Fault atta

ks on RSA with CRT:

Con rete Results and Pra ti al Countermeasures

?

C. Aumuller?? P. Bier? ? ? W. Fis hery P. Hofreiterz J.-P. Seifertx

Inneon Te hnologies
Se urity & ChipCard ICs
CC TI Con epts & Innovations
D-81609 Muni h
Germany

Abstra t. This arti le des ribes on rete results and pra ti ally approved ountermeasures
on erning dierential fault atta ks on RSA using the CRT. It espe ially investigates smart-
ards with a RSA opro essor where any hardware ountermeasure to defeat su h fault
atta ks have been swit hed o. This s enario has been hosen in order to ompletely analyze
the resulting ee ts and errors o urring inside the hardware. Using the results of this kind
of physi al stress atta k enables the development of ompletely reliable software ounter-
measures. Although su essful RSA atta ks on the investigated hardware have been only
possible with an expensive enhan ed laboratory equipment, the ee ts on the unprote ted
hardware have been tremendously. This aused lots of analysis eorts to investigate what
really happened during the atta k. Indeed, this will be addressed in this paper.
We rst report on the nature of the resulting errors within the hardware due to the physi al
stress applied to the smart ard. Hereafter, we des ribe the experiments and results with a
very eÆ ient and prominent software RSA-CRT DFA ountermeasure. This method ould
be shown to be insuÆ ient, i.e., dete ted nearly no error, when we introdu ed stress at the
right position during the omputation. Naturally, a detailed error analysis model followed,
spe ifying every failure point during the RSA-CRT operation. This model nally allowed to
develop and present here new very pra ti ally oriented software ountermeasures hedging
the observed and hara terized fault atta ks. Eventually, we present the se urity analysis
of our new developed software RSA-CRT DFA ountermeasures. Thanks to their areful
spe i ation a ording to the observed and analyzed errors they resisted all kinds of physi al
stress atta ks and were able to dete t any subtle omputation error, thus avoiding to break
the smart ard by fault atta ks.
Nevertheless, we stress, that although our software ountermeasures have been fully approved
by pra ti al experiments, we are onvin ed that only sophisti ated hardware ountermeasures
like sensors and lters in ombination with software ountermeasures will be able to provide
a se ure and omfortable base to defeat in general any on eivable fault atta ks s enario on
smart ards properly.

Keywords: Fault atta ks, Bell ore atta k, Hardware se urity, Hardware robustness, RSA,
Chinese Remainder Theorem, Spike atta ks, Transient fault model, Software ountermea-
sures.
?
Readers should note that Inneon Te hnologies Corp. has led an international patent appli ation
ontaining this work.
?? hristian.aumuellerinfineon. om
???
peter.bierinfineon. om
y wieland.fis herinfineon. om
z peter.hofreiterinfineon. om
x jean-pierre.seifertinfineon. om
1 Introd ution
This paper shows and proves that fault atta ks on RSA with the CRT (also known as Bell ore
atta ks) due to [BDL℄ are indeed feasible and devastating if there are no hardware me hanisms
(like sensors and lters) nor any appropriate software ountermeasures implemented in the under-
lying smart ard ICs. However, this does not imply that modern high-se urity smart ard ICs are
vulnerable by this kind of atta ks. Instead, it shows that fault tolerant and robust hardware and
espe ially sophisti ated hardware ountermeasures are essential for the design of physi al se ure
hardware to prevent su h devastating ee ts as investigated in the following.
Moreover, we stress that it is impossible in the eld to swit h o these sophisti ated hardware
ountermeasures preventing this kind of atta ks | whi h has been done ex eptionally for our
detailed feasibility study on erning the pra ti ality of the Bell ore atta k by a spe i ally designed
hardware.
In order to provide better se urity for data prote tion under strong en ryption s hemes (e.g.,
RSA [RSA℄, 3DES [MvOV℄, et .) more and more implementations based on tamper-proof devi es
(e.g., smart ard ICs) are proposed. The main reason for this trend is that smart ard ICs provide
high reliability and se urity with more memory apa ity and better performan e hara teristi s
than onventional magneti stripe ard. The CPU in smart ards ontrols its data input and output
and prevents unauthorized a ess to a smart ard. With spe ial hara teristi s of omputational
ability, large memory apa ity and se urity, a large variety of ryptographi appli ations benet
from smart ard ICs. Due to this popular usage of tamper-resistan e, the arising of several new ideas
for physi al atta ks against smart ards in 1996 due to [Ko h℄ and [BDL℄ and again 1999 by [KJJ℄,
followed by [SQ℄, has attra ted a huge amount of resear h. However, within this vain, most resear h
so far fo used on Timing or Power Analysis atta ks. This is surprising as the frauds with smart ards
by indu ing faults are reality, f., [A,AK1,AK2℄, whereas no frauds via Timing or Power Analysis
atta ks have been reported so far. Moreover, as seen from the s ienti literature, the resear h on
faults based ryptanalysis or its pra ti al realization is not very a tive, when ompared with the
other side- hannel resear h. Furthermore, no pra ti al investigation of the most interesting and
pra ti al s enario, i.e., the so alled Bell ore atta k [BDL℄ on RSA with CRT [RSA,CQ℄ has been
reported so far.
Indeed, this topi will be for the rst time publi ly addressed within this paper. Thus, it answers
a question of Kaliski and Robshaw [KR℄ of how pra ti al these atta ks might be, answered denitely
here by physi ists and the designers and manufa tures of se ure hardware.
A tually, the present paper has three main themes. First, we will a tually present a pra ti al
ase study of fault atta ks on smart ards implementations of RSA in CRT mode. We will indeed
explain how to realize so alled spike atta ks on smart ards, analyze hereafter their intrinsi om-
plexity from an atta ker's point of view and reveal an appropriate test equipment to implement
su h fault atta ks. Se ond, we will present the resulting errors on ompletely unprote ted hardware
and software for RSA in CRT mode. In addition, we will demonstrate the insuÆ ien y of a very
prominent and eÆ ient software ountermeasure due to [Sh℄. Third, we will derive from the anal-
ysis of the previously obtained resulting errors new software ountermeasures whi h were proved
to fully work under extensive spike atta ks.
Only very re ently the eld of resear h on fault atta ks and their ountermeasures has been
shown some a tivity. For instan e, a series of papers [YJ,YKLM1,YKLM2,JQYY℄ ame up with
some new ideas for atta ks s enarios and also new ountermeasures to defeat fault atta ks. The
relevan e of this line of resear h to this paper and espe ially its pra ti al relevan e will be dis ussed
later within se tion 2.
The present paper is organized as follows. Se tion 2 brie y repeats RSA using the CRT and
the fault based ryptanalysis of RSA using the CRT a ording to [BDL,JLQ℄; it also in ludes
and dis usses the advantages and limitations of so far publi ly known software ountermeasures to
defeat fault atta ks on RSA in CRT mode. Se tion 3 basi ally digs into the real physi s of enfor ing
errors during the ryptographi omputation of smart ard ICs. Within se tion 4 we basi ally

