Public Key Perturbation of Randomized RSA Implementations

Berzati, Alexandre; Dumas, Cécile; Goubin, Louis

doi:10.1007/978-3-642-15031-9_21

Cited by 11 publications

(11 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This assumption can be justified by the fact that RSA-CRT computations are usually the privileged target of fault attacks since the secret exponent as well as the secret primes are involved. Sometimes, faults can be injected on public parameters [10,6], however such faults modify computation with secret values, σ p and σ q during CRT recombinaison and so this is treated in our model. In this model, we do not consider safe errors which consider specific implementations.…”

Section: Figure 3 Initial and Final Gamesmentioning

confidence: 99%

Making RSA–PSS Provably Secure against Non-random Faults

Barthe

Dupressoir

Fouque

et al. 2014

Advanced Information Systems Engineering

View full text Add to dashboard Cite

Abstract. RSA-CRT is the most widely used implementation for RSA signatures. However, deterministic and many probabilistic RSA signatures based on CRT are vulnerable to fault attacks. Nevertheless, Coron and Mandal (Asiacrypt 2009) show that the randomized PSS padding protects RSA signatures against random faults. In contrast, Fouque et al. (CHES 2012) show that PSS padding does not protect against certain non-random faults that can be injected in widely used implementations based on the Montgomery modular multiplication. In this article, we prove the security of an infective countermeasure against a large class of non-random faults; the proof extends Coron and Mandal's result to a strong model where the adversary can force the faulty signatures to be a multiple of one of the prime factors of the RSA modulus. Such non-random faults induce more complex probability distributions than in the original proof, which we analyze using careful estimates of exponential sums attached to suitable rational functions. The security proof is formally verified using appropriate extensions of EasyCrypt, and provides the first application of formal verification to provable (i.e. reductionist) security in the context of fault attacks.

show abstract

Section: Figure 3 Initial and Final Gamesmentioning

confidence: 99%

Making RSA–PSS Provably Secure against Non-random Faults

Barthe

Dupressoir

Fouque

et al. 2014

Advanced Information Systems Engineering

View full text Add to dashboard Cite

show abstract

“…For example, a parity check of an addition or a multiplication. [27], [4], [3], [44], [11] [12], [21], [36], [39], [8], [23], [41], [42], [48], [28], [5], [24], [7], [17], [38], [43] [41], [42], [38], [43] Fault Model Bit Wise Word Wise Variable Wise [39], [9], [2], [5], [36], [12], [21], [8], [23] [4], [3], [47] [51], [25], [27], [44], [11], [48], [28], [24], [49], [7], [17] Abstraction Level…”

Section: Classification Of Countermeasuresmentioning

confidence: 99%

“…Cryptographic Primitive Level Protocol Level [3], [42], [28], [5], [24], [49], [7], [17], [38], [43] [36], [39], [4], [8], [23], [44], [11], [41], [48], [21] [12], [25], [27] At this point, it is important to emphasize that the security pyramid which depicts a design flow of a cryptographic engine does not consider validity of input parameters or the integrity of a program code intended to run on a platform. Since an attacker can exploit the faulty input parameters or a malicious program flow to leak a secret from a device, countermeasures that thwart such kinds of attacks are considered here too.…”

Section: Classification Of Countermeasuresmentioning

confidence: 99%

The Fault Attack Jungle - A Classification Model to Guide You

Verbauwhede

Karaklajic

Schmidt

2011

2011 Workshop on Fault Diagnosis and Tolerance in Cryptography

View full text Add to dashboard Cite

Abstract-For a secure hardware designer, the vast array of fault attacks and countermeasures looks like a jungle. This paper aims at providing a guide through this jungle and at helping a designer of secure embedded devices to protect a design in the most efficient way. We classify the existing fault attacks on implementations of cryptographic algorithms on embedded devices according to different criteria. By doing do, we expose possible security threats caused by fault attacks and propose different classes of countermeasures capable of preventing them.

show abstract

“…The initial attack [27] only allowed to bypass RSA verification, but key-recovery attacks were later discovered by Brier et al [9], and improved or extended in [19,6,4,5]. These key-recovery attacks only apply to RSA without CRT, and they require significantly more faults than Boneh et al 's attack, at least on the order of 1000 faulty signatures.…”

Section: Fault Attacks On Rsa-crt Signaturesmentioning

confidence: 99%

“…The previously mentioned fault attacks [9,19,6,4,5] on RSA using faulty moduli only apply to standard RSA without CRT, and they use non-lattice techniques. Our attack seems to be the first attack on RSA-CRT with faulted moduli.…”

Section: Related Workmentioning

confidence: 99%

Modulus fault attacks against RSA–CRT signatures

et al. 2011

View full text Add to dashboard Cite

Abstract. RSA-CRT fault attacks have been an active research area since their discovery by Boneh, DeMillo and Lipton in 1997. We present alternative key-recovery attacks on RSA-CRT signatures: instead of targeting one of the sub-exponentiations in RSA-CRT, we inject faults into the public modulus before CRT interpolation, which makes a number of countermeasures against Boneh et al.'s attack ineffective.Our attacks are based on orthogonal lattice techniques and are very efficient in practice: depending on the fault model, between 5 to 45 faults suffice to recover the RSA factorization within a few seconds. Our simplest attack requires that the adversary knows the faulty moduli, but more sophisticated variants work even if the moduli are unknown, under reasonable fault models. All our attacks have been fully validated experimentally with fault-injection laser techniques.

show abstract

Public Key Perturbation of Randomized RSA Implementations

Cited by 11 publications

References 12 publications

Making RSA–PSS Provably Secure against Non-random Faults

Making RSA–PSS Provably Secure against Non-random Faults

The Fault Attack Jungle - A Classification Model to Guide You

Modulus fault attacks against RSA–CRT signatures

Contact Info

Product

Resources

About