Abstract
In this paper, we present several efficient fault attacks against implementations of RSA–CRT signatures that use modular exponentiation algorithms based on Montgomery multiplication. They apply to any padding function, including randomized paddings, and as such are the first fault attacks effective against RSA–PSS. The new attacks are based on the assumption that a small register can be forced to either zero, or a constant value, or a value with zero high-order bits. We show that these models are quite realistic, as such faults can be achieved against many proposed hardware designs for RSA signatures.
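The first of the three fault models in the abstract (a register forced to zero) can be demonstrated end to end without any lattice machinery: a zeroed Montgomery product inside the mod-p half of an RSA–CRT exponentiation propagates to s_p = 0, the Garner recombination then yields a signature divisible by p, and gcd(s', N) factors the modulus. The following is an added example written for this page, not the authors' code: it uses constructed toy Mersenne primes (2^61-1 and 2^89-1, chosen so primality is certain), a simplified one-shot Montgomery reduction rather than a word-serial hardware multiplier, and a salted hash as a stand-in for a randomized padding (it is not real PSS); the names `mont_exp`, `crt_sign`, `recover_factor` and the `fault_at` step counter are this example's own. The point it shows is the one the abstract makes: the attacker needs only N and the faulty signature, never the padded value, so randomizing the padding does not help.

```python
"""Null-fault attack on RSA-CRT signing over Montgomery multiplication.

Added example with constructed toy parameters; not the paper's code.
Real keys are 1024+ bits, but the arithmetic below is bignum and size-agnostic.
"""
from math import gcd
import hashlib
import os

P = 2**61 - 1                      # constructed toy prime (Mersenne prime)
Q = 2**89 - 1                      # constructed toy prime (Mersenne prime)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # gcd(E, phi) = 1 for these primes
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)               # q^{-1} mod p, used by Garner recombination


def mont_exp(base, exp, m, fault_at=None):
    """base^exp mod m by left-to-right square-and-multiply over Montgomery
    products.  If fault_at == i, the output register of the i-th Montgomery
    multiplication is forced to zero (the 'null fault' model)."""
    k = m.bit_length()
    R = 1 << k                     # Montgomery radix: R > m and gcd(R, m) = 1
    m_neg_inv = (-pow(m, -1, R)) % R
    count = 0

    def montmul(a, b):
        # Inputs a, b < m; returns a*b*R^{-1} mod m.
        nonlocal count
        t = a * b
        u = (t * m_neg_inv) % R    # chosen so that t + u*m is divisible by R
        s = (t + u * m) >> k       # exact division by R, result in [0, 2m)
        if s >= m:
            s -= m
        count += 1
        return 0 if count == fault_at else s   # simulated fault on the result register

    x = montmul(base % m, (R * R) % m)   # convert base into Montgomery form (base*R mod m)
    acc = R % m                          # Montgomery form of 1
    for bit in bin(exp)[2:]:
        acc = montmul(acc, acc)
        if bit == "1":
            acc = montmul(acc, x)
    return montmul(acc, 1)               # leave Montgomery form


def crt_sign(padded, fault_at=None):
    """RSA-CRT signature; an optional null fault hits the mod-p half only."""
    sp = mont_exp(padded % P, DP, P, fault_at)
    sq = mont_exp(padded % Q, DQ, Q)
    h = ((sp - sq) * QINV) % P           # Garner recombination
    return sq + Q * h


def pss_like_encode(message):
    """Stand-in for a randomized padding (NOT real PSS): a fresh salt per call,
    so the attacker never learns the padded value that was actually signed."""
    salt = os.urandom(16)
    return int.from_bytes(hashlib.sha256(salt + message).digest(), "big") % N


def verify(sig, padded):
    return pow(sig, E, N) == padded


def recover_factor(faulty_sig):
    """Once any Montgomery product in the mod-p exponentiation is zeroed, every
    later product is 0*y = 0, so s_p = 0 and the recombined signature is
    congruent to 0 mod p.  gcd(s', N) then returns p; the padded message is
    never needed."""
    return gcd(faulty_sig, N)


if __name__ == "__main__":
    m = pss_like_encode(b"transfer 100")
    assert verify(crt_sign(m), m)
    faulty = crt_sign(pss_like_encode(b"transfer 100"), fault_at=7)
    print("recovered p:", recover_factor(faulty), recover_factor(faulty) == P)
```

The fault position does not matter for the zero model: a zeroed register at step 1 (the conversion into Montgomery form) or at any later square or multiply gives the same outcome, which is why a coarse, untimed glitch suffices. The other two models in the abstract (register forced to a constant, or to a value with zero high-order bits) leave s_p nonzero but structured, and recovering p from such signatures is where the approximate-common-divisor lattice techniques cited below come in; that part is not shown here.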
Notes
Meaning that all the PEs (processing elements of the multiplier array) are the same.
References
Aciiçmez, O., Schindler, W., Koç, Ç.K.: Improving Brumley and Boneh timing attack on unprotected SSL implementations. In: ACM Conference on Computer and Communications Security, pp. 139–146 (2005)
Aumüller, C., Bier, P., Fischer, W., Hofreiter, P., Seifert, J.-P.: Fault attacks on RSA with CRT: concrete results and practical countermeasures. In: CHES, pp. 260–275 (2002)
Bellare, M., Rogaway, P.: PSS: provably secure encoding method for digital signatures. Submission to IEEE P1363 (1998)
Bellare, M., Rogaway, P.: Probabilistic signature scheme. Patent, 2001. US 6266771
Blömer, J., Otto, M., Seifert, J.-P.: A new CRT-RSA algorithm secure against Bellcore attacks. In: ACM Conference on Computer and Communications Security, pp. 311–320 (2003)
Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults. In: EUROCRYPT, pp. 37–51 (1997)
Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of eliminating errors in cryptographic computations. J. Cryptol. 14(2), 101–119 (2001)
Brier, E., Naccache, D., Nguyen, P.Q., Tibouchi, M.: Modulus fault attacks against RSA-CRT signatures. In: CHES, pp. 192–206 (2011)
Brumley, D., Boneh, D.: Remote timing attacks are practical. Comput. Netw. 48(5), 701–716 (2005)
Chen, Y., Nguyen, P.Q.: Faster algorithms for approximate common divisors. In: EUROCRYPT, pp. 502–519 (2012)
Chow, G.C.T., Eguro, K., Luk, W., Leong, P.: A Karatsuba-based Montgomery multiplier. In: FPL’10, pp. 434–437 (2010)
Ciet, M., Joye, M.: Practical fault countermeasures for Chinese remaindering based cryptosystems. In: Breveglieri, L., Koren, I. (eds.) FDTC, pp. 124–131 (2005)
Cohn, H., Heninger, N.: Approximate common divisors via lattices. Cryptology ePrint Archive, Report 2011/437, 2011. http://eprint.iacr.org/. Presented at ANTS-X
Coron, J.-S., Giraud, C., Morin, N., Piret, G., Vigilant, D.: Fault attacks and countermeasures on Vigilant’s RSA-CRT algorithm. In: FDTC, pp. 89–96 (2010)
Coron, J.-S., Joux, A., Kizhvatov, I., Naccache, D., Paillier, P.: Fault attacks on RSA signatures with partially unknown messages. In: CHES, pp. 444–456 (2009)
Coron, J.-S., Mandal, A.: PSS is secure against random fault attacks. In: ASIACRYPT, pp. 653–666 (2009)
Coron, J.-S., Naccache, D., Tibouchi, M.: Fault attacks against EMV signatures. In: CT-RSA, pp. 208–220 (2010)
Fouque, P.-A., Guillermin, N., Leresteux, D., Tibouchi, M., Zapalowicz, J.-C.: Attacking RSA-CRT signatures with faults on Montgomery multiplication. In: CHES, pp. 447–462 (2012)
Garner, H.L.: The residue number system. In: IRE-AIEE-ACM ’59 (Western), pp. 146–153. ACM (1959)
Giraud, C.: An RSA implementation resistant to fault attacks and to simple power analysis. IEEE Trans. Comput. 55(9), 1116–1120 (2006)
Howgrave-Graham, N.: Approximate integer common divisors. In: CaLC, pp. 51–66 (2001)
Huang, M., Gaj, K., Kwon, S., El-Ghazawi, T.A.: An optimized hardware architecture for the Montgomery multiplication algorithm. In: Public Key Cryptography, pp. 214–228 (2008)
Kaliski, B.S.: Raising the standard for RSA signatures: RSA-PSS. CryptoBytes Technical Newsletter, February 2003. http://www.rsa.com/rsalabs/node.asp?id=2005
Koç, Ç.K., Acar, T.: Analyzing and comparing Montgomery multiplication algorithms. IEEE Micro 16(3), 26–33 (1996)
McIvor, C., McLoone, M., McCanny, J.: Modified Montgomery modular multiplication and RSA exponentiation techniques. IEE Proc. Comput. Digital Tech. 151(6), 402–408 (2004)
Mentens, N., Sakiyama, K., Preneel, B., Verbauwhede, I.: Efficient pipelining for modular multiplication architectures in prime fields. In: Proceedings of the 17th ACM Great Lakes symposium on VLSI, GLSVLSI ’07, pp. 534–539, New York, NY, USA, ACM (2007)
Montgomery, P.L.: Modular multiplication without trial division. Math. Comput. 44, 519–521 (1985)
Nozaki, H., Motoyama, M., Shimbo, A., Kawamura, S.: Implementation of RSA algorithm based on RNS Montgomery multiplication. In: CHES, pp. 364–376 (2001)
Oracle. JavaCard 3.0.1 Platform Specification. http://www.oracle.com/technetwork/java/javacard/overview/
Orup, H.: Simplifying quotient determination in high-radix modular multiplication. In: IEEE Symposium on Computer Arithmetic’95, pp. 193–193 (1995)
Rivain, M.: Securing RSA against fault analysis by double addition chain exponentiation. In: CT-RSA, pp. 459–480 (2009)
Schindler, W.: A timing attack against RSA with the Chinese remainder theorem. In: CHES, pp. 109–124 (2000)
Shamir, A.: Improved method and apparatus for protecting public key schemes from timing and fault attacks. Patent Application, 1998. WO 1998/052319 A1
Skorobogatov, S.: Optical fault masking attacks. In: FDTC, pp. 23–29 (2010)
Skorobogatov, S.P., Anderson, R.J.: Optical fault induction attacks. In: CHES, pp. 2–12 (2002)
Stein, W., et al.: Sage Mathematics Software (Version 4.8). The Sage Development Team, 2012. http://www.sagemath.org
Suzuki, D.: How to maximize the potential of FPGA resources for modular exponentiation. In: CHES, pp. 272–288 (2007)
Tenca, A.F., Koç, Ç.K.: A scalable architecture for Montgomery multiplication. In: Proceedings of the First International Workshop on Cryptographic Hardware and Embedded Systems, CHES ’99, pp. 94–108, London, UK. Springer, Berlin (1999)
The OpenSSL Project. OpenSSL: The open source toolkit for SSL/TLS. http://www.openssl.org/
Vigilant, D.: RSA with CRT: a new cost-effective solution to thwart fault attacks. In: CHES, pp. 130–145 (2008)
Walter, C.D.: Montgomery’s multiplication technique: How to make it smaller and faster. In: CHES, pp. 80–93 (1999)
Yen, S.-M., Moon, S.-J., Ha, J.: Hardware fault attack on RSA with CRT revisited. In: ICISC, pp. 374–388 (2002)
Acknowledgments
The first author was partly supported under grant 12-15-1432-HiCi from King Abdul Aziz University.
Additional information
A short version of this work appeared as [18].
Cite this article
Fouque, P.-A., Guillermin, N., Leresteux, D. et al.: Attacking RSA–CRT signatures with faults on Montgomery multiplication. J. Cryptogr. Eng. 3, 59–72 (2013). https://doi.org/10.1007/s13389-013-0050-x