CRT RSA Algorithm Protected Against Fault Attacks

Embedded devices performing RSA signatures are subject to Fault Attacks, particularly when the Chinese Remainder Theorem is used. In most cases, the modular exponentiation and the Garner recombination algorithms are targeted. To thwart Fault Attacks, we propose a new generic method of computing modular exponentiation and we prove its security in a realistic fault model. By construction, our proposal is also protected against Simple Power Analysis. Based on our new resistant exponentiation algorithm, we present two different ways of computing CRT RSA signatures in a secure way. We show that those methods do not increase execution time and can be easily implemented on low-resource devices.
