Algorithmic Countermeasures Against Fault Attacks and Power Analysis for RSA-CRT

In this work, we analyze all existing RSA-CRT countermeasures against the Bellcore attack that use binary self-secure exponentiation algorithms. We test their security against a powerful adversary by simulating fault injections in a fault model that includes random, zeroing, and skipping faults at all possible fault locations. We find that most of the countermeasures are vulnerable and do not provide sufficient security against all attacks in this fault model. After investigating how additional measures can be included to counter all possible fault injections, we present three countermeasures which prevent both power analysis and many kinds of fault attacks.
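The following simulation is an added illustration of the kind of experiment the abstract describes; it is example code written for this page, not the paper's tool. It assumes the Montgomery ladder with the coherence check R1 = R0*m as the representative binary self-secure exponentiation, and assumes a loop counter plus a non-zero output test as the "additional measures"; the modulus, exponent and message are constructed toy values standing in for one CRT branch.

```python
import random

P = 1_000_000_007       # constructed toy prime, stands in for one CRT modulus p
E = 65537
D = pow(E, -1, P - 1)   # d_p = e^{-1} mod (p - 1), needs Python 3.8+

def ladder(m, d, n, fault=None, rng=None):
    """Montgomery ladder for m^d mod n keeping the invariant R1 == R0*m.
    fault = (iteration, kind, register): "random"/"zero" corrupt one register
    before that iteration, "skip" drops the iteration. Returns
    (R0, invariant_ok, loop_count_ok, output_nonzero)."""
    bits = [int(b) for b in bin(d)[2:]]          # MSB first
    R0, R1, executed = 1, m % n, 0
    for i, b in enumerate(bits):
        if fault is not None and fault[0] == i:
            _, kind, reg = fault
            if kind == "skip":
                continue                          # whole iteration skipped
            val = 0
            if kind == "random":                  # any value but the current one
                cur = R0 if reg == 0 else R1
                while val in (0, cur):
                    val = rng.randrange(1, n)
            if reg == 0: R0 = val
            else:        R1 = val
        if b == 0:
            R1 = R0 * R1 % n
            R0 = R0 * R0 % n
        else:
            R0 = R0 * R1 % n
            R1 = R1 * R1 % n
        executed += 1
    return R0, R1 == R0 * m % n, executed == len(bits), R0 != 0

def simulate(m=123456789, d=D, n=P, seed=1):
    """Per fault kind: (locations tried, caught by invariant, caught by all checks)."""
    rng = random.Random(seed)
    stats = {}
    for kind in ("random", "zero", "skip"):
        regs = (None,) if kind == "skip" else (0, 1)
        total = inv_caught = all_caught = 0
        for i in range(d.bit_length()):
            for reg in regs:
                _, inv_ok, cnt_ok, nz = ladder(m, d, n, (i, kind, reg), rng)
                total += 1
                inv_caught += not inv_ok
                all_caught += not (inv_ok and cnt_ok and nz)
        stats[kind] = (total, inv_caught, all_caught)
    return stats
```

The invariant check alone catches every random fault but no skipped iteration (the ladder invariant survives a dropped step) and only some zeroing faults (both registers collapse to zero and still satisfy R1 == R0*m); the loop counter and the non-zero output test close those gaps.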
