KR101123729B1 - Message blinding method for rsa without inversion operation - Google Patents

Abstract

PURPOSE: A message blinding method of RSA(Rivest Shamir Adleman) is provided to minimize the degradation of a processing speed by performing a padding elimination work. CONSTITUTION: An RSA encryption system establishes random padding r including a disjoint relation with n(S101). The RSA encryption system establishes plural additional calculation by using the random padding(S103). The RSA encryption system establishes the maximum value of a variable by using total bit numbers when the bit is displayed as a binary number(S105).

Description

Message blinding method of RSA without inverse operation {MESSAGE BLINDING METHOD FOR RSA WITHOUT INVERSION OPERATION}

The present invention relates to a message blinding method of RSA (Rivest Shamir Adleman), and more particularly, to a message blinding method of RSA for protecting an RSA cryptosystem from various power analysis attacks.

RSA cryptosystems have been known to be vulnerable to power analysis attacks, the most powerful of the subchannel analysis methods, and countermeasures have been continuously proposed to defend RSA cryptosystems from various power analysis attacks.

As a countermeasure to securely design exponential operations of RSA cryptosystems, the message (M) is randomly blinded (M * ran), then exponential operations are performed, and random number removal is performed to obtain signature values. A study on the blinding method to be performed is in progress.

As part of this research, the modular exponentiation and constant multiplication algorithms (preceding literature [1]), encryption methods that cope with power attacks (preceding literature [2]), and additional channel attacks Method and apparatus for protecting public key cryptographic system, computer readable recording medium recording the above method (prior art document [3]), message blinding method for power attack (prior art document [4]) ) And modified BRIP exponential calculation methods (prior art document [5]).

However, the method of Prior Art [1] has a problem in that the most significant bit of the private key is revealed, and the corresponding methods of other Prior Art [2] to [5] require additional inverse operations, exponential power operations, etc. The RSA encryption system has a problem that slows down the response by causing a decrease in processing speed. In addition, these prior art countermeasures have many vulnerabilities in other attack methods because they are designed considering only stability against Simple Power Analysis (SPA) and Differential Power Analysis (DPA). . Therefore, there has been a demand in the art to develop countermeasures that can minimize the degradation of processing speed due to inverse computation in RSA cryptosystems and protect RSA cryptosystems from various power analysis.

[1] Korean Laid-Open Patent Publication No. 2007-0049823, "Modular Exponential Associative and Constant-Multiplication Method for Power Attacks" [2] Korean Laid-Open Patent Publication No. 2005-0056824, "An Encryption Method Responding to Power Attacks" [3] Korean Laid-Open Patent Publication No. 2004-0027570, "Method and Apparatus for Protecting a Public Key Cryptography System from Additional Channel Attacks, and a Computer-readable Recording Medium Recording the Method" [4] Korean Patent Publication No. 0772550, "Message Blinding Method Safe to Power Attack"

[5] F. Amiel and B. Feix, "On the BRIP Algorithms Security for RSA", WISTP 2008, LNCS 5019, pp.136-149, Springer-Verlag, 2008

The present invention has been proposed to solve the above-mentioned problems of the prior art, and the message blinding method of the RSA which guarantees higher safety from various power analysis without the need for inverse operation as compared with the conventional counterpart method. The purpose is to provide.

Message blinding method of the RSA without the inverse operation according to an embodiment of the present invention for achieving the above object,

The message x to be sent by the RSA cryptosystem, n (= p × q), φ (n) (= (φ _t-1 φ _t-2 φ ₀ ) ₂ , φ _t- , generated using any two prime numbers p and q. ₁ = 1), e having a relation of φ (n) with a relatively Prime and d (= (d _{t -1} d _{t -2} d ₀ ) having a relation of ed = 1 mod φ (n) ₂ ) using S = x ^d CLAIMS 1. A method for message blinding of an RSA without an inverse operation that computes S that satisfies mod n, comprising: selecting a random number r that is prime with n; Calculating x ^d r ^{2 φ (n)} using the selected random number r; Calculating the S by replacing the calculated x ^d r ^{2 φ (n)} with the x ^d ; Including,

Where t is the number of bits

It is characterized by satisfying.

Here, the message blinding method of the RSA, after the step of calculating the S, by using the random number r to set a plurality of additional operations; And performing a modular exponential operation using the φ (n), d and the additive operation; It may further include.

