Arnaud Boscher

CRT RSA algorithm protected against fault attacks

Embedded devices performing RSA signatures are subject to Fault Attacks, particularly when the Chinese Remainder Theorem is used. In most cases, the modular exponentiation and the Garner recombination algorithms are targeted. To thwart Fault Attacks, we propose a new generic method of computing modular exponentiation and we prove its security in a realistic fault model. By construction, our proposal is also protected against Simple Power Analysis. Based on our new resistant exponentiation algorithm, we present two different ways of computing CRT RSA signatures in a secure way. We show that those methods do not increase execution time and can be easily implemented on low-resource devices.

Blinded Fault Resistant Exponentiation Revisited

Cryptographic algorithm implementations are subject to specific attacks, called side channel attacks, focusing on the analysis of their power consumption or execution time or on the analysis of faulty computations. At FDTC06, Fumaroli and Vigilant presented a generic method to compute an exponentiation resistant against different side channel attacks. However, even if this algorithm does not reveal information on the secrets in case of a fault attack, it can not be used to safely implement a crypto-system involving an exponentiation. In this paper, we propose a new exponentiation method without this drawback and give a security proof of resistance to fault attacks. As an application, we propose an RSA algorithm implemented using the Chinese Remainder Theorem protected against side channel attacks. The exponentiation algorithm is also33% faster than the previous method.

Masking Does Not Protect Against Differential Fault Attacks

Over the past ten years, cryptographic algorithms have been found to be vulnerable against side-channel attacks such as power analysis attacks, timing attacks, electromagnetic radiation attacks and fault attacks. These attacks capture leaking information from an implementation of the algorithm in software or in hardware and apply cryptanalytical and statistical tools to recover the secret keys. A very well-known countermeasure against these attacks is to randomize every execution of the algorithm and every intermediate piece of data with a so-called masking method. In this paper we demonstrate that traditional countermeasures such as masking methodsfor symmetric cryptosystems are completely inefficient against fault attacks. In other words, differential fault attacks still apply on masked data. As an example we show how to recover secret keys from two masked AES implementations using a basic differential fault attack.

Optimal use of montgomery multiplication on smart cards

Montgomery multiplication is used to speed up modular multiplications involved in public-key cryptosystems. However, it requires conversion of parameters into N-residue representation. These additional pre-computations can be costly for low resource devices like smart cards. In this paper, we propose a new, more efficient method, suitable for smart card implementations of most of public-key cryptosystems. Our approach essentially consists in modifying the representation of the key and the algorithm embedded in smart card in order to take advantage of the Montgomery multiplication properties.