Attacking RSA–CRT Signatures with Faults onMontgomery Multiplication
Pierre-Alain Fouque (INRIA) Nicolas Guillermin (DGA)
Delphine Lerestreux (DGA) Mehdi Tibouchi (NTT)
Jean-Christophe Zapalowicz (INRIA)
CHES 2012
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 1 / 15
About this talk
Cryptanalysis of RSA–CRT signatures
which use of the efficient Montgomery Multiplication
whatever the encoding function
Fault attacks
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 2 / 15
Montgomery multiplication algorithmClassical modular multiplication uses:multiplications, additions and divisionsMontgomery multiplication (CIOS) uses...shifts instead of divisions!⇒ cost only twice that of a non modular multiplication
x = xR mod q is the Montgomery representation of x (R constant)
CIOS(x , y) = x y · R−1 mod q = xy · R mod q
Classical representation −→ Montgomery representation:
CIOS(x ,R2 mod q) = xR = x
Montgomery representation −→ Classical representation:
CIOS(x ,1) = xR = x
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 3 / 15
Montgomery multiplication algorithmClassical modular multiplication uses:multiplications, additions and divisionsMontgomery multiplication (CIOS) uses...shifts instead of divisions!⇒ cost only twice that of a non modular multiplication
x = xR mod q is the Montgomery representation of x (R constant)
CIOS(x , y) = x y · R−1 mod q = xy · R mod q
Classical representation −→ Montgomery representation:
CIOS(x ,R2 mod q) = xR = x
Montgomery representation −→ Classical representation:
CIOS(x ,1) = xR = x
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 3 / 15
Montgomery multiplication algorithmClassical modular multiplication uses:multiplications, additions and divisionsMontgomery multiplication (CIOS) uses...shifts instead of divisions!⇒ cost only twice that of a non modular multiplication
x = xR mod q is the Montgomery representation of x (R constant)
CIOS(x , y) = x y · R−1 mod q = xy · R mod q
Classical representation −→ Montgomery representation:
CIOS(x ,R2 mod q) = xR = x
Montgomery representation −→ Classical representation:
CIOS(x ,1) = xR = x
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 3 / 15
Exponentiation algorithms
Square-and-Multiply MSB Montgomery Ladder
1: function EXPMSB(x , d , q)2: x ← CIOS(x ,R2 mod q)3: A← R mod q4: for i = t down to 0 do5: A← CIOS(A,A)6: if di = 1 then7: A← CIOS(A, x)
8: return CIOS(A, 1) = xd mod q
1: function EXPLADDER(x , d , q)2: x ← CIOS(x ,R2 mod q)3: A← R mod q4: for i = t down to 0 do5: if di = 0 then6: x ← CIOS(A, x)7: A← CIOS(A,A)8: else if ei = 1 then9: A← CIOS(A, x)10: x ← CIOS(x , x)
11: return CIOS(A, 1) = xd mod q
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 4 / 15
RSA–CRT signature
p, q: two secret primes N = pq: public moduluse: public exponent d : secret exponent
ed ≡ 1 mod ((p − 1)(q − 1))
RSA signature: S ≡ Md mod N
RSA–CRT signature:1: function SIGNRSA–CRT(M)2: Sp ← Md mod p−1 mod p3: Sq ← Md mod q−1 mod q
4:
S = CRT(Sp,Sq) mod N
or
S = Garner(Sp,Sq) mod N5: return S
4× faster!!
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 5 / 15
RSA–CRT signature
p, q: two secret primes N = pq: public moduluse: public exponent d : secret exponent
ed ≡ 1 mod ((p − 1)(q − 1))
RSA signature: S ≡ Md mod N
RSA–CRT signature:1: function SIGNRSA–CRT(M)2: Sp ← Md mod p−1 mod p3: Sq ← Md mod q−1 mod q
4:
S = CRT(Sp,Sq) mod N
or
S = Garner(Sp,Sq) mod N5: return S
4× faster!!
