An Attack Method Against the Modular Reduction Within a RSA-CRT Implementation Based on Template Attack


Authors: MA Xiang-liang (马向亮); WU Li-ji (乌力吉) [1,2]; WANG Hong (王宏) [4]; ZHANG Xiang-min (张向民) [1,2]; HUANG Ke-zhen (黄克振); LIU Yu-ling (刘玉岭)

Affiliations: [1] School of Integrated Circuits, Tsinghua University, Beijing 100084, China; [2] Beijing National Research Center for Information Science and Technology, Tsinghua University, Beijing 100084, China; [3] School of Integrated Circuits, Beijing University of Posts and Telecommunications, Beijing 100876, China; [4] National Research Center for Information Technology Security, Beijing 100084, China; [5] Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China; [6] Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; [7] School of Cyber Security, University of Chinese Academy of Sciences, Beijing 101408, China

Source: Acta Electronica Sinica (《电子学报》), 2024, No. 3, pp. 689-695 (7 pages)

Funding: Supported by the China Internet Development Foundation.

Abstract: Profiling attacks against RSA-CRT implementations have so far received little study. Taking the modular reduction operation as its object, this paper proposes a template attack against RSA-CRT implementations. The core of the method is solving the problem of how to recover the RSA-CRT private key from the Hamming weight of the intermediate value produced by the modular reduction. The method builds its templates on a Hamming-weight model of that intermediate value: power traces of the modular reduction of chosen ciphertexts are collected and matched against the templates to obtain the Hamming weight of the intermediate value, the intermediate value is recovered from the changes in Hamming weight, and the RSA-CRT private key is then recovered from the intermediate value. A further advantage is that, in the ideal case, templates built on the Hamming-weight model of the intermediate value can be shared, and there is no restriction on how many bits of the intermediate value are modelled: a byte, 64 bits, or even the full bit size of the prime p may be chosen, according to the leakage available in the actual environment. Finally, the paper models the lowest byte of the intermediate value to verify the feasibility of the method, and gives countermeasure recommendations.

Keywords: template attack; RSA-CRT; chosen ciphertext; modular reduction; side-channel attack

CLC number: TP309.1 [Automation and Computer Technology: Computer System Architecture]

 
