Combined Implementation Attack Resistant Exponentiation

  • Jörn-Marc Schmidt
  • Michael Tunstall
  • Roberto Avanzi
  • Ilya Kizhvatov
  • Timo Kasper
  • David Oswald
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6212)


Different types of implementation attacks, such as those based on side-channel leakage and active fault injection, are often considered separate threats. Countermeasures are, therefore, often developed and implemented accordingly. However, Amiel et al. showed that an adversary can successfully combine two attack methods to overcome such countermeasures. In this paper, we consider instances of these combined attacks applied to RSA and elliptic curve-based cryptosystems. We show how previously proposed countermeasures may fail to thwart these attacks, and propose a countermeasure that protects the variables in a generic exponentiation algorithm in the same scenario.


Keywords: Combined Implementation Attacks, Countermeasures, Infective Computation, RSA, ECC




  1. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)
  2. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)
  3. Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: Concrete results. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 251–261. Springer, Heidelberg (2001)
  4. Anderson, R.J., Kuhn, M.G.: Tamper resistance — a cautionary note. In: Adam, N.R., Yesha, Y. (eds.) Electronic Commerce 1994. LNCS, vol. 1028, pp. 1–11. Springer, Heidelberg (1996)
  5. Skorobogatov, S.P., Anderson, R.J.: Optical fault induction attacks. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 2–12. Springer, Heidelberg (2003)
  6. Baek, Y.J., Vasyltsov, I.: How to prevent DPA and fault attack in a unified way for ECC scalar multiplication — ring extension method. In: Dawson, E., Wong, D.S. (eds.) ISPEC 2007. LNCS, vol. 4464, pp. 225–237. Springer, Heidelberg (2007)
  7. Kim, C.H., Quisquater, J.J.: How can we overcome both side channel analysis and fault attacks on RSA-CRT? In: Breveglieri, L., Gueron, S., Koren, I., Naccache, D., Seifert, J.P. (eds.) FDTC 2007, pp. 21–29. IEEE Computer Society, Los Alamitos (2007)
  8. Amiel, F., Villegas, K., Feix, B., Marcel, L.: Passive and active combined attacks: Combining fault attacks and side channel analysis. In: Breveglieri, L., Gueron, S., Koren, I., Naccache, D., Seifert, J.P. (eds.) FDTC 2007, pp. 92–102. IEEE Computer Society, Los Alamitos (2007)
  9. Yen, S.M., Kim, S., Lim, S., Moon, S.J.: RSA speedup with residue number system immune against hardware fault cryptanalysis. In: Kim, K. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 397–413. Springer, Heidelberg (2002)
  10. Gaubatz, G., Sunar, B.: Robust finite field arithmetic for fault-tolerant public-key cryptography. In: Breveglieri, L., Koren, I., Naccache, D., Seifert, J.P. (eds.) FDTC 2006. LNCS, vol. 4236, pp. 196–210. Springer, Heidelberg (2006)
  11. Chevallier-Mames, B., Ciet, M., Joye, M.: Low-cost solutions for preventing simple side-channel analysis: Side-channel atomicity. IEEE Transactions on Computers 53(6), 760–768 (2004)
  12. Shamir, A.: Improved method and apparatus for protecting public key schemes from timing and fault attacks. US Patent 5991415 (1999)
  13. Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks — Revealing the Secrets of Smart Cards. Springer, Heidelberg (2007)
  14. Bar-El, H., Choukri, H., Naccache, D., Tunstall, M., Whelan, C.: The sorcerer’s apprentice guide to fault attacks. Proceedings of the IEEE 94(2), 370–382 (2006)
  15. Courrége, J.C., Feix, B., Roussellet, M.: Simple power analysis on exponentiation revisited. In: Gollmann, D., Lanet, J.-L., Iguchi-Cartigny, J. (eds.) CARDIS 2010. LNCS, vol. 6035, pp. 65–79. Springer, Heidelberg (2010)
  16. Bernstein, D.J., Lange, T.: Inverted Edwards coordinates. In: Boztas, S., Lu, H. (eds.) AAECC 2007. LNCS, vol. 4851, pp. 20–27. Springer, Heidelberg (2007)
  17. Kim, C.H., Quisquater, J.J.: Fault attacks for CRT based RSA: New attacks, new results, and new countermeasures. In: Sauveron, D., Markantonakis, K., Bilas, A., Quisquater, J.J. (eds.) WISTP 2007. LNCS, vol. 4462, pp. 215–228. Springer, Heidelberg (2007)
  18. Dottax, E., Giraud, C., Rivain, M., Sierra, Y.: On second-order fault analysis resistance for CRT-RSA implementations. In: Markowitch, O., Bilas, A., Hoepman, J.H., Mitchell, C.J., Quisquater, J.J. (eds.) WISTP 2009. LNCS, vol. 5746, pp. 68–83. Springer, Heidelberg (2009)
  19. Rivain, M.: Securing RSA against fault analysis by double addition chain exponentiation. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 459–480. Springer, Heidelberg (2009)
  20. Giraud, C.: An RSA implementation resistant to fault attacks and to simple power analysis. IEEE Transactions on Computers 12(4), 241–245 (2006)
  21. Joye, M., Yen, S.M.: The Montgomery powering ladder. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 291–302. Springer, Heidelberg (2003)
  22. Boscher, A., Naciri, R., Prouff, E.: CRT RSA algorithm protected against fault attacks. In: Sauveron, D., Markantonakis, C., Bilas, A., Quisquater, J.J. (eds.) WISTP 2007. LNCS, vol. 4462, pp. 229–243. Springer, Heidelberg (2007)
  23. Fumaroli, G., Vigilant, D.: Blinded fault resistant exponentiation. In: Breveglieri, L., Koren, I., Naccache, D., Seifert, J.P. (eds.) FDTC 2006. LNCS, vol. 4236, pp. 62–70. Springer, Heidelberg (2006)
  24. Proudler, I.K.: Idempotent AN codes. In: IEE Colloquium on Signal Processing Applications of Finite Field Mathematics, pp. 8/1–8/5. IEEE, Los Alamitos (1989)
  25. Medwed, M., Schmidt, J.M.: A generic fault countermeasure providing data and program flow integrity. In: Breveglieri, L., Gueron, S., Koren, I., Naccache, D., Seifert, J.P. (eds.) FDTC 2008, pp. 68–73. IEEE, Los Alamitos (2008)
  26. Smart, N., Oswald, E., Page, D.: Randomised representations. In: IET Proceedings on Information Security, vol. 2(2), pp. 19–27 (2008)
  27. Lange, T.: Trace zero subvarieties of genus 2 curves for cryptosystems. Journal of the Ramanujan Mathematical Society 19(1), 15–33 (2004)
  28. Blömer, J., Otto, M., Seifert, J.P.: Sign change fault attacks on elliptic curve cryptosystems. In: Breveglieri, L., Koren, I., Naccache, D., Seifert, J.P. (eds.) FDTC 2006. LNCS, vol. 4236, pp. 36–52. Springer, Heidelberg (2006)
  29. Goubin, L.: A refined power analysis attack on elliptic curve cryptosystems. In: Desmedt, Y. (ed.) PKC 2003. LNCS, vol. 2567, pp. 199–210. Springer, Heidelberg (2002)
  30. Biehl, I., Meyer, B., Müller, V.: Differential fault attacks on elliptic curve cryptosystems. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Heidelberg (2000)
  31. Avanzi, R.M.: Countermeasures against differential power analysis for hyperelliptic curves. In: Walter, C., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 77–88. Springer, Heidelberg (2003)
  32. Acıiçmez, O., Gueron, S., Seifert, J.P.: New branch prediction vulnerabilities in OpenSSL and necessary software countermeasures. In: Galbraith, S.D. (ed.) Cryptography and Coding 2007. LNCS, vol. 4887, pp. 185–203. Springer, Heidelberg (2007)
  33. Jebelean, T.: An algorithm for exact division. Journal of Symbolic Computation 15(2), 169–180 (1993)

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Jörn-Marc Schmidt (1)
  • Michael Tunstall (2)
  • Roberto Avanzi (3)
  • Ilya Kizhvatov (4)
  • Timo Kasper (3)
  • David Oswald (3)

  1. Institute for Applied Information Processing and Communications, Graz University of Technology, Graz, Austria
  2. Department of Computer Science, University of Bristol, Bristol, United Kingdom
  3. Horst Görtz Institute for IT Security, Ruhr-University Bochum, Bochum, Germany
  4. Computer Science and Communications Research Unit, University of Luxembourg, Luxembourg
