Fault Attacks on RSA with CRT: Concrete Results and Practical Countermeasures

This article describes concrete results and practically validated countermeasures concerning differential fault attacks on RSA using the CRT. We investigate smartcards with an RSA coprocessor on which all hardware countermeasures against fault attacks have been switched off; this scenario was chosen in order to analyze the reliability of software countermeasures on their own. We start by describing our laboratory setting for the attacks. Next, we describe the experiments on, and the results of, a straightforward implementation of a well-known countermeasure. This implementation turned out to be insufficient. From the data obtained in these experiments we developed a practical error model, which enabled us to specify enhanced software countermeasures for which we were not able to produce any successful attack on the investigated chips. Nevertheless, we are convinced that only sophisticated hardware countermeasures (sensors, filters, etc.) in combination with software countermeasures will be able to provide security.
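
The attack the countermeasures above are built against is the Bellcore-style fault attack on RSA-CRT signing: if one of the two half-exponentiations is corrupted, the faulty signature is still correct modulo one prime but wrong modulo the other, and a gcd exposes that prime. The following Python is an added illustration of that attack and of the basic verify-before-output check; it is not code from the paper, and the key, message and single-bit fault are constructed for the example (the authors' own enhanced countermeasures are not reproduced here).

```python
"""Fault attack on RSA-CRT signing (added illustration, not from the paper)."""
from math import gcd

# Constructed toy key: two known primes, far too small for real use, but the
# CRT arithmetic and the attack are identical for 1024-bit or larger primes.
P = 1000000007
Q = 998244353
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent
M = 0x1234567890ABCDEF % N                  # constructed message representative


def crt_params(p, q, d):
    """Precomputed CRT values stored alongside the private key."""
    dp = d % (p - 1)
    dq = d % (q - 1)
    qinv = pow(q, -1, p)
    return dp, dq, qinv


def sign_crt(m, p, q, d, fault_in_q=False):
    """RSA-CRT signature s = m^d mod N via two half-size exponentiations.

    With fault_in_q=True one bit of the q-half result is flipped, which models
    an induced fault in the coprocessor; the p-half stays correct.
    """
    dp, dq, qinv = crt_params(p, q, d)
    sp = pow(m, dp, p)
    sq = pow(m, dq, q)
    if fault_in_q:
        sq ^= 1                              # simulated transient fault
    h = (qinv * (sp - sq)) % p               # Garner recombination
    return sq + q * h


def bellcore_attack(s_good, s_bad, n):
    """Two signatures on the same message, one faulty.

    s_good == s_bad (mod p) but s_good != s_bad (mod q), so the gcd is p.
    """
    return gcd((s_good - s_bad) % n, n)


def lenstra_attack(m, s_bad, e, n):
    """Single faulty signature plus the public key.

    s_bad^e == m (mod p) but not (mod q), so gcd(s_bad^e - m, N) is p.
    """
    return gcd((pow(s_bad, e, n) - m) % n, n)


def sign_checked(m, p, q, d, e, fault_in_q=False):
    """Verify-before-output: recompute s^e mod N and refuse to emit a bad signature."""
    s = sign_crt(m, p, q, d, fault_in_q)
    if pow(s, e, p * q) != m:
        return None                          # faulty result is never released
    return s


if __name__ == "__main__":
    s = sign_crt(M, P, Q, D)
    s_bad = sign_crt(M, P, Q, D, fault_in_q=True)
    print("good signature verifies:", pow(s, E, N) == M)
    print("faulty signature verifies:", pow(s_bad, E, N) == M)
    print("factor from two signatures:", bellcore_attack(s, s_bad, N) == P)
    print("factor from one faulty signature:", lenstra_attack(M, s_bad, E, N) == P)
    print("checked signer output under fault:", sign_checked(M, P, Q, D, E, fault_in_q=True))
```

The single-signature variant matters in practice because the attacker does not need a second, correct signature on the same padded message. The public-exponent check in `sign_checked` is the simplest software defence, but it is itself computation: a second fault that skips or corrupts the comparison lets the faulty value out, which is why the abstract argues for combining software checks with hardware sensors and filters rather than relying on either alone.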