An RSA Implementation Resistant to Fault Attacks and to Simple Power Analysis
September 2006 (vol. 55 no. 9)
pp. 1116-1120
Side Channel Attacks currently allow an attacker to recover secrets stored in embedded devices more efficiently than any other kind of attack. Among these, Fault Attacks (FA) and Simple Power Analysis (SPA) are probably the most effective: when applied to straightforward implementations of the RSA cryptosystem, only one execution of the algorithm is required to recover the secret key. Over recent years, many countermeasures have been proposed to prevent Side Channel Attacks on RSA. Regarding Fault Attacks, only one countermeasure offers effective protection, and it can be very costly. In this paper, we focus on a means to counteract Fault Attacks by presenting a new way of implementing exponentiation algorithms. This method can be used to obtain fast FA-resistant RSA signature generations in both the Straightforward Method and Chinese Remainder Theorem modes. Moreover, as it has been shown that Fault Attacks can benefit from the weaknesses introduced by some SPA countermeasures, we ensure that our method resists SPA and, thus, does not require supplementary SPA countermeasures.
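The two single-execution attacks the abstract refers to, worked through as an added example. This is not code from Giraud's paper and does not implement its countermeasure: it shows why a naive square-and-multiply leaks the private exponent to SPA in one trace, why one faulty CRT signature factors the modulus (the Boneh-DeMillo-Lipton attack of ref. [2]), the Montgomery powering ladder of ref. [18] as an SPA-regular exponentiation, and the verify-before-output check that ref. [5] discusses. The key (P, Q, E), the message MSG, the one-residue fault model and all function names are constructed for this illustration.

```python
from math import gcd

# Constructed toy RSA key: tiny primes so the example runs instantly.
# A real key is 2048 bits or more; the arithmetic below is unchanged.
P, Q = 10007, 10009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent
DP, DQ = D % (P - 1), D % (Q - 1)       # CRT exponents
IQ = pow(Q, -1, P)                      # q^-1 mod p, for Garner recombination
MSG = 12345678                          # constructed message representative, < N


def naive_exp(x, d, n):
    """Left-to-right square-and-multiply. Returns (x^d mod n, operation trace).
    The trace is what SPA reads off one power curve: a multiply directly after
    a square happens only for a 1 bit, so the trace spells out d."""
    acc, trace = 1, []
    for bit in bin(d)[2:]:
        acc = acc * acc % n
        trace.append("S")
        if bit == "1":
            acc = acc * x % n
            trace.append("M")
    return acc, "".join(trace)


def spa_recover_exponent(trace):
    """Read the exponent bits back out of a square-and-multiply trace."""
    bits = []
    for i, op in enumerate(trace):
        if op == "S":
            bits.append("1" if i + 1 < len(trace) and trace[i + 1] == "M" else "0")
    return int("".join(bits), 2)


def ladder_exp(x, d, n):
    """Montgomery powering ladder (Joye-Yen, ref. [18]): every bit costs exactly
    one multiply and one square, so the trace is identical for every exponent.
    Invariant after each step: r1 == r0 * x (mod n)."""
    r0, r1 = 1, x % n
    trace = []
    for bit in bin(d)[2:]:
        if bit == "1":
            r0, r1 = r0 * r1 % n, r1 * r1 % n
        else:
            r1, r0 = r0 * r1 % n, r0 * r0 % n
        trace.append("MS")
    return r0, r1, "".join(trace)


def crt_sign(m, fault_in_p=False):
    """RSA signature in CRT mode (ref. [7]) with no countermeasure.
    fault_in_p simulates a glitch that corrupts the mod-p half-signature."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_p:
        sp = (sp + 1) % P               # any wrong residue mod p will do
    h = IQ * (sp - sq) % P
    return sq + Q * h                   # Garner recombination, result < N


def bellcore_factor(n, e, m, faulty_sig):
    """Boneh-DeMillo-Lipton attack (ref. [2]). A signature that is correct mod q
    but wrong mod p satisfies sig^e == m (mod q) only, so the gcd yields q.
    Needs a single faulty signature and public data only."""
    return gcd((pow(faulty_sig, e, n) - m) % n, n)


def checked_crt_sign(m, fault_in_p=False):
    """Verify-before-output: recompute with the public exponent and withhold
    any signature that does not verify. Cheap, but ref. [5] shows that a
    fault landing on this check itself defeats it."""
    s = crt_sign(m, fault_in_p)
    if pow(s, E, N) != m % N:
        raise RuntimeError("fault detected, signature withheld")
    return s


def demo():
    """Run both single-trace attacks and the regular ladder on the toy key."""
    _, naive_trace = naive_exp(MSG, D, N)
    r0, r1, ladder_trace = ladder_exp(MSG, D, N)
    faulty = crt_sign(MSG, fault_in_p=True)
    return {
        "spa_recovers_d": spa_recover_exponent(naive_trace) == D,
        "ladder_correct": r0 == pow(MSG, D, N) and r1 == r0 * MSG % N,
        "ladder_trace_uniform": ladder_trace == "MS" * D.bit_length(),
        "bellcore_factor": bellcore_factor(N, E, MSG, faulty),
    }


if __name__ == "__main__":
    print(demo())
```

The ladder's invariant r1 == r0 * x (mod n) is cheap to test at the end of the loop and fails if either register was disturbed, which is why ladder-based exponentiation is a natural starting point for combined FA/SPA resistance; the check in checked_crt_sign costs a full public-exponent exponentiation and, as ref. [5] warns, is itself a fault target.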

[1] P. Kocher, “Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems,” Advances in Cryptology, Proc. CRYPTO '96, N. Koblitz, ed., pp. 104-113, 1996.
[2] D. Boneh, R. DeMillo, and R. Lipton, “On the Importance of Checking Cryptographic Protocols for Faults,” Advances in Cryptology, Proc. EUROCRYPT '97, W. Fumy, ed., pp. 37-51, 1997.
[3] P. Kocher, J. Jaffe, and B. Jun, “Differential Power Analysis,” Advances in Cryptology, Proc. CRYPTO '99, M. Wiener, ed., pp. 388-397, 1999.
[4] J.-S. Coron, “Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems,” Proc. Cryptographic Hardware and Embedded Systems (CHES '99), Ç. Koç and C. Paar, eds., pp. 292-302, 1999.
[5] S.-M. Yen and M. Joye, “Checking before Output May Not Be Enough against Fault-Based Cryptanalysis,” IEEE Trans. Computers, vol. 49, no. 9, pp. 967-970, Sept. 2000.
[6] H. Garner, “The Residue Number System,” IRE Trans. Electronic Computers, vol. 8, no. 6, pp. 140-147, 1959.
[7] C. Couvreur and J.-J. Quisquater, “Fast Decipherment Algorithm for RSA Public-Key Cryptosystem,” Electronics Letters, vol. 18, no. 21, pp. 905-907, 1982.
[8] C. Giraud and H. Thiebeauld, “A Survey on Fault Attacks,” Proc. Smart Card Research and Advanced Applications VI (CARDIS 2004), J.-J. Quisquater, P. Paradinas, Y. Deswarte, and A.E. Kalam, eds., pp. 159-176, 2004.
[9] A. Shamir, “Improved Method and Apparatus for Protecting Public Key Schemes from Timing and Fault Attacks,” Int'l Patent Number: WO 98/52319, Nov. 1998.
[10] C. Aumüller, P. Bier, W. Fischer, P. Hofreiter, and J.-P. Seifert, “Fault Attacks on RSA with CRT: Concrete Results and Practical Countermeasures,” Proc. Cryptographic Hardware and Embedded Systems (CHES 2002), B. Kaliski Jr., Ç. Koç, and C. Paar, eds., pp. 260-275, 2002.
[11] S.-M. Yen, S.-J. Kim, S.-G. Lim, and S.-J. Moon, “RSA Speedup with Residue Number System Immune against Hardware Fault Cryptanalysis,” Proc. Information Security and Cryptology (ICISC 2001), K. Kim, ed., pp. 397-413, 2001.
[12] J. Blömer, M. Otto, and J.-P. Seifert, “A New RSA-CRT Algorithm Secure against Bellcore Attacks,” Proc. ACM Conf. Computer and Comm. Security (CCS '03), S. Jajodia, V. Atluri, and T. Jaeger, eds., pp. 311-320, 2003.
[13] S.-M. Yen and D. Kim, “Cryptanalysis of Two Protocols for RSA with CRT Based on Fault Infection,” Proc. Workshop Fault Diagnosis and Tolerance in Cryptography (FDTC '04), L. Breveglieri and I. Koren, eds., pp. 381-385, 2004.
[14] S.-M. Yen, S. Moon, and J.-C. Ha, “Hardware Fault Attack on RSA with CRT Revisited,” Proc. Information Security and Cryptology (ICISC 2002), P. Lee and C. Lim, eds., pp. 374-388, 2002.
[15] D. Wagner, “Cryptanalysis of a Provable Secure CRT-RSA Algorithm,” Proc. ACM Conf. Computer and Comm. Security (CCS '04), B. Pfitzmann and P. Liu, eds., pp. 82-91, 2004.
[16] S.-M. Yen, W.-C. Lien, S.-J. Moon, and J.-C. Ha, “Power Analysis by Exploiting Chosen Message and Internal Collisions—Vulnerability of Checking Mechanism for RSA-Decryption,” Progress in Cryptology, Proc. Mycrypt 2005, E. Dawson and S. Vaudenay, eds., pp. 183-195, 2005.
[17] R. Novak, “SPA-Based Adaptive Chosen-Ciphertext Attack on RSA Implementation,” Proc. Public Key Cryptography (PKC 2002), D. Naccache and P. Paillier, eds., pp. 252-262, 2002.
[18] M. Joye and S.-M. Yen, “The Montgomery Powering Ladder,” Proc. Cryptographic Hardware and Embedded Systems (CHES 2002), B. Kaliski Jr., Ç. Koç, and C. Paar, eds., pp. 291-302, 2002.
[19] S.-M. Yen, S.-J. Kim, S.-G. Lim, and S.-J. Moon, “A Countermeasure against One Physical Cryptanalysis May Benefit Another Attack,” Proc. Information Security and Cryptology (ICISC 2001), K. Kim, ed., pp. 414-427, 2001.

Index Terms:
Smart cards, side channel, fault injection, simple power analysis, public-key cryptosystems, RSA, exponentiation.
Citation:
Christophe Giraud, "An RSA Implementation Resistant to Fault Attacks and to Simple Power Analysis," IEEE Transactions on Computers, vol. 55, no. 9, pp. 1116-1120, Sept. 2006, doi:10.1109/TC.2006.135