Scan-Based Side-Channel Attack on the RSA Cryptosystem

Individual authentication increases in importance as network technology advances. IC passports, SIM cards and ID cards used in entrance and exit management systems depend on a cryptography circuit to keep their security. The LSI chips used there usually include cryptography circuits and encrypt/decrypt important data such as ID numbers and electronic money information. However, there is a threat that a secret key may be retrieved from the cryptography LSI chip. Recently, side-channel attacks against cryptosystem LSIs have been reported (Boneh et al., 1997; Brier et al., 2004; Kocher, 1996; Kocher et al., 1999; Schramm et al., 2003). For example, scan-based side-channel attacks, which retrieve secret keys from a cryptography LSI, have attracted attention over the past five years. A scan path is one of the most important testing techniques: registers are connected serially so that they can be controlled and observed directly from outside the LSI, which increases test efficiency significantly. On the other hand, one can easily obtain register data by using a scan path, which implies that one can retrieve a secret key from a cryptography LSI. This is a scan-based side-channel attack.


Introduction
One of the difficulties in a scan-based side-channel attack is how to retrieve a secret key from the scanned data obtained from a cryptosystem LSI. In a scan path, the registers inside a circuit have to be connected so that the interconnection length is shortened to satisfy timing constraints. This means that no one but the scan-path designer knows the correspondence between registers and scanned data. To succeed in a scan-based side-channel attack against a cryptography LSI, an attacker needs to retrieve secret keys from scanned data whose registers are connected almost "randomly".
Symmetric-key cryptosystems such as DES and AES are very popular and widely used. They make use of the same secret key in encryption and decryption. However, it may be difficult to share the same secret key securely, such as when communicating on the Internet. Public-key cryptosystems, on the other hand, make use of different keys to encrypt and decrypt. One of the most popular public-key cryptography algorithms is RSA (Rivest et al., 1978), which is used by many secure technologies such as secure key agreement and digital signatures. Yang et al. first showed a scan-based side-channel attack against DES in 2004 and retrieved a secret key in DES (Yang et al., 2004). They also proposed a scan-based side-channel attack against AES in 2006 (Yang et al., 2006). Nara et al. proposed an improved scan-based side-channel attack method against AES in 2009 (Nara et al., 2009). A scan-based side-channel attack against elliptic curve cryptography (Koblitz, 1987; Miller, 1986) was proposed by Nara et al. (Nara et al., 2011). On the other hand, no scan-based side-channel attack against RSA has been proposed yet, in spite of the fact that RSA is a de-facto standard public-key cryptosystem. Since public-key cryptosystems have more complicated algorithms than symmetric-key cryptosystems such as DES and AES, we cannot apply the scan-based side-channel attacks against symmetric-key cryptosystems to an RSA circuit. An elliptic curve cryptography algorithm is completely different from an RSA algorithm, although both are public-key algorithms. We cannot apply the scan-based side-channel attacks against elliptic curve cryptosystems to RSA, either.
In this paper, we propose a scan-based side-channel attack against an RSA circuit which is almost independent of the scan-path structure. The proposed method is based on detecting intermediate values calculated in an RSA circuit. We focus on a 1-bit time sequence which is specific to some intermediate value. We call it a scan signature because its value shows the existence of that intermediate value in the scanned data obtained from an RSA circuit. By checking whether a scan signature is included in the scanned data or not, we can retrieve a secret key in the target RSA circuit even if we do not know the scan path structure, as long as a scan path is implemented on the RSA circuit and it includes at least 1 bit of each intermediate value.
The purpose of our proposed method is not to make secure scan architectures ineffective but to retrieve a secret key using scanned data from an RSA circuit with as few limitations as possible. In fact, our scan-based side-channel attack method, without any modification, might not work against RSA circuits using some secure scan architectures. Several secure scan architectures designed without consideration of our proposed scan signature cannot protect against our method, as discussed in Section 6. This paper is organized as follows: Section 2 introduces the RSA encryption and decryption algorithms; Section 3 shows an algorithm for retrieving a secret key in an RSA circuit using intermediate values and explains the problems of retrieving a secret key using a scan path; Section 4 proposes our scan-based side-channel attack method based on a scan signature; Section 5 demonstrates experimental results and performance analysis; Section 6 discusses existing secure scan architectures; Section 7 gives several concluding remarks.

RSA algorithm
RSA cryptography (Rivest et al., 1978) was made public in 1978 by Ronald Linn Rivest, Adi Shamir and Leonard Max Adleman. RSA is known as the first algorithm which made public-key cryptography practicable. It is commonly used to achieve not only encryption/decryption but also digital signatures and digital authentication, so that most cryptography LSIs on the market implement and compute RSA cryptography.
The security of RSA cryptography depends on the difficulty of factoring large numbers. Decrypting an RSA ciphertext without the private key is assumed to be practically impossible, on the assumption that no efficient algorithm exists for solving the factoring problem.

Encryption and decryption
An RSA algorithm encrypts a plaintext with a public key (n, e) and decrypts a ciphertext with a secret key (n, d). Let us select two distinct prime numbers p and q. We calculate n by multiplying p by q; n is used as the modulus for both the public key and the secret key. To determine their exponents, we calculate ϕ(pq), where ϕ() is Euler's totient function, by multiplying (p − 1) by (q − 1).
Let us select an integer e satisfying the conditions that 1 < e < ϕ(pq) and that e and ϕ(pq) are coprime, where e is the exponent of the public key. Let us determine an integer d satisfying the congruence relation de ≡ 1 mod ϕ(pq). That is to say, the public key consists of the modulus n and the exponent e, and the private key consists of the modulus n and the exponent d.
Let us consider that Alice secretly sends a message m to Bob. First, Alice receives his public key (n, e). Second, she calculates the ciphertext c with Equation 1.
Then Alice transmits c to Bob. Bob decrypts c by using his private key and receives her message m. Equation 2 represents the decryption computation.
m ≡ c^d mod n (2)

Binary method
The bit length of an RSA key must be more than 1,024 bits because its security depends on its key length. It is currently recommended that n be at least 2,048 bits long (Silverman, 2002). This means that the exponent d in Equation 2 is at least 1,024 bits long. When we decrypt a ciphertext, the amount of computation becomes quite large without modification. Since modular exponentiation dominates the execution time of decrypting a ciphertext, efficient algorithms have been proposed. The binary method (Stein, 1967), as shown in Algorithm 1, is one of the most typical exponentiation algorithms. In Algorithm 1, the exponent d is represented by its bits d_{L−1}, ···, d_0, where L is the maximum key bit length. Fig. 1 shows an example of the binary method in the case of d = 1011 (binary).

Scan-based attack against RSA
A scan path connects registers in a circuit serially and lets a tester access them directly, so that register values inside the circuit can be observed easily. A scan path model is shown in Fig. 2. Scan path testing is widely used in recent circuit implementations because of its testability and ease of implementation. The purpose of a scan-based attack against RSA is to retrieve a secret exponent d from the scanned data of an RSA circuit. The scan-based attack here requires several assumptions, as in the previous research (Nara et al., 2009; 2011; Yang et al., 2004), which are summarized below:
1. Attackers can encrypt/decrypt arbitrary data using the secret key on a target RSA circuit.
2. Attackers can obtain scanned data from a target RSA circuit.
3. Scanned data is not modified by compactors aimed at test efficiency.
4. Attackers know that the binary method in Algorithm 1 is used in a target RSA circuit.
5. Attackers also know the modulus n used in a target RSA circuit.
In addition to these, attackers need to be able to predict the intermediate values of the binary method using an off-line simulation.
In this section, we explain the scan-based attack against an RSA circuit (Section 3.1) and its problems in a practical case (Section 3.2).

Retrieving a secret exponent using intermediate values (Messerges et al., 1999)
In order to retrieve a secret exponent d, we have to solve the integer factorization in RSA. If the bit length of a secret exponent d is more than 1,024 bits or more than 2,048 bits, it is impossible to solve this problem within a realistic time. However, if we know all the "intermediate values" during the binary method shown in Algorithm 1, we can retrieve a secret exponent d in a polynomial time (Messerges et al., 1999).
Similarly, m(i) is equal to Equation 4 if and only if d_i = 1. Based on the above discussion, we employ SF(i), defined by Equation 5, as a selective function for RSA: SF(i) is the value that m(i) takes if d_i = 1. Here ℓ represents the significant key length, i.e., the key length in left-aligned representation, so that the secret exponent is written as d_{ℓ−1} ··· d_0 with d_{ℓ−1} = 1. When using the selective function for RSA above, we have to know the intermediate values in advance. Table 2 shows them for the message c = 10011100 with the parameters shown in Table 1.

Now we try to retrieve the 8-bit secret exponent d using intermediate values.
First we try to retrieve the first bit d_{ℓ−1} (i = ℓ − 1). We find d_{ℓ−1} = 1 by the definition of the significant key length ℓ. Then SF(ℓ − 1) is calculated as SF(ℓ − 1) = c = 10011100. Since 10011100 appears in Table 2, we confirm that d_{ℓ−1} is retrieved as one. Now we assume that the secret exponent d = 1. We compare m(ℓ − 1) = (c^1 mod n) = 10011100 with the binary method result 10001111. Since they are not equal, d ≠ 1.
Next, we try to retrieve the second bit d_{ℓ−2} (i = ℓ − 2). We already know that d_{ℓ−1} = 1. We assume here that d_{ℓ−2} = 1. In this case, SF(ℓ − 2) is calculated as SF(ℓ − 2) = 11010. Since 11010 does not appear in Table 2, d_{ℓ−2} is retrieved not as one but as zero, i.e., d_{ℓ−2} = 0. Now we assume that d = 10. We compare m(ℓ − 2) = (c^{10} mod n) = (m(ℓ − 1)^2 mod n) = 11010000 with the binary method result 10001111. Since they are not equal, d ≠ 10.
Next, we try to retrieve the third bit d_{ℓ−3} (i = ℓ − 3). We already know that d_{ℓ−1} = 1 and d_{ℓ−2} = 0. Repeating the same procedure for the remaining bits, we finally compare m(i) with the binary method result 10001111.
Since they are equal to each other, we find that the secret exponent d is 10111 and the significant key length ℓ is five.

Problems to retrieve a secret key using scan path
If we retrieve an L-bit secret exponent d using an exhaustive search, we have to try 2^L possible values. On the other hand, the method explained in Section 3.1 retrieves a secret exponent bit by bit from MSB to LSB. It tries at most 2L possible values to retrieve an L-bit secret exponent. Further, the method just checks whether SF(i) appears among the intermediate values m(i) of Algorithm 1.
In order to apply this method to a scan-based attack, we have to know which registers store intermediate values, i.e., we have to know correspondence between scanned data and SF(i).
However, scan paths are usually designed automatically by EDA tools so that nearby registers are connected together to shorten the scan path length. Only designers can know the correspondence between scanned data and registers and thus retrieved scanned data can be considered to be "random" for attackers. Therefore, it is very difficult to find out the values of SF(i) in scanned data for attackers.

Analysis of scanned data
In order to solve the problem that attackers do not know the correspondence between the registers of the scanned data and the ones storing intermediate values during the binary method, we focus on a general property of scan paths: the bit position of a particular register r in the scanned data when giving one input is exactly the same as that when giving another input. This is clearly true, since a scan path is fixed in an LSI chip and the order of the registers connected in its scan path is unchanged.
If we execute the binary method for each of N messages on an RSA circuit, the bit pattern at a particular bit position of the scanned data over these N messages gives N-bit data. Based on the above property, this N-bit data may give the bit pattern of a particular bit of an intermediate value when we give each of these N messages to the RSA circuit.
We can calculate SF(i) from the same N messages and d_{ℓ−1} down to d_0 of the secret exponent d by using an off-line simulation. By picking up a particular bit (the LSB, for example) in each of the SF(i) values for the N messages, we also obtain N-bit data (see Fig. 3). If N is large enough, this N-bit data gives information completely unique to SF(i). We can use this N-bit data as a scan signature SS_i to SF(i) in the scanned data.
Our main idea in this section is that we find a scan signature SS_i to SF(i) in the scanned data (see Fig. 4) to retrieve the secret exponent d from d_{ℓ−1} down to d_0. If an N-bit scan signature SS_i appears in the scanned data for the N messages, d_i is determined as one. If not, it is determined as zero.
In the rest of this section, we firstly propose a scan signature SS_i to SF(i). Secondly we propose an overall method to retrieve a secret exponent d using scan signatures. Thirdly we analyze the probability of successfully retrieving a secret exponent by using our method.

Calculating a scan signature to SF(i)
Assume that N messages c_1, ···, c_N are given. Also assume that we already know d_{ℓ−1}, ···, d_{i+1} of a secret exponent d. Let SF(i)_r be the selective function for RSA when giving the message c_r for 1 ≤ r ≤ N. Assuming that d_i = 1, we can calculate SF(i)_r for 1 ≤ r ≤ N.
Let us focus on a particular bit of SF(i)_r. If N is large enough, the set of these bits over SF(i)_r (1 ≤ r ≤ N) gives information unique to SF(i)_r. By using it, we can check whether SF(i)_r is calculated or not in the target. As Fig. 3 shows, we define a scan signature SS_i to be the set of LSBs of SF(i)_r for the sake of convenience.
If SS i appears in scanned data, d i is determined as one. If not, d i is determined as zero. After d i is correctly determined, we can continue to determine the next bit of the secret exponent d in the same way.
Our proposed method has an advantage compared to conventional scan-based attacks (Yang et al., 2004). Our method is effective in the case of a partial scan architecture: as long as a scan path includes at least 1 bit of each intermediate value, we can check whether the scan signature exists in the scanned data or not.

Scanned data analysis method
First we prepare N messages c_1, ···, c_N and give them to an RSA circuit. For each of these messages, we obtain all the scanned data from the scan-out of the RSA circuit until it outputs the binary method result. As Fig. 4 shows, the size of the scanned data for each of these messages is (scan path length) × (number of binary method cycles). Now we check whether a scan signature SS_i to SF(i) appears in the obtained scanned data, under the assumption that we do not know the secret exponent d in the RSA circuit, as follows:
Step 1: Prepare N messages c_1, c_2, ···, c_N, where c_r ≠ c_s for 1 ≤ r, s ≤ N and r ≠ s.
Step 2: Input c_r (1 ≤ r ≤ N) into the target RSA circuit and obtain scanned data every cycle while the binary method works, until the RSA circuit outputs the result. Let sd_r denote the obtained scanned data for the message c_r (1 ≤ r ≤ N).
Step 3: From the definition, we have d_{ℓ−1} = 1. Compare m(ℓ − 1) = ((c_1)^1 mod n) with its binary method result. If they are equal, then we find that the secret exponent d is one and stop. If not, go to the next step.
Step 4: Assuming that d_{ℓ−2} = 1, calculate SF(ℓ − 2)_r for each c_r (1 ≤ r ≤ N) and obtain the scan signature SS_{ℓ−2}.
Step 5: Check whether the scan signature SS_{ℓ−2} exists in the scanned data sd_1, ···, sd_N, which include the scanned data of all the cycles while the binary method runs. If it exists, then d_{ℓ−2} is equal to 1; if it does not exist, then d_{ℓ−2} is equal to 0.
Step 6: Calculate m(ℓ − 2) = ((c_1)^{d_{ℓ−1}×2+d_{ℓ−2}} mod n) and compare it with its binary method result. If they are equal, then the secret exponent d has been retrieved and we terminate the analysis flow.
Step 7: Determine d_{ℓ−3}, d_{ℓ−4}, ··· in the same way as Step 4 to Step 6 until the analysis flow terminates at Step 6.
We show the example below to explain how the method above works.

Example 2. As in Step 1 and Step 2, we prepare eight messages c_r (1 ≤ r ≤ 8), input them into the target RSA circuit, and obtain the scanned data sd_r (1 ≤ r ≤ 8) shown in Fig. 5.
(Step 3) Let us start to determine d_{ℓ−1}. We find d_{ℓ−1} = 1 by the definition of ℓ. It is not necessary to check whether d_{ℓ−1} = 1 or not, but we can check it as follows: we calculate SF(ℓ − 1)_r = c_r for each c_r (1 ≤ r ≤ 8) and obtain the scan signature SS_{ℓ−1} (see Fig. 6). As Fig. 6 (a) shows, the scan signature SS_{ℓ−1} becomes "11101001". Since the scan signature SS_{ℓ−1} exists in the bit patterns of the scanned data sd_r (1 ≤ r ≤ 8) in Fig. 5, we confirm that d_{ℓ−1} is retrieved as one, i.e., d_{ℓ−1} = 1. Now we assume that d = 1. We compare m(ℓ − 1) = ((c_1)^1 mod n) with its binary method result. In case they are not equal, d ≠ 1.


Possibility of successfully retrieving a secret key
Let the scan path length be α bits and the number of cycles needed to obtain the binary method result be T. Assume that the scanned data are completely random.
Even if SF(i)_r for 1 ≤ r ≤ N is not calculated in the target RSA circuit, its scan signature may exist in the scanned data by chance. When αT < 2^N, the probability that the scan signature SS_i to SF(i)_r exists somewhere in the bit patterns of the scanned data sd_r (1 ≤ r ≤ N), even though SF(i)_r is not calculated, is αT/2^N.
A sufficiently large N decreases the probability that we mistakenly find the scan signature SS_i in the scanned data. For instance, if α is 3,072, T is 1,024, and N is 30, then the probability that we mistakenly find the scan signature SS_i in the scanned data is 3,072 × 1,024 / 2^30 ≃ 2.93 × 10^−3. If α is 6,144, T is 2,048, and N is 35, then the probability is 6,144 × 2,048 / 2^35 ≃ 3.66 × 10^−4.
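The following Python program is an added example, not code from the chapter or its authors. It ties together the pieces described above on toy parameters: Algorithm 1 with its intermediate values m(i), the selective function SF(i) and the bit-by-bit recovery of Section 3.1 from known intermediate values, the scan signature SS_i and the Step 1 to Step 7 analysis of Section 4.2 over a simulated partial scan chain, and the false-match probability αT/2^N of Section 4.3. Everything not in the chapter is an assumption of this example: the modulus n = 377 (chosen because it reproduces the values quoted in the Section 3.1 example: c = 10011100, c^2 mod n = 11010000, c^3 mod n = 11010 and c^d mod n = 10001111 for d = 10111), the register width and maximum key length of the toy circuit, the register set and wiring order of the toy scan chain (ToyScanPath, with a cycle counter and an unrelated free-running register as noise), the 24 constructed messages, and all function names. For a designer, the same check, run over simulated scan dumps of a candidate scan-chain configuration, shows whether any single scan position tracks the predicted intermediate values, which is exactly the exposure the chapter's method relies on.

```python
import random

# Toy parameters chosen for this added example.  n = 377 = 13 * 29 reproduces the
# values quoted in the chapter's Section 3.1 example: c = 10011100 (156),
# c^2 mod n = 11010000 (208), c^3 mod n = 11010 (26), c^d mod n = 10001111 (143)
# for d = 10111 (23).  WIDTH and L_BITS describe the toy circuit, not a real one.
N_MOD = 377
WIDTH = 9      # bits of the m register: enough for any value below n (assumption)
L_BITS = 8     # maximum key length L handled by the toy circuit (assumption)


def binary_method(c, d, n, L=L_BITS):
    """Left-to-right binary method (Algorithm 1).  Returns c^d mod n and the
    intermediate values m(i) for i = L-1 down to 0 (value held after bit i)."""
    m, trace = 1, []
    for i in range(L - 1, -1, -1):
        m = (m * m) % n
        if (d >> i) & 1:
            m = (m * c) % n
        trace.append(m)
    return m, trace


def selective_function(c, d_prefix, n):
    """SF(i): the m(i) that results if d_i = 1, given the recovered prefix
    d_{l-1}..d_{i+1} as an integer; appending a 1 bit gives 2*d_prefix + 1."""
    return pow(c, 2 * d_prefix + 1, n)


def recover_from_intermediates(c, n, observed):
    """Section 3.1: rebuild d bit by bit from the list of intermediate values
    of one decryption.  Stops when the prefix reproduces the final result."""
    result = observed[-1]
    d = 1                      # d_{l-1} = 1 by definition of the significant length l
    while pow(c, d, n) != result:
        d = 2 * d + (1 if selective_function(c, d, n) in observed else 0)
    return d


class ToyScanPath:
    """Partial scan chain holding three bits of m plus unrelated registers (a
    cycle counter and a free-running 8-bit value), wired in a fixed order that
    the analysis below never consults; it sees only the scanned bit-strings."""
    def __init__(self, seed=7):
        self.rng = random.Random(seed)
        regs = [("m", 0), ("m", 3), ("m", 6)]
        regs += [("ctr", b) for b in range(4)] + [("junk", b) for b in range(8)]
        self.rng.shuffle(regs)
        self.order = regs      # scan path length alpha = len(regs) = 15

    def run(self, c, d, n):
        """Return the binary method result and sd: one alpha-bit string per cycle."""
        _, trace = binary_method(c, d, n)
        sd = []
        for cycle, m in enumerate(trace):
            vals = {"m": m, "ctr": cycle, "junk": self.rng.getrandbits(8)}
            sd.append("".join(str((vals[r] >> b) & 1) for r, b in self.order))
        return trace[-1], sd


def scan_signature(msgs, d_prefix, n):
    """SS_i: the LSB of SF(i)_r for every message c_r, as an N-bit string."""
    return "".join(str(selective_function(c, d_prefix, n) & 1) for c in msgs)


def signature_in_scanned_data(ss, sds):
    """True if some (scan position, cycle) column across the N scanned-data
    sets equals ss.  sds[r][t] is the alpha-bit string of message r at cycle t."""
    return any("".join(sd[t][pos] for sd in sds) == ss
               for t in range(len(sds[0])) for pos in range(len(sds[0][0])))


def recover_with_scan_signatures(circuit, msgs, n, d_secret):
    """Steps 1-7 of Section 4.2.  d_secret only drives the circuit; the recovery
    uses nothing but the outputs and the scanned data."""
    outs, sds = zip(*(circuit.run(c, d_secret, n) for c in msgs))
    d = 1
    while not all(pow(c, d, n) == o for c, o in zip(msgs, outs)):
        if d.bit_length() >= L_BITS:
            raise ValueError("no exponent of at most L bits explains the outputs")
        found = signature_in_scanned_data(scan_signature(msgs, d, n), sds)
        d = 2 * d + (1 if found else 0)
    return d


def false_match_probability(alpha, T, N):
    """Section 4.3: chance that a given N-bit signature appears by accident in
    alpha*T random N-bit columns, approximately alpha*T / 2^N."""
    return alpha * T / 2 ** N


# Constructed messages: the chapter's c = 156 plus 23 small distinct values (N = 24).
MSGS = [156] + list(range(3, 26))

if __name__ == "__main__":
    _, trace = binary_method(156, 23, N_MOD)
    print("intermediates:", trace, "-> d =", recover_from_intermediates(156, N_MOD, trace))
    print("from scan signatures: d =", recover_with_scan_signatures(ToyScanPath(), MSGS, N_MOD, 23))
    print("false-match probability (3072, 1024, N=30):", false_match_probability(3072, 1024, 30))
```

Two design choices differ from the chapter's description because of the toy size. The stop test in recover_with_scan_signatures compares the predicted result for all N messages instead of only c_1, since with n = 377 the multiplicative orders are at most 84 and a prefix of d can reproduce c_1^d by coincidence. N = 24 messages (rather than the eight of Example 2) keeps the false-match probability of Section 4.3 for the 15 × 8 columns of this scan chain far below one percent. The scan chain carries only three bits of m, which illustrates the partial-scan remark at the end of Section 4.1: one exposed bit of the intermediate register is enough for the signature check to succeed.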

Experiments and analysis
We have implemented our analysis method proposed in Section 4 in the C language on Red Hat Enterprise Linux 5.5 on an AMD Opteron 2360SE at 2.5 GHz with 16 GB of memory, and performed the following experiments:
1. First, we generated secret exponents randomly: a thousand with a bit length of 1,024, a thousand with a bit length of 2,048, and a hundred with a bit length of 4,096.
2. Next, we gave each of the secret exponents to the target RSA circuit based on Algorithm 1 and obtained scanned data. The target RSA circuit obtains binary method results in 1,024 cycles for a 1,024-bit secret exponent, in 2,048 cycles for a 2,048-bit secret exponent, and in 4,096 cycles for a 4,096-bit secret exponent. The scan path length for a 1,024-bit secret exponent is 3,072 bits, that for a 2,048-bit secret exponent is 6,144 bits, and that for a 4,096-bit secret exponent is 12,192 bits. The total size of the obtained scanned data for a 1,024-bit secret exponent is therefore 3,072 × 1,024 = 3,145,728 bits, that for a 2,048-bit secret exponent is 6,144 × 2,048 = 12,582,912 bits, and that for a 4,096-bit secret exponent is 12,192 × 4,096 = 49,938,432 bits.
3. Finally, we retrieved each of the secret exponents by our proposed analysis method using the obtained scanned data.
Fig. 7 and Table 4 show the results. Fig. 7 shows the number N of messages required to retrieve each secret exponent. For example, the 4th 1,024-bit secret exponent is shown in Table 3. In order to retrieve this secret exponent, we need 29 messages, i.e., N = 29. In this case, we successfully retrieve the 4th secret exponent using 29 messages but fail to retrieve it using 28 messages or fewer.

Discussions
We consider the secure scan architectures proposed so far in the light of our proposed scan-based attack.
Firstly, the inverter-based secure scan architecture cannot protect against our proposed method. It inserts some inverters into a scan path to invert scanned data. However, since the inverted positions of the scanned data are always fixed, the value of a 1-bit register sequence is only changed to its inverted value. By checking whether SS_i or the inverted SS_i exists in the scanned data, our proposed method can easily make it ineffective.
Inoue's secure scan architecture (Inoue et al., 2009) adds unrelated data to scanned data to confuse attackers. The sequence of scanned data to which unrelated data are added is fixed, and, in order to reduce area overhead, it is not always true that all the bits are confused to protect the scanned data. If the register storing the scan signature SS_i is not confused, our proposed method can easily make it ineffective, too.
Secondly, (Chandran & Zhao, 2009; Gomułkiewicz et al., 2006; Hely et al., 2005; Lee et al., 2006; Paul et al., 2007; Yang et al., 2006) require authentication to switch between system mode and test mode, and their security depends on the authentication methods. If the authentication were broken and attackers could obtain scanned data, a secret key in an RSA circuit could be retrieved by using our proposed method. We consider that authentication strength is a different issue from the purpose of this chapter.
Finally, (Shi et al., 2008) uses a compactor so as not to output scanned data corresponding to registers directly, and (Doulcier et al., 2007) proposes AES-based BIST, whereby there is no need for a scan path test. However, whether these methods can be applied effectively to an RSA circuit is quite unclear, because they have been implemented only on an AES circuit or on a sample circuit not intended for cryptography.

Concluding remarks
Our proposed scan-based attack can effectively retrieve a secret key in an RSA circuit, since we just focus on the variation of 1 bit of the intermediate values, named a scan signature. By monitoring it in the scan path, we can find the register position specific to the intermediate values.
The experimental results demonstrate that a 1,024-bit secret key can be retrieved by using 29.5 messages on average, a 2,048-bit secret key by using 32 messages, and a 4,096-bit secret key by using 37 messages.
In the future, we will develop a new scan-based side-channel attack against compressed scan data for RSA. In this chapter, we only consider one RSA LSI implementation, but there are other implementations available such as the one in (Miyamoto et al., 2008). We will attack these RSA implementations and successfully retrieve a secret key. Developing countermeasures against the proposed scan-based side-channel attack method is another future work.