의 연산을 수행하고 그 연산결과를 S에 저장하며, 상기 변수 i가 0 이상이면 S=S² mod n 및 S=S×

의 연산을 차례로 수행하여 최종 연산결과를 상기 S에 저장한 후 상기 변수 i가 0보다 작을 때까지 상기 감소단계로 진행하는 연산단계; 를 포함함이 바람직하다.
The performing of the modular exponential operation may include: setting a variable i = (t-1) with respect to t; When d (= (d _{t -1} d _{t -2} d ₀ ) ₂ ) is converted to binary, if the value of d _{n -1} , which is a Most Significant Bit (MSB), is 0, S is stored as 1, A storage step of storing x as 1; Reducing the variable i by one; A determination step of determining whether the variable i is smaller than zero; If the variable i is less than 0

And store the result of the calculation in S. If the variable i is equal to or greater than 0, S = S ² mod n and S = S ×

Performing an operation of sequentially storing the final operation result in S and then proceeding to the reduction step until the variable i is smaller than 0; It is preferable to include.

In addition, according to another embodiment of the present invention to achieve the object of the RSA message blind method without a message, x, generated by using a message x to be transmitted in the RSA cryptosystem, a random number p and a random number r d (= (d _{t -1} d _{t -2} d with a relationship of (= xr _p mod p) and r _p , e having a relatively Prime relationship with r _p , ed = 1 mod x ') ₀ ) A method for message blinding of an RSA without an inverse operation that computes S satisfying S = x ^d r _p ^-1 mod p using ₂ <(p-1)) Selecting a random number v (∈ {0,1,2,3}) of; Calculating x ^d r _p ^{- 1} using the selected random number v; Calculating the S ¹ by substituting the x ^d _p r ^{-1 -} The calculated ^{_{x d r p 2 (p-}} 1); Including,

Where t is the number of bits

It is characterized by satisfying.

Here, the message blinding method of the RSA, after the step of calculating the S, by using the x 'and the random number r to set a plurality of additional operations; And performing a modulus exponential operation using the p, d and the addition operations. It may further include.

의 연산을 수행하고 그 연산결과를 S에 저장하며, 상기 변수 i가 0 이상이면 S=S² mod p 및 S=S×

의 연산을 차례로 수행하여 최종 연산결과를 상기 S에 저장한 후 상기 변수 i가 0보다 작을 때까지 상기 감소단계로 진행하는 연산단계; 를 포함한다.
The performing of the modular exponential operation may include: setting a variable i = (t-1) with respect to t; When d (= (d _{t -1} d _{t -2} d ₀ ) ₂ ) is converted to binary, if the value of d _{n -1} , which is a Most Significant Bit (MSB), is 0, S is stored as 1, A storage step of storing x as 1; Reducing the variable i by one; A determination step of determining whether the variable i is smaller than zero; If the variable i is less than 0

And store the result of the calculation in S. If the variable i is equal to or greater than 0, S = S ² mod p and S = S ×

Performing an operation of sequentially storing the final operation result in S and then proceeding to the reduction step until the variable i is smaller than 0; It includes.

Furthermore, in order to achieve the above object, a method of blinding a message of an RSA without an inverse operation according to another embodiment of the present invention includes n (generated by using a message x to be transmitted in an RSA cryptosystem, any two prime numbers p and q) = p × q), φ (n) (= (φ _t-1 φ _t-2 φ ₀ ) ₂ , φ _t-1 = 1), and the relationship between φ (n) and the Primer (Relatively Prime) e, an inverse operation that computes S that satisfies S = x ^d mod n using d (= (d _t-1 d _t-2 d ₀ ) ₂ ) with ed = 1 mod φ (n) CLAIMS What is claimed is: 1. A method for message blinding of an RSA, the method comprising: selecting any random number r that is prime with n; Calculating r _p = r mod p, r _q = r mod q, x ' _p = xr mod p, x' _q = xr mod q using the selected random number r; The p, q and the _{r p, r q, x '} p, x' q, and _{d p (= d mod (p} -1)) and _{d q (= d mod (q} -1)) x with respect to the _p calculating ^dp r _p ^-1 (where x _p = x mod p) and x _q ^dq r _q ^-1 (where x _q = x mod q), respectively; Calculating the calculated x _{p p} r ^{-1 dp} and ^dq x _q x r using a ^{_{q -1 d r -1 = Garner (}} x p dp r p -1, x q dq r q -1); And calculating S by substituting the calculated product of x ^d r ⁻¹ and r (= x ^d r ⁻¹ × r) to x ^d ; It includes.

delete

According to the present invention, since the inverse operation for defending the conventional RSA encryption system is not required, the degradation of the processing speed can be minimized.