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 5 / 15
RSA–CRT signature
p, q: two secret primes N = pq: public moduluse: public exponent d : secret exponent
ed ≡ 1 mod ((p − 1)(q − 1))
RSA signature: S ≡ Md mod N
RSA–CRT signature:1: function SIGNRSA–CRT(M)2: Sp ← Md mod p−1 mod p3: Sq ← Md mod q−1 mod q
4:
S = CRT(Sp,Sq) mod N
or
S = Garner(Sp,Sq) mod N5: return S
4× faster!!
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 5 / 15
Bellcore attack
1: function SIGNRSA–CRT(M)2: Sp ← Md mod p−1 mod p3: Sq ← Md mod q−1 mod q
4:
S = CRT(Sp,Sq) mod N
or
S = Garner(Sp,Sq) mod N5: return S
Attack
Sp → Sp S → SSp 6= Md mod p Sq = Md mod qSe 6= M mod p Se = M mod q
gcd(Se − M mod N, N) = q
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 6 / 15
Bellcore attack
1: function SIGNRSA–CRT(M)2: Sp ← Md mod p−1 mod p3: Sq ← Md mod q−1 mod q
4:
S = CRT(Sp,Sq) mod N
or
S = Garner(Sp,Sq) mod N5: return S
Attack
Sp → Sp S → SSp 6= Md mod p Sq = Md mod qSe 6= M mod p Se = M mod q
gcd(Se − M mod N, N) = q
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 6 / 15
Bellcore attack
1: function SIGNRSA–CRT(M)2: Sp ← Md mod p−1 mod p3: Sq ← Md mod q−1 mod q
4:
S = CRT(Sp,Sq) mod N
or
S = Garner(Sp,Sq) mod N5: return S
AttackSp → Sp S → SSp 6= Md mod p Sq = Md mod qSe 6= M mod p Se = M mod q
gcd(Se − M mod N, N) = q
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 6 / 15
Bellcore attack
1: function SIGNRSA–CRT(M)2: M ← µ(m) ∈ ZN3: Sp ← Md mod p−1 mod p4: Sq ← Md mod q−1 mod q
5:
S = CRT(Sp,Sq) mod N
or
S = Garner(Sp,Sq) mod N6: return S
AttackSp → Sp S → SSp 6= Md mod p Sq = Md mod qSe 6= M mod p Se = M mod q
gcd(Se − M mod N, N) = q
µ = deterministic encoding function⇒ Attack works!
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 6 / 15
Bellcore attack
1: function SIGNRSA–CRT(M)2: M ← µ(m) ∈ ZN3: Sp ← Md mod p−1 mod p4: Sq ← Md mod q−1 mod q
5:
S = CRT(Sp,Sq) mod N
or
S = Garner(Sp,Sq) mod N6: return S
AttackSp → Sp S → SSp 6= Md mod p Sq = Md mod qSe 6= M mod p Se = M mod q
gcd(Se − M mod N, N) = q
µ = deterministic encoding function⇒ Attack works!
µ = probabilistic encoding function:
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 6 / 15
Bellcore attack
1: function SIGNRSA–CRT(M)2: M ← µ(m) ∈ ZN3: Sp ← Md mod p−1 mod p4: Sq ← Md mod q−1 mod q
5:
S = CRT(Sp,Sq) mod N
or
S = Garner(Sp,Sq) mod N6: return S
AttackSp → Sp S → SSp 6= Md mod p Sq = Md mod qSe 6= M mod p Se = M mod q
gcd(Se − M mod N, N) = q
µ = deterministic encoding function⇒ Attack works!
µ = probabilistic encoding function:
random sent with signature⇒ Attack works!
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 6 / 15
Bellcore attack
1: function SIGNRSA–CRT(M)2: M ← µ(m) ∈ ZN3: Sp ← Md mod p−1 mod p4: Sq ← Md mod q−1 mod q
5:
S = CRT(Sp,Sq) mod N
or
S = Garner(Sp,Sq) mod N6: return S
AttackSp → Sp S → SSp 6= Md mod p Sq = Md mod qSe 6= M mod p Se = M mod q
gcd(Se − M mod N, N) = q
µ = deterministic encoding function⇒ Attack works!
µ = probabilistic encoding function:
random sent with signature⇒ Attack works!
otherwise, in general (RSA–PSS . . . ) ⇒ No attack!
