Professional Documents
Culture Documents
Abstra
t. This arti
le des
ribes
on
rete results and pra
ti
ally approved
ountermeasures
on
erning dierential fault atta
ks on RSA using the CRT. It espe
ially investigates smart-
ards with a RSA
opro
essor where any hardware
ountermeasure to defeat su
h fault
atta
ks have been swit
hed o. This s
enario has been
hosen in order to
ompletely analyze
the resulting ee
ts and errors o
urring inside the hardware. Using the results of this kind
of physi
al stress atta
k enables the development of
ompletely reliable software
ounter-
measures. Although su
essful RSA atta
ks on the investigated hardware have been only
possible with an expensive enhan
ed laboratory equipment, the ee
ts on the unprote
ted
hardware have been tremendously. This
aused lots of analysis eorts to investigate what
really happened during the atta
k. Indeed, this will be addressed in this paper.
We rst report on the nature of the resulting errors within the hardware due to the physi
al
stress applied to the smart
ard. Hereafter, we des
ribe the experiments and results with a
very eÆ
ient and prominent software RSA-CRT DFA
ountermeasure. This method
ould
be shown to be insuÆ
ient, i.e., dete
ted nearly no error, when we introdu
ed stress at the
right position during the
omputation. Naturally, a detailed error analysis model followed,
spe
ifying every failure point during the RSA-CRT operation. This model nally allowed to
develop and present here new very pra
ti
ally oriented software
ountermeasures hedging
the observed and
hara
terized fault atta
ks. Eventually, we present the se
urity analysis
of our new developed software RSA-CRT DFA
ountermeasures. Thanks to their
areful
spe
i
ation a
ording to the observed and analyzed errors they resisted all kinds of physi
al
stress atta
ks and were able to dete
t any subtle
omputation error, thus avoiding to break
the smart
ard by fault atta
ks.
Nevertheless, we stress, that although our software
ountermeasures have been fully approved
by pra
ti
al experiments, we are
onvin
ed that only sophisti
ated hardware
ountermeasures
like sensors and lters in
ombination with software
ountermeasures will be able to provide
a se
ure and
omfortable base to defeat in general any
on
eivable fault atta
ks s
enario on
smart
ards properly.
Keywords: Fault atta
ks, Bell
ore atta
k, Hardware se
urity, Hardware robustness, RSA,
Chinese Remainder Theorem, Spike atta
ks, Transient fault model, Software
ountermea-
sures.
?
Readers should note that Inneon Te
hnologies Corp. has led an international patent appli
ation
ontaining this work.
??
hristian.aumuellerinfineon.
om
???
peter.bierinfineon.
om
y wieland.fis
herinfineon.
om
z peter.hofreiterinfineon.
om
x jean-pierre.seifertinfineon.
om
1 Introd
ution
This paper shows and proves that fault atta
ks on RSA with the CRT (also known as Bell
ore
atta
ks) due to [BDL℄ are indeed feasible and devastating if there are no hardware me
hanisms
(like sensors and lters) nor any appropriate software
ountermeasures implemented in the under-
lying smart
ard ICs. However, this does not imply that modern high-se
urity smart
ard ICs are
vulnerable by this kind of atta
ks. Instead, it shows that fault tolerant and robust hardware and
espe
ially sophisti
ated hardware
ountermeasures are essential for the design of physi
al se
ure
hardware to prevent su
h devastating ee
ts as investigated in the following.
Moreover, we stress that it is impossible in the eld to swit
h o these sophisti
ated hardware
ountermeasures preventing this kind of atta
ks | whi
h has been done ex
eptionally for our
detailed feasibility study
on
erning the pra
ti
ality of the Bell
ore atta
k by a spe
i
ally designed
hardware.
