RSA speedup with residue number system immune against hardware fault cryptanalysis

Sung Ming Yen, Seung-Joo Kim, Seongan Lim, Sangjae Moon

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

40 Citations (Scopus)

Abstract

This article considers the problem of how to protect the fast RSA signature and decryption computation based on the residue number system (the CRT-based speedup) against hardware fault cryptanalysis in a highly reliable and efficient way. The CRT-based speedup for RSA signatures has been widely adopted as an implementation standard, from large servers to very small smart IC cards. However, given a single erroneous computation result, hardware fault cryptanalysis can totally break the RSA system by factoring the public modulus. Some countermeasures using a simple verification function (e.g., raising the signature to the power of the public key) or fault detection (e.g., an expanded-modulus approach) have been reported in the literature; however, this paper points out that very few of the existing solutions are both sound and efficient. Unreasonably, these methods assume that a comparison instruction will always be fault free when developing countermeasures against hardware fault cryptanalysis. Research shows that the expanded-modulus approach proposed by Shamir is superior to the approach of using a simple verification function when other physical cryptanalysis (e.g., timing cryptanalysis) is considered, so we set out to improve Shamir's method. In this paper, the new concepts of fault infective CRT computation and fault infective CRT recombination are proposed. Based on these concepts, two novel protocols are developed with rigorous proofs of security. Two possible parameter settings are provided for the protocols. One setting selects a small public key e, and the proposed protocols then have performance comparable to Shamir's scheme. The other setting has better performance than Shamir's scheme (i.e., comparable to the conventional CRT speedup) but requires a large public key.
Most importantly, we wish to emphasize the importance of developing physically secure protocols, and proving their security, without relying on unreliable or unreasonable assumptions such as always fault-free instructions.
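As an added example, not code from the paper: a Python sketch of the CRT-RSA signature the abstract describes, the single-fault factoring attack on it, and the two countermeasures the abstract contrasts (re-encryption with the public key, and an expanded-modulus check in the style of Shamir's method as it is usually described). Each countermeasure takes a flag that simulates a second fault on the comparison instruction, the assumption the abstract objects to. The key, the message and the prime r are constructed toy values; the fault model (flipping the low bit of one half-size intermediate) and the exact form of the expanded-modulus check are assumptions of this example, and the paper's own fault infective protocols are not reproduced here.

```python
from math import gcd

# Constructed toy RSA-CRT key for this demonstration only (far too small to be real).
P = 1000000007
Q = 1000000009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (needs Python >= 3.8)
D_P, D_Q = D % (P - 1), D % (Q - 1)   # half-size CRT exponents
Q_INV = pow(Q, -1, P)                 # q^-1 mod p for Garner recombination

MSG = 123456789012345678              # constructed "hashed and padded" message, < N


def garner(s_p, s_q):
    """CRT recombination of the two half-size results into S mod N."""
    h = (Q_INV * (s_p - s_q)) % P
    return (s_q + Q * h) % N


def crt_sign(m, fault_in_p=False):
    """Conventional CRT-RSA signing: two half-size exponentiations, then Garner.
    fault_in_p=True models one transient fault in the mod-p branch (assumed
    fault model: the low bit of that intermediate is flipped)."""
    s_p = pow(m, D_P, P)
    s_q = pow(m, D_Q, Q)
    if fault_in_p:
        s_p ^= 1
    return garner(s_p, s_q)


def factor_from_faulty_signature(m, s_faulty):
    """The single-fault attack: the mod-q half is intact, so S'^e == m (mod q)
    but S'^e != m (mod p); gcd(S'^e - m, N) therefore yields q."""
    return gcd((pow(s_faulty, E, N) - m) % N, N)


def sign_then_verify(m, fault_in_p=False, compare_faulted=False):
    """Countermeasure 1: re-encrypt with the public key and release only if
    S^e == m. compare_faulted=True models a second fault that skips the
    comparison, so the check is silently bypassed."""
    s = crt_sign(m, fault_in_p)
    ok = pow(s, E, N) == m
    if ok or compare_faulted:
        return s
    return None


def sign_shamir(m, r, fault_in_p=False, compare_faulted=False):
    """Countermeasure 2: expanded-modulus check in the style of Shamir's method.
    Work mod p*r and mod q*r for a random prime r; both results must agree
    mod r before the halves are reduced and recombined."""
    d_pr = D % ((P - 1) * (r - 1))    # d mod phi(p*r)
    d_qr = D % ((Q - 1) * (r - 1))    # d mod phi(q*r)
    s_pr = pow(m, d_pr, P * r)
    s_qr = pow(m, d_qr, Q * r)
    if fault_in_p:
        s_pr ^= 1
    ok = s_pr % r == s_qr % r         # a fault in either branch breaks the agreement
    if ok or compare_faulted:
        return garner(s_pr % P, s_qr % Q)
    return None


if __name__ == "__main__":
    R = 65521                          # constructed "random" prime for the demo
    good = crt_sign(MSG)
    bad = crt_sign(MSG, fault_in_p=True)
    print("good signature verifies:", pow(good, E, N) == MSG)
    print("factor from one faulty signature:", factor_from_faulty_signature(MSG, bad) == Q)
    print("verify-check withholds faulty sig:", sign_then_verify(MSG, True) is None)
    print("Shamir-check withholds faulty sig:", sign_shamir(MSG, R, True) is None)
    leaked = sign_shamir(MSG, R, fault_in_p=True, compare_faulted=True)
    print("with the compare skipped, gcd still factors N:",
          factor_from_faulty_signature(MSG, leaked) == Q)
```

Running it shows that one disturbed mod-p half leaks q through gcd(S'^e - m, N), that both countermeasures catch that single fault, and that both hinge on the final comparison executing correctly: with the comparison skipped, the faulty signature is released and the same gcd recovers the factor, which is why the abstract treats a fault-free comparison as an unreasonable assumption.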

Original language: English
Title of host publication: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Publisher: Springer Verlag
Pages: 397-413
Number of pages: 17
Volume: 2288
ISBN (Print): 3540433198, 9783540433194
Publication status: Published - 2002
Externally published: Yes
Event: 4th International Conference on Information Security and Cryptology, ICISC 2001 - Seoul, Korea, Republic of
Duration: 2001 Dec 6 - 2001 Dec 7

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 2288
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 4th International Conference on Information Security and Cryptology, ICISC 2001
Country: Korea, Republic of
City: Seoul
Period: 01/12/6 - 01/12/7

Keywords

  • Chinese remainder theorem (CRT)
  • Cryptography
  • Factorization
  • Fault detection
  • Fault infective CRT
  • Fault tolerance
  • Hardware fault cryptanalysis
  • Physical cryptanalysis
  • Residue number system
  • Side channel attack

ASJC Scopus subject areas

  • Computer Science(all)
  • Theoretical Computer Science

Cite this

Yen, S. M., Kim, S-J., Lim, S., & Moon, S. (2002). RSA speedup with residue number system immune against hardware fault cryptanalysis. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 2288, pp. 397-413). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 2288). Springer Verlag.

RSA speedup with residue number system immune against hardware fault cryptanalysis. / Yen, Sung Ming; Kim, Seung-Joo; Lim, Seongan; Moon, Sangjae.

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Vol. 2288 Springer Verlag, 2002. p. 397-413 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 2288).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Yen, SM, Kim, S-J, Lim, S & Moon, S 2002, RSA speedup with residue number system immune against hardware fault cryptanalysis. in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). vol. 2288, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 2288, Springer Verlag, pp. 397-413, 4th International Conference on Information Security and Cryptology, ICISC 2001, Seoul, Korea, Republic of, 01/12/6.
Yen SM, Kim S-J, Lim S, Moon S. RSA speedup with residue number system immune against hardware fault cryptanalysis. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Vol. 2288. Springer Verlag. 2002. p. 397-413. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).
Yen, Sung Ming ; Kim, Seung-Joo ; Lim, Seongan ; Moon, Sangjae. / RSA speedup with residue number system immune against hardware fault cryptanalysis. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Vol. 2288 Springer Verlag, 2002. pp. 397-413 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).
@inproceedings{8b14c416237e4b2e817c4ef07674ca7e,
title = "RSA speedup with residue number system immune against hardware fault cryptanalysis",
abstract = "This article considers the problem of how to protect the fast RSA signature and decryption computation based on the residue number system (the CRT-based speedup) against hardware fault cryptanalysis in a highly reliable and efficient way. The CRT-based speedup for RSA signatures has been widely adopted as an implementation standard, from large servers to very small smart IC cards. However, given a single erroneous computation result, hardware fault cryptanalysis can totally break the RSA system by factoring the public modulus. Some countermeasures using a simple verification function (e.g., raising the signature to the power of the public key) or fault detection (e.g., an expanded-modulus approach) have been reported in the literature; however, this paper points out that very few of the existing solutions are both sound and efficient. Unreasonably, these methods assume that a comparison instruction will always be fault free when developing countermeasures against hardware fault cryptanalysis. Research shows that the expanded-modulus approach proposed by Shamir is superior to the approach of using a simple verification function when other physical cryptanalysis (e.g., timing cryptanalysis) is considered, so we set out to improve Shamir's method. In this paper, the new concepts of fault infective CRT computation and fault infective CRT recombination are proposed. Based on these concepts, two novel protocols are developed with rigorous proofs of security. Two possible parameter settings are provided for the protocols. One setting selects a small public key e, and the proposed protocols then have performance comparable to Shamir's scheme. The other setting has better performance than Shamir's scheme (i.e., comparable to the conventional CRT speedup) but requires a large public key.
Most importantly, we wish to emphasize the importance of developing physically secure protocols, and proving their security, without relying on unreliable or unreasonable assumptions such as always fault-free instructions.",
keywords = "Chinese remainder theorem (CRT), Cryptography, Factorization, Fault detection, Fault infective CRT, Fault tolerance, Hardware fault cryptanalysis, Physical cryptanalysis, Residue number system, Side channel attack",
author = "Yen, {Sung Ming} and Seung-Joo Kim and Seongan Lim and Sangjae Moon",
year = "2002",
language = "English",
isbn = "3540433198",
volume = "2288",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer Verlag",
pages = "397--413",
booktitle = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

}

TY - GEN

T1 - RSA speedup with residue number system immune against hardware fault cryptanalysis

AU - Yen, Sung Ming

AU - Kim, Seung-Joo

AU - Lim, Seongan

AU - Moon, Sangjae

PY - 2002

Y1 - 2002

N2 - This article considers the problem of how to protect the fast RSA signature and decryption computation based on the residue number system (the CRT-based speedup) against hardware fault cryptanalysis in a highly reliable and efficient way. The CRT-based speedup for RSA signatures has been widely adopted as an implementation standard, from large servers to very small smart IC cards. However, given a single erroneous computation result, hardware fault cryptanalysis can totally break the RSA system by factoring the public modulus. Some countermeasures using a simple verification function (e.g., raising the signature to the power of the public key) or fault detection (e.g., an expanded-modulus approach) have been reported in the literature; however, this paper points out that very few of the existing solutions are both sound and efficient. Unreasonably, these methods assume that a comparison instruction will always be fault free when developing countermeasures against hardware fault cryptanalysis. Research shows that the expanded-modulus approach proposed by Shamir is superior to the approach of using a simple verification function when other physical cryptanalysis (e.g., timing cryptanalysis) is considered, so we set out to improve Shamir's method. In this paper, the new concepts of fault infective CRT computation and fault infective CRT recombination are proposed. Based on these concepts, two novel protocols are developed with rigorous proofs of security. Two possible parameter settings are provided for the protocols. One setting selects a small public key e, and the proposed protocols then have performance comparable to Shamir's scheme. The other setting has better performance than Shamir's scheme (i.e., comparable to the conventional CRT speedup) but requires a large public key.
Most importantly, we wish to emphasize the importance of developing physically secure protocols, and proving their security, without relying on unreliable or unreasonable assumptions such as always fault-free instructions.

KW - Chinese remainder theorem (CRT)

KW - Cryptography

KW - Factorization

KW - Fault detection

KW - Fault infective CRT

KW - Fault tolerance

KW - Hardware fault cryptanalysis

KW - Physical cryptanalysis

KW - Residue number system

KW - Side channel attack

UR - http://www.scopus.com/inward/record.url?scp=84949936541&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84949936541&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:84949936541

SN - 3540433198

SN - 9783540433194

VL - 2288

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 397

EP - 413

BT - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

PB - Springer Verlag

ER -