## Non-linear residue codes for robust public-key arithmetic (2006)

Venue: In Proc. 3rd Workshop on Fault Tolerance and Diagnosis in Cryptography (FTDC

Citations: 12 (8 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Gaubatz06non-linearresidue,
  author    = {Gunnar Gaubatz and Berk Sunar and Mark G. Karpovsky},
  title     = {Non-linear residue codes for robust public-key arithmetic},
  booktitle = {In Proc. 3rd Workshop on Fault Tolerance and Diagnosis in Cryptography (FTDC},
  year      = {2006},
  pages     = {173--184},
  publisher = {Springer}
}
```

### Abstract

We present a scheme for robust multi-precision arithmetic over the positive integers, protected by a novel family of non-linear arithmetic residue codes. These codes have a very high probability of detecting arbitrary errors of any weight. Our scheme lends itself well to straightforward implementation of standard modular multiplication techniques, i.e. Montgomery or Barrett multiplication, secure against active fault injection attacks. Due to the non-linearity of the code, the probability of detecting an error depends not only on the error pattern but also on the data. Since the latter is not usually known to the adversary a priori, a successful injection of an undetected error is highly unlikely. We give a proof of the robustness of these codes by providing an upper bound on the number of undetectable errors.
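The abstract's central claim is that a linear residue check leaves a data-independent set of undetectable errors, whereas a non-linear check makes detection depend on the data word the adversary does not know. The following example, added here and not taken from the paper or its authors, makes that concrete with a deliberately tiny check modulus p = 13 (constructed). The linear check is the classic residue x mod p; the non-linear check (x*x mod p) is a constructed stand-in used only to exhibit data dependence and is not the code family the paper defines. `checked_multiply` also shows the predictor-versus-recomputed-check comparison the citation contexts refer to: the expected check symbol of a product is predicted from the operands' check symbols and compared against the check recomputed from the (possibly faulty) result.

```python
# Illustrative arithmetic residue codes: added example, not the paper's code.
# The non-linear check used here (x*x mod p) is a constructed stand-in chosen
# only to show data-dependent detection; the paper's own code family differs.
from typing import Callable, Tuple

P = 13  # constructed, deliberately tiny check modulus (real schemes use a large p)

Check = Callable[[int], int]


def linear_check(x: int, p: int = P) -> int:
    """Classic residue code: the check symbol is the remainder of the data word."""
    return x % p


def nonlinear_check(x: int, p: int = P) -> int:
    """Constructed non-linear check: residue of the square of the data word."""
    return (x * x) % p


def encode(x: int, check: Check) -> Tuple[int, int]:
    """A codeword is the data word together with its check symbol."""
    return (x, check(x))


def is_valid(word: Tuple[int, int], check: Check) -> bool:
    """A stored codeword is accepted only if its check symbol recomputes."""
    x, c = word
    return check(x) == c


def checked_multiply(a: int, b: int, check: Check, p: int = P,
                     fault: int = 0) -> Tuple[int, bool]:
    """Multiply a*b and verify the result against a predicted check symbol.

    Both checks above are multiplicative (check(a*b) == check(a)*check(b) mod p),
    so the expected check symbol of the product is predicted from the operands'
    check symbols alone, without touching the result.  `fault` is a constructed
    additive error injected into the product to model a faulty multiplier.
    Returns (result, checks_agree); checks_agree == False means the fault was
    detected.
    """
    result = a * b + fault
    predicted = (check(a) * check(b)) % p
    recomputed = check(result)
    return result, predicted == recomputed


def undetected_count(check: Check, e: int, p: int = P,
                     data: range = range(0, 10 * P)) -> Tuple[int, int]:
    """Count the data words x in `data` for which additive error e goes unnoticed.

    Returns (undetected, total).  For the linear check the answer is all or
    nothing and depends only on e (undetected iff p divides e).  For the
    non-linear check an e not divisible by p passes only when
    e*(2x+e) == 0 mod p, i.e. for about 1/p of the data words, so an attacker
    who does not know x cannot choose an error that is reliably undetected.
    """
    undetected = sum(1 for x in data if check(x + e) == check(x))
    return undetected, len(data)


if __name__ == "__main__":
    for name, chk in (("linear", linear_check), ("non-linear", nonlinear_check)):
        for e in (5, 13):
            print(name, "e =", e, "undetected/total =", undetected_count(chk, e))
        print(name, "faulty multiply detected:",
              not checked_multiply(7, 9, chk, fault=1)[1])
```

Running the block shows the contrast the abstract describes: with the linear check the error e = 5 is caught for every data word and e = 13 is missed for every data word, while with the non-linear check e = 5 slips through for only one data word in thirteen. Note that errors which are multiples of p remain undetectable for both checks here; the paper's bound on undetectable errors is what limits that set for its actual code family.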

### Citations

354 | Tamper Resistance — a Cautionary Note
- J, Kuhn
- 1996
Citation Context: ...onable assumption, since this is a common practice, e.g. in the smart card industry. However, even if the attacker should manage to remove the shielding and obtain direct access to the chip’s surface [11], a successful fault analysis is still highly unlikely. Let us assume for a moment that he or she has the ability to toggle the state of an arbitrary number of bits with the required spatial and tempo...

75 | Analyzing and comparing Montgomery multiplication algorithms
- Koç, Acar, et al.
- 1996
Citation Context: ...st Montgomery Multiplication We now show how to apply our robust code in a digit serial Montgomery Multiplication scheme. A good overview over several variants of the Montgomery algorithm is given in [13]. In this example we will refer to the finely integrated operand scanning (FIOS) variant. It is the most suitable one for hardware implementations since it can be used in a pipelined fashion offering ...

62 | Fault-Tolerant Computing Theory and Techniques
- Pradhan
- 1982
Citation Context: ...on between the predictor output and the recomputed joint check symbol is an easy target for an attack if carelessly implemented. We therefore require implementation as a totally self-checking circuit [12]. The same holds for any other integrity checks. 5 Robust Montgomery Multiplication We now show how to apply our robust code in a digit serial Montgomery Multiplication scheme. A good overview over se...

37 | Checking before output may not be enough against fault-based cryptanalysis
- Yen, Joye
Citation Context: .... However, it was shown to be flawed by Aumüller et al. [2], since it does not protect all steps of the computation. More advanced protection schemes were proposed by Blömer et al. [3] and Yen et al. [4], and there exist claims that some of them can be broken, too [5], although this seems to be disputed. Apart from Bellcore style attacks there exists another type of fault attack, which is aimed at co...

31 | Fault attacks on RSA with CRT: Concrete results and practical countermeasures
- Aumüller, Bier, et al.
- 2002
Citation Context: ...ss of attacks now commonly referred to as “Bellcore attacks”. In the following a simple and “low-cost” countermeasure was proposed by Shamir [1]. However, it was shown to be flawed by Aumüller et al. [2], since it does not protect all steps of the computation. More advanced protection schemes were proposed by Blömer et al. [3] and Yen et al. [4], and there exist claims that some of them can be broken...

29 | Robust Protection Against Fault-Injection Attacks
- Karpovsky, Kulikowski, et al.
Citation Context: ...A family of systematic non-linear error detecting codes, termed ‘robust codes’, was derived from systematic linear block codes in [6]. Their use in symmetric ciphers like the AES has been proposed in [7] and later refined in [8]. The robustness of these codes is due to the much more uniform error detection capabilities these codes offer, which is independent of the error multiplicity. Furthermore, th...

25 | New class of nonlinear systematic error detecting codes, Information Theory
- Karpovsky, Taubin
- 2004
Citation Context: ...monstrates the urgent need for a truly robust error detection scheme. A family of systematic non-linear error detecting codes, termed ‘robust codes’, was derived from systematic linear block codes in [6]. Their use in symmetric ciphers like the AES has been proposed in [7] and later refined in [8]. The robustness of these codes is due to the much more uniform error detection capabilities these codes ...

20 | A new CRT-RSA algorithm secure against Bellcore attacks
- Blömer, Otto, et al.
- 2003
Citation Context: ...posed by Shamir [1]. However, it was shown to be flawed by Aumüller et al. [2], since it does not protect all steps of the computation. More advanced protection schemes were proposed by Blömer et al. [3] and Yen et al. [4], and there exist claims that some of them can be broken, too [5], although this seems to be disputed. Apart from Bellcore style attacks there exists another type of fault attack, w...

18 | Method and Apparatus for Protecting Public Key Schemes from Timing and Fault Attack
- Shamir
- 1999
Citation Context: ...tations of public-key cryptographic algorithms are to a class of attacks now commonly referred to as “Bellcore attacks”. In the following a simple and “low-cost” countermeasure was proposed by Shamir [1]. However, it was shown to be flawed by Aumüller et al. [2], since it does not protect all steps of the computation. More advanced protection schemes were proposed by Blömer et al. [3] and Yen et al. ...

14 | Arithmetic codes with large distance
- Mandelbaum
- 1967
Citation Context: ...sidue and non-separate (AN) codes were also introduced early on. Designed for the purpose of detecting only sporadically occurring bit errors, their arithmetic distance is limited to 2 or 3. Mandelbaum [10] introduced arithmetic codes with larger distance properties, however, with an unattractively large amount of redundancy. Unfortunately, due to the linear encoding scheme, standard arithmetic residue ...

10 | Versatile Montgomery Multiplier Architectures (master’s thesis)
- Gaubatz
- 2002
Citation Context: ... to the finely integrated operand scanning (FIOS) variant. It is the most suitable one for hardware implementations since it can be used in a pipelined fashion offering some degree of parallelization [14]. Algorithm 1 k-bit Digit-Serial FIOS Montgomery Multiplication. Require: d = {0, …, 0}, M'_0 = −M_0^(−1) mod 2^k. 1: for j = 0 to e − 1 do 2: (C,S) ⇐ a_0 b_j + d_0 3: U ⇐ S M'_0 mod 2^k 4: (C,S) ⇐ (C, S...

9 | Cryptanalysis of a provably secure CRT-RSA algorithm
- Wagner
- 2004
Citation Context: ...e it does not protect all steps of the computation. More advanced protection schemes were proposed by Blömer et al. [3] and Yen et al. [4], and there exist claims that some of them can be broken, too [5], although this seems to be disputed. Apart from Bellcore style attacks there exists another type of fault attack, which is aimed at common countermeasures to passive attacks. In order to prevent powe...

5 | Robust Codes for Fault Attack Resistant Cryptographic Hardware
- Kulikowski, Karpovsky, et al.
- 2005
Citation Context: ...n-linear error detecting codes, termed ‘robust codes’, was derived from systematic linear block codes in [6]. Their use in symmetric ciphers like the AES has been proposed in [7] and later refined in [8]. The robustness of these codes is due to the much more uniform error detection capabilities these codes offer, which is independent of the error multiplicity. Furthermore, the probability Q(e) of an ...

5 | Cyclic and multiresidue codes for arithmetic operations
- Rao, Garcia
- 1971
Citation Context: ...are virtually unusable within the finite field arithmetic structure that forms the basis of most public-key algorithms. During the early years of fault-tolerant computing, residue codes were proposed [9] as a means for checking arithmetic operations for errors, while preserving the integrity between operands and their check symbols. The check symbol in residue codes is computed as the remainder of th...