Presentation is loading. Please wait.

Presentation is loading. Please wait.

CRT RSA Algorithm Protected Against Fault Attacks WISTP - 5/10/07 Arnaud BOSCHER Spansion EMEA Robert NACIRI Oberthur Card Systems Emmanuel PROUFF Oberthur.

Published byMartin Keetch Modified over 10 years ago

Similar presentations

Presentation on theme: "CRT RSA Algorithm Protected Against Fault Attacks WISTP - 5/10/07 Arnaud BOSCHER Spansion EMEA Robert NACIRI Oberthur Card Systems Emmanuel PROUFF Oberthur."— Presentation transcript:

1 CRT RSA Algorithm Protected Against Fault Attacks WISTP - 5/10/07 Arnaud BOSCHER Spansion EMEA Robert NACIRI Oberthur Card Systems Emmanuel PROUFF Oberthur Card Systems

2 2 © 2007 Spansion Inc. Agenda RSA and Physical Attacks Modular Exponentiation Algorithm Resistant against Physical Attacks CRT RSA Algorithm Resistant against Physical Attacks

3 3 © 2007 Spansion Inc. RSA and Physical Attacks

4 4 © 2007 Spansion Inc. RSA Algorithm Public key: – Modulus: N – Public Exponent: e Private key: – Modulus: N = p. q – Private Exponent: d = e -1 mod (p-1). (q-1) RSA Signature Generation: – S = M d mod N RSA Signature Verification: – Check M = S e mod N ?

5 5 © 2007 Spansion Inc. RSA Algorithm Using Chinese Remainder Theorem Private key CRT format: – Private Modulus: prime number p – Private Modulus: prime number q – Private Exponent: d p = e -1 mod p-1 – Private Exponent: d q = e -1 mod q-1 – Value : A = p -1 mod q RSA Signature using CRT: – S p = M d p mod p – S q = M d q mod q – S = ((S q - S p ). A mod q). p + S p

6 6 © 2007 Spansion Inc. Right-to-Left Modular Exponentation Input: M, d = (d n−1,..., d 0 ) 2, N Output: M d mod N S ← 1 A ← M For i from 0 to n − 1 do – If d i = 1 then S ← S. A mod N – A ← A 2 mod N Return (S)

7 7 © 2007 Spansion Inc. Simple Power Analysis Measurement of power consumption when the embedded device executes RSA Modular Multiplication and Modular Square with different power consumptions: – 2 consecutive Modular Squares  d i = 0 – Modular Multiplication followed by a Modular Square  d i = 1 Classical Countermeasure: always perform a Modular Multiplication

8 8 © 2007 Spansion Inc. Fault Analysis and Differential Fault Analysis Make external perturbation when the embedded device executes RSA to get an erroneous result DFA on CRT RSA: – S p ’ = M d p mod p + ε – S q = M d q mod q – S’ = ((S q - S p ’). A mod q). p + S p ’ –Gcd(S’ e mod N - M, N) = q Classical Countermeasures: – perform twice the signature – check it with the public exponent (if known)

9 9 © 2007 Spansion Inc. Safe-Errors Attacks Other kind of Fault Attacks Countermeasure against SPA  weakness w.r.t Fault Attacks Attack the multiplication : – Final result correct  dummy multiplication  exponent bit was 0 – Final result wrong  real multiplication  exponent bit was 1 Retrieve the whole secret exponent bit by bit Difficult to counteract SPA and FA together

10 10 © 2007 Spansion Inc. Modular Exponentiation Resistant to Simple Power Analysis and Fault Attacks

11 11 © 2007 Spansion Inc. SPA-Resistant Modular Exponentiation Algorithm Starting from the SPA-resistant algorithm: Input: M, d = (d n−1,..., d 0 ) 2, N Output: M d mod N S[0] ← 1 S[1] ← 1 A ← M For i from 0 to n − 1 do – If d i = 1 then S[0] ← S[0]. A mod N – If d i = 0 then S[1] ← S[1] · A mod N – A ← A 2 mod N Return (S[0])

12 12 © 2007 Spansion Inc. Observations Loop of the algorithm: – For i from 0 to n − 1 do If d i = 1 then S[0] ← S[0].A mod N If d i = 0 then S[1] ← S[1].A mod N A ← A 2 mod N A is independent of the exponent d : A = M 2 n mod N S[1] is the result of the modular exponentiation of M by not(d) = 2 n -d-1 : S[1] = M 2 n -d-1 mod N At every step, we have the following relation: M. S[0]. S[1] = A mod N

13 13 © 2007 Spansion Inc. SPA/FA-Resistant Right-to-Left Modular Exponentiation Input: M, d = (d n−1,..., d 0 ) 2,N Output: M d mod N or ”Error” S[0] ← 1 S[1] ← 1 A ← M For i from 0 to n − 1 do – S[d i ] ← S[d i ] · A mod N – A ← A 2 mod N If (M. S[0]. S[1] = A mod N) then Return (S[0]) Else Return (”Error”)

14 14 © 2007 Spansion Inc. Algorithm Analysis Cost : 2 modular multiplications compared to the SPA version Resistance against SPA: always a multiplication before a square. Security proof against DFA and Safe-Errors Attacks in the following Attacker Model : – Can only perform one fault – Can make any modification ε on any variable X’ = X + ε

15 15 © 2007 Spansion Inc. Security Proof Algorithm divided in finite states that corresponds to single steps computation: S[0]: 1  M d 0  M d 1.2+d 0  …  M d Fault Attack between two computations in S[0]: 1  …  M (d i-1, …, d 0 ) 2  M (d i, …, d 0 ) 2 + ε  …  M d + ε’ Final result : S’[0] = M d + ε. (M 2 i ) (d n, …, d i+1 ) 2 Equality doesn’t hold: S’[0]. S[1]. M ≠ M 2 n if ε ≠ 0 Same behavior for S[1]

