Hardware Fault Attackon RSA with CRT Revisited

In this paper, some powerful fault attacks will be pointed out which can be used to factorize the RSA modulus if CRT is employed to speedup the RSA computation. These attacks are generic and can be applicable to Shamir's countermeasure and also applicable to a recently published enhanced countermeasure (trying to improve Shamir's method) for RSA with CRT. These two countermeasures share some similar structure in their designs and both suffer from some of the proposed attacks. The first kind of attack proposed in this paper is to induce a fault (which can be either a computational fault or any fault when data being accessed) into an important modulo reduction operation of the above two countermeasures. Note that this hardware fault attack can neither be detected by Shamir's countermeasure nor by the recently announced enhancement. The second kind of attack proposed in this paper considers permanent fault on some stored parameters in the above two countermeasures. The result shows that some permanent faults cannot be detected. Hence, the CRT-based factorization attack still works. The proposed CRT-based fault attacks once again reveals the importance of developing a sound countermeasure against RSA with CRT.

[1]  Markus G. Kuhn,et al.  Low Cost Attacks on Tamper Resistant Devices , 1997, Security Protocols Workshop.

[2]  Peter J. Smith,et al.  LUC: A New Public Key System , 1993, SEC.

[3]  J. Quisquater,et al.  Fast decipherment algorithm for RSA public-key cryptosystem , 1982 .

[4]  Ivars Peterson,et al.  Chinks in digital armor: Exploiting faults to break smart‐card cryptosystems , 1997 .

[5]  Richard J. Lipton,et al.  On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract) , 1997, EUROCRYPT.

[6]  Seungjoo Kim,et al.  RSA Speedup with Residue Number System Immune against Hardware Fault Cryptanalysis , 2001, ICISC.

[7]  Robert H. Deng,et al.  RSA-type Signatures in the Presence of Transient Faults , 1997, IMACC.

[8]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[9]  Marc Joye,et al.  Secure Evaluation of Modular Functions , 1998 .

[10]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[11]  Wieland Fischer,et al.  Fault Attacks on RSA with CRT: Concrete Results and Practical Countermeasures , 2002, CHES.

[12]  Yuliang Zheng,et al.  Breaking real-world implementations of cryptosys-tems by manipulating their random number generation , 1997 .

[13]  Marc Joye,et al.  Chinese Remaindering Based Cryptosystems in the Presence of Faults , 1999, Journal of Cryptology.

[14]  Taher ElGamal,et al.  A public key cyryptosystem and signature scheme based on discrete logarithms , 1985 .

[15]  Markus G. Kuhn,et al.  Tamper resistance: a cautionary note , 1996 .

[16]  Eli Biham,et al.  Differential Fault Analysis of Secret Key Cryptosystems , 1997, CRYPTO.

[17]  David Paul Maher Fault Induction Attacks, Tamper Resistance, and Hostile Reverse Engineering in Perspective , 1997, Financial Cryptography.

[18]  Arjen K. Lenstra Memo on RSA signature generation in the presence of faults , 1996 .

[19]  Marc Joye,et al.  Checking Before Output May Not Be Enough Against Fault-Based Cryptanalysis , 2000, IEEE Trans. Computers.

[20]  Robert H. Deng,et al.  Breaking Public Key Cryptosystems on Tamper Resistant Devices in the Presence of Transient Faults , 1997, Security Protocols Workshop.