Publication


Featured research published by SangJae Moon.


IEEE Transactions on Computers | 2003

RSA speedup with Chinese remainder theorem immune against hardware fault cryptanalysis

Sung-Ming Yen; Seungjoo Kim; Seongan Lim; SangJae Moon

This article considers the problem of how to prevent RSA signature and decryption computation with a residue number system (CRT-based approach) speedup from a hardware fault cryptanalysis in a highly reliable and efficient approach. CRT-based speedup for an RSA signature has been widely adopted as an implementation standard ranging from large servers to very tiny smart IC cards. However, given a single erroneous computation result, hardware fault cryptanalysis can totally break the RSA system by factoring the public modulus. Countermeasures using a simple verification function (e.g., raising a signature to the power of a public key) or fault detection (e.g., an expanded modulus approach) have been reported in the literature; however, it is pointed out that very few of these existing solutions are both sound and efficient. Unreasonably, in these methods, they assume that a comparison instruction will always be fault-free when developing countermeasures against hardware fault cryptanalysis. Research shows that the expanded modulus approach proposed by Shamir (1997, 1999) is superior to the approach using a simple verification function when another physical cryptanalysis (e.g., timing cryptanalysis) is considered. So, we intend to improve Shamir's method. In this paper, the new concepts of fault infective CRT computation and fault infective CRT recombination are proposed. Based on the new concepts, two novel protocols are developed with a rigorous proof of security. Two possible parameter settings are provided for the protocols. One setting selects a small public key and the proposed protocols can have comparable performance to Shamir's scheme. The other setting has better performance than Shamir's scheme (i.e., having comparable performance to conventional CRT speedup), but with a large public key. Most importantly, we wish to emphasize the importance of developing and proving the security of physically secure protocols without relying on unreliable or unreasonable assumptions, e.g., always fault-free instructions. In this paper, related protocols are also considered and carefully examined to point out possible weaknesses.
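The fault attack the abstract refers to (one faulty CRT half-computation lets gcd recover a prime factor of N) and the "simple verification function" countermeasure it criticises, simulated in Python as an added example for this page; this is not code from the paper or from Researchain. The toy key uses the Mersenne primes 2^61-1 and 2^31-1 purely so the example runs instantly; the message value, the single-bit-flip fault model and all function names are assumptions of the example.

```python
from math import gcd

# Constructed toy RSA key: the Mersenne primes 2^61-1 and 2^31-1. Far too
# small for real use; they only keep the example fast and deterministic.
P = (1 << 61) - 1
Q = (1 << 31) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# CRT precomputation, as a smart card would store it.
D_P = D % (P - 1)
D_Q = D % (Q - 1)
Q_INV = pow(Q, -1, P)               # q^-1 mod p for Garner's recombination


def crt_sign(m, fault_in_q=False):
    """CRT speedup of S = m^d mod N: two half-size exponentiations plus a
    recombination. fault_in_q=True simulates one transient hardware fault
    that corrupts the mod-q half; the mod-p half stays correct."""
    s_p = pow(m, D_P, P)
    s_q = pow(m, D_Q, Q)
    if fault_in_q:
        s_q = (s_q ^ 1) % Q             # single bit flip in the mod-q result
    h = (Q_INV * (s_p - s_q)) % P       # Garner: S = s_q + q*((s_p - s_q) q^-1 mod p)
    return s_q + Q * h


def factor_from_pair(s_good, s_bad):
    """Attack with a correct and a faulty signature of the same message:
    S == S' (mod p) but S != S' (mod q), so gcd(S - S', N) = p."""
    return gcd(s_good - s_bad, N)


def factor_from_faulty(m, s_bad):
    """Same attack from the faulty signature alone: S'^e == m (mod p) still
    holds while S'^e != m (mod q), so gcd(S'^e - m, N) = p."""
    return gcd(pow(s_bad, E, N) - m, N)


def crt_sign_checked(m, fault_in_q=False):
    """The simple verification countermeasure: raise the result to the public
    exponent and compare with the message before releasing it. As the
    abstract notes, this silently assumes the comparison itself cannot be
    faulted; fault-infective schemes drop that assumption by making any fault
    corrupt the whole output instead of relying on a branch."""
    s = crt_sign(m, fault_in_q)
    if pow(s, E, N) != m % N:
        return None                     # refuse to output a faulty signature
    return s


if __name__ == "__main__":
    msg = 123456789                     # constructed sample message
    good = crt_sign(msg)
    bad = crt_sign(msg, fault_in_q=True)
    print("p recovered from (S, S'):   ", factor_from_pair(good, bad) == P)
    print("p recovered from S' alone:  ", factor_from_faulty(msg, bad) == P)
    print("checked signer refuses S':  ", crt_sign_checked(msg, fault_in_q=True) is None)
```

The factor comes out exactly, not probabilistically: the flipped bit changes s_q, and x -> x^e is a permutation modulo the prime q, so the faulty signature can never agree with the correct one modulo q.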


international conference on information security and cryptology | 2001

A Countermeasure against One Physical Cryptanalysis May Benefit Another Attack

Sung-Ming Yen; Seungjoo Kim; Seongan Lim; SangJae Moon

Recently, many research works have been reported about how physical cryptanalysis can be carried out on cryptographic devices by exploiting any possible leaked information through side channels. In this paper, we demonstrate a new type of safe-error based hardware fault cryptanalysis which is mounted on a recently reported countermeasure against simple power analysis attack. This safe-error based attack is developed by inducing a temporary random computational fault rather than a temporary memory fault, which was explicitly assumed in the first published safe-error based attack (in which more precision on timing and fault location is assumed) proposed by Yen and Joye. Analysis shows that the new safe-error based attack proposed in this paper is powerful and feasible because the cryptanalytic complexity (especially the computational complexity) is quite small and the assumptions made are more reasonable. Existing research works considered many possible countermeasures against each kind of physical cryptanalysis. This paper and a few previous reports clearly show that a countermeasure developed against one physical attack does not necessarily thwart another kind of physical attack. However, almost no research has been done on dealing with the possible mutual relationship between different kinds of physical cryptanalysis when choosing a specific countermeasure. Most importantly, in this paper we wish to emphasize that a countermeasure developed against one physical attack, if not carefully examined, may benefit another physical attack tremendously. This issue has never been explicitly noticed previously but its importance cannot be overlooked because of the attack found in this paper. Notice that almost all the issues considered in this paper on a modular exponentiation also apply to a scalar multiplication over an elliptic curve.


international conference on progress in cryptology | 2005

Power analysis by exploiting chosen message and internal collisions – vulnerability of checking mechanism for RSA-Decryption

Sung-Ming Yen; Wei-Chih Lien; SangJae Moon; Jae-Cheol Ha

In this paper, we will point out a new side-channel vulnerability of cryptosystem implementations based on BRIP or the square-multiply-always algorithm by exploiting a specially chosen input message of order two. A recently published countermeasure, BRIP, against conventional simple power analysis (SPA) and differential power analysis (DPA) will be shown to be vulnerable to the SPA proposed in this paper. Another well known SPA countermeasure, the square-multiply-always algorithm, will also be shown to be vulnerable to this new attack. Further extension of the proposed attack is possible to develop more powerful attacks.
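The two abstracts above (the safe-error attack of the ICISC 2001 paper and the chosen-message SPA of this 2005 paper) both exploit the dummy multiplication that square-and-multiply-always performs for a 0 bit, so one added Python simulation serves both. It is example code written for this page, not code from either paper: the toy modulus and exponent, the Hamming-weight leakage model for SPA, the stuck-at-zero fault model and every function name are assumptions. The 2001 abstract does not name the countermeasure it targets; the safe-error half here uses square-multiply-always only to show the principle, and BRIP is not implemented.

```python
# Constructed toy parameters: a modulus built from two Mersenne primes and an
# arbitrary 30-bit secret exponent, far too small for real use but enough to
# run both simulated attacks instantly.
N = ((1 << 61) - 1) * ((1 << 31) - 1)
D = 0x3A7F1C9E


def hamming_weight(x):
    return bin(x).count("1")


def square_multiply_always(m, d, n, trace=None, fault_at=None):
    """Left-to-right square-and-multiply-always: one squaring and one
    multiplication per key bit, the product being discarded for a 0 bit.

    trace    - if given, receives the Hamming weight of the value written to
               r0 after every step; the next squaring reads that register, so
               this models what an SPA on the squarings observes.
    fault_at - if given, the multiplication result of that step (0 = MSB) is
               corrupted; zeroing it keeps the simulation deterministic.
    """
    r0 = 1
    for step, i in enumerate(range(d.bit_length() - 1, -1, -1)):
        r0 = (r0 * r0) % n           # squaring, always executed
        r1 = (r0 * m) % n            # multiplication, always executed
        if step == fault_at:
            r1 = 0                   # transient fault in the product register
        if (d >> i) & 1:
            r0 = r1                  # only a 1 bit keeps the product
        if trace is not None:
            trace.append(hamming_weight(r0))
    return r0


def chosen_message_spa(n, run, m=None):
    """run(x) executes the victim on message x and returns its HW trace.

    The chosen message is m = n - 1, which has order two (m^2 = 1 mod n):
    every intermediate r0 is then 1 or n - 1, so each trace entry names the
    key bit just processed (n - 1 after a 1 bit, 1 after a 0 bit). Pass any
    other message to see that the same classifier then learns nothing.
    """
    if m is None:
        m = n - 1
    heavy = hamming_weight(n - 1)
    d = 0
    for w in run(m):
        d = (d << 1) | (1 if w == heavy else 0)
    return d


def safe_error_attack(n_bits, run):
    """run(fault_at) returns the victim's output with the product of step
    fault_at corrupted (None: unfaulted run). A still-correct output means
    the corrupted product was discarded, i.e. that bit was 0; the dummy
    multiplication added to defeat SPA is exactly what leaks here.
    """
    correct = run(None)
    d = 0
    for step in range(n_bits):
        d = (d << 1) | (0 if run(step) == correct else 1)
    return d


def victim_trace(m):
    """Victim as seen by the SPA attacker: returns only the leakage trace."""
    trace = []
    square_multiply_always(m, D, N, trace=trace)
    return trace


def victim_output(fault_at):
    """Victim as seen by the fault attacker: fixed message, observable output."""
    return square_multiply_always(2, D, N, fault_at=fault_at)


if __name__ == "__main__":
    print("SPA, message n-1:", hex(chosen_message_spa(N, victim_trace)))
    print("SPA, message 2:  ", hex(chosen_message_spa(N, victim_trace, m=2)))
    print("safe-error:      ", hex(safe_error_attack(D.bit_length(), victim_output)))
```

Both attacks recover the full exponent from a single run (SPA) or one faulted run per key bit (safe-error). The point the two papers share is visible in the code: the regular, always-executed multiplication that hides the key from a conventional SPA is the very operation whose operand choice or discarded result the new attacks read.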


Computers & Security | 2010

Stability analysis of a SEIQV epidemic model for rapid spreading worms

Fangwei Wang; Yunkai Zhang; Changguang Wang; Jianfeng Ma; SangJae Moon

Internet worms have drawn significant attention owing to their enormous threats to the Internet. Due to the rapid spreading nature of Internet worms, it is necessary to implement automatic mitigation on the Internet. Inspired by worm vaccinations, we propose a novel epidemic model which combines both vaccinations and dynamic quarantine methods, referred to as the SEIQV model. Using the SEIQV model, we obtain the basic reproduction number that governs whether or not a worm is extinct. The impact of different parameters on this model is studied. Simulation results show that the performance of our model is significantly better than other models, in terms of decreasing the number of infected hosts and reducing the worm propagation speed.


european symposium on research in computer security | 2008

A New Formal Proof Model for RFID Location Privacy

JungHoon Ha; SangJae Moon; Jianying Zhou; Jae-Cheol Ha

The privacy and security problems in RFID systems have been extensively studied. However, less research has been done on formal analysis of RFID security. The existing adversarial models proposed in the literature have limitations for analyzing RFID location privacy. In this paper, we propose a new formal proof model based on the random oracle model and indistinguishability. It not only considers passive/active attacks on the message flows between RFID reader and tag, but also takes into account physical attacks for disclosing a tag's internal state, thus making it more suitable for real RFID systems. We further apply our model to analyze the location privacy of an existing RFID protocol.


australasian conference on information security and privacy | 2002

The LILI-II Keystream Generator

Andrew J. Clark; Ed Dawson; Joanne Fuller; Jovan Dj. Golic; Hoon Jae Lee; William Millan; SangJae Moon; Leonie Simpson

The LILI-II keystream generator is a LFSR based synchronous stream cipher with a 128 bit key. LILI-II is a specific cipher from the LILI family of keystream generators, and was designed with larger internal components than previous ciphers in this class, in order to provide increased security. The design offers large period and linear complexity, is immune to currently known styles of attack, and is simple to implement in hardware or software. The cipher achieves a security level of 128 bits.


international conference on information security and cryptology | 2001

RSA Speedup with Residue Number System Immune against Hardware Fault Cryptanalysis

Sung-Ming Yen; Seungjoo Kim; Seongan Lim; SangJae Moon

This article considers the problem of how to prevent the fast RSA signature and decryption computation with residue number system (also called the CRT-based approach) speedup from a hardware fault cryptanalysis in a highly reliable and efficient approach. The CRT-based speedup for RSA signature has been widely adopted as an implementation standard ranging from large servers to very tiny smart IC cards. However, given a single erroneous computation result, a hardware fault cryptanalysis can totally break the RSA system by factoring the public modulus. Some countermeasures using a simple verification function (e.g., raising a signature to the power of the public key) or fault detection (e.g., an expanded modulus approach) have been reported in the literature; however, it will be pointed out in this paper that very few of these existing solutions are both sound and efficient. Unreasonably, in these methods, they assume that a comparison instruction will always be fault-free when developing countermeasures against hardware fault cryptanalysis. Research shows that the expanded modulus approach proposed by Shamir is superior to the approach of using a simple verification function when other physical cryptanalysis (e.g., timing cryptanalysis) is considered. So, we intend to improve Shamir's method. In this paper, the new concepts of fault infective CRT computation and fault infective CRT recombination are proposed. Based on the new concepts, two novel protocols are developed with a rigorous proof of security. Two possible parameter settings are provided for the protocols. One setting is to select a small public key e, and the proposed protocols can have comparable performance to Shamir's scheme. The other setting is to have better performance than Shamir's scheme (i.e., having comparable performance to conventional CRT speedup) but with a large public key. Most importantly, we wish to emphasize the importance of developing and proving the security of physically secure protocols without relying on unreliable or unreasonable assumptions, e.g., always fault-free instructions.


international conference on information security and cryptology | 2004

Dragon: a fast word based stream cipher

Kevin Chen; Matthew Henricksen; William Millan; Joanne Fuller; Leonie Simpson; Ed Dawson; Hoon Jae Lee; SangJae Moon

This paper presents Dragon, a new stream cipher constructed using a single word based non-linear feedback shift register and a non-linear filter function with memory. Dragon uses a variable length key and initialisation vector of 128 or 256 bits, and produces 64 bits of keystream per iteration. At the heart of Dragon are two highly optimised 8 × 32 s-boxes. Dragon uses simple operations on 32-bit words to provide a high degree of efficiency in a wide variety of environments, making it highly competitive when compared with other word based stream ciphers. The components of Dragon are designed to resist all known attacks.


international conference on information security and cryptology | 2005

Relative doubling attack against montgomery ladder

Sung-Ming Yen; Lee-Chun Ko; SangJae Moon; Jae-Cheol Ha

Highly regular execution and the cleverly included redundant computation make the square-multiply-always exponentiation algorithm well known as a good countermeasure against the conventional simple power analysis (SPA). However, the doubling attack threatens the square-multiply-always exponentiation by fully exploiting the existence of such redundant computation. The Montgomery ladder is also recognized as a good countermeasure against the conventional SPA due to its highly regular execution. Most importantly, no redundant computation is introduced into the Montgomery ladder. In this paper, immunity of the Montgomery ladder against the doubling attack is investigated. One straightforward result is that the Montgomery ladder can be free from the original doubling attack. However, a non-trivial result obtained in this research is that a relative doubling attack proposed in this paper threatens the Montgomery ladder. The proposed relative doubling attack uses a totally different approach to derive the private key, in which the relationship between two adjacent private key bits can be obtained as either $d_i = d_{i-1}$ or $d_i \ne d_{i-1}$.
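The relative doubling attack described above, as an added Python simulation written for this page (not the paper's code). It assumes the doubling-attack collision oracle: from the power traces of two runs the attacker can tell whether two squarings processed the same operand, but cannot read the operand. The simulation models that oracle by recording the squaring operands and comparing them directly. The toy modulus, the exponent, the choice of base message and the function names are constructed for the example; the derivation in the docstring follows the ladder's invariant r1 = r0 * m, which the abstract itself does not spell out.

```python
# Constructed toy parameters: a modulus built from two Mersenne primes and an
# arbitrary 30-bit secret exponent, far too small for real use.
N = ((1 << 61) - 1) * ((1 << 31) - 1)
D = 0x3A7F1C9E


def montgomery_ladder(m, d, n, trace=None):
    """Montgomery powering ladder: per key bit one multiplication and one
    squaring, with no dummy operation. Invariant: r1 = r0 * m (mod n).

    If trace is given it receives the operand fed to each squaring. The
    attacker is assumed only to detect, across two runs, when two squarings
    processed the same operand, not to read the value itself.
    """
    r0, r1 = 1, m
    for i in range(d.bit_length() - 1, -1, -1):
        if (d >> i) & 1:
            squared = r1
            r0, r1 = (r0 * r1) % n, (r1 * r1) % n
        else:
            squared = r0
            r0, r1 = (r0 * r0) % n, (r0 * r1) % n
        if trace is not None:
            trace.append(squared)
    return r0


def relative_doubling_attack(n, run, m=2):
    """run(x) executes the victim ladder on message x and returns its
    squaring-operand trace.

    Before bit d_i is processed, r0 = m^k with k the value of the bits above
    i, so step i squares m^(k + d_i). On the message m^2 the same step
    squares m^(2k + 2 d_i); on m the following step squares
    m^(2k + d_i + d_{i-1}). Those two operands collide exactly when
    d_i = d_{i-1}. Chaining the equal/unequal relations from the leading
    1 bit recovers the whole exponent.
    """
    t_m = run(m)
    t_m2 = run((m * m) % n)
    bits = [1]                              # leading bit of d is 1
    for j in range(len(t_m) - 1):
        same = t_m2[j] == t_m[j + 1]        # collision <=> d_i == d_{i-1}
        bits.append(bits[-1] if same else 1 - bits[-1])
    d = 0
    for b in bits:
        d = (d << 1) | b
    return d


def victim_trace(m):
    """Victim as the attacker sees it: only the squaring-collision trace."""
    trace = []
    montgomery_ladder(m, D, N, trace=trace)
    return trace


if __name__ == "__main__":
    print("ladder correct:    ", montgomery_ladder(3, D, N) == pow(3, D, N))
    print("exponent recovered:", hex(relative_doubling_attack(N, victim_trace)))
```

Two runs suffice, one on m and one on m^2, and the attack needs no redundant computation in the target: it only uses the fact that the ladder's squaring operands for the two related messages line up one step apart whenever two adjacent key bits agree.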


workshop on fault diagnosis and tolerance in cryptography | 2006

Cryptanalysis of two protocols for RSA with CRT based on fault infection

Sung-Ming Yen; Dongryeol Kim; SangJae Moon


Collaboration

Top Co-Authors

Jea-Hoon Park
Kyungpook National University

Sung-Ming Yen
National Central University

KiSeok Bae
Kyungpook National University

Young-Ho Park
Pukyong National University

JungHoon Ha
Kyungpook National University

ChangKyun Kim
Kyungpook National University

Dooho Choi
Electronics and Telecommunications Research Institute