A New CRT-RSA Algorithm Secure Against Bellcore Attacks

ABSTRACT
In this paper we describe a new algorithm to prevent fault attacks on RSA signature algorithms using the Chinese Remainder Theorem (CRT-RSA). This variant of the RSA signature algorithm is widely used on smartcards. Smartcards, on the other hand, are particularly susceptible to fault attacks like the one described in [7]. Recent results have shown that fault attacks are practical and easy to accomplish ([21], [17]). Therefore, they establish a practical need for fault-attack-protected CRT-RSA schemes. Starting from a careful derivation and classification of fault models, we describe a new variant of the CRT-RSA algorithm. For the most realistic fault model described, we rigorously analyze the success probability of an adversary against our new CRT-RSA algorithm. Thereby, we prove that our new algorithm is secure against the Bellcore attack.
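To make concrete why CRT-RSA needs fault protection, the following added example (not code from the paper) simulates a transient fault in one half of a Garner-style CRT signature on toy parameters, shows that a verification check rejects the faulty signature, and shows the relation from [7] by which an unchecked faulty signature would leak a prime factor. The parameters P, Q, E and the fault model (a single corrupted mod-p half) are constructed here for illustration.

```python
from math import gcd

# Constructed toy RSA parameters; far too small to be secure, chosen so the
# arithmetic can be followed by hand.
P, Q = 61, 53
N = P * Q
E = 17
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # private exponent, needs Python >= 3.8


def crt_sign(m, p=P, q=Q, d=D, fault_in_p=False):
    """CRT-RSA signature with Garner recombination.

    fault_in_p=True simulates a transient fault that corrupts only the
    mod-p half-exponentiation, the scenario analysed in [7].
    """
    dp, dq = d % (p - 1), d % (q - 1)
    sp = pow(m, dp, p)
    sq = pow(m, dq, q)
    if fault_in_p:
        sp = (sp + 1) % p    # constructed fault: any change to sp suffices
    qinv = pow(q, -1, p)
    h = (qinv * (sp - sq)) % p
    return sq + q * h        # unique s mod N with s = sp mod p, s = sq mod q


def verify(m, s, e=E, n=N):
    """Output check: a fault-free signature must satisfy s^e = m (mod N)."""
    return pow(s, e, n) == m % n


def leaked_factor(m, s_faulty, e=E, n=N):
    """Why the check matters: a signature that is correct mod q but wrong
    mod p satisfies s'^e = m (mod q) only, so gcd(s'^e - m, N) = q.
    Returns the recovered factor, or None if nothing leaks."""
    g = gcd((pow(s_faulty, e, n) - m) % n, n)
    return g if 1 < g < n else None
```

A single corrupted half is the case a verify-before-output check catches; [24] argues that such a check alone is not sufficient under stronger fault models, which is the motivation for the algorithm this paper proposes.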
REFERENCES
- [1] R. Anderson and M. Kuhn. Tamper resistance: a cautionary note. In Proceedings of the Second USENIX Workshop on Electronic Commerce, pages 1--11, Oakland, California, November 18--21, 1996. USENIX Association.
- [2] C. Aumüller, P. Bier, W. Fischer, P. Hofreiter, and J.-P. Seifert. Fault attacks on RSA with CRT: Concrete results and practical countermeasures. In Workshop on Cryptographic Hardware and Embedded Systems 2002 (CHES 2002), Redwood City, USA, August 13--15, 2002.
- [3] F. Bao, R. H. Deng, Y. Han, A. Jeng, A. D. Narasimhalu, and T. Ngair. Breaking public key cryptosystems on tamper resistant devices in the presence of transient faults. In B. Christianson, B. Crispo, M. Lomas, and M. Roe, editors, Security Protocols, volume 1362 of Lecture Notes in Computer Science, pages 115--124. Springer-Verlag, 1998.
- [4] M. Bellare and P. Rogaway. Optimal asymmetric encryption. In Advances in Cryptology: EUROCRYPT '94 (Perugia), Lecture Notes in Computer Science, pages 92--111. Springer, Berlin, 1995.
- [5] J. Blömer and A. May. Personal communication, 2002.
- [6] J. Blömer and J.-P. Seifert. Fault based cryptanalysis of the Advanced Encryption Standard (AES). In Seventh International Financial Cryptography Conference (FC 2003), Gosier, Guadeloupe, January 27--30, 2003.
- [7] D. Boneh, R. A. DeMillo, and R. J. Lipton. On the importance of checking cryptographic protocols for faults. In W. Fumy, editor, Advances in Cryptology: EUROCRYPT '97, volume 1233 of Lecture Notes in Computer Science, pages 37--51. Springer-Verlag, 1997.
- [8] D. Boneh, R. A. DeMillo, and R. J. Lipton. On the importance of eliminating errors in cryptographic computations. Journal of Cryptology, 14(2):101--119, 2001.
- [9] C. Clavier, J.-S. Coron, and N. Dabbous. Differential power analysis in the presence of hardware countermeasures. In Cryptographic Hardware and Embedded Systems: Proceedings of CHES 2000, Worcester, MA, USA, volume 1965 of Lecture Notes in Computer Science, pages 252--263. Springer-Verlag, 2000.
- [10] J.-S. Coron. Resistance against differential power analysis for elliptic curve cryptosystems. In Proceedings of Cryptographic Hardware and Embedded Systems (CHES '99), volume 1717 of Lecture Notes in Computer Science, page 292 ff. Springer-Verlag, 1999.
- [11] J.-S. Coron, P. Kocher, and D. Naccache. Statistics and secret leakage. In Proceedings of Financial Cryptography, volume 1962 of Lecture Notes in Computer Science, page 157 ff. Springer-Verlag, 2000.
- [12] C. Couvreur and J.-J. Quisquater. Fast decipherment algorithm for RSA public-key cryptosystem. Electronics Letters, 18(21):905--907, 1982.
- [13] G. H. Hardy and J. E. Littlewood. Some problems of 'Partitio Numerorum' III: On the expression of a number as a sum of primes. Acta Mathematica, 44:1--70, 1922.
- [14] M. Joye, J.-J. Quisquater, S.-M. Yen, and M. Yung. Observability analysis: Detecting when improved cryptosystems fail. In B. Preneel, editor, Topics in Cryptology: CT-RSA 2002, volume 2271 of Lecture Notes in Computer Science, pages 17--29, San Jose, CA, USA, February 18--22, 2002. Springer-Verlag.
- [15] B. Kaliski, Jr. and M. Robshaw. Comments on some new attacks on cryptographic devices. Bulletin 5, RSA Laboratories, July 1997.
- [16] I. Peterson. Chinks in digital armor: exploiting faults to break smart-card cryptosystems. Science News, 151(5):78--79, 1997.
- [17] J.-J. Quisquater and D. Samyde. Eddy current for magnetic analysis with active sensor. In Proceedings of Esmart 2002, 3rd edition, Nice, France, September 2002.
- [18] W. Rankl and W. Effing. Smart Card Handbook. John Wiley & Sons, 2nd edition, 2000.
- [19] The SETI@home project. Current total statistics, June 28th, 2002. http://setiathome.ssl.berkeley.edu/totals.html.
- [20] A. Shamir. Method and apparatus for protecting public key schemes from timing and fault attacks. US Patent No. 5,991,415, November 23, 1999.
- [21] S. Skorobogatov and R. Anderson. Optical fault induction attacks. In Workshop on Cryptographic Hardware and Embedded Systems 2002 (CHES 2002), Redwood City, USA, August 13--15, 2002.
- [22] S.-M. Yen and M. Joye. Checking before output may not be enough against fault-based cryptanalysis. IEEE Transactions on Computers, 49(9):967--970, September 2000.
- [23] S.-M. Yen, S. Kim, S. Lim, and S. Moon. A countermeasure against one physical cryptanalysis may benefit another attack. In K. Kim, editor, Information Security and Cryptology: ICISC 2001, 4th International Conference, Seoul, Korea, December 6--7, 2001, volume 2288 of Lecture Notes in Computer Science, page 414 ff. Springer-Verlag, 2001.
- [24] S.-M. Yen, S. Kim, S. Lim, and S. Moon. RSA speedup with residue number system immune against hardware fault cryptanalysis. In K. Kim, editor, Information Security and Cryptology: ICISC 2001, 4th International Conference, Seoul, Korea, December 6--7, 2001, volume 2288 of Lecture Notes in Computer Science, page 397 ff. Springer-Verlag, 2001. (Journal version in IEEE Transactions on Computers, April 2003.)