On Double Exponentiation for Securing RSA against Fault Analysis

Le, Duc-Phong; Rivain, Matthieu; Tan, Chik How

doi:10.1007/978-3-319-04852-9_8

Cited by 5 publications

(11 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We assume this chain to be precomputed. Le et al presented a double exponentiation algorithm, that does not rely on precomputation [18]. The binary exponentiation works as two parallel executions of the right-to-left exponentiation and uses register R 0 for calculations with d 1 and register R 1 for calculations with d 2 .…”

Section: Self-secure Exponentiation Countermeasuresmentioning

confidence: 99%

See 1 more Smart Citation

Algorithmic Countermeasures Against Fault Attacks and Power Analysis for RSA-CRT

Kiss

Krämer

Rauzy³

et al. 2016

Constructive Side-Channel Analysis and Secure Design

View full text Add to dashboard Cite

Section: Self-secure Exponentiation Countermeasuresmentioning

confidence: 99%

“…The first such method is based on the Montgomery ladder [9]. This was adapted to the right-to-left version of the square-and-multiplyalways algorithm [5,6] and to double exponentiation [18,22]. We test the security of these methods using an automated testing framework.…”

Section: Introductionmentioning

confidence: 99%

Algorithmic Countermeasures Against Fault Attacks and Power Analysis for RSA-CRT

Kiss

Krämer

Rauzy³

et al. 2016

Constructive Side-Channel Analysis and Secure Design

View full text Add to dashboard Cite

“…Finally, redundant exponentiation algorithms [19,26] such as the Montgomery Ladder can be used. Regardless of the approach, RSA-CRT fault countermeasures tend to be rather costly: for example, Rivain's countermeasure [26,20] has a stated overhead of 10% compared to an unprotected implementation, and is purportedly more efficient than previous works [19,29,20].…”

Section: Introductionmentioning

confidence: 99%

“…Since our faults are non-random, the probability distributions are more complex; we use careful estimates of exponential sums attached to corresponding rational functions to establish their regularity. We only analyze this countermeasure when the validity check is performed in the standard way (by computing the public permutation), but our random infection might also be used to protect other checks such as Rivain's [26,20]. In the same way, although we use RSA-CRT as a motivating example, our fault model is in fact independent of the way the modular exponentiation is implemented, and is not limited to fault attacks on RSA-CRT.…”

Section: Introductionmentioning

confidence: 99%

Making RSA–PSS Provably Secure against Non-random Faults

Barthe

Dupressoir

Fouque

et al. 2014

Advanced Information Systems Engineering

View full text Add to dashboard Cite

Abstract. RSA-CRT is the most widely used implementation for RSA signatures. However, deterministic and many probabilistic RSA signatures based on CRT are vulnerable to fault attacks. Nevertheless, Coron and Mandal (Asiacrypt 2009) show that the randomized PSS padding protects RSA signatures against random faults. In contrast, Fouque et al. (CHES 2012) show that PSS padding does not protect against certain non-random faults that can be injected in widely used implementations based on the Montgomery modular multiplication. In this article, we prove the security of an infective countermeasure against a large class of non-random faults; the proof extends Coron and Mandal's result to a strong model where the adversary can force the faulty signatures to be a multiple of one of the prime factors of the RSA modulus. Such non-random faults induce more complex probability distributions than in the original proof, which we analyze using careful estimates of exponential sums attached to suitable rational functions. The security proof is formally verified using appropriate extensions of EasyCrypt, and provides the first application of formal verification to provable (i.e. reductionist) security in the context of fault attacks.

show abstract

“…Algorithmic protections have been proposed by Giraud [22] (and many others [16,32,29]) for CRT-RSA, which naturally transpose to ECC, as shown in [28]. These protections are implementation specific (e.g., depend on the chosen exponentiation algorithm) and are thus difficult to automate, requiring specialized engineering skills.…”

mentioning

confidence: 99%

Using modular extension to provably protect Edwards curves against fault attacks

Dugardin

Guilley

Moreau³

et al. 2017

J Cryptogr Eng

View full text Add to dashboard Cite

Abstract. Fault injection attacks are a real-world threat to cryptosystems, in particular asymmetric cryptography. In this paper, we focus on countermeasures which guarantee the integrity of the computation result, hence covering most existing and future fault attacks. Namely, we study the modular extension protection scheme in previously existing and newly contributed variants of the countermeasure on elliptic curve scalar multiplication (ECSM) algorithms. We find that an existing countermeasure is incorrect and we propose new "test-free" variant of the modular extension scheme that fixes it. We then formally prove the correctness and security of modular extension: specifically, the fault non-detection probability is inversely proportional to the security parameter. Finally, we implement an ECSM protected with test-free modular extension during the elliptic curve operation to evaluate the efficient of this method on Edwards and twisted Edwards curves.

show abstract

On Double Exponentiation for Securing RSA against Fault Analysis

Cited by 5 publications

References 26 publications

Algorithmic Countermeasures Against Fault Attacks and Power Analysis for RSA-CRT

Algorithmic Countermeasures Against Fault Attacks and Power Analysis for RSA-CRT

Making RSA–PSS Provably Secure against Non-random Faults

Using modular extension to provably protect Edwards curves against fault attacks

Contact Info

Product

Resources

About