I am learning to utilize flush+reload method to get private key of RSA.
I read related papers
flush+reload and found its open source code (flush+reloa flush+reloa).
And I experimented according to the tutorial.
I am very grateful for these open source codes.
But with these open source codes, I always have a very confusing question. It's just that they don't introduce what the correct result looks like (if I know the correct result, I can reproduce them faster, and better observe the impact of the paper's idea on the experiment).
For example, the experiment of Flush+Reload on RSA. The bottom image presents an optimized RSA implementation, known as CRT-RSA.
According to the introduction of the paper, as long as the Square-Reduce-Multiply in the encryption process is detected, the private key can also be restored.
The paper states:
Square-Reduce-Multiply-Reduce indicate a set bit. Sequences of
Square-Reduce which are not followed by Multiply indicate a clear bit.
But according to the previous description this seems to restore dp and dq, because the above code is calculating mp = c^dp mod p and mq = c^dq mod q.
The paper states:
Hence, knowing dp (and, symmetrically, dq) is sufficient for factoring
n and breaking the encryption
By reading the paper and source code, I found that he always checks whether the following three cache lines are used when decrypting.
probe 0x080f7607 S #mpih-mul.c:270 (First cache line in mpih_sqr_n())
probe 0x080f6c45 r #mpih-div.c:329 (Loop in default case in mpihelp_divrem())
probe 0x080f6fa8 M #mpih-mul.c:121 (First cache line of mul_n())
After that, the author directly gave the bit error rate.
This feels suspicious. I measured the access latency of the three cache lines above during decryption, and restored them to 01 bits according to the following introduction.
Square-Reduce-Multiply-Reduce indicate a set bit. Sequences of
Square-Reduce which are not followed by Multiply indicate a clear bit.
How can I calculate the bit error rate? Does this restore dp or dq? Or something else?
How to get the correct dp and dq for comparison?
Thanks!
Comments (1)
What they leak
I don't know which example specifically you are talking about.
If you clarify this (e.g., by adding a link) I may be able to edit this and provide a better answer.
When attacking RSA, it is usually assumed that N and e (the public modulus and exponent) are known. To break RSA, we need to recover the private exponent d. However, there are multiple ways to reconstruct d:
Since N = p * q, leaking either p or q will trivially recover p = N / q (or q = N / p respectively). Knowing p and q, we can calculate d = e^(-1) mod phi(N) (where phi(N) = (p-1) * (q-1)).
Of course, leaking d itself will also suffice.
To break CRT-RSA, leaking either dq or dp can be used to calculate one of the primes p or q, thus recovering d.
Bit Error Rate
To get the bit error rate, you have to know the correct result, then you calculate it the following way:
For example, if I leak the bits 10001, but the correct key is 10101, the bit error rate is:
Since one of the leaked bits is incorrect.
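As an added example (not part of the original post, the answer, or the paper's tooling), the sketch below shows how to get ground truth from a key you generated yourself, decode a probe trace with the quoted Square-Reduce-Multiply rule, score it, and confirm that dp alone factors N. The toy primes, the function names, the simplified left-to-right square-and-multiply model (every bit processed, letters S/r/M taken from the probe lines above) and the bit error rate definition (mismatched bits over total bits) are assumptions.

```python
from math import gcd

# Constructed toy key (tiny primes, for illustration only).
P, Q, E = 1009, 1013, 17
N = P * Q

def crt_exponents(p, q, e):
    """Ground truth for your own key: dp = d mod (p-1), dq = d mod (q-1)."""
    d = pow(e, -1, (p - 1) * (q - 1))
    return d % (p - 1), d % (q - 1)

def expected_trace(exp):
    """Probe letters the model emits: S r per bit, plus M r for a set bit."""
    return "".join("SrMr" if b == "1" else "Sr" for b in bin(exp)[2:])

def decode_trace(trace):
    """Quoted rule: Square-Reduce-Multiply-Reduce is 1, Square-Reduce alone is 0."""
    bits, i = [], 0
    while i < len(trace):
        if trace.startswith("SrMr", i):
            bits.append("1")
            i += 4
        elif trace.startswith("Sr", i):
            bits.append("0")
            i += 2
        else:
            i += 1  # stray or missing probe hit: skip and resynchronise
    return "".join(bits)

def bit_error_rate(leaked, correct):
    """Mismatched positions over total bits; a length difference counts as errors."""
    wrong = sum(a != b for a, b in zip(leaked, correct))
    wrong += abs(len(leaked) - len(correct))
    return wrong / max(len(leaked), len(correct))

def factor_from_dp(n, e, dp, m=2):
    """m^(e*dp) = m (mod p), so gcd(m^(e*dp) - m, n) exposes the prime p."""
    return gcd(pow(m, e * dp, n) - m, n)

if __name__ == "__main__":
    dp, dq = crt_exponents(P, Q, E)
    noisy = expected_trace(dp).replace("M", "", 1)  # constructed: one missed Multiply hit
    leaked = decode_trace(noisy)
    print("dp bits:", bin(dp)[2:], "leaked:", leaked)
    print("BER:", bit_error_rate(leaked, bin(dp)[2:]), "p:", factor_from_dp(N, E, dp))
```

Each CRT half leaks its own exponent, so a trace of the mod-p exponentiation is scored against dp and a trace of the mod-q exponentiation against dq.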