SPA-Based Adaptive Chosen-Ciphertext Attack on RSA Implementation
[chapter]
2002
Lecture Notes in Computer Science
We describe an adaptive chosen-ciphertext attack on a smart card implementation of the RSA decryption algorithm in the presence of side-channel information leakage. ...
The findings can be used to eventually improve future implementations of fast RSA decryption. ...
The adversary can control the output x of the RSA decryption by feeding the card with x^e mod n. The attack may be classified as SPA-based adaptive chosen-ciphertext attack. ...
doi:10.1007/3-540-45664-3_18
fatcat:hg4xdmuhd5e5rhq3eevlv7kzru
Universal Exponentiation Algorithm A First Step towards Provable SPA-Resistance
[chapter]
2001
Lecture Notes in Computer Science
As a result, we hopefully tend to reconcile the provable security notions of modern cryptography with real-world implementations of exponentiation-based cryptosystems. ...
Our aim is to transfer the security of the exponentiation method being implemented to the exponent itself. ...
The strongest attacks one can imagine (at the protocol level) are the so-called adaptive chosen-ciphertext attacks (CCA2). ...
doi:10.1007/3-540-44709-1_25
fatcat:rjc4wjlysbbsdbxnt7uk5oacbe
A Survey and Analysis of Security Issues on RSA Algorithm
2015
Research Journal of Applied Sciences Engineering and Technology
Generally, security is calculated only on the basis of brute force attack and advancements in algorithms, hardware and software architectures are ignored. ...
In this study, problems are identified based upon mathematical architecture of RSA and same observations are used in removal of defects. ...
An adaptive chosen-ciphertext attack on a smart card implementation of the RSA decryption algorithm in the presence of side-channel information leakage has been performed successfully. ...
doi:10.19026/rjaset.11.2094
fatcat:i6dmjyumljavnjlfvzwjtjpm4u
Chosen-message SPA attacks against FPGA-based RSA hardware implementations
2008
2008 International Conference on Field Programmable Logic and Applications
This paper presents SPA (Simple Power Analysis) attacks against public-key cryptosystems implemented on an FPGA platform. ...
In this paper, we implemented four types of RSA processors on an FPGA platform in combination with two variants of the Montgomery multiplication algorithm and two different types of multipliers for SPA ...
The SPA with adaptively chosen messages [4] can be applied to an RSA implementation using CRT based on Garner's algorithm, where an extra modular reduction at the end of a CRT is repeatedly searched ...
doi:10.1109/fpl.2008.4629904
dblp:conf/fpl/MiyamotoHAS08
fatcat:6xnc2ostvvh5tjil3tuijbxg6a
Basics of Side-Channel Analysis
[chapter]
2009
Cryptographic Engineering
In this paper, Kocher exploits differences in computation times to break certain implementations of RSA and of discrete-logarithm based cryptosystems. In this section, we describe two timing attacks. ...
Following [5], the second attack is against an implementation of an RSA signature scheme [2, 13]. ...
Attack on a Private RSA Exponentiation
Attack on a DES Key Schedule ... SPA-type attacks are not restricted to public-key algorithms but can potentially be applied to other types of cryptographic algorithms ...
doi:10.1007/978-0-387-71817-0_13
fatcat:lzxamf2frfgbvli5pf2u7j3sve
Magnifying Side-Channel Leakage of Lattice-Based Cryptosystems with Chosen Ciphertexts: The Case Study of Kyber
2020
Zenodo
In this paper, we propose EM side-channel attacks with carefully constructed ciphertext on Kyber, a lattice-based key encapsulation mechanism, which is a candidate of NIST Post-Quantum Cryptography standardization ...
We demonstrate that specially chosen ciphertexts allow an adversary to modulate the leakage of a target device and enable full key extraction with a small number of traces through simple power analysis ...
In Section 3, we present our chosen-ciphertext SPA attack on a "clean" implementation of Kyber, while in Section 4 we focus on attacks on highly optimized ARM implementations. ...
doi:10.5281/zenodo.3979188
fatcat:ij42ymvkhngfvjrakzalplw3lm
Side-Channel Analysis of Cryptographic Software via Early-Terminating Multiplications
[chapter]
2010
Lecture Notes in Computer Science
Exploiting the early-termination mechanism makes Simple Power Analysis (SPA) attacks relatively straightforward to conduct, and may even allow one to attack implementations with integrated countermeasures ...
Furthermore, we describe an implementation of one such attack on an implementation of AES, where we were able to extract the entire key using just eight power traces. ...
ciphertext or to inject chosen ciphertexts. ...
doi:10.1007/978-3-642-14423-3_13
fatcat:ekz6kbafaje3fp2dhjkhzfvcha
Who Watches the Watchmen?: Utilizing Performance Monitors for Compromising Keys of RSA on Intel Platforms
[chapter]
2015
Lecture Notes in Computer Science
Asymmetric-key cryptographic algorithms, when implemented on systems with branch predictors, are subjected to side-channel attacks exploiting the deterministic branch predictor behavior due to their key-dependent ...
