Memory-Efficient Fault Countermeasures

  • Marc Joye
  • Mohamed Karroumi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7079)


An efficient countermeasure against fault attacks for a right-to-left binary exponentiation algorithm was proposed by Boscher, Naciri and Prouff (WISTP, 2007). This countermeasure was later generalized by Baek (Int. J. Inf. Sec., 2010) to the \(2^w\)-ary right-to-left algorithms for any \(w \geqslant 1\) (the case \(w = 1\) corresponding to the method of Boscher, Naciri and Prouff). In this paper, we modify these algorithms, devise new coherence relations for error detection, and reduce the memory requirements without sacrificing performance or security. In particular, a full register (in working memory) is saved compared to previous implementations. As a consequence, the implementations described in this paper are particularly well suited to applications for which memory is at a premium, including smart-card implementations of exponentiation-based cryptosystems.


Keywords: Fault attacks; countermeasures; exponentiation; memory-constrained devices; smart cards
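The abstract takes the Boscher–Naciri–Prouff right-to-left binary ladder (the case \(w = 1\)) as its starting point. The following is an added example, not code from the paper: it implements that ladder with its coherence relation R0 · R1 · x = R2 and shows the check catching a simulated fault. The paper's own memory-saving variant and its new coherence relations are not reproduced here; the fault model (an XOR into one register) and all test parameters are constructed.

```python
# Added example (not the paper's code): Boscher-Naciri-Prouff (WISTP 2007)
# right-to-left binary exponentiation with its coherence check, plus a
# constructed fault model to show how an erroneous result is detected.

def bnp_exp(x, d, n_bits, modulus, fault=None):
    """Return (x**d mod modulus, check_ok) using three registers R0, R1, R2.

    Invariant after processing bit i (0-based, from the LSB):
        R0 = x^(d mod 2^(i+1))
        R1 = x^((2^(i+1) - 1) - (d mod 2^(i+1)))
        R2 = x^(2^(i+1))
    hence R0 * R1 * x == R2 (mod modulus) at every step and at the end.
    `fault` = (step, register_index, xor_mask) injects a transient fault into
    one register right after that step (constructed model, for illustration).
    """
    assert 0 <= d < (1 << n_bits), "exponent must fit in n_bits"
    r = [1, 1, x % modulus]
    for i in range(n_bits):
        bit = (d >> i) & 1
        # One multiplication and one squaring per bit whatever its value, so the
        # ladder is regular; the register not holding the result still
        # accumulates state that the final coherence check relies on.
        r[1 - bit] = (r[1 - bit] * r[2]) % modulus
        r[2] = (r[2] * r[2]) % modulus
        if fault is not None and fault[0] == i:
            _, reg, mask = fault
            r[reg] ^= mask
    check_ok = (r[0] * r[1] * x) % modulus == r[2]
    return r[0], check_ok


def checked_exp(x, d, n_bits, modulus, fault=None):
    """Release the result only if the coherence check passes; otherwise None.

    Withholding the faulty R0 (or replacing it with a random value) is what
    denies an attacker the erroneous output that fault analysis needs.
    """
    result, ok = bnp_exp(x, d, n_bits, modulus, fault)
    return result if ok else None


if __name__ == "__main__":
    P = (1 << 31) - 1          # prime modulus (constructed test parameter)
    X, D = 12345, 0xB7E15163   # constructed base and 32-bit exponent
    print(checked_exp(X, D, 32, P) == pow(X, D, P))       # True
    print(checked_exp(X, D, 32, P, fault=(31, 0, 1)))     # None: fault in R0 caught
    print(checked_exp(X, D, 32, P, fault=(5, 2, 0x10)))   # None: fault in R2 caught
```

With a prime modulus and a nonzero base, any fault that changes a register value modulo the prime is detected; for an RSA modulus the same holds except with negligible probability.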


  1. Aumüller, C., Bier, P., Fischer, W., Hofreiter, P., Seifert, J.-P.: Fault attacks on RSA with CRT: Concrete results and practical countermeasures. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 260–275. Springer, Heidelberg (2003)
  2. Baek, Y.-J.: Regular 2^w-ary right-to-left exponentiation algorithm with very efficient DPA and FA countermeasures. International Journal of Information Security 9(5), 363–370 (2010)
  3. Barreto, P.S.L.M.: A note on efficient computation of cube roots in characteristic 3. Cryptology ePrint Archive, Report 2004/305 (2004)
  4. Blömer, J., Otto, M., Seifert, J.-P.: A new CRT-RSA algorithm secure against Bellcore attacks. In: Jajodia, S., Atluri, V., Jaeger, T. (eds.) 10th ACM Conference on Computer and Communications Security (CCS 2003), pp. 311–320. ACM Press (2003)
  5. Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of eliminating errors in cryptographic computations. Journal of Cryptology 14(2), 101–119 (2001); earlier version published in EUROCRYPT 1997
  6. Boscher, A., Handschuh, H., Trichina, E.: Blinded exponentiation revisited. In: Breveglieri, L., et al. (eds.) Fault Diagnosis and Tolerance in Cryptography - FDTC 2009, pp. 3–9. IEEE Computer Society (2009)
  7. Boscher, A., Naciri, R., Prouff, E.: CRT RSA algorithm protected against fault attacks. In: Sauveron, D., Markantonakis, K., Bilas, A., Quisquater, J.-J. (eds.) WISTP 2007. LNCS, vol. 4462, pp. 229–243. Springer, Heidelberg (2007)
  8. Brauer, A.: On addition chains. Bulletin of the American Mathematical Society 45(10), 736–739 (1939)
  9. Coron, J.-S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999)
  10. Dottax, E., Giraud, C., Rivain, M., Sierra, Y.: On second-order fault analysis resistance for CRT-RSA implementations. In: Markowitch, O., Bilas, A., Hoepman, J.-H., Mitchell, C.J., Quisquater, J.-J. (eds.) WISTP 2009. LNCS, vol. 5746, pp. 68–83. Springer, Heidelberg (2009)
  11. Giraud, C.: An RSA implementation resistant to fault attacks and to simple power analysis. IEEE Transactions on Computers 55(9), 1116–1120 (2006)
  12. Joye, M.: Highly regular m-ary powering ladders. In: Jacobson Jr., M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 350–363. Springer, Heidelberg (2009)
  13. Joye, M.: Protecting RSA against fault attacks: The embedding method. In: Breveglieri, L., et al. (eds.) Fault Diagnosis and Tolerance in Cryptography - FDTC 2009, pp. 41–45. IEEE Computer Society (2009)
  14. Joye, M., Tunstall, M.: Exponent recoding and regular exponentiation algorithms. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 334–349. Springer, Heidelberg (2009)
  15. Joye, M., Yen, S.-M.: The Montgomery powering ladder. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 291–302. Springer, Heidelberg (2003)
  16. Karp, A.H., Markstein, P.W.: High-precision division and square root. ACM Transactions on Mathematical Software 23(4), 561–589 (1997)
  17. Kim, C.H., Quisquater, J.-J.: Fault attacks for CRT based RSA: New attacks, new results, and new countermeasures. In: Sauveron, D., Markantonakis, K., Bilas, A., Quisquater, J.-J. (eds.) WISTP 2007. LNCS, vol. 4462, pp. 215–228. Springer, Heidelberg (2007)
  18. Kim, C.H., Quisquater, J.-J.: How can we overcome both side channel analysis and fault attacks on RSA-CRT? In: Breveglieri, L., et al. (eds.) Fault Diagnosis and Tolerance in Cryptography - FDTC 2007, pp. 21–29. IEEE Computer Society (2007)
  19. Knudsen, E.W.: Elliptic scalar multiplication using point halving. In: Lam, K.-Y., Okamoto, E., Xing, C. (eds.) ASIACRYPT 1999. LNCS, vol. 1716, pp. 135–149. Springer, Heidelberg (1999)
  20. Knuth, D.E.: The Art of Computer Programming, vol. 2: Seminumerical Algorithms, 2nd edn. Addison-Wesley (1981)
  21. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)
  22. Rivain, M.: Securing RSA against fault analysis by double addition chain exponentiation. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 459–480. Springer, Heidelberg (2009)
  23. Shamir, A.: Method and apparatus for protecting public key schemes from timing and fault attacks. US Patent #5,991,415 (November 1999); presented at the rump session of EUROCRYPT 1997
  24. Vigilant, D.: RSA with CRT: A new cost-effective solution to thwart fault attacks. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 130–145. Springer, Heidelberg (2008)
  25. Yao, A.C.-C.: On the evaluation of powers. SIAM Journal on Computing 5(1), 100–103 (1976)
  26. Yen, S.-M., Joye, M.: Checking before output may not be enough against fault-based cryptanalysis. IEEE Transactions on Computers 49(9), 967–970 (2000)
  27. Yen, S.-M., Kim, S., Lim, S., Moon, S.-J.: A countermeasure against one physical cryptanalysis may benefit another attack. In: Kim, K. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 414–429. Springer, Heidelberg (2002)
  28. Yungui, C., Xiaodong, Y., Bingshan, W.: A fast division technique for constant divisors 2^m(2^n ± 1). Scientia Sinica (Series A) XXVII(9), 984–989 (1984)

Copyright information

© IFIP International Federation for Information Processing 2011

Authors and Affiliations

  • Marc Joye (1)
  • Mohamed Karroumi (1)
  1. Security & Content Protection Labs, Technicolor, Cesson-Sévigné Cedex, France