The Community for Technology Leaders
RSS Icon
Issue No.07 - July (2012 vol.61)
pp: 1040-1049
Kun Ma , University of Illinois at Chicago, Chicago
Han Liang , Trident Microsystems, Inc.
Kaijie Wu , University of Illinois at Chicago, Chicago
Fault-based attacks, which recover secret keys by deliberately introducing fault(s) in cipher implementations and analyzing the faulty outputs, have been proved to be extremely powerful. In this paper, we propose a novel Concurrent Error Detection (CED) scheme to counter fault-based attack against RSA by exploiting its multiplicative homomorphic property. Specifically, the proposed CED scheme verifies if \Pi _{i = 1}^k E(m_i ) \equiv E(\Pi _{i = 1}^k m_i \bmod n) (\bmod n) where E could be either RSA encryption, or decryption, or signature, or verification process. Upon a mismatch, all the ciphertexts will be suppressed. The time overhead is 1/k and k can be used to trade-off the time overhead with memory overhead and output latency. Recognizing that an RSA device could be subject to a combination of several side-channel attacks, the proposed scheme enables an easy divide-and-concur solution—any fine-tuned architecture, for example, a power-attack-resistant architecture, can be equipped with fault-attack resistance easily without disturbing its original resistance. This advantage distinguishes the proposed scheme over the existing countermeasures.
RSA, public-key cipher, concurrent error detection, fault-based attack, side-channel attack, homomorphic property.
Kun Ma, Han Liang, Kaijie Wu, "Homomorphic Property-Based Concurrent Error Detection of RSA: A Countermeasure to Fault Attack", IEEE Transactions on Computers, vol.61, no. 7, pp. 1040-1049, July 2012, doi:10.1109/TC.2011.121
[1] B. Kaliski, “TWIRL and RSA Key Size,” http://www.rsasecurity. com/rsalabsnode.asp?id=2004 , May 2003.
[2] A.K. Lenstra and E.R. Verheul, “Selecting Cryptographic Key Sizes,” J. Cryptology: J. Int'l Assoc. for Cryptologic Research, vol. 14, no. 4, pp. 255-293, 2001.
[3] J. Pollard, “Factoring with Cubic Integers” The Development of the Number Field Sieve, pp. 4-10, Springer, 1993.
[4] D. Boneh, R.A. DeMillo, and R.J. Lipton, “On the Importance of Eliminating Errors in Cryptographic Computations,” J. Cryptology, vol. 14, pp. 101-119, 2001.
[5] V. Klíma and T. Rosa, “Further Results and Considerations on Side Channel Attacks on RSA,” Proc. Int'l Workshop Cryptographic Hardware and Embedded Systems (CHES), pp. 244-259, 2000.
[6] D. Boneh, “Twenty Years of Attacks on the RSA Cryptosystems,” Notices of the Am. Math. Soc., vol. 46, no. 2, pp. 203-213, 1999.
[7] F. Bao, R.H. Deng, Y. Han, A. Jeng, A.D. Narasimhalu, and T. Ngair, “Breaking Public Key Cryptosystems on Tamper Resistant Devices in the Presence of Transient Faults,” Proc. Int'l Workshop Security Protocols, pp. 115-124, 1997.
[8] E. Biham and A. Shamir, “Differential Fault Analysis of Secret Key Cryptosystems,” Proc. Ann. Int'l Cryptology Conf. Advances in Cryptology (CRYPTO), vol. 1294, pp. 513-525, 1997.
[9] RSA Lab, “High-Speed RSA Implementation,” ftp://ftp. , 2011.
[10] RSA Lab, “RSA Hardware Implementation,” ftp://ftp.rsasecurity. com/pub/pdfstr801.pdf , 2011.
[11] K.C. Posch and R. Posch, “Modulo Reduction in Residue Number Systems,” IEEE Trans. Parallel and Distributed Systems, vol. 6, no. 5, pp. 449-454, May 1995.