2
investigate sophisti ated software ountermeasures derived from our pra ti al observations and
our proposed model to ountera t fault atta ks on RSA in CRT mode. We also present pra ti al
results whi h were obtained with our ountermeasures. Eventually we will draw some pra ti al
on lusion in se tion 5 on erning software ountermeasures to hedge su h Bell ore atta ks.

2 Preliminaries
2.1 The RSA System

Let N = p
q be the produ t of two large primes ea h n=2 bits long. To sign a message m 2 ZN
using RSA one omputes S := md mod N , where d is the private exponent satisfying e
d 
1 mod (p 1)(q 1) for the publi exponent e. The omputationally expensive part of signing
using RSA is the modular exponentiation of m. For eÆ ien y most implementations exponentiate
as follows: using repeated square and multiply they rst ompute Sp := md mod p and hereafter
d d
Sq := m mod q . They then use the CRT to onstru t the signature S = m mod N . This last

CRT step takes negligible time ompared to with the two exponentiations. It is done eÆ iently by
omputing

S = Sq + (Sp Sq )  (q mod p) mod p  q; (1)
1

using Garner's algorithm, f. [Kn℄.

The reason to use the CRT is that the exponentiation using the CRT is mu h faster than square
and multiply mod N . To see this, observe that Sp = md mod p = md mod (p 1) mod p. Usually, d is
of order N , while d mod (p 1) is of order p. Consequently, omputing Sp requires half as many
multipli ations as omputing S dire tly. In addition, intermediate values during the omputation
of Sp are only half as big | they are in the range [1; : : : ; p℄, rather than [1; : : : ; N ℄. Clearly, the
same arguments are valid for the omputation of Sq . When quadrati time omplexity is used,
multiplying two numbers in Zp takes a quarter of the time as multiplying elements in ZN . Hen e,
omputing Sp takes an eight of the time of omputing S dire tly. Thus, omputing Sp and Sq
this way takes a quarter of the time of omputing S dire tly. Thus, CRT exponentiation is four
times faster than dire t exponentiation. This is why RSA with CRT is the preferred method for
generating RSA signatures, f. [CQ,MvOV℄.

