CN106411495A - Fault injection attacking method and device for RSA algorithm - Google Patents

Publication number: CN106411495A
Application number: CN201610846908.3A
Authority: CN (China)
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN106411495B (en)
Inventors: 邵翠萍, 李慧云, 唐烨
Current Assignee: Shenzhen Institute of Advanced Technology of CAS
Original Assignee: Shenzhen Institute of Advanced Technology of CAS
Prior art keywords: value, plaintext, encrypted result, mistake, encrypted

Classifications

    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L9/302 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy; underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes

Abstract

The application discloses a fault injection attack method and device for the RSA algorithm. The method comprises the steps of: acquiring a first encryption result obtained by encrypting the value of a plaintext with the RSA algorithm; carrying out a fault injection attack on the value of the plaintext to obtain the value of a faulty plaintext; encrypting the value of the faulty plaintext with the RSA algorithm to obtain a second encryption result; and solving for the plaintext according to the operational relationship among the value of the plaintext, the value of the faulty plaintext, the first encryption result and the second encryption result. The method has a low accuracy requirement for the attacked range, is simple to implement, and has a relatively low time complexity.

Description

Fault injection attack method and device for the public key encryption algorithm RSA
Technical field
The application relates to the field of time synchronization technology, and more particularly to a fault injection attack method and device for the public key encryption algorithm RSA.
Background
With the rapid development of information technology, the importance of information security is self-evident. Although security chips contain complex encryption and decryption algorithms and key protection mechanisms, in recent years they have proven vulnerable to fault injection attacks, which cause transient logic errors during execution of the encryption algorithm; by analyzing the correct and the faulty encryption results, an attacker can ultimately cause the key to leak. Fault injection attacks on security chips are listed as an important class of attack in the U.S. Federal Information Processing Standard "FIPS 140-3". Research on new fault injection attack methods therefore helps designers discover potential risks in algorithms and hardware early, so that corresponding defensive measures can be taken at the design stage and possible risks avoided. The attack methods on RSA (the RSA public key encryption algorithm) proposed in current research mainly fall into the following classes: fault injection attacks on one or two bits of the RSA private key, partial key attacks on RSA, and fault injection attacks on S_p or S_q in the CRT-RSA computation.
Of these existing fault injection attack methods, the first requires very high fault injection precision and takes a very long time to crack all the key bits one by one; moreover, in actual use designers protect the key bits, so directly attacking the key is not easy to achieve. The second method cracks the remaining key bits on the basis of a known part of the key bits; it places strict requirements on the known key bits, and the cracking procedure is comparatively complex. The last attack method is effective only if the algorithm is based on CRT-RSA, but because the area overhead of CRT-RSA is relatively large, it is used in comparatively few applications.
Summary of the invention
To solve the above problems in the prior art, one object of the application is to propose a fault injection attack method for the public key encryption algorithm RSA that places only loose requirements on the attacked range of the plaintext, requires low attack precision, and has low complexity.
To achieve the above object, the fault injection attack method for the public key encryption algorithm RSA proposed by an embodiment of the application includes: obtaining a first encryption result produced by encrypting the value of a plaintext with the RSA algorithm; carrying out a fault injection attack on the value of the plaintext to obtain the value of a faulty plaintext; encrypting the value of the faulty plaintext with the RSA algorithm to obtain a second encryption result; and solving for the plaintext according to the operational relationship among the value of the plaintext, the value of the faulty plaintext, the first encryption result and the second encryption result.
To achieve the above object, the fault injection attack device for the public key encryption algorithm RSA proposed by an embodiment of the application includes: an acquisition module, for obtaining a first encryption result produced by encrypting the value of a plaintext with the RSA algorithm; an attack module, for carrying out a fault injection attack on the value of the plaintext to obtain the value of a faulty plaintext; an encryption module, for encrypting the value of the faulty plaintext with the RSA algorithm to obtain a second encryption result; and a solving module, for solving for the plaintext according to the operational relationship among the value of the plaintext, the value of the faulty plaintext, the first encryption result and the second encryption result.
As can be seen from the technical solution provided by the above embodiments, a fault injection attack is carried out on the plaintext during RSA encryption to obtain a pair of results: the encryption result of the correct plaintext and the encryption result of the faulty plaintext. From the known RSA algorithm, the public key and the injected error field, the value of the plaintext can be derived and calculated by existing mathematical means, and the plaintext encrypted by the RSA algorithm is thereby cracked. The precision required of the attacked range is low, the implementation is simple, and the time complexity of the attack process is relatively low.
Additional aspects and advantages of the application will be set forth in part in the following description, and in part will become apparent from the description or be learned through practice of the application.
Brief description of the drawings
To illustrate the embodiments of the application or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the application; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of the fault injection attack method for the public key encryption algorithm RSA according to one embodiment of the application;
Fig. 2 is a schematic flow chart of the fault injection attack method for the public key encryption algorithm RSA according to another embodiment of the application;
Fig. 3 is a schematic structural diagram of the fault injection attack device for the public key encryption algorithm RSA according to one embodiment of the application;
Fig. 4 is a schematic structural diagram of the fault injection attack device for the public key encryption algorithm RSA according to another embodiment of the application.
Detailed description
The embodiments of the application provide a fault injection attack method and device for the public key encryption algorithm RSA. It should be understood that a fault injection attack introduces an error into the cryptographic algorithm running in a cryptographic chip device, causing the device to produce an erroneous result, and analyzes the erroneous result to obtain the key. The fault injection attack method depends on the implementation and principle of the cryptographic algorithm used by the target: the attack consists of finding an attack point in the implementation of the algorithm and deriving an attack method from it, so the attack principle differs for different cryptographic algorithms.
To help those skilled in the art better understand the technical solution of the application, the technical solution in the embodiments is described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the application, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the application.
Fig. 1 is a schematic flow chart of the fault injection attack method for the public key encryption algorithm RSA proposed by one embodiment of the application. As shown in Fig. 1, the method includes:
Step 101: obtain the first encryption result produced by encrypting the value of the plaintext with the RSA algorithm.
Step 102: carry out a fault injection attack on the value of the plaintext to obtain the value of the faulty plaintext.
Step 103: encrypt the value of the faulty plaintext with the RSA algorithm to obtain the second encryption result.
Step 104: solve for the plaintext according to the operational relationship among the value of the plaintext, the value of the faulty plaintext, the first encryption result and the second encryption result.
Specifically, the plaintext is the character string to be cracked. In a hardware implementation of the RSA operation, the input plaintext can be converted to a numerical value m, for example by Unicode encoding or binary encoding, and the encryption operation is then performed on m. The target of the fault injection attack method of the invention is the plaintext; the requirement on the attacked range within the plaintext is very loose, and a high-precision attack is not required. The fault injection attack on the plaintext can be a particle-level attack on the hardware chip implementing the algorithm, so that the encoded plaintext value changes during the computation. The principle of the method is first to perform one correct encryption of the unknown plaintext to obtain the encryption result c, and then, with a fault injected into the plaintext, to encrypt once more with the same algorithm to obtain the faulty encryption result c'. Because the encryption algorithm is known and the encryption results are also known, the value of the plaintext can be calculated from one faulty encryption result and one correct encryption result, and the content of the plaintext can then be analyzed.
According to an embodiment of the application, an error field is randomly injected into the value m of the plaintext to obtain the value of the faulty plaintext m' = m + r, where r is the value of the error field. Specifically, common fault injection tools such as lasers and heavy particles can be used to carry out the fault injection attack on the plaintext, physically flipping or changing the digits at particular positions to obtain the value of the faulty plaintext. This process is equivalent to generating a random value r and adding r to m to obtain a new plaintext m' = m + r.
In the embodiments of the application, a fault injection attack is carried out on the plaintext during RSA encryption to obtain a pair of results: the encryption result of the correct plaintext and the encryption result of the faulty plaintext. From the known RSA algorithm, the public key and the injected error field, the value of the plaintext can be derived and calculated by existing mathematical means, and the plaintext encrypted by the RSA algorithm is thereby cracked. The precision required of the attacked range is low, the implementation is simple, and the time complexity of the attack process is relatively low.
Fig. 2 is a schematic flow chart of the fault injection attack method for the public key encryption algorithm RSA proposed by another embodiment of the application. As shown in Fig. 2, the method includes:
Step 201: encrypt the plaintext with the RSA algorithm to obtain the first encryption result.
Specifically, the plaintext is the character string to be cracked. In a hardware implementation of the RSA operation, the input plaintext can be converted to a numerical value m, for example by Unicode encoding or binary encoding, and the encryption operation is then performed on m. Let (e, N) be the public key pair of the RSA algorithm and (d, N) the private key pair; let m be the value of the plaintext, c the ciphertext, m' the value of the plaintext after the fault injection attack, and c' the faulty encryption result. Encrypting the input plaintext gives the first encryption result:
$c = m^{e} \pmod{N}$ (1)
It should be understood that in the following steps, for simplicity, e = 3 is used as an example.
Step 202: randomly inject an error field into the value m of the plaintext to obtain the value of the faulty plaintext m' = m + r.
Step 203: encrypt the faulty plaintext with the RSA algorithm to obtain the second encryption result.
Specifically, once a fault has been injected into the plaintext, the RSA algorithm actually encrypts the faulty plaintext m' and produces the faulty encryption result, that is,
$c' = (m')^{3} = m^{3} + 3m^{2}r + 3mr^{2} + r^{3} \pmod{N}$ (2)
Step 204: when the injected error field is unknown, set up a resultant from the encryption relations among the value of the plaintext, the value of the faulty plaintext, the first encryption result and the second encryption result.
Step 205: solve for the value r of the error field from the congruence of the resultant modulo N, $\mathrm{Resultant}(m^{e} - c,\ (m+r)^{e} - c') = 0 \bmod N$.
Specifically, from the two encryption results c and c', the following equation is obtained:
$\mathrm{Resultant}_{m}(m^{3} - c,\ (m+r)^{3} - c')$
$= r^{9} + (3c - 3c')r^{6} + (3c^{2} + 21cc' + 3(c')^{2})r^{3} + (c - c')^{3} = 0 \pmod{N}$ (3)
Equation (3) is a modular equation of degree 9, so when the injected error field r satisfies $|r| \le N^{1/9}$, the value of r can be solved using lattice theory. For example, when N is a 1024-bit number and e = 3, the relation between r and N allows r to be a number of up to 113 bits; that is, the fault injection attack can target any one or more bits among the low 113 bits of the plaintext.
The specific relation among r, N and e is derived below.
First, define f(x) and g(x) as follows:
$f(x) = a_{e}x^{e} + a_{e-1}x^{e-1} + a_{e-2}x^{e-2} + \dots + a_{1}x + a_{0}$
$g(x) = b_{e}x^{e} + b_{e-1}x^{e-1} + b_{e-2}x^{e-2} + \dots + b_{1}x + b_{0}$
Then the resultant Resultant(f(x), g(x)) of f(x) and g(x) is:
By the properties of the resultant, the necessary and sufficient condition for f(x) = 0 mod N and g(x) = 0 mod N to have a common root over the integers is that the resultant Res(f(x), g(x)) = 0 mod N. Substituting x = m into f(x) and g(x) gives:
$f(x) = x^{e} - c = m^{e} - c$
Then the resultant of the two is:
The above can be turned into four matrices of size e*e, that is:
Then:
Then, in the result of Resultant(f(x), g(x)), the highest-order term appears in the following expression:
(re-c'+c)*(re-c'+c)e*(re-c'+c)e...*(re-c'+c)e,
Clearly the highest-order term is
In summary, the result of $\mathrm{Resultant}(m^{e} - c,\ (m+r)^{e} - c')$ is a univariate polynomial with  as its highest-order term; only when the error field satisfies , that is, , can r be solved using lattice theory.
Step 206: from the encryption relations among the value m of the plaintext, the value m' of the faulty plaintext, the value r of the error field, the first encryption result c and the second encryption result c', derive a calculation formula for the value m of the plaintext in terms of the value r of the error field, the first encryption result c and the second encryption result c'.
Step 207: substitute the value r of the error field, the first encryption result c and the second encryption result c' into the calculation formula to solve for the value m of the plaintext.
Specifically, from the relations among r, c and c' in equations (1) and (2), the value of the plaintext can be calculated by the following formula:
The cracking process above shows that the injected error field r must satisfy  for equation (3) to be solvable. When the public key e is 3, r must satisfy $|r| \le N^{1/9}$; that is, for a 1024-bit RSA algorithm, the fault can only be injected into any one or more bits among the low 113 bits of m. For common fault injection tools such as lasers and heavy particles, this requirement is easy to meet.
It can also be seen from the above that if the attacker knows the size of the injected error r in advance, steps 204-205 can be omitted: the plaintext m can be solved directly by steps 206-207, and the content of the plaintext can then be analyzed from m.
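The algebra of equations (1) to (3) for e = 3, checked numerically on a toy modulus; this is an added example, not part of the patent text. The modulus, plaintext and r are constructed values, `recover_m_known_r` uses the standard textbook related-message identity for e = 3 (an assumption standing in for formula (4), which is not reproduced on this page), and the e² rule in `max_fault_bits` is the usual Coppersmith short-pad bound, of which the page states only the e = 3 case.

```python
"""Numeric check of equations (1)-(3) for e = 3 on constructed toy values."""

E = 3

# Constructed toy modulus: product of two small primes, both congruent to
# 2 mod 3 so that e = 3 is a valid RSA exponent. Far too small for real use.
P = 2**64 - 59
Q = 2**32 - 5
N = P * Q

# Constructed plaintext and error field (sample values, not from the patent).
M = int.from_bytes(b"siat.ac.cn", "big")
R = 0x155


def encrypt(m: int, e: int = E, n: int = N) -> int:
    """Equation (1): unpadded RSA, c = m^e mod N, as the page assumes."""
    return pow(m, e, n)


def resultant_eq3(r: int, c: int, c_f: int, n: int = N) -> int:
    """Left-hand side of equation (3) reduced mod N.

    It is 0 exactly when r is consistent with the ciphertext pair (c, c_f).
    """
    return (
        r**9
        + (3 * c - 3 * c_f) * r**6
        + (3 * c * c + 21 * c * c_f + 3 * c_f * c_f) * r**3
        + (c - c_f) ** 3
    ) % n


def max_fault_bits(modulus_bits: int, e: int = E) -> int:
    """Bit length allowed for r by |r| <= N^(1/e^2).

    The page gives N^(1/9) for e = 3; the e*e generalisation is the standard
    short-pad bound and is an assumption of this example.
    """
    return modulus_bits // (e * e)


def recover_m_known_r(r: int, c: int, c_f: int, n: int = N) -> int:
    """Known-r case (steps 206-207) for e = 3.

    Standard related-message identity, with c = m^3 and c_f = (m + r)^3:
        m = r * (c_f + 2c - r^3) / (c_f - c + 2r^3)  (mod N)
    """
    r3 = pow(r, 3, n)
    numerator = r * (c_f + 2 * c - r3) % n
    denominator = (c_f - c + 2 * r3) % n
    try:
        inverse = pow(denominator, -1, n)  # Python 3.8+
    except ValueError as exc:
        raise ValueError("denominator is not invertible mod N") from exc
    return numerator * inverse % n


def demo() -> dict:
    """Run the checks on the constructed values and return the results."""
    c = encrypt(M)          # first (correct) encryption result
    c_f = encrypt(M + R)    # second (faulty) encryption result, m' = m + r
    return {
        "eq3_holds_for_true_r": resultant_eq3(R, c, c_f) == 0,
        "eq3_holds_for_wrong_r": resultant_eq3(R + 1, c, c_f) == 0,
        "recovered_plaintext": recover_m_known_r(R, c, c_f).to_bytes(10, "big"),
        "fault_bits_1024": max_fault_bits(1024),
    }


# The unknown-r case (solving equation (3) for a small root by lattice
# reduction, steps 204-205) is deliberately not implemented here.

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The recovery depends on both encryptions being deterministic functions of related inputs, which is why the check is run against unpadded RSA exactly as the page describes it.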
According to a specific embodiment of the application, the method can be implemented in the Java language; the experimental results are consistent with the theoretical analysis, demonstrating that the method is feasible. The specific experimental steps and method are as follows:
Table 1
Table 1 shows the RSA algorithm parameters. The attack process is described below using the encrypted string "www.siat.ac.cn" as an example:
1) After Unicode encoding, the string is m = 7777772e736961742e61632e636e;
2) Encrypting m gives the ciphertext c:
C=1a04660fdc343307f51e689e03f3db717d1d05c4f016d3462945b4 c5c70476bd3f 1a4097ee4df2ac3338;
3) Generate a random value r satisfying $r < |N|^{1/9}$. Adding r to m gives the new plaintext m' = 7777772e736961742e61632f0f3b. Optionally, in a fault injection attack, adding the random value r to m is equivalent to the bit flips of m caused by the fault injection. Encrypting the new plaintext gives the ciphertext c':
C'=1a04660fdc343307f51e689e74321bc2bd77cd655ed60668398ba 0ea85d4220c2 c87edf5094dad3d0743;
4) Use the resultant relation between c and c':
$\mathrm{Resultant}_{m}(m^{3} - c,\ (m+r)^{3} - c')$
$= r^{9} + (3c - 3c')r^{6} + (3c^{2} + 21cc' + 3(c')^{2})r^{3} + (c - c')^{3} = 0 \pmod{N}$
Substituting the values of c and c' gives the coefficients of the above polynomial:
(3c - 3c') = - 150bac0f3c11056e14c3d996630d1c46e3c6f01ecc849081750ff2fb 27 C21; the values of $(3c^{2} + 21cc' + 3(c')^{2})$ and $(c - c')^{3}$ can be computed in the same way and are not repeated here.
5) Substitute the above coefficients into the following equation:
$r^{9} + (3c - 3c')r^{6} + (3c^{2} + 21cc' + 3(c')^{2})r^{3} + (c - c')^{3} \equiv 0 \pmod{N}$
$\because r < |N|^{1/9}$
At this point, the modular equation problem can be reduced to the problem of solving a high-degree polynomial.
6) Solving in polynomial time gives r = "ABCD" (hex); this value is substituted into formula (4).
Here, polynomial time, in computational complexity theory, means that the computation time m(n) of a problem is no greater than a polynomial multiple of the problem size n.
7) After r is substituted, formula (4) becomes a univariate modular equation. Methods for solving modular equations of this type are by now fairly mature: typically a lattice is constructed from the coefficients of an equivalent polynomial, and a lattice reduction method yields a value satisfying the equation in polynomial time. Solving gives m = www.siat.ac.cn.
8) This completes the entire fault injection attack on the public key encryption algorithm RSA.
From the above polynomial time and complexity calculation, the time complexity of the whole attack process is $O(n^{k})$.
In the embodiments of the application, a fault injection attack is carried out on the plaintext during RSA encryption to obtain a pair of results: the encryption result of the correct plaintext and the encryption result of the faulty plaintext. From the known RSA algorithm, the public key and the injected error field, the value of the plaintext can be derived and calculated by existing mathematical means, and the plaintext encrypted by the RSA algorithm is thereby cracked. When the injected error field is unknown, its value can be solved under certain conditions, and the plaintext can then be calculated. The method carries out the fault injection attack on the plaintext; the precision required of the attacked range is low, the implementation is simple, and the time complexity of the attack process is relatively low.
Based on the same inventive concept, an embodiment of the application also provides a fault injection attack device for the public key encryption algorithm RSA, which can be used to implement the method described in the above embodiments, as described in the following embodiments. Because the principle by which the device solves the problem is similar to that of the fault injection attack method, the implementation of the device may refer to the implementation of the method, and repeated details are omitted. As used below, the term "unit" or "module" may be a combination of software and/or hardware that implements a predetermined function. Although what is described in the following embodiments is preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 3 is a schematic structural diagram of the fault injection attack device for the public key encryption algorithm RSA according to one embodiment of the application. The device of this embodiment can be composed of logical units that implement the corresponding functions, or can be an electronic device running software with the corresponding functions. As shown in Fig. 3, the device includes an acquisition module 10, an attack module 20, an encryption module 30 and a solving module 40.
The acquisition module 10 obtains the first encryption result produced by encrypting the value of the plaintext with the RSA algorithm;
The attack module 20 carries out a fault injection attack on the value of the plaintext to obtain the value of the faulty plaintext;
The encryption module 30 encrypts the value of the faulty plaintext with the RSA algorithm to obtain the second encryption result;
The solving module 40 solves for the plaintext according to the operational relationship among the value of the plaintext, the value of the faulty plaintext, the first encryption result and the second encryption result.
In an embodiment of the application, the attack module 20 is specifically used to randomly inject an error field into the value m of the plaintext to obtain the value of the faulty plaintext m' = m + r, where r is the value of the error field. Specifically, common fault injection tools such as lasers and heavy particles can be used to carry out the fault injection attack on the plaintext, physically flipping or changing the digits at particular positions to obtain the value of the faulty plaintext. This process is equivalent to generating a random value r and adding r to m to obtain a new plaintext m' = m + r.
In the embodiments of the application, a fault injection attack is carried out on the plaintext during RSA encryption to obtain a pair of results: the encryption result of the correct plaintext and the encryption result of the faulty plaintext. From the known RSA algorithm, the public key and the injected error field, the value of the plaintext can be derived and calculated by existing mathematical means, and the plaintext encrypted by the RSA algorithm is thereby cracked. The precision required of the attacked range is low, the implementation is simple, and the time complexity of the attack process is relatively low.
Fig. 4 is a schematic structural diagram of the fault injection attack device for the public key encryption algorithm RSA according to another embodiment of the application. As shown in Fig. 4, on the basis of Fig. 3, the device further includes a derivation unit 41, a solving unit 42, an establishing module 50 and a calculation module 60, where the solving module 40 includes the derivation unit 41 and the solving unit 42.
Specifically, when the error field r is unknown, the establishing module sets up the resultant $\mathrm{Resultant}(m^{e} - c,\ (m+r)^{e} - c')$ from the encryption relations among the value of the plaintext, the value of the faulty plaintext, the first encryption result and the second encryption result;
The calculation module solves for the value r of the error field from the congruence of the resultant modulo N, $\mathrm{Resultant}(m^{e} - c,\ (m+r)^{e} - c') = 0 \bmod N$, where c is the first encryption result, c' is the second encryption result, (e, N) is the public key pair of the RSA algorithm, e is the encryption exponent, and N is the modulus.
When the error field r is unknown and the fault injection attack satisfies , the value of r can be solved using lattice theory.
When the error field is known, the derivation unit 41 derives, from the encryption relations among the value m of the plaintext, the value m' of the faulty plaintext, the value r of the error field, the first encryption result c and the second encryption result c', a calculation formula for the value m of the plaintext in terms of the value r of the error field, the first encryption result c and the second encryption result c'. When e = 3, the calculation formula for m is:
The solving unit 42 substitutes the value r of the error field, the first encryption result c and the second encryption result c' into the calculation formula to solve for the value m of the plaintext.
In the embodiments of the application, a fault injection attack is carried out on the plaintext during RSA encryption to obtain a pair of results: the encryption result of the correct plaintext and the encryption result of the faulty plaintext. From the known RSA algorithm, the public key and the injected error field, the value of the plaintext can be derived and calculated by existing mathematical means, and the plaintext encrypted by the RSA algorithm is thereby cracked. When the injected error field is unknown, its value can be solved under certain conditions, and the plaintext can then be calculated. The method carries out the fault injection attack on the plaintext; the precision required of the attacked range is low, the implementation is simple, and the time complexity of the attack process is relatively low.
It should be noted that in the description of the application, the terms "first", "second" and so on are used for descriptive purposes only and are not to be understood as indicating or implying relative importance. In addition, in the description of the application, unless otherwise stated, "multiple" means two or more.
Any process or method description in a flow chart, or otherwise described herein, may be understood as representing a module, fragment or portion of code that includes one or more executable instructions for implementing a specific logical function or step of the process. The scope of the preferred embodiments of the application includes other implementations in which functions may be performed out of the order shown or discussed, including substantially simultaneously or in the reverse order depending on the functions involved, as should be understood by those skilled in the art to which the embodiments of the application belong.
It should be understood that each part of the application can be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods can be implemented in software or firmware that is stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one of the following technologies well known in the art, or a combination of them, can be used: discrete logic circuits having logic gates for implementing logic functions on data signals, application-specific integrated circuits having suitable combinational logic gates, programmable gate arrays (PGA), field-programmable gate arrays (FPGA), and so on.
Those skilled in the art will appreciate that all or part of the steps carried by the methods of the above embodiments can be completed by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, includes one of the steps of the method embodiments or a combination of them.
In the description of this specification, a description referring to the terms "an embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the application. In this specification, schematic uses of these terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described can be combined in a suitable manner in any one or more embodiments or examples.
Although embodiments of the application have been shown and described above, it should be understood that the above embodiments are exemplary and are not to be construed as limiting the application; a person of ordinary skill in the art can change, modify, replace and vary the above embodiments within the scope of the application.

Claims (11)

1. A fault injection attack method against the public-key encryption algorithm RSA, characterized by comprising:
obtaining a first encryption result produced by encrypting the value of a plaintext with the RSA algorithm;
performing a fault injection attack on the value of the plaintext to obtain the value of an erroneous plaintext;
encrypting the value of the erroneous plaintext with the RSA algorithm to obtain a second encryption result;
solving for the plaintext according to the operational relation among the value of the plaintext, the value of the erroneous plaintext, the first encryption result and the second encryption result.
2. The method according to claim 1, characterized in that performing the fault injection attack on the value of the plaintext to obtain the value of the erroneous plaintext comprises:
randomly injecting an error field into the value m of the plaintext to obtain the value of the erroneous plaintext $m' = m + r$, where r is the value of the error field.
3. The method according to claim 2, characterized in that, when the value r of the error field is unknown, before solving for the plaintext, the method further comprises solving for the value r of the error field, specifically comprising:
establishing, according to the encryption relation among the value of the plaintext, the value of the erroneous plaintext, the first encryption result and the second encryption result, the resultant $\mathrm{Resultant}(m^e - c,\ (m + r)^e - c')$;
solving for the value r of the error field according to the resultant and the congruence modulo N, $\mathrm{Resultant}(m^e - c,\ (m + r)^e - c') \equiv 0 \pmod{N}$,
where c is the first encryption result, c' is the second encryption result, (e, N) is the public key pair of the RSA, e is the encryption exponent and N is the modulus.
4. The method according to claim 3, characterized in that the fault injection attack satisfies
5. The method according to any one of claims 2-4, characterized in that, when the error field is known, solving for the plaintext according to the operational relation among the value of the plaintext, the value of the erroneous plaintext, the first encryption result and the second encryption result specifically comprises:
deriving, from the encryption relation among the value m of the plaintext, the value m' of the erroneous plaintext, the value r of the error field, the first encryption result c and the second encryption result c', a formula for the value m of the plaintext in terms of the value r of the error field, the first encryption result c and the second encryption result c';
substituting the value r of the error field, the first encryption result c and the second encryption result c' into the formula to solve for the value m of the plaintext.
6. The method according to claim 3, characterized in that solving for the value r of the error field according to the resultant and the congruence modulo N, $\mathrm{Resultant}(m^e - c,\ (m + r)^e - c') \equiv 0 \pmod{N}$, comprises:
expanding the resultant into a univariate polynomial whose highest-order term is
solving $\mathrm{Resultant}(m^e - c,\ (m + r)^e - c') \equiv 0 \pmod{N}$ for that univariate polynomial using lattice theory.
7. A fault injection attack device against the public-key encryption algorithm RSA, characterized by comprising:
an acquisition module, configured to obtain a first encryption result produced by encrypting the value of a plaintext with the RSA algorithm;
an attack module, configured to perform a fault injection attack on the value of the plaintext to obtain the value of an erroneous plaintext;
an encryption module, configured to encrypt the value of the erroneous plaintext with the RSA algorithm to obtain a second encryption result;
a solving module, configured to solve for the plaintext according to the operational relation among the value of the plaintext, the value of the erroneous plaintext, the first encryption result and the second encryption result.
8. The device according to claim 7, characterized in that the attack module is specifically configured to randomly inject an error field into the value m of the plaintext to obtain the value of the erroneous plaintext $m' = m + r$, where r is the value of the error field.
9. The device according to claim 8, characterized in that, when the error field r is unknown, the device further comprises:
an establishing module, configured to establish, according to the encryption relation among the value of the plaintext, the value of the erroneous plaintext, the first encryption result and the second encryption result, the resultant $\mathrm{Resultant}(m^e - c,\ (m + r)^e - c')$;
a computing module, configured to solve for the value r of the error field according to the resultant and the congruence modulo N,
$\mathrm{Resultant}(m^e - c,\ (m + r)^e - c') \equiv 0 \pmod{N}$,
where c is the first encryption result, c' is the second encryption result, (e, N) is the public key pair of the RSA, e is the encryption exponent and N is the modulus.
10. The device according to claim 9, characterized in that the fault injection attack satisfies
11. The device according to any one of claims 8-10, characterized in that, when the error field is known, the solving module specifically comprises:
a derivation unit, configured to derive, from the encryption relation among the value m of the plaintext, the value m' of the erroneous plaintext, the value r of the error field, the first encryption result c and the second encryption result c', a formula for the value m of the plaintext in terms of the value r of the error field, the first encryption result c and the second encryption result c';
a solving unit, configured to substitute the value r of the error field, the first encryption result c and the second encryption result c' into the formula to solve for the value m of the plaintext.
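The known-r case of claims 5 and 11, as an added Python example that is not code from the patent: it assumes textbook (unpadded) RSA, so that c = m^e mod N and c' = (m + r)^e mod N, and it derives m as the common root of the two polynomials by a polynomial GCD over Z_N, a technique chosen here for illustration. The function names, the toy primes, the plaintext and the value of r are all constructed.

```python
from math import comb

def poly_rem(a, b, n):
    """Remainder of a / b over Z_n (coefficient lists, lowest degree first)."""
    a = a[:]
    inv = pow(b[-1], -1, n)              # leading coefficient must be a unit mod n
    while len(a) >= len(b):
        q = a[-1] * inv % n
        shift = len(a) - len(b)
        for i, coef in enumerate(b):
            a[shift + i] = (a[shift + i] - q * coef) % n
        while a and a[-1] == 0:          # drop the cancelled leading term(s)
            a.pop()
    return a

def recover_plaintext(c, c_faulty, r, e, n):
    """Solve x^e = c and (x + r)^e = c' (mod n) for x via polynomial GCD."""
    f = [(-c) % n] + [0] * (e - 1) + [1]                       # x^e - c
    g = [comb(e, k) * pow(r, e - k, n) % n for k in range(e + 1)]
    g[0] = (g[0] - c_faulty) % n                               # (x + r)^e - c'
    while g:
        f, g = g, poly_rem(f, g, n)
    if len(f) != 2:                      # no linear common factor was found
        return None
    return -f[0] * pow(f[1], -1, n) % n  # root of f[1]*x + f[0]

def demo():
    # Constructed toy parameters (assumption): two small known primes, e = 3.
    p, q, e = 1_000_000_007, 998_244_353, 3
    n = p * q
    m = int.from_bytes(b"pin4821", "big")    # constructed plaintext, m < n
    r = 0x10000                              # known value of the error field
    c = pow(m, e, n)                         # first encryption result
    c_faulty = pow(m + r, e, n)              # second result, from m' = m + r
    return m, recover_plaintext(c, c_faulty, r, e, n)

if __name__ == "__main__":
    m, recovered = demo()
    print(recovered == m, recovered.to_bytes(7, "big"))
```

The recovery depends on c and c' being deterministic encryptions of two plaintexts with a known difference; under randomized padding such as RSA-OAEP the two polynomials no longer share the root m, so the relation cannot be solved this way.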
CN201610846908.3A 2016-09-23 2016-09-23 To the error injection attack method and device of public key encryption algorithm RSA Active CN106411495B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610846908.3A CN106411495B (en) 2016-09-23 2016-09-23 To the error injection attack method and device of public key encryption algorithm RSA

Publications (2)

Publication Number Publication Date
CN106411495A true CN106411495A (en) 2017-02-15
CN106411495B CN106411495B (en) 2019-07-12

Family

ID=57997333

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610846908.3A Active CN106411495B (en) 2016-09-23 2016-09-23 To the error injection attack method and device of public key encryption algorithm RSA

Country Status (1)

Country Link
CN (1) CN106411495B (en)

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
CUIPING SHAO: "cryptographic implementation of RSA for ion fault injection attack", 《IEEE CONFERENCE》 *
WEN RUIWEN: "Research and Practice of Fault Sensitivity Attacks on the RSA Algorithm", <Wanfang Data> *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108173645A (en) * 2017-12-27 2018-06-15 中国科学院国家空间科学中心 The safety detection method and its device of a kind of crypto chip
CN108173645B (en) * 2017-12-27 2021-02-02 中国科学院国家空间科学中心 Security detection method and device for password chip

Also Published As

Publication number Publication date
CN106411495B (en) 2019-07-12

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant