Safe-Error Attack on SPA-FA Resistant Exponentiations Using a HW Modular Multiplier

The RSA is one of the most widely used algorithms nowadays in smart cards. The main part of RSA is the modular exponentiation composed of modular multiplications. Therefore most smart cards have a hardware modular multiplier to speed up the computation. However, secure implementation of a cryptographic algorithm in an embedded device such as a smart card has now become a big challenge since the advent of side channel analysis and fault attacks. In 2005 Giraud proposed an exponentiation algorithm, which is secure against Simple Power Analysis (SPA) and Fault Attacks (FA). Recently Boscher et al. proposed another SPA-FA resistant exponentiation algorithm. To the authors' best knowledge, only these two provide security against SPA and FA simultaneously in an exponentiation algorithm. Both algorithms are also secure against C safe-error attack and M safe-error attack when they are implemented in a software. However, when they are implemented with a hardware modular multiplier, and this is usual in a smart card, they could be vulnerable to another type of safe error attack. In this paper, we show how this attack is possible on both SPA-FA resistant exponentiation algorithms.

[1]  David A. Wagner,et al.  Cryptanalysis of a provably secure CRT-RSA algorithm , 2004, CCS '04.

[2]  Seungjoo Kim,et al.  RSA Speedup with Chinese Remainder Theorem Immune against Hardware Fault Cryptanalysis , 2003, IEEE Trans. Computers.

[3]  Ross J. Anderson,et al.  Optical Fault Induction Attacks , 2002, CHES.

[4]  Seungjoo Kim,et al.  RSA Speedup with Residue Number System Immune against Hardware Fault Cryptanalysis , 2001, ICISC.

[5]  Marc Joye,et al.  The Montgomery Powering Ladder , 2002, CHES.

[6]  Emmanuel Prouff,et al.  CRT RSA Algorithm Protected Against Fault Attacks , 2007, WISTP.

[7]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[8]  David Naccache,et al.  The Sorcerer's Apprentice Guide to Fault Attacks , 2006, Proceedings of the IEEE.

[9]  Johannes Blömer,et al.  Wagner's Attack on a Secure CRT-RSA Algorithm Reconsidered , 2006, FDTC.

[10]  Jean-Pierre Seifert,et al.  On authenticated computing and RSA-based authentication , 2005, CCS '05.

[11]  Richard J. Lipton,et al.  On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract) , 1997, EUROCRYPT.

[12]  Wieland Fischer,et al.  Fault Attacks on RSA with CRT: Concrete Results and Practical Countermeasures , 2002, CHES.

[13]  Kooroush Manochehri,et al.  Modified radix-2 Montgomery modular multiplication to make it faster and simpler , 2005, International Conference on Information Technology: Coding and Computing (ITCC'05) - Volume II.

[14]  Robert H. Sloan,et al.  Examining Smart-Card Security under the Threat of Power Analysis Attacks , 2002, IEEE Trans. Computers.

[15]  Joos Vandewalle,et al.  Hardware implementation of a Montgomery modular multiplier in a systolic array , 2003, Proceedings International Parallel and Distributed Processing Symposium.

[16]  Marc Joye,et al.  Checking Before Output May Not Be Enough Against Fault-Based Cryptanalysis , 2000, IEEE Trans. Computers.

[17]  Robert H. Deng,et al.  Breaking Public Key Cryptosystems on Tamper Resistant Devices in the Presence of Transient Faults , 1997, Security Protocols Workshop.

[18]  Israel Koren,et al.  Fault Diagnosis and Tolerance in Cryptography, Third International Workshop, FDTC 2006, Yokohama, Japan, October 10, 2006, Proceedings , 2006, FDTC.