Abstract
The secure implementation of the Greatest Common Divisor (GCD) algorithm is fundamental to many cryptographic schemes. The binary GCD algorithm has highly input-dependent behavior, so the binary GCD used in cryptographic systems must be implemented carefully. However, it has been noted that the binary GCD algorithm implemented in OpenSSL 1.1.0-1.1.0h and 1.0.2b-1.0.2o is not secure. Aldaya et al. presented this vulnerability at CHES 2019. They also proposed a side-channel attack that collects the sequence of operations performed by the binary GCD algorithm, and an error correction algorithm (the AGTB algorithm) that recovers the LSBs of secret keys from the noisy sequences. In this paper, we propose an error correction algorithm that, like the AGTB algorithm, focuses on only a single type of error. We evaluate our algorithm in numerical experiments, which show that it achieves a higher recovery rate than the AGTB algorithm.
References
Aldaya, A.C., Brumley, B.B.: When one vulnerable primitive turns viral: novel single-trace attacks on ECDSA and RSA. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020(2), 196–221 (2020). https://doi.org/10.13154/tches.v2020.i2.196-221
Aldaya, A.C., García, C.P., Tapia, L.M.A., Brumley, B.B.: Cache-timing attacks on RSA key generation. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019(4), 213–242 (2019). https://doi.org/10.13154/tches.v2019.i4.213-242
Aldaya, A.C., Sarmiento, A.J.C., Sánchez-Solano, S.: SPA vulnerabilities of the binary extended Euclidean algorithm. J. Cryptogr. Eng. 7(4), 273–285 (2016). https://doi.org/10.1007/s13389-016-0135-4
Allan, T., Brumley, B.B., Falkner, K.E., van de Pol, J., Yarom, Y.: Amplifying side channels through performance degradation. In: Schwab, S., Robertson, W.K., Balzarotti, D. (eds.) Proceedings of the 32nd Annual Conference on Computer Security Applications, ACSAC 2016, Los Angeles, CA, USA, 5–9 December 2016, pp. 422–435. ACM (2016). http://dl.acm.org/citation.cfm?id=2991084
Coppersmith, D.: Finding a small root of a univariate modular equation. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 155–165. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_14
Halderman, J.A., et al.: Lest we remember: cold boot attacks on encryption keys. In: van Oorschot, P.C. (ed.) Proceedings of the 17th USENIX Security Symposium, 28 July–1 August 2008, San Jose, CA, USA, pp. 45–60. USENIX Association (2008). http://www.usenix.org/events/sec08/tech/full_papers/halderman/halderman.pdf
Henecka, W., May, A., Meurer, A.: Correcting errors in RSA private keys. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 351–369. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_19
Heninger, N., Shacham, H.: Reconstructing RSA private keys from random key bits. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 1–17. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_1
Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_25
Kunihiro, N., Shinohara, N., Izu, T.: Recovering RSA secret keys from noisy key bits with erasures and errors. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 180–197. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_12
Paterson, K.G., Polychroniadou, A., Sibborn, D.L.: A coding-theoretic approach to recovering noisy RSA keys. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 386–403. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_24
Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978). https://doi.org/10.1145/359340.359342
Stein, J.: Computational problems associated with Racah algebra. J. Comput. Phys. 1(3), 397–405 (1967)
Weiser, S., Spreitzer, R., Bodner, L.: Single trace attack against RSA key generation in Intel SGX SSL. In: Kim, J., Ahn, G., Kim, S., Kim, Y., López, J., Kim, T. (eds.) Proceedings of the 2018 on Asia Conference on Computer and Communications Security, AsiaCCS 2018, Incheon, Republic of Korea, 04–08 June 2018, pp. 575–586. ACM (2018). https://doi.org/10.1145/3196494.3196524
Xu, Y., Cui, W., Peinado, M.: Controlled-channel attacks: deterministic side channels for untrusted operating systems. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, 17–21 May 2015, pp. 640–656. IEEE Computer Society (2015). https://doi.org/10.1109/SP.2015.45
Yarom, Y., Falkner, K.: FLUSH+RELOAD: a high resolution, low noise, L3 cache side-channel attack. In: Fu, K., Jung, J. (eds.) Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, 20–22 August 2014, pp. 719–732. USENIX Association (2014). https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/yarom
Acknowledgments
This work was supported by JST CREST Grant Number JPMJCR2113 and JSPS KAKENHI Grant Number 21H03440.
Appendices
A Finding \(\varepsilon \) Such that \(P_\textrm{SCA}\) and \(P_\textrm{APPROX}\) are Closest
We use the conditional relative entropy as the distance between \(P_\textrm{SCA}\) and \(P_\textrm{APPROX}\), and we look for the \(\hat{\varepsilon }\) that minimizes it. For the conditional probability distributions \( P_\textrm{APPROX}(\tilde{z} \mid z)\) and \(P_\textrm{SCA}(\tilde{z} \mid z)\), the conditional relative entropy is as follows.
The optimal \(\hat{\varepsilon }\) is then \(\hat{\varepsilon } {:}{=}\arg {\min _\varepsilon {D(P_\textrm{APPROX}(\tilde{z} \mid z) \, \mid \mid \, P_\textrm{SCA}(\tilde{z} \mid z))}}\).
The partial derivative \(\partial D/\partial \varepsilon \) of Eq. (14) is as follows.
Using Eq. (15), the point where \(\partial D/\partial \varepsilon = 0\) is \(\hat{\varepsilon }\); therefore, \(\hat{\varepsilon } \approx 0.0247\). If we use \(\hat{\varepsilon }\) as the error rate \(\varepsilon ^{\prime }\) for computing the likelihood-based loss function in Sect. 5.3, \(P_\textrm{APPROX}(\tilde{z} \mid z)\) and \(P_\textrm{SCA}(\tilde{z} \mid z)\) are close.
B Details About the AGTB Algorithm
We give details about the AGTB algorithm [2]. In particular, this section summarizes the parameters used as input for the AGTB algorithm and how Prune is performed in this study. This section also summarizes the experimental results for the AGTB algorithm performed in this study.
B.1 Prune
Candidate solutions generated by Expand are removed by Prune. In the AGTB algorithm, the parameters g, G, \(\textsf{cons}\) and \(\textsf{th}\) determine which candidate solutions are removed. The most important parameters are g and G: the AGTB algorithm keeps at most \(g\times G\) candidate solutions. \(e_{\textrm{min}}\) denotes the smallest value of \(e_{x_1} + e_{x_2} + e_{\textrm{mult}}\) among the candidate solutions, and \(\textsf{cons}\) bounds the number of consecutive 0 insertions or 0 deletions that Expand may have performed up to the current phase. In Prune, the following criteria are applied to each candidate solution to decide whether to remove it; only the candidate solutions that survive all of them are kept and used in the next phase of error correction.
1. Remove candidate solutions whose number of consecutive 0 insertions or 0 deletions in Expand exceeds \(\textsf{cons}\).
2. Remove candidate solutions that do not satisfy \(e_{x_1} + e_{x_2} + e_{\textrm{mult}} \le \textsf{th}\).
3. Remove candidate solutions that do not satisfy \(e_{x_1} + e_{x_2} + e_{\textrm{mult}} \le e_{\textrm{min}} + g\).
4. Classify the remaining candidate solutions by the value of \(e_{x_1} + e_{x_2} + e_{\textrm{mult}}\). Within each class, sort by the value of \(e_\textrm{mult}\), keep only the first G candidate solutions, and remove the others.
Thus g, G, \(\textsf{cons}\), and \(\textsf{th}\) are the criteria for Prune in the AGTB algorithm.
B.2 Implementation of the AGTB Algorithm
In the experiments of Sect. 5, the erroneous Z-sequences produced by our SCA may contain entries with \(\tilde{Z}_i=0\). When \(\tilde{Z}_i=0\), the structure of the binary representations of \(\tilde{x}_1\) and \(\tilde{x}_2\) changes, and it becomes difficult to correct errors by focusing on the number of 0s between consecutive 1s in these representations. By the discussion in Sect. 2.2, \(Z_i \ge 1\) always holds, so any entry with \(\tilde{Z}_i=0\) is necessarily erroneous and can be replaced by \(\tilde{Z}_i \leftarrow 1\); this immediately resolves the problem. In this paper, we add this as a pre-computation that sets \(\tilde{Z}_i \leftarrow 1\) for every element with \(\tilde{Z}_i=0\) in the noisy Z-sequences. In fact, this pre-computation improves the performance of the AGTB algorithm. We implement the AGTB algorithm following the above flow and use it in Sect. 5.2 and Sect. 5.3.
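The Prune step of B.1 and the pre-computation of B.2, as an added example in Python; this is not the authors' implementation and not the code used in Sect. 5. It assumes that each candidate solution carries its three error counters \(e_{x_1}, e_{x_2}, e_{\textrm{mult}}\) and the length of the current run of consecutive 0 insertions or 0 deletions made by Expand, and it evaluates \(e_{\textrm{min}}\) after criteria 1 and 2 have been applied (the appendix does not say at which point \(e_{\textrm{min}}\) is taken). The candidate population and the Z-sequence are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    """One partial solution kept between phases of the AGTB algorithm.

    The fields are an assumption about what Expand records; the appendix
    only names the three error counters and the consecutive-edit count.
    """
    label: str     # identifier used here only to make results checkable
    e_x1: int      # errors charged to the reconstruction of x1
    e_x2: int      # errors charged to the reconstruction of x2
    e_mult: int    # errors charged to the multiplication consistency check
    run: int       # consecutive 0-insertions/0-deletions performed by Expand

    @property
    def e_total(self) -> int:
        return self.e_x1 + self.e_x2 + self.e_mult


def prune(candidates, g, G, cons, th):
    """Apply the four Prune criteria of B.1 and return the survivors.

    e_min is taken over the candidates that pass criteria 1 and 2
    (assumption: the appendix does not state where e_min is evaluated).
    """
    # Criterion 1: too many consecutive 0-insertions/0-deletions in Expand.
    kept = [c for c in candidates if c.run <= cons]
    # Criterion 2: absolute error budget th.
    kept = [c for c in kept if c.e_total <= th]
    if not kept:
        return []
    # Criterion 3: relative error budget e_min + g.
    e_min = min(c.e_total for c in kept)
    kept = [c for c in kept if c.e_total <= e_min + g]
    # Criterion 4: class by e_total, order each class by e_mult, keep G per class.
    classes = defaultdict(list)
    for c in kept:
        classes[c.e_total].append(c)
    survivors = []
    for e_total in sorted(classes):
        ordered = sorted(classes[e_total], key=lambda c: c.e_mult)  # stable sort
        survivors.extend(ordered[:G])
    return survivors


def normalize_z_sequence(z_seq):
    """B.2 pre-computation: Z_i >= 1 always holds, so a measured 0 is an
    error; replace it by 1 before handing the sequence to the AGTB algorithm."""
    return [1 if z == 0 else z for z in z_seq]


# Constructed sample population (not data from the paper).
SAMPLE = [
    Candidate("A", 1, 0, 0, run=1),   # e_total 1: the best candidate
    Candidate("B", 2, 1, 0, run=4),   # dropped by criterion 1 (run > cons)
    Candidate("C", 5, 5, 5, run=0),   # dropped by criterion 2 (15 > th)
    Candidate("D", 3, 3, 3, run=0),   # dropped by criterion 3 (9 > e_min + g)
    Candidate("E", 1, 1, 0, run=0),   # e_total 2, e_mult 0
    Candidate("F", 0, 1, 1, run=0),   # e_total 2, e_mult 1
    Candidate("G", 1, 0, 1, run=0),   # e_total 2, e_mult 1 -> cut by G=2
    Candidate("H", 0, 0, 2, run=0),   # e_total 2, e_mult 2 -> cut by G=2
]


def survivor_labels(candidates=SAMPLE, g=2, G=2, cons=3, th=10):
    """Labels of the candidates that survive Prune, in kept order."""
    return [c.label for c in prune(candidates, g, G, cons, th)]


if __name__ == "__main__":
    print(survivor_labels())                       # ['A', 'E', 'F']
    print(normalize_z_sequence([2, 0, 1, 0, 3]))   # [2, 1, 1, 1, 3]
```

Criterion 3 means the number of surviving classes is at most g + 1 (the totals from \(e_{\textrm{min}}\) to \(e_{\textrm{min}} + g\)), and criterion 4 caps each class at G, which is where the bound on the population size comes from; the stable sort within a class means ties on \(e_\textrm{mult}\) are resolved by the order in which Expand produced the candidates.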
B.3 Setting Parameters as Input for the AGTB Algorithm
This section describes how to set g, G, \(\textsf{cons}\), and \(\textsf{th}\), the input parameters of the AGTB algorithm. In the experiment to recover primes in [2], \(g=10, \, G=15000, \, \textsf{cons}=3, \, \textsf{th}=150\).
The most basic parameters are g and G, because the upper limit on the number of candidate solutions kept by the AGTB algorithm is \(g \times G\). Taking into account the performance of the computers available to us, we set \(g, \, G\) so that \(g \times G = 2 ^{16}\) in the experiments in this paper. Moreover, according to \(P_\textrm{APPROX}(\tilde{z} \mid z)\), errors do not occur consecutively; therefore, \(\textsf{cons} = 2\) or \(3\) is sufficient.
B.4 Experiment to Evaluate the AGTB Algorithm
We describe experiments using the AGTB algorithm in Sect. 5.2 and Sect. 5.3. Figure 8 and Table 4 show the result of the error correction of the artificially generated sequence described in Sect. 5.2. From this result, the best performance is obtained when \(g=2^{4}, \, G=2^{12}, \, \textsf{cons} = 3, \, \textsf{th}=200\).
Table 5 shows the results obtained when the sequence is obtained by using the actual SCA described in Sect. 5.3. In this case, \((g=2^3,\, G=2^{13},\, \textsf{cons}=3,\, \textsf{th}=50)\) and \((g=2^{4},\, G=2^{12},\, \textsf{cons}=3,\, \textsf{th}=50)\) give the best success rate.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Tani, K., Kunihiro, N. (2023). HS-Based Error Correction Algorithm for Noisy Binary GCD Side-Channel Sequences. In: Tibouchi, M., Wang, X. (eds) Applied Cryptography and Network Security. ACNS 2023. Lecture Notes in Computer Science, vol 13905. Springer, Cham. https://doi.org/10.1007/978-3-031-33488-7_3
DOI: https://doi.org/10.1007/978-3-031-33488-7_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-33487-0
Online ISBN: 978-3-031-33488-7