EP0958671A1 - Procede d'utilisation de defauts transitoires afin de verifier la securite d'un systeme cryptographique - Google Patents

Procede d'utilisation de defauts transitoires afin de verifier la securite d'un systeme cryptographique

Info

Publication number
EP0958671A1
EP0958671A1 EP98907364A EP98907364A EP0958671A1 EP 0958671 A1 EP0958671 A1 EP 0958671A1 EP 98907364 A EP98907364 A EP 98907364A EP 98907364 A EP98907364 A EP 98907364A EP 0958671 A1 EP0958671 A1 EP 0958671A1
Authority
EP
European Patent Office
Prior art keywords
cryptography device
processor
cryptography
determining
secret information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP98907364A
Other languages
German (de)
English (en)
Inventor
Dan Boneh
Richard A. De Millo
Richard J. Lipton
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Iconectiv LLC
Original Assignee
Telcordia Technologies Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telcordia Technologies Inc filed Critical Telcordia Technologies Inc
Publication of EP0958671A1 publication Critical patent/EP0958671A1/fr
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002Countermeasures against attacks on cryptographic mechanisms
    • H04L9/004Countermeasures against attacks on cryptographic mechanisms for fault attacks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/302Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3218Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, ornon-interactive zero-knowledge proofs
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3249Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/26Testing cryptographic entity, e.g. testing integrity of encryption key or encryption algorithm

