CRT RSA Algorithm Protected Against Fault Attacks
WISTP - 5/10/07

Arnaud BOSCHER, Spansion EMEA
Robert NACIRI, Oberthur Card Systems
Emmanuel PROUFF, Oberthur Card Systems


© 2007 Spansion Inc.

Agenda

• RSA and Physical Attacks

• Modular Exponentiation Algorithm Resistant against Physical Attacks

• CRT RSA Algorithm Resistant against Physical Attacks


RSA and Physical Attacks


RSA Algorithm

• Public key:

– Modulus: $N$

– Public Exponent: $e$

• Private key:

– Modulus: $N = p \cdot q$

– Private Exponent: $d = e^{-1} \bmod (p-1)(q-1)$

• RSA Signature Generation:

– $S = M^d \bmod N$

• RSA Signature Verification:

– Check $M = S^e \bmod N$?


RSA Algorithm Using Chinese Remainder Theorem

• Private key CRT format:

– Private Modulus: prime number $p$

– Private Modulus: prime number $q$

– Private Exponent: $d_p = e^{-1} \bmod (p-1)$

– Private Exponent: $d_q = e^{-1} \bmod (q-1)$

– Value: $A = p^{-1} \bmod q$

• RSA Signature using CRT:

– $S_p = M^{d_p} \bmod p$

– $S_q = M^{d_q} \bmod q$

– $S = ((S_q - S_p) \cdot A \bmod q) \cdot p + S_p$


Right-to-Left Modular Exponentiation

• Input: $M$, $d = (d_{n-1}, \dots, d_0)_2$, $N$

• Output: $M^d \bmod N$

• $S \leftarrow 1$

• $A \leftarrow M$

• For $i$ from $0$ to $n-1$ do

– If $d_i = 1$ then $S \leftarrow S \cdot A \bmod N$

– $A \leftarrow A^2 \bmod N$

• Return $(S)$


Simple Power Analysis

• Measurement of the power consumption while the embedded device executes RSA

• Modular Multiplication and Modular Square have different power consumptions, so the trace reveals the exponent bits:

– 2 consecutive Modular Squares ⇒ $d_i = 0$

– Modular Multiplication followed by a Modular Square ⇒ $d_i = 1$

• Classical Countermeasure: always perform a Modular Multiplication (a dummy one when $d_i = 0$)


Fault Analysis and Differential Fault Analysis

• Make an external perturbation while the embedded device executes RSA to get an erroneous result

• DFA on CRT RSA (one faulty signature is enough):

– $S_p' = M^{d_p} \bmod p + \varepsilon$

– $S_q = M^{d_q} \bmod q$

– $S' = ((S_q - S_p') \cdot A \bmod q) \cdot p + S_p'$

– $\gcd(S'^e \bmod N - M,\; N) = q$ (since $S' \equiv S_q \pmod q$ is still correct while $S' \not\equiv S_p \pmod p$)

• Classical Countermeasures:

– perform the signature twice and compare the two results

– check the result with the public exponent $e$ (if known)
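The DFA of this slide carried through on a toy CRT key, as an added example that is not the authors' code. The key uses two Mersenne primes (chosen because their primality is certain, far too small for real use), the fault is modelled exactly as on the slide by adding $\varepsilon$ to $S_p$, and the two classical countermeasures are written out as checks. The message value is a constructed stand-in for a padded hash. Assumes Python 3.8+ for `pow(x, -1, m)`.

```python
import math

# Constructed toy key: two Mersenne primes (certainly prime, far too small for real use), e = 65537.
p, q = 2**31 - 1, 2**61 - 1
N = p * q
e = 65537
d = pow(e, -1, (p - 1) * (q - 1))            # Python 3.8+ modular inverse
dp, dq = d % (p - 1), d % (q - 1)
A = pow(p, -1, q)                            # the slide's A = p^-1 mod q


def crt_sign(M, eps=0):
    """Unprotected CRT-RSA signature (slide 5); eps != 0 models the fault Sp' = Sp + eps of slide 8."""
    Sp = pow(M, dp, p) + eps
    Sq = pow(M, dq, q)
    return (((Sq - Sp) * A) % q) * p + Sp


def verify(M, S):
    return pow(S, e, N) == M % N


def bellcore_factor(M, S_faulty):
    """The faulty signature is still correct mod q but wrong mod p, so gcd(S'^e - M, N) = q."""
    return math.gcd((pow(S_faulty, e, N) - M) % N, N)


def sign_twice(M, eps=0):
    """Classical countermeasure 1: sign twice and compare (the fault is modelled on the first run only)."""
    S_first, S_second = crt_sign(M, eps), crt_sign(M)
    return S_first if S_first == S_second else "Error"


def sign_and_verify(M, eps=0):
    """Classical countermeasure 2: check the result with the public exponent before releasing it."""
    S = crt_sign(M, eps)
    return S if verify(M, S) else "Error"


M = 2**40 + 1                                # constructed message representative, gcd(M, N) = 1

if __name__ == "__main__":
    S_bad = crt_sign(M, eps=7)
    print("faulty signature verifies:", verify(M, S_bad))
    print("gcd recovers q:", bellcore_factor(M, S_bad) == q)
    print("sign-twice:", sign_twice(M, 7), " sign-and-verify:", sign_and_verify(M, 7))
```

The attacker needs neither the exponent nor the fault value: any single faulty signature that is correct modulo one prime and wrong modulo the other factors $N$. Both classical countermeasures catch this fault, at the price of a second CRT exponentiation or of a public-exponent check that is only possible when $e$ is available to the device.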


Safe-Errors Attacks

• Another kind of Fault Attack

• Targets the countermeasure against SPA: the dummy multiplication is a weakness w.r.t. Fault Attacks

• Attack the multiplication: inject a fault into one multiplication and observe whether the final result is still correct

– Final result correct ⇒ dummy multiplication ⇒ exponent bit was 0

– Final result wrong ⇒ real multiplication ⇒ exponent bit was 1

• Retrieve the whole secret exponent bit by bit

• Difficult to counteract SPA and FA together
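The safe-error attack of this slide run against the square-and-always-multiply countermeasure of slide 7, as an added example that is not the authors' code. The dummy multiplication, the single transient fault on the multiplier output and the toy Mersenne-prime key are constructed here; the attacker distinguishes an absorbed fault from a propagated one with the public key alone (comparing against a known-good signature would work equally well). Assumes Python 3.8+.

```python
# Constructed toy key: Mersenne primes (certainly prime, far too small for real use), e = 65537.
p, q = 2**31 - 1, 2**61 - 1
N = p * q
e = 65537
d = pow(e, -1, (p - 1) * (q - 1))            # Python 3.8+ modular inverse
n = d.bit_length()


def exp_always_multiply(M, x, mod, n, fault_step=None):
    """Right-to-left square-and-ALWAYS-multiply: the classical SPA countermeasure of slide 7.
    When x_i = 0 the product is still computed but thrown away (dummy multiplication).
    fault_step: the multiplication output at that iteration is corrupted (the model of slide 9)."""
    S, A = 1, M % mod
    for i in range(n):
        T = (S * A) % mod
        if i == fault_step:
            T = (T + 1) % mod                  # one transient fault on the multiplier output
        if (x >> i) & 1:
            S = T                              # real multiplication: the fault propagates
        else:
            _dummy = T                         # dummy multiplication: the fault is absorbed
        A = (A * A) % mod
    return S


def safe_error_attack(M, device, n):
    """Recover the exponent bit by bit using only the public key: if the faulted
    signature still verifies, the fault hit a dummy multiplication (bit 0)."""
    x = 0
    for i in range(n):
        S = device(M, i)                       # one signature per bit, fault at step i
        if pow(S, e, N) != M:                  # fault propagated -> real multiplication -> bit 1
            x |= 1 << i
    return x


M = 2**40 + 1                                  # constructed message representative, gcd(M, N) = 1


def demo():
    """The attacker's oracle is the device signing M with a fault at the requested step."""
    device = lambda msg, step: exp_always_multiply(msg, d, N, n, step)
    return safe_error_attack(M, device, n) == d


if __name__ == "__main__":
    print("exponent recovered bit by bit:", demo())
```

Note what the countermeasure bought and what it cost: the power trace now shows one multiplication before every square, so SPA sees nothing, but the same dummy operation turns every fault into a one-bit oracle. This is the tension the next section resolves by making both multiplications real and checking their product.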


Modular Exponentiation Resistant to Simple Power Analysis and Fault Attacks


SPA-Resistant Modular Exponentiation Algorithm

• Starting from the SPA-resistant algorithm:

• Input: $M$, $d = (d_{n-1}, \dots, d_0)_2$, $N$

• Output: $M^d \bmod N$

• $S[0] \leftarrow 1$

• $S[1] \leftarrow 1$

• $A \leftarrow M$

• For $i$ from $0$ to $n-1$ do

– If $d_i = 1$ then $S[0] \leftarrow S[0] \cdot A \bmod N$

– If $d_i = 0$ then $S[1] \leftarrow S[1] \cdot A \bmod N$

– $A \leftarrow A^2 \bmod N$

• Return $(S[0])$


Observations

• Loop of the algorithm:

– For $i$ from $0$ to $n-1$ do

• If $d_i = 1$ then $S[0] \leftarrow S[0] \cdot A \bmod N$

• If $d_i = 0$ then $S[1] \leftarrow S[1] \cdot A \bmod N$

• $A \leftarrow A^2 \bmod N$

• $A$ is independent of the exponent $d$:

$A = M^{2^n} \bmod N$

• $S[1]$ is the result of the modular exponentiation of $M$ by $\mathrm{not}(d) = 2^n - d - 1$ (every bit of $d$ complemented):

$S[1] = M^{2^n - d - 1} \bmod N$

• At every step (after bit $i$ has been processed, with $A = M^{2^{i+1}}$), we have the following relation:

$M \cdot S[0] \cdot S[1] = A \bmod N$


SPA/FA-Resistant Right-to-Left Modular Exponentiation

• Input: $M$, $d = (d_{n-1}, \dots, d_0)_2$, $N$

• Output: $M^d \bmod N$ or "Error"

• $S[0] \leftarrow 1$

• $S[1] \leftarrow 1$

• $A \leftarrow M$

• For $i$ from $0$ to $n-1$ do

– $S[d_i] \leftarrow S[d_i] \cdot A \bmod N$

– $A \leftarrow A^2 \bmod N$

• If $(M \cdot S[0] \cdot S[1] = A \bmod N)$ then

– Return $(S[0])$

• Else

– Return ("Error")


Algorithm Analysis

• Cost: 2 extra modular multiplications (the final check) compared to the SPA-resistant version

• Resistance against SPA: always a multiplication before a square, whatever the exponent bit

• Security proof against DFA and Safe-Error Attacks in the following Attacker Model:

– can only perform one fault

– can make any modification $\varepsilon$ on any variable: $X' = X + \varepsilon$


Security Proof

• The algorithm is divided into finite states that correspond to single computation steps; for $S[0]$:

$1 \;\to\; M^{d_0} \;\to\; M^{d_1 \cdot 2 + d_0} \;\to\; \dots \;\to\; M^d$

• Fault Attack between two computations in $S[0]$ (error $\varepsilon$ injected once bit $i$ has been processed):

$1 \to \dots \to M^{(d_{i-1}, \dots, d_0)_2} \to M^{(d_i, \dots, d_0)_2} + \varepsilon \to \dots \to M^d + \varepsilon'$

• Final result: the remaining multiplications by $A = M^{2^{i+1}}, M^{2^{i+2}}, \dots$ carry the error through, so

$S'[0] = M^d + \varepsilon \cdot M^{\sum_{j > i} d_j 2^j}$

• Equality doesn't hold: $S'[0] \cdot S[1] \cdot M \neq M^{2^n} \pmod N$ if $\varepsilon \neq 0$ (precisely: if $\varepsilon \not\equiv 0 \pmod N$ and $\gcd(M, N) = 1$, so that the error term $\varepsilon \cdot M^{\sum_{j > i} d_j 2^j} \cdot M \cdot S[1]$ is non-zero modulo $N$)

• Same behavior for $S[1]$


Security Proof: the A variable case

• An error on variable $A$ also impacts $S[0]$ and $S[1]$, since every later multiplication uses the corrupted $A$

• The error needs to be written in a multiplicative way (possible when $A$ is invertible modulo $N$, i.e. $\gcd(M, N) = 1$); for a fault on $A = M^{2^i}$ just before it is used at step $i$:

$A' = A + \varepsilon = A \cdot \beta$

• After the remaining $n - i$ squarings: $A' = M^{2^n} \cdot \beta^{2^{n-i}}$

• The multiplications into $S[0]$ and $S[1]$ at steps $i, \dots, n-1$ pick up $\beta, \beta^2, \dots, \beta^{2^{n-i-1}}$, so $S[0] \cdot S[1] \cdot M = M^{2^n} \cdot \beta^{2^{n-i} - 1}$

• Equality doesn't hold: $S[0] \cdot S[1] \cdot M \neq A' \pmod N$ if $\beta \neq 1$, i.e. if $\varepsilon \neq 0$


CRT RSA Resistant to Fault Attacks


FA-Resistant CRT-RSA

• Having a DFA-resistant exponentiation is not enough to have a DFA-resistant CRT RSA:

– the recombination step can be attacked (a fault on $S_p$ or $S_q$ once the exponentiation check has passed produces exactly the faulty signature of the DFA slide)

• Involve all the variables of the DFA-resistant exponentiation algorithm to protect the recombination

• The SPA/DFA-resistant exponentiation algorithm outputs:

– $(S_1, S_2, T) \leftarrow (M^d,\; M^{\mathrm{not}(d)},\; M^{2^n})$

• Perform 3 recombinations and make a final check


FA-Resistant CRT-RSA Signature

• Input: $M$, $p$, $q$, $d_p$, $d_q$, $A$, and $b$ the bit-length of $p$ and $q$

• Output: $S$ or "Error"

• $(S_{1p}, S_{2p}, T_p) \leftarrow (M^{d_p} \bmod p,\; M^{2^b - d_p - 1} \bmod p,\; M^{2^b} \bmod p)$

• $(S_{1q}, S_{2q}, T_q) \leftarrow (M^{d_q} \bmod q,\; M^{2^b - d_q - 1} \bmod q,\; M^{2^b} \bmod q)$

• $S_1 \leftarrow ((S_{1q} - S_{1p}) \cdot A \bmod q) \cdot p + S_{1p}$

• $S_2 \leftarrow ((S_{2q} - S_{2p}) \cdot A \bmod q) \cdot p + S_{2p}$

• $T \leftarrow ((T_q - T_p) \cdot A \bmod q) \cdot p + T_p$

• If $(M \cdot S_1 \cdot S_2 = T \bmod N)$ then

– Return $(S_1)$

• Else

– Return ("Error")


Correctness of the algorithm

• Result of the 3 recombinations:

• $S_1 = ((S_{1q} - S_{1p}) \cdot A \bmod q) \cdot p + S_{1p} = M^d \bmod N$

• $S_2 = ((S_{2q} - S_{2p}) \cdot A \bmod q) \cdot p + S_{2p} = M^{2^b - d - 1} \bmod N$

• $T = ((T_q - T_p) \cdot A \bmod q) \cdot p + T_p = M^{2^b} \bmod N$

• Equality holds: $M \cdot S_1 \cdot S_2 = T \bmod N$ (modulo $p$: $M \cdot M^{d_p} \cdot M^{2^b - d_p - 1} = M^{2^b}$, and likewise modulo $q$)


Algorithm Analysis

• Cost: 2 additional recombinations

• Memory occupation is larger: an alternative solution with less memory overhead is proposed in the paper

– it detects an error only with some probability


Conclusion

• New modular exponentiation algorithm resistant against SPA/DFA

• Proof of security in a realistic fault model

• Suitable for low cost devices

• Can be used to construct SPA/DFA-resistant CRT RSA signature algorithm

• Can be adapted to compute SPA/DFA-resistant scalar multiplication for elliptic curve cryptography


THANK YOU FOR YOUR ATTENTION


Trademark Attribution

Spansion, the Spansion Logo, MirrorBit, HD-SIM, ORNAND, and combinations thereof are trademarks of Spansion LLC. Other names used in this presentation are for informational purposes only and may be trademarks of their respective owners.