In order to provide better se
urity for data prote
tion under strong en
ryption s
hemes (e.g.,
RSA [RSA℄, 3DES [MvOV℄, et
.) more and more implementations based on tamper-proof devi
es
(e.g., smart
ard ICs) are proposed. The main reason for this trend is that smart
ard ICs provide
high reliability and se
urity with more memory
apa
ity and better performan
e
hara
teristi
s
than
onventional magneti
stripe
ard. The CPU in smart
ards
ontrols its data input and output
and prevents unauthorized a
ess to a smart
ard. With spe
ial
hara
teristi
s of
omputational
ability, large memory
apa
ity and se
urity, a large variety of
ryptographi
appli
ations benet
from smart
ard ICs. Due to this popular usage of tamper-resistan
e, the arising of several new ideas
for physi
al atta
ks against smart
ards in 1996 due to [Ko
h℄ and [BDL℄ and again 1999 by [KJJ℄,
followed by [SQ℄, has attra
ted a huge amount of resear
h. However, within this vain, most resear
h
so far fo
used on Timing or Power Analysis atta
ks. This is surprising as the frauds with smart
ards
by indu
ing faults are reality,
f., [A,AK1,AK2℄, whereas no frauds via Timing or Power Analysis
atta
ks have been reported so far. Moreover, as seen from the s
ienti
literature, the resear
h on
faults based
ryptanalysis or its pra
ti
al realization is not very a
tive, when
ompared with the
other side-
hannel resear
h. Furthermore, no pra
ti
al investigation of the most interesting and
pra
ti
al s
enario, i.e., the so
alled Bell
ore atta
k [BDL℄ on RSA with CRT [RSA,CQ℄ has been
reported so far.
Indeed, this topi
will be for the rst time publi
ly addressed within this paper. Thus, it answers
a question of Kaliski and Robshaw [KR℄ of how pra
ti
al these atta
ks might be, answered denitely
here by physi
ists and the designers and manufa
tures of se
ure hardware.
A
tually, the present paper has three main themes. First, we will a
tually present a pra
ti
al
ase study of fault atta
ks on smart
ards implementations of RSA in CRT mode. We will indeed
explain how to realize so
alled spike atta
ks on smart
ards, analyze hereafter their intrinsi
om-
plexity from an atta
ker's point of view and reveal an appropriate test equipment to implement
su
h fault atta
ks. Se
ond, we will present the resulting errors on
ompletely unprote
ted hardware
and software for RSA in CRT mode. In addition, we will demonstrate the insuÆ
ien
y of a very
prominent and eÆ
ient software
ountermeasure due to [Sh℄. Third, we will derive from the anal-
ysis of the previously obtained resulting errors new software
ountermeasures whi
h were proved
to fully work under extensive spike atta
ks.
Only very re
ently the eld of resear
h on fault atta
ks and their
ountermeasures has been
shown some a
tivity. For instan
e, a series of papers [YJ,YKLM1,YKLM2,JQYY℄
ame up with
some new ideas for atta
ks s
enarios and also new
ountermeasures to defeat fault atta
ks. The
relevan
e of this line of resear
h to this paper and espe
ially its pra
ti
al relevan
e will be dis
ussed
later within se
tion 2.
The present paper is organized as follows. Se
tion 2 brie
y repeats RSA using the CRT and
the fault based
ryptanalysis of RSA using the CRT a
ording to [BDL,JLQ℄; it also in
ludes
and dis
usses the advantages and limitations of so far publi
ly known software
ountermeasures to
defeat fault atta
ks on RSA in CRT mode. Se
tion 3 basi
ally digs into the real physi
s of enfor
ing
errors during the
ryptographi
omputation of smart
ard ICs. Within se
tion 4 we basi
ally
2
investigate sophisti
ated software
ountermeasures derived from our pra
ti
al observations and
our proposed model to
ountera
t fault atta
ks on RSA in CRT mode. We also present pra
ti
al
results whi
h were obtained with our
ountermeasures. Eventually we will draw some pra
ti
al
on
lusion in se
tion 5
on
erning software
ountermeasures to hedge su
h Bell
ore atta
ks.
2 Preliminaries
2.1 The RSA System
Let N = p q be the produ
t of two large primes ea
h n=2 bits long. To sign a message m 2 ZN
using RSA one
omputes S := md mod N , where d is the private exponent satisfying e d
1 mod (p 1)(q 1) for the publi
exponent e. The
omputationally expensive part of signing
using RSA is the modular exponentiation of m. For eÆ
ien
y most implementations exponentiate
as follows: using repeated square and multiply they rst
ompute Sp := md mod p and hereafter
d d
Sq := m mod q . They then use the CRT to
onstru
t the signature S = m mod N . This last
CRT step takes negligible time
ompared to with the two exponentiations. It is done eÆ
iently by
omputing
S = Sq + (Sp Sq ) (q mod p) mod p q; (1)
1
For the sake of
ompleteness we brie
y re
all the fault-based
ryptanalysis of RSA using the CRT
due to [BDL℄ and assume the above notations.
