One Truth Prevails: A Deep-learning Based Single-Trace Power Analysis on RSA–CRT with Windowed Exponentiation
| Main Authors: | Kotaro Saito, Akira Ito, Rei Ueno, Naofumi Homma |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | Ruhr-Universität Bochum, 2022-08-01 |
| Series: | Transactions on Cryptographic Hardware and Embedded Systems |
| Subjects: | Side-channel attack; Deep learning; RSA–CRT; Partial key exposure attack; Gnu MP; OpenSSL |
| Online Access: | https://ojs-dev.ub.rub.de/index.php/TCHES/article/view/9829 |
| author | Kotaro Saito; Akira Ito; Rei Ueno; Naofumi Homma |
|---|---|
| affiliation | Tohoku University, 2–1–1 Katahira, Aoba-ku, Sendai-shi, Miyagi, 980-8577, Japan (all four authors) |
| collection | DOAJ |
| description | In this paper, a deep-learning based power/EM analysis attack on the state-of-the-art RSA–CRT software implementation is proposed. Our method is applied to a side-channel-aware implementation with the Gnu Multi-Precision (MP) Library, which is a typical open-source software library. Gnu MP employs a fixed-window exponentiation, which is the fastest in constant time, and loads the entire precomputation table once to avoid side-channel leaks from multiplicands. To conduct an accurate estimation of secret exponents, our method focuses on the process of loading the entire precomputation table, which we call a dummy load scheme. It is particularly noteworthy that the dummy load scheme is implemented as a countermeasure against a simple power/EM analysis (SPA/SEMA). This type of vulnerability from a dummy load scheme also exists in other cryptographic libraries. We also propose a partial key exposure attack suitable for the distribution of errors in the secret exponents recovered from the windowed exponentiation. We experimentally show that the proposed method consisting of the above power/EM analysis attack, as well as a partial key exposure attack, can be used to fully recover the secret key of the RSA–CRT from the side-channel information of a single decryption or a signature process. |
| doi | 10.46586/tches.v2022.i4.490-526 |
| format | Article |
| institution | Directory Open Access Journal |
| issn | 2569-2925 |
| language | English |
| publishDate | 2022-08-01 |
| publisher | Ruhr-Universität Bochum |
| series | Transactions on Cryptographic Hardware and Embedded Systems |
| title | One Truth Prevails: A Deep-learning Based Single-Trace Power Analysis on RSA–CRT with Windowed Exponentiation |
| topic | Side-channel attack; Deep learning; RSA–CRT; Partial key exposure attack; Gnu MP; OpenSSL |
| url | https://ojs-dev.ub.rub.de/index.php/TCHES/article/view/9829 |