2.2 The fault-based ryptanalysis of RSA using CRT

For the sake of ompleteness we brie y re all the fault-based ryptanalysis of RSA using the CRT
due to [BDL℄ and assume the above notations.
Assume that during the omputation of a RSA signature for a message m via the CRT a random
error o urs during the omputation of Sp , thus yielding the faulty signature part Sp0 , whereas the
omputation of Sq is performed orre tly. Applying now the ombination of Sp0 and Sq via (1) will
yield an in orre t signature S 0 dierent from the orre t signature S , i.e., S S 0 6= 0. A ording
to the fault-based ryptanalysis of [BDL,JLQ℄, one obtains the fa torization of N by omputing
g d ((m (S 0 )e ) mod N; N ) = q:

2.3 Simple software ountermeasure to defeat the fault atta k

We will now present some simple ad-ho ountermeasures whi h have been already suggested within
[BDL,KR℄ to hedge the faults atta k s enario. One approa h is to perform al ulations twi e and
the other approa h suggests to verify the orre tness of the signature by omparing the inverse
result with the input.
The rst approa h is a very time- onsuming and it annot always provide a satisfa tory solution
sin e a permanent error ( aused by a permanenet hardware or software fault implementation bug)
may be undete table, even if the fun tion is omputed more than on e.

3
 The se ond approa h is to verify the orre tness by omparing the inverse result with the input
m . A RSA signature S = md mod N an be veried by raising S to the eth power and ompare
whether m  se mod N . Generally, this is not a satisfa tory solution sin e the parameter e ould
be a large integer and this he king pro edure be omes time- onsuming.
A ompletely dierent but very interesting ountermeasure is the introdu tion of randomness
into the RSA signature pro ess. Here, RSA is applied to F (m; r) where F is some formatting
fun tion and r is a random string whi h ensures that the user never signs the same message twi e.
Furthermore, given en erroneous signature the verier does not know the full plain-text that was
signed. Consequently, the above atta k annot be applied to this modied system f. [BDL,BR,KR℄.

2.4 Shamir's software Countermeasure

Shamir's basi idea, as presented in [Sh℄ is to sele t a random integer t and to do the following
omputations
Spt := m mod p  t;
d
Sqt := m mod q  t:
d

In the ase of Spt = Sqt mod t the omputation is dened to be error free and S is omputed
a ording to the CRT re ombination equation (1).
One drawba k in Shamir's method, as pointed out in [JPY℄, is the following. Within the CRT
mode of real RSA appli ations the value d is not known, only the values dp = d mod (p 1) and
dq = d mod (q 1) are known. Although d an be eÆ iently omputed from dp and dq only, as
des ribed in [FS℄, it will denitely limit the a eptan e of Shamir's method. Nevertheless, this
simple way of he king the omputations orre tness is anyway insuÆ ient as demonstrated later
by our pra ti al experiments.
But, the new software ountermeasures, as presented later, developed and motivated by our
experimental results alleviate the two formerly drawba ks of Shamir's method.

2.5 General remarks on methods to over ome fault atta ks

Only very re ently the eld of resear h on fault atta k ountermeasures has been emerged. For
instan e a series of papers [YJ,YKLM1,YKLM2,JQYY℄ assumed that the atta ker has a very
pre ise knowledge about the implementation details and espe ially an absolute a urate ontrol
on the timing of his fault indu tion. This possibility, together with an implemented signature
orre tness he k was then used by the above papers to get a ess to the bits of the private exponent
d. However, all the fault atta ks des ribed in [YJ,YKLM1,YKLM1,JQYY℄ an be easily prevented

by the various randomization possibilities for the RSA signature algorithm, e.g., randomization
of the message m, modul N and the private exponents dp and dq , or simply d. Note that these
te hniques must be anyway implemented in a se ure RSA signature algorithm to ountera t other
side- hannel atta ks.
Moreover, [YKLM1℄ proposed the following very interesting ountermeasure. Their key idea is
the assuran e to in uen e the omputation of Sq or the overall omputation of S when an error
o urred during the omputation of Sp , or vi e versa. By the explanation of the ryptanalysis given
in se tion 2 it follows, that in this ase no su essful fault atta k on RSA with CRT is possible.
They proposed this idea in order to over ome the problem that an atta ker might simply jump
over the spe ial riti al point where the de ision on erning the omputation's orre tness is done.
Although su h an atta k seems questionable, it an be simply defeated by a small appropriate
software. Unfortunately, re ently it was shown by [BMS℄ that their proposal to perform a so alled
infe tive RSA CRT omputation is not se ure, i.e. an be broken ompletely by latti e redu tion
methods.