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 6 / 15
For now:
We focus on hardware designs for RSA signatures using:RSA–CRTMontgomery multiplicationregardless of the encoding function
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 7 / 15
Null faults: Presentation
Fault model: force a small precomputed value to zero
1: function CIOS(x , y )2: a← 03: y0 ← y mod 2r r : size of the registers4: for j = 0 to k − 1 do k s.t R = 2rk (R > q, gcd(q,R) = 1)5: a0 ← a mod 2r
6: uj ← (a0 + xj · y0) · q′ mod 2r q′ = −q−1 mod 2r precomputed
7: a←⌊
a + xj · y + uj · q2r
⌋division implemented as right shift
8: if a ≥ q then a← a− q9: return a = x yR−1 mod q
Objective: S = Sq + q · (q−1 · (Sp − Sq) mod p) (Garner)If Sq = 0 then gcd(S,N) = q with a single faulted signature
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 8 / 15
Null faults: Presentation
Fault model: force a small precomputed value to zero
1: function CIOS(x , y )2: a← 03: y0 ← y mod 2r r : size of the registers4: for j = 0 to k − 1 do k s.t R = 2rk (R > q, gcd(q,R) = 1)5: a0 ← a mod 2r
6: uj ← (a0 + xj · y0) · q′ mod 2r q′ = −q−1 mod 2r precomputed
7: a←⌊
a + xj · y + uj · q2r
⌋division implemented as right shift
8: if a ≥ q then a← a− q9: return a = x yR−1 mod q
Objective: S = Sq + q · (q−1 · (Sp − Sq) mod p) (Garner)If Sq = 0 then gcd(S,N) = q with a single faulted signature
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 8 / 15
Null faults: Presentation
Fault model: force a small precomputed value to zero
1: function CIOS(x , y )2: a← 03: y0 ← y mod 2r r : size of the registers4: for j = 0 to k − 1 do k s.t R = 2rk (R > q, gcd(q,R) = 1)5: a0 ← a mod 2r
6: uj ← (a0 + xj · y0) · q′ mod 2r q′ = −q−1 mod 2r precomputed
7: a←⌊
a + xj · y + uj · q2r
⌋division implemented as right shift
8: if a ≥ q then a← a− q9: return a = x yR−1 mod q
Objective: S = Sq + q · (q−1 · (Sp − Sq) mod p) (Garner)If Sq = 0 then gcd(S,N) = q with a single faulted signature
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 8 / 15
Null faults: Attacks
2 possible recombinations:
Garner: S = Sq + q · (q−1 · (Sp − Sq) mod p)⇒ Sq in classical representation required
2 attacks:Attacking CIOS(A,1) (A = Sq)Attacking consecutive CIOS steps
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 9 / 15
Null faults: Attacks2 possible recombinations:
Garner: S = Sq + q · (q−1 · (Sp − Sq) mod p)
2 attacks:Attacking CIOS(A,1)
Attacking consecutive CIOS steps
1: function CIOS(A,1)2: a← 03: y0 ← 14: for j = 0 to k − 1 do5: a0 ← a mod 2r
6: uj ← (a0 + Aj ) · q′ mod 2r
7: a←⌊
a + xj · 1 + uj · q2r
⌋8: if a ≥ q then a← a− q9: return a = Sq
1: function EXPLSB(x ,d ,q)2: x ← CIOS(x ,R2 mod q)3: A← R mod q4: for i = 0 to t do5: if di = 1 then6: A← CIOS(A, x)
7: x ← CIOS(x , x)
8: return CIOS(A,1) = Sq
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 9 / 15
Null faults: Attacks2 possible recombinations:
Garner: S = Sq + q · (q−1 · (Sp − Sq) mod p)
2 attacks:Attacking CIOS(A,1)
