
On the Use of RSA Public Exponent to Improve Implementation Efficiency and Side-Channel Resistance

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 8622)

Abstract

Since the end of the nineties, cryptographic developers must not only provide fast implementations but must also take Side-Channel Analysis and Fault Injection into account. Since then, many side-channel and fault countermeasures have been proposed to reach a double goal: provide a high level of security while having the smallest possible impact on performance and memory consumption. In the particular case of RSA, the knowledge of the public exponent has been used to propose the most efficient fault countermeasure in terms of security and performance. However, so far no study has been published which exploits this value to improve RSA efficiency and side-channel resistance.

In this paper, we fill this gap by proposing an original CRT-RSA implementation which makes use of the knowledge of the public exponent. In particular, we investigate an efficient method using only 4 private key parameters out of 5 and we also propose a free message blinding method to reinforce side-channel resistance.


Notes

  1.

    According to [23, Table 1], \(99.95\,\%\) of the RSA public keys which are used nowadays use one of the 15 following values as public exponent: \(3\), \(5\), \(7\), \(11\), \(13\), \(17\), \(19\), \(21\), \(23\), \(35\), \(41\), \(47\), \(2^{8}+1\), \(2^{16}-1\) and \(2^{16}+1\). In particular, more than \(95\,\%\) of the public exponents are equal to \(2^{16}+1\).

  2.

    To compute these figures, we assume that a modular exponentiation using \(d_p\), \(d_p-1\), \(d_q\) or \(d_q-1\) as exponent requires 1023 squares and 512 multiplications on average, i.e. 1585 modular operations.

References

  1. Amiel, F., Feix, B., Villegas, K.: Power analysis for secret recovering and reverse engineering of public key algorithms. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 110–125. Springer, Heidelberg (2007)

  2. Barbu, G., Battistello, A., Dabosville, G., Giraud, C., Renault, G., Renner, S., Zeitoun, R.: Combined attack on CRT-RSA. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 198–215. Springer, Heidelberg (2013)

  3. Battistello, A., Giraud, C.: Fault analysis of infective AES computations. In: Fischer, W., Schmidt, J.-M. (eds.) Fault Diagnosis and Tolerance in Cryptography - FDTC 2014, pp. 101–107. IEEE Computer Society (2014)

  4. Bauer, A., Jaulmes, E., Prouff, E., Wild, J.: Horizontal and vertical side-channel attacks against secure RSA implementations. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 1–17. Springer, Heidelberg (2013)

  5. Boneh, D., DeMillo, R., Lipton, R.: New Threat Model Breaks Crypto Codes. Bellcore Press Release, Morristown (1996)

  6. Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997)

  7. Boscher, A., Naciri, R., Prouff, E.: CRT RSA algorithm protected against fault attacks. In: Sauveron, D., Markantonakis, K., Bilas, A., Quisquater, J.-J. (eds.) WISTP 2007. LNCS, vol. 4462, pp. 229–243. Springer, Heidelberg (2007)

  8. Chevallier-Mames, B., Ciet, M., Joye, M.: Low-cost solutions for preventing simple side-channel analysis: side-channel atomicity. IEEE Trans. Comput. 53(6), 760–768 (2004)

  9. Clavier, C., Feix, B.: Updated recommendations for blinded exponentiation vs. single trace analysis. In: Prouff, E. (ed.) COSADE 2013. LNCS, vol. 7864, pp. 80–98. Springer, Heidelberg (2013)

  10. Clavier, C., Feix, B., Gagnerot, G., Giraud, C., Roussellet, M., Verneuil, V.: ROSETTA for single trace analysis. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 140–155. Springer, Heidelberg (2012)

  11. Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Horizontal correlation analysis on exponentiation. In: Soriano, M., Qing, S., López, J. (eds.) ICICS 2010. LNCS, vol. 6476, pp. 46–61. Springer, Heidelberg (2010)

  12. Coron, J.-S., Giraud, C., Morin, N., Piret, G., Vigilant, D.: Fault attacks and countermeasures on Vigilant's RSA-CRT algorithm. In: Breveglieri, L., Joye, M., Koren, I., Naccache, D., Verbauwhede, I. (eds.) Fault Diagnosis and Tolerance in Cryptography - FDTC 2010, pp. 89–96. IEEE Computer Society (2010)

  13. Couvreur, C., Quisquater, J.-J.: Fast decipherment algorithm for RSA public-key cryptosystem. Electron. Lett. 18(21), 905–907 (1982)

  14. EMV: Integrated Circuit Card Specifications for Payment Systems - Book 2 - Security and Key Management, June 2008

  15. Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: concrete results. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, p. 251. Springer, Heidelberg (2001)

  16. Garner, H.: The residue number system. IRE Trans. Electron. Comput. 8(6), 140–147 (1959)

  17. Giraud, C.: An RSA implementation resistant to fault attacks and to simple power analysis. IEEE Trans. Comput. 55(9), 1116–1120 (2006)

  18. Joye, M.: Protecting RSA against fault attacks: the embedding method. In: Breveglieri, L., Gueron, S., Koren, I., Naccache, D., Seifert, J.-P. (eds.) Fault Diagnosis and Tolerance in Cryptography - FDTC 2009, pp. 41–45. IEEE Computer Society (2009)

  19. Joye, M., Tunstall, M.: Fault Analysis in Cryptography. Information Security and Cryptography. Springer, Heidelberg (2012)

  20. Joye, M., Yen, S.-M.: The Montgomery powering ladder. In: Kaliski Jr, B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 291–302. Springer, Heidelberg (2003)

  21. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)

  22. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)

  23. Lenstra, A.K., Hughes, J.P., Augier, M., Bos, J.W., Kleinjung, T., Wachter, C.: Ron was wrong, Whit is right. Cryptology ePrint Archive, report 2012/064 (2012). http://eprint.iacr.org/

  24. Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks - Revealing the Secrets of Smartcards. Springer, New York (2007)

  25. Novak, R.: SPA-based adaptive chosen-ciphertext attack on RSA implementation. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 252–262. Springer, Heidelberg (2002)

  26. Oracle Corp.: Application Programming Interface, Java Card Platform, Version 3.0.4 Classic Edition (2011)

  27. PKCS #1: RSA Cryptography Specifications Version 2.1. RSA Laboratories (2003)

  28. Rivain, M.: Securing RSA against fault analysis by double addition chain exponentiation. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 459–480. Springer, Heidelberg (2009)

  29. Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)

  30. Shamir, A.: How to check modular exponentiation. In: Eurocrypt'97 rump session (1997)

  31. Walter, C.D.: Sliding windows succumbs to Big Mac attack. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 286–299. Springer, Heidelberg (2001)

  32. Yen, S.-M., Kim, S., Lim, S., Moon, S.-J.: RSA speedup with residue number system immune against hardware fault cryptanalysis. In: Kim, K. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 397–413. Springer, Heidelberg (2002)


Acknowledgments

The author would like to thank Guillaume Barbu, Alberto Battistello, Emmanuelle Dottax and Gilles Piret for their comments on the preliminary version of this paper.

Author information

Correspondence to Christophe Giraud.


A CRT-RSA Key Generation Algorithms


Algorithm 5 describes the standard CRT-RSA key generation and Algorithm 6 presents the specific CRT-RSA key generation for our new method. One can observe that the costly inverse computation \(q^{-1} \mathrm{{~mod~}}p\) is no longer necessary. Moreover, since the public exponent is always provided as input to the key generation, no extra computation is needed to obtain this value.

[Algorithm 5: standard CRT-RSA key generation; Algorithm 6: CRT-RSA key generation for the new method (figures not captured)]
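To make the standard 5-parameter baseline concrete (the key generation of Algorithm 5 from \(p\), \(q\) and \(e\), the Garner recombination that needs \(q^{-1} \bmod p\), the public-exponent fault check mentioned in the abstract, and the square-and-multiply cost model of Note 2), here is an added Python example. It is not the paper's code and does not implement the paper's 4-parameter method; the primes, the message and the simulated fault are constructed toy values.

```python
"""Added example (not the paper's code): standard CRT-RSA with all 5 private
parameters, the public-exponent check S^e == m mod N, and an operation
counter matching Note 2.  P and Q are constructed toy Mersenne primes."""
from math import gcd

E = 2**16 + 1                 # the public exponent used by >95% of keys (Note 1)
P, Q = 2**89 - 1, 2**61 - 1   # constructed toy primes, far too small for real use

def crt_keygen(p=P, q=Q, e=E):
    """Standard CRT-RSA key generation: the 5th parameter iq = q^-1 mod p
    is the costly inverse that the paper's Algorithm 6 no longer needs."""
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)
    return {"p": p, "q": q, "dp": d % (p - 1), "dq": d % (q - 1),
            "iq": pow(q, -1, p), "e": e}

def crt_sign(key, m, fault=None):
    """S = m^d mod N via CRT.  `fault`, if given, replaces S_q to simulate
    a transient fault in one half-exponentiation."""
    p, q = key["p"], key["q"]
    n = p * q
    sp = pow(m % p, key["dp"], p)
    sq = pow(m % q, key["dq"], q) if fault is None else fault
    # Garner recombination (this is where iq is consumed)
    s = (sq + q * (((sp - sq) * key["iq"]) % p)) % n
    # Public-exponent check: one short exponentiation rejects any faulty S
    # before it leaves the device (a faulty CRT signature must never be output).
    if pow(s, key["e"], n) != m % n:
        raise ValueError("fault detected: S^e != m mod N, signature withheld")
    return s

def fault_is_caught(key, m):
    """True when a corrupted S_q is rejected by the check instead of released."""
    good_sq = pow(m % key["q"], key["dq"], key["q"])
    try:
        crt_sign(key, m, fault=good_sq ^ 1)   # flip one bit of S_q
    except ValueError:
        return True
    return False

def modexp_counted(base, exp, mod):
    """Left-to-right square-and-multiply returning (result, squares, multiplies):
    a k-bit exponent costs k-1 squares and popcount-1 multiplies, i.e. about
    1023 squares and 512 multiplies on average for the 1024-bit d_p of Note 2."""
    if exp == 0:
        return 1 % mod, 0, 0
    result, squares, mults = base % mod, 0, 0
    for bit in bin(exp)[3:]:              # skip the leading 1 bit
        result, squares = result * result % mod, squares + 1
        if bit == "1":
            result, mults = result * base % mod, mults + 1
    return result, squares, mults
```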


Copyright information

© 2014 Springer International Publishing Switzerland


Cite this paper

Giraud, C. (2014). On the Use of RSA Public Exponent to Improve Implementation Efficiency and Side-Channel Resistance. In: Prouff, E. (eds) Constructive Side-Channel Analysis and Secure Design. COSADE 2014. Lecture Notes in Computer Science(), vol 8622. Springer, Cham. https://doi.org/10.1007/978-3-319-10175-0_5


  • DOI: https://doi.org/10.1007/978-3-319-10175-0_5


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-10174-3

  • Online ISBN: 978-3-319-10175-0
