CRT RSA Algorithm Protected Against Fault Attacks

Arnaud BOSCHER, Spansion EMEA
Robert NACIRI, Oberthur Card Systems
Emmanuel PROUFF, Oberthur Card Systems

WISTP - 5/10/07
Agenda
• RSA and Physical Attacks
• Modular Exponentiation Algorithm Resistant against Physical Attacks
• CRT RSA Algorithm Resistant against Physical Attacks

© 2007 Spansion Inc.
RSA and Physical Attacks
RSA Algorithm
• Public key:
  – Modulus: N
  – Public Exponent: e
• Private key:
  – Modulus: N = p · q
  – Private Exponent: d = e^-1 mod (p−1) · (q−1)
• RSA Signature Generation:
  – S = M^d mod N
• RSA Signature Verification:
  – Check M = S^e mod N ?
RSA Algorithm Using Chinese Remainder Theorem
• Private key CRT format:
  – Private Modulus: prime number p
  – Private Modulus: prime number q
  – Private Exponent: dp = e^-1 mod (p−1)
  – Private Exponent: dq = e^-1 mod (q−1)
  – Value: A = p^-1 mod q
• RSA Signature using CRT:
  – Sp = M^dp mod p
  – Sq = M^dq mod q
  – S = ((Sq − Sp) · A mod q) · p + Sp
Right-to-Left Modular Exponentiation
• Input: M, d = (d_(n−1), ..., d_0)_2, N
• Output: M^d mod N
• S ← 1
• A ← M
• For i from 0 to n − 1 do
  – If d_i = 1 then S ← S · A mod N
  – A ← A^2 mod N
• Return (S)
Simple Power Analysis
• Measurement of the power consumption while the embedded device executes RSA
• Modular Multiplication and Modular Square have different power consumptions:
  – 2 consecutive Modular Squares → d_i = 0
  – Modular Multiplication followed by a Modular Square → d_i = 1
• Classical Countermeasure: always perform a Modular Multiplication
Fault Analysis and Differential Fault Analysis
• Apply an external perturbation while the embedded device executes RSA to obtain an erroneous result
• DFA on CRT RSA:
  – Sp' = M^dp mod p + ε
  – Sq = M^dq mod q
  – S' = ((Sq − Sp') · A mod q) · p + Sp'
  – Gcd(S'^e mod N − M, N) = q
• Classical Countermeasures:
  – perform the signature twice
  – check it with the public exponent (if known)
Safe-Error Attacks
• Another kind of Fault Attack
• The countermeasure against SPA → a weakness w.r.t. Fault Attacks
• Attack the multiplication:
  – Final result correct → dummy multiplication → exponent bit was 0
  – Final result wrong → real multiplication → exponent bit was 1
• Retrieve the whole secret exponent bit by bit
• Difficult to counteract SPA and FA together
Modular Exponentiation Resistant to Simple Power Analysis and Fault Attacks
SPA-Resistant Modular Exponentiation Algorithm
Starting from the SPA-resistant algorithm:
• Input: M, d = (d_(n−1), ..., d_0)_2, N
• Output: M^d mod N
• S[0] ← 1
• S[1] ← 1
• A ← M
• For i from 0 to n − 1 do
  – If d_i = 1 then S[0] ← S[0] · A mod N
  – If d_i = 0 then S[1] ← S[1] · A mod N
  – A ← A^2 mod N
• Return (S[0])
Observations
• Loop of the algorithm:
  – For i from 0 to n − 1 do
    • If d_i = 1 then S[0] ← S[0] · A mod N
    • If d_i = 0 then S[1] ← S[1] · A mod N
    • A ← A^2 mod N
• A is independent of the exponent d:
  A = M^(2^n) mod N
• S[1] is the result of the modular exponentiation of M by not(d) = 2^n − d − 1:
  S[1] = M^(2^n − d − 1) mod N
• At every step, we have the following relation:
  M · S[0] · S[1] = A mod N
SPA/FA-Resistant Right-to-Left Modular Exponentiation
• Input: M, d = (d_(n−1), ..., d_0)_2, N
• Output: M^d mod N or "Error"
• S[0] ← 1
• S[1] ← 1
• A ← M
• For i from 0 to n − 1 do
  – S[d_i] ← S[d_i] · A mod N
  – A ← A^2 mod N
• If (M · S[0] · S[1] = A mod N) then
  – Return (S[0])
• Else
  – Return ("Error")
Algorithm Analysis
• Cost: 2 more modular multiplications than the SPA version
• Resistance against SPA: always a multiplication before a square.
• Security proof against DFA and Safe-Error Attacks in the following Attacker Model:
  – Can only perform one fault
  – Can make any modification ε on any variable: X' = X + ε
Security Proof
• The algorithm is divided into finite states that correspond to single-step computations:
  S[0]: 1 → M^d_0 → M^(d_1 · 2 + d_0) → … → M^d
• Fault Attack between two computations in S[0]:
  1 → … → M^((d_(i−1), …, d_0)_2) → M^((d_i, …, d_0)_2) + ε → … → M^d + ε'
• Final result: S'[0] = M^d + ε · (M^(2^i))^((d_(n−1), …, d_(i+1))_2)
• Equality doesn't hold: S'[0] · S[1] · M ≠ M^(2^n) if ε ≠ 0
• Same behavior for S[1]
Security Proof: the A variable case
• An error on variable A also impacts S[0] and S[1]
• The error needs to be written in a multiplicative way:
  A' = A + ε = A · β
• A' = M^(2^n) · β^(2^(n−i))
• S[0] · S[1] · M = M^(2^n) · β^(2^(n−i) − 1)
• Equality doesn't hold: S[0] · S[1] · M ≠ A' if β ≠ 1, i.e. if ε ≠ 0
CRT RSA Resistant to Fault Attacks
FA-Resistant CRT-RSA
• Having a DFA-resistant exponentiation is not enough to have a DFA-resistant CRT RSA:
  – the recombination step can be attacked
• Involve all the variables of the DFA-resistant exponentiation algorithm to protect the recombination
• The SPA/DFA-resistant exponentiation algorithm outputs:
  – (S1, S2, T) ← (M^d, M^not(d), M^(2^n))
• Perform 3 recombinations and make a final check
FA-Resistant CRT-RSA Signature
• Input: M, p, q, dp, dq, A, and b the bit-length of p and q
• Output: S or "Error"
• (S1p, S2p, Tp) ← (M^dp mod p, M^(2^b − dp − 1) mod p, M^(2^b) mod p)
• (S1q, S2q, Tq) ← (M^dq mod q, M^(2^b − dq − 1) mod q, M^(2^b) mod q)
• S1 ← ((S1q − S1p) · A mod q) · p + S1p
• S2 ← ((S2q − S2p) · A mod q) · p + S2p
• T ← ((Tq − Tp) · A mod q) · p + Tp
• If (M · S1 · S2 = T mod N) then
  – Return (S1)
• Else
  – Return ("Error")
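The following Python is an added example, not code from the slides or from the authors: it implements the FA-resistant CRT-RSA signature above (slide 19) with its three recombinations and final check, and contrasts it with the plain CRT signature of slide 5 under the DFA scenario of slide 8 (Sp' = Sp + ε). It shows that the protected version returns "Error" for the faulted half, whereas the unprotected recombination releases a value from which the slide-8 gcd isolates q. The toy key p = 61, q = 53, e = 17 and message M = 2790 are constructed; computing the triple (S1x, S2x, Tx) with `pow()` instead of the protected exponentiation is a simplification of this example, as are the function names and the `fault_eps` parameter.

```python
from math import gcd

# Added example: FA-resistant CRT-RSA signature (slide 19) beside the
# unprotected CRT signature (slide 5) under the slide-8 fault Sp' = Sp + eps.
# Toy key p = 61, q = 53, e = 17 (constructed values, not from the slides).

def recombine(xp, xq, p, q, A):
    """CRT recombination of slide 5: x = ((xq - xp) * A mod q) * p + xp, with A = p^-1 mod q."""
    return (((xq - xp) * A) % q) * p + xp


def exp_triple(M, dx, x, b):
    """(M^dx, M^(2^b - dx - 1), M^(2^b)) mod x.

    In a real implementation these three values are produced together by the
    SPA/FA-resistant exponentiation of slide 13; using pow() here is an
    assumption of this example so the block stays focused on the recombination.
    """
    return (pow(M, dx, x), pow(M, (1 << b) - dx - 1, x), pow(M, 1 << b, x))


def fa_resistant_crt_sign(M, p, q, dp, dq, A, b, fault_eps=0):
    """Return S = M^d mod N, or "Error" if the recombination check fails.

    fault_eps, if nonzero, is added to S1p before recombination to simulate a
    single transient fault on one half-size exponentiation result.
    """
    N = p * q
    S1p, S2p, Tp = exp_triple(M, dp, p, b)
    S1q, S2q, Tq = exp_triple(M, dq, q, b)
    S1p = S1p + fault_eps                  # simulated fault; zero in normal operation
    S1 = recombine(S1p, S1q, p, q, A)
    S2 = recombine(S2p, S2q, p, q, A)
    T = recombine(Tp, Tq, p, q, A)
    # Correctness slide: S1 = M^d, S2 = M^(2^b-d-1), T = M^(2^b) mod N, so
    # M * S1 * S2 == T. A fault in any half value or recombination breaks it
    # modulo p or q, hence modulo N.
    if (M * S1 * S2) % N == T % N:
        return S1 % N
    return "Error"


def unprotected_crt_sign(M, p, q, dp, dq, A, fault_eps=0):
    """Plain CRT signature of slide 5 with the same simulated fault and no check."""
    Sp = pow(M, dp, p) + fault_eps
    Sq = pow(M, dq, q)
    return recombine(Sp, Sq, p, q, A) % (p * q)


def factor_from_faulty_signature(S_faulty, M, e, N):
    """Slide 8: gcd(S'^e mod N - M, N) equals the prime whose half was computed correctly."""
    return gcd((pow(S_faulty, e, N) - M) % N, N)


if __name__ == "__main__":
    p, q, e = 61, 53, 17                          # constructed toy key
    N = p * q
    dp, dq = pow(e, -1, p - 1), pow(e, -1, q - 1) # 53 and 49
    A = pow(p, -1, q)                             # 20
    b = max(p.bit_length(), q.bit_length())       # 6
    M = 2790
    print("protected, no fault:", fa_resistant_crt_sign(M, p, q, dp, dq, A, b))
    print("protected, faulted S1p:", fa_resistant_crt_sign(M, p, q, dp, dq, A, b, fault_eps=1))
    S_bad = unprotected_crt_sign(M, p, q, dp, dq, A, fault_eps=1)
    print("unprotected faulty signature, gcd with N:", factor_from_faulty_signature(S_bad, M, e, N))
```

The check compares values modulo N, so a discrepancy that exists only modulo p (the faulted half) is still detected: M · S1' · S2 differs from T by ε · M · S2p modulo p, a nonzero term whenever M is coprime to p and ε is not a multiple of p. Note that `pow(x, -1, m)` requires Python 3.8 or later.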
Correctness of the algorithm
• Result of the 3 recombinations:
  – S1 = ((S1q − S1p) · A mod q) · p + S1p = M^d mod N
  – S2 = ((S2q − S2p) · A mod q) · p + S2p = M^(2^b − d − 1) mod N
  – T = ((Tq − Tp) · A mod q) · p + Tp = M^(2^b) mod N
• Equality holds: M · S1 · S2 = T mod N
Algorithm Analysis
• Cost: 2 additional recombinations
• Larger memory occupation: an alternative solution with less memory overhead is proposed in the paper
  – it detects an error with some probability
Conclusion
• New modular exponentiation algorithm resistant against SPA/DFA
• Proof of security in a realistic fault model
• Suitable for low-cost devices
• Can be used to construct an SPA/DFA-resistant CRT RSA signature algorithm
• Can be adapted to compute SPA/DFA-resistant scalar multiplication for elliptic curve cryptography
THANK YOU FOR YOUR ATTENTION
Trademark Attribution
Spansion, the Spansion Logo, MirrorBit, HD-SIM, ORNAND, and combinations thereof are trademarks of Spansion LLC. Other names used in this presentation are for informational purposes only and may be trademarks of their respective owners.