Algorithmic Countermeasures Against Fault Attacks and Power Analysis for RSA-CRT
Abstract
In this work, we analyze all existing RSA-CRT countermeasures against the Bellcore attack that use binary self-secure exponentiation algorithms. We test their security against a powerful adversary by simulating fault injections in a fault model that includes random, zeroing, and skipping faults at all possible fault locations. We find that most of the countermeasures are vulnerable and do not provide sufficient security against all attacks in this fault model. After investigating how additional measures can be included to counter all possible fault injections, we present three countermeasures which prevent both power analysis and many kinds of fault attacks.
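The following Python simulation is an added illustration of the kind of experiment the abstract describes; it is not code from the paper or its authors. It signs with RSA-CRT on a constructed toy key (p = 61, q = 53, e = 17, far too small to be secure), uses a Montgomery ladder whose register invariant r1 = r0·m is checked at the end as the self-secure exponentiation (the style of check associated with Giraud's scheme), adds a public-exponent verification of the recombined value as the additional measure, and exposes a hypothetical fault hook that injects a random, zeroing or skipping fault before a chosen ladder iteration. The "random" fault adds a caller-chosen offset so that runs are reproducible. The key, the message, the hook interface and the pairing of checks are all assumptions of this example (Python 3.8+ for the three-argument `pow` inverse).

```python
# Added example: toy RSA-CRT signing with a self-secure ladder exponentiation,
# a public-exponent verification step, and a fault-injection test hook.
# Everything here is constructed for illustration; the key is far too small
# to be secure and the fault hook exists only to simulate faults.

P, Q, E = 61, 53, 17                 # constructed textbook toy key
N = P * Q                            # 3233
D = pow(E, -1, (P - 1) * (Q - 1))    # 2753
DP, DQ = D % (P - 1), D % (Q - 1)    # CRT half exponents (53 and 49)
QINV = pow(Q, -1, P)                 # constant for Garner recombination


class FaultDetected(Exception):
    """Raised when a countermeasure check rejects an intermediate or final value."""


def ladder_exp(base, exp, mod, fault=None):
    """Montgomery ladder computing base**exp % mod with a Giraud-style invariant.

    Registers r0, r1 hold (base**k, base**(k+1)), so r1 == r0 * base (mod mod)
    after every iteration; the check at the end rejects the result if a fault
    broke that relation.  `fault` is a hypothetical simulation hook:
    (kind, iteration, register[, delta]) with kind in "random"/"zeroing"/"skip".
    """
    r = [1, base % mod]                          # r[0] = r0, r[1] = r1
    for i, bit in enumerate(bin(exp)[2:]):
        if fault is not None and fault[1] == i:  # inject before this iteration's update
            kind, _, reg, *extra = fault
            if kind == "skip":                   # instruction skip: whole iteration lost
                continue
            if kind == "zeroing":                # register cleared to 0
                r[reg] = 0
            elif kind == "random":               # register disturbed by a chosen offset
                r[reg] = (r[reg] + extra[0]) % mod
        if bit == "0":
            r[1] = (r[0] * r[1]) % mod
            r[0] = (r[0] * r[0]) % mod
        else:
            r[0] = (r[0] * r[1]) % mod
            r[1] = (r[1] * r[1]) % mod
    if r[1] != (r[0] * base) % mod:
        raise FaultDetected("invariant")
    return r[0]


def sign_crt(m, fault_half=None, fault=None):
    """RSA-CRT signature with two independent checks: the ladder invariant in each
    half, then a verification of the recombined value with the public exponent."""
    sp = ladder_exp(m % P, DP, P, fault if fault_half == "p" else None)
    sq = ladder_exp(m % Q, DQ, Q, fault if fault_half == "q" else None)
    s = sq + Q * ((QINV * (sp - sq)) % P)        # Garner recombination
    if pow(s, E, N) != m % N:                    # additional measure before output
        raise FaultDetected("verify")
    return s


def simulate(m, fault_half=None, fault=None):
    """Run one scenario and report ("ok", signature) or (rejecting_check, None)."""
    try:
        return "ok", sign_crt(m, fault_half, fault)
    except FaultDetected as exc:
        return str(exc), None


if __name__ == "__main__":
    M = 2790                                     # constructed message, coprime to N
    print("no fault:               ", simulate(M))
    print("random fault on r1 (q): ", simulate(M, "q", ("random", 3, 1, 7)))
    print("zeroing r0 at start (p):", simulate(M, "p", ("zeroing", 0, 0)))
    print("skip iteration 2 (p):   ", simulate(M, "p", ("skip", 2, None)))
```

The four scenarios show why a single self-secure check is not enough in this fault model. A random disturbance of one register breaks the invariant and is rejected by the ladder itself. Zeroing r0 at the start propagates to both registers, so the final comparison reads 0 = 0·m and is silent; skipping an iteration leaves the invariant intact because it holds at every iteration boundary. Both of those faulty half-results reach the final verification, which rejects them because x ↦ x^e is a bijection modulo each prime, so any changed half changes the recombined signature; without that layer the faulty signature would have been output. The verification step is itself a single comparison, so in a real implementation it must also be protected against being skipped.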
Keywords
Bellcore attack, RSA-CRT, Modular exponentiation, Power analysis
Acknowledgments
This work has been co-funded by the DFG as part of projects P1 and S5 within the CRC 1119 CROSSING and by the European Union’s 7th Framework Program (FP7/2007-2013) under grant agreement no. 609611 (PRACTICE).
References
- 1.Aumüller, C., Bier, P., Fischer, W., Hofreiter, P., Seifert, J.: Fault attacks on RSA with CRT: concrete results and practical countermeasures. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 260–275. Springer, Heidelberg (2003)CrossRefGoogle Scholar
- 2.Baek, Y.: Regular 2\({}^{\text{ w }}\)-ary right-to-left exponentiation algorithm with very efficient DPA and FA countermeasures. Int. J. Inf. Sec. 9(5), 363–370 (2010)MathSciNetCrossRefGoogle Scholar
- 3.Blömer, J., Gomes Da Silva, R., Gunther, P., Kramer, J., Seifert, J.P.: A practical second-order fault attack against a real-world pairing implementation. In: Fault Diagnosis and Tolerance in Cryptography (FDTC 2014), pp. 123–136. IEEE (2014)Google Scholar
- 4.Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997)CrossRefGoogle Scholar
- 5.Boscher, A., Handschuh, H., Trichina, E.: Blinded fault resistant exponentiationrevisited. In: Fault Diagnosis and Tolerance in Cryptography (FDTC 2009), pp. 3–9.IEEE (2009)Google Scholar
- 6.Boscher, A., Naciri, R., Prouff, E.: CRT RSA algorithm protected against fault attacks. In: Sauveron, D., Markantonakis, K., Bilas, A., Quisquater, J.-J. (eds.) WISTP 2007. LNCS, vol. 4462, pp. 229–243. Springer, Heidelberg (2007)Google Scholar
- 7.Coron, J.-S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999)CrossRefGoogle Scholar
- 8.Fumaroli, G., Vigilant, D.: Blinded fault resistant exponentiation. In: Breveglieri, L., Koren, I., Naccache, D., Seifert, J.-P. (eds.) FDTC 2006. LNCS, vol. 4236, pp. 62–70. Springer, Heidelberg (2006)CrossRefGoogle Scholar
- 9.Giraud, C.: An RSA implementation resistant to fault attacks and to simple power analysis. IEEE Trans. Comput. 55(9), 1116–1120 (2006)CrossRefGoogle Scholar
- 10.Joye, M., Karroumi, M.: Memory-efficient fault countermeasures. In: Prouff, E. (ed.) CARDIS 2011. LNCS, vol. 7079, pp. 84–101. Springer, Heidelberg (2011)CrossRefGoogle Scholar
- 11.Joye, M., Lenstra, A.K., Quisquater, J.: Chinese remaindering based cryptosystems in the presence of faults. J. Cryptol. 12(4), 241–245 (1999)CrossRefzbMATHGoogle Scholar
- 12.Joye, M., Paillier, P., Yen, S.M.: Secure evaluation of modular functions. In: 2001 International Workshop on Cryptology and Network Security (2001)Google Scholar
- 13.Joye, M., Yen, S.: The Montgomery powering ladder. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 291–302. Springer, Heidelberg (2003)CrossRefGoogle Scholar
- 14.Kim, C.H., Quisquater, J.: How can we overcome both side channel analysis and fault attacks on RSA-CRT? In: Fault Diagnosis and Tolerance in Cryptography (FDTC 2007), pp. 21–29. IEEE (2007)Google Scholar
- 15.Kiss, A., Krämer, J., Rauzy, P., Seifert, J.P.: Algorithmic countermeasures against fault attacks and power analysis for RSA-CRT. Cryptology ePrint Archive, Report 2016/238 (2016). http://eprint.iacr.org/2016/238 Google Scholar
- 16.Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)CrossRefGoogle Scholar
- 17.Krämer, J., Nedospasov, D., Seifert, J.-P.: Weaknesses in current RSA signature schemes. In: Kim, H. (ed.) ICISC 2011. LNCS, vol. 7259, pp. 155–168. Springer, Heidelberg (2012)CrossRefGoogle Scholar
- 18.Le, D.-P., Rivain, M., Tan, C.H.: On double exponentiation for securing RSA against fault analysis. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 152–168. Springer, Heidelberg (2014)CrossRefGoogle Scholar
- 19.Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987)MathSciNetCrossRefzbMATHGoogle Scholar
- 20.Quisquater, J.J., Couvreur, C.: Fast decipherment algorithm for RSA public-key cryptosystem. Electron. Lett. 18(21), 905–907 (1982)CrossRefGoogle Scholar
- 21.Rauzy, P., Guilley, S.: Countermeasures against high-order fault-injection attacks on CRT-RSA. In: Fault Diagnosis and Tolerance in Cryptography (FDTC 2014), pp. 68–82. IEEE (2014)Google Scholar
- 22.Rivain, M.: Securing RSA against fault analysis by double addition chain exponentiation. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 459–480. Springer, Heidelberg (2009)CrossRefGoogle Scholar
- 23.Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)MathSciNetCrossRefzbMATHGoogle Scholar
- 24.Shamir, A.: Method and apparatus for protecting public key schemes from timing and fault attacks, US Patent 5,991,415 (1999)Google Scholar
- 25.Witteman, M.: A DPA attack on RSA in CRT mode (2009)Google Scholar
- 26.Yen, S., Joye, M.: Checking before output may not be enough against fault-based cryptanalysis. IEEE Trans. Comput. 49(9), 967–970 (2000)CrossRefzbMATHGoogle Scholar
- 27.Yen, S.-M., Kim, S., Lim, S., Moon, S.-J.: A countermeasure against one physical cryptanalysis may benefit another attack. In: Kim, K. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 414–427. Springer, Heidelberg (2002)CrossRefGoogle Scholar
- 28.Yen, S.-M., Lien, W.-C., Moon, S.-J., Ha, J.C.: Power analysis by exploiting chosen message and internal collisions – vulnerability of checking mechanism for RSA-decryption. In: Dawson, E., Vaudenay, S. (eds.) Mycrypt 2005. LNCS, vol. 3715, pp. 183–195. Springer, Heidelberg (2005)CrossRefGoogle Scholar