[12] S. Skorobogatov and R. Anderson, “Optical Fault Induction Attacks,” Proc. Int'l Workshop Cryptographic Hardware and Embedded Systems (CHES), pp. 2-12, 2002.
[13] R. Karri, K. Wu, P. Mishra, and Y. Kim, “Concurrent Error Detection of Fault Based Side-Channel Cryptanalysis of 128-Bit Symmetric Block Ciphers,” Proc. Design Automation Conf. (DAC), pp. 579-584, 2001.
[14] G. Bertoni, L. Breveglieri, I. Koren, and V. Piuri, “On the Propagation of Faults and Their Detection in a Hardware Implementation of the Advanced Encryption Standard,” Proc. Int'l Conf. Application-Specific Systems, Architectures, and Processors (ASAP), pp. 303-312, 2002.
[15] G. Bertoni, L. Breveglieri, I. Koren, and V. Piuri, “Error Analysis and Detection Procedures for a Hardware Implementation of the Advanced Encryption Standard,” IEEE Trans. Computers, vol. 52, no. 4, pp. 492-505, Apr. 2003.
[16] K. Wu, R. Karri, G. Kuznetsov, and M. Goessel, “Parity Based Concurrent Error Detection for the Advanced Encryption Standard,” Proc. Int'l Test Conf. (ITC), pp. 919-926, 2004.
[17] A. Shamir, “Improved Method and Apparatus for Protecting Public Key Schemes from Timing and Fault Attacks,” US Patent, Nov. 1999.
[18] C. Aumuller, P. Bier, W. Fischer, P. Hofreiter, and J.-P. Seifert, “Fault Attacks on RSA with CRT: Concrete Results and Practical Counter-Measures,” Proc. Int'l Workshop Cryptographic Hardware and Embedded Systems (CHES '02), B. Kaliski Jr., C. Koc, and C. Paar, eds., pp.260-275, 2002.
[19] C. Giraud, “An RSA Implementation Resistant to Fault Attacks and to Simple Power Analysis,” IEEE Trans. Computers, vol. 55, no. 9, pp. 1116-1120, Sept. 2006.
[20] D. Vigilant, “RSA with CRT: A New Cost-Effective Solution to Thwart Fault Attacks” Proc. Int'l Workshop Cryptographic Hardware and Embedded Systems (CHES), pp.130-145, 2008.
[21] S.M. Yen and M. Joye, “Checking Before Output May Not be Enough against Fault-Based Cryptanalysis,” IEEE Trans. Computers, vol. 49, no. 9, pp. 967-970, Sept. 2000.
[22] S.M. Yen, S. Kim, S. Lim, and S.J. Moon, “RSA Speedup with Chinese Remainder Theorem Immune against Hardware Fault Cryptanalysis,” IEEE Trans. Computers, vol. 52, no. 4, pp. 461-472, Apr. 2003.
[23] J. BlÖmer, M. Otto, and J.P. Seifert, “A New CRT-RSA Algorithm Secure against Bellcore Attacks,” Proc. ACM Conf. Computer and Comm. Security, pp. 311-320, Oct. 2003.
[24] S. Pontarelli, G.C. Cardarilli, M. Re, and A. Salsano, “Error Detection in Addition Chain Based ECC Point Multiplication,” Proc. IEEE Int'l On-Line Testing Symp., pp. 192-194, 2009.
[25] A. Domínguez-Oviedo and M. Anwar Hasan, “Error Detection and Fault Tolerance in ECSM Using Input Randomization,” IEEE Trans. Dependable and Secure Computing vol. 6, no. 3 pp. 175-187, July 2009.
[26] R. Stern, N. Joshi, K. Wu, and R. Karri, “Register Transfer Level Concurrent Error Detection in Elliptic Curve Crypto Implementations,” Proc. Workshop Fault Diagnosis and Tolerance in Cryptography, pp. 112-119, 2007.
[27] P. Kocher, J. Jaffe, and B. Jun, “Differential Power Analysis,” Proc. Ann. Int'l Cryptology Conf. Advances in Cryptology (CRYPTO), pp. 388-397, 1999.
