Improved Shamir's CRT-RSA Algorithm: Revisit with the Modulus Chaining Method

  • Received : 2013.04.23
  • Accepted : 2013.11.27
  • Published : 2014.06.01

Abstract

RSA signature algorithms using the Chinese remainder theorem (CRT-RSA) are approximately four times faster than straightforward implementations of an RSA cryptosystem. However, CRT-RSA is known to be vulnerable to fault attacks: a single faulty execution of the algorithm is sufficient to reveal the secret keys. Over the past few years, several countermeasures against CRT-RSA fault attacks have tended to involve additional exponentiations or inversions, and in most cases they are also vulnerable to new variants of fault attacks. In this paper, we review how Shamir's countermeasure can be broken by fault attacks and improve it so that it withstands such attacks at low additional cost. In our experiment, we use the side-channel analysis resistance framework system, a fault injection testing and verification system, which enables us to inject a fault at the right position, even to within 1 µs. We also explain how to find the exact timing of the target operation using an Atmega128 software board.
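To make the abstract's point concrete, the following is an added illustration, not code from the paper (whose modulus chaining variant is not described on this page): toy CRT-RSA signing with a simulated single-bit fault in the p-branch, the classic Boneh-DeMillo-Lipton observation that an unprotected faulty signature leaks a factor of N through a gcd, and Shamir's countermeasure in its textbook form (random prime r, exponentiation modulo p·r and q·r, consistency check modulo r) which refuses to release the faulty value. The primes P and Q, the exponent E and the message are constructed values far too small for real use, and the helper names are the example's own.

```python
"""Toy CRT-RSA: unprotected signing versus Shamir's consistency check.
All parameters are constructed for illustration and are far too small
for real use."""
import math
import secrets

# Constructed toy key: 20-bit primes so everything runs instantly.
P = 1_000_003
Q = 1_000_033
E = 65_537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def garner(sp, sq, p, q):
    """Recombine half-signatures sp (mod p) and sq (mod q) into s mod p*q."""
    h = (pow(q, -1, p) * (sp - sq)) % p
    return sq + q * h


def crt_sign_unprotected(m, p, q, d, fault_in_p=False):
    """Plain CRT-RSA: two half-size exponentiations and no check at all."""
    sp = pow(m, d % (p - 1), p)
    sq = pow(m, d % (q - 1), q)
    if fault_in_p:
        sp ^= 1          # simulated transient fault in the p-branch only
    return garner(sp, sq, p, q)


def leaked_factor(m, s, e, n):
    """Why an output check matters: a signature that is right mod q but
    wrong mod p satisfies s^e == m only modulo q, so gcd(s^e - m, n) is q.
    Returns the leaked proper factor, or None for a correct signature
    (where the gcd is n itself, i.e. nothing is revealed)."""
    g = math.gcd((pow(s, e, n) - m) % n, n)
    return g if 1 < g < n else None


def _small_prime(bits):
    """Random odd prime of the given size by trial division (toy sizes only)."""
    while True:
        r = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if all(r % k for k in range(3, math.isqrt(r) + 1, 2)):
            return r


def crt_sign_shamir(m, p, q, d, fault_in_p=False, r=None):
    """Shamir's countermeasure (textbook form): exponentiate modulo p*r and
    q*r for a random prime r, then require both results to agree modulo r
    before recombining.  The exponents are reduced modulo phi(p*r) and
    phi(q*r), so both intermediate values equal m^d modulo r when no fault
    occurred.  A random fault in one branch escapes the check with
    probability about 1/r; the simulated +-1 change below never does."""
    if r is None:
        r = _small_prime(16)       # 16 bits keeps r distinct from p and q
    s_pr = pow(m, d % ((p - 1) * (r - 1)), p * r)
    s_qr = pow(m, d % ((q - 1) * (r - 1)), q * r)
    if fault_in_p:
        s_pr ^= 1                  # same simulated fault, now inside the protected branch
    if s_pr % r != s_qr % r:
        return None                # fault detected: release nothing
    return garner(s_pr % p, s_qr % q, p, q)


if __name__ == "__main__":
    msg = 123_456_789
    good = crt_sign_unprotected(msg, P, Q, D)
    bad = crt_sign_unprotected(msg, P, Q, D, fault_in_p=True)
    print("unprotected faulty signature leaks factor:", leaked_factor(msg, bad, E, N) == Q)
    print("Shamir check passes on clean run:", crt_sign_shamir(msg, P, Q, D) == good)
    print("Shamir check blocks faulty run:", crt_sign_shamir(msg, P, Q, D, fault_in_p=True) is None)
```

The design point the abstract alludes to is visible in `crt_sign_shamir`: the check costs two slightly larger exponentiations and a comparison modulo r, not a full public-exponent verification, but it only guards the two half-exponentiations; a fault injected after the comparison (in the recombination) is exactly the kind of gap later work targeted, which is why the timing of the injection relative to the target operation matters so much in the experiment described.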

Cited by

  1. Conditional Re-encoding Method for Cryptanalysis-Resistant White-Box AES, vol. 37, no. 5, 2014. https://doi.org/10.4218/etrij.15.0114.0025
  2. One-Bit to Four-Bit Dual Conversion for Security Enhancement against Power Analysis, vol. E99-A, no. 10, 2016. https://doi.org/10.1587/transfun.e99.a.1833
  3. A Masked White-Box Cryptographic Implementation for Protecting Against Differential Computation Analysis, vol. 13, no. 10, 2014. https://doi.org/10.1109/tifs.2018.2825939