Homomorphic Property-Based Concurrent Error Detection of RSA: A Countermeasure to Fault Attack

Fault-based attacks, which recover secret keys by deliberately introducing one or more faults into cipher implementations and analyzing the faulty outputs, have proved to be extremely powerful. In this paper, we propose a novel Concurrent Error Detection (CED) scheme to counter fault-based attacks against RSA by exploiting its multiplicative homomorphic property. Specifically, the proposed CED scheme verifies whether ∏_{i=1}^{k} E(m_i) ≡ E(∏_{i=1}^{k} m_i mod n) (mod n), where E can be the RSA encryption, decryption, signature, or verification operation. Upon a mismatch, all k ciphertexts are suppressed. The time overhead is 1/k, and k can be used to trade off the time overhead against memory overhead and output latency. Recognizing that an RSA device may be subject to a combination of several side-channel attacks, the proposed scheme enables an easy divide-and-concur solution: any fine-tuned architecture, for example a power-attack-resistant architecture, can be equipped with fault-attack resistance without disturbing its original resistance. This advantage distinguishes the proposed scheme from existing countermeasures.
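The batch check described in the abstract, as an added example that is not the paper's own code: k RSA results are multiplied modulo n and compared with one RSA operation on the product of the inputs, and the whole batch is suppressed on a mismatch. The toy key (p = 61, q = 53) and the messages are constructed here; the `fault` argument models a bit flip in one of the k outputs.

```python
# Multiplicative-homomorphic CED for RSA (added example, constructed toy parameters).
# Constructed toy key: p=61, q=53 -> n=3233, phi=3120, e=17, d=2753.
N, E, D = 3233, 17, 2753


def rsa(x, exp, n=N):
    """One RSA operation: exp=E for encrypt/verify, exp=D for decrypt/sign."""
    return pow(x, exp, n)


def product_mod(values, n=N):
    """Product of all values reduced modulo n."""
    acc = 1
    for v in values:
        acc = acc * v % n
    return acc


def ced_batch(msgs, exp, fault=None, n=N):
    """Compute E(m_i) for k inputs, then verify
         prod_i E(m_i)  ==  E(prod_i m_i mod n)   (mod n).
    Returns the k outputs, or None when the check fails (outputs suppressed).
    `fault=(idx, mask)` XORs `mask` into the idx-th result to model an injected fault.
    The extra cost is one RSA operation per k results, i.e. a 1/k time overhead."""
    outs = [rsa(m, exp, n) for m in msgs]
    if fault is not None:
        idx, mask = fault
        outs[idx] ^= mask           # corrupt one result (simulated fault)
    lhs = product_mod(outs, n)      # product of the k individual results
    rhs = rsa(product_mod(msgs, n), exp, n)  # one RSA op on the product of inputs
    return outs if lhs == rhs else None


if __name__ == "__main__":
    msgs = [65, 123, 2000, 77]      # constructed plaintexts, all coprime to n
    ct = ced_batch(msgs, E)
    print("fault-free batch passes:", ct is not None)
    print("round trip:", ced_batch(ct, D) == msgs)
    print("faulty batch suppressed:", ced_batch(msgs, E, fault=(1, 1)) is None)
```

Because every m_i here is a unit modulo n, any fault that changes one result to a value not congruent to the correct one changes the product and is caught; a message that is a multiple of n would make the product 0 and must be excluded from batching.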