Assume that during the
omputation of a RSA signature for a message m via the CRT a random
error o
urs during the
omputation of Sp , thus yielding the faulty signature part Sp0 , whereas the
omputation of Sq is performed
orre
tly. Applying now the
ombination of Sp0 and Sq via (1) will
yield an in
orre
t signature S 0 dierent from the
orre
t signature S , i.e., S S 0 6= 0. A
ording
to the fault-based
ryptanalysis of [BDL,JLQ℄, one obtains the fa
torization of N by
omputing
g
d ((m (S 0 )e ) mod N; N ) = q:
We will now present some simple ad-ho
ountermeasures whi
h have been already suggested within
[BDL,KR℄ to hedge the faults atta
k s
enario. One approa
h is to perform
al
ulations twi
e and
the other approa
h suggests to verify the
orre
tness of the signature by
omparing the inverse
result with the input.
The rst approa
h is a very time-
onsuming and it
annot always provide a satisfa
tory solution
sin
e a permanent error (
aused by a permanenet hardware or software fault implementation bug)
may be undete
table, even if the fun
tion is
omputed more than on
e.
3
The se
ond approa
h is to verify the
orre
tness by
omparing the inverse result with the input
m . A RSA signature S = md mod N
an be veried by raising S to the eth power and
ompare
whether m se mod N . Generally, this is not a satisfa
tory solution sin
e the parameter e
ould
be a large integer and this
he
king pro
edure be
omes time-
onsuming.
A
ompletely dierent but very interesting
ountermeasure is the introdu
tion of randomness
into the RSA signature pro
ess. Here, RSA is applied to F (m; r) where F is some formatting
fun
tion and r is a random string whi
h ensures that the user never signs the same message twi
e.
Furthermore, given en erroneous signature the verier does not know the full plain-text that was
signed. Consequently, the above atta
k
annot be applied to this modied system
f. [BDL,BR,KR℄.
Shamir's basi
idea, as presented in [Sh℄ is to sele
t a random integer t and to do the following
omputations
Spt := m mod p t;
d
Sqt := m mod q t:
d
In the
ase of Spt = Sqt mod t the
omputation is dened to be error free and S is
omputed
a
ording to the CRT re
ombination equation (1).
One drawba
k in Shamir's method, as pointed out in [JPY℄, is the following. Within the CRT
mode of real RSA appli
ations the value d is not known, only the values dp = d mod (p 1) and
dq = d mod (q 1) are known. Although d
an be eÆ
iently
omputed from dp and dq only, as
des
ribed in [FS℄, it will denitely limit the a
eptan
e of Shamir's method. Nevertheless, this
simple way of
he
king the
omputations
orre
tness is anyway insuÆ
ient as demonstrated later
by our pra
ti
al experiments.
But, the new software
ountermeasures, as presented later, developed and motivated by our
experimental results alleviate the two formerly drawba
ks of Shamir's method.
Only very re
ently the eld of resear
h on fault atta
k
ountermeasures has been emerged. For
instan
e a series of papers [YJ,YKLM1,YKLM2,JQYY℄ assumed that the atta
ker has a very
pre
ise knowledge about the implementation details and espe
ially an absolute a
urate
ontrol
on the timing of his fault indu
tion. This possibility, together with an implemented signature
orre
tness
he
k was then used by the above papers to get a
ess to the bits of the private exponent
d. However, all the fault atta
ks des
ribed in [YJ,YKLM1,YKLM1,JQYY℄
an be easily prevented
by the various randomization possibilities for the RSA signature algorithm, e.g., randomization
of the message m, modul N and the private exponents dp and dq , or simply d. Note that these
te
hniques must be anyway implemented in a se
ure RSA signature algorithm to
ountera
t other
side-
hannel atta
ks.
Moreover, [YKLM1℄ proposed the following very interesting
ountermeasure. Their key idea is
the assuran
e to in
uen
e the
omputation of Sq or the overall
omputation of S when an error
o
urred during the
omputation of Sp , or vi
e versa. By the explanation of the
ryptanalysis given
in se
tion 2 it follows, that in this
ase no su
essful fault atta
k on RSA with CRT is possible.
They proposed this idea in order to over
ome the problem that an atta
ker might simply jump
over the spe
ial
riti
al point where the de
ision
on
erning the
omputation's
orre
tness is done.
Although su
h an atta
k seems questionable, it
an be simply defeated by a small appropriate
software. Unfortunately, re
ently it was shown by [BMS℄ that their proposal to perform a so
alled
infe
tive RSA CRT
omputation is not se
ure, i.e.
an be broken
ompletely by latti
e redu
tion
methods.
