CN108173657A - A kind of efficient resisting differential power consumption analysis RSA implementation methods - Google Patents


Info

Publication number
CN108173657A
Authority
CN
China
Prior art keywords
rsa
power consumption
mod
consumption analysis
data
Prior art date
Legal status
Pending
Application number
CN201711246973.3A
Other languages
Chinese (zh)
Inventor
蒋艳
柴佳晶
吕瑞恩
Current Assignee
Shanghai Huahong Integrated Circuit Co Ltd
Beijing CEC Huada Electronic Design Co Ltd
Original Assignee
Shanghai Huahong Integrated Circuit Co Ltd
Beijing CEC Huada Electronic Design Co Ltd
Priority date
2017-12-01
Filing date
2017-12-01
Publication date
2018-06-15
Application filed by Shanghai Huahong Integrated Circuit Co Ltd and Beijing CEC Huada Electronic Design Co Ltd
Priority to CN201711246973.3A
Publication of CN108173657A
Legal status: Pending (current)


Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols › H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy › H04L9/3006 Public key, underlying computational problems or public-key parameters › H04L9/302 Public key, underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols › H04L9/002 Countermeasures against attacks on cryptographic mechanisms › H04L9/003 Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Power Sources (AREA)

Abstract

The invention discloses an efficient RSA implementation method resistant to differential power analysis (DPA), and gives an example of an RSA-CRT implementation that uses the method. The scheme avoids the complicated modular inversion of the traditional blinding scheme and replaces it with the easier-to-implement modular multiplication. Without affecting security, this greatly improves the efficiency of the RSA operation and saves both time and space in the RSA implementation.

Description

A kind of efficient resisting differential power consumption analysis RSA implementation methods
Technical field
The present invention relates to information encryption, and in particular to an RSA implementation method resistant to differential power analysis (DPA).
Background technology
In recent years, side-channel attacks on cryptographic algorithms have attracted increasing attention and study. Side-channel attacks (SCA) exploit the unintended information leaked while an algorithm runs in a circuit in order to recover the secret data inside the algorithm circuit. Power analysis is currently the most popular and most widely studied kind of side-channel attack; it attacks by monitoring physical quantities such as the current and voltage leaked by the cryptographic system. By attack method, power analysis is mainly divided into Simple Power Analysis (SPA) and Differential Power Analysis (DPA), each targeting different weaknesses of the circuit. SPA attacks by observing the power-consumption features of the circuit while the algorithm runs; DPA statistically analyses a large number of plaintexts (or ciphertexts) together with their power traces to obtain key information.
One of the key means of DPA is to find an observation point during the execution of the algorithm, so that the power traces can be grouped according to the value at that point. The basic steps of DPA are first to acquire a large number of power traces and then to group them according to the selected observation point. If the intermediate data is blinded, the attacker's grouping of the power traces loses its basis.
For hardware-implemented RSA, DPA is the attack that most needs to be guarded against. The common method of resisting DPA is blinding; blinding schemes include base blinding and exponent blinding. The traditional base blinding scheme is:
$M_1 = M \cdot R^{e} \bmod N$
$C' = M_1^{d} \bmod N$
$C = C' \cdot R^{-1} \bmod N$
where M is the input data, C is the output data, N is the modulus, R is a random number, e is the public key and d is the private key.
The traditional scheme blinds the input data with a random number so that an attacker cannot carry out differential power analysis on RSA. However, the amount of computation this scheme needs is very large; in particular, a modular inversion is required during unblinding. Implementations of modular inversion are usually quite complex and time-consuming, so this method cannot be realised in resource-constrained environments. The present invention improves the traditional scheme without affecting its security: it avoids the most complicated operation, modular inversion, and replaces it with the easier-to-implement modular multiplication, which improves overall operating efficiency and can reduce the implementation area and space.
Invention content
The technical problem to be solved by the present invention is to provide an efficient DPA-resistant RSA implementation method that avoids implementing the complicated modular inversion, improves RSA operating efficiency and saves space in the RSA algorithm. To solve the above technical problem, the present invention provides an efficient DPA-resistant RSA implementation method, and gives an example of an RSA-CRT implementation that uses this method. The efficient DPA-resistant RSA implementation method of the present invention is as follows:
(1) In the RSA operation, M is the input data, C is the output data, N is the modulus, R is a random number, e is the public key, d is the private key, p and q are large primes, and N = p*q.
(2) Obtain a random number R; R must be greater than zero, must not be p or q, and must not be greater than or equal to N.
(3) Compute the blinded input data $M_1 = M \cdot R^{e} \bmod N$.
(4) Compute the data used for unblinding, $M_2 = M \cdot R^{e-1} \bmod N$.
(5) Perform the blinded operation on the blinded data $M_1$ to obtain the blinded output $C' = M_1^{d-1} \bmod N$.
(6) Unblind to compute the output data $C = C' \cdot M_2 \bmod N$.
The implementation method of steps 1 to 6 applies to scenarios including, but not limited to, 'direct RSA operation' and 'RSA-CRT operation'.
Its principle is derived as follows:
From $M_1 = M \cdot R^{e} \bmod N$ and $M_2 = M \cdot R^{e-1} \bmod N$ it follows that $M_2 = M_1 \cdot R^{-1} \bmod N$;
from $C' = M_1^{d-1} \bmod N$ and $M_2$ it follows that
$C = C' \cdot M_2 \bmod N = M_1^{d-1} \cdot M_1 \cdot R^{-1} \bmod N = M_1^{d} \cdot R^{-1} \bmod N$, which is the same result as the traditional blinding scheme computes. The method proposed by the present invention does not affect the security of the implementation; its security is no different from that of the conventional method. The input data is blinded at the start of the operation and the output data is unblinded at the end, so all intermediate data during the operation is blinded. The attacker cannot find any plaintext intermediate data on which to perform power analysis, and therefore cannot infer sensitive information.
The beneficial effects of the present invention are: the invention improves the traditional scheme by avoiding its most complicated operation, modular inversion, and replacing it with the easier-to-implement modular multiplication. Implementations of modular inversion are usually quite time-consuming: in hardware the operation time is typically 20 times that of a modular multiplication, and in software it is longer still compared with modular multiplication. Implementations of modular inversion also require a large area and space, and cannot be realised in resource-constrained environments. Modular multiplication, on the other hand, is the key basic operation of public-key algorithms, and every common public-key implementation already includes it. Compared with the traditional method, the implementation method of the invention avoids the modular inversion and adds the computation $M_2 = M \cdot R^{e-1} \bmod N$. This computation consists of a modular multiplication and a modular exponentiation, and the modular exponentiation $R^{e-1}$ can likewise be decomposed into modular multiplications. The exponent of that modular exponentiation is e-1, and e is usually 17 or 65537 in RSA operation, so with the square-and-multiply algorithm the number of modular multiplications needed for this modular exponentiation is also small. Therefore the present invention can speed up RSA implementations and reduce the implementation area and space.
The present invention improves the traditional scheme without affecting its security: it avoids the most complicated operation, modular inversion, and replaces it with the easier-to-implement modular multiplication, which improves overall operating efficiency and can reduce the implementation area and space. Other advantages, objects and features of the present invention will be set forth in part in the description that follows and in part will become apparent to those of ordinary skill in the art upon examination of the following, or may be learned by practice of the invention. The objects and other advantages of the invention may be realised and attained by the structure particularly pointed out in the written description and its claims.
Specific embodiment
The present invention provides an efficient DPA-resistant RSA implementation method, which can be used for direct RSA operation and for RSA-CRT operation. The example flow of the RSA-CRT implementation is described as follows:
Step 1: In the RSA-CRT operation, M is the input data, C is the output data, N is the modulus, R is a random number, e is the public key, d is the private key, p and q are large primes, and N = p*q.
Step 2: Obtain a 64-bit non-zero random number R.
Step 3: Compute the blinded input data $M_1 = M \cdot R^{e} \bmod N$.
Step 4: Compute the data used for unblinding, $M_2 = M \cdot R^{e-1} \bmod N$.
Step 5: Compute the exponent values $d_p = (d-1) \bmod (p-1)$ and $d_q = (d-1) \bmod (q-1)$.
Step 6: Compute $M_p = M_1 \bmod p$ and $M_q = M_1 \bmod q$.
Step 7: Compute $S_p = M_p^{d_p} \bmod p$ and $S_q = M_q^{d_q} \bmod q$.
Step 8: Compute the blinded output $C' = ((S_p - S_q) \cdot (q^{-1} \bmod p) \bmod p) \cdot q + S_q$.
Step 9: Unblind to obtain the output data $C = C' \cdot M_2 \bmod N$.
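The following Python is an added worked example, not code from the patent or its assignees. It implements the direct method of steps (1) to (6) from the invention content and the RSA-CRT flow of steps 1 to 9 above, and places the traditional base-blinding scheme from the background section beside them so the modular inversion that the method removes is visible. The demo key (two Mersenne primes), the 64-bit blinding-factor helper `pick_blinding_factor`, and its `gcd(R, N) = 1` check are assumptions of this example; the patent itself only requires R > 0, R not equal to p or q, and R < N. Python 3.8 or later is assumed for `pow(x, -1, m)`.

```python
import math
import secrets

# Constructed demo key (an assumption of this example, not from the patent): two
# Mersenne primes so the example runs offline. N is trivially factorable here;
# a real key uses randomly generated primes of suitable size.
P = 2**89 - 1
Q = 2**127 - 1
N = P * Q
E = 65537                              # one of the public exponents the patent names
D = pow(E, -1, (P - 1) * (Q - 1))      # private key; this inversion happens once, at key generation
QINV = pow(Q, -1, P)                   # q^{-1} mod p, the precomputed CRT constant used in step 8


def pick_blinding_factor(n, p, q, bits=64):
    """Step 2: a non-zero random R with 0 < R < N and R not equal to p or q.
    The gcd check is an addition of this example: any R sharing a factor with N
    would make the final multiplication by M2 return a wrong result."""
    while True:
        r = secrets.randbits(bits)
        if 0 < r < n and r not in (p, q) and math.gcd(r, n) == 1:
            return r


def blind(m, r, e, n):
    """Steps 3 and 4: M1 = M * R^e mod N and M2 = M * R^(e-1) mod N.
    Both need only modular multiplications and one short modular exponentiation
    (exponent e-1, i.e. 65536 = 2^16 when e = 65537): no modular inversion."""
    m1 = (m * pow(r, e, n)) % n
    m2 = (m * pow(r, e - 1, n)) % n
    return m1, m2


def rsa_private_traditional(m, d, e, n, r):
    """The traditional base-blinding scheme from the background section:
    C = (M * R^e)^d * R^(-1) mod N. Its unblinding needs R^(-1) mod N."""
    m1 = (m * pow(r, e, n)) % n
    c_blind = pow(m1, d, n)
    return (c_blind * pow(r, -1, n)) % n          # the modular inversion the patent avoids


def rsa_private_blinded(m, d, e, n, p, q, r=None):
    """Steps 1-6 of the direct method: C' = M1^(d-1) mod N, then C = C' * M2 mod N.
    Correctness: C' * M2 = M1^(d-1) * M1 * R^(-1) = M1^d * R^(-1) = M^d (mod N)."""
    if r is None:
        r = pick_blinding_factor(n, p, q)
    m1, m2 = blind(m, r, e, n)
    c_blind = pow(m1, d - 1, n)                     # step 5: the exponent is d-1, not d
    return (c_blind * m2) % n                       # step 6: unblinding is a single modmul


def rsa_private_crt_blinded(m, d, e, n, p, q, qinv, r=None):
    """Steps 1-9 of the RSA-CRT embodiment. The exponent d-1 is reduced mod p-1
    and mod q-1, the two half-size exponentiations run on the blinded M1, and the
    recombination of step 8 uses the precomputed q^{-1} mod p."""
    if r is None:
        r = pick_blinding_factor(n, p, q)
    m1, m2 = blind(m, r, e, n)                      # steps 3-4
    dp = (d - 1) % (p - 1)                          # step 5
    dq = (d - 1) % (q - 1)
    mp, mq = m1 % p, m1 % q                         # step 6
    sp = pow(mp, dp, p)                             # step 7
    sq = pow(mq, dq, q)
    h = ((sp - sq) * qinv) % p                      # step 8: C' = h*q + Sq, with 0 <= C' < N
    c_blind = h * q + sq
    return (c_blind * m2) % n                       # step 9


def reference_private(m, d, n):
    """Unblinded textbook M^d mod N, used only to check the blinded variants."""
    return pow(m, d, n)


if __name__ == "__main__":
    msg = 0x1234567890ABCDEF                        # constructed sample input, must be < N
    r = pick_blinding_factor(N, P, Q)
    assert rsa_private_blinded(msg, D, E, N, P, Q, r) == reference_private(msg, D, N)
    assert rsa_private_crt_blinded(msg, D, E, N, P, Q, QINV, r) == reference_private(msg, D, N)
    print("blinded, CRT-blinded and reference RSA private operations agree")
```

Every value that enters the secret-exponent operations (`m1`, `mp`, `mq`, `sp`, `sq`, `c_blind`) depends on R, which is what removes the fixed intermediate an attacker would group power traces on; the only unblinded values are the input M and the final C, and the per-call cost over plain RSA is the short exponentiation `pow(r, e - 1, n)` plus three modular multiplications.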

Claims (2)

1. An efficient DPA-resistant RSA implementation method, characterised in that:
Step 1: In the RSA operation, M is the input data, C is the output data, N is the modulus, R is a random number, e is the public key, d is the private key, p and q are large primes, and N = p*q.
Step 2: Obtain a random number R; R must be greater than zero, must not be p or q, and must not be greater than or equal to N.
Step 3: Compute the blinded input data $M_1 = M \cdot R^{e} \bmod N$.
Step 4: Compute the data used for unblinding, $M_2 = M \cdot R^{e-1} \bmod N$.
Step 5: Perform the blinded operation on the blinded data $M_1$ to obtain the blinded output $C' = M_1^{d-1} \bmod N$.
Step 6: Unblind to compute the output data $C = C' \cdot M_2 \bmod N$.
2. The efficient DPA-resistant RSA implementation method according to claim 1, characterised in that the implementation method of steps 1 to 6 applies to scenarios including, but not limited to, 'direct RSA operation' and 'RSA-CRT operation'.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711246973.3A CN108173657A (en) 2017-12-01 2017-12-01 A kind of efficient resisting differential power consumption analysis RSA implementation methods


Publications (1)

Publication Number Publication Date
CN108173657A true CN108173657A (en) 2018-06-15

Family

ID=62524956


Country Status (1)

Country Link
CN (1) CN108173657A (en)


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130208886A1 (en) * 2012-02-10 2013-08-15 Electronics And Telecommunications Research Institute Method of preventing fault-injection attacks on chinese remainder theorem-rivest shamir adleman cryptographic operations and recording medium for storing program implementing the same
CN103490885A (en) * 2013-10-14 2014-01-01 北京华大信安科技有限公司 Computing method and computing apparatus of RSA ((Rivest-Shamir-Adleman) adopting Chinese remainder theorem
CN104660399A (en) * 2013-11-25 2015-05-27 上海复旦微电子集团股份有限公司 RSA modular exponentiation calculation method and device


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
成为: "A power analysis attack method against RSA-CRT" (《一种针对RSA-CRT的功耗分析攻击方法》), 《通信技术》 (Communications Technology) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110048840A (en) * 2019-04-28 2019-07-23 苏州国芯科技股份有限公司 A kind of information processing method based on RSA Algorithm, system and associated component
CN110048840B (en) * 2019-04-28 2021-10-15 苏州国芯科技股份有限公司 Information processing method, system and related components based on RSA algorithm


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20180615