Toshinori Suzuki

Toshinori Suzuki, Masahiro Kaminaga

To increase the number of wireless devices, e.g., mobile or IoT terminals, cryptosystems are essential for secure communications. In this regard, random number generation is crucial because the appropriate function of cryptosystems relies on it to work properly. This paper proposes a true random number generator (TRNG) method capable of working in wireless communication systems. By embedding a TRNG in such systems, no additional analog circuits are required and working conditions can be limited as long as wireless communication systems are functioning properly, making TRNG method cost-effective. We also present some theoretical background and considerations. We next conduct experimental verification, which strongly supports the viability of the proposed method.

Masahiro Kaminaga, Toshinori Suzuki, Masaharu Fukase

Rabin encryption and a secure ownership transfer protocol based on the difficulty of factorization of a public key use a small public exponent. Such encryption requires random number padding. The Coppersmith's shortpad attack works effectively on short padding, thereby allowing an adversary to extract the secret message. However, the criteria for determining the appropriate padding size remains unclear. In this paper, we derived the processing-time formula for the shortpad attack and determined the optimal random-padding size in order to achieve the desired security.

Masahiro Kaminaga, Hideki Yoshikawa, Arimitsu Shikoda et al.

The Rabin cryptosystem has been proposed protect the unique ID (UID) in radio-frequency identification tags. The Rabin cryptosystem is a type of lightweight public key system that is theoretetically quite secure; however it is vulnerable to several side-channel attacks. In this paper, a crashing modulus attack is presented as a new fault attack on modular squaring during Rabin encryption. This attack requires only one fault in the public key if its perturbed public key can be factored. Our simulation results indicate that the attack is more than 50\% successful with several faults in practical time. A complicated situation arises when reconstrucing the message, including the UID, from ciphertext, i.e., the message and the perturbed public key are not relatively prime. We present a complete and mathematically rigorous message reconstruction algorithm for such a case. Moreover, we propose an exact formula to obtain a number of candidate messages. We show that the number is not generally equal to a power of two.

Masahiro Kaminaga, Hideki Yoshikawa, Toshinori Suzuki

A new fault attack, double counting attack (DCA), on the precomputation of $2^t$-ary modular exponentiation for a classical RSA digital signature (i.e., RSA without the Chinese remainder theorem) is proposed. The $2^t$-ary method is the most popular and widely used algorithm to speed up the RSA signature process. Developers can realize the fastest signature process by choosing optimum $t$. For example, $t=6$ is optimum for a 1536-bit classical RSA implementation. The $2^t$-ary method requires precomputation to generate small exponentials of message. Conventional fault attack research has paid little attention to precomputation, even though precomputation could be a target of a fault attack. The proposed DCA induces faults in precomputation by using instruction skip technique, which is equivalent to replacing an instruction with a no operation in assembly language. This paper also presents a useful "position checker" tool to determine the position of the $2^t$-ary coefficients of the secret exponent from signatures based on faulted precomputations. The DCA is demonstrated to be an effective attack method for some widely used parameters. DCA can reconstruct an entire secret exponent using the position checker with $63(=2^6-1)$ faulted signatures in a short time for a 1536-bit RSA implementation using the $2^6$-ary method. The DCA process can be accelerated for a small public exponent (e.g., 65537). The the best of our knowledge, the proposed DCA is the first fault attack against classical RSA precomputation.