Results 1 to 10 of 25
On the Importance of Checking Cryptographic Protocols for Faults
1997
Cited by 289 (6 self)
Abstract
We present a theoretical model for breaking various cryptographic schemes by taking advantage of random hardware faults. We show how to attack certain implementations of RSA and Rabin signatures. An implementation of RSA based on the Chinese Remainder Theorem can be broken using a single erroneous signature. Other implementations can be broken using a larger number of erroneous signatures. We also analyze the vulnerability to hardware faults of two identification protocols: Fiat-Shamir and Schnorr. The Fiat-Shamir protocol can be broken after a small number of erroneous executions of the protocol. Schnorr's protocol can also be broken, but a larger number of erroneous executions is needed.
Keywords: Hardware faults, Cryptanalysis, RSA, Fiat-Shamir, Schnorr, Public key systems, Identification protocols.
1 Introduction
Direct attacks on the famous RSA cryptosystem seem to require that one factor the modulus. Therefore, it is interesting to ask whether there are attacks that avoid this....
On the Importance of Eliminating Errors in Cryptographic Computations
Journal of Cryptology, 2001
Cited by 59 (0 self)
Abstract
We present a model for attacking various cryptographic schemes by taking advantage of random hardware faults. The model consists of a black-box containing some cryptographic secret. The box interacts with the outside world by following a cryptographic protocol. The model supposes that from time to time the box is affected by a random hardware fault causing it to output incorrect values. For example, the hardware fault flips an internal register bit at some point during the computation. We show that for many digital signature and identification schemes these incorrect outputs completely expose the secrets stored in the box. We present the following results: (1) The secret signing key used in an implementation of RSA based on the Chinese Remainder Theorem (CRT) is completely exposed from a single erroneous RSA signature, (2) for non-CRT implementations of RSA the secret key is exposed given a large number (e.g. 1000) of erroneous signatures, (3) the secret key used in Fiat-Shamir ...
Checking before Output May Not Be Enough against Fault-Based Cryptanalysis
2000
Cited by 37 (2 self)
Abstract
In order to avoid fault-based attacks on cryptographic security modules (e.g., smartcards), some authors suggest that the computation results should be checked for faults before being transmitted. In this paper, we describe a potential fault-based attack where key bits leak only through the information whether the device produces after a temporary fault a correct answer or not. This information is available to the adversary even if a check is performed before output.
Elliptic Curve Cryptosystems in the Presence of Permanent and Transient Faults
Designs, Codes and Cryptography, 2003
Cited by 31 (2 self)
Abstract
Elliptic curve cryptosystems in the presence of faults were studied by Biehl, Meyer and Müller (2000). The first fault model they consider requires that the input point P in the computation of dP is chosen by the adversary. Their second and third fault models only require the knowledge of P. But these two latter models are less `practical' in the sense that they assume that only a few bits of error are inserted (typically exactly one bit is supposed to be disturbed) either into P just prior to the point multiplication or during the course of the computation in a chosen location. This paper
Chinese Remaindering Based Cryptosystems in the Presence of Faults
Journal of Cryptology
Cited by 27 (3 self)
Abstract
We present some observations on public-key cryptosystems that use the Chinese remaindering algorithm. Our results imply that careless implementations of such systems could be vulnerable. Only one faulty signature, in some explained context, is enough to recover the secret key.
Keywords. Public-key cryptosystems, Faulty computations, Chinese remaindering.
1 Introduction
In public-key cryptosystems two distinct computations can be distinguished: the computation that makes use of the secret, public key pair, and the one that only makes use of the public key. The former usually corresponds to the secret decryption or to the signature generation operation, the latter to the public encryption or to the signature verification operation. In this paper we restrict our attention to public key cryptosystems in which the former computation can be sped up using the Chinese remaindering algorithm. Examples of such cryptosystems are: RSA [16], LUC [19], KMOV [11], and Demytko's cryptosystem [6]. ...
