Cryptology ePrint Archive: Report 2002/073

Fault attacks on RSA with CRT: Concrete Results and Practical Countermeasures

C. Aumüller and P. Bier and P. Hofreiter and W. Fischer and J.-P. Seifert

Abstract: This article describes concrete results and practically approved countermeasures concerning differential fault attacks on RSA using the CRT. It especially investigates smartcards with an RSA coprocessor where all hardware countermeasures to defeat such fault attacks have been switched off. This scenario has been chosen in order to completely analyze the resulting effects and errors occurring inside the hardware. Using the results of this kind of physical stress attack enables the development of completely reliable software countermeasures. Although successful RSA attacks on the investigated hardware have only been possible with expensive, enhanced laboratory equipment, the effects on the unprotected hardware have been tremendous. This caused a lot of analysis effort to investigate what really happened during the attack. Indeed, this will be addressed in this paper.

We first report on the nature of the resulting errors within the hardware due to the physical stress applied to the smartcard. Hereafter, we describe the experiments and results with a very efficient and prominent software RSA-CRT DFA countermeasure. This method could be shown to be insufficient, i.e., it detected nearly no errors, when we introduced stress at the right position during the computation. Naturally, a detailed error analysis model followed, specifying every failure point during the RSA-CRT operation. This model finally allowed us to develop and present here new, very practically oriented software countermeasures hedging against the observed and characterized fault attacks. Eventually, we present the security analysis of our newly developed software RSA-CRT DFA countermeasures. Thanks to their careful specification according to the observed and analyzed errors, they resisted all kinds of physical stress attacks and were able to detect any subtle computation error, thus preventing the smartcard from being broken by fault attacks.

Nevertheless, we stress that although our software countermeasures have been fully approved by practical experiments, we are convinced that only sophisticated hardware countermeasures like sensors and filters in combination with software countermeasures will be able to provide a secure and comfortable base to properly defeat, in general, any conceivable fault attack scenario on smartcards.

Category / Keywords: implementation / Fault attacks, Bellcore attack, Hardware security, Hardware robustness, RSA, Chinese Remainder Theorem, Spike attacks, Transient fault model, Software countermeasures

Date: received 4 Jun 2002

Contact author: Jean-Pierre Seifert at infineon com

Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

Version: 20020607:183814
