Atsushi Miyamoto

Systematic Design of RSA Processors Based on High-Radix Montgomery Multipliers

This paper presents a systematic design approach to provide the optimized Rivest-Shamir-Adleman (RSA) processors based on high-radix Montgomery multipliers satisfying various user requirements, such as circuit area, operating time, and resistance against side-channel attacks. In order to involve the tradeoff between the performance and the resistance, we apply four types of exponentiation algorithms: two variants of the binary method with/without Chinese Remainder Theorem (CRT). We also introduces three multiplier-based datapath-architectures using different intermediate data forms: 1) single form, 2) semi carry-save form, and 3) carry-save form, and combined them with a wide variety of arithmetic components. Their radices are parameterized from 28 to 2128. A total of 242 datapaths for 1024-bit RSA processors were obtained for each radix. The potential of the proposed approach is demonstrated through an experimental synthesis of all possible processors with a 90-nm CMOS standard cell library. As a result, the smallest design of 861 gates with 118.47 ms/RSA to the fastest design of 0.67 ms/RSA at 153\thinspace 862 gates were obtained. In addition, the use of the CRT technique reduced the RSA operation time of the fastest design to 0.24 ms. Even if we employed the exponentiation algorithm resistant to typical side-channel attacks, the fastest design can perform the RSA operation in less than 1.0 ms.

Collision-Based Power Analysis of Modular Exponentiation Using Chosen-Message Pairs

This paper proposes new chosen-message power-analysis attacks against public-key cryptosystems based on modular exponentiation, which use specific input pairs to generate collisions between squaring operations at different locations in the two power traces. Unlike previous attacks of this kind, the new attacks can be applied to all the standard implementations of the exponentiation process: binary (left-to-right and right-to-left), m-ary, and sliding window methods. The SPA countermeasure of inserting dummy multiplications can also be defeated (in some cases) by using the proposed attacks. The effectiveness of the attacks is demonstrated by actual experiments with hardware and software implementations of RSA on an FPGA and the PowerPC processor, respectively. In addition to the new collision generation methods, a high-accuracy waveform matching technique is introduced to detect the collisions even when the recorded signals are noisy and the clock has some jitter.

Comparative Power Analysis of Modular Exponentiation Algorithms

This paper proposes new chosen-message power-analysis attacks for public-key cryptosystems based on modular exponentiation, where specific input pairs are used to generate collisions between squaring operations at different locations in the two power traces. Unlike previous attacks of this kind, the new attack can be applied to all standard implementations of the exponentiation process, namely binary (left-to-right and right-to-left), m-ary, and sliding window methods. The proposed attack can also circumvent typical countermeasures, such as the Montgomery powering ladder and the double-add algorithm. The effectiveness of the attack is demonstrated in experiments with hardware and software implementations of RSA on an FPGA and a PowerPC processor, respectively. In addition to the new collision generation methods, a highly accurate waveform matching technique is introduced for detecting the collisions even when the recorded signals are noisy and there is a certain amount of clock jitter.

Chosen-message SPA attacks against FPGA-based RSA hardware implementations

This paper presents SPA (simple power analysis) attacks against public-key cryptosystems implemented on an FPGA platform. The SPA attack investigates a power waveform generated by a cryptographic module, and reveals a secret key in the module. We focus on chosen-message SPA attacks, which enhances the differences of operating waveforms between multiplication and squaring correlated to the secret key by using the input of particular messages. In particular, Yen showed a unique SPA attack against RSA cryptosystem, but no verification experiment using actual software or hardware was performed. In this paper, we implemented four-types of RSA processors on an FPGA platform in combination with two variants of the Montgomery multiplication algorithm and two different types of multipliers for SPA attacks experiments. Then we demonstrated effectiveness of various chosen-message attacks as well as Yenpsilas method, and investigated the characteristics of the attacks depending on the hardware architectures.

