## a new CRT-RSA Algorithm Secure Against Bellcore”, CC’03

Citations: 23 - 2 self

### BibTeX

@MISC{Otto_anew,

author = {Martin Otto and Jean-Pierre Seifert and Secure Mobile Solutions},

title = {a new CRT-RSA Algorithm Secure Against Bellcore”, CC’03},

year = {}

}

### Abstract

In this paper we describe a new algorithm to prevent fault attacks on RSA signature algorithms using the Chinese Remainder Theorem (CRT-RSA). This variant of the RSA signature algorithm is widely used on smartcards. Smartcards on the other hand are particularly susceptible to fault attacks like the one described in [7]. Recent results have shown that fault attacks are practical and easy to accomplish ([21], [17]). Therefore, they establish a practical need for fault attack protected CRT-RSA schemes. Starting from a careful derivation and classification of fault models, we describe a new variant of the CRT-RSA algorithm. For the most realistic fault model described, we rigorously analyze the success probability of an adversary. Thereby, we prove that our new algorithm is secure against the Bellcore attack. Only once in the analysis do we need to refer to a plausible number theoretic assumption.

### Citations

382 | Tamper resistance - a cautionary note
- Anderson, Kuhn
- 1996
Citation Context ...he fault type), in the probability of the implied effect of an attack, and in prior work that has to be applied to the card in order to mount the attack, cf. among others [7], [16], [22], [14], [15], [1], [3], [8], [23], [2], [21]. However, the characterization of the used fault models has been simple and insufficient to derive usable frameworks for a satisfactory analysis. Therefore, we present a ch...

324 | On the Importance of Checking Cryptographic Protocols for Faults
- Boneh, DeMillo, et al.
- 1997
Citation Context ...inder Theorem (CRT-RSA). This variant of the RSA signature algorithm is widely used on smartcards. Smartcards on the other hand are particularly susceptible to fault attacks like the one described in [7]. Recent results have shown that fault attacks are practical and easy to accomplish ([21], [17]). Therefore, they establish a practical need for fault attack protected CRT-RSA schemes. Starting from a...

249 | Optimal Asymmetric Encryption
- Bellare, Rogaway
- 1993
Citation Context ...general (usually randomized) schemes that enhance the security of RSA can also prevent fault attacks or at least make them harder to realize. The most prominent of these randomization schemes is OAEP [4]. Most smartcard certification authorities, however, require that a smartcard implements a pure RSA signature algorithm that is secure without using OAEP or similar schemes. Although several software ...

186 | Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems, Cryptographic Hardware and Embedded
- Coron
- 1999
Citation Context ... m ≡ 0 mod t1. Comment. There are many possible ways to compute $m^{d_p} \bmod p\,t_1$. Algorithm 3 presents a timing and simple power attack secure version of the well-known square-and-multiply algorithm (cf. [10], [11]). The result holds for other exponentiation algorithms as well. Again, some messages are malicious, but similar to the reasoning before, the adversary can gain no advantage from this fact as he...

145 | Some problems of ‘partitio numerorum’ III: On the expression of a number as a sum of primes
- Hardy, Littlewood
- 1923
Citation Context ... that a chosen t2 does not satisfy Condition 5 is at most 1/t2. Hence, we expect very few strong prime choices. Since the density of strong primes is conjectured to be asymptotically $D \cdot x/\log^2(x)$ ([13]), the task of finding suitable ti is easy. Here D ≈ 0.6601618 is the twin prime constant. Note that it is also possible to use a modified CRT combination that can handle the case t1 = t2. Hence, it s...

77 | On the importance of eliminating errors in cryptographic computations
- Boneh, DeMillo, et al.
Citation Context ...ing might require a probability or even a distribution to be completely described. For example, some physical attacks might have a greater probability of resetting a bit than of setting that bit (see [8], [6]). No control on the location implies that a specific location is expected to be hit with a certain probability 1/(number of locations). To derive reasonable fault models, we combine parameter se...