Definitions

  • the present invention relates to cryptanalysis and, more particularly, relates to methods for "cracking", or deciphering, cryptosystems, by analyzing one or more erroneous outputs to infer information ordinarily difficult or impossible for a party not privy to secret information. Knowing how a cryptosystem may be cracked suggests methods for avoiding attacks on the cryptosystem, thus further improving the integrity of the cryptosystem.
  • a security expert or cryptosystem designer may use the inventive methods in the design of cryptography devices to verify that an existing or proposed device is impervious to such attacks.
  • Cryptography has become essential to the acceptance of electronic commerce and sensitive electronic communications. For example, secure digital signatures and verification methods provide high assurance that a party is who it represents itself to be. This assurance is vital to the general acceptance of, for example, commerce over the Internet, the use of electronic money, cellular communications, and remote computer login procedures.
  • certain well-known cryptographic methods are used to encrypt information in a manner that is very difficult to decrypt without certain secret information, thus making these signatures and verifications secure.
  • One type of cryptographic method which is commonly used is public key cryptography. 1. Public Key Cryptography In a typical public key cryptographic system, each party /has a public key (or exponent) P, and a secret key (or exponent) S,.
  • the public key P is known to everyone, but the secret key S, is known only to party / ' .
  • Authentication is a (theoretically) fool-proof technique for a party to verify that a party contacting it is the party is asserts to be.
  • a confidential network may require that a party authenticate itself before gaining access to the network.
  • Fig. 1 A is a block diagram of a typical cryptography device 100.
  • the device 100 has a processor 102 including one or more CPUs 102, a main memory 104, a disk memory 106, an input/output device 108, and a network interface 110.
  • the devices 102-1 10 are connected to a bus 120 which transfers data, i.e., instructions and information between each of these devices 102-110.
  • Fig. 1 B illustrates a network 150 over which cryptography devices 100 may communicate.
  • Two or more cryptography devices 100, 100' may be connected to a communications network 152, such as a wide area network; which may be the Internet, a telephone network, or leased lines; or a local area network.
  • Each device 100 may include a modem 154 or other network communication device to send encrypted messages over the communications network 152.
  • the 100 may be a gateway to a sub-network 156. That is, the device 100 may be an interface between a wide area network 152 and a local area (sub) network 156.
  • An example of a public key cryptographic technique which may be performed by the device 100 is the well known RSA technique.
  • a party / has stored in memory 104 or 106 its own public key (or exponent) e, and modulus N (where ⁇ / is a product of two large prime numbers p,q) and a secret key in the form of an exponent s ; . It has stored or otherwise obtained the public key e, of a party to which it wishes to send a message.
  • the party may have a plain text message m which it wishes to send to party j without others knowing the content of m.
  • Another public key cryptographic technique is the Rabin modular square root.
  • the secret operation involves obtaining a modular square root and the public operation involves a modular squaring operation.
  • Rabin's Signature Scheme is similar to the RSA signature system and relies on the difficulty of factoring for its security.
  • party /s device 100 To sign a document D, party /s device 100 first hashes Dto a number D' between 1 and N.
  • the signer's device 100 which knows the secret factorization of the modulo N, computes the square root of D' (mod N) using the processor 102.
  • the signature E is:
  • Party /s secret keys are a set of invertible elements (i.e., bits) s,,..., ⁇ (mod N) stored in the memory 104 or 106 of its cryptography device 100.
  • Party Is cryptography device selects a random r, generates t 2 mod N, and transmits this value to party s cryptography device.
  • the Schnorr authentication scheme is another cryptosystem for a first party to authentic its identity to a second party.
  • the security of the Schnorr authentication scheme is based on the difficulty of computing discrete log modulo a prime.
  • Party /s cryptography device selects a random integer te [0, 7] and sends f to party / via an I/O.
  • T ⁇ p is an upper bound chosen beforehand.
  • a threat model for cracking a cryptosystem is useful because it verifies whether a cryptosystem or cryptography device is vulnerable to that attack. If so, the system or device is no longer considered to be secure.
  • the present invention is directed to methods for using one or more faulty computations made by a cryptography device to infer secret information stored in the cryptography device.
  • the inventive method is based on the well-accepted proposition that no computing system is perfectly fault free.
  • a security expert or cryptosystem designer may intentionally induce a tamper proof device or other cryptography device to generate a faulty computation by subjecting the device, such as a smart card, to physical stress.
  • Such physical stress may be, for example, certain types of radiation, atypical voltage levels, or a higher clock rate than the device was designed to operate at or accommodate.
  • Cryptosystems and/or cryptography devices should preferably be impervious to the attacks described herein. If not, the system or device should desirably be modified. In some cases it may be desirable to discard the system.
  • a single error of any type is sufficient to crack the system.
  • other cryptosystems such as certain authentication schemes, repeated errors of a specific type are used to crack the system.
  • the inventive methods are useful tools for security experts and cryptography experts when testing or developing a cryptosystem or cryptography device.
  • the inventive method may be used to provide cryptosystems and/or cryptography devices impervious to cracking due to transient hardware faults.
  • the RSA Chinese Remainder Theorem based signature scheme and Rabin's Signature scheme are cracked by comparing a single erroneous signature on a message with a correct signature on the same message.
  • these two schemes may be cracked with only a single erroneous signature if the content of the signed message is known.
  • a certain type of fault called a register fault is used to crack the Fiat-Shamir and Schnorr authentication schemes. This is done by receiving a correct and a faulty value during an authentication process to determine a secret value. Using this secret value, sets of data may be constructed which will reveal the other party's secret key.
  • erroneous signatures of randomly selected messages are each used to obtain a portion of a secret exponent. When a sufficient number of bits are obtained, the remaining bits may be "guessed” to obtain the entire secret exponent.
