Efficient CRT-Based RSA Cryptosystems Immune against the Hardware Fault Attack and the FPGA Implementations
Yonghong Yang
Supervisors: Prof. Z. Abid & Prof. W. Wang
Department of Electrical and Computer Engineering
The University of Western Ontario, Canada
May 24, 2016
Introduction
Literature Review
Proposed Efficient Two-Prime RSA Cryptosystem
Proposed Efficient Multi-Prime RSA Cryptosystem
FPGA Implementations and Results
Conclusions
Network security is needed everywhere:
Wide applications need security
Electronic banking and voting
Electronic commerce, such as online bidding
Email, file exchange/submission
Web browsing, etc.
Cryptography
The mathematical science of securing the confidentiality/authentication of data by replacing them with a transformed version
Two types: secret-key and public-key
Cryptography guarantees the needed security:
Privacy or confidentiality
Data integrity
Authentication
Non-repudiation
Secret-Key Cryptography
Traditional method of cryptography
Theoretical basis: “Communication Theory of Secrecy Systems”
A single key is used to encrypt and decrypt texts
DES, NSA and IDEA, etc.
Disadvantages:
Difficult key management
Keys need to be changed frequently
Cannot yield efficient signature mechanisms
Public-Key Cryptography
Relatively new field: initiated in 1975 by the paper “New Directions in Cryptography”
Different keys are used for encryption and decryption
RSA, DSA, DSS, etc.
Public-Key Cryptography
Advantages:
Easier key management
Keys can remain unchanged for a longer time
Yields efficient digital signature mechanisms
Disadvantage:
Slower throughputs, since keys have larger wordlengths
RSA Cryptography
One of the most widely used and simplest public-key cryptosystems so far
Scheme (figure): Alice encrypts using Bob’s public key; Bob decrypts using Bob’s private key. Alice signs with Alice’s private key; Bob checks the signature using Alice’s public key.
RSA Cryptosystem
Public quantities: n, e; secret quantities: d, φ(n)
Encryption/decryption:
Encryption: c = m^e mod n
Decryption: m = c^d mod n
Signing/signature verification:
Signing: s = m^d mod n
Signature verification: m = s^e mod n
Chinese Remainder Theorem Based RSA
The Chinese Remainder Theorem is often used to speed up the operations of RSA
Attacks on CRT-based RSA:
Hardware fault attack
Timing attack
Power attack
Countermeasures to the attack
Padding the message; drawback: requires a collision-free hash function (hard)
Checking the intermediate or final results; drawback: doubles the operational time and is not secure
Revising the signature expression: make sure no secret information is leaked
Standard CRT-based two-prime RSA
To calculate s = m^d mod n:
m_p = m mod p, m_q = m mod q
s_p = m_p^{d_p} mod p, s_q = m_q^{d_q} mod q
s = CRT(s_p, s_q)
Standard CRT-based two-prime RSA
Vulnerable to the hardware fault attack:
When a faulty s (computed from a faulty s_p (s_q)) is available:
q (p) = gcd((s^e − m) mod n, n) and p (q) = n / q (p)
factors the system
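The CRT signing of the previous slide, the gcd computation above and the result-checking countermeasure listed earlier, as an added Python example (not code from the thesis). It generalises the two-prime case to any number of primes, as in the multi-prime scheme later in the deck, simulates a fault in one residue in software, and shows that verifying s^e = m mod n before release catches it; the primes and the message are constructed toy values.

```python
from math import gcd
from functools import reduce

E = 65537  # public exponent e

def make_key(primes):
    """Public n and secret d for two or more distinct odd primes (constructed key)."""
    n = reduce(lambda a, b: a * b, primes)
    phi = reduce(lambda a, b: a * b, (p - 1 for p in primes))
    return n, pow(E, -1, phi)

def crt_sign(m, primes, d, fault_index=None):
    """CRT-based signing: s_i = (m mod i)^(d mod (i-1)) mod i for every prime i,
    then CRT recombination.  fault_index simulates a hardware fault that
    corrupts the residue of one branch only."""
    residues = [pow(m % p, d % (p - 1), p) for p in primes]
    if fault_index is not None:
        residues[fault_index] ^= 1          # one wrong bit in one s_i
    s, mod = residues[0], primes[0]         # Garner-style incremental recombination
    for p, sp in zip(primes[1:], residues[1:]):
        h = ((sp - s) * pow(mod, -1, p)) % p
        s, mod = s + mod * h, mod * p
    return s                                # 0 <= s < n

def factor_from_fault(m, s_faulty, n):
    """gcd((s^e - m) mod n, n) for a faulty s.  With one faulty branch the gcd is
    the product of the moduli of the correct branches: p or q for two primes,
    only a split of n for j primes (hence j-1 faulty signatures are needed there)."""
    g = gcd((pow(s_faulty, E, n) - m) % n, n)
    return g if 1 < g < n else None

def checked_sign(m, primes, d, n, fault_index=None):
    """Countermeasure: verify s^e == m mod n and release s only if it holds."""
    s = crt_sign(m, primes, d, fault_index)
    return s if pow(s, E, n) == m % n else None
```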
CRT-2 protocol proposed by Yen et al.
1. k_p = ⌊m / p⌋, k_q = ⌊m / q⌋
2. s_p = m^{d_t} mod p, s_q = m^{d_t} mod q
3. s = (CRT(s_p, s_q) · m'^t) mod n, where
m' = ((s_p^{e_t} mod p) + k_p · p + (s_q^{e_t} mod q) + k_q · q) / 2
Proposed Two-Prime RSA
1. m_p = m mod p, m_q = m mod q
s_pt = m_p^{d_s mod (p−1)} mod p, s_qt = m_q^{d_s mod (q−1)} mod q
2. X_p = m_p^t mod p, X_q = m_q^t mod q
s_p = (s_pt · X_p) mod p, s_q = (s_qt · X_q) mod q
3. s is obtained from CRT(s_p, s_q) and the check value m' modulo n, where
m' is built from |(s_p · X_p)^{e_t}|_p − m_p and |(s_q · X_q)^{e_t}|_q − m_q, scaled by (max(p, q) + 1)
Block diagram of the proposed two-prime RSA (figure): from the inputs (p, m) and (q, m) the two branches compute m_p = m mod p and m_q = m mod q, then s_pt (exponent d_s mod (p−1)) with X_p = m_p^t mod p, and s_qt (exponent d_s mod (q−1)) with X_q = m_q^t mod q. s_p = |s_pt · X_p|_p and s_q = |s_qt · X_q|_q feed CRT(s_p, s_q); (s_p · X_p)^{e_t} with m_p gives m_1 and (s_q · X_q)^{e_t} with m_q gives m_2; m_1 and m_2 are combined with n/min(p, q) and 1 into m', and the output s is formed from CRT(s_p, s_q) and m' modulo n.
Comparison of the operational speed

Operation               CRT-2 protocol by Yen et al.        The proposed two-prime RSA
Division                k_p = ⌊m / p⌋, k_q = ⌊m / q⌋         m_p = m mod p, m_q = m mod q
Modular exponentiation  m'^t mod n,                         m_p^t mod p, m_q^t mod q,
                        m^{d_t} mod p, m^{d_t} mod q        m_p^{d_s} mod p, m_q^{d_s} mod q

where m, m' ∈ [1, n), m_p ∈ [1, p) and m_q ∈ [1, q)
Factorization complexity
The complexity of factoring the proposed RSA system: O(n)
The complexity of factoring CRT-2: O(n)
Similar
Standard CRT-based multi-prime RSA (figure): for the primes p, q, r, ..., i_j compute m_p = m mod p, m_q = m mod q, m_r = m mod r, ..., m_{i_j} = m mod i_j; then s_p = m_p^{d_p} mod p, s_q = m_q^{d_q} mod q, s_r = m_r^{d_r} mod r, ..., s_{i_j} = m_{i_j}^{d_{i_j}} mod i_j; finally s = CRT(s_p, s_q, s_r, ..., s_{i_j}).
Immunity of CRT-based multi-prime RSA:
When (j−1) faulty signatures are available, calculations based on these (j−1) faulty signatures factor the multi-prime RSA
Still vulnerable to the hardware fault attack
Proposed Multi-Prime RSA
1. m_{i_k} = m mod i_k
s_{i_k t} = m_{i_k}^{d_s mod (i_k − 1)} mod i_k
2. X_{i_k} = m_{i_k}^t mod i_k
s_{i_k} = (s_{i_k t} · X_{i_k}) mod i_k
3. s is obtained from CRT(s_{i_k}) and the check value m' modulo n, where
m' is built from the sum over k = 1, 2, ..., j of |(s_{i_k} · X_{i_k})^{e_t}|_{i_k} − m_{i_k}, scaled by (max(i_k) + 1)
The proposed multi-prime RSA (figure): for each prime i_1, ..., i_k, ..., i_j a branch takes (i_k, m), computes m_{i_k} = m mod i_k, then s_{i_k t} (exponent d_s mod (i_k − 1)) and X_{i_k} = m_{i_k}^t mod i_k, and forms s_{i_k} = |s_{i_k t} · X_{i_k}|_{i_k}. The s_{i_k} feed CRT(s_{i_1}, ..., s_{i_k}, ..., s_{i_j}); each (s_{i_k} · X_{i_k})^{e_t} with m_{i_k} gives a term m_k (m_1, ..., m_k, ..., m_j), which are summed over k = 1, ..., j and combined with n/min(i_1, ..., i_k, ..., i_j) and 1 into m'; the output s is formed from the CRT result and m' modulo n.
Extended CRT-2 protocol
1. k_{i_k} = ⌊m / i_k⌋
2. s_{i_k} = m^{d_t} mod i_k
3. s = (CRT(s_{i_k}) · m'^t) mod n, where
m' = (Σ_{k=1}^{j} ((s_{i_k}^{e_t} mod i_k) + k_{i_k} · i_k)) / j, for k = 1, 2, ..., j
Comparison of the operational speed

Operation               Extended CRT-2 protocol             The proposed multi-prime RSA
Division                k_{i_k} = ⌊m / i_k⌋                  m_{i_k} = m mod i_k
Division                X / j                               (none)
Modular exponentiation  m^{d_t} mod i_k, m'^t mod n         m_{i_k}^{d_s} mod i_k, m_{i_k}^t mod i_k

where m_{i_k} ∈ [1, i_k), m, m' ∈ [1, n) and k = 1, ..., j
Operational speed improvement has been verified by one example of three-prime RSA
Similar factorization complexity: still O(n) for obtaining any factor from the proposed multi-prime RSA
Predicted to use fewer hardware resources; to be verified by the implementation results later
Design flow (figure): Design entry → Simulation (design verification) → Synthesis → Translate → Map → Place and route (implementation design)
Structure of the modular exponentiation algorithm (to calculate X^E mod N), drawn as a state machine around a Montgomery modular multiplication component (inputs A_in, B_in, N_in, Start_in; outputs R_out, Mon_finish):
idle: wait until exp_start = '1'
record_msb: record the most significant bit position e_k of the exponent
pre_pre-map, pre-map: call the Montgomery component to map the operand into Montgomery form; i = 0
pre_squ, squ: call the Montgomery component to square
pre_squmulti, squmulti, premulti: if e_i = '1', call the Montgomery component again to multiply; if e_i = '0', skip the multiplication
i = i + 1 and repeat while i <= k
pre_post-map, post-map: if i > k, call the Montgomery component to map the result back
finish: output the result and set ready to '1'
Structure of the Montgomery modular multiplication algorithm (to calculate A·B·2^{−k} mod N), drawn as a state machine:
reset / idle: wait for a new operation; i = 0
addition: add the selected value to the intermediate result
shift: left shift one bit; i = i + 1 and repeat while i <= 31
subtraction: if i > 31, subtract N if R > N
finish: output the values and set the finish flag
Hardware structure of Montgomery modular multiplication (figure): registers A_reg, B_reg, N_reg, BN_reg (B + N), R_reg and the single-bit registers b0_reg and r0_reg. In the addition state (i = i + 1 while i <= 31) a mux driven by a_i and the XOR of b0_reg and r0_reg selects '0', B_in, N_in or BN_reg as the adder input to R_reg; a Left_Shift register implements the shift state; in the subtraction state (if i > 31) a subtractor computes R − N and a mux (R − N > 0?) selects the final value; the finish state outputs A·B·2^{−k} mod N.
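The two state machines above (bit-serial Montgomery product with k iterations of add-and-shift followed by a conditional subtraction, and the pre-map / square-and-multiply / post-map exponentiation built on it), as an added Python model that is not code from the thesis. The word length k = 32 and the |2^{2k}|_N pre-map constant follow the slides; the exponent is scanned left-to-right from the recorded most significant bit, and the moduli in the test are constructed.

```python
K = 32  # word length of the Montgomery component on the slides (loop i = 0..31)

def mont_mul(a, b, n, k=K):
    """Bit-serial Montgomery product A*B*2^(-k) mod N.
    Requires odd n and a, b < n < 2^k, as the hardware does."""
    assert n % 2 == 1 and 0 <= a < n and 0 <= b < n and n < (1 << k)
    r = 0
    for i in range(k):                 # addition state, repeated while i <= k-1
        a_i = (a >> i) & 1             # bit a_i decides whether B is added
        r += a_i * b
        if r & 1:                      # r_0 of the sum (r_0 XOR a_i*b_0) selects N
            r += n
        r >>= 1                        # shift state: R is now even, halve it exactly
    if r >= n:                         # subtraction state: subtract N if R >= N
        r -= n
    return r                           # finish state: 0 <= r < n

def mont_exp(x, e, n, k=K):
    """X^E mod N by square-and-multiply over Montgomery products."""
    r2 = (1 << (2 * k)) % n            # pre-map constant |2^{2k}|_N
    xm = mont_mul(x % n, r2, n, k)     # pre-map: X in Montgomery form (X*2^k mod N)
    acc = mont_mul(1, r2, n, k)        # 1 in Montgomery form (2^k mod N)
    for bit in bin(e)[2:]:             # from the recorded most significant bit down
        acc = mont_mul(acc, acc, n, k)         # squ
        if bit == '1':
            acc = mont_mul(acc, xm, n, k)      # squmulti
    return mont_mul(acc, 1, n, k)      # post-map: strip the 2^k factor
```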
Structure of the proposed two-prime RSA (figure): two parallel branches, one for p and one for q. Each branch has a modular exponentiation component (X_in, E_in = e_t, N_in = p or q; Z_out; Exp_start/Exp_finish handshake through Estart1/Efinish1 and Estart2/Efinish2) and two Montgomery components (A_in, B_in, N_in; R_out; Mon_start/Mon_finish handshake through Start1/Finish1 and Start2/Finish2) with the precomputed constants |2^{2k}|_p and |2^{2k}|_q. The p branch produces s_p and X_p and, with m_p, the subtractor output temp1; the q branch produces s_q and X_q and, with m_q, temp2. An adder, a multiplier taking max(p, q) and 1, and the modulus n produce temp3, m' and finally s.
Structure of the standard CRT-based two-prime RSA (figure): the message M enters two modular exponentiation components (X_in = m_p with E_in = d_p, N_in = p; X_in = m_q with E_in = d_q, N_in = q; handshakes Estart1/E_finish1, Estart2/E_finish2, Exp_start/Exp_finish), each preceded by a Montgomery component using the constants 2^{2k} mod p and 2^{2k} mod q, producing s_p and s_q. CRT_1 and CRT_2 are Montgomery components (constants |p^{−1}|_q · p, |q^{−1}|_p · q and 2^{2k} mod N, modulus N; handshakes Start1/Finish1, Start2/Finish2, Mon_start/Mon_finish) whose outputs stemp1 and stemp2 go to an adder (temp1); a subtractor computes temp1 − N (temp2) and a MUX selects the final signature S according to temp2 > 0.
Structure of the CRT-2 protocol (figure): two modular exponentiation components (X_in = s_p, E_in = e_t, N_in = p; X_in = s_q, E_in = e_t, N_in = q; handshakes Estart1/efinish1, Estart2/efinish2, Exp_start/Exp_finish), two dividers producing quot1/rem1 for p (k_p) and quot2/rem2 for q (k_q), multipliers forming k_p · p and k_q · q, adders producing temp1 and temp2, and a shift register for the final division by 2 that yields m'.
Implementation results:

System                              CLB usage   LUT usage   Equivalent gates
Standard CRT-based two-prime RSA        1,226       4,775             46,324
Proposed two-prime RSA                  1,431       5,615             55,913
CRT-2 protocol                          1,997       6,577             85,229
Standard three-prime RSA                1,759       6,939             68,144
Proposed three-prime RSA                2,130       8,252             82,233
Extended CRT-2 protocol                 2,646       9,121            109,756
Implementation results

Resources usage (%), proposed design = 100
Standard 2-prime     82.6
Proposed 2-prime     100
2-prime (CRT-2)      152
Standard 3-prime     82
Proposed 3-prime     100
3-prime (CRT-2)      133

Conclusion: not many more resources than the standard CRT-based RSA and much fewer than the systems based on the CRT-2 protocol
Conclusions
The immunity of the RSA cryptosystems against the hardware fault attack is greatly increased
The proposed RSA cryptosystems provide more efficient operations than previous work, and they bear similar immunity against the hardware fault attack
The proposed RSA cryptosystems use fewer resources than previous work in hardware implementations
The standard CRT-based RSA cryptosystems with more factors are harder to break with the hardware fault attack
Future work
Speed up the basic block: modular exponentiation computation
Implement the RSA cryptosystems with enhanced immunity against other implementation attacks
Download the RSA cryptosystems implemented in Chapter 5 to the FPGA chip
Thanks! Questions?