CRT RSA Algorithm Protected Against Fault Attacks

  • Arnaud Boscher
  • Robert Naciri
  • Emmanuel Prouff
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4462)


Embedded devices performing RSA signatures are subject to Fault Attacks, particularly when the Chinese Remainder Theorem is used. In most cases, the modular exponentiation and the Garner recombination algorithms are targeted. To thwart Fault Attacks, we propose a new generic method of computing modular exponentiation and we prove its security in a realistic fault model. By construction, our proposal is also protected against Simple Power Analysis. Based on our new resistant exponentiation algorithm, we present two different ways of computing CRT RSA signatures in a secure way. We show that those methods do not increase execution time and can be easily implemented on low-resource devices.


RSA Chinese Remainder Theorem Modular Exponentiation Fault Attacks Simple Power Analysis Smart Card 


  1. 1.
    Boneh, D., DeMillo, R.A., Lipton, R.J.: On the Importance of Checking Cryptographic Protocols for Faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  2. 2.
    Aumüller, C., et al.: Fault attacks on RSA with CRT: Concrete Results and Practical Countermeasures. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 260–275. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  3. 3.
    Blömer, J., Otto, M., Seifert, J.P.: A New RSA-CRT Algorithm Secure Against Bellcore Attacks. In: Jajodia, S., Atluri, V., Jaeger, T. (eds.) ACM Conference on Computer and Communications Security – CCS’03, pp. 311–320. ACM Press, New York (2003)Google Scholar
  4. 4.
    Ciet, M., Joye, M.: Practical Fault Countermeasures for Chinese Remaindering Based RSA. In: FDTC’05, pp. 124–132 (2005)Google Scholar
  5. 5.
    Giraud, C.: Fault Resistant RSA Implementation. In: FDTC’05, pp. 142–151 (2005)Google Scholar
  6. 6.
    Shamir, A.: Improved method and apparatus for protecting public key schemes from timing and fault attacks. International Patent Number: WO 98/52319 (1998), Also presented at the rump session of EUROCRYPT’97.Google Scholar
  7. 7.
    Yen, S.-M., et al.: RSA Speedup with Residue Number System Immune against Hardware Fault Cryptanalysis. In: Kim, K.-c. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 397–413. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  8. 8.
    Wagner, D.: Cryptanalysis of a Provable Secure CRT-RSA Algorithm. In: Pfitzmann, B., Liu, P. (eds.) ACM Conference on Computer and Communications Security – CCS’04, pp. 82–91. ACM Press, New York (2004)Google Scholar
  9. 9.
    Otto, M., Blömer, J.: Wagner’s Attack on a Secure CRT-RSA Algorithm Reconsidered. In: Breveglieri, L., et al. (eds.) FDTC 2006. LNCS, vol. 4236, pp. 13–23. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  10. 10.
    Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2), 120–126 (1978)MathSciNetCrossRefzbMATHGoogle Scholar
  11. 11.
    Couvreur, C., Quisquater, J.-J.: Fast decipherment algorithm for RSA public-key cryptosystem. Electronics Letters 18(21), 905–907 (1982)CrossRefGoogle Scholar
  12. 12.
    Garner, H.: The residue number system. IRE Transactions on Electronic Computers 8(6), 140–147 (1959)CrossRefGoogle Scholar
  13. 13.
    Kocher, P.: Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
  14. 14.
    Kocher, P., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener, M.J. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  15. 15.
    Messerges, T.S., Dabbish, E.A., Sloan, R.H.: Power analysis attacks on modular exponentiation in smartcards. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 144–157. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  16. 16.
    Menezes, A., van Oorschot, P., Vanstone, S.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997), Electronic version available at zbMATHGoogle Scholar
  17. 17.
    Coron, J.-S.: Resistance Against Differential Power Analysis for Elliptic Curve Cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  18. 18.
    Joye, M., Lenstra, A.K., Quisquater, J.-J.: Chinese Remaindering Based Cryptosystems in the Presence of Faults. Journal of Cryptology 12(4), 241–246 (1999)CrossRefzbMATHGoogle Scholar
  19. 19.
    Yen, S.M., Joye, M.: Checking before output not be enough against fault-based cryptanalysis. IEEE Transactions on Computers 49(9), 967–970 (2000)CrossRefzbMATHGoogle Scholar
  20. 20.
    Joye, M., Yen, S.-M.: The Montgomery Powering Ladder. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 291–302. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  21. 21.
    Lemke-Rust, K., Paar, C.: An Adversarial Model for Fault Analysis Against Low-Cost Cryptographic Devices. In: Breveglieri, L., et al. (eds.) FDTC 2006. LNCS, vol. 4236, pp. 131–143. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  22. 22.
    Yen, S.-M., Moon, S.J., Ha, J.-C.: Permanent Fault Attack on RSA with CRT. In: Safavi-Naini, R., Seberry, J. (eds.) ACISP 2003. LNCS, vol. 2727, pp. 285–296. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  23. 23.
    Bar-El, H., et al.: The Sorcerer’s Apprentice Guide to Fault Attacks. In: Breveglieri, L., Koren, I. (eds.) Workshop on Fault Diagnosis and Tolerance in Cryptography – FDTC’04, pp. 330–342. IEEE Computer Society, Los Alamitos (2004)Google Scholar
  24. 24.
    Fumaroli, G., Vigilant, D.: Blinded Fault Resistant Exponentiation. In: Breveglieri, L., et al. (eds.) FDTC 2006. LNCS, vol. 4236, pp. 62–70. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  25. 25.
    Boreale, M.: Attacking Right-to-Left Modular Exponentiation with Timely Random Faults. In: Breveglieri, L., et al. (eds.) FDTC 2006. LNCS, vol. 4236, pp. 24–35. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  26. 26.
    Fouque, P.-A., Valette, F.: The Doubling Attack: Why Upwards is better than Downwards. In: D.Walter, C., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 269–280. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  27. 27.
    Yen, S.-M., et al.: Power Analysis by Exploiting Chosen Message and Internal Collisions – Vulnerability of Checking Mechanism for RSA-Decryption. In: Dawson, E., Vaudenay, S. (eds.) Mycrypt 2005. LNCS, vol. 3715, pp. 183–195. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  28. 28.
    Chaum, D.: Blind signatures for untraceable payments. In: Chaum, D., Rivest, R., Sherman, A. (eds.) Advances in Cryptology – CRYPTO ’82, pp. 199–204. Plenum Press, New York (1982)Google Scholar
  29. 29.
    Otto, M.: Fault Attacks and Countermeasures. PhD thesis, Universität Paderborn (2004)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2007

Authors and Affiliations

  • Arnaud Boscher
    • 1
  • Robert Naciri
    • 2
  • Emmanuel Prouff
    • 2
  1. 1.Spansion, 105 rue Anatole France, 92684 Levallois-Perret CedexFrance
  2. 2.Oberthur Card Systems, 71-73 rue des Hautes Pâtures, 92726 Nanterre CedexFrance

Personalised recommendations