Abstract
A side channel attack (SCA) is a serious attack on the implementation of cryptosystems, which can break the secret key using side channel information such as timing, power consumption, etc. Recently, Boneh et al. showed that SSL is vulnerable to SCA if the attacker gets access to the local network of the server. Therefore, public-key infrastructure eventually becomes a target of SCA. In this paper, we investigate the security of RSA cryptosystem using the Chinese remainder theorem (CRT) in the sense of SCA. Novak first proposed a simple power analysis (SPA) against the CRT part using the difference of message modulo p and modulo q. In this paper, we apply Novak’s attack to the other CRT-based cryptosystems, namely Multi-Prime RSA, Multi-Exponent RSA, Rabin cryptosystem, and HIME(R) cryptosystem. Novak-type attack strictly depends on how to implement the CRT. We examine the operations related to CRT of these cryptosystems, and show that an extended Novak-type attack is effective on them. Moreover, we present a novel attack called zero-multiplication attack. The attacker tries to guess the secret prime by producing ciphertexts that cause a multiplication with zero during the decryption, which is easily detected by power analysis. Our experimental result shows that the timing with the zero multiplication is reduced about 10% from the standard one. Finally, we propose countermeasures against these attacks. The proposed countermeasures are based on the ciphertext blinding, but they require no inversion operation. The overhead of the proposed scheme is only about 1–5% of the whole decryption if the bit length of modulus is 1,024.
Similar content being viewed by others
References
Akishita, T., Takagi, T.: Zero-value point attacks on elliptic curve cryptosystem. In: ISC 2003. LNCS, vol. 2851, pp. 218–233 (2003)
Aumüller, C., Bier, P., Fischer, W., Hofreiter, P., Seifert, J.-P.: Fault attacks on RSA with CRT: concrete results and practical countermeasures. In: CHES 2002. LNCS, vol. 2523, pp. 260–275 (2003)
Boneh, D., DeMillo, R., Lipton, R.: On the importance of eliminating errors in cryptographic computations. J. Cryptol. 14(2), 101–119 (2001)
Boneh, D., Shacham, H.: Fast variants of RSA. CRYPTOBYTES 5(1), 1–9 (2002)
Brumley, D., Boneh, D.: Remote timing attacks are practical. Isn: 12th Usenix Security Symposium, pp. 1–14 (2003)
den Boer, B., Lemke, K., Wicke, G.: A DPA attack against the modular reduction within a CRT implementation of RSA. In: CHES 2002. LNCS, vol. 2523, pp. 228–243 (2003)
Davida, G.: Chosen sIGNATURE cRYPTANALYSIS OF the RSA (MIT) public key cryptosystem. TR-CS-82-2, University of Wisconsin (1982)
Fouque, P.-A., Martinet, G., Poupard, G.: Attacking unbalanced RSA-CRT using SPA. In: CHES 2003. LNCS, vol. 2779, pp. 254–268 (2003)
Goubin, L.: A refined power-analysis attack on elliptic curve cryptosystems. In: PKC 2003. LNCS, vol. 2567, pp. 199–211 (2003)
Java Cryptography Architecture, http://java.sun.com/products/jdk/1.2/docs/guide/security/CryptoSpec.html
Joye, M., Lenstra, A.K., Quisquater, J.-J.: Chinese remaindering based cryptosystems in the presence of faults. J. Cryptol. 12(4), 241–245 (1999)
Kaliski, B.: Timing attacks on cryptosystems. RSA Laboratories Bulletin, No. 2 (1996)
Kocher, C.: Timing attacks on Implementations of Diffie-Hellman, RSA, DSS, and other systems. In: CRYPTO’96. LNCS, vol. 1109, pp. 104–113 (1996)
Kocher, C., Jaffe, J., Jun, B.: Differential power analysis. In: CRYPTO’99. LNCS, vol. 1666, pp. 388–397 (1999)
Messerges, T., Dabbish, E., Sloan, R.: Power analysis attacks of modular exponentiation in smartcards. In: CHES’99. LNCS, vol. 1717, pp. 144–157 (1999)
MultiPrime™, Compaq AXL300 Accelerator. http://www.compaq.com/products/servers/security/axl300/
Nishioka, M., Satoh, H., Sakurai, K.: Design and analysis of fast provably secure public-key cryptosystems based on a modular squaring. ICISC 2001, LNCS, vol. 2288, pp. 81–102 (2001)
Novak, R.: SPA-based adaptive chosen-ciphertext attack on RSA implementation. In: PKC 2002. LNCS, vol. 2274, pp. 252–262 (2002)
Public-Key Cryptography Standards, PKCS #1. Amendment 1: Multi-Prime RSA, RSA Laboratories.
Schindler, W.: A timing attack against RSA with the Chinese remainder theorem. In: CHES 2000. LNCS, vol. 1965, pp. 109–124 (2000)
Takagi, T.: Fast RSA-type cryptosystem modulo pk q. In: CRYPTO’98. LNCS, vol. 1462, pp. 318–326 (1998)
Walter, C.: MIST: an efficient, randomized exponentiation algorithm for resisting power analysis. In: CT-RSA 2002. LNCS, vol. 2271, pp. 53–66 (2002)
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Okeya, K., Takagi, T. Security analysis of CRT-based cryptosystems. Int. J. Inf. Secur. 5, 177–185 (2006). https://doi.org/10.1007/s10207-005-0080-1
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10207-005-0080-1