4.3 Article

A New Side-Channel Attack on Reduction of RSA-CRT Montgomery Method Based

Journal

Publisher

WORLD SCIENTIFIC PUBL CO PTE LTD
DOI: 10.1142/S0218126621500389

Keywords

RSA; CRT; Montgomery multiplication; side-channel attack; MRED attack

The article introduces an implementation of the RSA-CRT algorithm based on Montgomery multiplication, known as RSA-CRT-MMB, which aims to address the difficulty of the long multiplications that large key sizes require. A new power analysis side-channel attack on RSA-CRT-MMB, named MRED on MMB, is presented, along with a new countermeasure that prevents the attack without adding hardware area or running time. The correctness and efficiency of the proposed scheme, a 2048-bit RSA-CRT-MMB, are confirmed through practical experiments, demonstrating a total running time of 250ms and minimal hardware resource usage.
RSA-CRT is one of the most common algorithms used in digital signatures. Several side-channel attacks have been presented on implementations of RSA-CRT. One of the most important side-channel attacks on RSA-CRT is Modular Reduction on Equidistant Data (MRED). Implementing RSA-CRT raises many challenges in the multiplications when the key size is large (e.g. 2048 bits). Montgomery multiplication is one of the common methods for executing the RSA multiplication, but it has many implementation problems and side-channel leakage challenges. This article first implements an RSA-CRT algorithm based on Montgomery multiplication as high-speed, low-area hardware. The implementation is named RSA-CRT-MMB (Montgomery Method Based). Next, a new power analysis side-channel attack on RSA-CRT-MMB is presented. We name our attack MRED on MMB (MREDM). For the first time, the attack utilizes new side-channel leakage information about the CRT reduction algorithm as implemented by the MMB. Previous articles do not investigate the MRED attack on Montgomery multiplication in RSA-CRT. Finally, a new countermeasure is presented to prevent the MREDM attack. The countermeasure adds no overhead to the hardware area or running time of the RSA algorithm. The correctness of our scheme, the 2048-bit RSA-CRT-MMB, is investigated by implementing the scheme on the SASEBO-W board in our DPA laboratory. The total running time of 2048-bit RSA is 250ms, and the RSA algorithm occupies only 23% of the LUT slices on a Spartan-6 FPGA. The proposed countermeasures are also verified by practical experiments.
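The structure the abstract refers to, RSA-CRT signing in which the exponentiations modulo p and modulo q are carried out with Montgomery multiplication (REDC), as an added software example; it is not the paper's hardware design and contains none of the paper's countermeasure. The toy primes, word size and message are constructed here for illustration; a real 2048-bit key uses 1024-bit p and q.

```python
# Added example (not from the paper): textbook RSA-CRT signing where each
# modular exponentiation mod p and mod q uses Montgomery multiplication.
# Note that the CRT reduction step (msg % p, msg % q) is exactly the
# operation the abstract describes MRED-style attacks as observing.

def montgomery_setup(m: int, word_bits: int):
    """Return (R, R^2 mod m, m') for odd modulus m, with R = 2^k > m."""
    k = ((m.bit_length() + word_bits - 1) // word_bits) * word_bits
    R = 1 << k
    m_prime = (-pow(m, -1, R)) % R      # m' such that m * m' = -1 (mod R)
    return R, (R * R) % m, m_prime

def redc(t: int, m: int, R: int, m_prime: int) -> int:
    """Montgomery reduction: returns t * R^-1 mod m for 0 <= t < m*R."""
    k = R.bit_length() - 1
    mask = R - 1
    u = ((t & mask) * m_prime) & mask   # u = t * m' mod R
    s = (t + u * m) >> k                # (t + u*m) is divisible by R
    return s - m if s >= m else s       # final conditional subtraction

def mont_pow(base: int, exp: int, m: int, word_bits: int = 32) -> int:
    """base^exp mod m using left-to-right square-and-multiply in Montgomery form."""
    R, R2, mp = montgomery_setup(m, word_bits)
    a = redc((base % m) * R2, m, R, mp)  # base * R mod m (Montgomery form)
    x = redc(R2, m, R, mp)               # R mod m, i.e. 1 in Montgomery form
    for bit in bin(exp)[2:]:
        x = redc(x * x, m, R, mp)
        if bit == "1":
            x = redc(x * a, m, R, mp)
    return redc(x, m, R, mp)             # leave Montgomery form

def rsa_crt_sign(msg: int, p: int, q: int, d: int) -> int:
    """RSA-CRT signature: two half-size exponentiations plus Garner recombination."""
    dp, dq = d % (p - 1), d % (q - 1)
    qinv = pow(q, -1, p)
    sp = mont_pow(msg % p, dp, p)        # CRT reduction mod p, then exponentiation
    sq = mont_pow(msg % q, dq, q)        # CRT reduction mod q, then exponentiation
    h = (qinv * (sp - sq)) % p           # Garner's recombination
    return sq + h * q                    # signature in [0, p*q)

# Constructed toy key: p=61, q=53, n=3233, e=17, d=2753.
TOY_P, TOY_Q, TOY_E, TOY_D = 61, 53, 17, 2753

if __name__ == "__main__":
    sig = rsa_crt_sign(65, TOY_P, TOY_Q, TOY_D)
    print(sig, pow(sig, TOY_E, TOY_P * TOY_Q))   # second value recovers 65
```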

Authors