  • the inventive method is a creative use of a cryptography device's miscalculations. Because it is believed that all computers are prone to error, even cryptosystem servers stored in a secure environment may not be secure from these attacks. Thus, even such servers should be tested using the inventive method cracking cryptosystems. These attacks reveal an important finding: cryptography devices ⁇ from smart cards to network servers used by certification authorities which oversee the distribution of public key certificates - should now not only conceal their inner circuitry (to avoid revealing its secret key), but must also be fault resistant, to avoid generating erroneous calculations.
  • the present invention provides a method for designing and implementing cryptosystems and cryptography devices impervious to cracking due to transient hardware faults. BRIEF DESCRIPTION OF THE DRAWINGS
  • Fig. 1 A is a block diagram of a typical cryptography device
  • Fig. 1 B illustrates a communications network over which cryptography devices may communicate
  • Fig. 2 is a block diagram of a typical tamper proof device, such as a smart card.
  • Fig. 3 illustrates a first method according to the present invention
  • Fig. 4 illustrates a second method according to the present invention
  • Fig. 5 illustrates a third method according to the present invention
  • Figs. 6A and 6B are flow charts illustrating two conventional exponentiation functions.
  • Fig. 7 is a flow chart of an inventive method used with the methods of Figs. 6A and 6B.
  • faults may enable a cryptosystem to be cracked. These faults include transient hardware faults, latent faults, and induced faults.
  • Cryptography devices such as the device illustrated in Fig. 1A, described above, are subject to random transient hardware faults. Random transient hardware faults may cause an erroneous output from the cryptography device. Referring to Fig. 1 A, a random transient hardware fault in the processor 102 or memory 104, 106 may cause the certification authority to generate on rare occasion a faulty certificate. If a faulty certificate is sent to a client, that client may be able to break a certification authority's system and generate fake certificates.
  • a latent fault is a hardware or software bug which may be difficult to detect. Such bugs may occur in the design of the processor 102, or in the design of software stored in the main memory 104 or the disk memory 106. On rare occasions such bugs may cause a certification authority or other cryptography device to generate a faulty output.
  • Induced faults may occur when a security expert or cryptosystem designer has physical access to a cryptography device.
  • the security expert or cryptosystem designer may purposely induce hardware faults by, for example, attacking a tamper proof device by deliberately causing it to malfunction.
  • An induced fault may, for example, briefly alter a value stored in the main memory 104 or the disk memory 106. Erroneous values computed by the device allow the security expert or cryptosystem designer to extract secret information stored in the cryptography device.
  • the present invention generally assumes that any faults generated by the cryptography device are transient. That is, the faults only affect current data, but not subsequent data.
  • a transient fault may be a bit stored in a register which spontaneously flips or a gate which spontaneously produces an incorrect value. In such instances, the hardware system is typically unaware that any change has taken place.
  • the present invention also assumes that the probability of such faults is so small that only a small number of them ever occur during a single computation. b. Register Faults
  • a certain type of fault ⁇ a register fault - is used to crack certain public key authentication cryptosystems, as described below.
  • a register fault is a transient corruption of data stored in one or more registers. Because one or a few bits in a register are corrupted, the erroneous calculation will have certain predictable properties (such as being a power of 2 or a sum of a few powers of 2).
  • a tamper proof device 200 such as a smart card, comprises circuity such as a processor 202 and a small amount of memory 204. The circuity 202 performs certain arithmetic operations and the memory (typically several registers 206 and a small RAM 208) stores temporary values.
  • An I/O 210 is provided to receive and transmit data.
  • An electrically erasable programmable read only memory (EEPROM) 212 may be provided for storing secret information, such as secret keys.
  • one or a few of the bits of the value stored in some register 206 may invert (e.g., change from a logic 0 to a logic 1 or vice-versa). It is assumed that this event occurs with sufficiently low probability so that there is some likelihood of a fault occurring only once throughout a computation. These errors may be transient and the hardware may not be aware that the data corruption has occurred.
  • register faults Under normal operating conditions, hardware is substantially error free. However, when such hardware is placed under physical stress, such as being placed in an extreme environment such as exposing it to certain radiation, atypical voltage levels, or fast clock signals, errors are likely to occur. This extreme environment may not affect the circuity, but may cause certain register cells to spontaneously, temporarily invert. Such faults are referred to herein as "register faults".
  • a security expert or cryptosystem designer may intentionally subject a tamper proof device 200, such as a smart card (or other cryptography device), to an extreme environment in order to test whether the device may be induced to generate an erroneous output. If so, the system may be cracked. Also, it is a well- accepted that no computing system is entirely error-free. Thus, even in the absence of physical stress any cryptography device is susceptible to generating an erroneous output on rare occasions.
  • CTR Chinese Remainder Theorem
  • the Chinese Remainder Theorem is well known and described, for example, in A. Aho, J. Hopcroft, and J. Uilman, The Design and Analysis of Computer Algorithms, pp. 294-303 (Addison-Wesley 1974). The content of this reference is incorporated herein by reference. a. The RSA Signature Scheme And The Chinese Remainder
  • the RSA signature scheme may be implemented in a tamper proof device 200, such as a smart card, and may be used to perform various encryption and decryption functions for its owner, party / ' .
  • the tamper proof device typically contains in the registers 206 a secret RSA decryption key which is used to decrypt messages for party /.
  • This device 200 may be used, for example, to prepare digital signatures for party / ' , to authenticate party / to another party /, and to decrypt incoming encrypted messages. Assume that some secret information (such as party Is secret key) is stored in a tamper proof device. Because the device 200 is tamper proof, it cannot be opened and its contents examined.
