Scan-based side-channel attacks retrieve a secret key in a cryptography circuit by analyzing scanned data. Since they must be considerable threats to a cryptosystem LSI, we have to protect cryptography circuits from them. RSA is one of the most important cryptography algorithms because it effectively realizes a public-key cryptography system. RSA is extensively used but conventional scan-based side-channel attacks cannot be applied to it because it has a complicated algorithm. This paper proposes a scan-based side-channel attack which enables us to retrieve a secret key in an RSA circuit. The proposed method is based on detecting intermediate values calculated in an RSA circuit. We focus on a 1-bit time-sequence which is specific to some intermediate values. By monitoring the 1-bit time-sequence in the scan path, we can find out the register position specific to the intermediate value and we can know whether this intermediate value is calculated or not in the target RSA circuit. We can retrieve a secret key one-bit by one-bit from MSB to LSB. The experimental results demonstrate that a 1,024-bit secret key used in the target RSA circuit can be retrieved using 30.2 input messages within 98.3 seconds and its 2,048-bit secret key can be retrieved using 34.4 input within 634.0 seconds.
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Copy
Ryuta NARA, Kei SATOH, Masao YANAGISAWA, Tatsuo OHTSUKI, Nozomu TOGAWA, "Scan-Based Side-Channel Attack against RSA Cryptosystems Using Scan Signatures" in IEICE TRANSACTIONS on Fundamentals,
vol. E93-A, no. 12, pp. 2481-2489, December 2010, doi: 10.1587/transfun.E93.A.2481.
Abstract: Scan-based side-channel attacks retrieve a secret key in a cryptography circuit by analyzing scanned data. Since they must be considerable threats to a cryptosystem LSI, we have to protect cryptography circuits from them. RSA is one of the most important cryptography algorithms because it effectively realizes a public-key cryptography system. RSA is extensively used but conventional scan-based side-channel attacks cannot be applied to it because it has a complicated algorithm. This paper proposes a scan-based side-channel attack which enables us to retrieve a secret key in an RSA circuit. The proposed method is based on detecting intermediate values calculated in an RSA circuit. We focus on a 1-bit time-sequence which is specific to some intermediate values. By monitoring the 1-bit time-sequence in the scan path, we can find out the register position specific to the intermediate value and we can know whether this intermediate value is calculated or not in the target RSA circuit. We can retrieve a secret key one-bit by one-bit from MSB to LSB. The experimental results demonstrate that a 1,024-bit secret key used in the target RSA circuit can be retrieved using 30.2 input messages within 98.3 seconds and its 2,048-bit secret key can be retrieved using 34.4 input within 634.0 seconds.
URL: https://global.ieice.org/en_transactions/fundamentals/10.1587/transfun.E93.A.2481/_p
Copy
@ARTICLE{e93-a_12_2481,
author={Ryuta NARA, Kei SATOH, Masao YANAGISAWA, Tatsuo OHTSUKI, Nozomu TOGAWA, },
journal={IEICE TRANSACTIONS on Fundamentals},
title={Scan-Based Side-Channel Attack against RSA Cryptosystems Using Scan Signatures},
year={2010},
volume={E93-A},
number={12},
pages={2481-2489},
abstract={Scan-based side-channel attacks retrieve a secret key in a cryptography circuit by analyzing scanned data. Since they must be considerable threats to a cryptosystem LSI, we have to protect cryptography circuits from them. RSA is one of the most important cryptography algorithms because it effectively realizes a public-key cryptography system. RSA is extensively used but conventional scan-based side-channel attacks cannot be applied to it because it has a complicated algorithm. This paper proposes a scan-based side-channel attack which enables us to retrieve a secret key in an RSA circuit. The proposed method is based on detecting intermediate values calculated in an RSA circuit. We focus on a 1-bit time-sequence which is specific to some intermediate values. By monitoring the 1-bit time-sequence in the scan path, we can find out the register position specific to the intermediate value and we can know whether this intermediate value is calculated or not in the target RSA circuit. We can retrieve a secret key one-bit by one-bit from MSB to LSB. The experimental results demonstrate that a 1,024-bit secret key used in the target RSA circuit can be retrieved using 30.2 input messages within 98.3 seconds and its 2,048-bit secret key can be retrieved using 34.4 input within 634.0 seconds.},
keywords={},
doi={10.1587/transfun.E93.A.2481},
ISSN={1745-1337},
month={December},}
Copy
TY - JOUR
TI - Scan-Based Side-Channel Attack against RSA Cryptosystems Using Scan Signatures
T2 - IEICE TRANSACTIONS on Fundamentals
SP - 2481
EP - 2489
AU - Ryuta NARA
AU - Kei SATOH
AU - Masao YANAGISAWA
AU - Tatsuo OHTSUKI
AU - Nozomu TOGAWA
PY - 2010
DO - 10.1587/transfun.E93.A.2481
JO - IEICE TRANSACTIONS on Fundamentals
SN - 1745-1337
VL - E93-A
IS - 12
JA - IEICE TRANSACTIONS on Fundamentals
Y1 - December 2010
AB - Scan-based side-channel attacks retrieve a secret key in a cryptography circuit by analyzing scanned data. Since they must be considerable threats to a cryptosystem LSI, we have to protect cryptography circuits from them. RSA is one of the most important cryptography algorithms because it effectively realizes a public-key cryptography system. RSA is extensively used but conventional scan-based side-channel attacks cannot be applied to it because it has a complicated algorithm. This paper proposes a scan-based side-channel attack which enables us to retrieve a secret key in an RSA circuit. The proposed method is based on detecting intermediate values calculated in an RSA circuit. We focus on a 1-bit time-sequence which is specific to some intermediate values. By monitoring the 1-bit time-sequence in the scan path, we can find out the register position specific to the intermediate value and we can know whether this intermediate value is calculated or not in the target RSA circuit. We can retrieve a secret key one-bit by one-bit from MSB to LSB. The experimental results demonstrate that a 1,024-bit secret key used in the target RSA circuit can be retrieved using 30.2 input messages within 98.3 seconds and its 2,048-bit secret key can be retrieved using 34.4 input within 634.0 seconds.
ER -