Attacking consecutive CIOS steps
1: function CIOS(A,1)2: a← 03: y0 ← 14: for j = 0 to k − 1 do5: a0 ← a mod 2r
6: 0 =uj ← (a0 +Aj ) ·q′ mod 2r
7: 0 =a←⌊
a + xj · 1 +���uj · q2r
⌋8: if a ≥ q then a← a− q9: return a = Sq= 0
1: function EXPLSB(x ,d ,q)2: x ← CIOS(x ,R2 mod q)3: A← R mod q4: for i = 0 to t do5: if di = 1 then6: A← CIOS(A, x)
7: x ← CIOS(x , x)
8: return CIOS(A,1) = Sq
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 9 / 15
Null faults: Attacks
2 possible recombinations:
Garner: S = Sq + q · (q−1 · (Sp − Sq) mod p)
CRT: S = (Sq · p−1 mod q︸ ︷︷ ︸V
) · p + (Sp · q−1 mod p) · q mod N
Sq · V in classical representation required: CIOS(V ,Sq · R)
2 attacks:Attacking CIOS(A,1)
Attacking consecutive CIOS steps
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 9 / 15
Null faults: Attacks2 possible recombinations:
Garner: S = Sq + q · (q−1 · (Sp − Sq) mod p)
CRT: S = (Sq · p−1 mod q) · p + (Sp · q−1 mod p) · q mod N
2 attacks:Attacking CIOS(A,1)Attacking consecutive CIOS steps
1: function CIOS(x , x)2: a← 03: x0 ← x mod 2r
4: for j = 0 to k − 1 do5: a0 ← a mod 2r
6: uj ← (a0 + xj · x0) ·q′ mod 2r
7: a←⌊
a + xj · x + uj · q2r
⌋8: if a ≥ q then a← a− q9: return a
1: function EXPLSB(x ,d ,q)2: x ← CIOS(x ,R2 mod q)3: A← R mod q4: for i = 0 to t do5: if di = 1 then6: A← CIOS(A, x)
7: x ← CIOS(x , x)
8: return CIOS(A,1)
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 9 / 15
Null faults: Attacks2 possible recombinations:
Garner: S = Sq + q · (q−1 · (Sp − Sq) mod p)
CRT: S = (Sq · p−1 mod q) · p + (Sp · q−1 mod p) · q mod N
2 attacks:Attacking CIOS(A,1)Attacking consecutive CIOS steps
1: function CIOS(x , x)2: a← 03: x0 ← x mod 2r
4: for j = 0 to k − 1 do5: a0 ← a mod 2r
6: uj ← (a0 + xj · x0) · 0 mod 2r
7: a←⌊
a + xj · x +���uj · q2r
⌋8: if a ≥ q then a← a− q9: return a =
⌊xk−1x
2r
⌋+ o(2r(k−1))
1: function EXPLSB(x ,d ,q)2: x ← CIOS(x ,R2 mod q)3: A← R mod q4: for i = 0 to t do5: if ei = 1 then6: A← CIOS(A, x)
7: x ← CIOS(x , x)
8: return CIOS(A,1)
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 9 / 15
Null faults: Attacks
1: function CIOS(x , x)2: a← 03: x0 ← x mod 2r
4: for j = 0 to k − 1 do5: a0 ← a mod 2r
6: uj ← (a0 + xj · x0) · 0 mod 2r
7: a←⌊
a + xj · x +���uj · q2r
⌋8: if a ≥ q then a← a− q9: return a =
⌊xk−1x
2r
⌋+ o(2r(k−1))
1: function EXPLSB(x ,d ,q)2: x ← CIOS(x ,R2 mod q)3: A← R mod q4: for i = 0 to t do5: if ei = 1 then6: A← CIOS(A, x)
7: x ← CIOS(x , x)
8: return CIOS(A,1)
x ←⌊
xk−1x2r
⌋+ o(2r(k−1))
|x | ≤ dlog2 qe − 1︸ ︷︷ ︸true with probability 1/2
CIOSf⇒ |x | ≤ dlog2 qe − 2 CIOSf⇒ |x | ≤ dlog2 qe − 4 ...
dlog2dlog2 qee consecutive faulted iterations⇒ Sq = 0
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 9 / 15
Null faults: Attacks
S&M LSB S&M MSB Montgomery Ladder
Faulty iterations (%) Start (%) Anywhere (%) Start (%) Anywhere (%)
8 31 93 62 45 30
9 65 100 93 87 76
10 89 100 100 99 93
Table: 100 faulty signatures computed with SAGE for a 512-bit prime q andr = 16.
