A Practical Collision-Based Power Analysis on RSA Prime Generation and Its Countermeasure

Sangyub Lee, Sung Min Cho, Heeseok Kim, Seokhie Hong

Research output: Contribution to journal > Article

Abstract

We analyze the security of RSA prime generation implemented on embedded devices by means of a practical power analysis attack. Unlike the previous differential power analysis-based attack on the primality tests of RSA prime generation, which exploits the deterministic relationship among multiple prime candidates manipulated by consecutive primality tests, we propose a collision-based power analysis attack on the Miller-Rabin test for a single prime candidate, which can recover the secret prime in a single attempt by exploiting collision characteristics of simple power analysis-resistant modular exponentiation algorithms. Hence, our attack does not require the incremental prime search assumption, and it remains applicable when countermeasures against the previous attacks are deployed, since it also does not require the assumption of trial divisions by small primes on prime candidates. For a realistic setting, where five 512-bit modular exponentiations are performed on an ARM Cortex-M4 microcontroller as recommended by the FIPS 186-4 standard, we successfully recover the secret exponent to an extent that a feasible exhaustive search is needed for the full recovery of the secret prime. This is the first practical result of recovering the full secret of a modular exponentiation that manipulates 512-bit RSA primitives with collision-based power analysis in a single attempt, whereas the previous attack demonstrates the result for 192-bit ECC primitive implementations. We also present a countermeasure against our attack which requires only one additional modular subtraction in the loop of the square-and-multiply-always exponentiation algorithm. An experimental result for the effectiveness of our proposed countermeasure is presented.

Original language: English
Article number: 8681035
Pages (from-to): 47582-47592
Number of pages: 11
Journal: IEEE Access
Volume: 7
DOI: 10.1109/ACCESS.2019.2909113
Publication status: Published - 2019 Jan 1

Fingerprint

Microcontrollers
Recovery
Side channel attack

Keywords

  • Cryptography
  • Digital signatures
  • Public key
  • Side-channel attacks

ASJC Scopus subject areas

  • Computer Science(all)
  • Materials Science(all)
  • Engineering(all)

Cite this

A Practical Collision-Based Power Analysis on RSA Prime Generation and Its Countermeasure. / Lee, Sangyub; Cho, Sung Min; Kim, Heeseok; Hong, Seokhie.

In: IEEE Access, Vol. 7, 8681035, 01.01.2019, p. 47582-47592.

Research output: Contribution to journal > Article

Lee, Sangyub; Cho, Sung Min; Kim, Heeseok; Hong, Seokhie. / A Practical Collision-Based Power Analysis on RSA Prime Generation and Its Countermeasure. In: IEEE Access. 2019; Vol. 7. pp. 47582-47592.
@article{55f556304fb44011b867d4f351b2e576,
title = "A Practical Collision-Based Power Analysis on RSA Prime Generation and Its Countermeasure",
keywords = "Cryptography, Digital signatures, Public key, Side-channel attacks",
author = "Sangyub Lee and Cho, {Sung Min} and Heeseok Kim and Seokhie Hong",
year = "2019",
month = "1",
day = "1",
doi = "10.1109/ACCESS.2019.2909113",
language = "English",
volume = "7",
pages = "47582--47592",
journal = "IEEE Access",
issn = "2169-3536",
publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

TY - JOUR

T1 - A Practical Collision-Based Power Analysis on RSA Prime Generation and Its Countermeasure

AU - Lee, Sangyub

AU - Cho, Sung Min

AU - Kim, Heeseok

AU - Hong, Seokhie

PY - 2019/1/1

Y1 - 2019/1/1

KW - Cryptography

KW - Digital signatures

KW - Public key

KW - Side-channel attacks

UR - http://www.scopus.com/inward/record.url?scp=85065084354&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85065084354&partnerID=8YFLogxK

U2 - 10.1109/ACCESS.2019.2909113

DO - 10.1109/ACCESS.2019.2909113

M3 - Article

VL - 7

SP - 47582

EP - 47592

JO - IEEE Access

JF - IEEE Access

SN - 2169-3536

M1 - 8681035

ER -