
Fault and Power Analysis Attack Protection Techniques for Standardized Public Key Cryptosystems

Chapter in: Hardware Security and Trust

Abstract

Implementation (physical) attacks such as side channel and fault injection attacks are a realistic problem for all security applications. Standardized public key cryptography implementations like RSA and Elliptic Curve Cryptography (ECC) schemes are very vulnerable to such attacks, which are easy to mount. These attacks target the RSA and ECC cryptographic primitives of modular exponentiation and scalar multiplication, respectively. Because a very wide variety of implementation attacks exists against these two primitives, designing appropriate countermeasures is not a straightforward process. In this book chapter, we view the RSA and ECC cryptographic primitives in a unified way and introduce a side channel and fault injection attack countermeasure approach that is applicable to both schemes. To achieve that, we describe and analyze the existing implementation attack ecosystem and propose an algorithm that applies to both modular exponentiation and scalar multiplication and is capable of providing broad resistance. The proposed approach is based on the Montgomery Power Ladder, which is extended to provide strong randomization through multiplicative/additive blinding of the RSA/ECC sensitive information, respectively. This randomization is realized in such a way that in each round of the algorithm the random element is propagated and expanded according to the algorithmic computation flow. In the proposed concept, faults are detected by a dedicated mechanism at the end of all computations, which exploits the mathematical coherency between intermediate values in the algorithmic flow. Through these countermeasure techniques, the proposed algorithm can provide protection against a wide range of “horizontal” and “vertical” side channel attacks as well as fault injection attacks, thus acting as an all-in-one protection framework for RSA/ECC schemes.
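The two ingredients named in the abstract, blinding of the sensitive operand and a coherency check between intermediate values at the end of the computation, can be illustrated on the plain Montgomery ladder. The following is an added example and not the chapter's proposed algorithm or the author's code: it computes a modular exponentiation with the Montgomery ladder, blinds an RSA ciphertext with a random mask r (the ladder works on c * r^e mod n and the result is unblinded with r^-1), and checks the ladder's standing relation R1 = R0 * M (mod N) before any result is released. The `fault` argument is a hypothetical test hook that XORs one register after a chosen round so the detector can be exercised offline; the RSA parameters (n = 3233, e = 17, d = 2753) are constructed toy values. The analogous relation R1 - R0 = P holds for the ECC scalar multiplication ladder and supports the same kind of check.

```python
# Added illustrative example (not the chapter's own algorithm): Montgomery
# ladder exponentiation with message blinding and an end-of-computation
# coherency check. After every round the ladder satisfies R1 == R0 * M (mod N),
# so a fault that disturbs either register breaks the relation, and the result
# is withheld instead of released. The `fault` parameter is a hypothetical test
# hook that simulates one transient fault; it is not part of a real implementation.
import math
import secrets


def montgomery_ladder(base, exp, mod, fault=None):
    """Compute base^exp mod mod with the Montgomery ladder.

    Returns (result, coherent). `coherent` is False when the relation
    R1 == R0 * base (mod mod) no longer holds at the end of the ladder.
    `fault` is an optional (round_index, register, xor_mask) triple: after
    round `round_index` the chosen register (0 or 1) is XORed with xor_mask.
    """
    r0, r1 = 1, base % mod
    for i, bit in enumerate(bin(exp)[2:]):
        # Every round performs exactly one multiplication and one squaring,
        # whatever the key bit is, so the operation sequence is regular.
        if bit == "1":
            r0 = (r0 * r1) % mod
            r1 = (r1 * r1) % mod
        else:
            r1 = (r0 * r1) % mod
            r0 = (r0 * r0) % mod
        if fault is not None and fault[0] == i:   # simulated fault (test hook only)
            if fault[1] == 0:
                r0 ^= fault[2]
            else:
                r1 ^= fault[2]
    # Coherency check: in an undisturbed ladder R1 is always R0 * M.
    coherent = r1 == (r0 * base) % mod
    return r0 % mod, coherent


def blinded_rsa_decrypt(c, d, e, n, fault=None):
    """RSA private-key operation c^d mod n on a freshly blinded input.

    The ladder never processes c itself but c * r^e mod n; because
    (r^e)^d == r (mod n), the mask is removed by multiplying with r^-1.
    Returns None (no result is released) when the coherency check fails.
    """
    while True:
        r = secrets.randbelow(n - 2) + 2        # random mask in [2, n-1]
        if math.gcd(r, n) == 1:                 # r must be invertible mod n
            break
    blinded = (c * pow(r, e, n)) % n
    result, coherent = montgomery_ladder(blinded, d, n, fault)
    if not coherent:
        return None                             # fault detected: release nothing
    return (result * pow(r, -1, n)) % n


if __name__ == "__main__":
    # Constructed toy RSA key: n = 61 * 53, e = 17, d = 2753.
    n, e, d = 3233, 17, 2753
    c = pow(65, e, n)
    print("clean decryption:", blinded_rsa_decrypt(c, d, e, n))
    print("faulted decryption:", blinded_rsa_decrypt(c, d, e, n, fault=(11, 0, 8)))
```

The check detects a disturbed register because every later round multiplies the broken relation forward rather than repairing it, so one end-of-ladder comparison suffices for a single transient fault anywhere in the flow. A fault that skips the comparison itself, or a simultaneous consistent corruption of both registers, is outside what this bare check covers.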


Notes

  1. Chinese Remainder Theorem.

  2. A weak elliptic curve is a curve that can be cryptanalyzed easily.

  3. Note that \(\overline{e}\) is the logical NOT of e and that \(e+\overline{e}=2^t-1\).


Acknowledgements

This work is supported by EU COST action IC1204 “Trustworthy Manufacturing and Utilization of Secure Devices (TRUDEVICE)”.

Author information

Corresponding author: Apostolos P. Fournaris.


Copyright information

© 2017 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Fournaris, A.P. (2017). Fault and Power Analysis Attack Protection Techniques for Standardized Public Key Cryptosystems. In: Sklavos, N., Chaves, R., Di Natale, G., Regazzoni, F. (eds) Hardware Security and Trust. Springer, Cham. https://doi.org/10.1007/978-3-319-44318-8_5


  • DOI: https://doi.org/10.1007/978-3-319-44318-8_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-44316-4

  • Online ISBN: 978-3-319-44318-8