16 16 © 2007 Spansion Inc. Security Proof: the A variable case Error on variable A also impacts S[0] and S[1] Error needs to be written in a multiplicative way: A’ = A + ε = A. β A’ = M 2 n. β 2 n-i S[0]. S[1]. M = M 2 n. β 2 n-i-1 Equality doesn’t hold: S[0]. S[1]. M ≠ A’ if β ≠ 1, i.e. if ε ≠ 0

17 17 © 2007 Spansion Inc. CRT RSA Resistant to Fault Attacks

18 18 © 2007 Spansion Inc. FA-Resistant CRT-RSA Having a DFA-resistant exponentiation is not enough to have a DFA-resistant CRT RSA: – recombination step can be attacked Involve all the variables of the DFA-resistant exponentiation algorithm to protect the recombination SPA/DFA-resistant exponentiation algorithm outputs: – (S1, S2, T) ← (M d, M not(d), M 2 n ) Perform 3 recombinations and make final check

19 19 © 2007 Spansion Inc. FA-Resistant CRT-RSA Signature Input: M, p, q, d p, d q, A, and b the bit-length of p and q Output: S or ”Error” (S1 p, S2 p, T p ) ← (M d p mod p, M 2 b −d p −1 mod p, M 2 b mod p) (S1 q, S2 q, T q ) ← (M d q mod q, M 2 b −d q −1 mod q, M 2 b mod q) S1 ← ((S1 q − S1 p ) · A mod q) · p + S1 p S2 ← ((S2 q − S2 p ) · A mod q) · p + S2 p T ← ((T q − T p ) · A mod q) · p + T p If (M · S1 · S2 = T mod N) then Return (S1) Else Return (”Error”)

20 20 © 2007 Spansion Inc. Correctness of the algorithm Result of the 3 recombinations: S1 = ((S1 q − S1 p ) · A mod q) · p + S1 p = M d mod N S2 = ((S2 q − S2 p ) · A mod q) · p + S2 p = M 2 b -d-1 mod N T = ((T q − T p ) · A mod q) · p + T p = M 2 b mod N Equality holds: M · S1 · S2 = T mod N

21 21 © 2007 Spansion Inc. Algorithm Analysis Cost: 2 additional recombinations Memory occupation larger : alternative solution with less memory overhead proposed in the paper – detects an error with some probability

22 22 © 2007 Spansion Inc. Conclusion New modular exponentiation algorithm resistant against SPA/DFA Proof of security in a realistic fault model Suitable for low cost devices Can be used to construct SPA/DFA-resistant CRT RSA signature algorithm Can be adapted to compute SPA/DFA-resistant scalar multiplication for elliptic curve cryptography

23 23 © 2007 Spansion Inc. THANK YOU FOR YOUR ATTENTION

24

25 25 © 2007 Spansion Inc. Trademark Attribution Spansion, the Spansion Logo, MirrorBit, HD-SIM, ORNAND, and combinations thereof are trademarks of Spansion LLC. Other names used in this presentation are for informational purposes only and may be trademarks of their respective owners.

Download ppt "CRT RSA Algorithm Protected Against Fault Attacks WISTP - 5/10/07 Arnaud BOSCHER Spansion EMEA Robert NACIRI Oberthur Card Systems Emmanuel PROUFF Oberthur."

Similar presentations

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST
You have been given a mission and a code. Use the code to complete the mission and you will save the world from obliteration…

You have been given a mission and a code. Use the code to complete the mission and you will save the world from obliteration…
Chapter 8 Introduction to Number Theory. 2 Contents Prime Numbers Fermats and Eulers Theorems.

Chapter 8 Introduction to Number Theory. 2 Contents Prime Numbers Fermats and Eulers Theorems.
Using Matrices in Real Life

Using Matrices in Real Life
Chapter 1 The Study of Body Function Image PowerPoint

Chapter 1 The Study of Body Function Image PowerPoint
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 5 Author: Julia Richards and R. Scott Hawley.

Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 5 Author: Julia Richards and R. Scott Hawley.
1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.

1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.
By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.

By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.
Factors, Primes & Composite Numbers

Factors, Primes & Composite Numbers
Business Transaction Management Software for Application Coordination 1 www.choreology.com Business Processes and Coordination.

Business Transaction Management Software for Application Coordination 1 Business Processes and Coordination.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Title Subtitle.

Title Subtitle.
Chapter R: Reference: Basic Algebraic Concepts

Chapter R: Reference: Basic Algebraic Concepts
Multiplying binomials You will have 20 seconds to answer each of the following multiplication problems. If you get hung up, go to the next problem when.

Multiplying binomials You will have 20 seconds to answer each of the following multiplication problems. If you get hung up, go to the next problem when.
0 - 0.

0 - 0.
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
MULTIPLICATION EQUATIONS 1. SOLVE FOR X 3. WHAT EVER YOU DO TO ONE SIDE YOU HAVE TO DO TO THE OTHER 2. DIVIDE BY THE NUMBER IN FRONT OF THE VARIABLE.

MULTIPLICATION EQUATIONS 1. SOLVE FOR X 3. WHAT EVER YOU DO TO ONE SIDE YOU HAVE TO DO TO THE OTHER 2. DIVIDE BY THE NUMBER IN FRONT OF THE VARIABLE.
MULT. INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

MULT. INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
Addition Facts 1 - 20.

Addition Facts

Similar presentations

Ads by Google