# CRT RSA Algorithm Protected Against Fault Attacks

WISTP, 5/10/07. Arnaud Boscher (Spansion EMEA), Robert Naciri (Oberthur Card Systems), Emmanuel Prouff (Oberthur Card Systems).



## Slide 2: Agenda

© 2007 Spansion Inc.

- RSA and Physical Attacks
- Modular Exponentiation Algorithm Resistant against Physical Attacks
- CRT RSA Algorithm Resistant against Physical Attacks

## Slide 3: RSA and Physical Attacks

## Slide 4: RSA Algorithm

Public key:
- Modulus: $N$
- Public exponent: $e$

Private key:
- Modulus: $N = p \cdot q$
- Private exponent: $d = e^{-1} \bmod (p-1)(q-1)$

RSA signature generation: $S = M^d \bmod N$

RSA signature verification: check $M = S^e \bmod N$?

## Slide 5: RSA Algorithm Using the Chinese Remainder Theorem

Private key in CRT format:
- Private modulus: prime number $p$
- Private modulus: prime number $q$
- Private exponent: $d_p = e^{-1} \bmod (p-1)$
- Private exponent: $d_q = e^{-1} \bmod (q-1)$
- Value: $A = p^{-1} \bmod q$

RSA signature using CRT:
- $S_p = M^{d_p} \bmod p$
- $S_q = M^{d_q} \bmod q$
- $S = ((S_q - S_p) \cdot A \bmod q) \cdot p + S_p$

## Slide 6: Right-to-Left Modular Exponentiation

Input: $M$, $d = (d_{n-1}, \ldots, d_0)_2$, $N$
Output: $M^d \bmod N$

- $S \leftarrow 1$
- $A \leftarrow M$
- For $i$ from $0$ to $n-1$ do
  - If $d_i = 1$ then $S \leftarrow S \cdot A \bmod N$
  - $A \leftarrow A^2 \bmod N$
- Return $(S)$

## Slide 7: Simple Power Analysis

Measurement of the power consumption while the embedded device executes RSA.

Modular multiplication and modular square have different power consumptions:
- 2 consecutive modular squares ⇒ $d_i = 0$
- Modular multiplication followed by a modular square ⇒ $d_i = 1$

Classical countermeasure: always perform a modular multiplication.

## Slide 8: Fault Analysis and Differential Fault Analysis

Make an external perturbation while the embedded device executes RSA, to obtain an erroneous result.

DFA on CRT RSA:
- $S_p' = M^{d_p} \bmod p + \varepsilon$
- $S_q = M^{d_q} \bmod q$
- $S' = ((S_q - S_p') \cdot A \bmod q) \cdot p + S_p'$
- $\gcd(S'^e \bmod N - M,\ N) = q$

Classical countermeasures:
- perform the signature twice
- check it with the public exponent (if known)

## Slide 9: Safe-Error Attacks

Another kind of fault attack: the countermeasure against SPA ⇒ weakness w.r.t. fault attacks.

Attack the multiplication:
- Final result correct ⇒ dummy multiplication ⇒ exponent bit was 0
- Final result wrong ⇒ real multiplication ⇒ exponent bit was 1

Retrieve the whole secret exponent bit by bit.

Difficult to counteract SPA and FA together.

## Slide 10: Modular Exponentiation Resistant to Simple Power Analysis and Fault Attacks

## Slide 11: SPA-Resistant Modular Exponentiation Algorithm

Starting from the SPA-resistant algorithm:

Input: $M$, $d = (d_{n-1}, \ldots, d_0)_2$, $N$
Output: $M^d \bmod N$

- $S[0] \leftarrow 1$
- $S[1] \leftarrow 1$
- $A \leftarrow M$
- For $i$ from $0$ to $n-1$ do
  - If $d_i = 1$ then $S[0] \leftarrow S[0] \cdot A \bmod N$
  - If $d_i = 0$ then $S[1] \leftarrow S[1] \cdot A \bmod N$
  - $A \leftarrow A^2 \bmod N$
- Return $(S[0])$

## Slide 12: Observations

Loop of the algorithm:
- For $i$ from $0$ to $n-1$ do
  - If $d_i = 1$ then $S[0] \leftarrow S[0] \cdot A \bmod N$
  - If $d_i = 0$ then $S[1] \leftarrow S[1] \cdot A \bmod N$
  - $A \leftarrow A^2 \bmod N$

$A$ is independent of the exponent $d$: $A = M^{2^n} \bmod N$

$S[1]$ is the result of the modular exponentiation of $M$ by $\mathrm{not}(d) = 2^n - d - 1$: $S[1] = M^{2^n - d - 1} \bmod N$

At every step, we have the following relation: $M \cdot S[0] \cdot S[1] = A \bmod N$

## Slide 13: SPA/FA-Resistant Right-to-Left Modular Exponentiation

Input: $M$, $d = (d_{n-1}, \ldots, d_0)_2$, $N$
Output: $M^d \bmod N$ or "Error"

- $S[0] \leftarrow 1$
- $S[1] \leftarrow 1$
- $A \leftarrow M$
- For $i$ from $0$ to $n-1$ do
  - $S[d_i] \leftarrow S[d_i] \cdot A \bmod N$
  - $A \leftarrow A^2 \bmod N$
- If $(M \cdot S[0] \cdot S[1] = A \bmod N)$ then Return $(S[0])$
- Else Return ("Error")

## Slide 14: Algorithm Analysis

Cost: 2 extra modular multiplications compared to the SPA version.

Resistance against SPA: always a multiplication before a square.

Security proof against DFA and safe-error attacks in the following attacker model:
- Can only perform one fault
- Can make any modification $\varepsilon$ on any variable: $X' = X + \varepsilon$

## Slide 15: Security Proof

The algorithm is divided into finite states that correspond to single computation steps:

$S[0]$: $1 \rightarrow M^{d_0} \rightarrow M^{d_1 \cdot 2 + d_0} \rightarrow \ldots \rightarrow M^d$

Fault attack between two computations in $S[0]$:

$1 \rightarrow \ldots \rightarrow M^{(d_{i-1}, \ldots, d_0)_2} \rightarrow M^{(d_i, \ldots, d_0)_2} + \varepsilon \rightarrow \ldots \rightarrow M^d + \varepsilon'$

Final result: $S'[0] = M^d + \varepsilon \cdot (M^{2^i})^{(d_n, \ldots, d_{i+1})_2}$

Equality doesn't hold: $S'[0] \cdot S[1] \cdot M \neq M^{2^n}$ if $\varepsilon \neq 0$

Same behavior for $S[1]$.

## Slide 16: Security Proof: the $A$ Variable Case

An error on variable $A$ also impacts $S[0]$ and $S[1]$.

The error needs to be written in a multiplicative way: $A' = A + \varepsilon = A \cdot \beta$

$A' = M^{2^n} \cdot \beta^{2^{n-i}}$

$S[0] \cdot S[1] \cdot M = M^{2^n} \cdot \beta^{2^{n-i} - 1}$

Equality doesn't hold: $S[0] \cdot S[1] \cdot M \neq A'$ if $\beta \neq 1$, i.e. if $\varepsilon \neq 0$

## Slide 17: CRT RSA Resistant to Fault Attacks

## Slide 18: FA-Resistant CRT-RSA

Having a DFA-resistant exponentiation is not enough to have a DFA-resistant CRT RSA:
- the recombination step can be attacked

Involve all the variables of the DFA-resistant exponentiation algorithm to protect the recombination.

The SPA/DFA-resistant exponentiation algorithm outputs:
- $(S1, S2, T) \leftarrow (M^d,\ M^{\mathrm{not}(d)},\ M^{2^n})$

Perform 3 recombinations and make a final check.

## Slide 19: FA-Resistant CRT-RSA Signature

Input: $M$, $p$, $q$, $d_p$, $d_q$, $A$, and $b$ the bit-length of $p$ and $q$
Output: $S$ or "Error"

- $(S1_p, S2_p, T_p) \leftarrow (M^{d_p} \bmod p,\ M^{2^b - d_p - 1} \bmod p,\ M^{2^b} \bmod p)$
- $(S1_q, S2_q, T_q) \leftarrow (M^{d_q} \bmod q,\ M^{2^b - d_q - 1} \bmod q,\ M^{2^b} \bmod q)$
- $S1 \leftarrow ((S1_q - S1_p) \cdot A \bmod q) \cdot p + S1_p$
- $S2 \leftarrow ((S2_q - S2_p) \cdot A \bmod q) \cdot p + S2_p$
- $T \leftarrow ((T_q - T_p) \cdot A \bmod q) \cdot p + T_p$
- If $(M \cdot S1 \cdot S2 = T \bmod N)$ then Return $(S1)$
- Else Return ("Error")
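The signature of slide 19 in working Python, as an added example that is not from the slides or the paper: the CRT key material of slide 5 is derived from $(p, q, d)$, the three per-prime values are recombined with the same Garner step, and the final check $M \cdot S1 \cdot S2 = T \bmod N$ decides between $S1$ and "Error". The per-prime exponentiations use plain `pow()` rather than the protected loop, so the example isolates the recombination and its check; the names (`crt_params`, `sign_crt_protected`, `fault`) and the toy key are this example's own, and `fault` injects one constructed +1 error on an intermediate to exercise the check.

```python
# Added example, not from the slides: the FA-resistant CRT-RSA signature of
# slide 19 (three recombinations, then the check M*S1*S2 == T mod N) built on
# the CRT key format of slide 5. Names (crt_params, sign_crt_protected, fault)
# are this example's own; `fault` simulates one +1 fault on an intermediate.
from typing import Optional, Tuple


def crt_params(p: int, q: int, d: int) -> Tuple[int, int, int, int]:
    """Slide 5 key material from (p, q, d): d_p, d_q, A = p^-1 mod q, and b."""
    dp, dq = d % (p - 1), d % (q - 1)
    A = pow(p, -1, q)                        # Python 3.8+: modular inverse
    b = max(p.bit_length(), q.bit_length())  # common bit-length of p and q
    return dp, dq, A, b


def sign_crt_protected(M: int, p: int, q: int, dp: int, dq: int, A: int, b: int,
                       fault: Optional[str] = None) -> Optional[int]:
    """Return S = M^d mod N, or None (the slide's "Error") if the check fails."""
    N = p * q
    # Per-prime triples (M^d, M^(2^b - d - 1), M^(2^b)) as on slide 19; plain
    # pow() stands in for the protected exponentiation of slide 13.
    Sp = [pow(M, dp, p), pow(M, (1 << b) - dp - 1, p), pow(M, 1 << b, p)]
    Sq = [pow(M, dq, q), pow(M, (1 << b) - dq - 1, q), pow(M, 1 << b, q)]
    if fault == "S1p":                       # constructed fault before recombination
        Sp[0] = (Sp[0] + 1) % p

    def recombine(xp: int, xq: int) -> int:  # ((x_q - x_p) * A mod q) * p + x_p
        return (((xq - xp) * A) % q) * p + xp

    S1, S2, T = (recombine(Sp[k], Sq[k]) for k in range(3))
    if fault == "S1":                        # constructed fault on a recombination output
        S1 = (S1 + 1) % N
    # Slide 20: S1 = M^d, S2 = M^(2^b - d - 1), T = M^(2^b) mod N, so M*S1*S2 == T
    if (M * S1 * S2) % N == T:
        return S1
    return None


if __name__ == "__main__":
    p, q, e, d = 61, 53, 17, 2753            # constructed toy RSA key, N = 3233
    dp, dq, A, b = crt_params(p, q, d)
    print(sign_crt_protected(65, p, q, dp, dq, A, b))               # == pow(65, d, 3233)
    print(sign_crt_protected(65, p, q, dp, dq, A, b, fault="S1p"))  # None
```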

## Slide 20: Correctness of the Algorithm

Result of the 3 recombinations:
- $S1 = ((S1_q - S1_p) \cdot A \bmod q) \cdot p + S1_p = M^d \bmod N$
- $S2 = ((S2_q - S2_p) \cdot A \bmod q) \cdot p + S2_p = M^{2^b - d - 1} \bmod N$
- $T = ((T_q - T_p) \cdot A \bmod q) \cdot p + T_p = M^{2^b} \bmod N$

Equality holds: $M \cdot S1 \cdot S2 = T \bmod N$

## Slide 21: Algorithm Analysis

Cost: 2 additional recombinations.

Larger memory occupation: an alternative solution with less memory overhead is proposed in the paper.
- It detects an error only with some probability.

## Slide 22: Conclusion

- New modular exponentiation algorithm resistant against SPA/DFA
- Proof of security in a realistic fault model
- Suitable for low-cost devices
- Can be used to construct an SPA/DFA-resistant CRT RSA signature algorithm
- Can be adapted to compute SPA/DFA-resistant scalar multiplication for elliptic curve cryptography