Algorithmic Countermeasures Against Fault Attacks and Power Analysis for RSA-CRT

  • Ágnes Kiss (email author)
  • Juliane Krämer
  • Pablo Rauzy
  • Jean-Pierre Seifert
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9689)


In this work, we analyze all existing RSA-CRT countermeasures against the Bellcore attack that use binary self-secure exponentiation algorithms. We test their security against a powerful adversary by simulating fault injections in a fault model that includes random, zeroing, and skipping faults at all possible fault locations. We find that most of the countermeasures are vulnerable and do not provide sufficient security against all attacks in this fault model. After investigating how additional measures can be included to counter all possible fault injections, we present three countermeasures which prevent both power analysis and many kinds of fault attacks.
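The following is an added illustration, not code from the paper or its authors: a binary self-secure exponentiation in the Montgomery-ladder style (the two registers satisfy R1 = m·R0 mod n after every iteration, which is the consistency relation such ladders check), an RSA-CRT signature built on it with Garner recombination, and a fault injector for the three fault kinds the abstract names (random, zeroing and skipping). The fault location is restricted to the start of a chosen loop iteration of the mod-p exponentiation; the primes, message and bit-flip mask are constructed toy values. The point it makes is the one the abstract states: the ladder invariant alone catches the random fault, while a zeroing fault and a skipped iteration both satisfy the invariant and, if output, yield a faulty signature from which the Bellcore gcd recovers a factor, so additional checks (non-zero registers, an iteration counter) are needed.

```python
"""Simulated fault injection against a ladder-based RSA-CRT signature.

Added example, not the paper's code.  Key, message and fault mask are
constructed toy values; the fault injector covers one location class only
(the start of a chosen loop iteration of the mod-p exponentiation).
"""
from math import gcd

P, Q = 61, 53                      # constructed toy primes (far too small for real use)
N, E = P * Q, 17
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, 2753 for these values
DP, DQ = D % (P - 1), D % (Q - 1)  # CRT exponents
M = 2790                           # constructed message
GOOD_SIG = pow(M, D, N)            # reference signature computed without CRT


class FaultDetected(Exception):
    """Raised when a consistency check fires; the device then outputs nothing."""


def ladder(m, d, n, fault=None):
    """Montgomery ladder returning (R0, R1, iterations_executed).

    Fault-free, R0 = m^d and R1 = m^(d+1) mod n, so m*R0 == R1 (mod n) holds
    after every iteration.  fault = (iteration, kind, register) injects at the
    start of that iteration (0 = most significant bit of d):
      "random" flips bits of the register with a fixed constructed mask,
      "zero"   overwrites the register with 0,
      "skip"   skips the whole iteration (register index ignored).
    """
    regs = [1, m % n]
    executed = 0
    for i, bit in enumerate(bin(d)[2:]):
        if fault is not None and fault[0] == i:
            _, kind, reg = fault
            if kind == "skip":
                continue
            if kind == "zero":
                regs[reg] = 0
            elif kind == "random":
                regs[reg] = (regs[reg] ^ 0x5A5) % n
        if bit == "0":
            regs[1] = regs[0] * regs[1] % n
            regs[0] = regs[0] * regs[0] % n
        else:
            regs[0] = regs[0] * regs[1] % n
            regs[1] = regs[1] * regs[1] % n
        executed += 1
    return regs[0], regs[1], executed


def checked_exp(m, d, n, fault=None, extra_checks=True):
    """Self-secure exponentiation: the ladder plus its consistency checks."""
    r0, r1, executed = ladder(m, d, n, fault)
    # Check 1, the ladder invariant: a random fault changes the ratio R1/R0,
    # and every later iteration preserves that ratio, so the fault is caught here.
    if (m * r0 - r1) % n != 0:
        raise FaultDetected("ladder invariant broken")
    if extra_checks:
        # Check 2: once one register is zeroed, both registers become 0 within
        # a few iterations, and 0 == m*0 satisfies check 1.
        if r0 == 0 or r1 == 0:
            raise FaultDetected("zeroed register")
        # Check 3: a skipped iteration keeps the invariant but computes m^d'
        # for an exponent d' missing one bit; count the iterations actually run.
        if executed != d.bit_length():
            raise FaultDetected("loop iteration skipped")
    return r0


def crt_sign(m, p, q, dp, dq, fault=None, extra_checks=True):
    """RSA-CRT signature (Garner recombination); the fault hits the p half."""
    sp = checked_exp(m % p, dp, p, fault, extra_checks)
    sq = checked_exp(m % q, dq, q, None, extra_checks)
    h = (pow(q, -1, p) * (sp - sq)) % p
    return sq + q * h


def simulate(fault, extra_checks):
    """Outcome of one fault injection, as a short tag string."""
    try:
        s = crt_sign(M, P, Q, DP, DQ, fault, extra_checks)
    except FaultDetected as exc:
        return "detected: " + str(exc)
    if s == GOOD_SIG:
        return "correct"
    # Bellcore check: a faulty signature that is still correct mod q shares
    # the factor q with its difference to a correct signature of the same message.
    f = gcd(GOOD_SIG - s, N)
    if 1 < f < N:
        return "faulty signature leaks factor %d" % f
    return "faulty signature"


if __name__ == "__main__":
    for fault in [None, (2, "random", 0), (2, "zero", 1), (2, "skip", 0)]:
        for extra in (False, True):
            print(fault, "extra_checks=%s" % extra, "->", simulate(fault, extra))
```

With `extra_checks=False` only the ladder invariant is verified: the random fault is detected, but the zeroing and skipping faults pass and the faulty signatures leak Q. With the two additional checks all three simulated faults are detected. Faults at other locations (the recombination step, the checks themselves, the q half) are outside this example's fault injector.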


Keywords: Bellcore attack, RSA-CRT, Modular exponentiation, Power analysis



This work has been co-funded by the DFG as part of projects P1 and S5 within the CRC 1119 CROSSING and by the European Union’s 7th Framework Program (FP7/2007-2013) under grant agreement no. 609611 (PRACTICE).


Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Ágnes Kiss (1), email author
  • Juliane Krämer (1, 2)
  • Pablo Rauzy (3)
  • Jean-Pierre Seifert (2)
  1. TU Darmstadt, Darmstadt, Germany
  2. TU Berlin, Berlin, Germany
  3. Inria, CITI Lab, Villeurbanne, France
