The present invention relates generally to cryptography, and in particular to a countermeasure against fault attacks in RSA-based or discrete-log based cryptography.
This section is intended to introduce the reader to various aspects of art, which may be related to various aspects of the present invention that are described and/or claimed below. This discussion is believed to be helpful in providing the reader with background information to facilitate a better understanding of the various aspects of the present invention. Accordingly, it should be understood that these statements are to be read in this light, and not as admissions of prior art.
Throughout the application, the RSA cryptosystem will be used as an illustrative, non-limitative example, but it will be appreciated that the problem and its solution can for example be readily extended to cryptosystems based on discrete logarithms like for example the Diffie-Hellman key exchange and the ElGamal encryption scheme.
It is well known that the RSA cryptosystem, particularly when implemented using Chinese remaindering, is sensitive to fault attacks. This holds true for plain RSA but also for versions using a provable secure padding.
An efficient way to preclude fault attacks was proposed by Vigilant [see RSA with CRT: A new cost-effective solution to thwart fault attacks. In E. Oswald and P. Rohatgi, editors, Cryptographic Hardware and Embedded Systems—CHES 2008, volume 5154 of Lecture Notes in Computer Science, pages 130-145. Springer, 2008].
Vigilant's method works as follows. On input x and d, one has to compute S=xd mod N (or xd mod {p, q} in CRT mode), where the modulus N is a product of two chosen prime number p and q.
1. Choose a random integer r co-prime to N;
2. Compute β=N(N−1 mod r2) and a=1−β mod Nr2;
3. Compute {circumflex over (x)}=ax+β(1+r) mod Nr2 and {circumflex over (N)}=Nr2;
4. Compute Sr={circumflex over (x)}d mod {circumflex over (N)};
5. If Sr≡1+dr(mod r2) then return S=Sr mod N; otherwise return an error message.
Vigilant's countermeasure works well to some extent, but it suffers from drawbacks: it involves the computation of a modular inverse (in step 2) and it extends the modulus (which is unavoidable) in a random manner. Since the modular inverse and the extension of the modulus depend on the random number, they are different from one exponentiation to the next.
It will thus be appreciated that it is desired to have a countermeasure that does not involve the computation of the modular inverse as Vigilant does. The present invention provides a countermeasure that overcomes at least some of the disadvantages of Vigilant's countermeasure.
In a first aspect, the invention is directed to a method of performing fault-resistant exponentiation using an input x, a secret exponent d and a modulus N to obtain a result S. A processor having a predetermined value r: receives the input x; computes an intermediate result Sr using modular exponentiation involving the secret exponent d, an extended base 2 and an extended modulus {circumflex over (N)}, wherein the extended base {circumflex over (x)} is computed using the input x and a random value a, and wherein the extended modulus {circumflex over (N)} is computed using the modulus N and the predetermined value r and is independent of the random value a; verifies that Sr satisfies an equation involving the random value a calculated modulus a multiple of the predetermined value r, and returns the result S=Sr mod N if and only if the verifying is successful.
In a first embodiment, the processor further chooses the random element a.
In a second embodiment, the random value a ε/r.
In a third embodiment, the processor further computes the extended base {circumflex over (x)}=x+N·[iN(1+ar−x)mod t], wherein iN=N−1 mod t is a modular inverse, t is co-prime to the modulus N and t=br2, where r and b are integers. It is advantageous that the processor further computes the extended modulus {circumflex over (N)}=Nt.
In a fourth embodiment, the intermediate value Sr is calculated as Sr={circumflex over (x)}d mod {circumflex over (N)}.
In a fifth embodiment, the equation that the intermediate value Sr is to satisfy is Sr≡1+dar(mod r2).
In a second aspect, the invention is directed to a device for performing exponentiation using an input x, a secret exponent d and a modulus N to obtain a result S, the exponentiation being resistant to fault attacks. The device comprises: an interface configured to received the input x and to output the result S; and a processor configured to: compute an intermediate result Sr using modular exponentiation involving the secret exponent d, an extended base {circumflex over (x)} and an extended modulus {circumflex over (N)}, wherein the extended base {circumflex over (x)} is computed using the input x and a random value a, and wherein the extended modulus {circumflex over (N)} is computed using the modulus N and a predetermined value r and is independent of the random value a, wherein the processor is configured to use the predetermined value r for a plurality of exponentiations; verify that Sr satisfies an equation involving the random value a calculated modulus a multiple of the predetermined value r, and send the result S=Sr mod N to the interface (110) if and only if the verifying is successful.
In a first embodiment, the processor is further configured to choose the random element a.
In a second embodiment, the random value a ε/r.
In a third embodiment, the processor is further configured to compute the extended base {circumflex over (x)}=x+N·[iN(1+ar−x)mod t], wherein iN=N−1 mod t is a modular inverse, t is co-prime to the modulus N and t=br2, where r and b are integers.