4
3 Physi
al fault atta
ks realization
First of all, we would like to stress again that modern high-end
ryptographi
devi
es, e.g., smart-
ards, are usually prote
ted by means of various and numerous sophisti
ated hardware me
hanisms
to dete
t any intrusion attempt into their system behavior,
f. [Ma,NR℄. This is due to the fa
t
that hardware manufa
turers of
ryptographi
devi
es su
h as smart
ard ICs have been aware of
the importan
e of prote
ting against intrusions by, e.g., external voltage variations, external
lo
k
variations, et
. for a long time. However, it should be
lear that the design of su
h me
hanisms is a
very diÆ
ult engineering task. Su
h me
hanisms must be able to tolerate natural slight deviations
from the standard values of the ele
tri
al parameter to be safeguarded, in order to ensure proper
fun
tionality of the underlying devi
e within the spe
ied range, as for example des
ribed in [ISO℄.
And, on the other side they have to dete
t very fast and low unnatural deviations from the spe
-
ied standard range, in order to dete
t any atta
k attempt by modifying the ele
tri
al exe
ution
onditions to alter a
omputation's result. For example, the standard spe
i
ation for smart
ard
ICs [ISO℄ allows for the smart
ard ICs
onta
t VCC under normal operating
onditions a voltage
supply between 4; 5V and 5; 5V.
Although there are lots of possibilities to introdu
e an error during the
ryptographi
operation
of an unprote
ted smart
ard hardware, i.e., the CPU working in
on
ert with a
rypto
opro
essor,
we will only explain en detail so
alled spikes atta
ks. The reason is that spike atta
ks are non
invasive atta
ks, whi
h require espe
ially no physi
al opening and no
hemi
al preparation of the
smart
ard IC. Thus, spike atta
ks are the most obvious method for atta
king smart
ard ICs. For
further information on various methods how to enfor
e erroneous
omputations of
hips without
hardware
ountermeasures, we refer to [A,AK1,AK2,Gu1,Gu2,Ko
a,Ma℄.
Spikes As seen above, a smart
ard must be able to tolerate on the
onta
t VCC a supply voltage
between 4; 5V and 5; 5V, where the standard voltage is spe
ied at 5V. Within this range the
smart
ard will be able to work properly. However, a deviation of the external power supply of
mu
h more than the spe
ied 10% toleran
e
ould
ause problems for a proper fun
tionality of
the smart
ard IC. Indeed, it
ould then lead to a wrong
omputation result, provided that the
smart
ard IC is still able to nish its
omputation
ompletely. But most often this is not possible,
as the spike
aused too mu
h trouble to the CPU of the smart
ard IC.
Although a spike seems from the above explanation very simple, a spe
i
type of a power spike
is determined by altogether nine dierent parameters. These nine parameters are determined by
a
ombination of time and voltage values and as well by the shape of the transition as shown in
gure 1. This indi
ates the range of dierent parameters whi
h must be s
anned for penetration
atta
ks against
ryptographi
devi
es. However, it also reveals the strong requirements for the
orresponding sensor me
hanisms.
From the former dis
ussion of spike atta
k, one
an envision the diÆ
ulties an atta
ker is
onfronted with, when he wants to over
ome all the a
tivated hardware
ountermeasures within
modern high-se
urity smart
ard ICs. Amongst them, there a various, numerous and espe
ially
nely tuned sensors and lters monitoring the frequen
y, voltage supply, et
., designed via highest
sophisti
ated ele
troni
ally me
hanisms.
In the eld of PayTV there exist lots of dierent penetration atta
ks. For instan
e, to lo
k
old smart
ard devi
es the TV-
hannel is used by the TV
ompanies to reprogram the smart
ards
when
onne
ted to the de
oder. Thus, after their legal usage time the smart
ards are exe
uting an
innity loop. The following gure 2 shows a
lassi
al \spike-hardware", whi
h is available from the
Internet and is used to
ra
k su
h lo
ked PayTV smart
ards. It does simply spikes on invalidated
smart
ards in order to leave the programmed innity loop, whi
h was intended to lo
k these
smart
ards. Therefore, these pirate devi
es are a
tually
alled \unlooper"
5
voltage
V3
V2
V1
t1 t2 t3 t4 time
6
3.1 Laboratory setting
In order to systemati
ally investigate the ee
ts of spikes and espe
ially our proposed
ountermea-
sures, we basi
ally used the following spike enfor
ing hardware set-up, whi
h is shown in gure
3.
spike generator
trigger 1234
PC
spike
control/
chip card IC
communication
With su
h a test set-up it is indeed possible to enfor
e a spike with a very high pre
iseness. This
is ne
essary, if the spike shall enfor
e only a tiny random
omputation fault rather than a
omplete
destru
tion of the smart
ard's
omputation, whi
h would make the smart
ard's
omputation result
unusable for a su
essful atta
k. Through the
oupling of the
ontrol and
ommuni
ation of the
smart
ard with a PC, whi
h is running a dedi
ated test-software, it is possible to observe and
analyze the smart
ard's rea
tion with respe
t to the applied spike-form as dis
ussed above, e.g.,
answering with a
orre
t/wrong answer sequen
e. Now, one has to nd by altering the 9 parameters
of the applied spike a set of parameters enabling a tiny random
omputation fault, but leaving the
smart
ard 's main
omputation untou
hed.