  • the present version of the invention will be described as a device for obtaining digital signatures for party / ' .
  • the message m is assumed to be an integer in the range from 1 to N. As described above, the security of this system relies on the fact that factoring the modulus N is difficult.
  • the computationaly expensive part of signing using the RSA scheme is the modular exponentiation of the input m, which is performed by the processor 202.
  • E X s (mod p)
  • E 2 X s (mod q)
  • the signature E is computed by processor 202 by forming a linear combination of
  • the modulus N may be determined by a cryptography device such as the device 100 seen in Fig. 1A or a computer or other processor by comparing a correct signature Ewith an incorrect signature Eforthe same message.
  • party /s cryptography device 200 generates signature Efor message m.
  • E is transmitted to party /s cryptography device (or other processor) 100.
  • Party /s cryptography device stores E-in memory (step 1 ).
  • Party / may be a security expert or cryptosystem designer.
  • the inventive method is described as a first cryptography device generating faulty computations and a second cryptography device or processor "cracking" the cryptosystem. It is also contemplated, however, that the inventive method may be performed by a single cryptography device.
  • Party /s cryptography device generates an erroneous signature Eforthe same message m.
  • This erroneous signature may be generated, for example, while a tamper proof device 200 is placed under physical stress, such as being placed in an extreme environment, which is likely to cause hardware faults.
  • Eis transmitted to party /s cryptography device or processor.
  • Party /s cryptography device 100 stores E in memory (step 2).
  • E E + bE 2 (mod N)
  • E a hardware fault occurs during the computation of only one of E v E 2 .
  • E 2 E 2 .
  • Party /s cryptography device now uses E and E to obtain N in the following manner. Observe that:
  • step 3 party /s cryptography device or processor 100 may easily determine N (step 4).
  • the modulus used in the RSA system can be easily determined. In this attack, it makes no difference what type of fault occurs or how many faults occur in the computation of E y Moreover, to determine the modulus N, only one correct and one incorrect signature of the same message needs to be received. All that is assumed is that the fault occurs in the computation modulo of one of the primes p, q only.
  • step 1 It now follows that:
  • party /s cryptography device 100 or processor may easily factor N (step 3).
  • the cryptography device 100 or processor knows message m, it may factor the modulus given only one faulty signature. This is important because some RSA signature implementations avoid signing the same message twice by using a "padding" technique.
  • the message m may be determined. This improvement shows that as long as the entire signed message is known, even non-random padding protected RSA/CRT systems are vulnerable to the hardware faults attack with only a single faulty signature. If the padding is random, then the message m cannot be separated from the padding and the message m is not known. This method will not work if the message is not known. c. Cracking the Rabin Signature Scheme
  • a cryptography device such as a smart card 200, may use its processor 202 to compute:
  • the processor 202 first computes:
  • the processor 202 may use the Chinese Remainder Theorem to compute signature E. Using the same a, b, defined above, E is determined as:
  • the same attacks described above with reference to Figs. 3 and 4 may be used to crack the device using the Rabin signature scheme.
  • the device signs the same message twice, one signature, E, is obtained in normal conditions and is therefore the correct one.
  • the second signature, E is erroneous.
  • the erroneous signature E may be obtained, for example, in an extreme physical environment and therefore is likely to be the erroneous signature.
  • gcd (E-E, N) is likely to yield a factorization of N.
  • the cryptography device 100 or other processor knows document D it may factor the modulus without comparing it to a correct signature of the same message.
  • the Fiat-Shamir authentication scheme may be cracked by correctly guessing the value of the error caused by a register fault. Because register faults have known properties (they are powers of 2 or a product of powers of 2), the error may be easily guessed by a processor.
  • a security expert's or cryptosystem designer's cryptography device 100, computer, or other processor may compare an erroneous message with a correct message to obtain a random number r selected by party Is cryptography device, such as a tamper proof device 200 of Fig. 2. Once ris known, the security expert's or cryptosystem designer's cryptography device 100 or other processor may perform calculations to determine party ⁇ s secret key.
  • Party Is secret key comprising a number of bits s 7 ,...,s terme may be recovered by party /s cryptography device by using register faults. Given f faulty runs of the protocol, party /s cryptography device may recover the secret key bits sirri...,s, with probability of 1/2 using 0 ⁇ rft) arithmetic operations, where 0 is order of magnitude.
  • party / uses a tamper proof device 200 on which the secret key bits are embedded in register 206 and from which the secret key bits cannot be extracted.
  • Party / is a security expert or cryptosystem designer trying to discover the secret key bits stored in party Is tamper proof device.
  • party Is device outputs:
  • party /s cryptography device may compute:
  • party /s cryptography device can easily determine the value of Eby selecting all possible values of E until the correct value is determined (step 4). If E is correctly guessed, then party /s cryptography device may recover r because:
  • party /s cryptography device may compute:
  • party / may compute the value ⁇ ES S, by guessing the fault value E and using the formula:
  • party /has a method for determining l s s,for various sets of Sof party /s cryptography device's choosing party / may easily find party /s secret key bits s ⁇ ... ⁇ .
  • Party j's cryptography device may select sets at random such that resulting characteristic vectors are linearly independent.
  • Party/picks sets S ...,S, such that a corresponding set of characteristic vectors L/ supervise...,l/, form a x f full rank matrix over Z 2 , where Z 2 is a ring of integers, modulo 2 (step 7).
  • Part /s cryptography device may now compute S T using the formula:
  • party /"s secret key is a set of invertible elements (bits) s 1 ,...,s t (mod N).
  • Party /s cryptography device, computer, or other processor selects a random r, generates f mod ⁇ / and transmits this value to party /via an I/O.
  • Party Is cryptography device computes rH ⁇ s,.
  • party/may obtain the value Lf-f (mod N) and 2 ⁇ r+E) e mod N.
  • party / may recover rby computing the greatest common divisor of the two polynomials.
  • secret integer s of the Schnorr authentication scheme may be extracted from party /s cryptography device.
  • p is an n-bit prime number
