Publication


Featured researches published by Jae-Cheol Ha.


international conference on progress in cryptology | 2005

Power analysis by exploiting chosen message and internal collisions – vulnerability of checking mechanism for RSA-Decryption

Sung-Ming Yen; Wei-Chih Lien; SangJae Moon; Jae-Cheol Ha

In this paper, we will point out a new side-channel vulnerability of cryptosystems implementation based on BRIP or square-multiply-always algorithm by exploiting specially chosen input message of order two. A recently published countermeasure, BRIP, against conventional simple power analysis (SPA) and differential power analysis (DPA) will be shown to be vulnerable to the proposed SPA in this paper. Another well known SPA countermeasure, the square-multiply-always algorithm, will also be shown to be vulnerable to this new attack. Further extension of the proposed attack is possible to develop more powerful attacks.


european symposium on research in computer security | 2008

A New Formal Proof Model for RFID Location Privacy

JungHoon Ha; SangJae Moon; Jianying Zhou; Jae-Cheol Ha

The privacy and security problems in RFID systems have been extensively studied. However, less research has been done on formal analysis of RFID security. The existing adversarial models proposed in the literature have limitations for analyzing RFID location privacy. In this paper, we propose a new formal proof model based on random oracle and indistinguishability. It not only considers passive/active attacks to the message flows between RFID reader and tag, but also takes into account physical attacks for disclosing tags' internal state, thus making it more suitable for real RFID systems. We further apply our model to analyze location privacy of an existing RFID protocol.


international conference on information security and cryptology | 2005

Relative doubling attack against montgomery ladder

Sung-Ming Yen; Lee-Chun Ko; SangJae Moon; Jae-Cheol Ha

Highly regular execution and the cleverly included redundant computation make the square-multiply-always exponentiation algorithm well known as a good countermeasure against the conventional simple power analysis (SPA). However, the doubling attack threatens the square-multiply-always exponentiation by fully exploiting the existence of such redundant computation. The Montgomery ladder is also recognized as a good countermeasure against the conventional SPA due to its highly regular execution. Most importantly, no redundant computation is introduced into the Montgomery ladder. In this paper, immunity of the Montgomery ladder against the doubling attack is investigated. One straightforward result is that the Montgomery ladder can be free from the original doubling attack. However, a non-trivial result obtained in this research is that a relative doubling attack proposed in this paper threatens the Montgomery ladder. The proposed relative doubling attack uses a totally different approach to derive the private key in which the relationship between two adjacent private key bits can be obtained as either $d_i = d_{i-1}$ or $d_i \ne d_{i-1}$. Finally, a remark is given to the problem of whether the upward (right-to-left) regular exponentiation algorithm is necessary against the original doubling attack and the proposed relative doubling attack.


Information Processing Letters | 1998

A common-multiplicand method to the Montgomery algorithm for speeding up exponentiation

Jae-Cheol Ha; SangJae Moon

A common-multiplicand method to the Montgomery algorithm makes an improvement in speed when right-to-left binary exponentiation is applied. The idea is that the same common part in two modular multiplications can be computed once rather than twice. It reduces the overall number of single-precision multiplications by about 16%, compared to exponentiation with the Montgomery algorithm.


international conference on information security and cryptology | 2002

Hardware fault attack on RSA with CRT revisited

Sung-Ming Yen; SangJae Moon; Jae-Cheol Ha

In this paper, some powerful fault attacks will be pointed out which can be used to factorize the RSA modulus if CRT is employed to speedup the RSA computation. These attacks are generic and can be applicable to Shamir's countermeasure and also applicable to a recently published enhanced countermeasure (trying to improve Shamir's method) for RSA with CRT. These two countermeasures share some similar structure in their designs and both suffer from some of the proposed attacks. The first kind of attack proposed in this paper is to induce a fault (which can be either a computational fault or any fault when data being accessed) into an important modulo reduction operation of the above two countermeasures. Note that this hardware fault attack can neither be detected by Shamir's countermeasure nor by the recently announced enhancement. The second kind of attack proposed in this paper considers permanent fault on some stored parameters in the above two countermeasures. The result shows that some permanent faults cannot be detected. Hence, the CRT-based factorization attack still works. The proposed CRT-based fault attacks once again reveals the importance of developing a sound countermeasure against RSA with CRT.


international conference on computational science and its applications | 2004

A Secure and Practical CRT-Based RSA to Resist Side Channel Attacks

ChangKyun Kim; Jae-Cheol Ha; Sung-Hyun Kim; Seo-Kyu Kim; Sung-Ming Yen; SangJae Moon

A secure and practical CRT-based RSA signature scheme is proposed against side channel attacks, including power analysis attack, timing attack, and fault analysis attack. The performance advantage obtained over other existing countermeasures is demonstrated. To prevent from fault attack, the proposed countermeasure employs a fault diffusion concept which is to spread the fault into the correct term during the recombination process by using CRT. This new countermeasure is also secure against differential power attack by using the message random blinding technique on RSA with CRT.


workshop on information security applications | 2007

Provably secure countermeasure resistant to several types of power attack for ECC

Jae-Cheol Ha; Jea-Hoon Park; SangJae Moon; Sung-Ming Yen

Recently, it has been shown that some cryptographic devices, such as smart card, RFID and USB token, are vulnerable to the power attacks if they have no defence against them. With the introduction of new types of power analysis attack on elliptic curve cryptosystem (ECC) which is implemented in these secure devices, most existing countermeasures against differential power analysis (DPA) are now vulnerable to new power attacks, such as a doubling attack (DA), refined power analysis attack (RPA), and zero-value point attack (ZPA). Mamiya et al. recently proposed a countermeasure (so-called BRIP) against the DPA, RPA, ZPA, and simple power analysis (SPA) by introducing a random initial value. Yet, the BRIP was also shown to be vulnerable to the address-bit DPA by Itoh et al. and the 2-torsion attack by Yen et al. Accordingly, this paper proposes a secure countermeasure based on a message-blinding technique. A security analysis demonstrates that the proposed countermeasure is secure against most existing power attacks with just a few additional registers.


australasian conference on information security and privacy | 2003

Permanent fault attack on the parameters of RSA with CRT

Sung-Ming Yen; SangJae Moon; Jae-Cheol Ha

Chinese remainder theorem has been widely employed to speedup the RSA computation. In this paper, one kind of permanent fault attack on RSA with CRT will be pointed out which exploits a permanent fault on the storage of either p or q. This proposed attack is generic and powerful which can be applicable to both the conventional RSA with CRT and Shamir's fault attack immune design of RSA with CRT. Two popular and one recently proposed CRT recombination algorithms which are necessary for the above two mentioned RSA with CRT will be carefully examined in this paper for their immunity against the proposed parameter permanent fault attack.


international conference on hybrid information technology | 2008

A New CRT-RSA Scheme Resistant to Power Analysis and Fault Attacks

Jae-Cheol Ha; ChulHyun Jun; Jea-Hoon Park; SangJae Moon; ChangKyun Kim


high performance computing and communications | 2005

A CRT-based RSA countermeasure against physical cryptanalysis

ChangKyun Kim; Jae-Cheol Ha; SangJae Moon; Sung-Ming Yen; Sung-Hyun Kim

Collaboration

Top Co-Authors

SangJae Moon, Kyungpook National University

Jea-Hoon Park, Kyungpook National University

Dooho Choi, Electronics and Telecommunications Research Institute

Yong-Je Choi, Electronics and Telecommunications Research Institute

KiSeok Bae, Kyungpook National University

Sung-Ming Yen, National Central University