We will now dis
uss our results of su
essfully applied spike-atta
ks on our spe
i
ally designed
smart
ard hardware derived from a typi
al low-end smart
ard. The design modi
ation was ba-
si
ally a disenabling of any hardware
ountermeasures, to allow fault atta
ks on RSA using the
CRT. Moreover, for ease of exposition, we have also swit
hed o any (hardware and software)
ountermeasures to defeat other
lassi
al side-
hannel atta
ks, like Timing Analysis [Ko
h℄, Power
Analysis [KJJ℄, Ele
tromagneti
Analysis [SQ℄, et
.
However, to introdu
e a spike at the right position of the RSA with the CRT, one rst must
investigate the power prole of the
riti
al
omputation. Su
h a power prole of our investigated
opro
essor is shown in gure 4, whi
h we will now explain a little bit more further. The upper line
represents the prole of the smart
ard's I =O behavior. The rst I =O a
tivity is the start impulse
for the smart
ard and the se
ond peak is the answer sequen
e given by the smart
ard. Between
these two peaks the smart
ard is
omputing a 2048-bit RSA signature using the CRT. This is
shown in the lower line where the main power prole of the smart
ard is depi
ted.
The RSA-CRT
omputation starts at the time blo
k 1.5 and ends at the time blo
k 9.2. This
an be seen by the fa
t that the power
onsumption in
reases | due to the
opro
essors a
tivity.
One immediately re
ognizes the two dierent exponentiations, as they are the
onsumers whi
h
need for their whole duration the highest power
onsumption.
In our
ase the rst exponentiation lies in the time frame 1.6 to 5.1, and the se
ond exponen-
tiation lies in the time frame 5.3 to 8.8. Between these two exponentiations there is the loading of
7
the new data into the
rypto
opro
essor for the se
ond exponentiation and as well the
orre
tness
he
ks of the rst exponentiation. Before the rst exponentiation one re
ognizes the loading of the
data into the
rypto
opro
essor for the rst exponentiation, after the rst exponentiation the
or-
responding
orre
tness
he
ks and as well the loading of the data into the
rypto
opro
essorand
for the se
ond exponentiation and after the se
ond exponentiation again the
orre
tness
he
ks
of the se
ond exponentiation and nally the CRT
ombination of the two partial exponentiations
followed eventually by additional
orre
tness
he
k for the CRT
ombination.
The rst algorithm we atta
ked with our spike equipment was the pure RSA signature algorithm
using the CRT:
input: m; p; q; dp ; dq ; q
1
mod p
Sp := mdp mod p
d
Sq := m q mod q
S := Sq + ((Sp Sq ) q mod p) q
1
return(S )
output: m
d mod N
Before dis
ussing the results of our spike atta
ks on the above algorithm we note that the
inputs p; q; dp ; dq ; q 1 mod p are usually stored in EEPROM, while the message m is stored in
RAM. However, to
ompute with the data p; q; dp ; dq ; q 1 mod p they must moved during the
omputation from EEPROM into the
rypto
opro
essor. By varying the time when we applied
the appropriate spike to the smart
ard ICs power supply VCC , we were able to indu
e the following
dierent error s
enarios.
8
Observed error s
enarios
modi
ation of p; q
modi
ation of dp ; dq
modi
ation of q 1 mod p
wrong answer sequen
e of smart
ard IC
wrong exponentiation mod p
wrong exponentiation mod q
faulty signature mod p and mod q
error during
ombination of Sp and Sq
Due to the la
k of spa
e we must refer a
omplete dis
ussion and interpretation of our observed
error s
enarios to the full version of the present paper. However, from the above table it
learly
follows, that an atta
ker
an enfor
e any error he likes, when hitting the
orre
t time and spike
parameters as needed for the underlying unprote
ted hardware.
