We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byMartin Keetch
Modified over 2 years ago
CRT RSA Algorithm Protected Against Fault Attacks WISTP - 5/10/07 Arnaud BOSCHER Spansion EMEA Robert NACIRI Oberthur Card Systems Emmanuel PROUFF Oberthur Card Systems
2 © 2007 Spansion Inc. Agenda RSA and Physical Attacks Modular Exponentiation Algorithm Resistant against Physical Attacks CRT RSA Algorithm Resistant against Physical Attacks
3 © 2007 Spansion Inc. RSA and Physical Attacks
4 © 2007 Spansion Inc. RSA Algorithm Public key: – Modulus: N – Public Exponent: e Private key: – Modulus: N = p. q – Private Exponent: d = e -1 mod (p-1). (q-1) RSA Signature Generation: – S = M d mod N RSA Signature Verification: – Check M = S e mod N ?
5 © 2007 Spansion Inc. RSA Algorithm Using Chinese Remainder Theorem Private key CRT format: – Private Modulus: prime number p – Private Modulus: prime number q – Private Exponent: d p = e -1 mod p-1 – Private Exponent: d q = e -1 mod q-1 – Value : A = p -1 mod q RSA Signature using CRT: – S p = M d p mod p – S q = M d q mod q – S = ((S q - S p ). A mod q). p + S p
6 © 2007 Spansion Inc. Right-to-Left Modular Exponentation Input: M, d = (d n−1,..., d 0 ) 2, N Output: M d mod N S ← 1 A ← M For i from 0 to n − 1 do – If d i = 1 then S ← S. A mod N – A ← A 2 mod N Return (S)
7 © 2007 Spansion Inc. Simple Power Analysis Measurement of power consumption when the embedded device executes RSA Modular Multiplication and Modular Square with different power consumptions: – 2 consecutive Modular Squares d i = 0 – Modular Multiplication followed by a Modular Square d i = 1 Classical Countermeasure: always perform a Modular Multiplication
8 © 2007 Spansion Inc. Fault Analysis and Differential Fault Analysis Make external perturbation when the embedded device executes RSA to get an erroneous result DFA on CRT RSA: – S p ’ = M d p mod p + ε – S q = M d q mod q – S’ = ((S q - S p ’). A mod q). p + S p ’ –Gcd(S’ e mod N - M, N) = q Classical Countermeasures: – perform twice the signature – check it with the public exponent (if known)
9 © 2007 Spansion Inc. Safe-Errors Attacks Other kind of Fault Attacks Countermeasure against SPA weakness w.r.t Fault Attacks Attack the multiplication : – Final result correct dummy multiplication exponent bit was 0 – Final result wrong real multiplication exponent bit was 1 Retrieve the whole secret exponent bit by bit Difficult to counteract SPA and FA together
10 © 2007 Spansion Inc. Modular Exponentiation Resistant to Simple Power Analysis and Fault Attacks
11 © 2007 Spansion Inc. SPA-Resistant Modular Exponentiation Algorithm Starting from the SPA-resistant algorithm: Input: M, d = (d n−1,..., d 0 ) 2, N Output: M d mod N S ← 1 S ← 1 A ← M For i from 0 to n − 1 do – If d i = 1 then S ← S. A mod N – If d i = 0 then S ← S · A mod N – A ← A 2 mod N Return (S)
12 © 2007 Spansion Inc. Observations Loop of the algorithm: – For i from 0 to n − 1 do If d i = 1 then S ← S.A mod N If d i = 0 then S ← S.A mod N A ← A 2 mod N A is independent of the exponent d : A = M 2 n mod N S is the result of the modular exponentiation of M by not(d) = 2 n -d-1 : S = M 2 n -d-1 mod N At every step, we have the following relation: M. S. S = A mod N
13 © 2007 Spansion Inc. SPA/FA-Resistant Right-to-Left Modular Exponentiation Input: M, d = (d n−1,..., d 0 ) 2,N Output: M d mod N or ”Error” S ← 1 S ← 1 A ← M For i from 0 to n − 1 do – S[d i ] ← S[d i ] · A mod N – A ← A 2 mod N If (M. S. S = A mod N) then Return (S) Else Return (”Error”)