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 9 / 15
Null faults: Conclusion
2 attacks:Attacking CIOS(A,1)⇒ 1 signature and 1 faultAttacking consecutive CIOS steps⇒ 1 signature and a few faultyiterations (sometimes even a single fault if q′ is not recomputed!)
Realistic attacks:A single signatureTargeting small registersTargeting a precomputed valueFew faulty iterations required
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 10 / 15
Constant faults: Presentation
Fault model: force a small value to some (possibly unknown) constantvalue
1: function CIOS(x , y )2: a← 03: y0 ← y mod 2r
4: for j = 0 to k − 1 do5: a0 ← a mod 2r
6: uj ← (a0 + xj · y0) · q′ mod 2r
7: a←⌊
a + xj · y + uj · q2r
⌋8: if a ≥ q then a← a− q9: return a
Objective: Having S a close multiple of q
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 11 / 15
Constant faults: Presentation
Fault model: force a small value to some (possibly unknown) constantvalue
1: function CIOS(x , y )2: a← 03: y0 ← y mod 2r
4: for j = 0 to k − 1 do5: a0 ← a mod 2r
6: uj ← (a0 + xj · y0) · q′ mod 2r
7: a←⌊
a + xj · y + uj · q2r
⌋8: if a ≥ q then a← a− q9: return a
Objective: Having S a close multiple of q
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 11 / 15
Constant faults: Presentation
Fault model: force a small value to some (possibly unknown) constantvalue
1: function CIOS(x , y )2: a← 03: y0 ← y mod 2r
4: for j = 0 to k − 1 do5: a0 ← a mod 2r
6: uj ← (a0 + xj · y0) · q′ mod 2r
7: a←⌊
a + xj · y + uj · q2r
⌋8: if a ≥ q then a← a− q9: return a
Objective: Having S a close multiple of q
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 11 / 15
Constant faults: Attacks
4 attacks:Attacking CIOS(A,1) without miss (u0 = · · · = uk−1 = u)
Attacking CIOS(A,1) with some misses (uj = · · · = uk−1 = u, j < k/2)
Attacking CIOS(A,1) with more misses (uj = · · · = uk−1 = u, j > k/2)
Attacking consecutive CIOS steps
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 12 / 15
Constant faults: Attacks
4 attacks:Attacking CIOS(A,1) without miss (u0 = · · · = uk−1 = u)
I Sq is close to the real number u · q/(2r − 1).I∣∣(2r − 1) · (S + 1)− qT
∣∣ ≤ 2r+1 with T an integer.I A single faulty signature yields V = (2r − 1) · (S + 1) mod N.
I (r = 8,16) : gcd(V + X ,N) for |X | ≤ 2r+1
I (r = 32) : Baby step, giant step-like algorithm by Chen and NguyenI (r < dlog2 q/2e): Howgrave-Graham’s algorithm
Attacking CIOS(A,1) with some misses (uj = · · · = uk−1 = u, j < k/2)
Attacking CIOS(A,1) with more misses (uj = · · · = uk−1 = u, j > k/2)
Attacking consecutive CIOS steps
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 12 / 15
Constant faults: Attacks
4 attacks:Attacking CIOS(A,1) without miss (u0 = · · · = uk−1 = u)
I Sq is close to the real number u · q/(2r − 1).I∣∣(2r − 1) · (S + 1)− qT
∣∣ ≤ 2r+1 with T an integer.I A single faulty signature yields V = (2r − 1) · (S + 1) mod N.
I (r = 8,16) : gcd(V + X ,N) for |X | ≤ 2r+1
I (r = 32) : Baby step, giant step-like algorithm by Chen and NguyenI (r < dlog2 q/2e): Howgrave-Graham’s algorithm
Attacking CIOS(A,1) with some misses (uj = · · · = uk−1 = u, j < k/2)
Attacking CIOS(A,1) with more misses (uj = · · · = uk−1 = u, j > k/2)
Attacking consecutive CIOS steps
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 12 / 15
Constant faults: Attacks
4 attacks:Attacking CIOS(A,1) without miss (u0 = · · · = uk−1 = u)
I Sq is close to the real number u · q/(2r − 1).I∣∣(2r − 1) · (S + 1)− qT
∣∣ ≤ 2r+1 with T an integer.I A single faulty signature yields V = (2r − 1) · (S + 1) mod N.