77 | Fast decipherment algorithm for RSA public-key cryptosystem
- Quisquater, Couvreur
- 1982
Citation Context ...st. They are combined using the Chinese Remainder Theorem (CRT) as S(m) := CRT(Sp, Sq) mod N. On average, this scheme is four times faster than the direct computation via a single exponentiation, cf. [12]. The major exploit of fault attacks on smartcards performing CRT-RSA signatures is an attack first presented in [7] (and named the “Bellcore attack”). Here it is assumed that an adversary induces an ...

55 | Differential power analysis in the presence of hardware countermeasures
- Clavier, Coron, et al.
- 2000
Citation Context ...ot completely predictable for an adversary. The hardware mechanisms we are referring to include randomized clocks, memory encryption / decryption schemes, and randomized address scrambling (see [18], [9]). Like randomized schemes, these hardware features try to make fault attacks harder by randomizing the effects of a fault attack in a manner that can not be controlled or predicted by an adversary. B...

50 | Fault based cryptanalysis of the Advanced Encryption Standard (AES)
- Blomer, Seifert
Citation Context ...esets or error messages pointless. This is an important feature of our scheme, since error messages or security resets may leak important and useful information to an adversary (see for example [14], [6] for more details). Finally, unlike the scheme proposed in [24], our algorithm works with any RSA key, no restriction on the key space applies. To prove security, we present a rigorous analysis of our...

38 | Statistics and secret leakage
- Coron, Kocher, et al.
- 2000
Citation Context ... mod t1. Comment. There are many possible ways to compute $m^{d_p} \bmod p\,t_1$. Algorithm 3 presents a timing and simple power attack secure version of the well-known square-and-multiply algorithm (cf. [10], [11]). The result holds for other exponentiation algorithms as well. Again, some messages are malicious, but similar to the reasoning before, the adversary can gain no advantage from this fact as he canno...

37 | Fault attacks on RSA with CRT: Concrete results and practical countermeasures
- Aumuller, Bier, et al.
- 2002
Citation Context ...ay wish. Hence side-channel attacks like fault, power, and timing attacks, on smartcards have attracted a lot of attention. Among the side-channel attacks, fault attacks seem to be easiest to realize [2]. In particular, CRT-RSA proved to be susceptible to fault attacks. In [7] an extremely simple attack on CRT-RSA is described. Named the Bellcore attack, this attack reveals the secret factorization of...

35 | Breaking public key cryptosystems on tamper resistant devices in the presence of transient faults
- Bao, Deng, et al.
- 1997
Citation Context ...ult type), in the probability of the implied effect of an attack, and in prior work that has to be applied to the card in order to mount the attack, cf. among others [7], [16], [22], [14], [15], [1], [3], [8], [23], [2], [21]. However, the characterization of the used fault models has been simple and insufficient to derive usable frameworks for a satisfactory analysis. Therefore, we present a charact...

24 | Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems
- Coron
- 1999
Citation Context ...s m ≡ 0 mod t1. Comment. There are many possible ways to compute $m^{d_p} \bmod p\,t_1$. Algorithm 3 presents a timing and simple power attack secure version of the well-known square-and-multiply algorithm (cf. [10], [11]). The result holds for other exponentiation algorithms as well. Again, some messages are malicious, but similar to the reasoning before, the adversary can gain no advantage from this fact as he...

6 | Observability analysis: Detecting when improved cryptosystems fail
- Joye, Quisquater, et al.
Citation Context ...rity resets or error messages pointless. This is an important feature of our scheme, since error messages or security resets may leak important and useful information to an adversary (see for example [14], [6] for more details). Finally, unlike the scheme proposed in [24], our algorithm works with any RSA key, no restriction on the key space applies. To prove security, we present a rigorous analysis o...

3 | Differential power analysis in the presence of hardware countermeasures
- Clavier, Coron, et al.
- 2000
Citation Context ...ot completely predictable for an adversary. The hardware mechanisms we are referring to include randomized clocks, memory encryption / decryption schemes, and randomized address scrambling (see [18], [9]). Like randomized schemes, these hardware features try to make fault attacks harder by randomizing the effects of a fault attack in a manner that can not be controlled or predicted by an adversary. Ba...