  • the attack requires n log n faulted values and O ⁇ rf) arithmetic operations. This is done as follows:
  • secret key s may be recovered with probability at least V ⁇ using 0 ⁇ tf) arithmetic operations.
  • the method runs in linear time and outputs x with probability at least V ⁇ .
  • the reason for the V ⁇ is that all bits of r should be "covered” by faults and all ⁇ should not be too large. Both events are satisfied with probability at least ⁇ A.
  • the running time of this step is 0 ⁇ tf) .
  • Register faults may be used to break other RSA implementations that are not based on the Chinese Remainder Theorem.
  • N be an n-bit RSA composite and s, be a secret exponent.
  • the exponentiation function x - X s ' mod N may be computed using either of the following conventional methods 600, 650 illustrated in Figs. 6A and 6B:
  • step 606 if / th bit of s is 1 (step 606) then z ⁇ - zy (mod N) (step 608). y - 2 (mod N) (step 610). Output z (step 612).
  • a security expert's or cryptosystem designer's cryptography device, computer, or processor may obtain the secret exponent in polynomial time.
  • faulty values are obtained in the presence of register faults.
  • This attack uses erroneous signatures of randomly chosen messages; the attacker need not obtain the correct signature of any of the messages.
  • an attacker's cryptography device or processor need not obtain multiple signatures of the same message.
  • the secret exponent s can be extracted from a device (such as smart card 200) implementing the first exponentiation algorithm by collecting ⁇ nlm) log n faults and 0 (2 m -n 3 ) RSA encryptions, for any 1 ⁇ m ⁇ n.
  • a device such as smart card 200
  • RSA encryptions for any 1 ⁇ m ⁇ n.
  • this takes 0 (2 m -n 4 ) time.
  • a random e it takes 0 (2 m -n 5 ) time.
  • Steps 706-716 are repeated for each r between 0 and n (steps 718, 704).
  • the condition at step 710 is satisfied by the correct candidate u kh u k 2 ,...,u k Recall that E is obtained from a fault at the k ⁇ sX iteration.
  • step 710 the signature E is correct, it properly verifies when raised to the public exponent e. Consequently, when the correct candidate is tested, the faulty signature E ⁇ guarantees that it is accepted. There is a high probability that a wrong
  • the unknown 62 bits may be tested by trying different combinations of these unknown bits. Each combination is used as the secret key s, and a received message is attempted to be decrypted. If the message is properly decrypted, the combination used is correct.
  • a cryptography device, computer, or other processor may recover the secret exponent in polynomial time. That is, for a message m e Z N , given n log n faulted values output by a device computing the function m s mod N, the secret exponent s, may be recovered in polynomial time in n.
  • a cryptography device or computer may employ either one of the exponentiation methods above. Note that faulted values for this version of the present invention are register faults.
  • the method illustrated in Fig. 7 may also be used to crack EIGamal's public key cryptosystem.
  • the smart card contains in a register 206 the secret exponent s, and will output the plain text message.
  • the attack on the RSA implementation discussed above permits the extraction of the secret exponent s, from the smart card.
  • Skipjack These are secret (or symmetric) key systems, not public key systems. Nevertheless, hardware based faults may permit these systems to be cracked.
  • a cryptosystem is a public or private key system
  • vulnerability to a fault-based attack results in a cryptosystem which has questionable security, regardless of whether the fault is generated by machine imperfection, software bugs, intentionally induced faults, or faults planted at the chip level during design and/or manufacturing.
  • the Secure Electronic Transmission (SET) standard for on-line Internet bank card transactions address faulty computations.
  • the standard provides that if a received message fails an authentication test, an error message is returned. Thus, erroneous security data is not expected, but acknowledged. This acknowledgement is available to eavesdroppers. Ideally, an assurance of zero faulty computation is the best protection. However, as discussed above, it is well-accepted that no computing system is entirely error-free. As a result, verifying cryptographic computations before outputting results is preferred.
  • a simple way to avoid cracking due to hardware faults is to check the output of a computation before releasing it. This may require recomputing functions, which may sometimes result in an expensive or time consuming process which may be unacceptable.
  • Authentication schemes may be attacked based on register faults in the internal memory of a cryptography device. Protection against such an attack may include (1) detecting the fault; and (2) correcting the fault. Because a register fault changes the stored data, the device may have computed the (temporarily incorrect) data correctly. This recomputing the data may not reveal an error.
  • error detection/correction bits such as CRC bits, may be added to protect the validity of the stored data.
  • Signature schemes may be attacked based on a fault during the computation of the signature.
  • One way to overcome this attack is to verify the signature before outputting it.
  • the device generating the signature may, for example, apply the signature verification algorithm on the signature before transmission. For example, this may be done in RSA signatures by applying the public key to the signature.
  • a second way to overcome this attack is to pad the signed message with random bits. This may prevent an adversary from obtaining two copies of an identical message.
  • Chinese Remainder Theorem is the use of blinding.
  • future cryptography devices may have the same overall structure as seen in Figs. 1 A and 2, such devices should preferably be modified to be impervious to hardware-fault based attacks.
  • One way to design such a device may be to implement one of the software solutions described above.
  • Another way to design such a device is protect the device's internal storage from extreme environments by providing shielding or other hardware solutions.
  • a cryptography device may be verified to be impervious to a hardware fault- based attack by subjecting the device to one or more of the attacks described above.
  • the cryptography device may be verified to be secure against these attacks by verifying that an adversary cannot determine secret information stored in the cryptography device.
  • inventive methods are particularly useful to security experts and cryptosystem designers.
  • Existing and proposed cryptosystems are cryptography devices should be impervious to the attacks described. If not, the system or device should be modified or discarded.
  • Smart cards for example, should now not only conceal their inner circuitry (to avoid revealing its secret key), but also be fault resistant and/or check computed values before transmission, to avoid revealing secret information.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