Multiple-Valued Constant-Power Adder for Cryptographic Processors

This paper presents the design of a multiple-valued adder for tamper-resistant cryptographic processors. The proposed adder is implemented in Multiple-Valued Current-Mode Logic (MV-CML). The important feature of MV-CML is that the power consumption can be constant regardless of the input values, which makes it possible to prevent power analysis attacks using dependencies between power consumption and intermediate values or operations of the executed cryptographic algorithms. In this paper, we present a multiple-valued constant-power adder based on the binary Positive-Digit (PD) number system and its application to RSA processors. The power characteristic of the proposed adder is evaluated with HSPICE simulation using 90nm process technology. The proposed design can achieve constant power consumption with low performance overhead in comparison with the conventional binary design.

Enhanced power analysis attack using chosen message against RSA hardware implementations

SPA (simple power analysis) attacks against RSA cryptosystems are enhanced by using chosen-message scenarios. One of the most powerful chosen-message SPA attacks was proposed by Yen et. al. in 2005, which can be applied to various algorithms and architectures, and can defeat the most popular SPA countermeasure using dummy multiplication. Special input values of -1 and a pair of -X and X can be used to identify squaring operations performed depending on key bit stream. However, no experimental result on actual implementation was reported. In this paper, we implemented some RSA processors on an FPGA platform and demonstrated that Yens attack with a signal filtering technique clearly reveal the secret key information in the actual power waveforms.

Systematic design of high-radix Montgomery multipliers for RSA processors

The present paper proposes a systematic design approach to provide the optimal high-radix Montgomery multipliers for an RSA processor satisfying user requirements. We introduces three multiplier-based architectures using different intermediate-data forms ((i) single form, (ii) semi carry-save form, and (iii) carry-save form, and combined them with a wide variety of arithmetic components. Their radices are also parameterized from 28 to 264. A total of 202 designs for 1,024-bit RSA processors were obtained for each radix, and were synthesized using a 90-nm CMOS standard cell library. The smallest design of 0.9 Kgates with 137.8 ms/RSA to the fastest design of 1.8 ms/RSA at 74.7 Kgates were then obtained. In addition, the optimal design to meet the user requirements can be easily obtained from all the combinations. In addition to choosing the datapath architecture, the arithmetic component, and the radix parameters, the proposed systematic approach can also adopt other process technologies.

Design of Tamper-Resistant Registers for Multiple-Valued Cryptographic Processors

This paper presents the design of tamper-resistant registers for multiple-valued cryptographic processors. The voltage-mode and current-mode registers are proposed for hiding dependencies between power consumption and input data. For this purpose, the voltage-mode register activates any one of two flip-flops in a complementary style, and the current-mode register maintains the number of current signals independently of the input value. This paper also applies the two registers to RSA processors in Multiple-Valued Current-Mode Logic and evaluates the power characteristics by HSIM simulations using 90nm process technology. The result shows that the proposed designs can achieve constant power consumption with lower overhead in comparison with the conventional designs.

SPA against an FPGA-Based RSA Implementation with a High-Radix Montgomery Multiplier

Simple power analysis (SPA) was applied to an RSA processor with a high-radix Montgomery multiplier on an FPGA platform, and the different characteristics of power waveforms caused by two types of multiplier (built-in and custom) were investigated in detail. The authors also applied an active attack where input data was set to a specific pattern to control the modular multiplication. The power dissipation for the multiplication was greatly reduced in comparison with modular squaring, resulting in success in revealing all of the secret key bits

Evaluation of Simple/Comparative Power Analysis against an RSA ASIC implementation

Simple Power Analysis attacks with chosen-message techniques were applied to an RSA processor implemented with standard CMOS technology on ASIC, and the different characteristics of power waveforms caused by two types of implementation (ASIC and FPGA) were investigated in detail. We also applied Comparative Power Analysis an advanced power analysis attack in which a pair of input data was used to enhance the waveform pattern for modular exponentiation. The power dissipation of modular squaring in the difference waveform was greatly reduced when compared to modular multiplication, allowing all of the secret key bits to be successfully revealed.