4
3 Physi al fault atta ks realization

First of all, we would like to stress again that modern high-end ryptographi devi es, e.g., smart-
ards, are usually prote ted by means of various and numerous sophisti ated hardware me hanisms
to dete t any intrusion attempt into their system behavior, f. [Ma,NR℄. This is due to the fa t
that hardware manufa turers of ryptographi devi es su h as smart ard ICs have been aware of
the importan e of prote ting against intrusions by, e.g., external voltage variations, external lo k
variations, et . for a long time. However, it should be lear that the design of su h me hanisms is a
very diÆ ult engineering task. Su h me hanisms must be able to tolerate natural slight deviations
from the standard values of the ele tri al parameter to be safeguarded, in order to ensure proper
fun tionality of the underlying devi e within the spe ied range, as for example des ribed in [ISO℄.
And, on the other side they have to dete t very fast and low unnatural deviations from the spe -
ied standard range, in order to dete t any atta k attempt by modifying the ele tri al exe ution
onditions to alter a omputation's result. For example, the standard spe i ation for smart ard
ICs [ISO℄ allows for the smart ard ICs onta t VCC under normal operating onditions a voltage
supply between 4; 5V and 5; 5V.
Although there are lots of possibilities to introdu e an error during the ryptographi operation
of an unprote ted smart ard hardware, i.e., the CPU working in on ert with a rypto opro essor,
we will only explain en detail so alled spikes atta ks. The reason is that spike atta ks are non
invasive atta ks, whi h require espe ially no physi al opening and no hemi al preparation of the
smart ard IC. Thus, spike atta ks are the most obvious method for atta king smart ard ICs. For
further information on various methods how to enfor e erroneous omputations of hips without
hardware ountermeasures, we refer to [A,AK1,AK2,Gu1,Gu2,Ko a,Ma℄.

Spikes As seen above, a smart ard must be able to tolerate on the onta t VCC a supply voltage
between 4; 5V and 5; 5V, where the standard voltage is spe ied at 5V. Within this range the
smart ard will be able to work properly. However, a deviation of the external power supply of
mu h more than the spe ied 10% toleran e ould ause problems for a proper fun tionality of
the smart ard IC. Indeed, it ould then lead to a wrong omputation result, provided that the
smart ard IC is still able to nish its omputation ompletely. But most often this is not possible,
as the spike aused too mu h trouble to the CPU of the smart ard IC.
Although a spike seems from the above explanation very simple, a spe i type of a power spike
is determined by altogether nine dierent parameters. These nine parameters are determined by
a ombination of time and voltage values and as well by the shape of the transition as shown in
gure 1. This indi ates the range of dierent parameters whi h must be s anned for penetration
atta ks against ryptographi devi es. However, it also reveals the strong requirements for the
orresponding sensor me hanisms.
From the former dis ussion of spike atta k, one an envision the diÆ ulties an atta ker is
onfronted with, when he wants to over ome all the a tivated hardware ountermeasures within
modern high-se urity smart ard ICs. Amongst them, there a various, numerous and espe ially
nely tuned sensors and lters monitoring the frequen y, voltage supply, et ., designed via highest
sophisti ated ele troni ally me hanisms.
In the eld of PayTV there exist lots of dierent penetration atta ks. For instan e, to lo k
old smart ard devi es the TV- hannel is used by the TV ompanies to reprogram the smart ards
when onne ted to the de oder. Thus, after their legal usage time the smart ards are exe uting an
innity loop. The following gure 2 shows a lassi al \spike-hardware", whi h is available from the
Internet and is used to ra k su h lo ked PayTV smart ards. It does simply spikes on invalidated
smart ards in order to leave the programmed innity loop, whi h was intended to lo k these
smart ards. Therefore, these pirate devi es are a tually alled \unlooper"

5
voltage

V3

V2

V1

t1 t2 t3 t4 time

Fig. 1. Spike-parameters dening the shape of a spe i spike.

Fig. 2. \Unlooper" hardware from the internet to ra k PayTV smart ards.

6
3.1 Laboratory setting

In order to systemati ally investigate the ee ts of spikes and espe ially our proposed ountermea-
sures, we basi ally used the following spike enfor ing hardware set-up, whi h is shown in gure
3.

spike generator

trigger 1234

PC
spike

control/

chip card IC
communication

Fig. 3. S hemati of our test equipment.

With su h a test set-up it is indeed possible to enfor e a spike with a very high pre iseness. This
is ne essary, if the spike shall enfor e only a tiny random omputation fault rather than a omplete
destru tion of the smart ard's omputation, whi h would make the smart ard's omputation result
unusable for a su essful atta k. Through the oupling of the ontrol and ommuni ation of the
smart ard with a PC, whi h is running a dedi ated test-software, it is possible to observe and
analyze the smart ard's rea tion with respe t to the applied spike-form as dis ussed above, e.g.,
answering with a orre t/wrong answer sequen e. Now, one has to nd by altering the 9 parameters
of the applied spike a set of parameters enabling a tiny random omputation fault, but leaving the
smart ard 's main omputation untou hed.

