ABSTRACT
This paper considers a secure and practical CRT-based RSA signature implementation that resists both side-channel attacks (including power analysis, timing attacks and, most notably, the recent MRED attack) and the various CRT-based fault attacks. Moreover, the proposed countermeasure resists the C safe-error attack, which can be mounted against many existing countermeasures that are otherwise sound. To resist side-channel attacks, a special design of random message blinding is employed. In addition, a countermeasure based on the idea of fault diffusion is developed to protect the implementation against the powerful CRT-based fault attacks.
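As an added illustration that is not code from the paper, the following shows the CRT fault scenario the abstract refers to: a transient fault in one half-exponentiation yields a signature that is correct modulo one prime and wrong modulo the other, so a gcd against a correct signature exposes a factor of N. The key is a constructed toy key, and the guard shown is plain signature verification before release, not the paper's fault-diffusion countermeasure.

```python
from math import gcd

# Constructed toy RSA-CRT key: tiny primes for illustration only, not a real key.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)           # private exponent (Python 3.8+ modular inverse)
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)          # Garner recombination constant q^-1 mod p


def crt_sign(m, fault_in_p=False):
    """CRT-RSA signature m^D mod N from two half-size exponentiations.

    fault_in_p simulates a transient fault that corrupts the mod-p half
    after it has been computed (the mod-q half stays correct)."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_p:
        sp ^= 1               # flip one bit of the intermediate result
    h = (QINV * (sp - sq)) % P
    return sq + h * Q         # Garner: s = sp (mod P) and s = sq (mod Q)


def factor_from_faulty_signature(s_good, s_bad):
    """Why an unchecked faulty signature is fatal: s_good and s_bad agree
    modulo Q but differ modulo P, so gcd(s_good - s_bad, N) is exactly Q."""
    return gcd(s_good - s_bad, N)


def checked_sign(m, fault_in_p=False):
    """Generic guard: re-verify the signature with the public key and
    withhold it on mismatch, so a faulted result never leaves the device."""
    s = crt_sign(m, fault_in_p)
    if pow(s, E, N) != m % N:
        return None           # fault detected, nothing released
    return s


if __name__ == "__main__":
    m = 123456789             # constructed message representative, m < N
    good, bad = crt_sign(m), crt_sign(m, fault_in_p=True)
    print("gcd recovers Q:", factor_from_faulty_signature(good, bad) == Q)
    print("checked signer withholds faulty result:", checked_sign(m, True) is None)
```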