CRT RSA Algorithm Protected Against Fault Attacks WISTP - 5/10/07 Arnaud BOSCHER Spansion EMEA Robert NACIRI Oberthur Card Systems Emmanuel PROUFF Oberthur.

Slides:



Advertisements
Similar presentations
TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST
Advertisements

You have been given a mission and a code. Use the code to complete the mission and you will save the world from obliteration…
Chapter 8 Introduction to Number Theory. 2 Contents Prime Numbers Fermats and Eulers Theorems.
Using Matrices in Real Life
Chapter 1 The Study of Body Function Image PowerPoint
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 5 Author: Julia Richards and R. Scott Hawley.
1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.
By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.
Factors, Primes & Composite Numbers
Business Transaction Management Software for Application Coordination 1 Business Processes and Coordination.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Title Subtitle.
Chapter R: Reference: Basic Algebraic Concepts
Multiplying binomials You will have 20 seconds to answer each of the following multiplication problems. If you get hung up, go to the next problem when.
0 - 0.
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
MULTIPLICATION EQUATIONS 1. SOLVE FOR X 3. WHAT EVER YOU DO TO ONE SIDE YOU HAVE TO DO TO THE OTHER 2. DIVIDE BY THE NUMBER IN FRONT OF THE VARIABLE.
MULT. INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
Addition Facts
Year 6 mental test 5 second questions
RSA.
Modular Arithmetic Several important cryptosystems make use of modular arithmetic. This is when the answer to a calculation is always in the range 0 –
Public Key Cryptosystem
ZMQS ZMQS
PUBLIC KEY CRYPTOSYSTEMS Symmetric Cryptosystems 6/05/2014 | pag. 2.
Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Chapter 11: Models of Computation
Randomized Algorithms Randomized Algorithms CS648 1.
ABC Technology Project
Digital Lessons on Factoring
3 Logic The Study of What’s True or False or Somewhere in Between.
Copyright © 2013, 2009, 2005 Pearson Education, Inc.
1 University of Utah – School of Computing Computer Science 1021 "Thinking Like a Computer"
“Start-to-End” Simulations Imaging of Single Molecules at the European XFEL Igor Zagorodnov S2E Meeting DESY 10. February 2014.
©2007 First Wave Consulting, LLC A better way to do business. Period This is definitely NOT your father’s standard operating procedure.
Squares and Square Root WALK. Solve each problem REVIEW:
1 Chapter 4 The while loop and boolean operators Samuel Marateck ©2010.
Chapter 5 Test Review Sections 5-1 through 5-4.
GG Consulting, LLC I-SUITE. Source: TEA SHARS Frequently asked questions 2.
Public Key Cryptography INFSCI 1075: Network Security – Spring 2013 Amir Masoumzadeh.
Randomized Signed-Scalar Multiplication of ECC to Resist Power Attacks JaeCheol Ha * and SangJae Moon ** * Korea Nazarene University **
Addition 1’s to 20.
25 seconds left…...
U1A L1 Examples FACTORING REVIEW EXAMPLES.
Week 1.
We will resume in: 25 Minutes.
Copyright © 2012 Pearson Education, Inc. Chapter 12: Theory of Computation Computer Science: An Overview Eleventh Edition by J. Glenn Brookshear.
A SMALL TRUTH TO MAKE LIFE 100%
1 Unit 1 Kinematics Chapter 1 Day
Simple Linear Regression Analysis
Multiple Regression and Model Building
1 Complexity ©D.Moshkovitz Cryptography Where Complexity Finally Comes In Handy…
1 Decidability continued…. 2 Theorem: For a recursively enumerable language it is undecidable to determine whether is finite Proof: We will reduce the.
Delta-Oriented Testing for Finite State Machines
Cryptography and Network Security Chapter 9
Anaïs GUIGNARD LURPA, ENS Cachan Validation of logic controllers from event observation in a closed-loop system Réunion VACSIM - 14 Octobre 2014.
COMP 170 L2 Page 1 L06: The RSA Algorithm l Objective: n Present the RSA Cryptosystem n Prove its correctness n Discuss related issues.
Side-Channel Attacks on Smart Cards. Timing Analysis Cryptosystems take different amount of time to process different inputs. Performance optimisations.
SIDE CHANNEL ATTACKS Presented by: Vishwanath Patil Abhay Jalisatgi.
Tallinn University of Technology Quantum computer impact on public key cryptography Roman Stepanenko.
9th IMA Conference on Cryptography & Coding Dec 2003 More Detail for a Combined Timing and Power Attack against Implementations of RSA Werner Schindler.
Advanced Information Security 6 SIDE CHANNEL ATTACKS Dr. Turki F. Al-Somani 2015.
Introduction to Algorithms Second Edition by Cormen, Leiserson, Rivest & Stein Chapter 31.
Sandrine AGAGLIATE, FTFC Power Consumption Analysis and Cryptography S. Agagliate Canal+Technologies P. Guillot Canal+Technologies O. Orcières Thalès.
Enhanced Doublng Attacks on Signed-All-Bits Set Recoding 1 Graduate School of Information Management and Security, Korea University, Korea
Introduction to Elliptic Curve Cryptography CSCI 5857: Encoding and Encryption.
Advanced Information Security 6 Side Channel Attacks
Presentation transcript:

