CRT RSA Algorithm Protected Against Fault Attacks

Boscher, Arnaud; Naciri, Robert; Prouff, Emmanuel

doi:10.1007/978-3-540-72354-7_19

Cited by 34 publications

(36 citation statements)

References 25 publications

(37 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The scheme by Boscher et al [10] is based on the rightto-left square-and-multiply-always algorithm [15] which was originally devoted to thwart simple side channel analysis (see Sect. 6.1).…”

Section: Self-secure Exponentiationsmentioning

confidence: 99%

“…6.1). In [10], the authors observe that this algorithm computes a triplet (a 0 , a 1 , a 2 ) that equals (m d , m 2 l −d−1 , m 2 l ) at the end of the algorithm, where l denotes the bit-length of d. The principle of their countermeasure is hence to check that a 0 · a 1 · m equals a 2 at the end of the exponentiation. Once again, in case of fault injection, the relation between the a i 's is broken and the fault is detected by the final check.…”

Section: Self-secure Exponentiationsmentioning

confidence: 99%

See 1 more Smart Citation

Securing RSA against Fault Analysis by Double Addition Chain Exponentiation

Rivain

2009

Topics in Cryptology – CT-RSA 2009

View full text Add to dashboard Cite

Abstract. Fault Analysis is a powerful cryptanalytic technique that enables to break cryptographic implementations embedded in portable devices more efficiently than any other technique. For an RSA implemented with the Chinese Remainder Theorem method, one faulty execution suffices to factorize the public modulus and fully recover the private key. It is therefore mandatory to protect embedded implementations of RSA against fault analysis. This paper provides a new countermeasure against fault analysis for exponentiation and RSA. It consists in a self-secure exponentiation algorithm, namely an exponentiation algorithm that provides a direct way to check the result coherence. An RSA implemented with our solution hence avoids the use of an extended modulus (which slows down the computation) as in several other countermeasures. Moreover, our exponentiation algorithm involves 1.65 multiplications per bit of the exponent which is significantly less than the 2 required by other self-secure exponentiations.

show abstract

Section: Self-secure Exponentiationsmentioning

confidence: 99%

Section: Self-secure Exponentiationsmentioning

confidence: 99%

Securing RSA against Fault Analysis by Double Addition Chain Exponentiation

Rivain

2009

Topics in Cryptology – CT-RSA 2009

View full text Add to dashboard Cite

show abstract

“…The first fault attack [4] targets an RSA implementation using the Chinese remainder theorem, RSA-CRT, and is known as the Bellcore attack. The Bellcore attack aroused great interest and led to many publications about fault attacks on RSA-CRT,e.g., [1,6,9,11,22]. Countermeasures to prevent the Bellcore attack can be categorized into two families: the first one relies on a modification of the RSA modulus and the second one uses self-secure exponentiation.…”

Section: Introductionmentioning

confidence: 99%

“…The first such method is based on the Montgomery ladder [9]. This was adapted to the right-to-left version of the square-and-multiplyalways algorithm [5,6] and to double exponentiation [18,22]. We test the security of these methods using an automated testing framework.…”

Section: Introductionmentioning

confidence: 99%

Algorithmic Countermeasures Against Fault Attacks and Power Analysis for RSA-CRT

Kiss

Krämer

Rauzy³

et al. 2016

Constructive Side-Channel Analysis and Secure Design

View full text Add to dashboard Cite

“…Algorithmic protections have been proposed by Giraud [22] (and many others [16,32,29]) for CRT-RSA, which naturally transpose to ECC, as shown in [28]. These protections are implementation specific (e.g., depend on the chosen exponentiation algorithm) and are thus difficult to automate, requiring specialized engineering skills.…”

mentioning

confidence: 99%

Using modular extension to provably protect Edwards curves against fault attacks

Dugardin

Guilley

Moreau³

et al. 2017

J Cryptogr Eng

View full text Add to dashboard Cite

Abstract. Fault injection attacks are a real-world threat to cryptosystems, in particular asymmetric cryptography. In this paper, we focus on countermeasures which guarantee the integrity of the computation result, hence covering most existing and future fault attacks. Namely, we study the modular extension protection scheme in previously existing and newly contributed variants of the countermeasure on elliptic curve scalar multiplication (ECSM) algorithms. We find that an existing countermeasure is incorrect and we propose new "test-free" variant of the modular extension scheme that fixes it. We then formally prove the correctness and security of modular extension: specifically, the fault non-detection probability is inversely proportional to the security parameter. Finally, we implement an ECSM protected with test-free modular extension during the elliptic curve operation to evaluate the efficient of this method on Edwards and twisted Edwards curves.

show abstract

CRT RSA Algorithm Protected Against Fault Attacks

Cited by 34 publications

References 25 publications

Securing RSA against Fault Analysis by Double Addition Chain Exponentiation

Securing RSA against Fault Analysis by Double Addition Chain Exponentiation

Algorithmic Countermeasures Against Fault Attacks and Power Analysis for RSA-CRT

Using modular extension to provably protect Edwards curves against fault attacks

Contact Info

Product

Resources

About