Abstract
In this paper, we point out some powerful fault attacks that can be used to factorize the RSA modulus when CRT is employed to speed up the RSA computation. These attacks are generic: they apply to Shamir's countermeasure and also to a recently published enhanced countermeasure (which tries to improve Shamir's method) for RSA with CRT. The two countermeasures share a similar structure in their designs, and both suffer from some of the proposed attacks. The first kind of attack proposed in this paper induces a fault (either a computational fault or any fault while data is being accessed) into an important modulo reduction operation of the above two countermeasures. Note that this hardware fault attack can be detected neither by Shamir's countermeasure nor by the recently announced enhancement. The second kind of attack proposed in this paper considers a permanent fault on some stored parameters in the above two countermeasures. The result shows that some permanent faults cannot be detected, so the CRT-based factorization attack still works. The proposed CRT-based fault attacks once again reveal the importance of developing a sound countermeasure for RSA with CRT.
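As an added illustration (not code from the paper or from any of the countermeasures it discusses), the following Python models the situation the abstract describes: an RSA-CRT signature guarded by a Shamir-style consistency check, with a simulated fault landing in the modulo reduction that happens after the check has already passed, and the resulting CRT factorization of N. The toy key, the check modulus r, the message and the fault placement are constructed assumptions; a public-key verification before output is shown as the check that does catch the faulty result.

```python
from math import gcd

# Constructed toy parameters (assumption: real keys are far larger).
p, q, e = 1009, 1013, 17
N = p * q
d = pow(e, -1, (p - 1) * (q - 1))
r = 23  # small check modulus for the Shamir-style consistency test (assumed)

def sign_crt_checked(m, fault_before_check=False, fault_in_reduction=False):
    """Sign m with RSA-CRT behind a Shamir-style check. The two half
    exponentiations are done modulo p*r and q*r, compared modulo r, and only
    then reduced modulo p and q. Returns None when the check fires."""
    sp_r = pow(m, d % ((p - 1) * (r - 1)), p * r)  # m^d mod p*r
    sq_r = pow(m, d % ((q - 1) * (r - 1)), q * r)  # m^d mod q*r
    if fault_before_check:
        sp_r ^= 1  # simulated bit error during the exponentiation
    if sp_r % r != sq_r % r:
        return None  # the consistency check catches this fault
    sp, sq = sp_r % p, sq_r % q  # the post-check modulo reductions
    if fault_in_reduction:
        sp ^= 1  # simulated bit error landing after the check has passed
    h = ((sp - sq) * pow(q, -1, p)) % p  # Garner recombination
    return sq + q * h

def verify(m, s):
    """Public-key check before output: rejects any signature wrong mod p or q."""
    return s is not None and pow(s, e, N) == m % N

def recover_factor(s_good, s_bad):
    """CRT factorization: one faulty half leaves the other half intact, so
    the difference of a correct and a faulty signature shares a prime with N."""
    return gcd((s_good - s_bad) % N, N)

if __name__ == "__main__":
    m = 12345  # constructed message, coprime to p, q and r
    good = sign_crt_checked(m)
    early = sign_crt_checked(m, fault_before_check=True)
    print("check fires on fault before the check:", early is None)
    bad = sign_crt_checked(m, fault_in_reduction=True)
    print("check fires on fault in the reduction:", bad is None)
    print("public-key verify rejects it instead:", not verify(m, bad))
    f = recover_factor(good, bad)
    print("factor recovered from the faulty output:", f, "and", N // f)
```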
This work was supported by the Mobile Network Security Research Center, School of Electronic and Electrical Engineering, Kyungpook National University, Korea.
The first author was also supported in part by the Computer & Communication Research Laboratories (CCL), Industrial Technology Research Institute (ITRI), Republic of China.
© 2003 Springer-Verlag Berlin Heidelberg
Cite this paper
Yen, SM., Moon, S., Ha, JC. (2003). Hardware Fault Attack on RSA with CRT Revisited. In: Lee, P.J., Lim, C.H. (eds) Information Security and Cryptology — ICISC 2002. ICISC 2002. Lecture Notes in Computer Science, vol 2587. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36552-4_26
DOI: https://doi.org/10.1007/3-540-36552-4_26
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-00716-6
Online ISBN: 978-3-540-36552-5