Formal verification of a CRT-RSA implementation against fault attacks

Abstract

Cryptosystems are highly sensitive to physical attacks, which lead security developers to design more and more complex countermeasures. Nonetheless, no proof of flaw absence has been given for any implementation of these countermeasures. This paper aims to formally verify an implementation of one published countermeasure against fault injection attacks. More precisely, the formal verification concerns Vigilant’s CRT-RSA countermeasure which is designed to sufficiently protect CRT-RSA implementations against fault attacks. The goal is to formally verify whether any possible fault injection threatening the pseudo-code is detected by the countermeasure according to a predefined attack model.

Appendices

Appendix A: Vigilant’s CRT-RSA implementation code with fault simulation

Appendix B: Details concerning the success probabilities of fault attacks

Here, we would like to give more details about the computation of the probabilities presented in Sect. 5. Noting \(|x|\) the size of \(x\).

Assume that the attacker modifies value \(A\) (\(A = B \mod C\)) and that C is a uniform, \(t\)-bit integer. We suppose that C is odd (r is odd according to the recommendations in Sect. 5, as well as p and q) and we force \(2^{t-1} < C < 2^t \). Note \(S= \{C : 2^{t-1} < C < 2^t~ and~ C = 1 \mod 2\} \).

We note U as the event that the fault is undetected and F the event of taking an element c in \(S\) s.t. \(c = C\). So, Pr\([U|F]\) is the probability that an event is undetected assuming F. Since the final result will depend only on the initial values which are uniformly distributed (the only exception may be the message \(m\). To avoid this case, we can assume that the message used is the message obtained after a padding, like OAEP. So the resulted \(m\) will also be uniformly distributed), we know that:

$$\begin{aligned} \text{ Pr}[U|F] = \frac{1}{C}\quad \text{ and}\quad \text{ Pr}[F] = \frac{1}{|S|} \end{aligned}$$

and then

$$\begin{aligned} Pr[U] =\sum _{C \in S}(\text{ Pr}[U|F] \cdot \text{ Pr}[F]) = \frac{1}{|S|} \sum _{C \in S}\frac{1}{C} \end{aligned}$$

Let \(\overline{S}=\{C : 2^{t-1} < C < 2^{t}\; \text{ and}\; C = 0 \mod 2\} \), the

$$\begin{aligned} \sum _{C \in S \cup \overline{S}}\frac{1}{C} = [\ln C]_{2^{t-1}} ^{2^t} =\ln (2^t)-\ln (2^{t-1}) =\ln 2 \end{aligned}$$

We consider approximately that \(|S| = | \overline{S}|\). Then:

$$\begin{aligned} \text{ Pr}[U]&= \frac{1}{|S|}\sum _{C \in S} \frac{1}{C} \approx \frac{1}{|S|} \times \frac{1}{2}\sum _{C \in S \cup \overline{S}} \frac{1}{C}\\&= \frac{1}{|S|} \times \frac{\ln 2}{2} = \frac{1}{2^{t-2}} \times \frac{\ln 2}{2} = 2^{-(t-1)}\ln 2 \end{aligned}$$

This is the obtained probability for the faults: 22, 28 and 32 with \(t = |p^{\prime }|\), 63, 69 and 73 with \(t = |q^{\prime }|\).

Supposing now, that the attacker modifies a value \(A\) (\(A = B \mod C^2\)). Following the same reasoning, we conclude that :

$$\begin{aligned} Pr[U] \approx 2^{-2t+1} \end{aligned}$$

This is the obtained probability for the faults: 6, 8, 13, 27, 29, 33, 34, 41, 44, 46, 51, 68, 70, 74, 75, 79, 82, 87, 88 and 91 with \(t = |r|\).