Safe-Error Attack on SPA-FA Resistant Exponentiations Using a HW Modular Multiplier

  • Chong Hee Kim
  • Jong Hoon Shin
  • Jean-Jacques Quisquater
  • Pil Joong Lee
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4817)


RSA is one of the most widely used algorithms in smart cards today. The core of RSA is a modular exponentiation composed of modular multiplications, so most smart cards include a hardware modular multiplier to speed up the computation. However, implementing a cryptographic algorithm securely in an embedded device such as a smart card has become a major challenge since the advent of side channel analysis and fault attacks. In 2005 Giraud proposed an exponentiation algorithm that is secure against Simple Power Analysis (SPA) and Fault Attacks (FA). Recently Boscher et al. proposed another SPA-FA resistant exponentiation algorithm. To the authors' best knowledge, these are the only two exponentiation algorithms that provide security against SPA and FA simultaneously. Both algorithms are also secure against C safe-error and M safe-error attacks when they are implemented in software. However, when they are implemented with a hardware modular multiplier, as is usual in a smart card, they can be vulnerable to another type of safe-error attack. In this paper, we show how this attack is possible on both SPA-FA resistant exponentiation algorithms.


Keywords: Smart Card, Modular Multiplication, Residue Number System, Embedded Device, Cryptographic Algorithm




  1. Advanced Crypto Engine, Infineon. Available at http://www.infin
  2. Fame XE, NXD. Available at
  3. TORNATO, Samsung. Available at
  4. Aumüller, C., Bier, P., Fischer, W., Hofreiter, P., Seifert, J.-P.: Fault attacks on RSA with CRT: Concrete results and practical countermeasures. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 260–275. Springer, Heidelberg (2003)
  5. Bao, F., Deng, R., Han, Y., Jeng, A., Narasimhalu, A., Ngair, T.: Breaking public key cryptosystems on tamper resistant devices in the presence of transient faults. In: Christianson, B., Lomas, M. (eds.) Security Protocols. LNCS, vol. 1361, pp. 115–124. Springer, Heidelberg (1998)
  6. Bar-El, H., Choukri, H., Naccache, D., Tunstall, M., Whelan, C.: The sorcerer's apprentice guide to fault attacks. In: Fault Diagnosis and Tolerance in Cryptography in association with DSN 2004 – The International Conference on Dependable Systems and Networks, pp. 330–342 (2004)
  7. Blömer, J., Otto, M.: Wagner's attack on a secure CRT-RSA algorithm reconsidered. In: Breveglieri, L., Koren, I., Naccache, D., Seifert, J.-P. (eds.) FDTC 2006. LNCS, vol. 4236, pp. 13–23. Springer, Heidelberg (2006)
  8. Boneh, D., DeMillo, R., Lipton, R.: On the importance of checking cryptographic protocols for faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997)
  9. Boneh, D., DeMillo, R., Lipton, R.: On the importance of eliminating errors in cryptographic computations. Journal of Cryptology 14(2), 101–119 (2001). An earlier version appears in [8]
  10. Boscher, A., Naciri, R., Prouff, E.: CRT RSA algorithm protected against fault attacks. In: Sauveron, D., Markantonakis, K., Bilas, A., Quisquater, J.J. (eds.) WISTP 2007. LNCS, vol. 4462, pp. 237–252. Springer, Heidelberg (2007)
  11. Örs, S.B., Batina, L., Preneel, B., Vandewalle, J.: Hardware implementation of a Montgomery modular multiplier in a systolic array. In: Proceedings of the 17th International Symposium on Parallel and Distributed Processing, pp. 1–8. IEEE Computer Society, Los Alamitos (2003)
  12. Giraud, C.: Fault resistant RSA implementation. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 142–151. Springer, Heidelberg (2003)
  13. Joye, M., Paillier, P., Yen, S.-M.: Secure evaluation of modular functions. In: International Workshop on Cryptology and Network Security 2001, pp. 227–229 (2001)
  14. Joye, M., Yen, S.-M.: The Montgomery powering ladder. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 291–302. Springer, Heidelberg (2003)
  15. Kocher, P.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)
  16. Manochehri, K., Pourmozafari, S.: Modified radix-2 Montgomery modular multiplication to make it faster and simpler. In: International Conference on Coding and Computing – ITCC 2005, vol. 1, pp. 598–602 (2005)
  17. Messerges, T., Dabbish, E., Sloan, R.: Examining smart-card security under the threat of power analysis attack. IEEE Transactions on Computers 51(5), 541–552 (2002)
  18. Seifert, J.-P.: On authenticated computing and RSA-based authentication. In: Proc. of ACM Conference on Computer and Communications Security 2005, pp. 122–127. ACM Press, New York (2005)
  19. Shamir, A.: Method and apparatus for protecting public key schemes from timing and fault attacks. United States Patent #5,991,415 (November 23, 1999). Also presented at the rump session of EUROCRYPT 1997
  20. Skorobogatov, S., Anderson, R.-J.: Optical fault induction attacks. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 2–12. Springer, Heidelberg (2003)
  21. Wagner, D.: Cryptanalysis of a provably secure CRT-RSA algorithm. In: 11th ACM Conference on Computer and Communications Security, pp. 92–97. ACM Press, New York (2004)
  22. Yen, S.-M., Joye, M.: Checking before output may not be enough against fault based cryptanalysis. IEEE Transactions on Computers 49(9), 967–970 (2000)
  23. Yen, S.-M., Kim, S., Lim, S., Moon, S.: RSA speedup with residue number system immune against hardware fault cryptanalysis. In: Kim, K.-c. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 397–413. Springer, Heidelberg (2002)
  24. Yen, S.-M., Kim, S., Lim, S., Moon, S.: RSA speedup with Chinese remainder theorem immune against hardware fault cryptanalysis. IEEE Transactions on Computers 52(4), 461–472 (2003). An earlier version appears in [23]

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Chong Hee Kim (1)
  • Jong Hoon Shin (2)
  • Jean-Jacques Quisquater (1)
  • Pil Joong Lee (2)
  1. UCL Crypto Group, Université Catholique de Louvain, Belgium
  2. Dept. of Electronic and Electrical Eng., POSTECH, Pohang, Korea