Subsimulations are performed to classify the message-space into distinct partitions based on the event branch misprediction and the target key bit value. ...
) in Chosen-ciphertext attacks. ...
doi:10.1007/978-3-662-48324-4_13
fatcat:irpxozmfqncoldyrlrxsphtpja
A Study on the SCA Trends for Application to IoT Devices
2020
Journal of Internet Services and Information Security
Thus, in this paper, we introduce the trends of SCAs on IoT devices. ...
Over the past 20 years, side-channel analysis (SCA) on IC Chip has mainly taken place. ...
Since hardware implementations operate in parallel, they applied the chosen ciphertext DPA. They also suggested a threshold implementation based on boolean masking as a countermeasure [9]. ...
doi:10.22667/jisis.2020.02.29.002
dblp:journals/jisis/SimH20
fatcat:4sjvs66efzfctfw3v5emu7yezi
Fault Injection as an Oscilloscope: Fault Correlation Analysis
2020
Transactions on Cryptographic Hardware and Embedded Systems
To demonstrate that our attacks are practical, we first show that SPA can be used to recover RSA private exponents using FI attacks. ...
Such attacks have recently focused more on exploitation of implementation-centric and device-specific properties of the faults. ...
SPA attacks on RSA. ...
doi:10.46586/tches.v2021.i1.192-216
fatcat:mlspidbv4rba7j76jk234xdvsi
Introduction to differential power analysis
2011
Journal of Cryptographic Engineering
We also introduce approaches for preventing DPA attacks and for building cryptosystems that remain secure even when implemented in hardware that leaks. ...
The attacks are practical, non-invasive, and highly effective, even against complex and noisy systems where cryptographic computations account for only a small fraction of the overall power consumption. ...
Using an adaptive chosen ciphertext attack, the threshold M = q can be located by binary search, revealing the RSA private key. A similar attack was described in [12]. ...
doi:10.1007/s13389-011-0006-y
fatcat:xwxqrsf6hfdbti7vplmm745quy
The Doubling Attack – Why Upwards Is Better than Downwards
[chapter]
2003
Lecture Notes in Computer Science
In this paper, we propose a new attack against a classical implementation of these operations that only requires two queries to the device. ...
The complexity of this so-called "doubling attack" is much smaller than previously known ones. Furthermore, this approach defeats two of the three countermeasures proposed by Coron at CHES '99. ...
We only focus on the decryption cases. In this attack we assume that the adversary mounts a chosen ciphertext attack. ...
doi:10.1007/978-3-540-45238-6_22
fatcat:x7fce7adm5e35mrrdvwyj3ruo4
Structural Cryptanalysis Of The Message Based Random Variable Length Key Encryption Algorithm (mrvlk)
2014
Journal of Mathematics and Computer Science
The attack performs analysis on the final ciphertext and reveals the plaintext of MRVLK by exploiting the fact that the structure of the ciphertext is obvious and weak. ...
This article has presented a Structural cryptanalysis on MRVLK (Message Based Random Variable Length Key Encryption). ...
In this paper, the proposed attack has been applied on two well known ciphers, AES and Camellia; these ciphers use 8-bit S-boxes but are structurally very different, and our attack adapts accordingly. ...
doi:10.22436/jmcs.012.03.04
fatcat:vekpjjb64zdcbn4m64257howhu
Physical Protection of Lattice-Based Cryptography
2018
Proceedings of the 2018 on Great Lakes Symposium on VLSI - GLSVLSI '18
., addressing the physical security of lattice-based cryptographic implementations. ...
Amongst the various classes of quantum-resistant cryptography schemes, lattice-based cryptography is emerging as one of the most viable options. ...
DPA can be performed but not chosen-ciphertext attacks), but they are rare. ...
doi:10.1145/3194554.3194616
dblp:conf/glvlsi/KhalidOVOGR18
fatcat:lfintj5vbbf5xllxwoxeer6hdu
Strong Knowledge Extractors for Public-Key Encryption Schemes
[chapter]
2010
Lecture Notes in Computer Science
Completely non-malleable encryption schemes resist attacks which allow an adversary to tamper with both ciphertexts and public keys. ...
In this paper we introduce two extractor-based properties that allow us to gain insight into the design of such schemes and to go beyond known feasibility results in this area. ...
We prove a fundamental theorem according to which a strongly plaintext-aware (SPA) and IND-CPA secure scheme also withstands strong chosen-ciphertext attacks. ...
doi:10.1007/978-3-642-14081-5_11
fatcat:yizr7tvaavg5xhdvnaxnrxa7n4