ZHOU Yi,SHEN Hai-bin,FAN Jun-feng

DOI: https://doi.org/10.3969/j.issn.1671-7147.2006.06.015

2006-01-01

Abstract:RSA is a time-consumed algorithm and is always implemented by using Montgomery multiplication algorithm.The paper develops a two-stage Montgomery multiplication algorithm and presents a high speed scalable hardware implementation based on the algorithm described for the RSA computation.High-radix,2~(64) is used in the algorithm.Compared with other Montgomery multiplication algorithm,the performance of RSA algorithm is highly improved.In hardware area,based on three pipelined 64×64 bit multiplier,five pipelined process unit is designed.Its architecture gives enough freedom to select the operand length to be used.It can implement multi RSA operation such as 1 024 bit,2 048 bit.In the 1 024 bit condition,its encrypt speed can reach 8 800 times per second.The system simulation and tapeout is based on SIMC0.18 technology.

Zehong (Zephyr) Qiu,Fan Zhang

DOI: https://doi.org/10.46586/tches.v2023.i3.570-596

2023-01-01

Abstract:Algebraic Fault Analysis (AFA) is a cryptanalysis for block ciphers proposed by Courtois et al., which incorporates algebraic cryptanalysis to overcome the complexity of manual analysis within the context of Differential Fault Analysis (DFA). The effectiveness of AFA on lightweight block ciphers has been demonstrated. However, the complexity of the algebraic systems prevents it from attacking heavyweight block ciphers efficiently. In this paper, we propose a novel cryptanalysis called Redundancies-assisted Algebraic Fault Analysis (RAFA) to facilitate the solution of algebraic systems in the setting of heavyweight block ciphers. The core idea of RAFA is to expedite SAT solvers by modifying the algebraic systems, which is accomplished via two methods. The first method introduces redundant constraints, which is proposed for the first time in the context of algebraic cryptanalysis. The second one is a sophisticated linearization of the nonlinear Algebraic Normal Form (ANF). It takes RAFA for about 9.68 hours to attack AES-128. To the best of our knowledge, this is the first work that uses a general SAT solver to attack AES with only a single injection of byte-fault. Moreover, RAFA can attack AES-128 in 50.92 and 27.54 minutes for nibble- and bit-based fault model, respectively. In comparison, the traditional DFA algorithm implemented by pure C takes 4 ~ 5 hours under all three fault models investigated in this work. Moreover, in order to show the generality of RAFA, we also apply it to other heavyweight block ciphers. The best results show that RAFA could recover the key of Serpent-256 and SPEEDY-r-192 in 20.7 and 1.5 hours using only three faults, respectively. In comparison, AFA could not break these two ciphers even when 30 bits and 50 bits of their keys are known, respectively. Furthermore, no DFA work on Serpent or SPEEDY is known using comparable fault models.

Wen PANG,Jun-sheng WU

DOI: https://doi.org/10.3969/j.issn.1671-654X.2006.02.035

2006-01-01

Abstract:RSA is the most widely used arithmetic in the field of digital signature at present.Giving a detailed account of the arith-principle and arithmetic process of RSA,analyzed the leak and defect on the aspect of security matter,and formulated a series suggestion on the safety concern of how to enhancing the parameter selective program and avoiding attacked solution.Finally,the developing tend of RSA is prospected.

Li Zhu,Da-wu Gu,Chao Wang

DOI: https://doi.org/10.1007/s11741-008-0212-2

2008-01-01

Abstract:Based on the structure of the side channel attacks (SCAs) to RSA cryptosystem can resist the fault attack and combine with the randomization method for the message and secret exponent, a new implementation scheme of CRT-based (the Chinese remained theorem) RSA is proposed. The proposed scheme can prevent simple power analysis (SPA), differential power analysis (DPA) and time attack, and is compatible with the existing RSA-CRT cryptosystem as well. In addition, an improvement for resisting fault attack is proposed, which can reduce extra computation time.