I (r = 8,16) : gcd(V + X ,N) for |X | ≤ 2r+1
I (r = 32) : Baby step, giant step-like algorithm by Chen and NguyenI (r < dlog2 q/2e): Howgrave-Graham’s algorithm
Attacking CIOS(A,1) with some misses (uj = · · · = uk−1 = u, j < k/2)
Attacking CIOS(A,1) with more misses (uj = · · · = uk−1 = u, j > k/2)
Attacking consecutive CIOS steps
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 12 / 15
Constant faults: Attacks
4 attacks:Attacking CIOS(A,1) without miss (u0 = · · · = uk−1 = u)
I Sq is close to the real number u · q/(2r − 1).I∣∣(2r − 1) · (S + 1)− qT
∣∣ ≤ 2r+1 with T an integer.I A single faulty signature yields V = (2r − 1) · (S + 1) mod N.
I (r = 8,16) : gcd(V + X ,N) for |X | ≤ 2r+1
I (r = 32) : Baby step, giant step-like algorithm by Chen and NguyenI (r < dlog2 q/2e): Howgrave-Graham’s algorithm
Attacking CIOS(A,1) with some misses (uj = · · · = uk−1 = u, j < k/2)
Attacking CIOS(A,1) with more misses (uj = · · · = uk−1 = u, j > k/2)
Attacking consecutive CIOS steps
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 12 / 15
Constant faults: Attacks
4 attacks:Attacking CIOS(A,1) without miss (u0 = · · · = uk−1 = u)
⇒ 1 signature and a few faultsAttacking CIOS(A,1) with some misses (uj = · · · = uk−1 = u, j < k/2)
Attacking CIOS(A,1) with more misses (uj = · · · = uk−1 = u, j > k/2)
Attacking consecutive CIOS steps
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 12 / 15
Constant faults: Attacks
4 attacks:Attacking CIOS(A,1) without miss (u0 = · · · = uk−1 = u)
⇒ 1 signature and a few faultsAttacking CIOS(A,1) with some misses (uj = · · · = uk−1 = u, j < k/2)
Attacking CIOS(A,1) with more misses (uj = · · · = uk−1 = u, j > k/2)
Attacking consecutive CIOS steps
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 12 / 15
Constant faults: Attacks
4 attacks:Attacking CIOS(A,1) without miss (u0 = · · · = uk−1 = u)
⇒ 1 signature and a few faultsAttacking CIOS(A,1) with some misses (uj = · · · = uk−1 = u, j < k/2)
⇒ 1 signature and a few faultsAttacking CIOS(A,1) with more misses (uj = · · · = uk−1 = u, j > k/2)
Attacking consecutive CIOS steps
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 12 / 15
Constant faults: Attacks
4 attacks:Attacking CIOS(A,1) without miss (u0 = · · · = uk−1 = u)
⇒ 1 signature and a few faultsAttacking CIOS(A,1) with some misses (uj = · · · = uk−1 = u, j < k/2)
⇒ 1 signature and a few faultsAttacking CIOS(A,1) with more misses (uj = · · · = uk−1 = u, j > k/2)
Attacking consecutive CIOS steps
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 12 / 15
Constant faults: Attacks
4 attacks:Attacking CIOS(A,1) without miss (u0 = · · · = uk−1 = u)
⇒ 1 signature and a few faultsAttacking CIOS(A,1) with some misses (uj = · · · = uk−1 = u, j < k/2)
⇒ 1 signature and a few faultsAttacking CIOS(A,1) with more misses (uj = · · · = uk−1 = u, j > k/2)
⇒ some signatures and some faultsAttacking consecutive CIOS steps
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 12 / 15
Constant faults: Attacks
4 attacks:Attacking CIOS(A,1) without miss (u0 = · · · = uk−1 = u)
⇒ 1 signature and a few faultsAttacking CIOS(A,1) with some misses (uj = · · · = uk−1 = u, j < k/2)
⇒ 1 signature and a few faultsAttacking CIOS(A,1) with more misses (uj = · · · = uk−1 = u, j > k/2)
⇒ some signatures and some faultsAttacking consecutive CIOS steps
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 12 / 15
Constant faults: Attacks
4 attacks:Attacking CIOS(A,1) without miss (u0 = · · · = uk−1 = u)
⇒ 1 signature and a few faultsAttacking CIOS(A,1) with some misses (uj = · · · = uk−1 = u, j < k/2)
⇒ 1 signature and a few faultsAttacking CIOS(A,1) with more misses (uj = · · · = uk−1 = u, j > k/2)
⇒ some signatures and some faultsAttacking consecutive CIOS steps⇒ 2 signatures and some faults
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 12 / 15
Are the models realistic?
