A new CRT-RSA algorithm resistant to powerful fault attacks

“…Ultimately, it can ensure that the final result is randomized and cannot be used to break the system even if a proper fault is induced. Typical fault propagation type countermeasures are , , Blömer et al (2003), Ha et al (2008), Ebeid and Lambert (2010) and Ciet and Joye (2005) countermeasures. However, this class requires more computational overhead such as modular arithmetic than the checking procedure, since it has to compute complex operations instead of a comparison operation such as the 'if' statement for detecting faults.…”

“…For example, the Giraud method (Giraud, 2005(Giraud, , 2006 uses the Montgomery powering ladder (Joye and Yen, 2002) to evaluate m k mod p (or q), where k = d p (or d q Similarly, the Boscher et al method (Boscher et al, 2007) uses the right-to-left algorithm and returns the three tuples Recently, Ebeid and Lambert introduced a powerful fault attack which sets or resets a bit of the exponent k (Ebeid and Lambert, 2010). For example, let us suppose an attacker reset the i th bit of the secret exponent by zero.…”

“…Note that all countermeasures that have been developed up to now against FAs cannot guarantee 100% fault detection. To counteract the bitreset fault attack, the exponent has to be randomized such as the Ebeid-Lambert countermeasure (Ebeid and Lambert, 2010) and the Yen et al countermeasure (Yen et al, 2006). Among the existing countermeasures, the method to prevent the second-order FA is only the lock-principle method (Dottax et al, 2009).…”

“…Giraud (Dottax et al, 2009) 4l(l + b) 2 + 5l 2 + 2bl Modifying opcode, Resetting data Ebeid and Lambert (2010) 8(l + b) 3 + 4(l + b) 2 + 7bl + 5l 2 + 2l 3 Second-order…”

An efficient CRT-RSA algorithm secure against power and fault attacks

“…Ultimately, it can ensure that the final result is randomized and cannot be used to break the system even if a proper fault is induced. Typical fault propagation type countermeasures are , , Blömer et al (2003), Ha et al (2008), Ebeid and Lambert (2010) and Ciet and Joye (2005) countermeasures. However, this class requires more computational overhead such as modular arithmetic than the checking procedure, since it has to compute complex operations instead of a comparison operation such as the 'if' statement for detecting faults.…”

“…For example, the Giraud method (Giraud, 2005(Giraud, , 2006 uses the Montgomery powering ladder (Joye and Yen, 2002) to evaluate m k mod p (or q), where k = d p (or d q Similarly, the Boscher et al method (Boscher et al, 2007) uses the right-to-left algorithm and returns the three tuples Recently, Ebeid and Lambert introduced a powerful fault attack which sets or resets a bit of the exponent k (Ebeid and Lambert, 2010). For example, let us suppose an attacker reset the i th bit of the secret exponent by zero.…”

“…Note that all countermeasures that have been developed up to now against FAs cannot guarantee 100% fault detection. To counteract the bitreset fault attack, the exponent has to be randomized such as the Ebeid-Lambert countermeasure (Ebeid and Lambert, 2010) and the Yen et al countermeasure (Yen et al, 2006). Among the existing countermeasures, the method to prevent the second-order FA is only the lock-principle method (Dottax et al, 2009).…”

“…Giraud (Dottax et al, 2009) 4l(l + b) 2 + 5l 2 + 2bl Modifying opcode, Resetting data Ebeid and Lambert (2010) 8(l + b) 3 + 4(l + b) 2 + 7bl + 5l 2 + 2l 3 Second-order…”

An efficient CRT-RSA algorithm secure against power and fault attacks

Improvements to RSA Key Generation and CRT on Embedded Devices

On Applying Boolean Masking to Exponents