Modulus fault attacks against RSA–CRT signatures

Brier, Éric; Naccache, David; Nguyêñ, Phong Q.; Tibouchi, Mehdi

doi:10.1007/s13389-011-0015-x

Cited by 12 publications

(10 citation statements)

References 26 publications

(38 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Since the pioneering exploit of a CRT-RSA implementation [4], fault attacks targeting cryptographic applications have been under the spotlight of security research and new studies are published every year [28]. Such fault attacks are either described at an algorithmic level [1,8] or target a specific implementation [5,9]. They rely on the attacker's ability to inject and exploit fault effects on a sensitive application: e.g., a skipped instruction or corrupted variable.…”

Section: Related Workmentioning

confidence: 99%

A First ISA-Level Characterization of EM Pulse Effects on Superscalar Microarchitectures

Proy¹,

Heydemann

Berzati³

et al. 2019

Proceedings of the 14th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

In the area of physical attacks, system-on-chip (SoC) designs have not received the same level of attention as simpler micro-controllers. We try to model the behavior of secure software running on a superscalar out-of-order microprocessor typical of more complex SoC, in the presence of electromagnetic (EM) pulses. We first show that it is possible, in a black box approach, to corrupt the loop iteration count of both original and hardened versions of two sensitive loops. We propose a characterization methodology based on very simple codes, to understand and classify the fault effects at the level of the instruction set architecture (ISA). The resulting classification includes the well established instruction skip and register corruption models, as well as new effects specific to more complex processors, such as operand substitution, multiple correlated register corruptions, advanced control-flow hijacking, and combinations of all reported effects. This diversity and complexity of effects can lead to powerful attacks. The proposed methodology and fault classification at ISA level is a first step towards a more complete characterization. It is also a tool supporting the designers of software and hardware countermeasures. CCS CONCEPTS • Security and privacy → Hardware attacks and countermeasures; Software and application security; • Computer systems organization → Embedded and cyber-physical systems.

show abstract

Section: Related Workmentioning

confidence: 99%

A First ISA-Level Characterization of EM Pulse Effects on Superscalar Microarchitectures

Proy¹,

Heydemann

Berzati³

et al. 2019

Proceedings of the 14th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

show abstract

“…return A Garner's formula (2) does not require a reduction modulo N , which is interesting for efficiency reasons and also because it prevents certain fault attacks [4]. On the other hand, it does require an inverse Montgomery transformation S q = CIOS(S q , 1), whereas that step is not necessary for formula (1), as it can be mixed with the multiplication with q −1 mod p. This is an important point, as some of our attacks specifically target the inverse Montgomery transformation.…”

Section: Rsa-crt Signature Generationmentioning

confidence: 99%

Attacking RSA–CRT signatures with faults on montgomery multiplication

Fouque¹,

Guillermin²,

Leresteux³

et al. 2013

J Cryptogr Eng

Self Cite

View full text Add to dashboard Cite

In this paper, we present several efficient fault attacks against implementations of RSA-CRT signatures that use modular exponentiation algorithms based on Montgomery multiplication. They apply to any padding function, including randomized paddings, and as such are the first fault attacks effective against RSA-PSS. The new attacks work provided that a small register can be forced to either zero, or a constant value, or a value with zero high-order bits. We show that these models are quite realistic, as such faults can be achieved against many proposed hardware designs for RSA signatures.

show abstract

“…Garner's formula (2) does not require a reduction modulo N , which is interesting for efficiency reasons and also because it prevents certain fault attacks [4]. On the other hand, it does require an inverse Montgomery transformation S q = CIOS(S q , 1), whereas that step is not necessary for formula (1), as it can be mixed with the multiplication with q −1 mod p. This is an important point, as some of our attacks specifically target the inverse Montgomery transformation.…”

Section: Rsa-crt Signature Generationmentioning

confidence: 99%

Attacking RSA–CRT Signatures with Faults on Montgomery Multiplication

Fouque

Guillermin

Leresteux

et al. 2012

Cryptographic Hardware and Embedded Systems – CHES 2012

Self Cite

View full text Add to dashboard Cite

International audienceIn this paper, we present several efficient fault attacks against implementations of RSA–CRT signatures that use modular exponentia-tion algorithms based on Montgomery multiplication. They apply to any padding function, including randomized paddings, and as such are the first fault attacks effective against RSA–PSS. The new attacks work provided that a small register can be forced to either zero, or a constant value, or a value with zero high-order bits. We show that these models are quite realistic, as such faults can be achieved against many proposed hardware designs for RSA signatures

show abstract

Modulus fault attacks against RSA–CRT signatures

Cited by 12 publications

References 26 publications

A First ISA-Level Characterization of EM Pulse Effects on Superscalar Microarchitectures

A First ISA-Level Characterization of EM Pulse Effects on Superscalar Microarchitectures

Attacking RSA–CRT signatures with faults on montgomery multiplication

Attacking RSA–CRT Signatures with Faults on Montgomery Multiplication

Contact Info

Product

Resources

About