Efficient CRT-Based RSA Cryptosystems Immune against the Hardware Fault Attack and the FPGA Implementations
Yonghong Yang
Supervisors: Prof. Z. Abid & Prof. W. Wang
Department of Electrical and Computer Engineering, the University of Western Ontario, Canada
May 24, 2016
Outline
- Introduction
- Literature Review
- Proposed Efficient Two-Prime RSA Cryptosystem
- Proposed Efficient Multi-Prime RSA Cryptosystem
- FPGA Implementations and Results
- Conclusions
Network security is needed everywhere:
- Wide applications need security:
  - Electronic banking and voting
  - Electronic commerce, such as online bidding
  - Email, file exchange/submission
  - Web browsing, etc.
Cryptography
- The mathematical science of securing the confidentiality/authentication of data by replacing them with a transformed version
- Two types: secret-key and public-key
- Cryptography guarantees the needed security properties:
  - Privacy or confidentiality
  - Data integrity
  - Authentication
  - Non-repudiation
Secret-Key Cryptography
- Traditional method of cryptography
- Theoretical basis: “Communication theory of secrecy systems”
- A single key is used to encrypt and decrypt texts
- DES, NSA and IDEA etc.
- Disadvantages:
  - Difficult key management
  - Keys need to be changed frequently
  - Cannot yield efficient signature mechanisms
Public-Key Cryptography
- Relatively new field – 1975, initiated by the paper “New directions in cryptography”
- Different keys are used for encryption and decryption
- RSA, DSA, DSS etc.
- Advantages:
  - Easier key management
  - Keys can remain unchanged for a longer time
  - Yields efficient digital signature mechanisms
- Disadvantage:
  - Slower throughput, since keys have larger wordlengths
RSA Cryptography
- One of the most widely used and simplest public-key cryptosystems so far
- Scheme (figure): Alice encrypts using Bob's public key and Bob decrypts using Bob's private key; Alice signs with Alice's private key and Bob checks the signature with Alice's public key
RSA Cryptosystem
- Public quantities: $n$, $e$; secret quantities: $d$, $\phi(n)$
- Encryption/decryption:
  - Encryption: $c = m^e \bmod n$
  - Decryption: $m = c^d \bmod n$
- Signing/signature verification:
  - Signing: $s = m^d \bmod n$
  - Signature verification: $m = s^e \bmod n$
Chinese Remainder Theorem Based RSA
- The Chinese Remainder Theorem is often used to speed up the operations of RSA
- Attacks on CRT-based RSA:
  - Hardware fault attack
  - Timing attack
  - Power attack
Countermeasures to the attack
- Padding the message; drawback: needs a collision-free hash function (hard)
- Checking the intermediate or final results; drawback: doubles the operational time and is not secure
- Revising the signature expression, making sure no secret information is leaked
Standard CRT-based two-prime RSA
To calculate $s = m^d \bmod n$ (figure): $m_p = m \bmod p$, $m_q = m \bmod q$; $s_p = m_p^{d_p} \bmod p$, $s_q = m_q^{d_q} \bmod q$; $s = \mathrm{CRT}(s_p, s_q)$
Standard CRT-based two-prime RSA
- Vulnerable to the hardware fault attack: when a signature $s$ with a faulty $s_p$ (or $s_q$) is available, $q$ (or $p$) $= \gcd((s^e - m) \bmod n,\ n)$ and $p$ (or $q$) $= n / q$ (or $n / p$), which factors the system
CRT-2 protocol proposed by Yen et al.
1. $k_p = \lfloor m / p \rfloor$, $k_q = \lfloor m / q \rfloor$
2. $s_p = m^{d_t} \bmod p$, $s_q = m^{d_t} \bmod q$
3. $s = (\mathrm{CRT}(s_p, s_q) \cdot m'^{\,t}) \bmod n$, where $m' = (s_p^{e_t} \bmod p + k_p + s_q^{e_t} \bmod q + k_q) / 2$
Proposed Two-Prime RSA
1. $m_p = m \bmod p$, $m_q = m \bmod q$; $s_{pt} = m_p^{\,d_s \bmod (p-1)} \bmod p$, $s_{qt} = m_q^{\,d_s \bmod (q-1)} \bmod q$
2. $X_p = m_p^t \bmod p$, $X_q = m_q^t \bmod q$; $s_p = (s_{pt} + X_p) \bmod p$, $s_q = (s_{qt} + X_q) \bmod q$
3. $s = (\mathrm{CRT}(s_p, s_q) + m') \bmod n$, where $m' = \big((|(s_p - X_p)^{e_t}|_p - m_p) + (|(s_q - X_q)^{e_t}|_q - m_q)\big) \cdot (\max(p, q) + 1)$
Block diagram of the proposed two-prime RSA (figure): inputs $(p, m)$ and $(q, m)$; for $p$, $m_p = m \bmod p$ is raised to $d_s \bmod (p-1)$ to give $s_{pt}$ and to $t$ to give $X_p$, $s_p = |s_{pt} + X_p|_p$, and the check value $m_1 = |(s_p - X_p)^{e_t}|_p - m_p$ is formed (likewise $s_q$ and $m_2$ for $q$); then $m' = (m_1 + m_2) \cdot (n / \min(p, q) + 1)$ and $s = (\mathrm{CRT}(s_p, s_q) + m') \bmod n$
Comparison of the operational speed (CRT-2 protocol by Yen et al. vs. the proposed two-prime RSA)
- Division: CRT-2 computes $k_p = \lfloor m / p \rfloor$ and $k_q = \lfloor m / q \rfloor$; the proposed two-prime RSA computes $m_p = m \bmod p$ and $m_q = m \bmod q$
- Modular exponentiation: CRT-2 computes $m'^{\,t} \bmod n$, $m^{d_t} \bmod p$ and $m^{d_t} \bmod q$; the proposed two-prime RSA computes $m_p^t \bmod p$, $m_q^t \bmod q$, $m_p^{d_t} \bmod p$ and $m_q^{d_t} \bmod q$
where $m, m' \in [1, n)$, $m_p \in [1, p)$ and $m_q \in [1, q)$
Factorization complexity
- The complexity of factoring the proposed RSA system: O(n)
- The complexity of factoring CRT-2: O(n)
- Similar
Standard CRT-based multi-prime RSA (figure): for each prime $p, q, r, \ldots, i_j$, compute $m_p = m \bmod p$ and $s_p = m_p^{d_p} \bmod p$ (likewise $s_q = m_q^{d_q} \bmod q$, $s_r = m_r^{d_r} \bmod r$, $\ldots$, $s_{i_j} = m_{i_j}^{d_{i_j}} \bmod i_j$); then $s = \mathrm{CRT}(s_p, s_q, s_r, \ldots, s_{i_j})$
Immunity of CRT-based multi-prime RSA
- When (j-1) faulty signatures are available, calculations according to these (j-1) faulty signatures factor the multi-prime RSA
- Still vulnerable to the hardware fault attack
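To make the fault-attack observation from the two-prime slide and the multi-prime slide above concrete, here is an added Python example; it is not part of the thesis or the presentation. It builds a toy CRT-RSA key from hard-coded small primes (constructed values: 61, 53, 47 and e = 17, chosen only for readability), signs one residue per prime, simulates a single faulty residue, applies the slide's formula gcd((s^e - m) mod n, n) to show which factor a faulty signature leaks, and implements the "checking the final result" countermeasure from the literature-review slide, which withholds any signature that fails s^e = m (mod n). It goes beyond the two-prime case on the slide in that the same functions handle j primes, so the three-prime leak is shown with the same code. All function names and sample values are the example's own assumptions.

```python
# Added example (not from the thesis or the slides): toy CRT-RSA signing,
# a simulated single-residue fault, the factor leak stated on the slides,
# and the "check the final result" countermeasure.  All primes, exponents
# and messages below are constructed toy values chosen for readability.
from functools import reduce
from math import gcd


def product(values):
    """Product of an iterable of integers."""
    return reduce(lambda a, b: a * b, values, 1)


def make_key(primes, e):
    """Build (n, d) for textbook RSA over any number of primes.

    phi(n) = prod (p_k - 1); d = e^-1 mod phi(n).  Raises if e is not coprime
    with phi(n), so the toy parameters cannot silently produce a broken key.
    """
    n = product(primes)
    phi = product(p - 1 for p in primes)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    return n, pow(e, -1, phi)


def crt_combine(residues, moduli):
    """Chinese Remainder Theorem: the x in [0, n) with x = r_k (mod m_k) for every k."""
    n = product(moduli)
    x = 0
    for r, m in zip(residues, moduli):
        n_k = n // m                       # product of the other moduli
        x += r * n_k * pow(n_k, -1, m)     # r_k * N_k * (N_k^-1 mod m_k)
    return x % n


def crt_sign(m, d, primes, fault_index=None):
    """s = m^d mod n computed per prime (s_k = m_k^(d mod (p_k - 1)) mod p_k) and
    recombined with the CRT.  If fault_index is given, that one residue is
    corrupted to simulate a hardware fault in the corresponding exponentiation.
    """
    residues = []
    for k, p in enumerate(primes):
        s_k = pow(m % p, d % (p - 1), p)
        if k == fault_index:
            s_k = (s_k + 1) % p            # constructed fault: residue mod p_k is wrong
        residues.append(s_k)
    return crt_combine(residues, primes)


def leaked_factor(s, m, e, n):
    """The slides' observation: for a signature with exactly one wrong residue,
    gcd((s^e - m) mod n, n) is (with overwhelming probability) the product of
    the primes whose residues were still correct, i.e. q for a faulty s_p in
    the two-prime case.  Returns n itself when the signature is correct."""
    return gcd((pow(s, e, n) - m) % n, n)


def checked_sign(m, d, e, n, primes, fault_index=None):
    """Countermeasure: verify s^e = m (mod n) before releasing s.  A signature
    that fails the check is withheld (None), so no faulty value ever leaves
    the device; the fault attack on the slides needs that faulty value."""
    s = crt_sign(m, d, primes, fault_index)
    return s if pow(s, e, n) == m % n else None


if __name__ == "__main__":
    # Two-prime toy key (constructed): p = 61, q = 53, e = 17 -> n = 3233, d = 2753
    n, d = make_key([61, 53], 17)
    m = 65
    s = crt_sign(m, d, [61, 53])
    print("correct signature verifies:", pow(s, 17, n) == m)
    s_bad = crt_sign(m, d, [61, 53], fault_index=0)     # fault in the mod-p branch
    print("factor leaked by the faulty signature:", leaked_factor(s_bad, m, 17, n))
    print("checked_sign withholds the faulty value:",
          checked_sign(m, d, 17, n, [61, 53], fault_index=0))
    # Three-prime toy key (constructed): one faulty residue still splits n
    n3, d3 = make_key([61, 53, 47], 17)
    s3_bad = crt_sign(m, d3, [61, 53, 47], fault_index=1)
    print("three-prime leak:", leaked_factor(s3_bad, m, 17, n3), "divides", n3)
```

Because x -> x^e is a permutation of the integers mod p_k whenever gcd(e, p_k - 1) = 1, the constructed "+1" fault always changes s^e mod p_k, so the gcd is exactly the product of the untouched primes; the check in `checked_sign` is the "double the operational time" countermeasure from the literature review, and the example shows why it must run before the signature is output rather than after.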
Proposed Multi-Prime RSA
1. $m_{i_k} = m \bmod i_k$; $s_{i_k t} = m_{i_k}^{\,d_s \bmod (i_k - 1)} \bmod i_k$
2. $X_{i_k} = m_{i_k}^t \bmod i_k$; $s_{i_k} = (s_{i_k t} + X_{i_k}) \bmod i_k$
3. $s = (\mathrm{CRT}(s_{i_k}) + m') \bmod n$, where $m' = \Big(\sum_{k=1}^{j} \big(|(s_{i_k} - X_{i_k})^{e_t}|_{i_k} - m_{i_k}\big)\Big) \cdot (\max(i_k) + 1)$, for $k = 1, 2, \ldots, j$
The proposed multi-prime RSA (figure): inputs $(i_1, m), \ldots, (i_k, m), \ldots, (i_j, m)$; for each prime $i_k$, $m_{i_k} = m \bmod i_k$ is raised to $d_s \bmod (i_k - 1)$ to give $s_{i_k t}$ and to $t$ to give $X_{i_k}$, $s_{i_k} = |s_{i_k t} + X_{i_k}|_{i_k}$, and the check value $m_k = |(s_{i_k} - X_{i_k})^{e_t}|_{i_k} - m_{i_k}$ is formed; then $m' = (m_1 + \cdots + m_k + \cdots + m_j) \cdot (n / \min(i_1, \ldots, i_k, \ldots, i_j) + 1)$ and $s = (\mathrm{CRT}(s_{i_1}, \ldots, s_{i_k}, \ldots, s_{i_j}) + m') \bmod n$
Extended CRT-2 protocol
1. $k_{i_k} = \lfloor m / i_k \rfloor$
2. $s_{i_k} = m^{d_t} \bmod i_k$
3. $s = (\mathrm{CRT}(s_{i_k}) \cdot m'^{\,t}) \bmod n$, where $m' = \Big(\sum_{k=1}^{j} (s_{i_k}^{e_t} \bmod i_k + k_{i_k})\Big) / j$, for $k = 1, 2, \ldots, j$
Comparison of the operational speed (extended CRT-2 protocol vs. the proposed multi-prime RSA)
- Division: the extended CRT-2 protocol computes $k_{i_k} = \lfloor m / i_k \rfloor$ and a division $X / j$; the proposed multi-prime RSA computes $m_{i_k} = m \bmod i_k$
- Modular exponentiation: the extended CRT-2 protocol computes $m^{d_t} \bmod i_k$ and $m'^{\,t} \bmod n$; the proposed multi-prime RSA computes $m_{i_k}^{d_t} \bmod i_k$ and $m_{i_k}^t \bmod i_k$
where $m_{i_k} \in [1, i_k)$, $m, m' \in [1, n)$ and $k = 1, \ldots, j$
- The operational speed improvement has been verified by one example of three-prime RSA
- Similar factorization complexity:
  - Still O(n) for obtaining any factor from the proposed multi-prime RSA
- Predicted to use fewer hardware resources:
  - Will be verified by the implementation results later
Design flow (figure): design entry -> simulation -> synthesis -> implementation design (translate, map, place and route) -> design verification
Structure of the modular exponentiation algorithm (to calculate $X^E \bmod N$) (figure): a state machine built around a Montgomery modular multiplication component (inputs A_in, B_in, N_in, Start_in; outputs R_out, Mon_finish). From idle, exp_start='1' enters pre_pre-map, then pre-map (calls the Montgomery component) and record_msb (records the most significant bit position $e_k$ of the exponent); starting at i=0 it runs pre_squ/squ (a Montgomery squaring) and, if $e_i$='1', premulti/pre_squmulti/squmulti (a Montgomery multiplication), with i=i+1 while i<=k; when i>k it runs pre_post-map/post-map (calls the Montgomery component), outputs the result, sets ready to '1' and enters finish
Structure of the Montgomery modular multiplication algorithm (to calculate $A \cdot B \cdot 2^{-k} \bmod N$) (figure): after reset the machine idles, waiting for a new operation; from i=0 it alternates an addition state (adds a value to the intermediate addition result) and a shift state (shifts one bit), with i=i+1 while i<=31; if i>31 it enters the subtraction state (subtracts N if R>N), and the finish state outputs the values and sets the finish flag
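As an added example, not the thesis's VHDL, the following Python models the two state machines just described in software: a bit-serial radix-2 Montgomery product $A \cdot B \cdot 2^{-k} \bmod N$ with k add/shift iterations and one final conditional subtraction, and an MSB-first square-and-multiply exponentiation on top of it that pre-maps the operand with the constant $2^{2k} \bmod N$, squares on every exponent bit, multiplies when $e_i$ = '1', and post-maps the result. Function names, the right-shift formulation of the shift state and the sample moduli are this example's own assumptions; k = 32 matches the 32-iteration loop (i<=31) on the slide.

```python
# Added example (not the thesis's VHDL): software model of the two state
# machines on the slides, a bit-serial radix-2 Montgomery multiplication and
# an MSB-first square-and-multiply exponentiation built on it.  Function names
# and the sample moduli are constructed for this example; k = 32 matches the
# 32-iteration (i <= 31) loop on the slide.


def mont_mul(a, b, n, k):
    """Montgomery product a * b * 2^-k mod n for odd n, with a, b < n < 2^k.

    Mirrors the slide's add/shift state machine: for each bit a_i of A (LSB
    first) add a_i * B to the running sum R, add N when R is odd so the sum
    becomes even (the b0/r0 XOR in the datapath decides this), then shift one
    bit; after k iterations subtract N once if R >= N.  The shift is written
    as a right shift of R, the arithmetic equivalent of the slide's left shift
    of an operand register (an assumption about the hardware's register use).
    """
    r = 0
    for i in range(k):
        r += ((a >> i) & 1) * b      # addition state: add a_i * B
        if r & 1:
            r += n                   # make the sum divisible by 2 before shifting
        r >>= 1                      # shift state
    if r >= n:                       # subtraction state: R - N if R >= N
        r -= n
    return r


def mont_exp(x, e, n, k):
    """x^e mod n with the slide's structure: pre-map into the Montgomery
    domain, one squaring per exponent bit from the recorded MSB downward,
    an extra multiplication when e_i = '1', and a post-map at the end."""
    x %= n
    r2 = pow(2, 2 * k, n)                 # the |2^{2k}|_N constant fed to the pre-map
    x_bar = mont_mul(x, r2, n, k)         # pre-map: x * 2^k mod n
    acc = mont_mul(1, r2, n, k)           # 1 in Montgomery form: 2^k mod n
    for i in range(e.bit_length() - 1, -1, -1):   # record_msb: start at bit e_k
        acc = mont_mul(acc, acc, n, k)            # squ: one Montgomery squaring per bit
        if (e >> i) & 1:
            acc = mont_mul(acc, x_bar, n, k)      # squmulti: multiply when e_i = '1'
    return mont_mul(acc, 1, n, k)                 # post-map: remove the 2^k factor


if __name__ == "__main__":
    # Constructed samples: the textbook 3233 = 61 * 53 key fits in k = 12 bits;
    # a 32-bit odd modulus exercises the slide's 32-iteration configuration.
    print(mont_exp(65, 2753, 3233, 12) == pow(65, 2753, 3233))
    N32 = 4294967291                        # 2^32 - 5: odd and below 2^32
    print(mont_exp(123456789, 987654321, N32, 32) == pow(123456789, 987654321, N32))
```

The bound a, b < n < 2^k is what keeps the running sum below 2n, so a single subtraction suffices in the subtraction state; k must therefore be at least the bit length of the modulus, which is why the 32-bit datapath on the slide pairs with a 32-iteration loop.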
Hardware structure of Montgomery modular multiplication (figure): registers A_reg, B_reg, N_reg, BN_reg, R_reg, b0_reg and r0_reg are loaded from A_in, B_in and N_in; the current bit $a_i$ selects through a Mux between '0' and B_in, the XOR of $b_0$ and $r_0$ (p) selects between '0' and N_in, and an Adder accumulates into R_reg in the addition state (i=i+1 while i<=31), followed by a Left_Shift register in the shift state; when i>31 a Subtractor computes R-N and a Mux selects R or R-N (R-N>0?) in the subtraction state; the finish state outputs $A B 2^{-k} \bmod N$
Structure of the proposed two-prime RSA (figure): for $p$, a modular exponentiation component (X_in, E_in, N_in, Exp_start/Exp_finish, Estart1/Efinish1; Z_out) with exponent $e_t$ and two Montgomery components (A_in, B_in, N_in, Mon_start/Mon_finish, Start1/Finish1; R_out) with the constant $|2^{2k}|_p$ produce $s_p$ and $X_p$, and a subtractor forms temp1 from $m_p$; the same structure for $q$ (Estart2/Efinish2, Start2/Finish2, constant $|2^{2k}|_q$) produces $s_q$, $X_q$ and temp2; an adder and a multiplier with the constants $n$, 1 and $\max(p, q)$ form temp3, from which $m'$ and the signature are obtained
Structure of the standard CRT-based two-prime RSA (figure): for $p$, a Montgomery component with the constant $2^{2k} \bmod p$ pre-maps $M$ to $m_p$, a modular exponentiation component (X_in, E_in, N_in, Estart1/E_finish1, Exp_start/Exp_finish; Z_out) with exponent $d_p$ produces $s_p$, and a Montgomery component multiplies by the CRT constant $|p^{-1}|_q \cdot p$ to give CRT_1; the same structure for $q$ ($2^{2k} \bmod q$, $d_q$, Estart2/E_finish2, $|q^{-1}|_p \cdot q$) gives CRT_2; Montgomery components with the constant $2^{2k} \bmod N$ (Start1/Finish1, Start2/Finish2) post-map CRT_1 and CRT_2 to stemp1 and stemp2, an Adder forms temp1, a subtractor forms temp2 = temp1 - N, and a MUX (temp2>0?) selects the signature S
Structure of the CRT-2 protocol (figure): one modular exponentiation component per prime (X_in, E_in, N_in, Estart1/efinish1 and Estart2/efinish2, Exp_start/Exp_finish; Z_out) raises $s_p$ and $s_q$ to $e_t$; dividers produce quot1/rem1 for $m / p$ ($k_p$) and quot2/rem2 for $m / q$ ($k_q$); multipliers and adders form temp1 and temp2, a further adder and a shift register (the division by 2) produce $m'$, and adders complete the signature
Implementation results:

System                              CLB usage   LUT usage   Equivalent gates
Standard CRT-based two-prime RSA    1,226       4,775       46,324
Proposed two-prime RSA              1,431       5,615       55,913
CRT-2 protocol                      1,997       6,577       85,229
Standard three-prime RSA            1,759       6,939       68,144
Proposed three-prime RSA            2,130       8,252       82,233
Extended CRT-2 protocol             2,646       9,121       109,756
Implementation results

System             Resource usage (%)
Standard 2-prime   82.6
Proposed 2-prime   100
2-prime (CRT-2)    152
Standard 3-prime   82
Proposed 3-prime   100
3-prime (CRT-2)    133

Conclusion: the proposed systems use not many more resources than the standard CRT-based RSA, and much fewer than the systems based on the CRT-2 protocol
Conclusions
- The immunity of the RSA cryptosystems against the hardware fault attack is greatly increased
- The proposed RSA cryptosystems provide more efficient operations than previous work, and they bear similar immunity against the hardware fault attack
- The proposed RSA cryptosystems use fewer resources than previous work in hardware implementations
- The standard CRT-based RSA cryptosystems with more factors are more difficult for the hardware fault attack to break
Future work
- Speed up the basic block: the modular exponentiation computation
- Implement the RSA cryptosystems with enhanced immunity against other implementation attacks
- Download the RSA cryptosystems implemented in Chapter 5 to the FPGA chip
Thanks! and Questions?