3.2 Results on unprote ted hardware and software

We will now dis uss our results of su essfully applied spike-atta ks on our spe i ally designed
smart ard hardware derived from a typi al low-end smart ard. The design modi ation was ba-
si ally a disenabling of any hardware ountermeasures, to allow fault atta ks on RSA using the
CRT. Moreover, for ease of exposition, we have also swit hed o any (hardware and software)
ountermeasures to defeat other lassi al side- hannel atta ks, like Timing Analysis [Ko h℄, Power
Analysis [KJJ℄, Ele tromagneti Analysis [SQ℄, et .
However, to introdu e a spike at the right position of the RSA with the CRT, one rst must
investigate the power prole of the riti al omputation. Su h a power prole of our investigated
opro essor is shown in gure 4, whi h we will now explain a little bit more further. The upper line
represents the prole of the smart ard's I =O behavior. The rst I =O a tivity is the start impulse
for the smart ard and the se ond peak is the answer sequen e given by the smart ard. Between
these two peaks the smart ard is omputing a 2048-bit RSA signature using the CRT. This is
shown in the lower line where the main power prole of the smart ard is depi ted.
The RSA-CRT omputation starts at the time blo k 1.5 and ends at the time blo k 9.2. This
an be seen by the fa t that the power onsumption in reases | due to the opro essors a tivity.
One immediately re ognizes the two dierent exponentiations, as they are the onsumers whi h
need for their whole duration the highest power onsumption.
In our ase the rst exponentiation lies in the time frame 1.6 to 5.1, and the se ond exponen-
tiation lies in the time frame 5.3 to 8.8. Between these two exponentiations there is the loading of

7
the new data into the rypto opro essor for the se ond exponentiation and as well the orre tness
he ks of the rst exponentiation. Before the rst exponentiation one re ognizes the loading of the
data into the rypto opro essor for the rst exponentiation, after the rst exponentiation the or-
responding orre tness he ks and as well the loading of the data into the rypto opro essorand
for the se ond exponentiation and after the se ond exponentiation again the orre tness he ks
of the se ond exponentiation and nally the CRT ombination of the two partial exponentiations
followed eventually by additional orre tness he k for the CRT ombination.

Fig. 4. Power prole of RSA with the CRT.

The rst algorithm we atta ked with our spike equipment was the pure RSA signature algorithm
using the CRT:

input: m; p; q; dp ; dq ; q
1
mod p

Sp := mdp mod p
d
Sq := m q mod q

S := Sq + ((Sp Sq )  q mod p)  q
1

return(S )

output: m
d mod N

Before dis ussing the results of our spike atta ks on the above algorithm we note that the
inputs p; q; dp ; dq ; q 1 mod p are usually stored in EEPROM, while the message m is stored in
RAM. However, to ompute with the data p; q; dp ; dq ; q 1 mod p they must moved during the
omputation from EEPROM into the rypto opro essor. By varying the time when we applied
the appropriate spike to the smart ard ICs power supply VCC , we were able to indu e the following
dierent error s enarios.

8
 Observed error s enarios
modi ation of p; q
modi ation of dp ; dq
modi ation of q 1 mod p
wrong answer sequen e of smart ard IC
wrong exponentiation mod p
wrong exponentiation mod q
faulty signature mod p and mod q
error during ombination of Sp and Sq
Due to the la k of spa e we must refer a omplete dis ussion and interpretation of our observed
error s enarios to the full version of the present paper. However, from the above table it learly
follows, that an atta ker an enfor e any error he likes, when hitting the orre t time and spike
parameters as needed for the underlying unprote ted hardware.
Thus, we an on lude that it is absolutely ne essary to have sophisti ated hardware and
software ountermeasures to hedge su h kinds of atta ks to break the RSA signature algorithm
using the CRT. Within the remaining se tions we will analyze su h already existing software
ountermeasures and also develop new sophisti ated and espe ially more reliable ountermeasures.

3.3 Results on unprote ted hardware with simple software ountermeasures

Motivated by the devastating results obtained within the previous se tion, we hereafter tested the
reliability of the software ountermeasures due to [Sh℄ as desribed in se tion 2. Thus, we applied at
arefully hosen time points our formerly hosen spikes parameters to the unprote ted smart ard
IC when omputing the following RSA signature algorithm, shown in gure 5.

input: m; p; q; d; q
1 mod p

randomly hoose a short prime r, e.g., 32 bits

0
p := p  r
0
dp := d mod (p 1)  (r 1)
0
q := q  r
0
dq := d mod (q 1)  (r 1)
0 := (m mod p0 )dp mod p0
Sp
0

0 0d 0
Sq := (m mod q ) q mod q
0

Sp := Sp0 mod p
0
Sq := Sq mod q

S := Sq + ((Sp Sq )  q 1 mod p)  q

if ((Sp0 mod r) = (Sq0 mod r)) then

return(S )
else
return (error)

output: m
d
mod (p  q )

Fig. 5. Shamir's ountermeasure.

