Attacking RSA–CRT signatures with faults on Montgomery multiplication

  • CHES 2012
  • Published in: Journal of Cryptographic Engineering

Abstract

In this paper, we present several efficient fault attacks against implementations of RSA–CRT signatures that use modular exponentiation algorithms based on Montgomery multiplication. They apply to any padding function, including randomized paddings, and as such are the first fault attacks effective against RSA–PSS. The new attacks are based on the assumption that a small register can be forced to either zero, or a constant value, or a value with zero high-order bits. We show that these models are quite realistic, as such faults can be achieved against many proposed hardware designs for RSA signatures.
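As an added illustration (not code from the paper), the toy signer below builds RSA–CRT on a word-serial Montgomery multiplier, exposes a hook that models the abstract's fault assumption on a small operand register (here, the register holding one word of the multiplier operand), and applies the standard verify-before-output check so that a faulted signature is never released. The word size `W`, the hook names and the key parameters are all constructed assumptions.

```python
# Added example, not the paper's code: word-serial Montgomery multiplier,
# toy RSA-CRT signer, fault hook on the operand register, output check.
W = 16  # word size of the multiplier register (constructed choice)

def mont_mul(a, b, n, fault=None):
    """Word-serial Montgomery product a*b*R^-1 mod n, R = 2^(W*k).
    fault(i, word) may corrupt the i-th word of b as it is loaded."""
    k = (n.bit_length() + W - 1) // W
    mask = (1 << W) - 1
    n_inv = (-pow(n, -1, 1 << W)) & mask  # -n^-1 mod 2^W
    t = 0
    for i in range(k):
        bi = (b >> (W * i)) & mask
        if fault is not None:
            bi = fault(i, bi)  # modelled fault on the small register
        t += a * bi
        t = (t + ((t * n_inv) & mask) * n) >> W  # one reduction step
    return t - n if t >= n else t

def mont_pow(base, exp, n, fault=None):
    """Left-to-right square-and-multiply kept in Montgomery form."""
    k = (n.bit_length() + W - 1) // W
    R = 1 << (W * k)
    x = mont_mul(base % n, (R * R) % n, n)  # base in Montgomery form
    acc = R % n                              # 1 in Montgomery form
    for bit in bin(exp)[2:]:
        acc = mont_mul(acc, acc, n, fault)
        if bit == "1":
            acc = mont_mul(acc, x, n, fault)
    return mont_mul(acc, 1, n)               # leave Montgomery form

def crt_sign(m, p, q, d, fault_q=None):
    """RSA-CRT signature; fault_q faults the mod-q exponentiation."""
    sp = mont_pow(m, d % (p - 1), p)
    sq = mont_pow(m, d % (q - 1), q, fault_q)
    h = ((sp - sq) * pow(q, -1, p)) % p  # Garner recombination
    return sq + q * h

def sign_checked(m, p, q, d, e, fault_q=None):
    """Countermeasure: re-verify with the public key before output."""
    n = p * q
    s = crt_sign(m, p, q, d, fault_q)
    return s if pow(s, e, n) == m % n else None

# Fault model from the abstract: the register is forced to zero. Other
# models (constant value, cleared high-order bits) are hooks of the same
# shape, e.g. lambda i, w: w & 0xFF.
stuck_at_zero = lambda i, w: 0
# Constructed toy key: single-word primes, so one word is the whole register.
P, Q, E = 65521, 32749, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
```

With single-word primes the zeroed register collapses the mod-q half to 0, so the faulted signature is wrong modulo q and the public-key check in `sign_checked` rejects it.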


Notes

  1. Meaning that all the PEs are the same.

References

  1. Aciiçmez, O., Schindler, W., Koç, Ç.K.: Improving Brumley and Boneh timing attack on unprotected SSL implementations. In: ACM Conference on Computer and Communications Security, pp. 139–146 (2005)

  2. Aumüller, C., Bier, P., Fischer, W., Hofreiter, P., Seifert, J.-P.: Fault attacks on RSA with CRT: concrete results and practical countermeasures. In: CHES, pp. 260–275 (2002)

  3. Bellare, M., Rogaway, P.: PSS: provably secure encoding method for digital signatures. Submission to IEEE P1363 (1998)

  4. Bellare, M., Rogaway, P.: Probabilistic signature scheme. Patent, 2001. US 6266771

  5. Blömer, J., Otto, M., Seifert, J.-P.: A new CRT-RSA algorithm secure against Bellcore attacks. In: ACM Conference on Computer and Communications Security, pp. 311–320 (2003)

  6. Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults. In: EUROCRYPT, pp. 37–51 (1997)

  7. Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of eliminating errors in cryptographic computations. J. Cryptol. 14(2), 101–119 (2001)

  8. Brier, E., Naccache, D., Nguyen, P.Q., Tibouchi, M.: Modulus fault attacks against RSA-CRT signatures. In: CHES, pp. 192–206 (2011)

  9. Brumley, D., Boneh, D.: Remote timing attacks are practical. Comput. Netw. 48(5), 701–716 (2005)

  10. Chen, Y., Nguyen, P.Q.: Faster algorithms for approximate common divisors. In: EUROCRYPT, pp. 502–519 (2012)

  11. Chow, G.C.T., Eguro, K., Luk, W., Leong, P.: A Karatsuba-based Montgomery multiplier. In: FPL’10, pp. 434–437 (2010)

  12. Ciet, M., Joye, M.: Practical fault countermeasures for Chinese remaindering based cryptosystems. In: Breveglieri, L., Koren, I. (eds.) FDTC, pp. 124–131 (2005)

  13. Cohn, H., Heninger, N.: Approximate common divisors via lattices. Cryptology ePrint Archive, Report 2011/437, 2011. http://eprint.iacr.org/. Presented at ANTS-X

  14. Coron, J.-S., Giraud, C., Morin, N., Piret, G., Vigilant, D.: Fault attacks and countermeasures on Vigilant’s RSA-CRT algorithm. In: FDTC, pp. 89–96 (2010)

  15. Coron, J.-S., Joux, A., Kizhvatov, I., Naccache, D., Paillier, P.: Fault attacks on RSA signatures with partially unknown messages. In: CHES, pp. 444–456 (2009)

  16. Coron, J.-S., Mandal, A.: PSS is secure against random fault attacks. In: ASIACRYPT, pp. 653–666 (2009)

  17. Coron, J.-S., Naccache, D., Tibouchi, M.: Fault attacks against EMV signatures. In: CT-RSA, pp. 208–220 (2010)

  18. Fouque, P.-A., Guillermin, N., Leresteux, D., Tibouchi, M., Zapalowicz, J.-C.: Attacking RSA-CRT signatures with faults on Montgomery multiplication. In: CHES, pp. 447–462 (2012)

  19. Garner, H.L.: The residue number system. In: IRE-AIEE-ACM ’59 (Western), pp. 146–153. ACM (1959)

  20. Giraud, C.: An RSA implementation resistant to fault attacks and to simple power analysis. IEEE Trans. Comput. 55(9), 1116–1120 (2006)

  21. Howgrave-Graham, N.: Approximate integer common divisors. In: CaLC, pp. 51–66 (2001)

  22. Huang, M., Gaj, K., Kwon, S., El-Ghazawi, T.A.: An optimized hardware architecture for the Montgomery multiplication algorithm. In: Public Key Cryptography, pp. 214–228 (2008)

  23. Kaliski, B.S.: Raising the standard for RSA signatures: RSA-PSS. CryptoBytes Technical Newsletter, February 2003. http://www.rsa.com/rsalabs/node.asp?id=2005

  24. Koç, Ç.K., Acar, T.: Analyzing and comparing Montgomery multiplication algorithms. IEEE Micro 16(3), 26–33 (1996)

  25. McIvor, C., McLoone, M., McCanny, J.: Modified Montgomery modular multiplication and RSA exponentiation techniques. IEE Proc. Comput. Digital Tech. 151(6), 402–408 (2004)

  26. Mentens, N., Sakiyama, K., Preneel, B., Verbauwhede, I.: Efficient pipelining for modular multiplication architectures in prime fields. In: Proceedings of the 17th ACM Great Lakes symposium on VLSI, GLSVLSI ’07, pp. 534–539, New York, NY, USA, ACM (2007)

  27. Montgomery, P.L.: Modular multiplication without trial division. Math. Comput. 44, 519–521 (1985)

  28. Nozaki, H., Motoyama, M., Shimbo, A., Kawamura, S.: Implementation of RSA algorithm based on RNS Montgomery multiplication. In: CHES, pp. 364–376 (2001)

  29. Oracle. JavaCard 3.0.1 Platform Specification. http://www.oracle.com/technetwork/java/javacard/overview/

  30. Orup, H.: Simplifying quotient determination in high-radix modular multiplication. In: IEEE Symposium on Computer Arithmetic’95, pp. 193–193 (1995)

  31. Rivain, M.: Securing RSA against fault analysis by double addition chain exponentiation. In: CT-RSA, pp. 459–480 (2009)

  32. Schindler, W.: A timing attack against RSA with the Chinese remainder theorem. In: CHES, pp. 109–124 (2000)

  33. Shamir, A.: Improved method and apparatus for protecting public key schemes from timing and fault attacks. Patent Application, 1998. WO 1998/052319 A1

  34. Skorobogatov, S.: Optical fault masking attacks. In: FDTC, pp. 23–29 (2010)

  35. Skorobogatov, S.P., Anderson, R.J.: Optical fault induction attacks. In: CHES, pp. 2–12 (2002)

  36. Stein, W., et al.: Sage Mathematics Software (Version 4.8). The Sage Development Team, 2012. http://www.sagemath.org

  37. Suzuki, D.: How to maximize the potential of FPGA resources for modular exponentiation. In: CHES, pp. 272–288 (2007)

  38. Tenca, A.F., Koç, Ç.K.: A scalable architecture for Montgomery multiplication. In: Proceedings of the First International Workshop on Cryptographic Hardware and Embedded Systems, CHES ’99, pp. 94–108, London, UK. Springer, Berlin (1999)

  39. The OpenSSL Project. OpenSSL: The open source toolkit for SSL/TLS. http://www.openssl.org/

  40. Vigilant, D.: RSA with CRT: a new cost-effective solution to thwart fault attacks. In: CHES, pp. 130–145 (2008)

  41. Walter, C.D.: Montgomery’s multiplication technique: How to make it smaller and faster. In: CHES, pp. 80–93 (1999)

  42. Yen, S.-M., Moon, S.-J., Ha, J.: Hardware fault attack on RSA with CRT revisited. In: ICISC, pp. 374–388 (2002)

Acknowledgments

The first author was partly supported under grant 12-15-1432-HiCi from King Abdul Aziz University.

Corresponding author

Correspondence to Mehdi Tibouchi.

Additional information

A short version of this work appeared as [18].

About this article

Cite this article

Fouque, P.-A., Guillermin, N., Leresteux, D. et al. Attacking RSA–CRT signatures with faults on Montgomery multiplication. J Cryptogr Eng 3, 59–72 (2013). https://doi.org/10.1007/s13389-013-0050-x

  • DOI: https://doi.org/10.1007/s13389-013-0050-x