## Parallel FPGA implementation of RSA with residue number systems – can side-channel threats be avoided (2003)

Venue: 46th International Midwest Symposium on Circuits and Systems: MWSCAS '03

Citations: 10 (0 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Ciet03parallelfpga,
  author    = {Mathieu Ciet and Michael Neve and Eric Peeters and Jean-Jacques Quisquater},
  title     = {Parallel FPGA implementation of RSA with residue number systems -- can side-channel threats be avoided},
  booktitle = {46th International Midwest Symposium on Circuits and Systems: MWSCAS '03},
  year      = {2003}
}
```


### Abstract

In this paper, we present a new parallel architecture to avoid side-channel analysis such as timing attacks, simple/differential power analysis, fault induction attacks and simple/differential electromagnetic analysis. We use a Montgomery multiplication based on Residue Number Systems (RNS). Thanks to RNS, we develop a design able to perform an RSA signature in parallel on a set of identical and independent coprocessors. Of independent interest, we propose a new DPA countermeasure for RNS-based implementations that costs only a small amount of additional memory. Finally, we synthesized our new architecture on FPGA and it shows promising performance results. Even though our aim is to sketch a secure architecture, the RSA signature is performed in less than 150 ms, with competitive hardware resources. To our knowledge, this is the first proposal of an architecture counteracting electromagnetic analysis apart from hardware countermeasures reducing electromagnetic radiation.

### Citations

664 | Differential power analysis - Kocher, Jaffe, et al. - 1999 |
Citation Context: ...quires hardware and software countermeasures. We consider here countermeasures that can be directly added in the design of a processor. Kocher et al. introduced the notion of side-channel analysis in [23,24] and showed the importance for an implementation to be resistant against side-channel analysis and leakages from power consumption. Resistance against fault analysis [11,12] is another issue: sensitiv...

414 | Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems - Kocher - 1996 |
Citation Context: ...quires hardware and software countermeasures. We consider here countermeasures that can be directly added in the design of a processor. Kocher et al. introduced the notion of side-channel analysis in [23,24] and showed the importance for an implementation to be resistant against side-channel analysis and leakages from power consumption. Resistance against fault analysis [11,12] is another issue: sensitiv...

289 | On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract). Eurocrypt ’97 - Boneh, DeMillo, et al. - 1997 |

217 | Differential Fault Analysis of Secret Key Cryptosystems - Biham, Shamir - 1997 |
Citation Context: ...f side-channel analysis in [23,24] and showed the importance for an implementation to be resistant against side-channel analysis and leakages from power consumption. Resistance against fault analysis [11,12] is another issue: sensitive information may leak when the cryptosystem operates under unexpected conditions. More recently, in [17,29] a new type of analysis has been found, based on electromagnetic ...

59 | On the importance of eliminating errors in cryptographic computations - Boneh, DeMillo, et al. |
Citation Context: ...f side-channel analysis in [23,24] and showed the importance for an implementation to be resistant against side-channel analysis and leakages from power consumption. Resistance against fault analysis [11,12] is another issue: sensitive information may leak when the cryptosystem operates under unexpected conditions. More recently, in [17,29] a new type of analysis has been found, based on electromagnetic ...

57 | Electromagnetic Analysis: Concrete Results - Gandolfi, Mourtel, et al. - 2001 |
Citation Context: ...akages from power consumption. Resistance against fault analysis [11,12] is another issue: sensitive information may leak when the cryptosystem operates under unexpected conditions. More recently, in [17,29] a new type of analysis has been found, based on the electromagnetic radiation of the processor while a crypto-algorithm is processed (see also [3]), called ElectroMagnetic Analysis. In this paper, we tr...

48 | Low-cost solutions for preventing simple side-channel analysis: Side-channel atomicity - Chevallier-Mames, Ciet, et al. - 2004 |
Citation Context: ...ical treatment of several power traces, see [2, 8, 13]. This is called Differential Power Analysis (DPA for short). To avoid SPA, a variant of the 'square-and-multiply always' algorithm has been used [14]. Randomization of the message and of the exponent is classically applied to defeat DPA. However, thanks to RNS, independent randomization for each base can be performed. Another efficient DPA counte...

31 | Fault attacks on RSA with CRT: Concrete results and practical countermeasures - Aumüller, Bier, et al. - 2002 |
Citation Context: ...rst proposed by Yen et al. in [43], see also [9, 44]. To our knowledge, this is the best way to prevent fault attack against DFA, since no "if" test is needed, contrary to some other efficient methods [4, 34, 35]. The second one is directly related to the use of RNS. Single-error detection can be done using a redundant modulus $m_r$ such that $\forall i \in \{1, \dots, k\},\ m_i < m_r$. The error is detected by checking if the convert...

29 | Design of an efficient public-key cryptographic library for RISC-based smart cards - Dhem - 1998 |
Citation Context: ...own side-channel analysis is the Timing Attack presented by Kocher [23], see also [32] in the case of use of CRT. The countermeasures consist of a modification of the well-known Montgomery multiplication [16, 18, 40, 41], i.e. avoiding the final subtraction so as to obtain timing-independent processes. Another side-channel analysis uses power consumption, suggested by Kocher et al. in [24]. Two families have to be...