14 © 2007 Spansion Inc. Algorithm Analysis Cost : 2 modular multiplications compared to the SPA version Resistance against SPA: always a multiplication before a square. Security proof against DFA and Safe-Errors Attacks in the following Attacker Model : – Can only perform one fault – Can make any modification ε on any variable X’ = X + ε
15 © 2007 Spansion Inc. Security Proof Algorithm divided in finite states that corresponds to single steps computation: S: 1 M d 0 M d 1.2+d 0 … M d Fault Attack between two computations in S: 1 … M (d i-1, …, d 0 ) 2 M (d i, …, d 0 ) 2 + ε … M d + ε’ Final result : S’ = M d + ε. (M 2 i ) (d n, …, d i+1 ) 2 Equality doesn’t hold: S’. S. M ≠ M 2 n if ε ≠ 0 Same behavior for S
16 © 2007 Spansion Inc. Security Proof: the A variable case Error on variable A also impacts S and S Error needs to be written in a multiplicative way: A’ = A + ε = A. β A’ = M 2 n. β 2 n-i S. S. M = M 2 n. β 2 n-i-1 Equality doesn’t hold: S. S. M ≠ A’ if β ≠ 1, i.e. if ε ≠ 0
17 © 2007 Spansion Inc. CRT RSA Resistant to Fault Attacks
18 © 2007 Spansion Inc. FA-Resistant CRT-RSA Having a DFA-resistant exponentiation is not enough to have a DFA-resistant CRT RSA: – recombination step can be attacked Involve all the variables of the DFA-resistant exponentiation algorithm to protect the recombination SPA/DFA-resistant exponentiation algorithm outputs: – (S1, S2, T) ← (M d, M not(d), M 2 n ) Perform 3 recombinations and make final check
19 © 2007 Spansion Inc. FA-Resistant CRT-RSA Signature Input: M, p, q, d p, d q, A, and b the bit-length of p and q Output: S or ”Error” (S1 p, S2 p, T p ) ← (M d p mod p, M 2 b −d p −1 mod p, M 2 b mod p) (S1 q, S2 q, T q ) ← (M d q mod q, M 2 b −d q −1 mod q, M 2 b mod q) S1 ← ((S1 q − S1 p ) · A mod q) · p + S1 p S2 ← ((S2 q − S2 p ) · A mod q) · p + S2 p T ← ((T q − T p ) · A mod q) · p + T p If (M · S1 · S2 = T mod N) then Return (S1) Else Return (”Error”)
20 © 2007 Spansion Inc. Correctness of the algorithm Result of the 3 recombinations: S1 = ((S1 q − S1 p ) · A mod q) · p + S1 p = M d mod N S2 = ((S2 q − S2 p ) · A mod q) · p + S2 p = M 2 b -d-1 mod N T = ((T q − T p ) · A mod q) · p + T p = M 2 b mod N Equality holds: M · S1 · S2 = T mod N
21 © 2007 Spansion Inc. Algorithm Analysis Cost: 2 additional recombinations Memory occupation larger : alternative solution with less memory overhead proposed in the paper – detects an error with some probability
22 © 2007 Spansion Inc. Conclusion New modular exponentiation algorithm resistant against SPA/DFA Proof of security in a realistic fault model Suitable for low cost devices Can be used to construct SPA/DFA-resistant CRT RSA signature algorithm Can be adapted to compute SPA/DFA-resistant scalar multiplication for elliptic curve cryptography
23 © 2007 Spansion Inc. THANK YOU FOR YOUR ATTENTION
25 © 2007 Spansion Inc. Trademark Attribution Spansion, the Spansion Logo, MirrorBit, HD-SIM, ORNAND, and combinations thereof are trademarks of Spansion LLC. Other names used in this presentation are for informational purposes only and may be trademarks of their respective owners.
25 seconds left….. 24 seconds left….. 23 seconds left…..
Jeopardy Topic 1Topic Q 1Q 6Q 11Q 16Q 21 Q 2Q 7Q 12Q 17Q 22 Q 3Q 8Q 13Q 18Q 23 Q 4Q 9Q 14Q 19Q 24 Q 5Q 10Q 15Q 20Q 25 Final Jeopardy.
We will resume in: 25 Minutes We will resume in: 24 Minutes.
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
WEEK 1 You have 10 seconds to name…
Addition 1’s to
1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.
Addition Facts = = =
Title Subtitle 1. A. B. C. C. * D. Click to try again! INCORRECT.
1 Chapter 4 The while loop and boolean operators Samuel Marateck ©2010.
Squares and Square Root WALK. Solve each problem REVIEW:
GG Consulting, LLC I-SUITE. Source: TEA SHARS Frequently asked questions 2.