In addition, the present invention can ensure higher safety from various power analysis attacks.

1 is a flowchart illustrating a message blinding method of an RSA that does not require inverse operation according to an embodiment of the present invention.
2 is the algorithm of FIG.
3 is a flowchart illustrating a message blinding method of an RSA, which does not require inverse operation according to another embodiment of the present invention.
4 is the algorithm of FIG.
FIG. 5 is a flowchart illustrating a message blinding method of an RSA that does not require inverse operation according to another embodiment of the present invention. FIG.
6 is the algorithm of FIG.

Hereinafter, preferred embodiments of the present invention will be described with reference to the accompanying drawings. In the following description, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear.

1 is a flowchart illustrating a message blinding method of an RSA that does not require inverse operation according to an embodiment of the present invention, and FIG. 2 is an algorithm of FIG. 1.

First, the basic concept of an embodiment of the present invention is to blind the message x using a random random number r. That is, x ^d r ^{2 φ (n)} is calculated in place of x ^d in the final result S = x ^d mod n. At this time,

이며, 여기서, t는 비트수(bit length)이다.

Where t is the bit length.

To this end, in step S101, n (= p × q) and φ (n) (= (φ _t-1 φ _t-2 φ generated using the message x to be transmitted in the RSA encryption system, and any two prime numbers p and q ₀ ) ₂ , φ _t-1 = 1), _{d with} φ (n) and e with relatively prime (e), ed = 1 mod φ (n) with d (= (d _{t -1} d _{t -2} d ₀ ) ₂ ), and an arbitrary random number r having a small relation with n is set.

Subsequently, in step S103, the following plurality of additional operations are set using the random number r described above.

Subsequently, modular exponentiation operations are performed using these addition operations (S105 to S115).

In step S105, the total number of bits (t-1) when the integer d is expressed in binary is set to the maximum value of the variable i. In step S107, when d (= (d _{t -1} d _{t -2} d ₀ ) ₂ ) is converted to binary, the value of d _{n -1} , which is the most significant bit (MSB), is 0, and 1 is stored in S. Then store the message x in S. In step S109, the value of the variable i is decreased by one in order to perform operations in all cases from the MSB of d to the Least Significant Bit (LSB). In step S111, in order to perform an operation on all bits of d, it is determined whether the value of the variable i is smaller than zero.

의 연산을 차례로 수행하여 최종 연산결과를 상기 S에 최종값으로 저장한 후(S113) 상기 변수 i가 0보다 작을 때까지 S109 단계로 진행하여 다시 i를 1만큼 감소시킨다.As a result of the determination in step S111, if the variable i is equal to or greater than 0, S = S ² mod n and S = S ×

After sequentially performing the operation, the final operation result is stored in the S as a final value (S113), and the process proceeds to step S109 until the variable i is smaller than 0, and i is again decreased by 1.

의 연산을 수행하고 그 연산결과를 S에 최종값으로 저장한다(S115).If the variable i is less than 0

Performs the operation and stores the operation result as the final value in S (S115).

Although FIG. 1 shows that the variable i performs an operation while changing from the MSB to the LSB, it is also possible to perform the operation while changing from the LSB to the MSB.

3 is a flowchart illustrating a message blinding method of an RSA without an inverse operation according to another embodiment of the present invention, and FIG. 4 is an algorithm of FIG. 3.

First, a basic concept of another embodiment of the present invention is to blind the message x using a random random number r. That is, instead of the x r ^d _p ^-1 from the final result of _{^{S = x d r p -1 mod}} p and calculates the _{^{x d r p 2 (p-}} 1) -1. At this time,

이며, t는 비트수(bit length)이다.

T is the bit length.