Liangjian Su,Wei Guo,Zheng Guo

DOI: https://doi.org/10.1109/cis.2015.87

2015-01-01

Abstract:Recently, passive information leakage and active fault injection are widely utilized to conduct attacks and these attacks have become a serious threat to most cryptosystems such as RSA. In order to ensure the security, many exponentiation algorithms with resistance to different side-channel attacks were developed. In 2007, Amiel et al. Firstly combined Fault Attack (FA) and Simple Power Analysis (SPA) attack, which are considered as the classical active and passive attacks respectively, to recover the private key of some RSA implementations. In this paper, we show that Boscher's blind fault resistant exponentiation algorithm is also vulnerable to this kind of attack. Furthermore, we propose a countermeasure exponentiation algorithm to resist the combined attack as well as SPA, DPA and DFA.

Chao Cui,Yun Zhao,Yong Xiao,Weibin Lin,Di Xu

DOI: https://doi.org/10.1007/978-3-030-70665-4_180

2021-01-01

Abstract:As an asymmetric encryption algorithm, RSA is currently known as the ripest and most widely used one. However, it is showed in many documents in recent years that RSA algorithm is lack of security, due to its weakness in defending side channel attacks, especially power analysis attacks. This paper proposes an RSA coprocessor resistant to power analysis attack, which adds pseudo operation and exponential randomization masking to defend SPA and DPA. Then, this paper improves the speed of RSA by using 256-base subtracted-free Montgomery multiplier combining with two-layer Karatsuba multiplier and CSA adder. This design is able to be implemented on both FPGA and ASIC. With a technology of 100 MHz clock frequency and SMIC 130 nm process, DC synthesis is implemented as well. The experiment result shows that our 1024-bit RSA design costs an area of 310 K gates and has a throughput of 110 Kbps.

Xue Gong,Ao Shen,Tianxiang Feng,Guorui Xu,Shize Guo,Fan Zhang

DOI: https://doi.org/10.1016/j.vlsi.2024.102174

IF: 1.345

2024-01-01

Integration

Abstract:Cryptographic algorithms have been employed in a variety of fields as the primary method to protect information security. The security of a cryptographic algorithm is closely related to its operating environment and physical devices. Algebraic Persistent Fault Analysis (APFA) is a new fault analysis method for block ciphers proposed in CHES 2022, which utilizes the fault that persists in encryptions and introduces algebraic analysis in the fault analysis step. In the fault injection step, as the transistors of the integrated circuit are getting smaller and tighter, even high-precision devices may cause more than one fault per injection. However, more faults may lead to a more efficient attack in the fault analysis step. In this paper, APFA for double faults is proposed, which can deal with the double faults model and reduce the number of required ciphertexts. The practicality of our fault injection is validated by laser fault injection experiments on the SRAM embedded in an ATmega163L microcontroller. The effectiveness of our fault analysis is proven by successfully recovering the key of PRESENT-128 and AES-128. The number of ciphertexts needed for key recovery is reduced by 46% compared to PFA with a single fault.

Lihui Wang,Qing Li,Gang Zhang,Jun Yu,Zhimin Zhang,Limin Guo,David Wei Zhang

DOI: https://doi.org/10.1109/CIS.2015.85

2015-01-01

Abstract:Elliptic Curve Cryptography (ECC) is becoming widely deployed in embedded cryptographic devices because of the reduced number of key bits. However, the side-channel attacks especially simple side-channel analysis (SPA) can obtain secret keys by measuring power consumption. To resist this attack there appear a number of countermeasures such as Montgomery ladder and double-and-add-always algorithm. This paper proposes a new simple power analysis attack to these countermeasures by distinguishing the conditional subtraction of Montgomery modular multiplication (MMM). Experimental results on smart cards demonstrate that this attack method can retrieve secret keys easily in several seconds using one power trace. Several countermeasures that can resist this kind of SPA attack are also demonstrated in this paper.

