Abstract. In recent years, side channel analysis has received a lot of attention, and attack techniques have been improved. Second-order side channel analysis is now successful in breaking implementations of block ciphers that were supposed to be effectively protected. This progress shows not only the practicability of second-order attacks, but also the need for provably secure countermeasures. Surprisingly, while many studies have been dedicated to the attacks, only a few papers have been published about dedicated countermeasures. In fact, only the method proposed by Schramm and Paar at CT-RSA 2006 makes it possible to thwart second-order side channel analysis. In this paper, we introduce two new methods which constitute a worthwhile alternative to Schramm and Paar's proposal. We prove their security in a strong security model and we exhibit a way to significantly improve their efficiency by using the particularities of the targeted architectures. Finally, we argue that the introduced methods allow us to efficiently protect a wide variety of block ciphers, including AES.
Since their publication in 1996, fault attacks have been widely studied from both theoretical and practical points of view, and most cryptographic systems have been shown to be vulnerable to this kind of attack. Until recently, most theoretical fault attacks and countermeasures used a fault model which assumes that the attacker is able to disturb the execution of a cryptographic algorithm only once. However, this approach seems too restrictive since the publication in 2007 of a successful experimental attack based on the injection of two faults, namely a second-order fault attack. Amongst the few papers dealing with second-order fault analysis, three countermeasures were published at WISTP'07 and FDTC'07 to protect the RSA cryptosystem in CRT mode. In this paper, we analyse the security of these countermeasures with respect to the second-order fault model considered by their authors. We show that these countermeasures are not intrinsically resistant, and we propose a new method allowing us to implement a CRT-RSA that resists this kind of second-order fault attack.

A fault attack description must specify the fault model it assumes [13]. This model clarifies the capabilities of the attacker, such as the kind of error (e.g. a bit flip in data, a modification of program execution), the timing precision, or the number of errors. The latter characteristic is called the order of the attack: first-order attacks assume an attacker who can induce only one error per execution of the target algorithm. Similarly, second-order attacks assume an attacker who can induce two errors per execution, and so forth. The practicability of the model is important when assessing the feasibility of an attack.

The seminal work [5] introduces several first-order attacks, among which one targets an RSA implementation using the Chinese Remainder Theorem (CRT for short). Indeed, most RSA implementations in embedded systems use CRT because of its performance benefits.
Let $N$ denote the public modulus, composed of two secret prime numbers $p$ and $q$ such that $N = p \cdot q$. Let $e$ refer to the public exponent and $d$ to the private exponent. Whereas a straightforward implementation computes the signature of a message $m$ by performing $S = m^d \bmod N$, a CRT-based implementation is composed of two exponentiations $S_p = m^{d_p} \bmod p$ and $S_q = m^{d_q} \bmod q$, where $d_p = d \bmod (p-1)$ and $d_q = d \bmod (q-1)$. As the signature $S$ satisfies $S \equiv S_p \pmod p$ and $S \equiv S_q \pmod q$, it can be computed from $S_p$ and $S_q$ by using the CRT [9]. This additional computation is called the recombination step. The principle of the so-called Bellcore attack [5] is to disturb one of the exponentiations, say $S_q$, so that the recombination step results in a faulty signature $\tilde{S}$ satisfying $\tilde{S} \equiv S \pmod p$ and $\tilde{S} \not\equiv S \pmod q$. The secret parameter $p$ can then be recovered by computing $\gcd(\tilde{S} - S, N)$. The fault model of this attack is very weak, because the attacker only needs to disturb one exponentiation to succeed. The fault can be introduced at any time during the computation, either in code or i...
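The CRT-RSA signature, the simulated fault in the $S_q$ branch and the gcd recovery described above, as an added worked example that is not part of the paper or of any implementation it analyses. The parameters (two Mersenne primes, $e = 65537$, the message) are constructed toy values; Garner's form of the recombination is an assumption, since the page only says the CRT is used. The variant that needs only the faulty signature, and the "verify before release" check, are standard results added here for completeness, not claims of the paper.

```python
from math import gcd

# Constructed toy parameters (not from the paper): two Mersenne primes,
# far too small for real use but large enough to exercise the arithmetic.
p = 2**61 - 1
q = 2**89 - 1
N = p * q
e = 65537
d = pow(e, -1, (p - 1) * (q - 1))   # private exponent (Python >= 3.8)

# Values a CRT-RSA implementation precomputes and stores with the key
d_p = d % (p - 1)
d_q = d % (q - 1)
q_inv = pow(q, -1, p)               # q^{-1} mod p for Garner's recombination


def crt_sign(m, fault_mask=0):
    """CRT-RSA signature S = m^d mod N computed as S_p, S_q + recombination.

    A non-zero fault_mask simulates the Bellcore fault: bits of S_q are
    flipped after the exponentiation and before recombination.
    """
    s_p = pow(m, d_p, p)
    s_q = pow(m, d_q, q)
    s_q ^= fault_mask                        # simulated fault in the S_q branch
    # Garner's form of the CRT (assumed here): S = S_q + q * ((S_p - S_q) * q^{-1} mod p)
    h = ((s_p - s_q) * q_inv) % p
    return s_q + q * h


def bellcore_recover(s_correct, s_faulty):
    """Attacker computation described on the page: gcd(S~ - S, N).

    S~ is still correct mod p (the fault hit S_q only) but wrong mod q,
    so p divides S~ - S while q does not, and the gcd is p.
    """
    return gcd(s_faulty - s_correct, N)


def recover_from_faulty_only(m, s_faulty):
    """Lenstra's variant (standard result, not from the page): the attacker
    needs only the faulty signature and the message, since S~^e = m mod p
    but S~^e != m mod q."""
    return gcd(pow(s_faulty, e, N) - m, N)


def verify_before_release(m, s):
    """Classic first-order countermeasure: check S^e = m mod N before output.

    It stops the single-fault attack above; a second fault that skips this
    check is exactly what the second-order fault model on this page considers.
    """
    return pow(s, e, N) == m


if __name__ == "__main__":
    m = 0xC0FFEE                             # constructed sample message
    s = crt_sign(m)
    s_bad = crt_sign(m, fault_mask=1 << 5)   # flip one bit of S_q
    print("correct signature verifies:", verify_before_release(m, s))
    print("faulty signature verifies: ", verify_before_release(m, s_bad))
    print("gcd(S~ - S, N) == p:", bellcore_recover(s, s_bad) == p)
    print("gcd(S~^e - m, N) == p:", recover_from_faulty_only(m, s_bad) == p)
```

Running it shows why the attack's fault model is so weak: any corruption of $S_q$ that survives to the recombination, at any point of that exponentiation, leaves $\tilde{S}$ correct modulo $p$ and yields $p$ from a single gcd. The verification check catches this one fault, which is why the second-order model, where a second fault removes the check, is the one the paper's countermeasures must withstand.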
At the Asiacrypt 2003 conference, Billet and Gilbert introduced a block cipher which, to quote them, has the following paradoxical property: it is computationally easy to derive many equivalent distinct descriptions of the same instance of the block cipher; but it is computationally difficult, given one or even many of them, to recover the so-called meta-key from which they were derived, or to find any additional equivalent description, or more generally to forge any new untraceable description of the same instance of the block cipher. They exploit this property to introduce the first traceable block cipher. Their construction relies on the Isomorphism of Polynomials (IP) problem. At Eurocrypt 2006, Faugère and Perret showed how to break this scheme by an algebraic attack. We here strengthen the original traceable block cipher against this attack by concealing the underlying IP problems. Our modification is such that our description of the block cipher no longer gives the expected result all the time, and parallel executions are used to obtain the correct value.