Procédé utile servant à vérifier l'intégrité d'un système cryptographique et consistant à mettre en application des sorties erronées afin d'obtenir une information secrète (700). Dans certaines combinaisons à signatures basées sur le théorème chinois du reste, une signature correcte d'un message et une signature erronée du même message permettent d'obtenir le module sans difficultés. Si le contenu du message est connu, on peut déchiffrer ce type de systèmes cryptographiques avec une seule signature erronée du message. On peut déchiffrer certaines autres combinaisons à autorisations au moyen de l'analyse de certaines sorties erronées provoquées par un type particulier d'erreur appelé faute de registre. Un expert en sécurité ou un concepteur de système cryptographique peuvent provoquer intentionnellement la génération d'un calcul défectueux par un dispositif anti-fraude, en soumettant ce dernier, tel qu'une carte de crédit, à une contrainte physique, telle que certains types de rayonnement, de niveaux de tensions atypiques, ou à un rythme d'horloge supérieur à celui pour lequel le dispositif a été conçu. Les systèmes cryptographiques devraient être insensibles aux attaques décrites ci-dessus. Dans le cas contraire, il conviendrait de modifier ou d'éliminer ces systèmes.
EP98907364A 1997-02-07 1998-02-04 Procede d'utilisation de defauts transitoires afin de verifier la securite d'un systeme cryptographique Withdrawn EP0958671A1 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US3692597P 1997-02-07 1997-02-07
PCT/US1998/002086 WO1998035467A1 (fr) 1997-02-07 1998-02-04 Procede d'utilisation de defauts transitoires afin de verifier la securite d'un systeme cryptographique
US36925 2001-12-21