Thus, we
an
on
lude that it is absolutely ne
essary to have sophisti
ated hardware and
software
ountermeasures to hedge su
h kinds of atta
ks to break the RSA signature algorithm
using the CRT. Within the remaining se
tions we will analyze su
h already existing software
ountermeasures and also develop new sophisti
ated and espe
ially more reliable
ountermeasures.
Motivated by the devastating results obtained within the previous se
tion, we hereafter tested the
reliability of the software
ountermeasures due to [Sh℄ as desribed in se
tion 2. Thus, we applied at
arefully
hosen time points our formerly
hosen spikes parameters to the unprote
ted smart
ard
IC when
omputing the following RSA signature algorithm, shown in gure 5.
input: m; p; q; d; q
1 mod p
0 0d 0
Sq := (m mod q ) q mod q
0
Sp := Sp0 mod p
0
Sq := Sq mod q
S := Sq + ((Sp Sq ) q 1 mod p) q
output: m
d
mod (p q )
We will now brie
y summarize in a table the observed errors. But again, due to the la
k of
spa
e we must refer a detailed explanation and dis
ussion of the observed errors, their nature
9
and espe
ially their se
urity
onsequen
es to the full version of the present paper. But to give an
impression of possible problems,
onsider the
ase that during the
omputation of p0 the value of
p is
hanged to some value p ~, su
h that p0 = p~r. Then the
orre
tness
he
k mod r will fail.
The above table is organized as follows. The rst
olumn denotes the kind of error whi
h might
o
ur. The se
ond
olumn indi
ates whether the
ountermeasure re
ognizes the indu
ed fault, while
the se
ond indi
ates whether the
orresponding type of fault reveals the se
ret key. Finally, the
last
olumn says whether the
ountermeasure re
ognizes the devastating faults.
From the observed error s enario, we have learned by an extensive data analysis the following fa ts.
{ During the
omputation, every input value to the RSA signature algorithm
ould be altered
to a value dierent from the original value.
{ During the
omputation, every variable
an be
hanged.
{ The only values to trust, are the values whi
h are stored in ROM or EEPROM.
Che
k (at least in a probabilisti
sense) every
omputed intermediate result wrt. its
orre
tness
by relying on trusted values only.
In a rough sense, this
he
king philosophy is re
e
ted by gure 6, showing the old and the new
he
king philosophy.
Inspired by the previous se
tion and strong eÆ
ien
y requirements, we developed the following
ountermeasures to hedge the fault atta
k s
enario on RSA using the CRT. Also it takes into
a
ount, that a pra
ti
al appli
ation is given dp and dq only, instead of having a
ess to the full d.
Also, it avoids the use of the publi
exponent e, whi
h is most often not known to the signature
algorithm in real appli
ations.
10
old checking philosophy
p d (p)
check
p q p -1
RSA d, p
sp
p * p -1 = 1 (q) ?
m Combine s
RSA d, q
sq
q d (q)
p dp
RSA s pt mod p sp
dp, pt
cross
Combine check s
m
check
RSA s qt mod q sq
dq, qt
s
q dq
11
input: m; p; q; dp ; dq ; q
1 mod p
p
0 := p t
dp
0 := dp + random1 (p 1)
0 d
0
Sp := m p mod p
0
0 0
if :(p mod p 0 ^ dp mod (p 1) dp ) then return (error)
q
0 := q t
dq
0 := dq + random2 (q 1)
0 d0
Sq := m q mod q
0
0 0
if :(q mod q 0 ^ dq mod (q 1) dq ) then return(error)
Sp := Sp0 mod p
0
Sq := Sq mod q
S := Sq + ((Sp Sq ) q
1 mod p) q
if :((S mod p = Sp ) ^ (S mod q = Sq )) then return (error)
output: m
d
mod (p q )
12
4.3 Measurement results for enhan
ed software
ountermeasures
Through extensive penetration tests via spikes on the algorithm shown in gure 6 we obtained the
following table proving empiri
ally the reliability of our software
ountermeasures.
Clearly, the probability that an error is undete
ted is equal to 1=t. For t a 64-bit integer, this
probability is small enough; t
an thus be seen as a se
urity parameter.
