Attacking RSA–CRT Signatures with Faults on Montgomery Multiplication (slide deck, CHES 2012)



SLIDE 1

Attacking RSA–CRT Signatures with Faults on Montgomery Multiplication

Pierre-Alain Fouque (INRIA) Nicolas Guillermin (DGA) Delphine Lerestreux (DGA) Mehdi Tibouchi (NTT) Jean-Christophe Zapalowicz (INRIA) CHES 2012

Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 1 / 15

SLIDE 2

About this talk

Cryptanalysis of RSA–CRT signatures that use the efficient Montgomery multiplication, whatever the encoding function.
Fault attacks.

SLIDE 3

Montgomery multiplication algorithm

Classical modular multiplication uses multiplications, additions and divisions.
Montgomery multiplication (CIOS) uses shifts instead of divisions ⇒ cost only twice that of a non-modular multiplication.

x̄ = xR mod q is the Montgomery representation of x (R a constant).
CIOS(x̄, ȳ) = x̄ȳ · R^-1 mod q = xy · R mod q (the Montgomery representation of xy)

Classical representation → Montgomery representation: CIOS(x, R^2 mod q) = xR mod q = x̄
Montgomery representation → Classical representation: CIOS(x̄, 1) = x̄ · R^-1 mod q = x


SLIDE 6

Exponentiation algorithms

(d = d_t … d_0 in binary; x̄ is the Montgomery representation of x, R mod q that of 1)

Square-and-Multiply MSB (left to right):

function EXPMSB(x, d, q)
    x̄ ← CIOS(x, R^2 mod q)
    A ← R mod q
    for i = t down to 0 do
        A ← CIOS(A, A)
        if d_i = 1 then
            A ← CIOS(A, x̄)
    return CIOS(A, 1) = x^d mod q

Montgomery Ladder:

function EXPLADDER(x, d, q)
    x̄ ← CIOS(x, R^2 mod q)
    A ← R mod q
    for i = t down to 0 do
        if d_i = 0 then
            x̄ ← CIOS(A, x̄)
            A ← CIOS(A, A)
        else (d_i = 1)
            A ← CIOS(A, x̄)
            x̄ ← CIOS(x̄, x̄)
    return CIOS(A, 1) = x^d mod q


SLIDE 9

RSA–CRT signature

p, q: two secret primes
N = pq: public modulus
e: public exponent
d: secret exponent, with ed ≡ 1 mod ((p − 1)(q − 1))

RSA signature: S ≡ M^d mod N

RSA–CRT signature:

function SIGNRSA–CRT(M)
    S_p ← M^(d mod (p−1)) mod p
    S_q ← M^(d mod (q−1)) mod q
    S ← CRT(S_p, S_q) mod N   or   S ← Garner(S_p, S_q) mod N
    return S

4× faster!!


SLIDE 12

Bellcore attack

function SIGNRSA–CRT(M)
    S_p ← M^(d mod (p−1)) mod p
    S_q ← M^(d mod (q−1)) mod q
    S ← CRT(S_p, S_q) mod N   or   S ← Garner(S_p, S_q) mod N
    return S

Attack: a fault during the computation modulo p turns S_p into a faulty S̃_p, hence S into a faulty S̃:
    S̃_p ≠ M^d mod p,   S_q = M^d mod q
    S̃^e ≠ M mod p,     S̃^e = M mod q
    ⇒ gcd(S̃^e − M mod N, N) = q


SLIDE 16

Bellcore attack

function SIGNRSA–CRT(m)
    M ← µ(m) ∈ Z_N
    S_p ← M^(d mod (p−1)) mod p
    S_q ← M^(d mod (q−1)) mod q
    S ← CRT(S_p, S_q) mod N   or   S ← Garner(S_p, S_q) mod N
    return S

µ = deterministic encoding function ⇒ Attack works!
µ = probabilistic encoding function:
    random sent with the signature ⇒ Attack works!
    otherwise, in general (RSA–PSS, …) ⇒ No attack!
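The Bellcore scenario on these slides and the verify-before-release countermeasure named on the last slide, as an added Python example (not the authors' code). The toy key (P, Q, E), the message and the `fault_sp` hook that corrupts S_p are constructed for the demonstration; `pow()` stands in for the Montgomery exponentiation:

```python
# Added example: RSA-CRT signing with Garner recombination, a simulated fault
# in S_p, the gcd check from the slide, and the verify-before-release
# countermeasure. Toy key constructed for the demo (far too small for real use).
from math import gcd

P = 2147483647            # 2^31 - 1 (prime), constructed toy value
Q = 2305843009213693951   # 2^61 - 1 (prime), constructed toy value
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # e*d = 1 mod (p-1)(q-1)


def garner(sp, sq, p, q):
    """Garner recombination: S = S_q + q * ((q^-1 * (S_p - S_q)) mod p)."""
    qinv = pow(q, -1, p)
    return sq + q * ((qinv * (sp - sq)) % p)


def sign_crt(m, fault_sp=None):
    """RSA-CRT signature of an already-encoded M in Z_N.
    `fault_sp` is a constructed hook that corrupts S_p, simulating a fault in
    the modulo-p half of the computation (the Bellcore fault model)."""
    sp = pow(m, D % (P - 1), P)
    sq = pow(m, D % (Q - 1), Q)
    if fault_sp is not None:
        sp = fault_sp(sp)
    return garner(sp, sq, P, Q) % N


def verify(m, s):
    """Public-key check S^e = M mod N."""
    return pow(s, E, N) == m % N


def leaked_factor(m, s_faulty):
    """The slide's check gcd(S~^e - M mod N, N): a signature that is correct
    mod q but wrong mod p yields q; a correct signature yields N itself."""
    return gcd((pow(s_faulty, E, N) - m) % N, N)


def sign_checked(m, fault_sp=None):
    """Countermeasure: verify before release. Returns None instead of a faulty
    signature, so nothing usable for the gcd check ever leaves the device."""
    s = sign_crt(m, fault_sp)
    return s if verify(m, s) else None


if __name__ == "__main__":
    m = 0x123456789ABC                       # constructed encoded message < N
    s_bad = sign_crt(m, fault_sp=lambda sp: sp ^ 1)
    print("faulty signature verifies:", verify(m, s_bad))
    print("factor exposed by unverified output:", leaked_factor(m, s_bad) == Q)
    print("checked signer releases:", sign_checked(m, fault_sp=lambda sp: sp ^ 1))
```

Flipping one bit of S_p leaves S̃ correct modulo q and wrong modulo p, which is exactly the situation the slide's gcd formula exploits; the checked signer withholds that output because the public verification fails.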

SLIDE 17

For now:

We focus on hardware designs for RSA signatures using:
    RSA–CRT
    Montgomery multiplication
regardless of the encoding function.


SLIDE 20

Null faults: Presentation

Fault model: force a small precomputed value to zero

function CIOS(x̄, ȳ)
    a ← 0
    ȳ_0 ← ȳ mod 2^r                               r: size of the registers
    for j = 0 to k − 1 do                           k s.t. R = 2^(rk) (R > q, gcd(q, R) = 1)
        a_0 ← a mod 2^r
        u_j ← (a_0 + x̄_j · ȳ_0) · q′ mod 2^r        q′ = −q^-1 mod 2^r, precomputed
        a ← (a + x̄_j · ȳ + u_j · q) / 2^r           division implemented as a right shift
    if a ≥ q then a ← a − q
    return a = x̄ȳR^-1 mod q

Objective (Garner recombination): S = S_q + q · (q^-1 · (S_p − S_q) mod p). If the faulty S̃_q = 0 then S̃ is a multiple of q and gcd(S̃, N) = q, with a single faulted signature.
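The word-level CIOS loop above, the two exponentiation routines from the "Exponentiation algorithms" slide built on it, and the slide's null-fault objective (CIOS(A, 1) run with q′ forced to 0), as an added Python example that is not the authors' code. The helper names (`montgomery_params`, `to_mont`, `from_mont`, `final_conversion_null_fault`), the choice of passing q′ in as a parameter so the fault can be injected, and the sample prime q = 2^61 − 1 with r = 16 are all constructed for the demonstration:

```python
# Added example: word-level CIOS Montgomery multiplication with k registers of
# r bits, the MSB square-and-multiply and Montgomery ladder built on it, and
# the effect of the null fault q' -> 0 on the final conversion CIOS(A, 1).
from math import gcd


def montgomery_params(q, r):
    """k registers of r bits with R = 2^(r*k) > q, and q' = -q^-1 mod 2^r."""
    k = (q.bit_length() + r - 1) // r
    R = 1 << (r * k)
    assert gcd(q, R) == 1              # q must be odd
    qprime = (-pow(q, -1, 1 << r)) % (1 << r)
    return k, R, qprime


def cios(x, y, q, r, k, qprime):
    """CIOS(x, y) = x*y*R^-1 mod q for 0 <= x, y < q.
    q' is a parameter (instead of being recomputed) so that a caller can
    inject the slide's null fault by passing 0 for the precomputed value."""
    mask = (1 << r) - 1
    y0 = y & mask                      # y mod 2^r
    a = 0
    for j in range(k):
        xj = (x >> (r * j)) & mask     # j-th r-bit register of x
        a0 = a & mask                  # a mod 2^r
        uj = ((a0 + xj * y0) * qprime) & mask
        # division by 2^r implemented as a right shift; exact when q' is correct
        a = (a + xj * y + uj * q) >> r
    if a >= q:                         # a < 2q here, one conditional subtraction
        a -= q
    return a


def to_mont(x, q, r):
    """Classical -> Montgomery representation: CIOS(x, R^2 mod q) = xR mod q."""
    k, R, qp = montgomery_params(q, r)
    return cios(x, (R * R) % q, q, r, k, qp)


def from_mont(xbar, q, r):
    """Montgomery -> classical representation: CIOS(xbar, 1) = xbar*R^-1 mod q."""
    k, _, qp = montgomery_params(q, r)
    return cios(xbar, 1, q, r, k, qp)


def exp_msb(x, d, q, r):
    """Square-and-multiply, MSB first (EXPMSB on the slides)."""
    k, R, qp = montgomery_params(q, r)
    xbar = cios(x, (R * R) % q, q, r, k, qp)
    A = R % q                          # Montgomery representation of 1
    for i in range(d.bit_length() - 1, -1, -1):
        A = cios(A, A, q, r, k, qp)
        if (d >> i) & 1:
            A = cios(A, xbar, q, r, k, qp)
    return cios(A, 1, q, r, k, qp)


def exp_ladder(x, d, q, r):
    """Montgomery ladder (EXPLADDER on the slides)."""
    k, R, qp = montgomery_params(q, r)
    xbar = cios(x, (R * R) % q, q, r, k, qp)
    A = R % q
    for i in range(d.bit_length() - 1, -1, -1):
        if ((d >> i) & 1) == 0:
            xbar = cios(A, xbar, q, r, k, qp)
            A = cios(A, A, q, r, k, qp)
        else:
            A = cios(A, xbar, q, r, k, qp)
            xbar = cios(xbar, xbar, q, r, k, qp)
    return cios(A, 1, q, r, k, qp)


def final_conversion_null_fault(A, q, r):
    """CIOS(A, 1) with the precomputed q' forced to 0: every u_j becomes 0, so a
    is only ever right-shifted and the result is 0 whatever A is."""
    k, _, _ = montgomery_params(q, r)
    return cios(A, 1, q, r, k, qprime=0)


if __name__ == "__main__":
    q, r = 2305843009213693951, 16     # 2^61 - 1 (prime) and 16-bit registers, constructed
    x, d = 123456789, 0x1234567
    assert exp_msb(x, d, q, r) == exp_ladder(x, d, q, r) == pow(x, d, q)
    print("CIOS(A, 1) with q' = 0:", final_conversion_null_fault(to_mont(x, q, r), q, r))
```

With a correct q′ the sum a + x̄_j ȳ + u_j q is divisible by 2^r, so the shift loses nothing; with q′ = 0 the correction term disappears and the k shifts simply discard all k registers of A, which is why a zeroed q′ in the last conversion turns S_q into 0.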


SLIDE 23

Null faults: Attacks

2 possible recombinations. Garner: S = S_q + q · (q^-1 · (S_p − S_q) mod p) ⇒ S_q in classical representation required.

2 attacks: attacking CIOS(A, 1) (A = S_q in Montgomery representation), attacking consecutive CIOS steps.

Attack 1: the final conversion CIOS(A, 1) with q′ forced to zero:

function CIOS(A, 1)
    a ← 0
    y_0 ← 1
    for j = 0 to k − 1 do
        a_0 ← a mod 2^r
        u_j ← (a_0 + A_j) · q′ mod 2^r = 0            (q′ = 0)
        a ← (a + A_j · 1 + u_j · q) / 2^r = 0           (the u_j · q term vanishes)
    if a ≥ q then a ← a − q
    return a = S̃_q = 0

inside the right-to-left exponentiation:

function EXPLSB(x, d, q)
    x̄ ← CIOS(x, R^2 mod q)
    A ← R mod q
    for i = 0 to t do
        if d_i = 1 then
            A ← CIOS(A, x̄)
        x̄ ← CIOS(x̄, x̄)
    return CIOS(A, 1) = S_q

SLIDE 24

Null faults: Attacks

2 possible recombinations:
    Garner: S = S_q + q · (q^-1 · (S_p − S_q) mod p)
    CRT: S = ((S_q · p^-1 mod q) · p + (S_p · q^-1 mod p) · q) mod N, with V = p^-1 mod q
        S_q · V in classical representation required: computed as CIOS(V, S_q · R)

2 attacks: attacking CIOS(A, 1), attacking consecutive CIOS steps.


SLIDE 27

Null faults: Attacks

Attack 2: the squarings CIOS(x̄, x̄) of the right-to-left exponentiation with q′ forced to zero:

function CIOS(x̄, x̄)
    a ← 0
    x̄_0 ← x̄ mod 2^r
    for j = 0 to k − 1 do
        a_0 ← a mod 2^r
        u_j ← (a_0 + x̄_j · x̄_0) · 0 mod 2^r = 0
        a ← (a + x̄_j · x̄ + u_j · q) / 2^r              (the u_j · q term vanishes)
    if a ≥ q then a ← a − q
    return a = x̄_(k−1) · x̄ / 2^r + o(2^(r(k−1)))

function EXPLSB(x, d, q)
    x̄ ← CIOS(x, R^2 mod q)
    A ← R mod q
    for i = 0 to t do
        if d_i = 1 then
            A ← CIOS(A, x̄)
        x̄ ← CIOS(x̄, x̄)        faulted: x̄ ← x̄_(k−1) · x̄ / 2^r + o(2^(r(k−1)))
    return CIOS(A, 1)

|x̄| ≤ ⌈log2 q⌉ − 1 is true with probability 1/2
    CIOS_f ⇒ |x̄| ≤ ⌈log2 q⌉ − 2
    CIOS_f ⇒ |x̄| ≤ ⌈log2 q⌉ − 4
    …
⌈log2⌈log2 q⌉⌉ consecutive faulted iterations ⇒ S_q = 0

SLIDE 28

Null faults: Attacks

Faulty iterations | S&M LSB (%) | S&M MSB, start (%) | S&M MSB, anywhere (%) | Montgomery Ladder, start (%) | Montgomery Ladder, anywhere (%)
8                 | 31          | 93                 | 62                    | 45                           | 30
9                 | 65          | 100                | 93                    | 87                           | 76
10                | 89          | 100                | 100                   | 99                           | 93

Table: 100 faulty signatures computed with SAGE for a 512-bit prime q and r = 16.

SLIDE 29

Null faults: Conclusion

2 attacks:
    Attacking CIOS(A, 1) ⇒ 1 signature and 1 fault
    Attacking consecutive CIOS steps ⇒ 1 signature and a few faulty iterations (sometimes even a single fault if q′ is not recomputed!)

Realistic attacks:
    A single signature
    Targeting small registers
    Targeting a precomputed value
    Few faulty iterations required


SLIDE 32

Constant faults: Presentation

Fault model: force a small value to some (possibly unknown) constant value

function CIOS(x̄, ȳ)
    a ← 0
    ȳ_0 ← ȳ mod 2^r
    for j = 0 to k − 1 do
        a_0 ← a mod 2^r
        u_j ← (a_0 + x̄_j · ȳ_0) · q′ mod 2^r
        a ← (a + x̄_j · ȳ + u_j · q) / 2^r
    if a ≥ q then a ← a − q
    return a

Objective: obtain a faulty S̃ that is close to a multiple of q


SLIDE 34

Constant faults: Attacks

4 attacks:
    Attacking CIOS(A, 1) without miss (u_0 = · · · = u_(k−1) = u)
        S̃_q is close to the real number u · q/(2^r − 1).
        |(2^r − 1) · (S̃ + 1) − qT| ≤ 2^(r+1) with T an integer.
        A single faulty signature yields V = (2^r − 1) · (S̃ + 1) mod N.
        (r = 8, 16): gcd(V + X, N) for |X| ≤ 2^(r+1)
        (r = 32): baby-step giant-step-like algorithm by Chen and Nguyen
        (r < ⌈log2 q/2⌉): Howgrave-Graham's algorithm
    Attacking CIOS(A, 1) with some misses (u_j = · · · = u_(k−1) = u, j < k/2)
    Attacking CIOS(A, 1) with more misses (u_j = · · · = u_(k−1) = u, j > k/2)
    Attacking consecutive CIOS steps


SLIDE 44

Constant faults: Attacks

4 attacks:
    Attacking CIOS(A, 1) without miss (u_0 = · · · = u_(k−1) = u) ⇒ 1 signature and a few faults
    Attacking CIOS(A, 1) with some misses (u_j = · · · = u_(k−1) = u, j < k/2) ⇒ 1 signature and a few faults
    Attacking CIOS(A, 1) with more misses (u_j = · · · = u_(k−1) = u, j > k/2) ⇒ some signatures and some faults
    Attacking consecutive CIOS steps ⇒ 2 signatures and some faults


SLIDE 46

Are the models realistic?

Fault injection has to be made on several rounds of the CIOS algorithm.
q′ or u_j must be isolated in the architecture:

[Figure: Montgomery multiplier architecture of Tenca and Koç (RAM, processing elements PE 1 … PE t, carry-save (CS) adder, CS-to-binary conversion, control logic, queue, n-bit right t-shifter for x, data path for a_i(j), x_i, y(j), q(j)); the registers holding the values needed by the attack are marked as "Vulnerable areas".]

SLIDE 47

Are the models realistic?

Fault injection has to be made on several rounds of the CIOS algorithm.
q′ or u_j must be isolated in the architecture:

[Figure: Montgomery multiplier architecture of Huang et al. (processing elements PE0 … PEj, 1-bit right shift register containing x, 1-bit right shift register containing U, combinational logic, register holding u_(i−1), u_(i−2), … u_(i−j), carry/sum signals s_i, c_i); the shift register holding the u_i values is marked as "Vulnerable areas".]

SLIDE 48

Are the models realistic?

Fault injection has to be made on several rounds of the CIOS algorithm.
q′ or u_j must be isolated in the architecture:

[Figure: Montgomery multiplier architecture of Mentens et al. (3-input carry-save adder, a_i register, inputs x, y, q and q′, partial products x · y(i) and u_i · q); the path carrying q′ and u_i is marked as "Vulnerable areas".]

SLIDE 49

Conclusion

Fault model: force the highest-order bits of a small value to zero ⇒ Another attack!

Summary
    RSA–CRT and Montgomery multiplication are widespread
    Attacks defeat unprotected RSA–CRT signatures with any padding scheme
    No need to know the message (works with message recovery)
    First fault attacks effective against the widespread RSA–PSS scheme (proven secure against random faults)
    Realistic faults (yet to be implemented)
    Countermeasure: verifying the signature

SLIDE 50

Thank you!