Attacking RSA–CRT signatures with faults on Montgomery multiplication

In this paper, we present several efficient fault attacks against implementations of RSA–CRT signatures that use modular exponentiation algorithms based on Montgomery multiplication. They apply to any padding function, including randomized paddings, and as such are the first fault attacks effective against RSA–PSS. The new attacks are based on the assumption that a small register can be forced to either zero, or a constant value, or a value with zero high-order bits. We show that these models are quite realistic, as such faults can be achieved against many proposed hardware designs for RSA signatures.
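As an added example (not code from the paper), RSA–CRT signing built on Montgomery exponentiation, with the standard verify-before-release countermeasure: the signature is recomputed under the public exponent and withheld if it does not verify. The key, message and the simulated "register forced to zero" glitch at one ladder step are constructed toy values standing in for the paper's fault model.

```python
# Added example: RSA-CRT signing over Montgomery arithmetic plus a
# verify-before-release check. Toy key (p=61, q=53, e=17, d=2753) and the
# fault injection hook are constructed here, not taken from the paper.

def mont_mul(a, b, n, n_prime, R):
    """Montgomery product a*b*R^-1 mod n (REDC); needs a, b < n, n odd."""
    t = a * b
    m = ((t % R) * n_prime) % R        # n_prime = -n^-1 mod R
    u = (t + m * n) // R               # exact division: t + m*n == 0 mod R
    return u - n if u >= n else u

def mont_pow(base, exp, n, fault=None):
    """Left-to-right square-and-multiply in the Montgomery domain.
    `fault`, if given, is applied to the accumulator register at the last
    ladder step to model a glitched register (assumed fault model)."""
    R = 1 << n.bit_length()            # R > n, gcd(R, n) = 1 for odd n
    n_prime = (-pow(n, -1, R)) % R
    x = (base * R) % n                 # base in Montgomery form
    acc = R % n                        # 1 in Montgomery form
    bits = bin(exp)[2:]
    for i, bit in enumerate(bits):
        acc = mont_mul(acc, acc, n, n_prime, R)
        if bit == "1":
            acc = mont_mul(acc, x, n, n_prime, R)
        if fault is not None and i == len(bits) - 1:
            acc = fault(acc)           # simulated register fault
    return mont_mul(acc, 1, n, n_prime, R)   # back to normal form

def crt_sign(m, p, q, d, fault_q=None):
    """RSA-CRT: half-size exponentiations mod p and mod q, then Garner."""
    dp, dq = d % (p - 1), d % (q - 1)
    sp = mont_pow(m % p, dp, p)
    sq = mont_pow(m % q, dq, q, fault=fault_q)
    h = ((sp - sq) * pow(q, -1, p)) % p
    return sq + q * h                  # s = sp mod p, s = sq mod q, s < pq

def sign_checked(m, e, p, q, d, fault_q=None):
    """Verify-before-release: return None instead of a faulty signature.
    `m` is the (already padded) message representative, 0 <= m < n."""
    n = p * q
    s = crt_sign(m, p, q, d, fault_q)
    if pow(s, e, n) != m % n:          # cheap public-exponent recheck
        return None
    return s

if __name__ == "__main__":
    print(sign_checked(65, 17, 61, 53, 2753))                    # valid
    print(sign_checked(65, 17, 61, 53, 2753, fault_q=lambda a: 0))  # None
```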