5 Con
lusion
We have shown that the
lassi
al RSA with CRT fault atta
k is in prin
ipal feasible when using
ompletely unprote
ted mi
ro
ontrollers and moreover, that also prominent and eÆ
ient software
ountermeasures are not always
ompletely reliable. Thus, it answers again a question of Kaliski
and Robshaw [KR℄ to the aÆrmative, that these atta
ks are indeed pra
ti
al. Moreover, our in-
vestigation also reveals that one should test any
on
eivable
ountermeasures in reality against all
possible atta
k s
enarios before trusting them. This was espe
ially done with our newly developed
software
ountermeasures whi
h are indeed pra
ti
al, eÆ
ient and fully approved by extensive
pra
ti
al penetration test. We would like to stress again, that our su
essful atta
ks have been
only possible by swit
hing o the whole zoo of implemented hardware
ountermeasures. In the
eld these me
hanisms are always swit
hed on to
ountera
t spike atta
ks and lots of other at-
ta
ks in order to give the smart
ard user a full fun
tional tamper-resistant devi
e. And indeed,
su
h me
hanisms must be implemented on the
ard to prevent other known atta
ks rather than
ountera
ting the simple (but eÆ
ient) atta
k on the RSA signature algorithm.
So, we
lose with an advi
e due to Kaliski and Robshaw [KR℄ from the RSA Laboratories that
good engineering pra
ti
es in the design of se
ure hardware are essential.
6 A
knowledgments
We would like to thank Jorg S
hepers for helpful dis
ussions.
Referen
es
[A℄ R. Anderson, Se
urity Engineering, John Wiley & Sons, New York, 2001.
[AK1℄ R. Anderson, M. Kuhn, \Tamper Resistan
e { a
autionary note", Pro
. of 2nd USENIX Work-
shop on Ele
troni
Commer
e, pp. 1-11, 1996.
[AK2℄ R. Anderson, M. Kuhn, \Low
ost atta
ks atta
ks on tamper resistant devi
es", Pro
. of 1997
Se
urity Proto
ols Workshop, Springer LNCS vol. 1361, pp. 125-136, 1997.
[BDL℄ D. Boneh, R. A. DeMillo, R. Lipton, \On the Importan
e of Eliminating Errors in Cryptographi
Computations" Journal of Cryptology 14(2):101-120, 2001.
13
[BDHJ+ ℄ F. Bao, R. H. Deng, Y. Han, A. Jeng, A. D. Narasimbalu, T. Ngair, \Breaking publi
key
ryptosystems on tamper resistant dives in the presen
e of transient faults", Pro
. of 1997
Se
urity Proto
ols Workshop, Springer LNCS vol. 1361, pp. 115-124, 1997.
[BR℄ M. Bellare, P. Rogaway, \The exa
t se
urity of digital signatures | how to sign with RSA and
Rabin", Pro
. of EUROCRYPTO '96, Springer LNCS vol. 1070, pp. 399-416, 1996.
[BS℄ E. Biham, A. Shamir, \Dierential fault analysis of se
ret key
ryptosystems", Pro
. of
CRYPTO '97, Springer LNCS vol. 1294, pp. 513-525, 1997.
[BMM℄ I. Biehl, B. Meyer, V. Muller, \Dierential fault atta
ks on ellipti
urve
ryptosystems", Pro
.
of CRYPTO '00, Springer LNCS vol. 1880, pp. 131-146, 2000.
[BMS℄ J. Blomer, A. May, J.-P. Seifert, personal
ommuni
ation, April 2002.
[CQ℄ C. Couvreur, J.-J. Quisquater, \Fast de
ipherment algorithm for RSA publi
-key
ryptosystem",
Ele
troni
s Letters 18(21):905-907, 1982.
[FS℄ W. Fis
her, J.-P. Seifert, \Note on fast
omputation of se
ret RSA exponents", Pro
. of ACISP
'02, Springer LNCS vol. ?, pp. ?-?, 2002.
[Gu1℄ P. Gutmann, \Se
ure deletion of data from magneti
and solid-state memory", Pro
. of 6th
USENIX Se
urity Symposium, pp. 77-89, 1997.
[Gu2℄ P. Gutmann, \Data Remanen
e in Semi
ondu
tor Devi
es", Pro
. of 7th USENIX Se
urity
Symposium, pp. ?-?, 1998.
[HP1℄ H. Hands
huh, P. Pailler, \Smart Card Crypto-Copro
essors for Publi
-Key Cryptography",
CryptoBytes 4(1):6-11, 1998.
[HP2℄ H. Hands
huh, P. Pailler, \Smart Card Crypto-Copro
essors for Publi
-Key Cryptography",
Pro
. of CARDIS '98, Springer LNCS vol. 1820, pp. 372-379, 1998.
[ISO℄ International Organization for Standardization, \ISO/IEC 7816-3: Ele
troni
signals and trans-
mission proto
ols", http://www.iso.
h, 2002.