Yanzhao Yin,Liji Wu,Qian Peng,Xiangmin Zhang

DOI: https://doi.org/10.1109/icasid.2018.8693138

2018-01-01

Abstract:Although SPA (Simple Power Analysis) has been studied for many years, it is still effective on many cryptographic algorithms based on ECC. Double-and-Add and Montgomery ladder can avoid attacks with point double and point add operations, but in software implementation of ECC algorithm, modular addition and subtraction will be the weakness that the hostile attackers may use. In this paper, a black box SPA is performed on a smart card with SM2 algorithm, a Chinese standard of ECC cryptographic algorithm. The card was proved to implement the SM2 algorithm by Jacobi form and non-adjacent form, and its private key can be extracted by SPA within less than 10 power traces, with conditional operations in the modular subtraction. Then we discussed the probability that the ECC cryptography implemented by other forms be attacked with modular subtraction or addition, and illustrate how the problem can be solved by hardware implementation.

lihui wang,qing li,zhimin zhang,weijun shan,davidwei zhang

DOI: https://doi.org/10.2991/iset-15.2015.33

2015-01-01

Abstract:Elliptic curve cryptosystems (ECCs) are becoming more popular because of the reduced number of key bits required in comparison to other cryptosystems such as RSA. They are especially suited to smartcards because of the limited memory and computational power available on these devices. However, the side-channel attacks especially simple side-channel analysis (SPA) can obtain information about the cryptosystem by measuring power consumption and processing time. To resist this attack there appear a number of countermeasures and the most widely used methods are Montgomery ladder and double-and-add-always algorithm. This paper proposes a novel simple power analysis attack to these countermeasures. Experimental results on smart cards demonstrate that this attack method can retrieve secret keys by distinguishing the conditional subtraction of Montgomery modular multiplication (MMM). Several countermeasures that can resist this kind of SPA attack are also demonstrated in this paper.

Fan Zhang,Shize Guo,Xinjie Zhao,Tao Wang,Jian Yang,Francois-Xavier Standaert,Dawu Gu

DOI: https://doi.org/10.1109/tifs.2016.2516905

2019-01-01

Abstract:Algebraic fault analysis (AFA), which combines algebraic cryptanalysis with fault attacks, has represented serious threats to the security of lightweight block ciphers. Inspired by an earlier framework for the analysis of side-channel attacks presented at EUROCRYPT 2009, a new generic framework is proposed to analyze and evaluate algebraic fault attacks on lightweight block ciphers. We interpret AFA at three levels: 1) the target; 2) the adversary; and 3) the evaluator. We describe the capability of an adversary in four parts: 1) the fault injector; 2) the fault model describer; 3) the cipher describer; and 4) the machine solver. A formal fault model is provided to cover most of current fault attacks. Different strategies of building optimal equation set are also provided to accelerate the solving process. At the evaluator level, we consider the approximate information metric and the actual security metric. These metrics can be used to guide adversaries, cipher designers, and industrial engineers. To verify the feasibility of the proposed framework, we make a comprehensive study of AFA on an ultra-lightweight block cipher called LBlock. Three scenarios are exploited, which include injecting a fault to encryption, to key scheduling, or modifying the round number or counter. Our best results show that a single fault injection is enough to recover the master key of LBlock within the affordable complexity in each scenario. To verify the generic feature of the proposed framework, we apply AFA to three other block ciphers, i.e., Data Encryption Standard, PRESENT, and Twofish. The results demonstrate that our framework can be used for different ciphers with different structures.

CHENG Wei,GU Da-wu,GUO Zheng,ZHANG Lei

DOI: https://doi.org/10.3969/j.issn.1002-0802.2011.06.043

2011-01-01

Abstract:As a fast RSA implementation,RSA-CRT is widely applied to computing-limited devices,such as smart cards.This paper describes a side channel attack against RSA-CRT implementation.By properly choosing input data,the power consumption of the intermediate value after the modular reduction is analyzed.This attack first determines the size of one of the primes,then based on it,takes another DPA attack and gets the byte-by-byte prime.The simulation experiment shows that this attack is effective,and relative to MRED,could reduce the number of needed power traces and raise the attack efficiency.

