Venue: Applied Cryptography and Network Security (foreign conference paper)

Security Analysis of CRT-Based Cryptosystems

Abstract

We investigate the security of several cryptosystems based on the Chinese remainder theorem (CRT) against side channel attacks (SCA). Novak first proposed a simple power analysis against the CRT part that uses the difference between the message modulo p and modulo q. In this paper we apply Novak's attack to other CRT-based cryptosystems, namely Multi-Prime RSA, Multi-Exponent RSA, the Rabin cryptosystem, and the HIME(R) cryptosystem. Whether a Novak-type attack succeeds depends strictly on how the CRT is implemented. We examine the CRT-related operations of these cryptosystems and show that an extended Novak-type attack is effective against them. Moreover, we present a novel attack called the zero-multiplication attack. The attacker tries to guess the secret prime by producing ciphertexts that cause a multiplication by zero during decryption, an event that is easily detected by power analysis. We examine the zero-multiplication attack on the above cryptosystems. Finally, we propose countermeasures against these attacks. The proposed countermeasures are based on ciphertext blinding, but they require no inversion operation. The overhead of the proposed scheme is only about 1% to 5% of the whole decryption.