Fault injection has to be made on several rounds of the CIOS algorithm
q′ or uj must be isolated in the architecture:
���������������������������������������������������������������������������������
���������������������������������������������������������������������������������
���������������������������������������������������������������������������������
���������������������������������������������������������������������������������
RAM
RAM
PE 1 PE 2 PE t
1 11
CS to binaryconversion
data pathCS adder
ai−1(j)
xi
Control logic
ai(j)
q(j)
y(j) y(j)
q(j)· · ·
xi xi+1 xi+t−1
queue
Control logic
y(j)
ai(j)
input
result Vulnerable areas
q(j)
n-bit Right t-shifter for x
w
2w
w
Tenca and Koç
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 13 / 15
Are the models realistic?
Fault injection has to be made on several rounds of the CIOS algorithm
q′ or uj must be isolated in the architecture:
���������������������������������������������������������������������������������
���������������������������������������������������������������������������������
���������������������������������������������������������������������������������
���������������������������������������������������������������������������������
RAM
RAM
PE 1 PE 2 PE t
1 11
CS to binaryconversion
data pathCS adder
ai−1(j)
xi
Control logic
ai(j)
q(j)
y(j) y(j)
q(j)· · ·
xi xi+1 xi+t−1
queue
Control logic
y(j)
ai(j)
input
result Vulnerable areas
q(j)
n-bit Right t-shifter for x
w
2w
w
Tenca and Koç
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 13 / 15
Are the models realistic?
Fault injection has to be made on several rounds of the CIOS algorithm
q′ or uj must be isolated in the architecture:
������������������������������������
������������������������������������
������������������������������������������
������������������������������������������
������������������������������������
��������������������������������
��������������������������������
ui−1 ui−2 ui−j
y(0) q(0) y(1) q(1) y(2) q(2) y(j) q(j)
Vulnerable areas
1 bit Right shift register containing x
1 bit Right shift register containing U
· · ·
x(i)
PE1 PEjPE2PE0
x(i − 1) x(i − 2) x(i − j)
regi
ster
logic
Combinational
xi
Vulnerable areas
si(1)
ci(1)
ui y(0) q(0)
ui
si(1)
ci(1) ci−1(2)
si−1(2)
· · ·
Huang et al.
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 13 / 15
Are the models realistic?
Fault injection has to be made on several rounds of the CIOS algorithm
q′ or uj must be isolated in the architecture:
������������������������������������������������������������������������
������������������������������������������������������������������������
������������������������������������������������������������������������
������������������������������������������������������������������������
������������
���������������������������������
���������������������������������
q′
3 input carry save adder
ai register
Vulnerable areas
y(i)
x(0) · y(i)
x y
ui
ai(0)
q
ui · q
x · y(i)
Mentens et al.
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 13 / 15
Conclusion
Fault model: force the highest-order bits of a small value to zero⇒ Another attack!
SummaryRSA–CRT and Montgomery multiplication are widespreadAttacks defeat unprotected RSA–CRT signatures with anypadding schemeNo need to know the message (works with message recovery)First fault attacks effective against the widespread RSA–PSSscheme (proven secure against random faults)Realistic faults (yet to be implemented)Countermeasure: verifying the signature
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 14 / 15
Thank you!
Jean-Christophe Zapalowicz (INRIA) CHES 2012 September, 12th 2012 15 / 15