Side-channel analysis of the modular inversion step in the RSA key generation algorithm

This paper studies the security of the RSA key generation algorithm with regard to side-channel analysis and presents a novel approach that targets the simple power analysis (SPA) vulnerabilities that may exist in an implementation of the binary extended Euclidean algorithm (BEEA). The SPA vulnerabilities described, together with the properties of the values processed by the BEEA in the context of RSA key generation, represent a serious threat to an implementation of this algorithm. It is shown that an adversary can disclose the private key employing only one power trace with a success rate of 100%, an improvement on the 25% success rate achieved by the best side-channel analysis previously carried out on this algorithm. Two very different BEEA implementations are analyzed, showing how the algorithm's SPA leakages could be exploited. Also, two countermeasures are discussed that could be used to reduce those SPA leakages and prevent the recovery of the RSA private key. Copyright © 2016 John Wiley & Sons, Ltd.
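As an added illustration, not code from the paper: the following Python script implements the binary extended Euclidean algorithm in the textbook form (HAC Algorithm 14.61) and records which branch it takes at each step. In RSA key generation the inversion computes d = e^(-1) mod phi(n), with e public and phi(n) secret, so the recorded branch sequence, the quantity an SPA adversary tries to read from a power trace, is a function of the secret. The script also shows one standard leak-reduction technique that is labelled as an assumption here and is not claimed to be either of the paper's countermeasures: inverting phi(n) mod e instead of e mod phi(n), so that the value fed to the BEEA is only the short residue phi(n) mod e. The primes and exponents used are small constructed values for demonstration.

```python
# Added example (not the paper's code): instrumented BEEA for RSA private exponent computation.
from typing import List, Tuple


def beea(x: int, y: int) -> Tuple[int, int, int, List[str]]:
    """Binary extended GCD (HAC Algorithm 14.61).

    Returns (a, b, g, trace) with a*x + b*y == g == gcd(x, y).
    `trace` is the sequence of branches taken; each entry is decided by the
    current parity or ordering of u and v, so the whole sequence is determined
    by the inputs. That control-flow dependence is the SPA channel.
    """
    assert x > 0 and y > 0
    g = 1
    while x % 2 == 0 and y % 2 == 0:           # strip common factors of two
        x //= 2; y //= 2; g *= 2
    u, v = x, y
    A, B, C, D = 1, 0, 0, 1                    # invariants: A*x+B*y == u, C*x+D*y == v
    trace: List[str] = []
    while True:
        while u % 2 == 0:                      # halve u, keeping A*x+B*y == u
            u //= 2
            if A % 2 == 0 and B % 2 == 0:
                A //= 2; B //= 2
            else:
                A = (A + y) // 2; B = (B - x) // 2
            trace.append("u/2")
        while v % 2 == 0:                      # halve v, keeping C*x+D*y == v
            v //= 2
            if C % 2 == 0 and D % 2 == 0:
                C //= 2; D //= 2
            else:
                C = (C + y) // 2; D = (D - x) // 2
            trace.append("v/2")
        if u >= v:                             # secret-dependent comparison
            u -= v; A -= C; B -= D
            trace.append("u-v")
        else:
            v -= u; C -= A; D -= B
            trace.append("v-u")
        if u == 0:
            return C, D, g * v, trace


def private_exponent_direct(p: int, q: int, e: int) -> Tuple[int, List[str]]:
    """d = e^-1 mod phi(n) computed the straightforward way: BEEA on (e, phi).

    The full secret phi(n) enters the BEEA, so the branch trace depends on all of it.
    """
    phi = (p - 1) * (q - 1)
    a, _, g, trace = beea(e, phi)
    if g != 1:
        raise ValueError("e must be coprime to phi(n)")
    return a % phi, trace


def private_exponent_reduced(p: int, q: int, e: int) -> Tuple[int, List[str]]:
    """d via k = (-phi)^-1 mod e and d = (1 + k*phi) / e.

    Assumed standard technique (not attributed to the paper): the BEEA now only
    sees phi(n) mod e, a residue of about log2(e) bits, so the branch trace
    carries far less information about phi(n) than in the direct computation.
    """
    phi = (p - 1) * (q - 1)
    r = (-phi) % e
    if r == 0:
        raise ValueError("e divides phi(n); e must be coprime to phi(n)")
    a, _, g, trace = beea(r, e)                # a*r + b*e == 1
    if g != 1:
        raise ValueError("e must be coprime to phi(n)")
    k = a % e                                  # k*phi == -1 (mod e), so e | (1 + k*phi)
    d = (1 + k * phi) // e
    return d, trace


if __name__ == "__main__":
    # Constructed toy parameters (far too small for real use).
    d1, t1 = private_exponent_direct(61, 53, 17)
    d2, t2 = private_exponent_direct(67, 71, 17)
    d3, t3 = private_exponent_reduced(61, 53, 17)
    print("d (direct)  =", d1, "trace length", len(t1))
    print("d (reduced) =", d3, "trace length", len(t3))
    print("same e, different phi(n) -> different traces:", t1 != t2)
```

Running the script prints the two ways of obtaining the same d and shows that two key pairs sharing e produce different branch traces, which is exactly why a trace of the direct computation identifies the secret input; the reduced variant bounds what the trace can reveal to the residue phi(n) mod e.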
