DOI: 10.1145/948109.948151

A new CRT-RSA algorithm secure against Bellcore attacks

Published: 27 October 2003

ABSTRACT

In this paper we describe a new algorithm to prevent fault attacks on RSA signature algorithms that use the Chinese Remainder Theorem (CRT-RSA). This variant of the RSA signature algorithm is widely used on smartcards. Smartcards, however, are particularly susceptible to fault attacks such as the one described in [7]. Recent results have shown that fault attacks are practical and easy to carry out ([21], [17]); they therefore establish a practical need for fault-attack-protected CRT-RSA schemes. Starting from a careful derivation and classification of fault models, we describe a new variant of the CRT-RSA algorithm. For the most realistic fault model described, we rigorously analyze the success probability of an adversary against our new CRT-RSA algorithm, thereby proving that the new algorithm is secure against the Bellcore attack.
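
The abstract refers to the fault attack of [7] without restating it. The following is an added example, not code from the paper (whose own countermeasure is not reproduced on this page): a CRT-RSA signer with Garner recombination, the Bellcore factoring step applied to a signature whose mod-p half was faulted, and the naive verify-before-output check that [22] argues is not enough on its own. The key (p = 10007, q = 10009), the message value and the single-bit fault model are constructed for illustration only.

```python
"""Added example, not from the paper: CRT-RSA signing, the Bellcore fault
attack on it (Boneh, DeMillo and Lipton [7]), and the naive verify-before-
output check. Key, message and fault model are constructed for illustration;
the primes are far too small for real use."""
from math import gcd

# Constructed toy key (NOT secure): small primes keep the numbers readable.
P, Q = 10007, 10009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (Python >= 3.8)
D_P, D_Q = D % (P - 1), D % (Q - 1)      # CRT exponents d mod (p-1), d mod (q-1)
Q_INV = pow(Q, -1, P)                    # Garner coefficient q^-1 mod p


def crt_sign(m, fault_in_p=None):
    """CRT-RSA signature with Garner recombination.

    fault_in_p, if given, is a function applied to the mod-p half s_p; it
    models a transient fault hitting that half of the computation.
    """
    s_p = pow(m, D_P, P)
    s_q = pow(m, D_Q, Q)
    if fault_in_p is not None:
        s_p = fault_in_p(s_p)            # the induced fault
    h = (Q_INV * (s_p - s_q)) % P
    return s_q + Q * h                   # == m^d mod N when no fault occurred


def verify(m, s):
    """Public-key verification: s^e == m (mod N)."""
    return pow(s, E, N) == m


def bellcore_two_signatures(s_good, s_bad):
    """Bellcore attack [7]: a correct and a faulty signature of the same
    message agree mod q but differ mod p, so gcd(s - s', N) reveals q."""
    return gcd(s_good - s_bad, N)


def bellcore_one_signature(m, s_bad):
    """Variant needing only the faulty signature and the public key:
    s'^e - m is 0 mod q but not mod p, so the gcd again reveals q."""
    return gcd(pow(s_bad, E, N) - m, N)


def sign_with_check(m, fault_in_p=None):
    """Naive countermeasure: verify with the public key before output and
    suppress the signature if it does not check. Enough against a single
    fault in the exponentiation, but the comparison itself becomes a new
    fault target, which is the point made in [22]."""
    s = crt_sign(m, fault_in_p)
    return s if verify(m, s) else None


if __name__ == "__main__":
    m = 0x2C0FFEE                        # constructed "message hash" < N
    s = crt_sign(m)
    s_bad = crt_sign(m, fault_in_p=lambda x: x ^ 1)   # one bit flipped in s_p
    print("genuine verifies:", verify(m, s))
    print("faulty verifies: ", verify(m, s_bad))
    q1 = bellcore_two_signatures(s, s_bad)
    q2 = bellcore_one_signature(m, s_bad)
    print("factor from (s, s'):", q1, "-> p =", N // q1)
    print("factor from s' alone:", q2, "-> p =", N // q2)
    print("checked signer output under fault:", sign_with_check(m, lambda x: x ^ 1))
```

Any fault that changes s_p modulo p, not just a bit flip, yields the factorization, because x -> x^e is a bijection modulo p, so a wrong s_p can never verify modulo p while the untouched half still verifies modulo q. The verify-before-output check blocks this one-fault attacker, but it is a single comparison that a second fault can skip, which is why the paper analyzes adversary success probability under an explicit fault model rather than relying on such a check.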

References

  1. R. Anderson and M. Kuhn. Tamper resistance --- a cautionary note. In Proceedings of the Second USENIX Workshop on Electronic Commerce, pages 1--11, Oakland, California, November 18--21, 1996. USENIX Association.
  2. C. Aumüller, P. Bier, W. Fischer, P. Hofreiter, and J.-P. Seifert. Fault attacks on RSA with CRT: Concrete results and practical countermeasures. In Workshop on Cryptographic Hardware and Embedded Systems 2002 (CHES 2002), Redwood City, USA, August 13--15, 2002.
  3. F. Bao, R. H. Deng, Y. Han, A. Jeng, A. D. Narasimhalu, and T. Ngair. Breaking public key cryptosystems on tamper resistant devices in the presence of transient faults. In B. Christianson, B. Crispo, M. Lomas, and M. Roe, editors, Security Protocols, volume 1362 of Lecture Notes in Computer Science, pages 115--124. Springer-Verlag, 1998.
  4. M. Bellare and P. Rogaway. Optimal asymmetric encryption. In Advances in Cryptology --- EUROCRYPT '94 (Perugia), Lecture Notes in Computer Science, pages 92--111. Springer, Berlin, 1995.
  5. J. Blömer and A. May. Personal communication, 2002.
  6. J. Blömer and J.-P. Seifert. Fault based cryptanalysis of the Advanced Encryption Standard (AES). In Seventh International Financial Cryptography Conference (FC 2003), Gosier, Guadeloupe, January 27--30, 2003.
  7. D. Boneh, R. A. DeMillo, and R. J. Lipton. On the importance of checking cryptographic protocols for faults. In W. Fumy, editor, Advances in Cryptology --- EUROCRYPT '97, volume 1233 of Lecture Notes in Computer Science, pages 37--51. Springer-Verlag, 1997.
  8. D. Boneh, R. A. DeMillo, and R. J. Lipton. On the importance of eliminating errors in cryptographic computations. Journal of Cryptology, 14(2):101--119, 2001.
  9. C. Clavier, J.-S. Coron, and N. Dabbous. Differential power analysis in the presence of hardware countermeasures. In Cryptographic Hardware and Embedded Systems --- CHES 2000, Worcester, MA, USA, volume 1965 of Lecture Notes in Computer Science, pages 252--263. Springer-Verlag, 2000.
  10. J.-S. Coron. Resistance against differential power analysis for elliptic curve cryptosystems. In Cryptographic Hardware and Embedded Systems --- CHES '99, volume 1717 of Lecture Notes in Computer Science, page 292 ff. Springer-Verlag, 1999.
  11. J.-S. Coron, P. Kocher, and D. Naccache. Statistics and secret leakage. In Financial Cryptography, volume 1962 of Lecture Notes in Computer Science, page 157 ff. Springer-Verlag, 2000.
  12. C. Couvreur and J.-J. Quisquater. Fast decipherment algorithm for RSA public-key cryptosystem. Electronics Letters, 18(21):905--907, 1982.
  13. G. H. Hardy and J. E. Littlewood. Some problems of 'Partitio Numerorum' III: On the expression of a number as a sum of primes. Acta Mathematica, volume 44, pages 1--70, 1922.
  14. M. Joye, J.-J. Quisquater, S.-M. Yen, and M. Yung. Observability analysis: Detecting when improved cryptosystems fail. In B. Preneel, editor, Topics in Cryptology --- CT-RSA 2002, volume 2271 of Lecture Notes in Computer Science, pages 17--29, San Jose, CA, USA, February 18--22, 2002. Springer-Verlag.
  15. B. Kaliski, Jr. and M. Robshaw. Comments on some new attacks on cryptographic devices. Bulletin 5, RSA Laboratories, July 1997.
  16. I. Peterson. Chinks in digital armor --- exploiting faults to break smart-card cryptosystems. Science News, 151(5):78--79, 1997.
  17. J.-J. Quisquater and D. Samyde. Eddy current for magnetic analysis with active sensor. In Proceedings of Esmart 2002, 3rd edition, Nice, France, September 2002.
  18. W. Rankl and W. Effing. Smart Card Handbook. John Wiley & Sons, 2nd edition, 2000.
  19. The SETI@home project. Current total statistics, June 28, 2002. http://setiathome.ssl.berkeley.edu/totals.html.
  20. A. Shamir. Method and apparatus for protecting public key schemes from timing and fault attacks. US Patent No. 5,991,415, November 23, 1999.
  21. S. Skorobogatov and R. Anderson. Optical fault induction attacks. In Workshop on Cryptographic Hardware and Embedded Systems 2002 (CHES 2002), Redwood City, USA, August 13--15, 2002.
  22. S.-M. Yen and M. Joye. Checking before output may not be enough against fault-based cryptanalysis. IEEE Transactions on Computers, 49(9):967--970, September 2000.
  23. S.-M. Yen, S. Kim, S. Lim, and S. Moon. A countermeasure against one physical cryptanalysis may benefit another attack. In K. Kim, editor, Information Security and Cryptology --- ICISC 2001, volume 2288 of Lecture Notes in Computer Science, page 414 ff., 4th International Conference, Seoul, Korea, December 6--7, 2001. Springer-Verlag.
  24. S.-M. Yen, S. Kim, S. Lim, and S. Moon. RSA speedup with residue number system immune against hardware fault cryptanalysis. In K. Kim, editor, Information Security and Cryptology --- ICISC 2001, volume 2288 of Lecture Notes in Computer Science, page 397 ff., 4th International Conference, Seoul, Korea, December 6--7, 2001. Springer-Verlag. (Journal version in IEEE Transactions on Computers, April 2003.)

Published in

CCS '03: Proceedings of the 10th ACM Conference on Computer and Communications Security, October 2003, 374 pages. ISBN 1581137389. DOI: 10.1145/948109.

Copyright © 2003 ACM.

Publisher: Association for Computing Machinery, New York, NY, United States.
