n, input the value of c to the attacked chip for a signing or decryption operation, and obtain trace3;
(g) Examine the sub-profile trace6 of the last addition in trace3; if trace6 equals trace4, set the current bit to 1, otherwise set the current bit to 0;
(h) Compute c = m^e mod n and input c to the attacked chip for a signing or decryption operation; if the power-consumption profile of the final addition of the RSA-CRT signature equals trace5, output the value of m as the recovered prime; otherwise output that the attack was unsuccessful.
CN201610943340.7A 2016-11-02 2016-11-02 Method for efficiently acquiring private key based on SPA and zero judgment Pending CN106357406A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610943340.7A CN106357406A (en) 2016-11-02 2016-11-02 Method for efficiently acquiring private key based on SPA and zero judgment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610943340.7A CN106357406A (en) 2016-11-02 2016-11-02 Method for efficiently acquiring private key based on SPA and zero judgment

Publications (1)

Publication Number Publication Date
CN106357406A true CN106357406A (en) 2017-01-25

Family

ID=57864312

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610943340.7A Pending CN106357406A (en) 2016-11-02 2016-11-02 Method for efficiently acquiring private key based on SPA and zero judgment

Country Status (1)

Country Link
CN (1) CN106357406A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110417541A (en) * 2019-09-03 2019-11-05 北京宏思电子技术有限责任公司 Attack encryption key method, device, electronic equipment and computer readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103546277A (en) * 2013-09-25 2014-01-29 北京握奇数据系统有限公司 Smart card SM4 calculation based DPA attack and secret key restoring method and DPA attack and secret key restoring system
CN103580858A (en) * 2013-11-06 2014-02-12 北京华大信安科技有限公司 RSA algorithm private key element acquiring method and acquiring device
CN104079561A (en) * 2014-06-09 2014-10-01 中国电子科技集团公司第十五研究所 Secret key attacking method and device
CN104796250A (en) * 2015-04-11 2015-07-22 成都信息工程学院 Side channel attack method for implementation of RSA (Rivest, Shamir and Adleman) cipher algorithms M-ary

Similar Documents

Publication Publication Date Title
Fouque et al. Fault attack on elliptic curve Montgomery ladder implementation
Homma et al. Collision-based power analysis of modular exponentiation using chosen-message pairs
AU782868B2 (en) Information processing device, information processing method and smartcard
EP3459203B1 (en) Method and device to protect a cryptographic exponent
CN106452789B (en) A kind of endorsement method of multi-faceted anti-side-channel attack
CN101562522A (en) Realization method of elliptic curve cryptosystem for preventing side-channel attack
CN103647638A (en) DES masking method for resisting side-channel attack
CN109214195A (en) A kind of the SM2 ellipse curve signature sign test hardware system and method for resisting differential power consumption attack
CN101180606A (en) Determination of a modular inverse
CN103560877A (en) Method and device for attacking secret key
CN106357378B (en) Key detection method and its system for SM2 signature
CN107994980A (en) It is a kind of using the out of order technology of clock and the anti-DPA attack methods of chaos trigger
CN105681033B (en) A kind of out-of-order encryption device of multivariate quadratic equation
CN106357406A (en) Method for efficiently acquiring private key based on SPA and zero judgment
CN106936822A (en) For the mask realization method and system of the anti-high-order bypass analysis of SMS4
CN105740730A (en) Method for realizing secure point multiplication in chips
CN104717060B (en) A kind of method for attacking elliptic curve encryption algorithm and attack equipment
Jia et al. A unified method based on SPA and timing attacks on the improved RSA
Yin et al. A novel spa on ecc with modular subtraction
Ghosh et al. Security of prime field pairing cryptoprocessor against differential power attack
US7174016B2 (en) Modular exponentiation algorithm in an electronic component using a public key encryption algorithm
KR101517947B1 (en) Preventind method against power analysis attack by middle key
CN105656629B (en) Safe non-adjacent expression type implementation method in chip
CN106301756A (en) Big digital-to-analogue power for SM2 signature is inverted consumption detection method and system thereof
Mahanta et al. Comparative modular exponentiation with randomized exponent to resist power analysis attacks

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170125