Liangliang Wang,Mi Wen,Kefei Chen,Zhongqin Bi,Yu Long

DOI: https://doi.org/10.1007/978-3-319-69471-9_19

2017-01-01

Abstract:Through the application of certificateless signature, certificate management in traditional signatures can be simplified. Furthermore, the key escrow problem in identity-based signatures can be solved as well. As history has shown, there has not been a general pairing-free certificateless signature scheme which is mainly designed with modular exponentiation and modular multiplication that can possess resistance to Type I and Type II adversaries so far. Therefore, a new hard mathematic problem is firstly defined in this paper, which is called variant of RSA problem. In the next step, a new general pairing-free certificateless signature scheme is proposed based on the newly defined variant of RSA problem and the well known discrete logarithm problem. Fortunately, the proposed scheme is also the first RSA-based certificateless signature scheme that can possess resistance to Type I and Type II adversaries. In addition, a formal security proof is provided to demonstrate that, under adaptively chosen message attacks, the proposed scheme is provably secure against Type I and Type II adversaries in the random oracle model. When compared with other known pairing-free certificateless signature schemes of the same type, the computation cost of our scheme is slightly higher, however, a higher security level can be achieved.

Aniruddha Bhattacharjya,Xiaofeng Zhong,Xing Li

DOI: https://doi.org/10.1109/access.2019.2900300

IF: 3.9

2019-01-01

IEEE Access

Abstract:For virtual private network and LAN-to-LAN tunnel sessions, End-to-End security is the main constraint in private messaging scenarios. Internet Protocol Security can negotiate new keys for every communication, but when the key is compromised, it is a problem. Perfect Forward Secrecy is the resolution. In addition, the messaging scheme should be efficient and lightweight for keeping parity with daily needs. The popular Rivest-Shamir-Adleman (RSA) cipher is omnipresent in secure communications but has many scientific problems. So here, in this paper, a lightweight and efficient Secure Hybrid RSA (SHRSA) messaging scheme with four-layered authentication stack is implemented and analyzed. The scheme is resolving the problem of asymptotic very low speed of decryption of RSA, the computational modular exponentiation complexity and partial key exposure vulnerability issues of RSA, and many more. The four-layered authentication stack have eliminated the need of the use of any password, external digital certificates, and a third party for authentication with its own four techniques in a staked way. We have found that in evolutions and analysis of the scheme, it is not only resolving various scientific problems of RSA but also occupying 2%-4% less CPU than main RSA and occupying 1%-3% less memory than main RSA. Its decryption average time has gained 8.858 times compared to the main RSA and gained 2.248 times compared to CRT RSA. We have found that the RSA, CRT-RSA, and SHRSA's encryption throughput are alike-all are around 6 KB/Sec but decryption throughput of SHRSA has gained 8.5345 times than main RSA and gained 2.1174 times than CRT-RSA. The results obtained have shown us the relevancies of the SHRSA messaging scheme to be integratable as a cipher in Blockchain architectures, cyber-physical systems, and the Internet of Everything.

Yumin Dong,Hengrui Liu,Yanying Fu,Xuanxuan Che

DOI: https://doi.org/10.1063/5.0153709

IF: 2.877

2023-07-10

Journal of Applied Physics

Abstract:Shor’s factorization algorithm (SFA) aims at finding the non-trivial factor of a given composite number, but the algorithm does not always work. In some cases, it has to call back to the beginning of the algorithm to make recalculation. After the analysis of the principle of SFA and the characteristics of RSA public-key cryptography with a series of data calculations, it can be concluded that the random value selected by the algorithm is closely related to whether the obtained period is effective. Therefore, a new optimized scheme is proposed to tackle with this defect from two perspectives: (a) When the a value is a perfect square, the algorithm can be completed with an odd cycle r. (b) When the period r obtained by the randomly selected a value is a multiple of 3, the algorithm can be completed by modifying the decomposition method to relax the requirements for the period without affecting the complexity of the algorithm. Due to the limitations of hardware in applying the quantum algorithms, the classical algorithm is applied to simulate quantum algorithms to test the success rate of decomposition of some composite numbers. The result indicates the effectiveness of the improved algorithm, which significantly reduces the probability of repeated operations to save the quantum circuit resources.

