Checking Before Output May Not Be Enough Against Fault-Based Cryptanalysis

In order to avoid fault-based attacks on cryptographic security modules (e.g., smart-cards), some authors suggest that the computation results should be checked for faults before being transmitted. In this paper, we describe a potential fault-based attack in which key bits leak solely through whether or not the device produces a correct answer after a temporary fault. This information is available to the adversary even if a check is performed before output.
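The following simulation, added here as an illustration and not code from the paper, shows why the check-before-output countermeasure described above is not sufficient on its own. It assumes a concrete model that the abstract does not spell out: a toy RSA signer using a left-to-right square-and-multiply-always exponentiation (the multiplication result is discarded when the key bit is 0), a transient fault that clears the multiplier output in one step, and a device that verifies the signature with the public exponent and stays silent on failure.

```python
"""Educational simulation: a device that checks its result before output
still reveals a private-key bit, because whether the check passes
depends on that bit.

Assumed model (constructed here, not taken from the paper's text):
square-and-multiply-always RSA signing, a fault that clears the
multiplier's output register in one chosen step, and a verify-then-output
check on the card.
"""

# Constructed toy RSA key (p = 61, q = 53); far too small for real use.
N, E, D = 3233, 17, 2753
D_BITS = [int(b) for b in format(D, "b")]   # MSB first: 101011000001

def sign_always(m, d_bits, n, fault_step=None):
    """Square-and-multiply-always: the multiply runs on every step, but
    its result is only kept when the key bit is 1."""
    r = 1
    for step, bit in enumerate(d_bits):
        r = (r * r) % n
        t = (r * m) % n               # always performed; a dummy when bit == 0
        if step == fault_step:
            t = 0                     # simulated transient fault: register cleared
        if bit:
            r = t                     # the fault only propagates on these steps
    return r

def device(m, fault_step=None):
    """Check-before-output: verify with the public exponent and emit
    nothing if verification fails."""
    s = sign_always(m, D_BITS, N, fault_step)
    if pow(s, E, N) != m:
        return None                   # fault detected, nothing leaves the card
    return s

def observed_key_bits(m):
    """What an outside observer learns from output/no-output alone, faulting
    one step per run: silence means the faulted multiply was the real one
    (bit 1); a correct output means it was the dummy (bit 0)."""
    return [0 if device(m, step) is not None else 1
            for step in range(len(D_BITS))]

if __name__ == "__main__":
    print("true key bits      :", D_BITS)
    print("bits from behaviour:", observed_key_bits(65))
```

The check never releases a faulty signature, yet the presence or absence of any output reproduces the exponent bit by bit, which is the leak the abstract refers to.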
