Security analysis of CRT-based cryptosystems

Katsuyuki Okeya, Tsuyoshi Takagi

Research output: Contribution to journal › Article

1 Citation (Scopus)

Abstract

A side channel attack (SCA) is a serious attack on the implementation of a cryptosystem: it can recover the secret key from side channel information such as timing or power consumption. Recently, Boneh et al. showed that SSL is vulnerable to SCA if the attacker gains access to the server's local network, so public-key infrastructure eventually becomes a target of SCA as well. In this paper, we investigate the security of the RSA cryptosystem using the Chinese remainder theorem (CRT) against SCA. Novak first proposed a simple power analysis (SPA) against the CRT part that exploits the difference between the message modulo p and modulo q. In this paper, we apply Novak's attack to other CRT-based cryptosystems, namely Multi-Prime RSA, Multi-Exponent RSA, the Rabin cryptosystem, and the HIME(R) cryptosystem. A Novak-type attack depends strongly on how the CRT is implemented. We examine the CRT-related operations of these cryptosystems and show that an extended Novak-type attack is effective against them. Moreover, we present a novel attack called the zero-multiplication attack. The attacker tries to learn the secret prime by producing ciphertexts that cause a multiplication by zero during decryption, which is easily detected by power analysis. Our experimental results show that the decryption time with the zero multiplication is about 10% shorter than the standard one. Finally, we propose countermeasures against these attacks. The proposed countermeasures are based on ciphertext blinding but require no inversion operation. The overhead of the proposed scheme is only about 1-5% of the whole decryption when the modulus is 1,024 bits long.

Original language: English
Pages (from-to): 177-185
Number of pages: 9
Journal: International Journal of Information Security
Volume: 5
Issue number: 3
DOI: 10.1007/s10207-005-0080-1
Publication status: Published - Jul 1 2006

Fingerprint

Cryptography
Electric power utilization
Servers
Side channel attack

All Science Journal Classification (ASJC) codes

  • Software
  • Information Systems
  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications

Cite this

Security analysis of CRT-based cryptosystems. / Okeya, Katsuyuki; Takagi, Tsuyoshi.

In: International Journal of Information Security, Vol. 5, No. 3, 01.07.2006, p. 177-185.

Okeya, Katsuyuki ; Takagi, Tsuyoshi. / Security analysis of CRT-based cryptosystems. In: International Journal of Information Security. 2006 ; Vol. 5, No. 3. pp. 177-185.
@article{27dd1d63eef34d748e0fd3bf057b7b8b,
title = "Security analysis of CRT-based cryptosystems",
abstract = "A side channel attack (SCA) is a serious attack on the implementation of cryptosystems, which can break the secret key using side channel information such as timing, power consumption, etc. Recently, Boneh et al. showed that SSL is vulnerable to SCA if the attacker gets access to the local network of the server. Therefore, public-key infrastructure eventually becomes a target of SCA. In this paper, we investigate the security of RSA cryptosystem using the Chinese remainder theorem (CRT) in the sense of SCA. Novak first proposed a simple power analysis (SPA) against the CRT part using the difference of message modulo p and modulo q. In this paper, we apply Novak's attack to the other CRT-based cryptosystems, namely Multi-Prime RSA, Multi-Exponent RSA, Rabin cryptosystem, and HIME(R) cryptosystem. Novak-type attack strictly depends on how to implement the CRT. We examine the operations related to CRT of these cryptosystems, and show that an extended Novak-type attack is effective on them. Moreover, we present a novel attack called zero-multiplication attack. The attacker tries to guess the secret prime by producing ciphertexts that cause a multiplication with zero during the decryption, which is easily detected by power analysis. Our experimental result shows that the timing with the zero multiplication is reduced about 10{\%} from the standard one. Finally, we propose countermeasures against these attacks. The proposed countermeasures are based on the ciphertext blinding, but they require no inversion operation. The overhead of the proposed scheme is only about 1-5{\%} of the whole decryption if the bit length of modulus is 1,024.",
author = "Katsuyuki Okeya and Tsuyoshi Takagi",
year = "2006",
month = "7",
day = "1",
doi = "10.1007/s10207-005-0080-1",
language = "English",
volume = "5",
pages = "177--185",
journal = "International Journal of Information Security",
issn = "1615-5262",
publisher = "Springer Verlag",
number = "3",
}

TY - JOUR

T1 - Security analysis of CRT-based cryptosystems

AU - Okeya, Katsuyuki

AU - Takagi, Tsuyoshi

PY - 2006/7/1

Y1 - 2006/7/1

AB - A side channel attack (SCA) is a serious attack on the implementation of cryptosystems, which can break the secret key using side channel information such as timing, power consumption, etc. Recently, Boneh et al. showed that SSL is vulnerable to SCA if the attacker gets access to the local network of the server. Therefore, public-key infrastructure eventually becomes a target of SCA. In this paper, we investigate the security of RSA cryptosystem using the Chinese remainder theorem (CRT) in the sense of SCA. Novak first proposed a simple power analysis (SPA) against the CRT part using the difference of message modulo p and modulo q. In this paper, we apply Novak's attack to the other CRT-based cryptosystems, namely Multi-Prime RSA, Multi-Exponent RSA, Rabin cryptosystem, and HIME(R) cryptosystem. Novak-type attack strictly depends on how to implement the CRT. We examine the operations related to CRT of these cryptosystems, and show that an extended Novak-type attack is effective on them. Moreover, we present a novel attack called zero-multiplication attack. The attacker tries to guess the secret prime by producing ciphertexts that cause a multiplication with zero during the decryption, which is easily detected by power analysis. Our experimental result shows that the timing with the zero multiplication is reduced about 10% from the standard one. Finally, we propose countermeasures against these attacks. The proposed countermeasures are based on the ciphertext blinding, but they require no inversion operation. The overhead of the proposed scheme is only about 1-5% of the whole decryption if the bit length of modulus is 1,024.

UR - http://www.scopus.com/inward/record.url?scp=33745137797&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=33745137797&partnerID=8YFLogxK

U2 - 10.1007/s10207-005-0080-1

DO - 10.1007/s10207-005-0080-1

M3 - Article

AN - SCOPUS:33745137797

VL - 5

SP - 177

EP - 185

JO - International Journal of Information Security

JF - International Journal of Information Security

SN - 1615-5262

IS - 3

ER -