Chapter 5 Test Review Sections 5-1 through 5-4. Simplify each expression. 1)2) 3)4) 5) 6)
1 Decidability continued…. 2 Theorem: For a recursively enumerable language it is undecidable to determine whether is finite Proof: We will reduce the.
TWO STEP EQUATIONS 1. SOLVE FOR X 3. DIVIDE BY THE NUMBER IN FRONT OF THE VARIABLE 2. DO THE ADDITION STEP FIRST.
Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.
Randomized Signed-Scalar Multiplication of ECC to Resist Power Attacks JaeCheol Ha * and SangJae Moon ** * Korea Nazarene University **
ABC Technology Project Mrs. Kiddle. ABCs of Technology Word 1 Word 2 Word 3 Word 4 Word 5 Word 6 Word 7 Word 8 Word 9 Word 19 Word 20 Word 21 Word 22.
Copyright © 2007 Pearson Education, Inc. Slide R-2 Chapter R: Reference: Basic Algebraic Concepts R.1Review of Exponents and Polynomials R.2Review of.
Business Transaction Management Software for Application Coordination 1 Business Processes and Coordination.
Factors, Primes & Composite Numbers by Monica Yuskaitis.
By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.
Chapter 8 Introduction to Number Theory. 2 Contents Prime Numbers Fermats and Eulers Theorems.
Copyright © 2010 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin Simple Linear Regression Analysis Chapter 13.
Copyright © 2007 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Digital Lessons on Factoring.
A SMALL TRUTH TO MAKE LIFE 100%. If A B C D E F G H I J K L M N O P Q R S T U V W X Y Z is equal to
Copyright © 2010 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin Multiple Regression and Model Building Chapter 14.
You have been given a mission and a code. Use the code to complete the mission and you will save the world from obliteration…
FACTORING REVIEW EXAMPLES 1. Factor x 2 + 3x – 4Solve x 2 + 3x – 4 = 0 Graph Y 1 = x 2 + 3x – 4 Find x-intercepts What _____× _____ = – 4 and _____+ _____.
Slide 5-1 Copyright © 2003 Pearson Education, Inc. Figure: Computer Science an overview EDITION 7 J. Glenn Brookshear.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Sandrine AGAGLIATE, FTFC Power Consumption Analysis and Cryptography S. Agagliate Canal+Technologies P. Guillot Canal+Technologies O. Orcières Thalès.
Cryptography. Cryptography is concerned with keeping communications private. Today governments use sophisticated methods of coding and decoding messages.
1 Unit 1 Kinematics Chapter 1 Day
Cryptography and Network Security Chapter 9 Fourth Edition by William Stallings Lecture slides by Lawrie Brown modified by S. KONDAKCI.
©2007 First Wave Consulting, LLC A better way to do business. Period This is definitely NOT your father’s standard operating procedure.
MULT. INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
1 Chapter 1 The Study of Body Function Image PowerPoint Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 5 Author: Julia Richards and R. Scott Hawley.
Anaïs GUIGNARD LURPA, ENS Cachan Validation of logic controllers from event observation in a closed-loop system Réunion VACSIM - 14 Octobre 2014.
SIMOCODE-DP Software. Automation and Drives SIMOCODE-DP 3UF5 08/04 2 Protection Control Logic Communication SIMOCODE Software Communication Protection.
Advanced Information Security 6 SIDE CHANNEL ATTACKS Dr. Turki F. Al-Somani 2015.
STATISTICS Sampling and Sampling Distributions Professor Ke-Sheng Cheng Department of Bioenvironmental Systems Engineering National Taiwan University.
1 RSA. 2 Prime Numbers An integer p is a prime number if it has no factors other than 1 and itself. An integer which is greater than 1 and not a prime.
1 4 Square Questions B A D C Look carefully to the diagram Now I will ask you 4 questions about this square. Are you ready?
“Start-to-End” Simulations Imaging of Single Molecules at the European XFEL Igor Zagorodnov S2E Meeting DESY 10. February 2014.
SUBTRACTING INTEGERS 1. CHANGE THE SUBTRACTION SIGN TO ADDITION 2. TAKE THE INVERSE OF THE SECOND NUMBER 3. FOLLOW THE RULES FOR ADDITION 4. ADD THE OPPOSITE.
© 2016 SlidePlayer.com Inc. All rights reserved.