Abstract
Nowadays, RSA with the Chinese Remainder Theorem (CRT) is widely used in practical applications. However, there is a very powerful attack against it: a fault injected during one of its two exponentiations. Many countermeasures have been proposed, but almost all of them have been shown to be insecure. In 2005, two new countermeasures were proposed. However, they still have a weakness: the final signature is stored in memory after CRT combination, and the error-check routine runs only after CRT combination. Therefore, if an attacker can mount a double-fault attack, injecting the first fault during one of the exponentiations and the second to skip the error-checking routine, then he can succeed in breaking RSA. In this paper, we show that this can be done, with concrete results obtained using a glitch attack, and propose a simple and almost cost-free method to defeat it.
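The following Python model is an added illustration of the mechanism the abstract describes; it is not code from the paper and does not implement the authors' countermeasure. It uses constructed toy primes (far too small for real use) and an assumed fault model in which one half-exponentiation result is corrupted. It shows why the verify-after-combination check matters: with the check in place a faulted signature is never output, and if the check is skipped the faulty signature alone reveals a prime factor of the modulus.

```python
from math import gcd

# Constructed toy parameters: both are prime, chosen small so the arithmetic
# is readable. A real key would use primes of 1024 bits or more.
P, Q = 10007, 10009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# CRT pre-computation as a smart card would store it alongside the key.
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)


def crt_sign(m, fault_in_p=False):
    """Compute S = m^D mod N via CRT (two half-size exponentiations plus Garner
    recombination). fault_in_p simulates a glitch that corrupts the result of
    the exponentiation modulo p, leaving the modulo-q half intact."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_p:
        sp = (sp + 1) % P  # assumed fault model: S_p is disturbed by one
    h = (QINV * (sp - sq)) % P
    return sq + h * Q  # Garner recombination, result in [0, N)


def verify(m, s):
    """Public-key check of a signature: S^e must equal m modulo N."""
    return pow(s, E, N) == m


def sign_checked(m, fault_in_p=False, skip_check=False):
    """The countermeasure pattern discussed in the abstract: the combined
    signature is verified before it leaves the device. skip_check models the
    second fault, which bypasses the error-check routine."""
    s = crt_sign(m, fault_in_p)
    if not skip_check and not verify(m, s):
        return None  # fault detected: output nothing
    return s


def leaked_factor(m, faulty_s):
    """What a single faulty signature reveals once it is released: because the
    faulty S' is still correct modulo q, S'^e - m is divisible by q but not by
    p, so the gcd with N is a prime factor. For a correct signature the
    difference is 0 and the gcd is simply N (nothing leaks)."""
    return gcd((pow(faulty_s, E, N) - m) % N, N)


if __name__ == "__main__":
    m = 123456  # constructed message representative, 0 <= m < N
    print("correct signature verifies:", verify(m, sign_checked(m)))
    print("faulted run with check:", sign_checked(m, fault_in_p=True))
    bad = sign_checked(m, fault_in_p=True, skip_check=True)
    print("faulted run, check skipped, leaks factor:", leaked_factor(m, bad))
```

Run as a script it shows the check turning a faulted run into a refused signature, and the same faulted run with the check bypassed yielding the factor q of N. Note that the check in this model is a single branch after CRT combination, which is exactly the point the abstract makes: a second fault that skips that branch is enough.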
© 2007 IFIP International Federation for Information Processing
Cite this paper
Kim, C.H., Quisquater, JJ. (2007). Fault Attacks for CRT Based RSA: New Attacks, New Results, and New Countermeasures. In: Sauveron, D., Markantonakis, K., Bilas, A., Quisquater, JJ. (eds) Information Security Theory and Practices. Smart Cards, Mobile and Ubiquitous Computing Systems. WISTP 2007. Lecture Notes in Computer Science, vol 4462. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-72354-7_18
DOI: https://doi.org/10.1007/978-3-540-72354-7_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-72353-0
Online ISBN: 978-3-540-72354-7