1 Montgomery Modular Multiplication in Hardware
FEI KEMT
alarms are not acceptable (e.g. the tot test can block the smart card, so a revision by the producer is required before it can be reused). Therefore the tolerated ranges of deviation from ideal randomness have to be set very carefully, so that the security of the system is not decreased but the TRNG is also not blocked by false alarms. This task is even more difficult for the short sequences of random bits tested inside the TRNG.
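The trade-off described above can be made concrete with a frequency (monobit) test on short blocks. The following is an added example, not code from the original text: it computes, exactly from the binomial distribution, the false-alarm rate of a given deviation threshold on an ideal source, picks the smallest threshold meeting a false-alarm budget, and shows how weakly a block of 256 bits can then detect a moderately biased source. The block length, the 1e-6 budget and the bias values are assumed for illustration.

```python
import math

def ones_deviation(bits):
    """Statistic of a frequency (monobit) test: |#ones - n/2| for one block of 0/1 values."""
    return abs(sum(bits) - len(bits) / 2)

def alarm(bits, threshold):
    """True if the block deviates from ideal randomness by more than the tolerated range."""
    return ones_deviation(bits) > threshold

def tail_probability(n, threshold, p_one):
    """P(|ones - n/2| > threshold) for an n-bit block of i.i.d. bits with P(1) = p_one.
    Summed exactly over the binomial distribution, so no Monte Carlo noise."""
    total = 0.0
    for k in range(n + 1):
        if abs(k - n / 2) > threshold:
            total += math.comb(n, k) * p_one ** k * (1 - p_one) ** (n - k)
    return total

def false_alarm_probability(n, threshold):
    """Probability that an ideal, unbiased source trips the alarm on a single block."""
    return tail_probability(n, threshold, 0.5)

def smallest_threshold(n, max_false_alarm):
    """Smallest integer threshold whose false-alarm rate on ideal input is <= max_false_alarm."""
    for t in range(n // 2 + 1):
        if false_alarm_probability(n, t) <= max_false_alarm:
            return t
    return n // 2  # a threshold of n/2 can never alarm

if __name__ == "__main__":
    n = 256                      # assumed short block, as tested inside a TRNG
    t = smallest_threshold(n, 1e-6)
    print(f"block of {n} bits, threshold {t}: "
          f"false alarm {false_alarm_probability(n, t):.2e} per block")
    for bias in (0.6, 0.75):     # assumed biased sources: P(1) = 0.6 and 0.75
        print(f"  P(detect source with P(1)={bias}) = {tail_probability(n, t, bias):.3f}")
    # constructed block: 200 zeros followed by 56 ones, a heavily biased source
    block = [0] * 200 + [1] * 56
    print("alarm on constructed block:", alarm(block, t))
```

With this budget a 256-bit block catches a source with P(1)=0.75 almost always but a source with P(1)=0.6 only a few percent of the time, which is exactly why thresholds for short in-device sequences are hard to set.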
5.5 Attacks against TRNG
The main goal of an attacker of a cryptographic algorithm or implementation is to reveal some part, or even the whole, of the secret key and then easily decrypt any encrypted message. Attacking RNGs has a different motivation than finding the key. Inside cryptographic systems the RNG plays a crucial role in the generation of secret keys, session keys, etc. A random key is the outcome of the generation process. Therefore the target of the attack is not only the generated value of the secret key but also any information that makes it possible to predict the succeeding or preceding values of the keys.
In case of a successful attack, the generated values may no longer be random: they can be constant or strongly biased, or the attacker knows an algorithm that predicts them correctly with high probability. By this approach one tries to change the random behaviour of the TRNG into a deterministic one, or at least to change the probability distribution of the generated sequence.
In case of a PRNG, knowledge of the seed or of the internal state can lead to breaking the generator, because its structure is usually known and public. In case of a well-designed TRNG, information about the current internal state does not provide any information about the previous or following one. Therefore the focus of the attack is the source of noise and the randomness extraction method rather than the internal state of the TRNG.
Attacks on cryptographic systems (including RNGs) can be divided into algorithmic and implementation attacks.
Algorithmic attacks
The first group of attacks, the algorithmic attacks, consists of mathematical analysis of the randomness extraction mechanism or of the structure of the PRNG, and does not require any access to the attacked unit. The analysis can be used especially against PRNG designs with an improperly designed method of obtaining the seed value [69]. If the seed contains a low level of entropy, then the output of the generator has statistical properties not comparable to the random sequence