CRT RSA Algorithm Protected Against Fault Attacks WISTP - 5/10/07 Arnaud BOSCHER Spansion EMEA Robert NACIRI Oberthur Card Systems Emmanuel PROUFF Oberthur Card Systems

2 © 2007 Spansion Inc. Agenda RSA and Physical Attacks Modular Exponentiation Algorithm Resistant against Physical Attacks CRT RSA Algorithm Resistant against Physical Attacks

3 © 2007 Spansion Inc. RSA and Physical Attacks

4 © 2007 Spansion Inc. RSA Algorithm Public key: – Modulus: N – Public Exponent: e Private key: – Modulus: N = p. q – Private Exponent: d = e -1 mod (p-1). (q-1) RSA Signature Generation: – S = M d mod N RSA Signature Verification: – Check M = S e mod N ?

5 © 2007 Spansion Inc. RSA Algorithm Using Chinese Remainder Theorem Private key CRT format: – Private Modulus: prime number p – Private Modulus: prime number q – Private Exponent: d p = e -1 mod p-1 – Private Exponent: d q = e -1 mod q-1 – Value : A = p -1 mod q RSA Signature using CRT: – S p = M d p mod p – S q = M d q mod q – S = ((S q - S p ). A mod q). p + S p

6 © 2007 Spansion Inc. Right-to-Left Modular Exponentation Input: M, d = (d n−1,..., d 0 ) 2, N Output: M d mod N S ← 1 A ← M For i from 0 to n − 1 do – If d i = 1 then S ← S. A mod N – A ← A 2 mod N Return (S)

7 © 2007 Spansion Inc. Simple Power Analysis Measurement of power consumption when the embedded device executes RSA Modular Multiplication and Modular Square with different power consumptions: – 2 consecutive Modular Squares  d i = 0 – Modular Multiplication followed by a Modular Square  d i = 1 Classical Countermeasure: always perform a Modular Multiplication

8 © 2007 Spansion Inc. Fault Analysis and Differential Fault Analysis Make external perturbation when the embedded device executes RSA to get an erroneous result DFA on CRT RSA: – S p ’ = M d p mod p + ε – S q = M d q mod q – S’ = ((S q - S p ’). A mod q). p + S p ’ –Gcd(S’ e mod N - M, N) = q Classical Countermeasures: – perform twice the signature – check it with the public exponent (if known)

9 © 2007 Spansion Inc. Safe-Errors Attacks Other kind of Fault Attacks Countermeasure against SPA  weakness w.r.t Fault Attacks Attack the multiplication : – Final result correct  dummy multiplication  exponent bit was 0 – Final result wrong  real multiplication  exponent bit was 1 Retrieve the whole secret exponent bit by bit Difficult to counteract SPA and FA together

10 © 2007 Spansion Inc. Modular Exponentiation Resistant to Simple Power Analysis and Fault Attacks

11 © 2007 Spansion Inc. SPA-Resistant Modular Exponentiation Algorithm Starting from the SPA-resistant algorithm: Input: M, d = (d n−1,..., d 0 ) 2, N Output: M d mod N S[0] ← 1 S[1] ← 1 A ← M For i from 0 to n − 1 do – If d i = 1 then S[0] ← S[0]. A mod N – If d i = 0 then S[1] ← S[1] · A mod N – A ← A 2 mod N Return (S[0])

12 © 2007 Spansion Inc. Observations Loop of the algorithm: – For i from 0 to n − 1 do If d i = 1 then S[0] ← S[0].A mod N If d i = 0 then S[1] ← S[1].A mod N A ← A 2 mod N A is independent of the exponent d : A = M 2 n mod N S[1] is the result of the modular exponentiation of M by not(d) = 2 n -d-1 : S[1] = M 2 n -d-1 mod N At every step, we have the following relation: M. S[0]. S[1] = A mod N

