
A Formal Proof of Countermeasures against Fault Injection Attacks on CRT-RSA Pablo Rauzy Sylvain Guilley rauzy@enst.fr sylvain.guilley@enst.fr pablo.rauzy.name perso.enst.fr/~guilley Telecom ParisTech LTCI / COMELEC / SEN August 24, 2013


  1. A Formal Proof of Countermeasures against Fault Injection Attacks on CRT-RSA
     Pablo Rauzy (rauzy@enst.fr, pablo.rauzy.name) and Sylvain Guilley (sylvain.guilley@enst.fr, perso.enst.fr/~guilley)
     Telecom ParisTech, LTCI / COMELEC / SEN
     August 24, 2013 — 9h45–10h15, PROOFS 2013 @ Santa Barbara
     IACR ePrint 2013/506
     Pablo Rauzy (Telecom ParisTech) Formal CRT-RSA Fault Attacks Analysis PROOFS 2013 1 / 31

  2. RSA
       CRT-RSA
     The BellCoRe Attack
       How it works?
       BellCoRe attack refinement
     Countermeasures
       Shamir Countermeasure
       Aumüller et al. Countermeasure
       Shortcomings
     Formal Analysis
       CRT-RSA Computation
       Fault Injection
       Algorithm Description
       finja
       Testing Attacks
       Study of an Unprotected CRT-RSA Computation
       Study of the Shamir Countermeasure
       Study of the Aumüller et al. Countermeasure
       Results
     Conclusions and Perspectives

  3. RSA
     RSA (Rivest, Shamir, Adleman)
     RSA [RSA78] is an algorithm for public key cryptography. It can be used as both an encryption and a signature algorithm. It works as follows (for simplicity we omit the padding operations):
     ◮ Let $m$ be the message, $(N, e)$ the public key, and $(N, d)$ the private key such that $d \cdot e \equiv 1 \pmod{\varphi(N)}$.
     ◮ The signature $S$ is computed by $S \equiv m^d \pmod N$.
     ◮ The signature can be verified by checking that $m \equiv S^e \pmod N$.


  5. CRT-RSA
     CRT (Chinese Remainder Theorem)
     CRT-RSA [Koç94] is an optimization of the RSA computation which allows a fourfold speedup. It works as follows:
     ◮ Let $p$ and $q$ be the primes from the key generation ($N = p \cdot q$).
     ◮ These values are pre-computed (considered part of the private key):
       ◮ $d_p \doteq d \bmod (p - 1)$
       ◮ $d_q \doteq d \bmod (q - 1)$
       ◮ $i_q \doteq q^{-1} \bmod p$
     ◮ $S$ is then computed as follows:
       ◮ $S_p = m^{d_p} \bmod p$
       ◮ $S_q = m^{d_q} \bmod q$
       ◮ $S = S_q + q \cdot \big( i_q \cdot (S_p - S_q) \bmod p \big)$


  7. The BellCoRe Attack
     BellCoRe (Bell Communications Research)
     The BellCoRe attack [BDL97] consists in revealing the secret primes $p$ and $q$ by faulting the computation. It is very powerful as it works even with very random faulting. It works as follows:
     ◮ The intermediate variable $S_p$ (resp. $S_q$) is faulted as $\widehat{S_p}$ (resp. $\widehat{S_q}$).
     ◮ The attacker thus gets an erroneous signature $\widehat{S}$.
     ◮ The attacker can recover $p$ (resp. $q$) as $\gcd(N, S - \widehat{S})$.


  9. The BellCoRe Attack
     How it works?
     For any integer $x$, $\gcd(N, x)$ can only take 4 values:
     ◮ $1$, if $N$ and $x$ are co-prime,
     ◮ $p$, if $x$ is a multiple of $p$,
     ◮ $q$, if $x$ is a multiple of $q$,
     ◮ $N$, if $x$ is a multiple of both $p$ and $q$, i.e., of $N$.

  10. The BellCoRe Attack
      How it works?
      If $S_p$ is faulted (i.e., replaced by $\widehat{S_p} \neq S_p$):
      ◮ $S - \widehat{S} = q \cdot \Big( \big( i_q \cdot (S_p - S_q) \bmod p \big) - \big( i_q \cdot (\widehat{S_p} - S_q) \bmod p \big) \Big)$
      ⇒ $\gcd(N, S - \widehat{S}) = q$

  11. The BellCoRe Attack
      How it works?
      If $S_q$ is faulted (i.e., replaced by $\widehat{S_q} \neq S_q$):
      ◮ $S - \widehat{S} \equiv (S_q - \widehat{S_q}) - (q \bmod p) \cdot i_q \cdot (S_q - \widehat{S_q}) \equiv 0 \pmod p$ (because $(q \bmod p) \cdot i_q \equiv 1 \pmod p$)
      ⇒ $\gcd(N, S - \widehat{S}) = p$


  13. The BellCoRe Attack
      BellCoRe attack refinement
      This attack has been improved [JLQ99] so it only needs the faulty signature to recover $p$ or $q$, by computing $\gcd(N, m - \widehat{S}^e)$.
      ◮ If $S_p$ is faulted, then most likely $\gcd(N, S - \widehat{S}) = q$,
      ◮ which means that we have $S \not\equiv \widehat{S} \pmod p$, thus $S^e \not\equiv \widehat{S}^e \pmod p$;
      ◮ and that we also have $S \equiv \widehat{S} \pmod q$, thus $S^e \equiv \widehat{S}^e \pmod q$.
      ⇒ As $S^e \equiv m \pmod N$, this proves the result.
      A symmetrical reasoning can be done if the fault occurs during the computation of $S_q$.


  15. Countermeasures
      Several protections against the BellCoRe attacks have been proposed. Some of them are given below:
      ◮ Obvious countermeasures: no CRT, or with signature verification;
      ◮ Shamir [Sha99];
      ◮ Aumüller et al. [ABF+02];
      ◮ Vigilant, original [Vig08] and with some corrections by Coron et al. [CGM+10];
      ◮ Kim et al. [KKHH11].


  17. Countermeasures
      Shamir Countermeasure
      ◮ Introduces a small random number $r$, co-prime with $p$ and $q$.
      ◮ Carries out computations modulo $p' = p \cdot r$ and $q' = q \cdot r$.
      ⇒ Allows retrieval of the results by reduction modulo $p$ and modulo $q$.
      ⇒ Enables verification by reduction modulo $r$.

  18. Countermeasures / Shamir Countermeasure
      Algorithm
      Input: Message $m$, key $(p, q, d, i_q)$, 32-bit random prime $r$
      Output: Signature $m^d \bmod N$, or error if some fault injection is detected.
       1  $p' = p \cdot r$
       2  $d_p = d \bmod \big( (p - 1) \cdot (r - 1) \big)$
       3  $S'_p = m^{d_p} \bmod p'$
       4  $q' = q \cdot r$
       5  $d_q = d \bmod \big( (q - 1) \cdot (r - 1) \big)$
       6  $S'_q = m^{d_q} \bmod q'$
       7  $S_p = S'_p \bmod p$
       8  $S_q = S'_q \bmod q$
       9  $S = S_q + q \cdot \big( i_q \cdot (S_p - S_q) \bmod p \big)$
      10  if $S'_p \not\equiv S'_q \pmod r$ then
      11      return error
      12  else
      13      return $S$
      14  end
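Added here as a worked example, not code from the slides nor from the authors' finja tool: a plain Python model of what the CRT-RSA, BellCoRe and Shamir slides above describe. It signs with unprotected CRT-RSA, simulates a single-bit fault on S_p or S_q, applies the two gcd tests of the BellCoRe slides as a check that the unprotected computation really exposes a prime factor, and then runs the same faults through Shamir's algorithm to confirm that its comparison modulo r rejects them. The toy key, the message, the 32-bit prime r, the single-bit-flip fault model and every function name are assumptions made for this example.

```python
from math import gcd

# Constructed toy key (not from the slides): real keys use primes of 1024
# bits or more; these are small enough to check the arithmetic by hand.
P = 1_000_003                       # prime
Q = 999_983                         # prime
N = P * Q
E = 65_537
D = pow(E, -1, (P - 1) * (Q - 1))   # d such that d * e = 1 mod phi(N)
M = 123_456_789_012                 # constructed message, already < N
R = 4_294_967_291                   # constructed 32-bit prime r for Shamir

# Pre-computed CRT values of the CRT-RSA slide, part of the private key
D_P = D % (P - 1)
D_Q = D % (Q - 1)
I_Q = pow(Q, -1, P)                 # i_q = q^-1 mod p


def inject(value, fault, name):
    """Assumed fault model: flip one bit of the intermediate called `name`
    when `fault` is the pair (name, bit); any other intermediate is left
    untouched. This stands in for the physical fault of the BellCoRe slide."""
    if fault is not None and fault[0] == name:
        return value ^ (1 << fault[1])
    return value


def recombine(s_p, s_q):
    """S = S_q + q * (i_q * (S_p - S_q) mod p), last line of the CRT-RSA slide."""
    return s_q + Q * ((I_Q * (s_p - s_q)) % P)


def crt_sign(m, fault=None):
    """Unprotected CRT-RSA signature, optionally faulted on S_p or S_q."""
    s_p = inject(pow(m, D_P, P), fault, "S_p")
    s_q = inject(pow(m, D_Q, Q), fault, "S_q")
    return recombine(s_p, s_q)


def verify(m, s):
    """RSA slide: the signature is valid iff m = S^e mod N."""
    return pow(s, E, N) == m % N


def bellcore_factor(s, s_faulty):
    """BellCoRe slide: gcd(N, S - S^) from a correct and a faulty signature."""
    return gcd(N, s - s_faulty)


def jlq_factor(m, s_faulty):
    """[JLQ99] refinement slide: gcd(N, m - S^^e) needs the faulty signature only."""
    return gcd(N, m - pow(s_faulty, E, N))


def shamir_sign(m, r=R, fault=None):
    """Shamir's countermeasure, the 14-line algorithm of the slide above.
    Returns the signature, or None where the slide returns 'error'."""
    p1 = P * r                                          # 1: p' = p * r
    d_p = D % ((P - 1) * (r - 1))                       # 2
    s_p1 = inject(pow(m, d_p, p1), fault, "S'_p")       # 3: S'_p = m^d_p mod p'
    q1 = Q * r                                          # 4: q' = q * r
    d_q = D % ((Q - 1) * (r - 1))                       # 5
    s_q1 = inject(pow(m, d_q, q1), fault, "S'_q")       # 6: S'_q = m^d_q mod q'
    s_p = s_p1 % P                                      # 7
    s_q = s_q1 % Q                                      # 8
    s = recombine(s_p, s_q)                             # 9
    if s_p1 % r != s_q1 % r:                            # 10: S'_p != S'_q mod r
        return None                                     # 11: error
    return s                                            # 13: return S


def unprotected_leaks(m, bits=range(8)):
    """Defender's check on the unprotected computation: for a single-bit
    fault on S_p or S_q at each bit position, record the factor exposed by
    the two gcd tests. The slides predict q for a fault on S_p, p for S_q."""
    s = crt_sign(m)
    out = {}
    for name in ("S_p", "S_q"):
        for bit in bits:
            faulty = crt_sign(m, (name, bit))
            out[(name, bit)] = (bellcore_factor(s, faulty),
                                jlq_factor(m, faulty))
    return out


def shamir_detects_all(m, bits=range(8)):
    """True when Shamir's mod-r check rejects every single-bit fault on
    S'_p or S'_q and the unfaulted run still returns the correct signature."""
    if shamir_sign(m) != crt_sign(m):
        return False
    return all(shamir_sign(m, fault=(name, bit)) is None
               for name in ("S'_p", "S'_q") for bit in bits)


if __name__ == "__main__":
    assert verify(M, crt_sign(M)) and crt_sign(M) == pow(M, D, N)
    for (name, bit), (f1, f2) in unprotected_leaks(M).items():
        label = {P: "p", Q: "q"}
        print(f"fault on {name} bit {bit}: gcd tests give",
              label.get(f1, f1), label.get(f2, f2))
    print("Shamir check rejects all these faults:", shamir_detects_all(M))
```

The bit-flip model is deliberately simple: because p, q and r are odd primes, a change of ±2^k never vanishes modulo any of them, so every such fault is both exploitable against the unprotected computation and caught by Shamir's comparison modulo r. A formal tool like finja explores a far larger fault space than this hand-written loop; the script only makes the two slide-level claims concrete on a toy key.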