A new CRT-RSA algorithm secure against Bellcore attacks
CCS 2003, ACM SIGSAC, ACM Press, 2003
Cited by 20 (1 self)
Abstract
In this paper we describe a new algorithm to prevent fault attacks on RSA signature algorithms using the Chinese Remainder Theorem (CRT-RSA). This variant of the RSA signature algorithm is widely used on smartcards. Smartcards on the other hand are particularly susceptible to fault attacks like the one described in [7]. Recent results have shown that fault attacks are practical and easy to accomplish ([21], [17]). Therefore, they establish a practical need for fault attack protected CRT-RSA schemes. Starting from a careful derivation and classification of fault models, we describe a new variant of the CRT-RSA algorithm. For the most realistic fault model described, we rigorously analyze the success probability of an adversary. Thereby, we prove that our new algorithm is secure against the Bellcore attack. Only once in the analysis do we need to refer to a plausible number theoretic assumption.
Categories and Subject Descriptors: B.8.1 [Reliability, Testing, and Fault-Tolerance]: fault attacks; C.3 [Special-Purpose and Application-based
Randomized signed-scalar multiplication of ECC to resist power attacks
In Cryptographic Hardware and Embedded Systems - CHES '02, LNCS, 2002
Cited by 19 (2 self)
Abstract
Recently it has been shown that smart cards as cryptographic devices are vulnerable to power attacks if they have no defence against them. Randomization on ECC scalar multiplication is one of the fundamental concepts in methods of defence against side-channel attacks. In this paper, by using the randomization concept together with the NAF recoding algorithm, we propose an efficient countermeasure for ECCs against power attacks. The countermeasure provides a randomized signed-scalar representation at every scalar multiplication to resist DPA. To protect against SPA it additionally employs a simple SPA-immune addition-subtraction multiplication algorithm. Our analysis shows that it needs no additional computation load compared to the ordinary binary scalar multiplication, where the average number of doublings plus additions for a bit length n is 1.5n+O(1).
DFA on AES
Advanced Encryption Standard - AES, 4th International Conference, AES 2004, 2003
Cited by 13 (0 self)
Abstract
In this paper we describe two different DFA attacks on the AES. The first one uses a theoretical fault model that induces a fault on only one bit of an intermediate result, hence allowing us to obtain the key by using 50 faulty ciphertexts for an AES-128. The second attack uses a more realistic fault model: we assume that we may induce a fault on a whole byte. For an AES-128, this second attack provides the key by using less than 250 faulty ciphertexts.
RSA-type Signatures in the Presence of Transient Faults
1997
Cited by 9 (5 self)
Abstract
In this paper, we show that the presence of transient faults can leak some secret information. We prove that only one faulty RSA signature is needed to recover one bit of the secret key. Thereafter, we extend this result to Lucas-based and elliptic curve systems.
Keywords. RSA, Lucas sequences, elliptic curves, transient faults.
1 Introduction
At the last Workshop on Security Protocols, Bao, Deng, Han, Jeng, Narasimhalu and Ngair from the Institute of Systems Science (Singapore) exhibited new attacks against several cryptosystems [2]. These attacks exploit the presence of transient faults. By exposing a device to external constraints, one can induce some faults with a non-negligible probability [1]. In this paper, we show that these attacks are of very general nature and remain valid for cryptosystems based on other algebraic structures. We will illustrate this topic on the Lucas-based and elliptic curve cryptosystems. Moreover, we will focus on the signature generation, reducing t...
Attacks on systems using Chinese remaindering
Journal of Cryptology, 1996
Cited by 9 (2 self)
Abstract
In September 1996, Boneh, DeMillo and Lipton [2] identified a new attack against RSA [6] when performed with Chinese remaindering. In case of computation error, they showed how to recover the secret factors p and q of the public modulus n from two signatures of the same message: the correct one and the faulty one. Independently, Lenstra [5] showed that only one message and the corresponding faulty signature were required to recover p and q. This paper shows that this attack applies to any RSA-type cryptosystem. Particularly, we show how to extend it to LUC [8] and Demytko [3] cryptosystems.