Double Counting in $2^{t}$ -ary RSA Precomputation Reveals the Secret Exponent

A new fault attack, the double counting attack (DCA), on the precomputation of $2^t$-ary modular exponentiation for a classical RSA digital signature (i.e., RSA without the Chinese remainder theorem) is proposed. The $2^t$-ary method is the most popular and widely used algorithm for speeding up the RSA signature process. Developers can realize the fastest signature process by choosing the optimum $t$; for example, $t=6$ is optimum for a 1536-bit classical RSA implementation. The $2^t$-ary method requires a precomputation that generates small powers of the message. Conventional fault attack research has paid little attention to this precomputation, even though it could be the target of a fault attack. The proposed DCA induces faults in the precomputation using an instruction skip technique, which is equivalent to replacing an instruction with a no-operation in assembly language. This paper also presents a useful position checker tool that determines the positions of the $2^t$-ary coefficients of the secret exponent from signatures produced with faulted precomputations. The DCA is demonstrated to be an effective attack method for some widely used parameters: it can reconstruct an entire secret exponent using the position checker with 63 (= $2^6 - 1$) faulted signatures in a short time for a 1536-bit RSA implementation using the $2^t$-ary method. The DCA process can be accelerated for a small public exponent (e.g., 65537). To the best of our knowledge, the proposed DCA is the first fault attack against classical RSA precomputation.
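As an added illustration (not code from the paper), the following Python models the $2^t$-ary method described above: the precomputation table of small powers of the message, a constructed single-skip fault in that table, and the verify-before-output check a signing device can apply so that a signature produced from a faulted table is never released. The RSA parameters ($n = 61 \cdot 53$, $e = 17$, $d = 2753$) and $t = 3$ are toy values chosen for readability.

```python
# Added example: 2^t-ary exponentiation with its precomputation table, a
# constructed instruction-skip fault model, and a verify-before-output check.

def precompute_table(m, t, n, skip_index=None):
    """g[i] = m^i mod n for i = 0 .. 2^t - 1.
    skip_index (constructed fault model) skips one multiplication: entry
    g[skip_index] keeps the stale value g[skip_index - 1], and every later
    entry is built from it, so they all end up one power of m short."""
    table = [1, m % n]
    for i in range(2, 1 << t):
        if i == skip_index:
            table.append(table[i - 1])          # multiplication skipped
        else:
            table.append(table[i - 1] * m % n)  # normal step: g[i] = g[i-1] * m
    return table

def window_digits(d, t):
    """Split exponent d into its 2^t-ary digits, most significant first."""
    digits = []
    while d:
        digits.append(d & ((1 << t) - 1))
        d >>= t
    return digits[::-1] or [0]

def exp_2t_ary(m, d, n, t, skip_index=None):
    """Left-to-right 2^t-ary exponentiation: t squarings, then one table
    multiplication per digit of d. Equals m^d mod n when the table is sound."""
    table = precompute_table(m, t, n, skip_index)
    result = 1
    for digit in window_digits(d, t):
        for _ in range(t):
            result = result * result % n
        result = result * table[digit] % n
    return result

def sign_checked(m, d, e, n, t, skip_index=None):
    """Classical RSA signature (no CRT) with verify-before-output.
    Returns (signature, ok); ok is False whenever s^e != m mod n, which is
    the condition under which a device should refuse to release s."""
    s = exp_2t_ary(m, d, n, t, skip_index)
    return s, pow(s, e, n) == m % n

if __name__ == "__main__":
    # Toy RSA parameters (constructed): n = 61 * 53, e = 17, d = 2753; t = 3.
    n, e, d, t, m = 3233, 17, 2753, 3, 65
    print(sign_checked(m, d, e, n, t))                # sound table: (s, True)
    print(sign_checked(m, d, e, n, t, skip_index=2))  # skipped entry is used by d: (s', False)
    print(sign_checked(m, d, e, n, t, skip_index=7))  # digit 7 never appears in d: (s, True)
```

The third call shows why the paper speaks of the position of the coefficients: a faulted table entry only changes the signature when the corresponding digit actually occurs in the exponent, which is exactly what the verify-before-output check reveals on the device rather than to an outside observer.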