To this end, in step S301, x '(= xr _p mod p) and r _p generated using a message x to be transmitted in the RSA cryptosystem, an arbitrary prime number p, and a random number r, and a relatively small relationship with r _p. E, ed = 1 mod x 'with d (= (d _{t -1} d _{t -2} d ₀ ) ₂ <(p-1)), any random number with small relation with p Select (∈ {0,1,2,3})

Thereafter, in step S303, the following plurality of additional operations are set using x 'and an arbitrary random number r.

Subsequently, modular exponentiation operations are performed using these addition operations (S305 to S315).

In step S305, the total number of bits (t-1) when the integer d is expressed in binary is set to the maximum value of the variable i. In step S307, when d (= (d _{t -1} d _{t -2} d ₀ ) ₂ ) is converted to binary, the value of d _{n -1} , which is MSB, is stored in S if 0, and message S in S. Save it. In operation S309, the value of the variable i is decreased by one in order to perform operations in all cases from the MSB of the d to the LSB. In step S311 it is determined whether the value of the variable i is less than zero in order to perform the operation on all bits of d.

의 연산을 차례로 수행하여 최종 연산결과를 상기 S에 최종값으로 저장한 후(S313) 상기 변수 i가 0보다 작을 때까지 S309 단계로 진행하여 다시 i를 1만큼 감소시킨다. As a result of the determination in step S311, if the variable i is equal to or greater than 0, S = S ² mod p and S = S ×

After sequentially performing the operation, the final operation result is stored in the S as the final value (S313), and the process proceeds to step S309 until the variable i is smaller than 0, and i is again decreased by 1.

의 연산을 수행하고 그 연산결과를 S에 최종값으로 저장한다(S315).
If the variable i is less than 0

Performs the operation and stores the operation result as the final value in S (S315).

5 is a flowchart illustrating a message blinding method of an RSA without an inverse operation according to another embodiment of the present invention, and FIG. 6 is an algorithm of FIG. 5.

The basic concept of another embodiment of the present invention is to blind the message x using a random random number r. That is, x ^d r ^-1 x r is calculated in place of x ^d in the final result S = x ^d mod n.

To this end, in step S501, n (= p × q), φ (n) (= (φ _t-1 φ _t-2 φ ₀ , generated using the message x to be transmitted in the RSA cryptosystem, any two prime numbers p and q ) ₂ , φ _t-1 = 1), d having a relationship of φ (n) and e (relatively prime), ed = 1 mod φ (n), and d (= (d _{t -1} d _{t -2} d ₀ ) ₂ ). In step S503, a random number r that is prime with n is selected. In operation S505, r _p = r mod p, r _q = r mod q, x ' _p = xr mod p, and x' _q = xr mod q are respectively calculated using the selected random number r.

In step S507, p, q and the calculated r _p , r _q , x ' _p , x' _q , and d _p (d mod (p-1)) and d _q (d mod (q-1)) X _p ^dp r _p ^-1 (where x _p = x mod p) and x _q ^dq r _q ^-1 (where x _q = x mod q) are respectively calculated using the algorithm of FIG. 4. In the step S509 calculating the calculated x ^dp _p r ^-1 _p and ^{_{x q dq r q -1 x d}} r -1 = Garner (x p dp r p -1, x q dq r q -1) by using the do.

Subsequently, in step S511, the product of the calculated x ^d r ^-1 and r (= x ^d r ^-1 × r) is substituted for the x ^d to finally calculate the S.

While the invention has been shown and described with reference to certain preferred embodiments thereof, it is to be understood that the invention is not limited to the disclosed embodiments. Those skilled in the art will appreciate that various modifications, additions and substitutions are possible, without departing from the scope of the appended claims, The genius will be so self-evident. Therefore, the true technical protection scope of the present invention will be defined by the technical spirit of the appended claims.

Claims (7)

The message x to be sent by the RSA cryptosystem, n (= p × q), φ (n) (= (φ _t-1 φ _t-2 φ ₀ ) ₂ , φ _t- , generated using any two prime numbers p and q. ₁ = 1), e having a relation of φ (n) with a relatively Prime and d (= (d _{t -1} d _{t -2} d ₀ ) having a relation of ed = 1 mod φ (n) ₂ ) using S = x ^d In the method of message blinding of RSA which does not have inverse operation to calculate S that satisfies mod n,
Selecting any random number r that is prime with n;
Calculating x ^d r ^{2 φ (n)} using the selected random number r;
Calculating the S by replacing the calculated x ^d r ^{2 φ (n)} with the x ^d ; Including,

Where t is the number of bits
Method of message blinding in RSA without inverse operation that satisfies The method of claim 1, wherein after the Sëë¼ operation,
Setting a plurality of additional operations below using the random number r; And
Performing a modular exponential operation using the φ (n), d and the additive operation; Message blinding method of the RSA without the inverse operation further comprising.