We will now brie y summarize in a table the observed errors. But again, due to the la k of
spa e we must refer a detailed explanation and dis ussion of the observed errors, their nature

9
and espe ially their se urity onsequen es to the full version of the present paper. But to give an
impression of possible problems, onsider the ase that during the omputation of p0 the value of
p is hanged to some value p ~, su h that p0 = p~r. Then the orre tness he k mod r will fail.

Observed error s enarios re og.? relev.? working?

modi ation of p; q time dep. time dep. time dep.
modi ation of d; d0p ; d0q time dep. no yes
modi ation of q 1 mod p no yes no
modi ation of r time dep. time dep. yes
wrong exp. mod p prob. 1 1=t yes yes
wrong exp. mod q prob. 1 1=t yes yes
faulty signature mod p and mod q prob. 1 1=t no no
error during omb. of Sp and Sq no yes no
modi ation of Sp or Sq time dep. yes no

The above table is organized as follows. The rst olumn denotes the kind of error whi h might
o ur. The se ond olumn indi ates whether the ountermeasure re ognizes the indu ed fault, while
the se ond indi ates whether the orresponding type of fault reveals the se ret key. Finally, the
last olumn says whether the ountermeasure re ognizes the devastating faults.

4 Pra ti al Fault atta ks ountermeasures for unprote ted hardware

Within this se tion we will rst analyze the observed error s enarios from the two former se tions
and hereafter propose our new ountermeasures. However, due to the la k of spa e this se tion will
be very shortened and we again refer the reader to the full version of our paper.

4.1 Model to understand resulting/possible faults

From the observed error s enario, we have learned by an extensive data analysis the following fa ts.

{ During the omputation, every input value to the RSA signature algorithm ould be altered
to a value dierent from the original value.
{ During the omputation, every variable an be hanged.
{ The only values to trust, are the values whi h are stored in ROM or EEPROM.

Armed with this knowledge, we formulated the following he king philosophy:

Che k (at least in a probabilisti sense) every omputed intermediate result wrt. its orre tness
by relying on trusted values only.

In a rough sense, this he king philosophy is re e ted by gure 6, showing the old and the new
he king philosophy.

4.2 Software ountermeasures derived a ording to the model

Inspired by the previous se tion and strong eÆ ien y requirements, we developed the following
ountermeasures to hedge the fault atta k s enario on RSA using the CRT. Also it takes into
a ount, that a pra ti al appli ation is given dp and dq only, instead of having a ess to the full d.
Also, it avoids the use of the publi exponent e, whi h is most often not known to the signature
algorithm in real appli ations.

10
 old checking philosophy

p d (p)
check

p q p -1

RSA d, p
sp
p * p -1 = 1 (q) ?

m Combine s

RSA d, q
sq

q d (q)

p dp

RSA s pt mod p sp
dp, pt

cross
Combine check s
m
check

RSA s qt mod q sq
dq, qt
s

q dq

new checking philosophy

Fig. 6. Information ow during he king.

11
input: m; p; q; dp ; dq ; q
1 mod p

let t be a short prime number, e.g., 16 bits

p
0 := p  t
dp
0 := dp + random1  (p 1)
0 d
0
Sp := m p mod p
0
0 0
if :(p mod p  0 ^ dp mod (p 1)  dp ) then return (error)

q
0 := q  t
dq
0 := dq + random2  (q 1)
0 d0
Sq := m q mod q
0
0 0
if :(q mod q  0 ^ dq mod (q 1)  dq ) then return(error)

Sp := Sp0 mod p
0
Sq := Sq mod q

S := Sq + ((Sp Sq )  q
1 mod p)  q
if :((S mod p = Sp ) ^ (S mod q = Sq )) then return (error)

Spt := Sp0 mod t

dpt := d0p mod (t 1)
0
Sqt := Sq mod t
0
dqt := dq mod (t 1)
if (Spt  Sqt mod t)
dqt dpt
then
return(S )
else
return (error)

output: m
d
mod (p  q )

Fig. 7. Pra ti ally se ured RSA with CRT.

12
4.3 Measurement results for enhan ed software ountermeasures

Through extensive penetration tests via spikes on the algorithm shown in gure 6 we obtained the
following table proving empiri ally the reliability of our software ountermeasures.

Observed error s enarios re og.? relev.? working?

