An efficient CRT-RSA algorithm secure against power and fault attacks

RSA digital signatures computed with the Chinese Remainder Theorem (CRT-RSA) are exposed to both power analysis and fault attacks; the two modular exponentiations and the CRT recombination step are the operations most at risk. Existing countermeasures remain vulnerable to more advanced and sophisticated attacks. In this paper we examine state-of-the-art countermeasures against power and fault attacks with respect to both security and efficiency, and then show how they can still be defeated by fault attacks. Finally, we propose new modular exponentiation and CRT recombination algorithms that resist all known power and fault attacks. Our proposal improves efficiency by replacing the arithmetic operations used to detect errors in the CRT recombination step with logical ones. In addition, because our CRT-RSA algorithm does not require knowledge of the public exponent, it allows a more versatile implementation.
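As an added illustration (not the paper's algorithm or code), the following Python shows why a single fault in CRT-RSA is fatal and what the classical checks do and do not cover: a textbook CRT-RSA signature, a simulated fault in the p-half before recombination, the Boneh-DeMillo-Lipton factoring of N from one faulty signature, Lenstra's variant that needs no public exponent, the classical verification check that does require e, and an exponent-free consistency check on the recombination step together with its blind spot. The primes, message and fault mask are toy values chosen here for readability and are not from the paper.

```python
"""CRT-RSA signing, a simulated fault, and the resulting factoring of N.

Added illustration, not the paper's algorithm.  Toy parameters (p=61, q=53)
are used so every value fits in a few digits; never use such sizes in practice.
"""
from math import gcd


def crt_keygen(p, q, e=17):
    """Derive the CRT private key material (d_p, d_q, i_q) from p, q and e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(n)")
    d = pow(e, -1, phi)                  # modular inverse, Python >= 3.8
    return {
        "n": n, "e": e, "p": p, "q": q,
        "dp": d % (p - 1),
        "dq": d % (q - 1),
        "iq": pow(q, -1, p),             # q^{-1} mod p, used by Garner's recombination
    }


def crt_halves(key, m):
    """The two half-size exponentiations S_p = m^{d_p} mod p, S_q = m^{d_q} mod q."""
    return pow(m, key["dp"], key["p"]), pow(m, key["dq"], key["q"])


def garner(key, s_p, s_q):
    """Garner's CRT recombination: S = S_q + q * ((S_p - S_q) * i_q mod p)."""
    t = ((s_p - s_q) * key["iq"]) % key["p"]
    return s_q + key["q"] * t


def crt_sign(key, m, fault_mask_p=0):
    """Textbook CRT-RSA signature S = m^d mod n.

    fault_mask_p != 0 is a simulation hook (assumed here, not part of any
    real signing API): S_p is XORed with the mask before recombination, which
    models a transient fault injected into the p-half by a glitch.
    """
    s_p, s_q = crt_halves(key, m)
    s_p ^= fault_mask_p
    return garner(key, s_p, s_q)


def verify(n, e, m, s):
    """Classical output check S^e mod n == m; requires the public exponent e."""
    return pow(s, e, n) == m


def recombination_check(key, s_p, s_q, s):
    """Exponent-free consistency check on the recombination step only.

    The recombined S must reduce back to the two halves.  This catches a fault
    injected *during* recombination, but NOT one injected into S_p or S_q
    before it: a corrupted half and the S built from it agree with each other.
    """
    return s % key["p"] == s_p and s % key["q"] == s_q


def bellcore_factor(n, e, m, s_faulty):
    """Boneh-DeMillo-Lipton: one faulty signature plus the public key factors n.

    The faulty S is still correct modulo the untouched prime, so S^e - m is a
    multiple of that prime but not of the other one.
    """
    return gcd(pow(s_faulty, e, n) - m, n)


def lenstra_factor(n, s_good, s_faulty):
    """Lenstra's variant: correct and faulty signatures of the same message,
    no public exponent needed (S - S' is a multiple of the untouched prime)."""
    return gcd(s_good - s_faulty, n)


if __name__ == "__main__":
    key = crt_keygen(61, 53)            # toy primes, n = 3233
    m = 65                              # toy (already padded/hashed) message
    s = crt_sign(key, m)
    s_bad = crt_sign(key, m, fault_mask_p=1)   # one bit flipped in S_p
    print("good signature verifies:", verify(key["n"], key["e"], m, s))
    print("faulty signature verifies:", verify(key["n"], key["e"], m, s_bad))
    print("factor from faulty signature (needs e):",
          bellcore_factor(key["n"], key["e"], m, s_bad))
    print("factor from good+faulty pair (no e):",
          lenstra_factor(key["n"], s, s_bad))
```

Running it recovers q = 53 from the single faulty signature by either method, which is the whole reason an output check is mandatory. Note the caveat encoded in `recombination_check`: comparing S mod p and S mod q against the halves only protects the recombination, so a fault landed during the exponentiation sails through it; protecting that step, without relying on e, is exactly what the abstract's new exponentiation algorithm is about.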