20 | A new CRT-RSA algorithm secure against Bellcore attacks - Blömer, Otto, et al. - 2003 |
Citation Context: ...t Induction Attacks (also sometimes 'Differential Fault Analysis', DFA for short) [11, 12]. We decided to combine two countermeasures. The first one was first proposed by Yen et al. in [43], see also [9, 44]. To our knowledge, this is the best way to prevent fault attack against DFA, since no "if" test is needed, contrary to some other efficient methods [4, 34, 35]. The second one is directly related to t...

17 | IEEE Std 1363-2000, IEEE Standard Specifications for Public-Key Cryptography |
Citation Context: ...Counter-measures, FPGA implementations. 1 Introduction Implementation of public key cryptography requires the manipulation of large numbers, typically 1024 bits for most current applications like RSA [1]. That is the reason why Residue Number Systems (RNS for short) can be very useful. RNS have the main advantage of fast additions, fast ... (footnote ⋆: The original paper has been published in the Proceedings of th...)

11 | Ways to Enhance Differential Power Analysis - Bevan, Knudsen - 2003 |
Citation Context: ...t one uses a single trace of a power consumption and is called Simple Power Analysis (SPA for short). The second one is more sophisticated and needs statistical treatment of several power traces, see [2, 8, 13]. This is called Differential Power Analysis (DPA for short). To avoid SPA, a variant of the 'square-and-multiply always' algorithm has been used [14]. Randomization of the message and of the exponent...

10 | The EM side-channel(s) - Agrawal, Archambeault, et al. - 2002 |
Citation Context: ...ates under unexpected conditions. More recently, in [17,29] a new type of analysis has been found, based on the electromagnetic radiation of the processor while a crypto-algorithm is processed (see also [3]), called ElectroMagnetic Analysis. In this paper, we try to tackle the problem at its root in order to design an architecture that can resist some side-channel attacks. A design able to perform an R...

10 | Integer division in residue number systems - Hitz, Kaltofen - 1995 |
Citation Context: ...of an integer X smaller than M, such that: $X = x'_1 + x'_2 m_1 + x'_3 m_1 m_2 + \dots + x'_k \prod_{i=1}^{k-1} m_i$. 7. Comparison and division are very difficult operations to perform on the RNS representation [19, 20, 39]. That is the reason why Montgomery multiplication is well suited to RNS. 3 Montgomery Multiplication in RNS In 1985, Montgomery introduced a method [26], widely used nowadays, for modular multiplicat...

9 | More generalized Mersenne numbers - Chung, Hasan - 2003 |

5 | Optimal Statistical Power Analysis (Cryptology ePrint Archive) - Brier, Clavier, et al. |
Citation Context: ...t one uses a single trace of a power consumption and is called Simple Power Analysis (SPA for short). The second one is more sophisticated and needs statistical treatment of several power traces, see [2, 8, 13]. This is called Differential Power Analysis (DPA for short). To avoid SPA, a variant of the 'square-and-multiply always' algorithm has been used [14]. Randomization of the message and of the exponent...

4 | Montgomery exponentiation with no final subtractions: Improved results - Hachez, Quisquater - 2000 |
Citation Context: ...own side-channel analysis is the Timing Attack presented by Kocher [23], see also [32] in the case of use of CRT. The countermeasures consist of a modification of the well-known Montgomery multiplication [16, 18, 40, 41], i.e. avoiding the final subtraction so as to obtain timing-independent processes. Another side-channel analysis uses power consumption, suggested by Kocher et al. in [24]. Two families have to be...

3 | Cox-Rower architecture for fast parallel Montgomery multiplication - Kawamura, Koike, et al. - 2000 |
Citation Context: ...propose a full hardware implementation of RSA with RNS in [30]. They describe a new RNS base extension algorithm and implement the whole system in an LSI prototype based on the Cox-Rower architecture [22], which lies in an efficient base conversion. Another important objective for crypto-algorithm implementation is to counteract side-channel analysis. Physical and side-channel attacks refer to attacks...

2 | Power analysis, what is now possible - 2000 |
Citation Context: ...t one uses a single trace of a power consumption and is called Simple Power Analysis (SPA for short). The second one is more sophisticated and needs statistical treatment of several power traces, see [2, 8, 13]. This is called Differential Power Analysis (DPA for short). To avoid SPA, a variant of the 'square-and-multiply always' algorithm has been used [14]. Randomization of the message and of the exponent...

1 | Modular Multiplication and Base ... - Bajard, Didier, Kornerup - 1998 |
Citation Context: ...FRIA Belgium fund. ...multiplications, carry-free, high speed arithmetic, some fault detection, possible error correction and foremost parallel implementations. Many studies have been carried out on RNS [5, 6, 30, 31, 33], but, as far as we know, only Kawamura et al. propose a full hardware implementation of RSA with RNS in [30]. They describe a new RNS base extension algorithm and implement the whole system in an LSI...

1 | Fast RNS division algorithms for fixed divisors with application to RSA encryption - Hung, Parhami - 1994 |
Citation Context: ...of an integer X smaller than M, such that: $X = x'_1 + x'_2 m_1 + x'_3 m_1 m_2 + \dots + x'_k \prod_{i=1}^{k-1} m_i$. 7. Comparison and division are very difficult operations to perform on the RNS representation [19, 20, 39]. That is the reason why Montgomery multiplication is well suited to RNS. 3 Montgomery Multiplication in RNS In 1985, Montgomery introduced a method [26], widely used nowadays, for modular multiplicat...

1 | A full RNS implementation of RSA (Research Report 02068, LIRMM) - Imbert, Bajard |