The method of claim 2, wherein the performing of the modular exponential operation is performed.
A setting step of setting a variable i = (t-1) for the t;
When d (= (d _{t -1} d _{t -2} d ₀ ) ₂ ) is converted to binary, if the value of d _{n -1} , which is a Most Significant Bit (MSB), is 0, S is stored as 1, A storage step of storing x as 1;
Reducing the variable i by one;
A determination step of determining whether the variable i is smaller than zero;
If the variable i is less than 0

And store the result of the calculation in S. If the variable i is equal to or greater than 0, S = S ² mod n and S = S ×

Performing an operation of sequentially storing the final operation result in S and then proceeding to the reduction step until the variable i is smaller than 0; Message blinding method of the RSA without the inverse operation including a. Generated using the message x, random prime number p and the random number r transferred from the RSA cryptosystem x '(= xr _p mod p) and r _p, wherein r _p and relatively prime (Relatively Prime) with the relationship e, ed = Compute S that satisfies S = x ^d r _p ^-1 mod p using d (= (d _{t -1} d _{t -2} d ₀ ) ₂ <(p-1)) with ¹ mod x ' In the RSA message blind method without an inverse operation,
Selecting any random number v (∈ {0,1,2,3}) that is prime with p;
Calculating x ^d r _p ^{- 1} using the selected random number v;
Calculating the S ¹ by substituting the x ^d _p r ^{-1 -} The calculated ^{_{x d r p 2 (p-}} 1); Including,

Where t is the number of bits
Method of message blinding in RSA without inverse operation that satisfies The method of claim 4, wherein after calculating S,
Setting a plurality of additional operations using the x 'and the random number r; And
Performing a modular exponential operation using the p, d, and the additive operations; Message blinding method of the RSA without the inverse operation further comprising.

The method of claim 5, wherein the performing of the modular exponential operation,
A setting step of setting a variable i = (t-1) for the t;
When d (= (d _{t -1} d _{t -2} d ₀ ) ₂ ) is converted to binary, if the value of d _{n -1} , which is a Most Significant Bit (MSB), is 0, S is stored as 1, A storage step of storing x as 1;
Reducing the variable i by one;
A determination step of determining whether the variable i is smaller than zero;
If the variable i is less than 0

And store the result of the calculation in S. If the variable i is equal to or greater than 0, S = S ² mod p and S = S ×

Performing an operation of sequentially storing the final operation result in S and then proceeding to the reduction step until the variable i is smaller than 0; Message blinding method of the RSA without the inverse operation including a. The message x to be sent by the RSA cryptosystem, n (= p × q), φ (n) (= (φ _t-1 φ _t-2 φ ₀ ) ₂ , φ _t- , generated using any two prime numbers p and q. ₁ = 1), e having a relationship between the φ (n) and the Prime (Relatively Prime), d (= (d _t-1 d _t-2 d ₀ ) with a relationship of ed = 1 mod φ (n) _{In the} method of message blinding of RSA without inverse arithmetic that computes S satisfying S = x ^d mod n using ₂ ),
Selecting any random number r that is prime with n;
Calculating r _p = r mod p, r _q = r mod q, x ' _p = xr mod p, x' _q = xr mod q using the selected random number r;
The p, q and the _{r p, r q, x '} p, x' q, and _{d p (= d mod (p} -1)) and _{d q (= d mod (q} -1)) x with respect to the _p calculating ^dp r _p ^-1 (where x _p = x mod p) and x _q ^dq r _q ^-1 (where x _q = x mod q), respectively;
Calculating the calculated x _{p p} r ^{-1 dp} and ^dq x _q x r using a ^{_{q -1 d r -1 = Garner (}} x p dp r p -1, x q dq r q -1); And
Calculating S by replacing the calculated product of x ^d r ^-1 and r (= x ^d r ^-1 × r) with x ^d ; Message blinding method of the RSA without the inverse operation including a.

Images