This Article 
 Bibliographic References 
 Add to: 
Checking Before Output May Not Be Enough Against Fault-Based Cryptanalysis
September 2000 (vol. 49 no. 9)
pp. 967-970

Abstract—In order to avoid fault-based attacks on cryptographic security modules (e.g., smart-cards), some authors suggest that the computation results should be checked for faults before being transmitted. In this paper, we describe a potential fault-based attack where key bits leak only through the information whether the device produces a correct answer after a temporary fault or not. This information is available to the adversary even if a check is performed before output.

[1] R.L. Rivest,A. Shamir, and L.A. Adleman,"A Method for Obtaining Digital Signatures and Public Key Cryptosystems," Comm. ACM, vol. 21, pp. 120-126, 1978.
[2] T. ElGamal, A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms IEEE Trans. Information Theory, vol. 31, no. 4, pp. 469-472, 1985.
[3] D. Boneh, R.A. DeMillo, and R.J. Lipton, “On the Importance of Checking Cryptographic Protocols for Faults,” Proc. Advances in Cryptology—EUROCRYPT '97, pp. 37-51, 1997.
[4] R. Anderson and M. Kuhn, “Tamper Resistance—A Cautionary Note,” Proc. Second USENIX Workshop Electronic Commerce, pp. 1-11, 1996.
[5] M. Joye, A.K. Lenstra, and J.-J. Quisquater, “Chinese Remaindering Based Cryptosystems in the Presence of Faults,” J. Cryptology, vol. 12, no. 4, pp. 241-245, 1999.
[6] F. Bao, R.H. Deng, Y. Han, A. Jeng, A.D. Narasimbalu, and T. Ngair, “Breaking Public Key Cryptosystems on Tamper Resistant Devices in the Presence of Transient Faults,” Pre-proc. 1997 Security Protocols Workshop, 1997.
[7] Y. Zheng and T. Matsumoto, “Breaking Real-World Implementations of Cryptosystems by Manipulating Their Random Number Generation,” Preproc. 1997 Symp. Cryptography and Information Security, Jan./Feb. 1997.
[8] E. Biham and A. Shamir, “Differential Fault Analysis of Secret Key Cryptosystems,” Advances in Cryptology—CRYPTO '97, pp. 513-525, 1997.
[9] A. Shamir, “How to Check Modular Exponentiation,” Presented at the rump session of EUROCRYPT '97, May 1997
[10] D.P. Maher, “Fault Induction Attacks, Tamper Resistance, and Hostile Reverse Engineering in Perspective,” Financial Cryptography, pp. 109-121, Berlin: Springer-Verlag, 1997.
[11] B.S. Kaliski Jr. and M.J.B. Robshaw, “Comments on Some New Attacks on Cryptographic Devices,” RSA Laboratories Bulletin, no. 5, Redwood City, Calif., July 1997.
[12] Bellcore Press Release, “New Threat Model Breaks Crypto Codes,” Sept. 1996.
[13] R. Anderson and M. Kuhn, “Low Cost Attacks on Tamper Resistant Devices,” Pre-proc. 1997 Security Protocols Workshop, Apr. 1997.
[14] P. Gutmann, “Secure Deletion of Data from Magnetic and Solid-State Memory,” Proc. Sixth USENIX Security Symp., pp. 77-89, 1996.
[15] O. Kocar, “Hardwaresicherheit von Mikrochips in Chipkarten,” Datenschutz und Datensicherheit, vol. 20, no. 7, pp. 421-424, July 1996.
[16] I. Peterson, “Chinks in Digital Armor—Exploiting Faults to Break Smart-Card Cryptosystems,” Science News, vol. 151, no. 5, pp. 78-79, Feb. 1997.
[17] A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, Boca Raton, Fla., 1996, pp. 543-590.
[18] G.R. Blakley, “A Computer Algorithm for the Product AB Modulo M,” IEEE Trans. Computers, vol. 32, no. 5, pp. 497-500, May 1983.
[19] K.R. Sloan Jr., “Comments on 'A Computer Algorithm for the Product AB Modulo M,” IEEE Trans. Computers, vol. 34, no. 3, pp. 290-292, Mar. 1985.
[20] ÇK. Koç, “RSA Hardware Implementation,” Technical Report TR 801, RSA Laboratories, Redwood City, Calif., Apr. 1996.
[21] D. Coppersmith, “Finding a Small Root of a Univariate Modular Equation,” Proc. Advances in Cryptology—EUROCRYPT '96, pp. 155-165, 1996.
[22] D. Boneh, G. Durfee, and Y. Frankel, “An Attack on RSA Given a Small Fraction of the Private Key Bits,” Proc. Advances in Cryptology—ASIACRYPT '98, pp. 25-34, 1998.
[23] NBS FIPS PUB, “Data Encryption Standard,” Nat'l Bureau of Standards, US Dept. of Commerce, Jan. 1977.

Index Terms:
Cryptography, exponentiation, fault-based cryptanalysis, tamper resistance, interleaved modular multiplication.
Sung-Ming Yen, Marc Joye, "Checking Before Output May Not Be Enough Against Fault-Based Cryptanalysis," IEEE Transactions on Computers, vol. 49, no. 9, pp. 967-970, Sept. 2000, doi:10.1109/12.869328
Usage of this product signifies your acceptance of the Terms of Use.