13 © 2007 Spansion Inc. SPA/FA-Resistant Right-to-Left Modular Exponentiation Input: M, d = (d n−1,..., d 0 ) 2,N Output: M d mod N or ”Error” S[0] ← 1 S[1] ← 1 A ← M For i from 0 to n − 1 do – S[d i ] ← S[d i ] · A mod N – A ← A 2 mod N If (M. S[0]. S[1] = A mod N) then Return (S[0]) Else Return (”Error”)

14 © 2007 Spansion Inc. Algorithm Analysis Cost : 2 modular multiplications compared to the SPA version Resistance against SPA: always a multiplication before a square. Security proof against DFA and Safe-Errors Attacks in the following Attacker Model : – Can only perform one fault – Can make any modification ε on any variable X’ = X + ε

15 © 2007 Spansion Inc. Security Proof Algorithm divided in finite states that corresponds to single steps computation: S[0]: 1  M d 0  M d 1.2+d 0  …  M d Fault Attack between two computations in S[0]: 1  …  M (d i-1, …, d 0 ) 2  M (d i, …, d 0 ) 2 + ε  …  M d + ε’ Final result : S’[0] = M d + ε. (M 2 i ) (d n, …, d i+1 ) 2 Equality doesn’t hold: S’[0]. S[1]. M ≠ M 2 n if ε ≠ 0 Same behavior for S[1]

16 © 2007 Spansion Inc. Security Proof: the A variable case Error on variable A also impacts S[0] and S[1] Error needs to be written in a multiplicative way: A’ = A + ε = A. β A’ = M 2 n. β 2 n-i S[0]. S[1]. M = M 2 n. β 2 n-i-1 Equality doesn’t hold: S[0]. S[1]. M ≠ A’ if β ≠ 1, i.e. if ε ≠ 0

17 © 2007 Spansion Inc. CRT RSA Resistant to Fault Attacks

18 © 2007 Spansion Inc. FA-Resistant CRT-RSA Having a DFA-resistant exponentiation is not enough to have a DFA-resistant CRT RSA: – recombination step can be attacked Involve all the variables of the DFA-resistant exponentiation algorithm to protect the recombination SPA/DFA-resistant exponentiation algorithm outputs: – (S1, S2, T) ← (M d, M not(d), M 2 n ) Perform 3 recombinations and make final check

19 © 2007 Spansion Inc. FA-Resistant CRT-RSA Signature Input: M, p, q, d p, d q, A, and b the bit-length of p and q Output: S or ”Error” (S1 p, S2 p, T p ) ← (M d p mod p, M 2 b −d p −1 mod p, M 2 b mod p) (S1 q, S2 q, T q ) ← (M d q mod q, M 2 b −d q −1 mod q, M 2 b mod q) S1 ← ((S1 q − S1 p ) · A mod q) · p + S1 p S2 ← ((S2 q − S2 p ) · A mod q) · p + S2 p T ← ((T q − T p ) · A mod q) · p + T p If (M · S1 · S2 = T mod N) then Return (S1) Else Return (”Error”)

20 © 2007 Spansion Inc. Correctness of the algorithm Result of the 3 recombinations: S1 = ((S1 q − S1 p ) · A mod q) · p + S1 p = M d mod N S2 = ((S2 q − S2 p ) · A mod q) · p + S2 p = M 2 b -d-1 mod N T = ((T q − T p ) · A mod q) · p + T p = M 2 b mod N Equality holds: M · S1 · S2 = T mod N

21 © 2007 Spansion Inc. Algorithm Analysis Cost: 2 additional recombinations Memory occupation larger : alternative solution with less memory overhead proposed in the paper – detects an error with some probability

22 © 2007 Spansion Inc. Conclusion New modular exponentiation algorithm resistant against SPA/DFA Proof of security in a realistic fault model Suitable for low cost devices Can be used to construct SPA/DFA-resistant CRT RSA signature algorithm Can be adapted to compute SPA/DFA-resistant scalar multiplication for elliptic curve cryptography

23 © 2007 Spansion Inc. THANK YOU FOR YOUR ATTENTION

25 © 2007 Spansion Inc. Trademark Attribution Spansion, the Spansion Logo, MirrorBit, HD-SIM, ORNAND, and combinations thereof are trademarks of Spansion LLC. Other names used in this presentation are for informational purposes only and may be trademarks of their respective owners.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.