[28] A. Matthews, “Side-Channel Attacks on Smartcards,” Network Security, vol. 2006, no. 12, pp. 18-20, Dec. 2006.
[29] P. Paillier, “Public-Key Cryptosystems Based on Discrete Logarithms Residues,” Proc. Eurocrypt, vol. 1592, pp. 223-238, 1999.
[30] RSA Laboratories, “PKCS #1 RSA Cryptography Standard,” pkcs-1v2-1.pdf, 2011.
[31] T. ElGamal, ”A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms,” IEEE Trans. Information Theory, vol. IT-31, no. 4, pp. 469-472, July 1985.
[32] H. Lipmaa, “Electronic Voting,” protocolsvoting.php, 2011.
[33] H. Lipmaa, “Cryptographic Auctions,” protocolsauctions.php, 2011.
[34] R. Cramer, I. Damgard, and J.B. Nielsen, “Multiparty Computation from Threshold Homomorphic Encryption,” Proc. Int'l Conf. Theory and Application of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT), pp. 280-300, 2001.
[35] P. Golle, M. Jakobsson, A. Juels, and P. Syverson, “Universal Re-Encryption for Mixnets, “ Proc. RSA Conf. Cryptographer's Track, T. Okamoto, ed., pp. 163-178, Feb. 2004.
[36] E. Normand, “Single Event Upset at Ground Level,” IEEE Trans. Nuclear Science, vol. 43, no. 6, pp. 2742-2750, Dec. 1996.
[37] R. Baumann, “Soft Errors in Advanced Computer Systems,” IEEE Design and Test of Computers, vol. 22, no. 3, pp. 258-266, May/June 2005.
[38] D. Wagner, “Cryptanalysis of a Provably Secure CRT-RSA Algorithm,” Proc. ACM Conf. Computer and Comm. Security, pp. 92-97, Oct. 2004.
[39] P.L. Montgomery, “Modular Multiplication without Trial Division,” Math. of Computation, vol. 44, no. 170, pp. 519-521, Apr. 1985.
[40] J.C. Bajard and L. Imbert, “A Full RNS Implementation of RSA,” IEEE Trans. Computers, vol. 53, no. 6, pp. 769-774, June 2004.
[41] M. Drutarovsky, V. Fischer, and M. Simka, “Comparison of Two Implementation Methods of Scalable Montgomery Coprocessor Embedded in Reconfigurable Hardware,” Proc. 19th Conf. Design of Circuits and Integrated Systems (DCIS), pp. 392-296, Nov. 2004.
[42] M. Ciet, M. Neve, E. Peeters, and J.-J Quisquarter, “Parallel FPGA Implementation of RSA with Residue Number Systems - Can Side-Channel Threats Be Avoided?” Proc. 46th IEEE Int'l Midwest Symp. Circuits and Systems (MWSCAS), vol. 2, pp. 806-810, Dec. 2003.
[43] J.C. Lo, “A Novel Area-Time Efficient Static CMOS Totally Self-Checking Comparator,” IEEE J. Solid-State Circuits, vol. 28, no. 2, pp 165-168, Feb. 1993.
[44] C. Metra, M. Favalli, and B. Ricco, “Highly Testable and Compact Single Output Comparator,” Proc. 15th IEEE VLSI Test Symp. (VTS), 1997.
[45] Xilinx, “Silicon Devices, FPGAs, Spartan, Series,” http://www. fpgas/spartan_series index.htm , 2011.
[46] Altera Corporation, “Cyclone FPGA,” featurescyc-architecture.html, 2011.
[47] E. Normand, “Single Event Upset at Ground Level,” IEEE Trans. Nuclear Science, vol. 43, no. 6, pp. 2742-2750, Dec. 1996.
[48] A.H. Johnston, “Radiation Effects in Advanced Microelectronics Technologies,” IEEE Trans. Nuclear Science, vol. 45, no. 3, pp. 1339-1354, June 1998.
24 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool