## On the Importance of Checking Cryptographic Protocols for Faults (1997)

Citations: 289 (6 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Boneh97onthe,
  author    = {Dan Boneh and Richard A. DeMillo and Richard J. Lipton},
  title     = {On the Importance of Checking Cryptographic Protocols for Faults},
  booktitle = {},
  year      = {1997},
  pages     = {37--51},
  publisher = {Springer-Verlag}
}
```

### Abstract

We present a theoretical model for breaking various cryptographic schemes by taking advantage of random hardware faults. We show how to attack certain implementations of RSA and Rabin signatures. An implementation of RSA based on the Chinese Remainder Theorem can be broken using a single erroneous signature. Other implementations can be broken using a larger number of erroneous signatures. We also analyze the vulnerability to hardware faults of two identification protocols: Fiat-Shamir and Schnorr. The Fiat-Shamir protocol can be broken after a small number of erroneous executions of the protocol. Schnorr's protocol can also be broken, but a larger number of erroneous executions is needed.

Keywords: Hardware faults, Cryptanalysis, RSA, Fiat-Shamir, Schnorr, Public key systems, Identification protocols.

1 Introduction

Direct attacks on the famous RSA cryptosystem seem to require that one factor the modulus. Therefore, it is interesting to ask whether there are attacks that avoid this....
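The abstract's central point, that an RSA-CRT signer must check its own output because one faulty signature suffices to break it, is easier to see in code. The following is an added example written for this page; it is not code from the paper or its authors. It uses constructed toy primes (far too small for real use), a `fault` parameter that merely simulates a transient fault by flipping one bit of one CRT half (a real device has no such hook), and a `verify`-before-release check of the kind the paper recommends. The last function shows why the check is needed: the gcd observation attributed to Lenstra in the citation contexts further down this page recovers a prime factor from a single unchecked faulty signature.

```python
from math import gcd

# Constructed toy parameters for illustration only: two small primes, far below
# any real key size. The structure of the check does not depend on the size.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (needs Python >= 3.8)

# CRT private parameters, as an RSA-CRT implementation would precompute them.
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)


def crt_sign_unchecked(m, fault=None):
    """RSA-CRT signature of m with no result check.

    `fault` is an assumed hook that simulates a transient hardware fault by
    flipping one bit of the intermediate result computed modulo P ('p') or
    modulo Q ('q'); a real device has no such parameter.
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault == 'p':
        sp ^= 1
    elif fault == 'q':
        sq ^= 1
    h = (QINV * (sp - sq)) % P          # Garner recombination
    return sq + h * Q


def verify(m, s):
    """Public verification: s^e must equal m modulo N."""
    return pow(s, E, N) == m


def crt_sign_checked(m, fault=None):
    """The countermeasure the paper calls for: check the result before release.

    Raises instead of returning a signature that fails verification.
    """
    s = crt_sign_unchecked(m, fault)
    if not verify(m, s):
        raise RuntimeError("signature failed self-check; withheld")
    return s


def factor_from_faulty_signature(m, s_bad):
    """Why the check matters (Lenstra's observation, cited on this page):
    if exactly one CRT half was faulty, s_bad^e == m holds modulo the other
    prime only, so gcd(s_bad^e - m, N) is that prime. Returns the factor,
    or None if the signature was in fact correct."""
    g = gcd((pow(s_bad, E, N) - m) % N, N)
    return g if 1 < g < N else None


if __name__ == "__main__":
    m = 123456789                        # constructed message representative
    print("checked signer releases a valid signature:", verify(m, crt_sign_checked(m)))
    s_bad = crt_sign_unchecked(m, fault='p')
    print("factor leaked by one unchecked faulty signature:",
          factor_from_faulty_signature(m, s_bad))
    try:
        crt_sign_checked(m, fault='p')
    except RuntimeError as err:
        print("checked signer under the same fault:", err)
```

The self-check costs one public-exponent exponentiation, which is cheap for small `e`; the citation context for Shamir's rump-session result below notes that standard verification is the natural check when `e` is small. Note that the check must cover the recombined result, not only the two halves, since a fault injected during recombination would otherwise go unnoticed.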

### Citations

583 | Efficient Signature Generation by Smart Cards
- Schnorr
- 1991

Citation context: ...w erroneous executions of the protocol enable an adversary to completely recover the private key of the party trying to authenticate itself. Similar results hold for Schnorr's identification protocol [16] though a larger number of erroneous executions is necessary. Both attacks use faults that corrupt the prover while waiting for a challenge from the verifier. In case the prover is a smartcard the adv...

414 | Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems
- Kocher
- 1996

Citation context: ...tosystem seem to require that one factor the modulus. Therefore, it is interesting to ask whether there are attacks that avoid this. The answer is yes: the first was the recent attack based on timing [13]. It was observed that a few bits could be obtained from the time that operations took. This would allow one to break the system without factoring. We have a new type of attack that also avoids direct...

354 | Tamper Resistance — a Cautionary Note
- Anderson, Kuhn
- 1996

Citation context: ...y to purposely induce hardware faults. For instance, one may attempt to attack a tamper-resistant device by deliberately causing it to malfunction. See the informative discussion by Anderson and Kuhn [1] for more information on how to tamper with tamper resistant devices. We show that the erroneous cryptographic values computed by the device (e.g. erroneous RSA signatures) enable the adversary to ext...

329 | The Exact Security of Digital Signatures: How to Sign with RSA and Rabin
- Bellare, Rogaway
- 1996

Citation context: ...l memory by adding some error detection bits (e.g. CRC). Another way to prevent our attack on RSA signatures is the use of random padding. See for instance the system suggested by Bellare and Rogaway [4]. In such schemes the signer appends random bits to the message to be signed. To verify the RSA signature the verifier raises the signature to the power of the public exponent and verifies that the me...

310 | Zero-knowledge Proof of Identity
- Feige, Fiat, et al.
- 1988

Citation context: ...system though many more erroneous signatures are required. In Sections 4 and 5 we discuss the vulnerability of two identification schemes to hardware faults. For the Fiat-Shamir identification scheme [7] we show how a few erroneous executions of the protocol enable an adversary to completely recover the private key of the party trying to authenticate itself. Similar results hold for Schnorr's identif...

289 | Digitalized Signatures and Public-Key Functions as Intractable as Factorization, Research Report
- Rabin
- 1979

Citation context: ...ity of such faults is small so that only a small number of them occur during the computation. Our attack is effective against several cryptographic schemes such as the RSA system and Rabin signatures [15] as well as several identification schemes. As expected, the effectiveness of the attack depends on the exact implementation of each of these schemes. For an implementation of RSA based on the Chinese...

226 | Low Cost Attacks on Tamper Resistant Devices
- Anderson, Kuhn
- 1997

Citation context: ...r cryptographic systems. Biham and Shamir [5] presented elegant and novel attacks on DES. Some of their techniques can be used to recover the secret key of a totally unknown cipher. Anderson and Kuhn [2] used a different fault model to obtain powerful attacks. Bao et al. [3] devised fault attacks against DSS and several other signature schemes. Joye and Quisquater [12] noted that the CRT attacks (des...

217 | Differential Fault Analysis of Secret Key Cryptosystems
- Biham, Shamir
- 1997

Citation context: ...Thus, precise timing of the induced fault is not necessary. Since the initial publication of our results several authors devised fault-based attacks on other cryptographic systems. Biham and Shamir [5] presented elegant and novel attacks on DES. Some of their techniques can be used to recover the secret key of a totally unknown cipher. Anderson and Kuhn [2] used a different fault model to obtain po...

200 | A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing both Transmission and Memory
- Guillou, Quisquater
- 1988

Citation context: ...emes as well. For instance, we explained how the Fiat-Shamir and Schnorr identification protocols may be broken using hardware faults. The same applies to the Guillou-Quisquater identification scheme [10] though we do not give the details here. Verifying the computation and protecting internal storage using error detection bits defeats attacks based on hardware faults. We hope that this paper demonstr...

32 | Breaking Public Key Cryptosystems and Tamper Resistant Devices
- Bao, Deng, et al.

Citation context: ...l attacks on DES. Some of their techniques can be used to recover the secret key of a totally unknown cipher. Anderson and Kuhn [2] used a different fault model to obtain powerful attacks. Bao et al. [3] devised fault attacks against DSS and several other signature schemes. Joye and Quisquater [12] noted that the CRT attacks (described in the next section) can also be mounted against several elliptic...

20 | Memo on RSA Signature Generation in the Presence of Faults
- Lenstra
- 1996

Citation context: ...akes no difference what type of fault or how many faults occur in the computation of E_1. All we rely on is the fact that faults occur in the computation modulo only one of the primes. Arjen Lenstra [14] observed that one faulty signature of a known message M is sufficient. For completeness we describe Lenstra's improvement here. Let E = M^s mod N. Let Ê be a faulty signature obtained under the same...

10 | Witness Based Cryptographic Program Checking and Robust Function Sharing
- Frankel, Gemmell, et al.

Citation context: ...re necessary for security reasons. Methods of program checking [6] may come in useful when verifying computations in cryptographic protocols. Specifically, a recent result of Frankel, Gemmell and Yung [9] could prove useful in this context. An obvious open problem is whether the attacks described in this paper can be improved. That is, can one mount a successful attack using fewer faults? For instance...

9 | Attacks on Systems Using Chinese Remaindering
- Joye, Quisquater
- 1996

Citation context: ...nknown cipher. Anderson and Kuhn [2] used a different fault model to obtain powerful attacks. Bao et al. [3] devised fault attacks against DSS and several other signature schemes. Joye and Quisquater [12] noted that the CRT attacks (described in the next section) can also be mounted against several elliptic curve systems. Finally, Zheng and Matsumoto [18] and Johnson [11] showed how faults in the rand...

3 | How to Check Modular Exponentiation, Rump Session, Eurocrypt '97
- Shamir
- 1997

Citation context: ...ility of RSA/CRT checking appears to be necessary whenever it is used. This is especially true for Certification Authorities where a single transient fault could leak the private key. Recently Shamir [17] presented an ingenious method for verifying signatures generated by the RSA/CRT method. When the public exponent e is small (e.g. 3) standard verification (i.e. raising the signature to the power of...

2 | Breaking Smartcard Implementations of ElGamal Signatures and Its Variants, Rump Session, AsiaCrypt '96, preprint available at http://www.pscit.monash.edu.au/~yuliang
- Zheng, Matsumoto

Citation context: ...l other signature schemes. Joye and Quisquater [12] noted that the CRT attacks (described in the next section) can also be mounted against several elliptic curve systems. Finally, Zheng and Matsumoto [18] and Johnson [11] showed how faults in the random number generator can be used to attack various systems. It is important to emphasize that the attacks described in this paper are currently theoretica...

1 | Program Result Checking, in Proc. of 35th Annual Symposium on Foundations of Computer Science
- Blum, Wasserman
- 1994

Citation context: ...l storage using error detection bits defeats attacks based on hardware faults. We hope that this paper demonstrates that these measures are necessary for security reasons. Methods of program checking [6] may come in useful when verifying computations in cryptographic protocols. Specifically, a recent result of Frankel, Gemmell and Yung [9] could prove useful in this context. An obvious open problem is...