CRT RSA Algorithm Protected Against Fault Attacks

Page 1: CRT RSA Algorithm Protected Against Fault Attacks

CRT RSA Algorithm Protected Against Fault Attacks
WISTP - 5/10/07

Arnaud BOSCHER, Spansion EMEA

Robert NACIRI, Oberthur Card Systems

Emmanuel PROUFF, Oberthur Card Systems

Page 2: CRT RSA Algorithm Protected Against Fault Attacks

2 © 2007 Spansion Inc.

Agenda

•RSA and Physical Attacks

•Modular Exponentiation Algorithm Resistant against Physical Attacks

•CRT RSA Algorithm Resistant against Physical Attacks

Page 3: CRT RSA Algorithm Protected Against Fault Attacks

RSA and Physical Attacks

Page 4: CRT RSA Algorithm Protected Against Fault Attacks

RSA Algorithm

• Public key:

–Modulus: N

–Public Exponent: e

• Private key:

–Modulus: N = p · q

–Private Exponent: d = e^{-1} mod (p−1)·(q−1)

• RSA Signature Generation:

–S = M^d mod N

• RSA Signature Verification:

–Check M = S^e mod N ?

Page 5: CRT RSA Algorithm Protected Against Fault Attacks

RSA Algorithm Using Chinese Remainder Theorem

• Private key CRT format:

–Private Modulus: prime number p

–Private Modulus: prime number q

–Private Exponent: dp = e^{-1} mod (p−1)

–Private Exponent: dq = e^{-1} mod (q−1)

–Value : A = p^{-1} mod q

• RSA Signature using CRT:

–Sp = M^{dp} mod p

–Sq = M^{dq} mod q

–S = ((Sq − Sp) · A mod q) · p + Sp

Page 6: CRT RSA Algorithm Protected Against Fault Attacks

Right-to-Left Modular Exponentiation

• Input: M, d = (d_{n−1}, …, d_0)_2, N

• Output: M^d mod N

• S ← 1

• A ← M

• For i from 0 to n − 1 do

– If d_i = 1 then S ← S · A mod N

– A ← A^2 mod N

• Return (S)

Page 7: CRT RSA Algorithm Protected Against Fault Attacks

Simple Power Analysis

•Measurement of power consumption when the embedded device executes RSA

•Modular Multiplication and Modular Square have different power consumptions:

–2 consecutive Modular Squares ⇒ d_i = 0

–Modular Multiplication followed by a Modular Square ⇒ d_i = 1

• Classical Countermeasure: always perform a Modular Multiplication

Page 8: CRT RSA Algorithm Protected Against Fault Attacks

Fault Analysis and Differential Fault Analysis

• Make external perturbation when the embedded device executes RSA to get an erroneous result

• DFA on CRT RSA:

– Sp' = M^{dp} mod p + ε

– Sq = M^{dq} mod q

– S' = ((Sq − Sp') · A mod q) · p + Sp'

– gcd(S'^e mod N − M, N) = q

• Classical Countermeasures:

– perform the signature twice

– check it with the public exponent (if known)

Page 9: CRT RSA Algorithm Protected Against Fault Attacks

Safe-Errors Attacks

• Other kind of Fault Attacks

• The classical countermeasure against SPA (dummy multiplication) is weak w.r.t. Fault Attacks

• Attack the multiplication:

–Final result correct ⇒ dummy multiplication ⇒ exponent bit was 0

–Final result wrong ⇒ real multiplication ⇒ exponent bit was 1

• Retrieve the whole secret exponent bit by bit

• Difficult to counteract SPA and FA together

Page 10: CRT RSA Algorithm Protected Against Fault Attacks

Modular Exponentiation Resistant to Simple Power Analysis and Fault Attacks

Page 11: CRT RSA Algorithm Protected Against Fault Attacks

SPA-Resistant Modular Exponentiation Algorithm

• Starting from the SPA-resistant algorithm:

• Input: M, d = (d_{n−1}, …, d_0)_2, N

• Output: M^d mod N

• S[0] ← 1

• S[1] ← 1

• A ← M

• For i from 0 to n − 1 do

– If d_i = 1 then S[0] ← S[0] · A mod N

– If d_i = 0 then S[1] ← S[1] · A mod N

– A ← A^2 mod N

• Return (S[0])

Page 12: CRT RSA Algorithm Protected Against Fault Attacks

Observations

• Loop of the algorithm:

– For i from 0 to n − 1 do

• If d_i = 1 then S[0] ← S[0] · A mod N

• If d_i = 0 then S[1] ← S[1] · A mod N

• A ← A^2 mod N

• A is independent of the exponent d:

A = M^{2^n} mod N

• S[1] is the result of the modular exponentiation of M by not(d) = 2^n − d − 1:

S[1] = M^{2^n − d − 1} mod N

• At every step, we have the following relation:

M · S[0] · S[1] = A mod N

Page 13: CRT RSA Algorithm Protected Against Fault Attacks

SPA/FA-Resistant Right-to-Left Modular Exponentiation

• Input: M, d = (d_{n−1}, …, d_0)_2, N

• Output: M^d mod N or ”Error”

• S[0] ← 1

• S[1] ← 1

• A ← M

• For i from 0 to n − 1 do

– S[d_i] ← S[d_i] · A mod N

– A ← A^2 mod N

• If (M · S[0] · S[1] = A mod N) then

• Return (S[0])

• Else

• Return (”Error”)

Page 14: CRT RSA Algorithm Protected Against Fault Attacks

Algorithm Analysis

• Cost: 2 additional modular multiplications compared to the SPA version

• Resistance against SPA: always a multiplication before a square.

• Security proof against DFA and Safe-Errors Attacks in the following Attacker Model:

–Can only perform one fault

–Can make any modification ε on any variable: X' = X + ε

Page 15: CRT RSA Algorithm Protected Against Fault Attacks

Security Proof

• The algorithm is divided into a finite sequence of states, each corresponding to one computation step:

S[0]: 1 → M^{d_0} → M^{d_1·2 + d_0} → … → M^d

• Fault Attack between two computations in S[0]:

1 → … → M^{(d_{i−1}, …, d_0)_2} → M^{(d_i, …, d_0)_2} + ε → … → M^d + ε'

• Final result: S'[0] = M^d + ε · (M^{2^i})^{(d_{n−1}, …, d_{i+1})_2}

• Equality doesn't hold: S'[0] · S[1] · M ≠ M^{2^n} if ε ≠ 0

• Same behavior for S[1]

Page 16: CRT RSA Algorithm Protected Against Fault Attacks

Security Proof: the A variable case

• Error on variable A also impacts S[0] and S[1]

• The error is rewritten in multiplicative form:

A' = A + ε = A · β

• A' = M^{2^n} · β^{2^{n−i}}

• S[0] · S[1] · M = M^{2^n} · β^{2^{n−i} − 1}

• Equality doesn't hold: S[0] · S[1] · M ≠ A' if β ≠ 1, i.e. if ε ≠ 0

Page 17: CRT RSA Algorithm Protected Against Fault Attacks

CRT RSA Resistant to Fault Attacks

Page 18: CRT RSA Algorithm Protected Against Fault Attacks

FA-Resistant CRT-RSA

• Having a DFA-resistant exponentiation is not enough to have a DFA-resistant CRT RSA:

– recombination step can be attacked

• Involve all the variables of the DFA-resistant exponentiation algorithm to protect the recombination

• SPA/DFA-resistant exponentiation algorithm outputs:

– (S1, S2, T) ← (M^d, M^{not(d)}, M^{2^n})

• Perform 3 recombinations and make final check

Page 19: CRT RSA Algorithm Protected Against Fault Attacks

FA-Resistant CRT-RSA Signature

• Input: M, p, q, dp, dq, A, and b the bit-length of p and q

• Output: S or ”Error”

• (S1p, S2p, Tp) ← (M^{dp} mod p, M^{2^b − dp − 1} mod p, M^{2^b} mod p)

• (S1q, S2q, Tq) ← (M^{dq} mod q, M^{2^b − dq − 1} mod q, M^{2^b} mod q)

• S1 ← ((S1q − S1p) · A mod q) · p + S1p

• S2 ← ((S2q − S2p ) · A mod q) · p + S2p

• T ← ((Tq − Tp) · A mod q) · p + Tp

• If (M · S1 · S2 = T mod N) then

• Return (S1)

• Else

• Return (”Error”)

Page 20: CRT RSA Algorithm Protected Against Fault Attacks

Correctness of the algorithm

• Result of the 3 recombinations:

• S1 = ((S1q − S1p) · A mod q) · p + S1p = M^d mod N

• S2 = ((S2q − S2p) · A mod q) · p + S2p = M^{2^b − d − 1} mod N

• T = ((Tq − Tp) · A mod q) · p + Tp = M^{2^b} mod N

• Equality holds: M · S1 · S2 = T mod N
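An added Python example, not the authors' code, covering slides 5, 8, 18, 19 and 20: it signs with the plain CRT recombination of slide 5, reproduces the gcd observation of slide 8 on a faulted Sp, and shows the three-recombination check of slide 19 rejecting a fault injected on either half-result. The toy key (two Mersenne primes, e = 65537), the message and ε are constructed; because the two primes differ in size, b is taken as the bit-length of the larger one. The triples (S1, S2, T) are computed with pow() instead of the protected exponentiation, so that only the recombination step of slide 18 is under test here.

```python
# Added example: CRT-RSA signature (slide 5), the DFA of slide 8 against an
# unprotected recombination, and the FA-resistant recombination of slide 19.
# Not code from the slides; the key below is constructed for the demo.
from math import gcd

# Constructed toy key: 2^61 - 1 and 2^89 - 1 are (Mersenne) primes, e = 65537.
P = (1 << 61) - 1
Q = (1 << 89) - 1
E = 65537
N = P * Q
DP = pow(E, -1, P - 1)          # dp = e^-1 mod (p-1)
DQ = pow(E, -1, Q - 1)          # dq = e^-1 mod (q-1)
A = pow(P, -1, Q)               # A  = p^-1 mod q
# b of slide 19; the constructed primes differ in size, so take the larger length.
B = max(P.bit_length(), Q.bit_length())


def recombine(xp, xq):
    """Slide 5: ((xq - xp) * A mod q) * p + xp, i.e. x mod N from (x mod p, x mod q)."""
    return (((xq - xp) * A) % Q) * P + xp


def crt_sign_unprotected(M, eps_p=0):
    """Plain CRT-RSA of slide 5.  eps_p != 0 simulates Sp' = Sp + eps (slide 8)."""
    sp = (pow(M, DP, P) + eps_p) % P
    sq = pow(M, DQ, Q)
    return recombine(sp, sq)


def dfa_gcd(faulty_sig, M):
    """The gcd of slide 8: gcd(S'^e mod N - M, N).  It equals q when only the
    mod-p half was faulted, which is why the recombination needs protecting."""
    return gcd(pow(faulty_sig, E, N) - M, N)


def crt_sign_protected(M, fault=None):
    """Slide 19.  fault = (half, index, eps) adds eps to one of the six
    half-results (half "p" or "q", index 0/1/2 for S1/S2/T) right before the
    three recombinations, i.e. a fault on a recombination input (slide 18)."""
    halves = {}
    for name, d, m in (("p", DP, P), ("q", DQ, Q)):
        # (S1, S2, T) = (M^d, M^(2^b - d - 1), M^(2^b)) mod p, likewise mod q
        halves[name] = [pow(M, d, m), pow(M, (1 << B) - d - 1, m), pow(M, 1 << B, m)]
    if fault is not None:
        half, idx, eps = fault
        m = P if half == "p" else Q
        halves[half][idx] = (halves[half][idx] + eps) % m
    S1, S2, T = (recombine(halves["p"][k], halves["q"][k]) for k in range(3))
    # Final check of slide 19: M * S1 * S2 == T (mod N) by slide 20.
    if (M * S1 * S2) % N == T % N:
        return S1
    return "Error"


def demo(M=0x5EC0DE, eps=0xBAD):
    """Sign a constructed message correctly, then replay the slide-8 fault
    against both the unprotected and the protected recombination."""
    good = crt_sign_unprotected(M)
    faulty = crt_sign_unprotected(M, eps)
    return {
        "verifies": pow(good, E, N) == M,
        "protected_matches": crt_sign_protected(M) == good,
        "leaked_factor_is_q": dfa_gcd(faulty, M) == Q,
        "protected_fault_on_S1p": crt_sign_protected(M, ("p", 0, eps)),
        "protected_fault_on_Tq": crt_sign_protected(M, ("q", 2, eps)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With e coprime to p − 1, (Sp + ε)^e ≡ Sp^e mod p forces ε ≡ 0 mod p, so the faulty signature is wrong mod p and correct mod q and the gcd is exactly q; in the protected version the same ε shifts M · S1 · S2 by ε · M · S2p mod p, a non-zero amount, so the check fails before any value leaves the device.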

Page 21: CRT RSA Algorithm Protected Against Fault Attacks

Algorithm Analysis

• Cost: 2 additional recombinations

•Larger memory occupation: an alternative solution with less memory overhead is proposed in the paper

–detects an error with some probability

Page 22: CRT RSA Algorithm Protected Against Fault Attacks

Conclusion

• New modular exponentiation algorithm resistant against SPA/DFA

• Proof of security in a realistic fault model

• Suitable for low cost devices

• Can be used to construct SPA/DFA-resistant CRT RSA signature algorithm

• Can be adapted to compute SPA/DFA-resistant scalar multiplication for elliptic curve cryptography

Page 23: CRT RSA Algorithm Protected Against Fault Attacks

THANK YOU FOR YOUR ATTENTION

Page 24: CRT RSA Algorithm Protected Against Fault Attacks
Page 25: CRT RSA Algorithm Protected Against Fault Attacks

Trademark Attribution

Spansion, the Spansion Logo, MirrorBit, HD-SIM, ORNAND, and combinations thereof are trademarks of Spansion LLC. Other names used in this presentation are for informational purposes only and may be trademarks of their respective owners.