[JLQ℄ M. Joye, A. K. Lenstra, J.-J. Quisquater, \Chinese remaindering based
ryptosystem in the
presen
e of faults", Journal of Cryptology 12(4):241-245, 1999.
[JPY℄ M. Joye, P. Pailler, S.-M. Yen, \Se
ure Evaluation of Modular Fun
tions", Pro
. of 2001 Inter-
national Workshop on Cryptology and Network Se
urity, pp. 227-229, 2001.
[JQBD℄ M. Joye, J.-J. Quisquater, F. Bao, R. H. Deng, \RSA-type signatures in the presen
e of transient
faults", Cryptography and Coding , Springer LNCS vol. 1335, pp. 155-160, 1997.
[JQYY℄ M. Joye, J.-J. Quisquater, S. M. Yen, M. Yung, \Observability analysis | dete
ting when
improved
ryptosystems fail", Pro
. of CT-RSA Conferen
e 2002 , Springer LNCS vol. 2271,
pp. 17-29, 2002.
[KR℄ B. Kaliski, M. J. B. Robshaw, \Comments on some new atta
ks on
ryptographi
devi
es",
RSA Laboratories Bulletin 5, July 1997.
[Kn℄ D. E. Knuth, The Art of Computer Programming, Vol.2: Seminumeri
al Algorithms , 3rd ed.,
Addison-Wesley, Reading MA, 1999.
[Ko
a℄ O. Ko
ar, \Hardwaresi
herheit von Mikro
hips in Chipkarten", Datens
hutz und Datensi
her-
heit 20(7):421-424, 1996.
[Ko
h℄ P. Ko
her, \Timing atta
ks on implementations of DiÆe-Hellmann, RSA, DSS and other sys-
tems", Pro
. of CYRPTO '97, Springer LNCS vol. 1109, pp. 104-113, 1997.
[KJJ℄ P. Ko
her, J. Jae, J. Jun, \Dierential Power Analysis", Pro
. of CYRPTO '99, Springer
LNCS vol. 1666, pp. 388-397, 1999.
[Ma℄ D. P. Maher, \Fault indu
tion atta
ks, tamper resistan
e, and hostile reverse engineering in
perspe
tive", Pro
. of Finan
ial Cryptography, Springer LNCS vol. 1318, pp. 109-121, 1997.
[MvOV℄ A. J. Menezes, P. van Oors
hot, S. Vanstone, Handbook of Applied Cryptography, CRC Press,
New York, 1997.
[NR℄ D. Na
a
he, D. M'Raihi, \Cryptographi
smart
ards", IEEE Mi
ro, pp. 14-24, 1996.
[Pe℄ I. Petersen, \Chinks in digital armor | Exploiting faults to break smart
ard
ryptosystems",
S
ien
e News 151(5):78-79, 1997.
[RSA℄ R. Rivest, A. Shamir, L. Adleman, \A method for obtaining digital signatures and publi
-key
ryptosystems", Comm. of the ACM 21:120-126, 1978.
[SQ℄ D. Samyde, J.-J. Quisquater, \Ele
troMagneti
Analysis (EMA): Measures and Countermea-
sures for Smart Cards", Pro
. of Int. Conf. on Resear
h in Smart Cards, E-Smart 2001, Springer
LNCS vol. 2140, pp. 200-210, 2001.
[Sh℄ A. Shamir, \Method and Apparatus for prote
ting publi
key s
hemes from timing and fault
atta
ks", U.S. Patent Number 5,991,415, November 1999; also presented at the rump session of
EUROCRYPT'97.
14
[YJ℄ S.-M. Yen, M. Joye, \Che
king before output may not be enough against fault-based
ryptanal-
ysis", IEEE Trans. on Computers 49:967-970, 2000.
[YKLM1℄ S.-M. Yen, S.-J. Kim, S.-G. Lim, S.-J. Moon, \RSA Speedup with Residue Number System
immune from Hardware fault
ryptanalysis", Pro
. of the ICISC 2001, Springer LNCS vol. ?,
pp. ?-?, 2001.
[YKLM2℄ S.-M. Yen, S.-J. Kim, S.-G. Lim, S.-J. Moon, \A
ountermeasure against one physi
al
rypt-
analysis may benet another atta
k", Pro
. of the ICISC 2001, Springer LNCS vol. ?, pp. ?-?,
2001.
[ZM℄ Y. Zheng, T. Matsumoto, \Breaking real-world implementations of
ryptosystems by manipu-
lating their random number generation", Pro
. of the 1997 Symposium on Cryptography and
Information Se
urity, Springer LNCS vol. ?, pp. ?-?, 1997.
15