Fault Resistant RSA Signatures: Chinese Remaindering in Both Directions
نویسندگان
چکیده
Fault attacks are one of the most severe attacks against secure embedded cryptographic implementations. Block ciphers such as AES, DES or public key algorithms such as RSA can be broken with as few as a single or a handful of erroneous computation results. Many countermeasures have been proposed both at the algorithmic level and using ad-hoc methods. In this paper, we address the problem of finding efficient countermeasures for RSA signature computations based on the Chinese Remainder Theorem for which one uses the inverse operation (verification) in order to secure the algorithm against fault attacks. We propose new efficient methods with associated security proofs in two different models; our methods protect against run-time errors, computation errors, and most permanent errors in the key parameters as well. We also extend our methods with infective computation strategies to secure the algorithm against doublefaults.
منابع مشابه
Practical Fault Countermeasures for Chinese Remaindering Based RSA
Most implementations of the widely-used RSA cryptosystem rely on Chinese remaindering (CRT) as this greatly improves the performances in both running times and memory requirements. Unfortunately, CRT-based implementations are also known to be more sensitive to fault attacks: a single fault in an RSA exponentiation may reveal the secret prime factors trough a GCD computation, that is, a total br...
متن کاملCRT RSA Algorithm Protected Against Fault Attacks
Embedded devices performing RSA signatures are subject to Fault Attacks, particularly when the Chinese Remainder Theorem is used. In most cases, the modular exponentiation and the Garner recombination algorithms are targeted. To thwart Fault Attacks, we propose a new generic method of computing modular exponentiation and we prove its security in a realistic fault model. By construction, our pro...
متن کاملA Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants
We describe a strategy for finding small modular and integer roots of multivariate polynomials using lattice-based Coppersmith techniques. Applying our strategy, we obtain new polynomial-time attacks on two RSA variants. First, we attack the Qiao-Lam scheme that uses a Chinese Remaindering decryption process with a small difference in the private exponents. Second, we attack the so-called Commo...
متن کاملOn the Multiple Fault Attacks on RSA Signatures with LSBs of Messages Unknown
In CHES 2009, Coron, Joux, Kizhvatov, Naccache and Paillier (CJKNP) introduced a fault attack on RSA signatures with partially unknown messages. They factored RSA modulus N using a single faulty signature and increased the bound of unknown messages by multiple fault attack, however, the complexity multiple fault attack is exponential in the number of faulty signatures. At RSA 2010, it was impro...
متن کاملDouble Counting in $2^t$-ary RSA Precomputation Reveals the Secret Exponent
A new fault attack, double counting attack (DCA), on the precomputation of 2t-ary modular exponentiation for a classical RSA digital signature (i.e., RSA without the Chinese remainder theorem) is proposed. The 2t-ary method is the most popular and widely used algorithm to speed up the RSA signature process. Developers can realize the fastest signature process by choosing optimum t. For example,...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2010 شماره
صفحات -
تاریخ انتشار 2010