
Issue No.07 - July (2012 vol.61)

pp: 1040-1049

Kun Ma , University of Illinois at Chicago, Chicago

Han Liang , Trident Microsystems, Inc.

Kaijie Wu , University of Illinois at Chicago, Chicago

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TC.2011.121

ABSTRACT

Fault-based attacks, which recover secret keys by deliberately introducing one or more faults into a cipher implementation and analyzing the faulty outputs, have been proved to be extremely powerful. In this paper, we propose a novel Concurrent Error Detection (CED) scheme to counter fault-based attacks against RSA by exploiting its multiplicative homomorphic property. Specifically, the proposed CED scheme verifies whether $\prod_{i=1}^{k} E(m_i) \equiv E\left(\prod_{i=1}^{k} m_i \bmod n\right) \pmod{n}$, where $E$ can be the RSA encryption, decryption, signature, or verification process. Upon a mismatch, all $k$ ciphertexts are suppressed. The time overhead is $1/k$, and $k$ can be used to trade off time overhead against memory overhead and output latency. Recognizing that an RSA device could be subject to a combination of several side-channel attacks, the proposed scheme enables an easy divide-and-conquer solution: any fine-tuned architecture, for example a power-attack-resistant architecture, can be equipped with fault-attack resistance without disturbing its original resistance. This advantage distinguishes the proposed scheme from the existing countermeasures.
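The batch check the abstract describes, as an added illustration that is not the authors' code: a batch of k RSA operations is released only if the product of the k outputs matches one extra operation on the product of the k inputs, and a simulated fault in any single output causes the whole batch to be suppressed. It assumes textbook RSA with a constructed toy key (p = 61, q = 53, e = 17); the `fault` hook is a constructed hypothetical used only to show detection.

```python
from math import prod
from typing import List, Optional, Tuple

# Constructed toy key for illustration only (not a real-world key size).
P, Q = 61, 53
N = P * Q                                    # 3233
E_PUB = 17
D_PRIV = pow(E_PUB, -1, (P - 1) * (Q - 1))   # 2753


def rsa_op(m: int, exp: int, n: int = N) -> int:
    """One RSA operation: exp=e gives encryption/verification,
    exp=d gives decryption/signing (the abstract's E)."""
    return pow(m, exp, n)


def ced_batch(msgs: List[int], exp: int, n: int = N,
              fault: Optional[Tuple[int, int]] = None) -> Optional[List[int]]:
    """Process k inputs and apply the homomorphic CED check.

    Returns the k outputs only if
        prod(E(m_i)) == E(prod(m_i) mod n)   (mod n);
    otherwise returns None, i.e. every output of the batch is suppressed.
    `fault=(index, bitmask)` is a constructed hook that XORs a bitmask into
    one output to simulate a transient fault during that operation.
    """
    outs = [rsa_op(m, exp, n) for m in msgs]     # the k ordinary operations
    if fault is not None:                        # simulated fault injection
        idx, mask = fault
        outs[idx] ^= mask
    lhs = prod(outs) % n                         # product of the k outputs
    rhs = rsa_op(prod(msgs) % n, exp, n)         # one extra operation: overhead 1/k
    return outs if lhs == rhs else None


if __name__ == "__main__":
    batch = [65, 100, 200, 1500]                 # constructed sample inputs, all < N
    print("fault-free batch:", ced_batch(batch, E_PUB))
    print("faulted batch:   ", ced_batch(batch, E_PUB, fault=(2, 1)))
```

Because every sample input is coprime to n, a single-bit fault in one output always changes the product modulo n, so the mismatch is guaranteed rather than probabilistic for this batch.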

INDEX TERMS

RSA, public-key cipher, concurrent error detection, fault-based attack, side-channel attack, homomorphic property.

CITATION

Kun Ma, Han Liang, Kaijie Wu, "Homomorphic Property-Based Concurrent Error Detection of RSA: A Countermeasure to Fault Attack",

*IEEE Transactions on Computers*, vol. 61, no. 7, pp. 1040-1049, July 2012, doi:10.1109/TC.2011.121