In a fourth embodiment, the device is one of: a computer, a mobile telephone, a Smartphone, a tablet and a gateway.
In a fifth embodiment, the processor is configured to calculate the intermediate value Sr as Sr={circumflex over (x)}d mod {circumflex over (N)}.
In a sixth embodiment, the equation that the intermediate value Sr is to satisfy is Sr≡1+dar(mod r2).
In a third aspect, the invention is directed to a non-transitory computer medium storing instructions that, when executed by a processor, perform the method of the first aspect.
Preferred features of the present invention will now be described, by way of non-limiting example, with reference to the accompanying drawings, in which:
It will be appreciated that, given a random integer r, Vigilant's countermeasure transforms input base x into extended base {circumflex over (x)} such that
As already mentioned, apart from the computation of the modular inverse in step 2, a further drawback is that the extended modulus Nr2 is constructed at random, which can contradict its efficient use. Indeed, some exponentiation algorithms impose conditions on the modulus. As a consequence, the extended modulus must then usually be further enlarged to comply with these conditions.
A main idea of the present invention is thus to construct a “random” element modulo r2 for a fixed element r (and thus a fixed extended modulus {circumflex over (N)}). In other words, the extended modulus is now predetermined for a chosen, fixed r. This way, both the computation of the modular inverse can be avoided (it can be calculated once and for all) and the extended modulus can be selected so as to comply with the conditions imposed on the modulus. For security, randomness is needed. In Vigilant's method, randomness is introduced by the choice of r. Note that in the present invention, since r is fixed, randomness is needed elsewhere; this is why the extended base modulo r2 (i.e., {circumflex over (x)} mod r2) is chosen as a random element, as opposed to Vigilant's method. Indeed, if r were fixed in Vigilant's method then so would be {circumflex over (x)} mod r2, namely {circumflex over (x)}≡130 r(mod r2).
As for the exponentiation algorithm (which, it is again pointed out, is compatible with RSA as a non-limitative example), it is first to be noted and easily verified that (1+r) generates the subgroup G1={x ε/r2|x≡1(mod r)}. The elements of G1 are 1+a·r with a ε {0, . . . , r−1}.
As already mentioned, the preferred embodiment uses an a priori selected integer r. In order to provide the countermeasure, a random element a ε {0, . . . , r−1} is chosen and the extended base {circumflex over (x)} is formed such that
This can easily be generalized to an a priori selected integer t=br2 (where b is an integer>0 that can be squarefree or not).
For the a priori selected integer t=br2 co-prime to N, the processor 110 obtains or computes a modular inverse iN =N−1 mod t.
The device 100 is then ready to perform modular exponentiation resistant to fault attacks, using an input x received via the interface 110 and a (secret) exponent d, as follows and as illustrated in
S1. Choose a random element a ε/r;
S2. Compute {circumflex over (x)}=x+N·[iN(1+ar −x)mod t];
S3. Compute {circumflex over (N)}=Nt;
S4. Compute Sr={circumflex over (x)}dmod{circumflex over (N)};
S5. Verify if Sr≡1+dar(mod r2).
S6. If and only if so, return S=Sr mod N via the interface 110; otherwise return an error message.
It is worth noting that since t is fixed, the value of iN can be precomputed. No modular inverse is therefore required for the evaluation of {circumflex over (x)}.
As will be shown, the method of the present invention nicely combines with existing implementations. For example, Quisquater's algorithm [see U.S. Pat. No. 5,166,978, Encoding system according to the so-called RSA method, by means of a microcontroller and arrangement implementing this system]—used in all Philips's (now NXP) co-processors—requires a modulus with its c most significant bits equal to 1. This can be achieved by multiplying modulus N by some appropriately chosen factor δ [see M. Joye. On Quisquater's multiplication algorithm. In D. Naccache, editor, Cryptography and Security: From Theory to Applications, volume 6805 of Lecture Notes in Computer Science, pages 3-7. Springer, 2012].
Applied to the proposed method, it is for example possible to set t=δ. In this particular case, it is worth noting that the countermeasure comes virtually for free (as no extra working memory is required and the overall cost is very low).
It will thus be appreciated that the present invention can provide a countermeasure that does not require inversion (apart from the one that can be pre-computed), which is the main bottleneck in Vigilant's countermeasure and which means that the present method can achieve better performance speed-wise and reduced requirements for working memory if the same processors and sensible implementations are used. Further, the proposed countermeasure nicely combines with certain modular multiplication algorithms that already extend the modulus.
Each feature disclosed in the description and (where appropriate) the claims and drawings may be provided independently or in any appropriate combination. Features described as being implemented in hardware may also be implemented in software, and vice versa. Reference numerals appearing in the claims are by way of illustration only and shall have no limiting effect on the scope of the claims.
Number | Date | Country | Kind |
---|---|---|---|
13305266.2 | Mar 2013 | EP | regional |