Journal of Tsinghua University (Science and Technology)  2016, Vol. 56 Issue (1): 1-6    DOI: 10.16511/j.cnki.qhdxxb.2016.23.012
Information Security
Design and implementation of a side-channel resistant and low power RSA processor
REN Yanting¹,², WU Liji¹,², LI Xiangyu¹,², WANG An¹,², ZHANG Xiangmin¹,²
1. Institute of Microelectronics, Tsinghua University, Beijing 100084, China;
2. Tsinghua National Laboratory for Information Science and Technology, Beijing 100084, China
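Abstract (Chinese-language version): RSA is one of the most widely used public-key algorithms and is the algorithm specified for financial IC cards. In recent years, several papers have shown that unprotected RSA is vulnerable to side-channel attacks. Moreover, because the algorithm is complex, RSA computation modules often consume a lot of power. To meet the low-power, high-security requirements of dual-interface financial IC cards, this paper designs an efficient, low-power RSA processor that resists common side-channel attacks. A side-channel countermeasure based on the Montgomery ladder strengthens the processor's resistance to simple power analysis, differential power analysis and common fault attacks. An improved Montgomery modular multiplication algorithm, which combines the CIOS and Karatsuba algorithms, increases the speed of RSA Montgomery modular multiplication by 25% while also achieving low power consumption. Given the resource constraints of smart IC cards, the computation unit is designed with a 32-bit step, so the RSA length is configurable, up to 2 048 bits. The proposed RSA processor was functionally verified using a C*Core C0 system on an FPGA development board. In the SMIC 0.13 μm process, EDA synthesis results show that 1 024-bit RSA with side-channel protection achieves a throughput of 8.3 kb/s at a 30 MHz clock, with an area of 24 000 gates and a power consumption of 1.15 mW.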
Abstract: RSA is the most widely used public-key algorithm, and is specified as the signature algorithm in bank IC cards. The unprotected RSA implementation is vulnerable to side-channel attacks, as pointed out in several works. Due to the complexity of the algorithm, the power consumption of an RSA module is usually high. A side-channel resistant, efficient and low-power RSA processor was designed using countermeasures against side-channel attacks based on the Montgomery ladder, together with a modified Montgomery algorithm that combines the CIOS and Karatsuba algorithms. The computation time of modular multiplication can be reduced by 25%, with the length of RSA being configurable and up to 2 048 bits. The proposed RSA module was verified with C*Core C0 on an FPGA board. With the SMIC 0.13 μm CMOS process, the EDA synthesis result indicates that the area is about 24 000 gates, and the throughput of 1024-bit RSA is 8.3 kb/s at a frequency of 30 MHz with a power consumption of 1.15 mW.
Key words: RSA; low-power; side-channel attack; Montgomery algorithm
Received: 2014-10-28      Published: 2016-01-15
ZTFLH:  TN4  
Corresponding author: WU Liji, associate professor, E-mail: lijiwu@tsinghua.edu.cn
Cite this article:
REN Yanting, WU Liji, LI Xiangyu, WANG An, ZHANG Xiangmin. Design and implementation of a side-channel resistant and low power RSA processor. Journal of Tsinghua University(Science and Technology), 2016, 56(1): 1-6.
Link to this article:
http://jst.tsinghuajournals.com/CN/10.16511/j.cnki.qhdxxb.2016.23.012  or  http://jst.tsinghuajournals.com/CN/Y2016/V56/I1/1
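  Fig. 1 Illustration of Karatsuba multiplication
  Table 1 Decomposition of the CIOS-Karatsuba multiply-add steps
  Fig. 2 Hardware architecture of the RSA processor
  Fig. 3 Circuit diagram of the computation unit
  Fig. 4 Photograph of the HSNIOS2C35 development board and emulator
  Table 2 Performance comparison 1 (1024-bit RSA)
  Table 3 Performance comparison 2 (1024-bit RSA)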