0
modi ation of p; p ; q; q 0 yes yes yes
modi ation of d0p ; d0q yes yes yes
modi ation of q 1 mod p yes yes yes
modi ation of t yes yes yes
wrong exp. mod p prob. 1 1=t yes yes
wrong exp. mod q prob. 1 1=t yes yes
faulty signature mod p and mod q prob. 1 1=t no yes
error during omb. of Sp and Sq yes yes yes
modi ation of Sp or Sq yes yes yes

Clearly, the probability that an error is undete ted is equal to 1=t. For t a 64-bit integer, this
probability is small enough; t an thus be seen as a se urity parameter.

5 Con lusion
We have shown that the lassi al RSA with CRT fault atta k is in prin ipal feasible when using
ompletely unprote ted mi ro ontrollers and moreover, that also prominent and eÆ ient software
ountermeasures are not always ompletely reliable. Thus, it answers again a question of Kaliski
and Robshaw [KR℄ to the aÆrmative, that these atta ks are indeed pra ti al. Moreover, our in-
vestigation also reveals that one should test any on eivable ountermeasures in reality against all
possible atta k s enarios before trusting them. This was espe ially done with our newly developed
software ountermeasures whi h are indeed pra ti al, eÆ ient and fully approved by extensive
pra ti al penetration test. We would like to stress again, that our su essful atta ks have been
only possible by swit hing o the whole zoo of implemented hardware ountermeasures. In the
eld these me hanisms are always swit hed on to ountera t spike atta ks and lots of other at-
ta ks in order to give the smart ard user a full fun tional tamper-resistant devi e. And indeed,
su h me hanisms must be implemented on the ard to prevent other known atta ks rather than
ountera ting the simple (but eÆ ient) atta k on the RSA signature algorithm.
So, we lose with an advi e due to Kaliski and Robshaw [KR℄ from the RSA Laboratories that
good engineering pra ti es in the design of se ure hardware are essential.

6 A knowledgments
We would like to thank Jorg S hepers for helpful dis ussions.

Referen es
[A℄ R. Anderson, Se urity Engineering, John Wiley & Sons, New York, 2001.
[AK1℄ R. Anderson, M. Kuhn, \Tamper Resistan e { a autionary note", Pro . of 2nd USENIX Work-
shop on Ele troni Commer e, pp. 1-11, 1996.

[AK2℄ R. Anderson, M. Kuhn, \Low ost atta ks atta ks on tamper resistant devi es", Pro . of 1997
Se urity Proto ols Workshop, Springer LNCS vol. 1361, pp. 125-136, 1997.

[BDL℄ D. Boneh, R. A. DeMillo, R. Lipton, \On the Importan e of Eliminating Errors in Cryptographi
Computations" Journal of Cryptology 14(2):101-120, 2001.

13
[BDHJ+ ℄ F. Bao, R. H. Deng, Y. Han, A. Jeng, A. D. Narasimbalu, T. Ngair, \Breaking publi key
ryptosystems on tamper resistant dives in the presen e of transient faults", Pro . of 1997
Se urity Proto ols Workshop, Springer LNCS vol. 1361, pp. 115-124, 1997.

[BR℄ M. Bellare, P. Rogaway, \The exa t se urity of digital signatures | how to sign with RSA and
Rabin", Pro . of EUROCRYPTO '96, Springer LNCS vol. 1070, pp. 399-416, 1996.
[BS℄ E. Biham, A. Shamir, \Dierential fault analysis of se ret key ryptosystems", Pro . of
CRYPTO '97, Springer LNCS vol. 1294, pp. 513-525, 1997.

[BMM℄ I. Biehl, B. Meyer, V. Muller, \Dierential fault atta ks on ellipti urve ryptosystems", Pro .
of CRYPTO '00, Springer LNCS vol. 1880, pp. 131-146, 2000.

[BMS℄ J. Blomer, A. May, J.-P. Seifert, personal ommuni ation, April 2002.
[CQ℄ C. Couvreur, J.-J. Quisquater, \Fast de ipherment algorithm for RSA publi -key ryptosystem",
Ele troni s Letters 18(21):905-907, 1982.

[FS℄ W. Fis her, J.-P. Seifert, \Note on fast omputation of se ret RSA exponents", Pro . of ACISP
'02, Springer LNCS vol. ?, pp. ?-?, 2002.

[Gu1℄ P. Gutmann, \Se ure deletion of data from magneti and solid-state memory", Pro . of 6th
USENIX Se urity Symposium, pp. 77-89, 1997.

[Gu2℄ P. Gutmann, \Data Remanen e in Semi ondu tor Devi es", Pro . of 7th USENIX Se urity
Symposium, pp. ?-?, 1998.

[HP1℄ H. Hands huh, P. Pailler, \Smart Card Crypto-Copro essors for Publi -Key Cryptography",
CryptoBytes 4(1):6-11, 1998.

