This application claims the benefit of Korean Patent Application No. 10-2014-0012212 filed on Feb. 3, 2014, the subject matter of which is hereby incorporated by reference.
The inventive concept relates to encryption methods and related apparatuses. More particularly, the inventive concept relates to encryption methods and related apparatuses that make use of the Chinese Remainder Theorem (CRT) as applied to Rivest Shamir Adleman (RSA) encryption methods and apparatuses.
Representative calculations involved in the use of certain RSA encryption methods include exponentiation operation(s) using a given “secret key”. Various adaptations to RSA encryption methods have been suggested to improve the efficiency of the exponentiation operations in environments where system resources (e.g., available memory space) used to perform certain calculations are limited. Among these adaptations, the so-called Chinese Remainder Theorem (CRT) may be used to generate digital signature(s) at speeds approximately four times faster than previously used, unmodified RSA encryption methods and systems. This class of CRT modified RSA encryption methods and systems may be termed the “CRT-RSA approach” inclusive of CRT-RSA method(s) and/or CRT-RSA system(s).
Despite notable performance advantages, the CRT-RSA approach creates exploitable weaknesses in associated data processing operations. That is, CRT-RSA systems and computational methods are fairly weak against so-called “fault attacks”.
Embodiments of the inventive concept provide a Chinese Remainder Theorem modified, Rivest Shamir Adleman (CRT-RSA) encryption approach that provides improved resistance to fault injection attacks using a Feistel structure.
According to an aspect of the inventive concept, there is provided a CRT-RSA encryption method including: calculating first parameter information and second parameter information that are to be used in a modular exponential calculation process based on a modular calculation result of a secret key that is obtained by using Euler's phi function with respect to two different prime numbers calculated from the public key; performing a modular exponential calculation with respect to a next block based on calculation information of a previous block, in a block unit divided respectively from the first parameter information and the second parameter information; and calculating an encryption process result based on a CRT calculation by using results of the modular exponential calculation.
The calculating of the first parameter information and the second parameter information may include determining intermediate calculation information dp and dq generated based on equations dp=d mod(p−1) and dq=d mod(q−1) as the first parameter information and the second parameter information or determining intermediate calculation information respectively derived from dp and dq as the first parameter information and the second parameter information, wherein d denotes a secret key, p and q denote prime numbers, and a public key N satisfies a condition N=p·q.
The calculating of the first parameter information and the second parameter information may include: calculating intermediate calculation information dp and dq based on equations dp=d mod(p−1) and dq=d mod(q−1); and calculating the first parameter information d′p and the second parameter information d′q respectively derived from the intermediate calculation information dp and dq by using the intermediate calculation information dp and dq together, wherein d denotes a secret key, p and q denote prime numbers, and a public key N satisfies a condition N=p·q.
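As an added worked example, not code from the patent, the CRT-RSA parameters just described (dp = d mod(p−1), dq = d mod(q−1), N = p·q) are applied to a toy key, together with the fault weakness noted earlier: a signature is assembled from two half-size exponentiations, a transient fault is simulated in one half, and the result is released only after a public-key check. The function names, the constructed primes 61 and 53, the public exponent 17 and the simulated fault are all assumptions of this example, not values from the document.

```python
# Added example (not code from the patent): CRT-RSA signing with dp, dq and
# q^-1 mod p, and why a CRT result must be gated before it leaves the device.
# All key values are constructed toy numbers, far too small for real use.
from math import gcd

P, Q = 61, 53                 # constructed primes
N = P * Q                     # public modulus, N = p*q
E = 17                        # public exponent
PHI = (P - 1) * (Q - 1)       # Euler's phi function of N
D = pow(E, -1, PHI)           # secret key d = e^-1 mod phi(N)


def crt_params(d, p, q):
    """First/second parameter information dp = d mod (p-1), dq = d mod (q-1),
    plus q^-1 mod p, which the CRT recombination needs."""
    return d % (p - 1), d % (q - 1), pow(q, -1, p)


def crt_sign(m, d, p, q, fault_in_q_half=False):
    """S = m^d mod N via two half-size exponentiations and Garner recombination.
    fault_in_q_half simulates a transient fault hitting the mod-q half only."""
    dp, dq, qinv = crt_params(d, p, q)
    sp = pow(m, dp, p)
    sq = pow(m, dq, q)
    if fault_in_q_half:
        sq = (sq + 1) % q      # constructed fault: one half is corrupted
    h = (qinv * (sp - sq)) % p
    return sq + q * h          # 0 <= S < N, S = sp mod p, S = sq mod q


def verify(s, m, e, n):
    """Public-key check that S really is an e-th root of m modulo N."""
    return pow(s, e, n) == m % n


def sign_checked(m, d, e, p, q, n, fault_in_q_half=False):
    """Gate the output: release S only if it verifies, otherwise None."""
    s = crt_sign(m, d, p, q, fault_in_q_half)
    return s if verify(s, m, e, n) else None


def factor_leak(s_good, s_bad, n):
    """Risk illustration: a correct and a half-faulty signature of the same
    message agree modulo the untouched prime and differ modulo the other, so
    their difference shares exactly that prime with N.  Returns the factor an
    unchecked faulty output would expose, or None."""
    g = gcd(abs(s_good - s_bad), n)
    return g if 1 < g < n else None


if __name__ == "__main__":
    m = 65
    good = sign_checked(m, D, E, P, Q, N)
    bad = sign_checked(m, D, E, P, Q, N, fault_in_q_half=True)
    print("dp, dq, qinv:", crt_params(D, P, Q))
    print("checked signature:", good, "equals direct pow:", good == pow(m, D, N))
    print("faulty run released:", bad)   # None: the gate withheld it
    print("factor an ungated faulty S would leak:",
          factor_leak(crt_sign(m, D, P, Q), crt_sign(m, D, P, Q, True), N))
```

`factor_leak` shows the risk the gate guards against: the correct and the half-faulty signature agree modulo one prime and differ modulo the other, so their difference shares a prime with N. This is why CRT-RSA implementations never emit the recombined value directly but check it first, either by verification with the public exponent as here or by the comparison of S and S′ that the document describes later.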
The performing of the modular exponential calculation may include dividing the first parameter information and the second parameter information respectively into two blocks, and performing the modular exponential calculation with respect to the next block by using at least one of the intermediate calculation information and the calculation information in the previous block by the divided block unit.
The first parameter information and the second parameter information may be respectively divided into two blocks having equal sizes.
The performing of the modular exponential calculation may include: extracting 1A block information that is a part of the first parameter information; extracting 2A block information that is a part of the second parameter information; performing a first modular exponential calculation based on the 1A block information; performing a second modular exponential calculation based on the 2A block information; extracting 1B block information, namely the part of the first parameter information remaining after the 1A block information is removed; extracting 2B block information, namely the part of the second parameter information remaining after the 2A block information is removed; performing a third modular exponential calculation based on the 1B block information by using a result of the modular exponential calculation of the 1A block information; and performing a fourth modular exponential calculation based on the 2B block information by using a result of the modular exponential calculation of the 2A block information.
The extracting of the 1A block information may include calculating the 1A block information L′d from the first parameter information d′p having an n-bit length.
The extracting of the 2A block information may include calculating the 2A block information L′d from the second parameter information d′q having an n-bit length.
The performing of the first modular exponential calculation may include calculating a first calculation value Ls
The performing of the first modular exponential calculation may include further calculating a third calculation value CKL
The performing of the second modular exponential calculation may include calculating a fourth calculation value Ls
The performing of the second modular exponential calculation may further include a sixth calculation value CKL
The extracting of the 1B block information may include calculating the 1B block information R′d
wherein Ψd is determined based on dp and dq, dp and dq are determined respectively based on equations dp=d mod(p−1) and dq=d mod(q−1), t′d
The extracting of the 2B block information may include calculating the 2B block information R′d
wherein Ψd is determined based on dp and dq, dp and dq are determined respectively based on equations dp=d mod(p−1), and dq=d mod(q−1), t′d
The performing of the third modular exponential calculation may include calculating a seventh calculation value Rs
The performing of the third modular exponential calculation may further include calculating a ninth calculation value CKR
wherein p′ denotes intermediate calculation information derived from p by the calculation using s, p, and q, s is a random number, p and q are prime numbers, and the public key N satisfies a condition N=p·q.
The performing of the fourth modular exponential calculation may include calculating a tenth calculation value Rs
The performing of the fourth modular exponential calculation may further include calculating a twelfth calculation value CKR
wherein q′ denotes intermediate calculation information derived from q by the calculation using s, p, and q, s is a random number, p and q are prime numbers, and the public key N satisfies a condition N=p·q.
The calculating of the encryption process result may include: calculating a thirteenth calculation value S and a fourteenth calculation value S′ based on equations S=CRTFA(Rs
According to another aspect of the inventive concept, there is provided a Chinese remainder theorem (CRT)-Rivest Shamir Adleman (RSA) encryption apparatus including: a register block for storing input information necessary for encryption processes and intermediate calculation information generated during encryption calculation processes; an intermediate value calculator for calculating intermediate calculation information including first parameter information and second parameter information for determining an exponentiation operation value about a message in a modular exponential calculation process by applying input information read from the register block; an information partition processing unit for dividing the first parameter information and the second parameter information respectively into a plurality of blocks; a modular multiplier performing modular exponentiation calculation processes by applying the intermediate calculation information to each of the blocks divided from the first parameter information and the second parameter information through a plurality of calculating iterations; a CRT calculator for performing a CRT calculation by using results of the modular exponential calculation; and an encryption result calculator for calculating an encryption processing result based on a result of the CRT calculation.
The modular multiplier may sequentially perform a first modular exponential calculation based on 1A block information divided from the first parameter information, a second modular exponential calculation based on 2A block information divided from the second parameter information, a third modular exponential calculation based on 1B block information that is the part of the first parameter information remaining after the 1A block information is removed, and a fourth modular exponential calculation based on 2B block information that is the part of the second parameter information remaining after the 2A block information is removed, wherein the third modular exponential calculation is performed by using a result of the first modular exponential calculation and the fourth modular exponential calculation is performed by using a result of the second modular exponential calculation.
The intermediate value calculator may calculate at least one of the intermediate calculation information applied to divide the first and second parameter information respectively into the plurality of blocks and the intermediate calculation information applied to the modular exponential calculation of the block unit.
According to another aspect of the inventive concept, there is provided a computer-readable storage medium having embodied thereon a program code for implementing a Chinese remainder theorem (CRT)-Rivest Shamir Adleman (RSA) encryption method in a computer, wherein the CRT-RSA encryption method may include: calculating first parameter information and second parameter information that are to be used in a modular exponential calculation process based on a modular calculation result of a secret key that is obtained by using Euler's phi function with respect to two different prime numbers calculated from the public key; performing a modular exponential calculation with respect to a next block based on calculation information of a previous block, in a block unit divided respectively from the first parameter information and the second parameter information; and calculating an encryption process result based on a CRT calculation by using results of the modular exponential calculation.
Certain embodiments of the inventive concept will be more clearly understood from the following written description taken in conjunction with the accompanying drawings in which:
Hereinafter, certain embodiments of the inventive concept will be described in some additional detail with reference to the accompanying drawings. Embodiments of the inventive concept are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the inventive concept to one of ordinary skill in the art. Since the inventive concept may have diverse modified embodiments, preferred embodiments are illustrated in the drawings and are described in the detailed description of the inventive concept. However, this does not limit the inventive concept within specific embodiments and it should be understood that the inventive concept covers all the modifications, equivalents, and replacements within the idea and technical scope of the inventive concept. Throughout the written description and drawings, like reference numerals and labels are used to denote like or similar elements.
The terms used in this application are used to describe only certain embodiments, and are not intended to limit the present invention. In the following description, the technical terms are used only for explaining a specific exemplary embodiment while not limiting the present embodiments. The terms of a singular form may include plural forms unless referred to the contrary. The meaning of “include,” “comprise,” “including,” or “comprising,” specifies a property, a region, a fixed number, a step, a process, an element and/or a component but does not exclude other properties, regions, fixed numbers, steps, processes, elements and/or components.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which the inventive concept belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein. As used herein, the term “and/or” includes any and all combinations of one or more of the associated listed items. Expressions such as “at least one of,” when preceding a list of elements, modify the entire list of elements and do not modify the individual elements of the list.
Particular forms of the Rivest Shamir Adleman (RSA) algorithm as well as exemplary fault attacks thereon will be described below. Attacks on the RSA algorithm include both passive and active attacks. Passive attacks or so-called “side channel attacks” include attacks characterized by analyzing the RSA algorithm execution time, analyzing electric power consumption during execution of the RSA algorithm, as well as corresponding signal waveforms. Active attacks include attacks injecting deformed external clock signals, changing temperature, or subjecting a device executing the RSA algorithm to a laser, such as an X-ray laser. Any one or more of these attack approaches may be referred to as a “fault attack”. A fault attack is characterized by an attacker injecting one or more faults into a computational environment (e.g., a smart card or smart card reader) running the RSA encryption algorithm. The object of many fault attacks is the location and identification of a prime number that is used as a secret value.
A representative calculation of the RSA algorithm is an exponentiation operation that uses a secret key. As noted above, certain performance aspects associated with execution of the RSA algorithm may be improved by modifying the RSA algorithm using the Chinese Remainder Theorem (CRT). This class of algorithms, related encryption methods, and systems will be referred to as the “CRT-RSA approach”, denoting related algorithm(s), methods of data encryption using the same, and/or system(s) encrypting data using such encryption methods.
According to certain embodiments of the inventive concept, a CRT-RSA approach is provided that is made notably more resistant to fault attacks by use of a Feistel structure.
Referring to
The CPU 110 is electrically connected to the encryption processing unit 120, the decryption processing unit 130, the storage unit 140, and the I/O interface 150 via the bus 160, where the bus 160 is a transmission path used to communicate information (e.g., data, control signals, address signals, and/or commands) between the CPU 110, encryption processing unit 120, decryption processing unit 130, storage unit 140, and I/O interface 150 of the electronic device 100.
The CPU 110 controls the overall operation of the electronic device 100. That is, the CPU 110 controls the electronic device 100 to interpret a command received via the I/O interface 150 and to perform corresponding operation(s). For example, the CPU 110 may control the electronic device 100 to perform an encryption process using the encryption processing unit 120 that operates according to a defined CRT-RSA approach consistent with one or more embodiments of the inventive concept.
The storage unit 140 may be used to store data (e.g., command data, programming data, payload data, etc.) received via the I/O interface 150, as well as data and “control information” related to a CRT-RSA approach. For example, control information that may be used during a CRT-RSA approach includes a public key, a secret key, a message, etc.
The I/O interface 150 will be configured to implement at least one data communication protocol capable of exchanging data between a host (not shown) and the electronic device 100. For example, the I/O interface 150 may be realized as an advanced technology attachment (ATA) interface, a serial ATA (SATA) interface, a parallel ATA (PATA) interface, a universal serial bus (USB) or a serial attached small computer system (SAS) interface, a small computer system interface (SCSI), an embedded multi-media card (eMMC) interface, or a UNIX file system (UFS) interface. However, embodiments of the present inventive concept are not limited to only these listed examples.
The encryption processing unit 120 may include hardware components and/or software components configured to perform an encryption process using a CRT-RSA algorithm based on a public key, secret key, and message read from the storage unit 140.
According to certain CRT-RSA approaches contemplated by the embodiments of the inventive concept, a Feistel structure is constructed and applied during execution of the CRT-RSA algorithm in order to widen a potential fault dispersion. In one such approach, secret values ‘p’ and ‘q’ (or dp and dq, respectively derived from p and q) are divided and encrypted. For example, if the bit length of the defined secret values p and q is assumed to be ‘n’, then the relevant exponential calculation(s) may be performed with respect to n/2-bit halves of p and q, as in the Feistel structure. Each corresponding exponential calculation result may be used in a next exponential calculation to thereby induce greater fault dispersion.
One CRT-RSA algorithm contemplated by certain embodiments of the inventive concept includes a threshold operation of calculating “first parameter information” and “second parameter information” to be used in a modular exponential calculation process based on a modular calculation result of a secret key which is obtained by using Euler's phi function with respect to two different prime numbers calculated from the public key. This threshold operation may be followed by an operation performing a modular exponential calculation with respect to a next block based on calculation information from a previous block, assuming a block unit basis for the data being processed, wherein the blocks are divided using the first parameter information and second parameter information. Then, an operation of calculating an encryption processing result based on a CRT calculation using the modular exponential calculation result may be performed.
The decryption processing unit 130 includes hardware components and/or software components configured to perform a decryption process on encrypted text communicated via the I/O interface 150 by using the public key and the secret key read from the storage unit 140. In this context when a computational block, method, and/or system is said to be related to “encryption” it presupposes that an analogous block, method and/or system is related to corresponding “decryption”. Here, the execution of certain CRT-RSA encryption and/or decryption algorithms may be implicated in various methods and systems according to the inventive concept.
As shown in
The register block 120-1 consists of a plurality of registers, and input information necessary to the encryption process, as well as intermediate calculation information generated during encryption calculation process(es) may be stored in designated registers of the register block 120-1.
For example, the register block 120-1 may store input information to a CRT-RSA algorithm such as that listed, for example, in
Alternately, the register block 120-1 may store similar input information to a CRT-RSA algorithm such as that listed, for example, in
The intermediate value calculator 120-2 may be used to calculate intermediate calculation information including the first parameter information and second parameter information for determining an exponentiation operation value about a message in the modular exponential calculation process by applying input information read from the register block 120-1.
For example, the intermediate value calculator 120-2 may be used to perform calculations such as the processes numbered 2, 3, 6, 8, 12, and 14 in the listings of
The information partition processing unit 120-3 divides the first parameter information and the second parameter information that determine exponentiation values of the message in the modular exponential calculation process respectively into a plurality of blocks. For example, in the CRT-RSA algorithm shown in
For example, the information partition processing unit 120-3 may divide the first parameter information d′p and the second parameter information d′q respectively into a plurality of blocks as shown in processes numbered 4 and 9 in the CRT-RSA algorithm shown in
The information partition processing unit 120-3 may be used to calculate 1A block information L′d
as shown in process 4 of the CRT-RSA algorithm shown in
The information partition processing unit 120-3 may also be used to calculate 2A block information from the second parameter information d′q of an n-bit length based on calculation of
as shown in process 4 of the CRT-RSA algorithm shown in
The information partition processing unit 120-3 may also be used to calculate 1B block information from the first parameter information d′p of an n-bit length based on calculation of
using the input information and the intermediate calculation information stored in the register block 120-1, as shown in process 9 of the CRT-RSA algorithm shown in
The information partition processing unit 120-3 may also be used to calculate 2B block information R′d
using the input information and the intermediate calculation information stored in the register block 120-1, as shown in the process 9 of the CRT-RSA algorithm shown in
In the above manner, the information partition processing unit 120-3 may respectively divide the first parameter information and second parameter information into a corresponding plurality of blocks like the processes 4 and 9 of the CRT-RSA algorithm shown in
The modular multiplier 120-4 may be used to perform modular exponentiation calculation processes by applying the intermediate calculation information to each of the blocks divided from the first parameter information d′p and second parameter information d′q through a plurality of calculating iterations. For example, the modular exponentiation calculation process may be performed using the modular exponentiation calculation algorithm shown in
That is, the modular multiplier 120-4 may perform the modular exponentiation calculation according to a block unit such as the processes numbered 5, 7, 10, and 11 in the CRT-RSA algorithm shown in
In this regard, the modular multiplier 120-4 may calculate a first calculation value Ls
The modular multiplier 120-4 may also be used to calculate a fourth calculation value Ls
The modular multiplier 120-4 may also be used to calculate a seventh calculation value Rs
The modular multiplier 120-4 may also be used to calculate a tenth calculation value Rs
In the above manner, the modular multiplier 120-4 may be used to perform the modular exponentiation calculation for each of a number of blocks, like in the exemplary processes 5, 7, 10, and 11 of the CRT-RSA algorithm listed in
The CRT calculator 120-5 may be used to perform a CRT calculation using the results of the modular exponentiation calculations. For example, the CRT calculator 120-5 may perform a CRT calculation like process 13 of the CRT-RSA algorithm shown in
For example, the CRT calculator 120-5 may be used to calculate a thirteenth calculation value S and a fourteenth calculation value S′ using the input information and the intermediate calculation information stored in the register block 120-1 based (e.g.,) on the calculations: S=CRTFA(Rs
As another example, the CRT calculator 120-5 may be used to calculate a thirteenth calculation value S and a fourteenth calculation value S′ based on calculations: S=CRTFA(Rs
The encryption result calculator 120-6 may be used to calculate an encryption result obtained by a comparing determination operation based on the CRT calculation results. For example, the encryption result calculator 120-6 may be used to perform processes 15, 16, and 17 in the CRT-RSA algorithm listed in
The encryption result calculator 120-6 may be used to perform a comparing determination process in relation to the input information and intermediate calculation information stored in the register block 120-1, like the process 15 in the CRT-RSA algorithm listed in
The encryption result calculator 120-6 may perform a comparing determination process using the input information and intermediate calculation information stored in the register block 120-1 as in the process 15 of the CRT-RSA algorithm listed in
Next, a CRT-RSA encryption method according to an embodiment of the inventive concept performed in the electronic device 100 of
The electronic device 100 performs an operation of calculating first parameter information and second parameter information that will be used in at least one modular exponentiation calculation process based on a modular calculation result of a secret key that is obtained using Euler's phi function values with respect to two different prime numbers calculated using a public key (S110).
For example, the electronic device 100 may respectively determine dp and dq according to the equations: dp=d mod(p−1) and dq=d mod(q−1) as the first parameter information and second parameter information. Here, d denotes a secret key, ‘p’ and ‘q’ are prime numbers, and a public key N satisfies the condition N=p·q.
Otherwise, d′p and d′q, intermediate calculation information respectively derived from dp and dq, may be determined as the first parameter information and second parameter information. Here, d′p may be determined as first intermediate calculation information derived from dp using both dp and dq, while d′q may be determined as second intermediate calculation information derived from dq using both dp and dq.
For example, d′p and d′q may be calculated by the calculation process shown in process 3 in the CRT-RSA algorithm of
Next, the electronic device 100 performs an operation of a modular exponential calculation process with respect to a “next block” based on calculation information for a “previous block”, wherein these sequentially processed blocks are respectively divided from the first parameter information and second parameter information (S120). For example, the first parameter information and second parameter information may be respectively divided into two blocks, and the modular exponential calculation with respect to the next block may be performed using at least one of the intermediate calculation information and calculation information of a previous block for each one of the defined blocks. In certain embodiments of the inventive concept, the first parameter information and second parameter information may be respectively divided into two blocks having the same size.
Next, the electronic device 100 performs an operation of calculating an encryption result based on the CRT calculation using the modular exponential calculation result (S130). For example, an error may be detected by the comparing determination process in the operation of calculating the encryption result.
The electronic device 100 performs an operation of calculating intermediate calculation information dp and dq based on the equations: dp=d mod(p−1) and dq=d mod(q−1) using input information (S110-1). For example, the electronic device 100 may perform an operation respectively calculating the first parameter information d′p and second parameter information d′q as derived from the intermediate calculation information dp and dq using the intermediate calculation information dp and dq (S110-2). Thus, the first parameter information d′p and second parameter information d′q may be calculated using the process 3 in the CRT-RSA algorithm listed in
The electronic device 100 may be used to perform the operation of extracting 1A block information from the first parameter information d′p (S120-1). The electronic device 100 may also be used to extract the 1A block information from the first parameter information d′p using a LEFTB function. For example, the 1A block information L′d
In addition, the electronic device 100 may be used to perform the operation of extracting 2A block information from the second parameter information d′q (S120-2). The electronic device 100 may be used to extract the 2A block information from the second parameter information d′q using the LEFTB function. For example, the 2A block information L′d
Next, the electronic device 100 may be used to perform a first modular exponential calculation based on the 1A block information (S120-3). For example, a first calculation value Ls
In addition, the electronic device 100 may be used to perform a second modular exponential calculation based on the 2A block information (S120-4). For example, a fourth calculation value Ls
Next, the electronic device 100 may be used to perform an operation of extracting 1B block information from the first parameter information d′p, except for the 1A block information L′d
Here, Ψd may be determined based on dp and dq, where dp and dq may be determined respectively by equations dp=d mod(p−1) and dq=d mod(q−1), and t′d
In addition, the electronic device 100 may be used to perform an operation of extracting 2B block information from the second parameter information d′q, except for the 2A block information L′d
Here, Ψd may be determined based on dp and dq, where dp and dq may be determined respectively using the equations: dp=d mod(p−1), and dq=d mod(q−1), and t′d
Next, the electronic device 100 may be used to perform a third modular exponential calculation based on the 1B block information by using the modular exponential calculation result of the 1A block information (S120-7). For example, a seventh calculation value Rs
Similarly, the electronic device 100 may be used to perform a fourth modular exponential calculation based on the 2B block information by using the modular exponential calculation result with respect to the 2A block information (S120-8). For example, a tenth calculation value Rs
The electronic device 100 may be used to calculate the thirteenth calculation value S and the fourteenth calculation value S′ using the equations: S=CRTFA(Rs
Consistent with this approach, the electronic device 100 will provide an encrypted result based on a determination using a comparison process for the thirteenth and fourteenth calculation values S and S′ (S130-2). The comparison and determination process may be performed as in the process 15 in the CRT-RSA algorithm of
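As an added worked example, not the patent's own code, of the procedure S110 through S130 described above: the exponent is split into an A block (the top half of its bits) and a B block (the low half), the B-block exponentiation is chained on the A-block result so that a fault in the first step is carried into the second, the halves are recombined by CRT, and the signature is released only if a second value S′ agrees with S. Assumptions not taken from the document: d′p and d′q are used as dp and dq directly (the patent derives them further with values not reproduced in this text); LEFTB is taken to mean the top k bits of an n-bit value; S′ is recomputed on a plain unsplit path as a stand-in for the CRTFA(R′s …) path; the key is a constructed toy key, and `leftb`, `rightb`, `chained_exp`, `crt_recombine`, `sign_blockwise` and `NBITS` are this example's own names.

```python
# Added example (not code from the patent): exponent block splitting with the
# B-block exponentiation chained on the A-block result, followed by a two-path
# comparison before the signature is released.
# Assumptions made here, not taken from the patent text:
#  * d'p and d'q are used as dp and dq directly (the patent derives them
#    further using values not reproduced in this text);
#  * LEFTB means "the top k bits of an n-bit value"; the B block is the rest;
#  * the second value S' is recomputed on a plain (unsplit) path, standing in
#    for the patent's CRTFA(R's ...) path.
# Key values are constructed toy numbers, far too small for real use.

P, Q = 61, 53                         # constructed primes
N = P * Q
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))     # secret key
NBITS = 6                             # dp, dq < 60 fit in 6 bits (toy sizes)


def leftb(x, n_bits, k):
    """A block: the top k bits of the n-bit exponent."""
    return x >> (n_bits - k)


def rightb(x, n_bits, k):
    """B block: the remaining low n-k bits."""
    return x & ((1 << (n_bits - k)) - 1)


def chained_exp(m, d, mod, n_bits, fault_in_left=False):
    """m^d mod `mod` as two block exponentiations.
    d = L * 2^(n-k) + R, so m^d = (m^L)^(2^(n-k)) * m^R.  The B-block step
    consumes the A-block result, so a fault hitting the A result is carried
    into the B result instead of staying local (fault diffusion).
    Returns (A-block result, final result)."""
    k = n_bits // 2
    L, R = leftb(d, n_bits, k), rightb(d, n_bits, k)
    left = pow(m, L, mod)                          # first/second exponentiation
    if fault_in_left:
        left = (left + 1) % mod                    # constructed fault on the A result
    carried = pow(left, 1 << (n_bits - k), mod)    # shift the A result into position
    right = (carried * pow(m, R, mod)) % mod       # third/fourth exponentiation
    return left, right


def crt_recombine(sp, sq, p, q):
    """Garner recombination: S = sp mod p and S = sq mod q."""
    h = (pow(q, -1, p) * (sp - sq)) % p
    return sq + q * h


def sign_blockwise(m, d, p, q, n_bits, fault_in_left=False):
    """Block-wise CRT-RSA signature; returns None if the two paths disagree."""
    dp, dq = d % (p - 1), d % (q - 1)
    _, sp = chained_exp(m, dp, p, n_bits, fault_in_left)
    _, sq = chained_exp(m, dq, q, n_bits)
    s = crt_recombine(sp, sq, p, q)
    # Second path S' (assumed stand-in for the patent's CRTFA(R's ...) value).
    s_prime = crt_recombine(pow(m, dp, p), pow(m, dq, q), p, q)
    return s if s == s_prime else None


if __name__ == "__main__":
    m = 65
    clean = chained_exp(m, D % (P - 1), P, NBITS)
    faulty = chained_exp(m, D % (P - 1), P, NBITS, fault_in_left=True)
    print("A result, B result (clean):  ", clean, " direct:", pow(m, D % (P - 1), P))
    print("A result, B result (faulted):", faulty, "-> fault carried into the B block")
    print("released:", sign_blockwise(m, D, P, Q, NBITS))
    print("released under fault:", sign_blockwise(m, D, P, Q, NBITS, fault_in_left=True))
```

`chained_exp` returns both the A-block result and the final value so the diffusion can be observed directly: corrupting the A result changes the B result as well, and the disagreement between S and S′ in `sign_blockwise` then withholds the output instead of emitting a value that is wrong modulo one prime only.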
In operations S701A and S701B, dp and dq are respectively calculated by using equations: dp=d mod(p−1) and dq=d mod(q−1).
In operation S702A, first parameter information d′p is calculated using the values of dp and dq. Accordingly, if a fault is injected to any one of dp and dq, the fault may be diffused to the first parameter information d′p.
In operation S702B, second parameter information d′q is calculated using the values of dp and dq. Accordingly, if a fault is injected to any one of dp and dq, the fault may be diffused to the second parameter information d′q.
In operation S703A, the 1A block information L′d
In operation S703B, the 2A block information L′d
In operation S704A, a pair of intermediate values Ls
In operation S704B, another pair of intermediate values Ls
In operation S705A, an intermediate value t′d
In operation S705B, an intermediate value t′d
In operation S706A, the 1B block information R′d
In operation S706B, the 2B block information R′d
In operation S707A, another pair of intermediate values Rs
In operation S707B, another pair of intermediate values Rs
In operation S708A, an intermediate value tp is calculated by using the initial value and previous intermediate values. For example, the intermediate value tp may be calculated by using an equation
tp=(Tpq+p)−p′−q′=p′+q′+p−p′−q′=p
In operation S708B, an intermediate value tq is calculated by using the initial value and previous intermediate values. For example, the intermediate value tq may be calculated by using an equation
tq=(Tpq+q)−p′−q′=p′+q′+q−p′−q′=q
In operation S709A, an intermediate value S is calculated by performing a CRT calculation using Rs
In operation S709B, an intermediate value S′ is calculated by performing a CRT calculation using R′s
In operation S710, an intermediate value Sd
In operation S711, a determination is made as to whether or not an error has been introduced during the encryption processes using the intermediate values. For example, it may be determined whether there is an error in the encryption processes using an “if statement”, such as
If ((S+Td)≠m·(S′+Sd
In operation S712, where it is determined that no error has been introduced into the determination result in operation S711, a final output value S is calculated by using the intermediate values S and S′ and other previous intermediate values.
Because the CRT-RSA encryption process includes the Feistel structure described above, a fault injected into the initial value or into any intermediate value is diffused unpredictably into every subsequent intermediate value and into the output value. Accordingly, even if the check of operation S711 is skipped by the attacker, the faulty output does not reveal the secret values p and q.
As already noted,
Input information in the CRT-RSA algorithm shown in
In
An algorithm shown in
If there is no fault injected in the CRT-RSA algorithm shown in
First, in the process 2, the intermediate values p′, q′ and Tpq corresponding to intermediate calculation information are calculated using equations 1 through 3.
p′=(Ψpq⊕q)+(s−1)p (1)
q′=(Ψpq⊕p)+(s−1)q (2)
Tpq=sp+sq (3)
Next, in the process 3, the first parameter d′p and the second parameter d′q are calculated using equations 4 and 5.
d′p=(Ψd⊕dq)&dp (4)
d′q=(Ψd⊕dp)&dq (5)
Next, in the process 4, the 1A block information L′d
Then, in the process 5, a pair of intermediate values Ls
Ls
L′s
CKL
Next, in the process 6, the intermediate value t′d
t′d
In addition, another pair of intermediate values Ls
Ls
L′s
CKL
In the process 8, the intermediate value t′d
t′d
Next, in the process 9, the 1B block information R′d
Then, in the process 10, another pair of intermediate values Rs
Next, in the process 11, another pair of intermediate values Rs
Next, in the process 12, the intermediate values tp and tq are calculated using equations 24 and 25.
tp=(Tpq+p)−p′−q′=p′+q′+p−p′−q′=p (24)
tq=(Tpq+q)−p′−q′=p′+q′+q−p′−q′=q (25)
In the process 13, the intermediate values S and S′ are obtained by performing CRT calculations using equations 26 and 27.
S=CRTFA(Rs
S′=CRTFA(R′s
In the process 14, the intermediate value Sd
Sd
In addition, if (S+Td)+m·(S′+Sd
As described above, embodiments of the inventive concept provide a random modulus blinding method that uses fault diffusion, which also makes the computation resistant to power analysis and electromagnetic analysis. Moreover, even if a fault attack that skips the “if statement” in process 15 is performed, a fault injected during any calculation step is diffused, so the value that is output is itself faulty. The attacker therefore cannot identify the secret value from the faulty output.
That is, when a fault is injected, it is diffused through the intermediate calculations, the output value carries the fault, and the secret value cannot be identified from it.
The example of the CRT-RSA algorithm shown in
Input information in the CRT-RSA algorithm of
An algorithm shown in
If there is no fault injected in the CRT-RSA algorithm shown in
First, in process 2, intermediate values p′, q′, and Td are calculated using equations 30 through 32.
p′=(Ψpq⊕q)&p=p (30)
q′=(Ψpq⊕p)&q=q (31)
Td=(dp+dq)+s(p+q−2) (32)
Next, in process 3, a first parameter d′p and a second parameter d′q are calculated using equations 33 and 34.
d′p=((Ψd⊕dq)&dp)+s(p−1)=dp+s(p−1) (33)
d′q=((Ψd⊕dp)&dq)+s(q−1)=dq+s(q−1) (34)
In process 4, 1A block information L′d
In process 5, a pair of intermediate values Ls
In process 6, an intermediate value td
td
In process 7, another pair of intermediate values Ls
In process 8, an intermediate value td
td
In process 9, 1B block information R′d
In process 10, another pair of intermediate values Rs
In process 11, another pair of intermediate values Rs
In process 12, intermediate values tp and tq are calculated using equations 39 and 40.
tp=Ψpq⊕q′=p (39)
tq=Ψpq⊕p′=q (40)
In process 13, intermediate values S and S′ are calculated by performing CRT calculations using equations 41 and 42.
S=CRTFA(Rs
S′=CRTFA(R′s
In process 14, an intermediate value Sd
Sd
Next, if a determination result of process 15 is (S+Td)mod tptq=m·(S′+Sd
As described above, even if a fault attack designed to skip the “if statement” in process 15 is performed, a fault injected during any calculation step is diffused, so the value that is output is itself faulty. The attacker therefore cannot find out the secret value from the faulty output.
For example, if the attacker deforms dp in the process 3 of the algorithm shown in
=((Ψd⊕dq)&)+s(p−1) (45)
=((Ψd⊕)⊕dq)+s(q−1) (46)
Therefore, a fault occurring in dp is diffused into both the first parameter d′p and the second parameter d′q. As a result, the faulty encrypted result S is random information that is independent of p and q.
As another example, if the attacker deforms the value dq in the process 3 of the algorithm shown in
=((Ψd⊕)&dp)+s(p−1) (47)
=((Ψd⊕dp)⊕)+s(q−1) (48)
Therefore, a fault occurring in dq is diffused into both the first parameter d′p and the second parameter d′q. As a result, the faulty encrypted result S is random information that is independent of p and q.
As another example, if the attacker deforms values d′p or d′q in the algorithm shown in
As another example, if the attacker deforms p or q in the algorithm shown in
As another example, if the attacker deforms p′ or q′ in the algorithm shown in
As another example, if the attacker deforms Ψd or Ψpq in the algorithm shown in
Therefore, the secret values ‘p’ and/or ‘q’ will not be identified by fault attacks.
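The following is an added worked example, written for this page and not taken from the patent or from any implementation of it. It demonstrates in Python why the fault analysis above matters: plain CRT-RSA with a fault confined to one half-exponentiation leaks a prime factor through gcd(S̃^e − m, N) (the Bellcore attack), whereas a fault that has been diffused into both halves, which is the property the Feistel-style construction in processes S701-S712 and equations 30-42 is designed to guarantee, yields gcd 1 and leaks nothing. It also checks the exponent blinding of equations 33 and 34 (d′p = dp + s(p−1), d′q = dq + s(q−1)) against the unblinded signature. The RSA key is a constructed toy key (20-bit primes), the fault model (adding 1 to a half-result, or flipping a bit of dp) is an assumption chosen for illustration, and the functions `sign_with_fault` and `bellcore_recover_prime` are hypothetical names; the diffusion itself is modelled by corrupting both halves, not by the page's equations 4 and 5, whose terms are not fully given here.

```python
import math

# Constructed toy RSA key for illustration only (real keys are 2048 bits or more).
P = 1000003            # smallest prime above 10^6 (assumed, verified offline)
Q = 999983             # largest prime below 10^6
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)    # private exponent (Python 3.8+ modular inverse)

# CRT parameters exactly as on the page: dp = d mod (p-1), dq = d mod (q-1).
DP = D % (P - 1)
DQ = D % (Q - 1)
IQ = pow(Q, -1, P)     # q^{-1} mod p, used for Garner recombination


def crt_recombine(sp, sq):
    """Garner's form of the CRT: S = sq + q * ((sp - sq) * q^{-1} mod p)."""
    h = ((sp - sq) * IQ) % P
    return (sq + Q * h) % N


def sign_crt(m, dp=DP, dq=DQ):
    """Plain, unprotected CRT-RSA: two half-size exponentiations, then CRT."""
    sp = pow(m, dp, P)
    sq = pow(m, dq, Q)
    return crt_recombine(sp, sq)


def blinded_exponents(s):
    """Exponent blinding in the shape of equations 33 and 34:
    d'p = dp + s(p-1), d'q = dq + s(q-1).  By Fermat, m^(p-1) = 1 mod p, so the
    blinded exponents produce the same signature while changing the operand
    of each exponentiation from one call to the next."""
    return DP + s * (P - 1), DQ + s * (Q - 1)


def sign_with_fault(m, corrupt_p_half, corrupt_q_half):
    """Fault model (assumed for illustration): disturb the p-half result, the
    q-half result, or both, before recombination.  Corrupting both halves
    stands in for a scheme in which the fault has been diffused."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if corrupt_p_half:
        sp = (sp + 1) % P
    if corrupt_q_half:
        sq = (sq + 1) % Q
    return crt_recombine(sp, sq)


def bellcore_recover_prime(m, faulty_sig):
    """Boneh-DeMillo-Lipton (Bellcore) attack.  If exactly one CRT half is
    wrong, faulty_sig^e == m holds modulo the uncorrupted prime only, so
    gcd(faulty_sig^e - m, N) is that prime.  Returns 1 when both halves are
    wrong: a diffused fault leaks nothing."""
    return math.gcd((pow(faulty_sig, E, N) - m) % N, N)


def verify(m, sig):
    """The classical output check (compare with the page's process 15 'if'):
    never release a signature that does not verify under the public key."""
    return pow(sig, E, N) == m % N


if __name__ == "__main__":
    m = 12345                                    # constructed message
    s = sign_crt(m)
    print("signature ok:", verify(m, s) and s == pow(m, D, N))
    print("blinded == plain:", sign_crt(m, *blinded_exponents(7)) == s)
    print("fault in p-half leaks q:", bellcore_recover_prime(m, sign_with_fault(m, True, False)) == Q)
    print("fault in dp alone leaks q:", bellcore_recover_prime(m, sign_crt(m, DP ^ 1, DQ)) == Q)
    print("diffused fault leaks nothing:", bellcore_recover_prime(m, sign_with_fault(m, True, True)))
```

The `verify` step is the check an attacker tries to skip with a second fault; the last line shows the property the page argues for: once a fault has reached both halves, the released value satisfies neither congruence and the gcd is trivial, so removing the check no longer hands the attacker a factor of N.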
The CRT-RSA algorithm using the Feistel structure may operate safely against all currently known attacks of this kind while adding only a small computational load, approximately 0.002% of that of conventional CRT-RSA algorithms.
Referring to
For example, the processor 1200 shown in
For example, the NV memory 1100 shown in
The processor 1200 may perform certain calculations or tasks. For example, the processor 1200 may perform operations according to the CRT-RSA algorithm suggested by the present inventive concept. According to one or more embodiments of the present inventive concept, the processor 1200 may be a micro-processor or a central processing unit (CPU). The processor 1200 may communicate with the RAM 1300, the I/O device 1400, and the NV memory 1100 via the bus 1600 such as an address bus, a control bus, and a data bus. According to one or more embodiments, the processor 1200 may be connected to an expanded bus such as a peripheral component interconnect (PCI) bus.
The RAM 1300 may store data required to operate the computing system 1000. For example, the RAM 1300 may be a DRAM, a mobile DRAM, an SRAM, a PRAM, a ferroelectric RAM (FRAM), an RRAM, and/or an MRAM.
The I/O device 1400 may include an input unit, such as a keyboard, a keypad, or a mouse, and an output unit, such as a printer or a display. The power device 1500 may supply an operation voltage required to operate the computing system 1000.
Referring to
The memory device 2230 shown in
The card controller 2220 may include hardware or software for realizing the encryption processing unit 120 shown in
The host 2100 may record data in the memory card 2200 or read the data stored in the memory card 2200. For example, the host 2100 may perform operations according to the CRT-RSA algorithm suggested by the embodiments of the present inventive concept.
The host controller 2110 may transmit a command CMD, a clock signal CLK generated by a clock generator (not shown) in the host 2100, and data (DATA) to the memory card 2200 via the host connector 2120.
For example, the host controller 2110 may include hardware or software realizing the encryption processing unit 120 shown in
The memory card 2200 may be a compact flash card (CFC), a micro-drive, a smart media card (SMC), a multimedia card (MMC), a secure digital (SD) card, a memory stick, or a USB flash memory drive.
Referring to
The flash memory system described above may be mounted by using a package of any shape. For example, a memory system of the inventive concept may be mounted by using a package on package (PoP), ball grid arrays (BGAs), chip scale packages (CSPs), a plastic leaded chip carrier (PLCC), a plastic dual in-line package (PDIP), a die in waffle pack, a die in wafer form, a chip on board (COB), a ceramic dual in-line package (CERDIP), a plastic metric quad flat pack (MQFP), a thin quad flat pack (TQFP), a small outline integrated chip (SOIC), a shrink small outline package (SSOP), a thin small outline package (TSOP), a system in package (SIP), a multi chip package (MCP), a wafer-level fabricated package (WFP), or a wafer-level processed stack package (WSP).
Different embodiments of the inventive concept may be variously implemented in a method, an apparatus, or a system. When the inventive concept is implemented, wholly or in part, in software, its component elements are code segments required to execute the necessary functionality. Programs or code segments may be stored in processor readable media and may be communicated via a computer data signal in a transmission medium or in a communication network. The processor readable medium can be any medium capable of storing and/or communicating data. Examples of the processor readable medium include electronic circuits, semiconductor memory devices, ROMs, flash memories, erasable ROMs (EROMs), floppy disks, optical disks, hard disks, optical fibers, radio frequency (RF) networks, etc.
While the inventive concept has been particularly shown and described with reference to exemplary embodiments thereof, it will be understood that various changes in form and details may be made therein without departing from the scope of the following claims.
Number | Date | Country | Kind |
---|---|---|---|
10-2014-0012212 | Feb 2014 | KR | national |
Number | Name | Date | Kind |
---|---|---|---|
5991415 | Shamir | Nov 1999 | A |
6144740 | Laih et al. | Nov 2000 | A |
7496758 | Fischer et al. | Feb 2009 | B2 |
20060029224 | Baek et al. | Feb 2006 | A1 |
20130208886 | Lee | Aug 2013 | A1 |
Number | Date | Country |
---|---|---|
1 347 596 | Feb 2007 | EP |
2 222 012 | Aug 2010 | EP |
10-0431047 | Apr 2004 | KR |
10-0431286 | Apr 2004 | KR |
10-0953715 | Apr 2010 | KR |
10-0953716 | Apr 2010 | KR |
10-0954844 | Apr 2010 | KR |
10-1112570 | Jan 2012 | KR |
10-2013-0054591 | May 2013 | KR |
2006103149 | Oct 2006 | WO |
2008114310 | Sep 2008 | WO |
Entry |
---|
W. T. Penzhorn, “Fast decryption algorithms for the RSA cryptosystem,” AFRICON, 2004. 7th AFRICON Conference in Africa, Gaborone, 2004, pp. 361-364 vol. 1. |
“Data Encryption Standard (DES)”, Federal Information Processing Standards Publication, FIPS PUB 46-3, Oct. 25, 1999, U.S. Dept. of Commerce. |
Chung-Hsien Wu, Jin-Hua Hong and Cheng-Wen Wu, “RSA cryptosystem design based on the Chinese remainder theorem,” Design Automation Conference, 2001. Proceedings of the ASP-DAC 2001. Asia and South Pacific, Yokohama, 2001, pp. 391-395. |
J. Ha, C. Jun, J. Park, S. Moon and C. Kim, “A New CRT-RSA Scheme Resistant to Power Analysis and Fault Attacks,” Convergence and Hybrid Information Technology, 2008. ICCIT '08. Third International Conference on, Busan, 2008, pp. 351-356. |
A. P. Fournaris and O. Koufopavlou, “Protecting CRT RSA against Fault and Power Side Channel Attacks,” 2012 IEEE Computer Society Annual Symposium on VLSI, Amherst, MA, 2012, pp. 159-164. |
J. S. Coron, C. Giraud, N. Morin, G. Piret and D. Vigilant, “Fault Attacks and Countermeasures on Vigilant's RSA-CRT Algorithm,” Fault Diagnosis and Tolerance in Cryptography (FDTC), 2010 Workshop on, Santa Barbara, CA, 2010, pp. 89-96. |
C. H. Kim and J. J. Quisquater, “How can we overcome both side channel analysis and fault attacks on RSA-CRT?,” Fault Diagnosis and Tolerance in Cryptography, 2007. FDTC 2007. Workshop on, Vienna, 2007, pp. 21-29. |
C. Aumuller et al., “Fault Attacks on RSA with CRT : Concrete Results and Practical Countermeasures”. |
Johannes Blomer et al., “A New CRT-RSA Algorithm Secure Against Bellcore Attacks”. |
Nevine Ebeid et al., “A New CRT-RSA Algorithm Resistant to Powerful Fault Attacks”. |
Sung-Min Yen et al., “Cryptanalysis of Two Protocols for RSA with CRT Based on Fault Infection,” pp. 53-61. |
Chong Hee Kim et al., “How can we overcome both side channel analysis and fault attacks on RSA-CRT?” 2007 Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 21-29. |
Mathieu Ciet et al., “Practical Fault Countermeasures for Chinese Remaindering Based RSA”. |
Christophe Giraud, “An RSA Implementation Resistant to Fault Attacks and to Simple Power Analysis,” IEEE Transactions on Computers, vol. 55, No. 9, Sep. 2005, pp. 1116-1120. |
Jae Cheoul Ha et al., “A New CRT-RSA Scheme Resistant to Power Analysis and Fault Attacks,” Third 2008 International Conference on Convergence and Hybrid Information Technology, pp. 351-356. |
Jean-Sebastien Coron et al., “Fault Attacks and Countermeasures on Vigilant's RSA-CRT Algorithm,” 2010 Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 89-96. |
Arnaud Boscher et al., “CRT RSA Algorithm Protected Against Fault Attacks,” pp. 229-243. |
Bellcore: New Threat Model Breaks Crypto Codes. Press Release (1996). |
Bao, F. et al., “Breaking Public Key Cryptosystems on Tamper Resistant Devices in the Presence of Transient Faults,” Security Protocols, Lecture Notes in Computer Science, vol. 1361. |
Number | Date | Country | |
---|---|---|---|
20150222434 A1 | Aug 2015 | US |