physics, applied

yulin zhang,xinggang wang

DOI: https://doi.org/10.1007/978-81-322-1695-7_20

2014-01-01

Abstract:The modified Montgomery algorithm made the modular multiplication simple using addition and shifting. We introduce four-to-two CSA architecture to design the modified Montgomery's algorithm. It cannot convert the carry-save form of an operand into its binary representation at each end of modular multiplication. At the end of RSA, we use the basic 4-CPA to accomplish the data form conversion. As a result, our design can reduce the operating time. This architecture adapts to the single chip for key lengths in excess of 1,024 bits of RSA.

Fan Zhang,Bolin Yang,Guorui Xu,Xiaoxuan Lou,Shivam Bhasin,Xinjie Zhao,Shize Guo,Kui Ren

2020-01-01

Abstract:Persistence is an intrinsic nature of many errors yet has not been caught enough attractions for years. In this chapter, the feature of persistence is applied to fault attacks (FAs), and the persistent FA is proposed. Different from traditional FAs, adversaries can prepare the fault injection stage before the encryption stage, which relaxes the constraint of the tight-coupled time synchronization. The persistent fault analysis (PFA) is elaborated on different implementations of AES-128, specially fault-hardened implementations based on dual modular redundancy (DMR). Our experimental results show that PFA is quite simple and efficient in breaking these typical implementations. To show the feasibility and practicability of our attack, a case study is illustrated on a few countermeasures of masking. This work puts forward a new direction of FAs and can be extended to attack other implementations under more interesting scenarios.

Lihui Wang,Qing Li,Zhimin Zhang,Weijun Shan,David Wei Zhang

DOI: https://doi.org/10.2991/iset-15.2015.29

2015-01-01

Abstract:Elliptic Curve Cryptography (ECC) is becoming widely deployed in embedded cryptographic devices. However, simple power analysis (SPA) attacks may retrieve secret keys by exploiting the power consumption of ECC devices. To resist the SPA attack there appear a number of countermeasures and the most widely used methods are Montgomery ladder and double-and-add-always algorithm. This paper proposes a refined simple power analysis attack to these countermeasures. Experimental results on smart cards demonstrate that this attack method can retrieve secret keys by distinguishing the power consumption of different jump instructions if the implementation of ECC's countermeasure is not carefully designed. The experiments also demonstrate that the proposed countermeasure in this paper can resist this kind of SPA attack

Majid Mumtaz,Luo Ping

DOI: https://doi.org/10.1080/09720529.2018.1564201

2019-01-01

Journal of Discrete Mathematical Sciences and Cryptography

Abstract:RSA public key cryptosystem is the de-facto standard use in worldwide technologies as a strong encryption/decryption and digital signature scheme. RSA successfully defended forty years of attack since invention. In this study we survey, its past, present advancements and upcoming challenges that needs concrete analysis and as a counter measure against possible threats according to underlying algebraic structure. Past studies shows us some attacks on RSA by inspecting flaws on relax model using weak public/private keys, integer factorization problem, and some specific low parameter selection attacks. Such flaws can not hamper the security of RSA cryptosystem by at large, but can explore possible vulnerabilities for more deep understanding about underlying mathematics and improper parameter selection. We describe a brief survey of past findings and detail description about specific attacks. A comprehensive survey of known attacks on RSA cryptosystem shows us that a well implemented algorithm is unbreakable and it survived against a number of cryptanalytic attacks since last forty years.

ZHANG Hong,LIU Fang-yuan

DOI: https://doi.org/10.3969/j.issn.2095-6835.2010.15.012

2010-01-01

Abstract:The contradictory between the RSA algorithm of the key,s length and execution efficiency is the bottleneck of the further development of the RSA algotithm.In order to balance the cost of the computation of the canadia decipher,the four prime number RSA algorithm mentioned in the article is the way of fast relization decipher based on four short keys to be divided into four modules ciphertext and the use of Chinese Remainder Theorem.can make large number of high-power operation mode into a low wide of the number of relatively small computing modular exponentiation.