[HP2℄ H. Hands huh, P. Pailler, \Smart Card Crypto-Copro essors for Publi -Key Cryptography",
Pro . of CARDIS '98, Springer LNCS vol. 1820, pp. 372-379, 1998.

[ISO℄ International Organization for Standardization, \ISO/IEC 7816-3: Ele troni signals and trans-
mission proto ols", http://www.iso. h, 2002.
[JLQ℄ M. Joye, A. K. Lenstra, J.-J. Quisquater, \Chinese remaindering based ryptosystem in the
presen e of faults", Journal of Cryptology 12(4):241-245, 1999.
[JPY℄ M. Joye, P. Pailler, S.-M. Yen, \Se ure Evaluation of Modular Fun tions", Pro . of 2001 Inter-
national Workshop on Cryptology and Network Se urity, pp. 227-229, 2001.

[JQBD℄ M. Joye, J.-J. Quisquater, F. Bao, R. H. Deng, \RSA-type signatures in the presen e of transient
faults", Cryptography and Coding , Springer LNCS vol. 1335, pp. 155-160, 1997.
[JQYY℄ M. Joye, J.-J. Quisquater, S. M. Yen, M. Yung, \Observability analysis | dete ting when
improved ryptosystems fail", Pro . of CT-RSA Conferen e 2002 , Springer LNCS vol. 2271,
pp. 17-29, 2002.
[KR℄ B. Kaliski, M. J. B. Robshaw, \Comments on some new atta ks on ryptographi devi es",
RSA Laboratories Bulletin 5, July 1997.

[Kn℄ D. E. Knuth, The Art of Computer Programming, Vol.2: Seminumeri al Algorithms , 3rd ed.,
Addison-Wesley, Reading MA, 1999.
[Ko a℄ O. Ko ar, \Hardwaresi herheit von Mikro hips in Chipkarten", Datens hutz und Datensi her-
heit 20(7):421-424, 1996.

[Ko h℄ P. Ko her, \Timing atta ks on implementations of DiÆe-Hellmann, RSA, DSS and other sys-
tems", Pro . of CYRPTO '97, Springer LNCS vol. 1109, pp. 104-113, 1997.
[KJJ℄ P. Ko her, J. Jae, J. Jun, \Dierential Power Analysis", Pro . of CYRPTO '99, Springer
LNCS vol. 1666, pp. 388-397, 1999.
[Ma℄ D. P. Maher, \Fault indu tion atta ks, tamper resistan e, and hostile reverse engineering in
perspe tive", Pro . of Finan ial Cryptography, Springer LNCS vol. 1318, pp. 109-121, 1997.
[MvOV℄ A. J. Menezes, P. van Oors hot, S. Vanstone, Handbook of Applied Cryptography, CRC Press,
New York, 1997.
[NR℄ D. Na a he, D. M'Raihi, \Cryptographi smart ards", IEEE Mi ro, pp. 14-24, 1996.
[Pe℄ I. Petersen, \Chinks in digital armor | Exploiting faults to break smart ard ryptosystems",
S ien e News 151(5):78-79, 1997.

[RSA℄ R. Rivest, A. Shamir, L. Adleman, \A method for obtaining digital signatures and publi -key
ryptosystems", Comm. of the ACM 21:120-126, 1978.
[SQ℄ D. Samyde, J.-J. Quisquater, \Ele troMagneti Analysis (EMA): Measures and Countermea-
sures for Smart Cards", Pro . of Int. Conf. on Resear h in Smart Cards, E-Smart 2001, Springer
LNCS vol. 2140, pp. 200-210, 2001.
[Sh℄ A. Shamir, \Method and Apparatus for prote ting publi key s hemes from timing and fault
atta ks", U.S. Patent Number 5,991,415, November 1999; also presented at the rump session of
EUROCRYPT'97.

14
[YJ℄ S.-M. Yen, M. Joye, \Che king before output may not be enough against fault-based ryptanal-
ysis", IEEE Trans. on Computers 49:967-970, 2000.
[YKLM1℄ S.-M. Yen, S.-J. Kim, S.-G. Lim, S.-J. Moon, \RSA Speedup with Residue Number System
immune from Hardware fault ryptanalysis", Pro . of the ICISC 2001, Springer LNCS vol. ?,
pp. ?-?, 2001.
[YKLM2℄ S.-M. Yen, S.-J. Kim, S.-G. Lim, S.-J. Moon, \A ountermeasure against one physi al rypt-
analysis may benet another atta k", Pro . of the ICISC 2001, Springer LNCS vol. ?, pp. ?-?,
2001.
[ZM℄ Y. Zheng, T. Matsumoto, \Breaking real-world implementations of ryptosystems by manipu-
lating their random number generation", Pro . of the 1997 Symposium on Cryptography and
Information Se urity, Springer LNCS vol. ?, pp. ?-?, 1997.

15