从前缀相关泄漏中恢复机密

IF 0.5 Q4 COMPUTER SCIENCE, THEORY & METHODS

Journal of Mathematical Cryptology Pub Date : 2020-01-01 DOI:10.1515/jmc-2015-0048

Houda Ferradi, R. Géraud, S. Guilley, D. Naccache, Mehdi Tibouchi

{"title":"从前缀相关泄漏中恢复机密","authors":"Houda Ferradi, R. Géraud, S. Guilley, D. Naccache, Mehdi Tibouchi","doi":"10.1515/jmc-2015-0048","DOIUrl":null,"url":null,"abstract":"Abstract We discuss how to recover a secret bitstring given partial information obtained during a computation over that string, assuming the computation is a deterministic algorithm processing the secret bits sequentially. That abstract situation models certain types of side-channel attacks against discrete logarithm and RSA-based cryptosystems, where the adversary obtains information not on the secret exponent directly, but instead on the group or ring element that varies at each step of the exponentiation algorithm. Our main result shows that for a leakage of a single bit per iteration, under suitable statistical independence assumptions, one can recover the whole secret bitstring in polynomial time. We also discuss how to cope with imperfect leakage, extend the model to k-bit leaks, and show how our algorithm yields attacks on popular cryptosystems such as (EC)DSA.","PeriodicalId":43866,"journal":{"name":"Journal of Mathematical Cryptology","volume":"14 1","pages":"15 - 24"},"PeriodicalIF":0.5000,"publicationDate":"2020-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://sci-hub-pdf.com/10.1515/jmc-2015-0048","citationCount":"1","resultStr":"{\"title\":\"Recovering Secrets From Prefix-Dependent Leakage\",\"authors\":\"Houda Ferradi, R. Géraud, S. Guilley, D. Naccache, Mehdi Tibouchi\",\"doi\":\"10.1515/jmc-2015-0048\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Abstract We discuss how to recover a secret bitstring given partial information obtained during a computation over that string, assuming the computation is a deterministic algorithm processing the secret bits sequentially. That abstract situation models certain types of side-channel attacks against discrete logarithm and RSA-based cryptosystems, where the adversary obtains information not on the secret exponent directly, but instead on the group or ring element that varies at each step of the exponentiation algorithm. Our main result shows that for a leakage of a single bit per iteration, under suitable statistical independence assumptions, one can recover the whole secret bitstring in polynomial time. We also discuss how to cope with imperfect leakage, extend the model to k-bit leaks, and show how our algorithm yields attacks on popular cryptosystems such as (EC)DSA.\",\"PeriodicalId\":43866,\"journal\":{\"name\":\"Journal of Mathematical Cryptology\",\"volume\":\"14 1\",\"pages\":\"15 - 24\"},\"PeriodicalIF\":0.5000,\"publicationDate\":\"2020-01-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"https://sci-hub-pdf.com/10.1515/jmc-2015-0048\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Journal of Mathematical Cryptology\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1515/jmc-2015-0048\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q4\",\"JCRName\":\"COMPUTER SCIENCE, THEORY & METHODS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Mathematical Cryptology","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1515/jmc-2015-0048","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q4","JCRName":"COMPUTER SCIENCE, THEORY & METHODS","Score":null,"Total":0}

引用次数: 1

摘要

摘要本文讨论了如何在给定秘密比特串计算过程中获得部分信息的情况下恢复秘密比特串，假设计算是一个确定性算法，对秘密比特串进行顺序处理。这种抽象情况为针对离散对数和基于rsa的密码系统的某些类型的侧信道攻击建模，在这种情况下，攻击者不是直接从秘密指数上获取信息，而是从在幂算法的每一步变化的组或环元素上获取信息。我们的主要结果表明，对于每次迭代泄漏一个比特，在适当的统计独立性假设下，可以在多项式时间内恢复整个秘密比特串。我们还讨论了如何处理不完美泄漏，将模型扩展到k位泄漏，并展示了我们的算法如何对流行的密码系统(如(EC)DSA)进行攻击。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Recovering Secrets From Prefix-Dependent Leakage

Abstract We discuss how to recover a secret bitstring given partial information obtained during a computation over that string, assuming the computation is a deterministic algorithm processing the secret bits sequentially. That abstract situation models certain types of side-channel attacks against discrete logarithm and RSA-based cryptosystems, where the adversary obtains information not on the secret exponent directly, but instead on the group or ring element that varies at each step of the exponentiation algorithm. Our main result shows that for a leakage of a single bit per iteration, under suitable statistical independence assumptions, one can recover the whole secret bitstring in polynomial time. We also discuss how to cope with imperfect leakage, extend the model to k-bit leaks, and show how our algorithm yields attacks on popular cryptosystems such as (EC)DSA.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Journal of Mathematical Cryptology COMPUTER SCIENCE, THEORY & METHODS-

CiteScore

2.70

自引率

8.30%

发文量

审稿时长

100 weeks