
Details

To Construct High Level Secure Communication System: CTMI Is Not Enough (indexed in SCI-EXPANDED)

Document type: Journal article

English title: To Construct High Level Secure Communication System: CTMI Is Not Enough

Authors: Xu, Sen[1]; Lu, Xiangjun[1]; Chen, Aidong[2]; Zhang, Haifeng[1,4]; Gu, Haihua[3]; Gu, Dawu[1]; Zhang, Kaiyu[1]; Guo, Zheng[1]; Liu, Junrong[1]

First author: Xu, Sen

Corresponding author: Gu, DW[1]

Affiliations: [1] Shanghai Jiao Tong Univ, Dept Comp Sci & Engn, Shanghai 200240, Peoples R China; [2] Beijing Union Univ, Dept Software Engn, Beijing 100101, Peoples R China; [3] Wanda Internet Technol Grp, Shanghai 200127, Peoples R China; [4] Beijing Smart Chip Microelect Technol Co Ltd, Beijing, Peoples R China

First affiliation: Shanghai Jiao Tong Univ, Dept Comp Sci & Engn, Shanghai 200240, Peoples R China

Corresponding affiliation: [1] (corresponding author), Shanghai Jiao Tong Univ, Dept Comp Sci & Engn, Shanghai 200240, Peoples R China.

Year: 2018

Volume: 15

Issue: 11

Pages: 122-137

Journal: CHINA COMMUNICATIONS

Indexed in: Scopus (accession no. 2-s2.0-85057541497); WOS: SCI-EXPANDED (accession no. WOS:000449981700011)

Funding: This work is supported by the Key Technology Research and Sample-Chip Manufacture on Resistance to Physical Attacks at Circuit Level (546816170002)

Language: English

Keywords: information security; side channel analysis; elliptic curve digital signature algorithm; constant time modular inversion; hamming weight leakage

Abstract: Public key cryptographic (PKC) algorithms, such as the RSA, elliptic curve digital signature algorithm (ECDSA) etc., are widely used in the secure communication systems, such as OpenSSL, and a variety of information security systems. If designers do not securely implement them, the secret key will be easily extracted by side-channel attacks (SCAs) or combinational SCA thus mitigating the security of the entire communication system. Previous countermeasures of PKC implementations focused on the core part of the algorithms and ignored the modular inversion which is widely used in various PKC schemes. Many researchers believe that instead of straightforward implementation, constant time modular inversion (CTMI) is enough to resist the attack of simple power analysis combined with lattice analysis. However, we find that the CTMI security can be reduced to a hidden t-bit multiplier problem. Based on this feature, we firstly obtain Hamming weight of intermediate data through side-channel leakage. Then, we propose a heuristic algorithm to solve the problem by revealing the secret (partial and full) base of CTMI. Comparing previous necessary input message for masking filtering, our procedure does not need any information about the secret base of the inversion. To our knowledge, this is the first time for evaluating the practical security of CTMI and experimental results show the fact that CTMI is not enough for high-level secure communication systems.