Publications (1)

Publication Number Publication Date
EP0958671A1 true EP0958671A1 (fr) 1999-11-24

Family

ID=21891441

Family Applications (1)

Application Number Title Priority Date Filing Date
EP98907364A Withdrawn EP0958671A1 (fr) 1997-02-07 1998-02-04 Procede d'utilisation de defauts transitoires afin de verifier la securite d'un systeme cryptographique

Country Status (5)

Country Link
EP (1) EP0958671A1 (fr)
JP (1) JP2000509521A (fr)
AU (1) AU6319098A (fr)
CA (1) CA2278754A1 (fr)
WO (1) WO1998035467A1 (fr)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003069841A1 (fr) * 2001-12-28 2003-08-21 Gemplus Procede de detection des attaques par mise en defaut contre les algorithmes cryptographiques
FR2838262B1 (fr) * 2002-04-08 2004-07-30 Oberthur Card Syst Sa Procede de securisation d'une electronique a acces crypte
WO2008114310A1 (fr) * 2007-03-16 2008-09-25 Fujitsu Limited Intégration d'un dispositif doté d'une fonction de contre-mesures contre les attaques par insertion ('fa')
FR3015080B1 (fr) 2013-12-17 2016-01-22 Oberthur Technologies Verification d'integrite de paire de cles cryptographiques
JP6262085B2 (ja) * 2014-06-25 2018-01-17 ルネサスエレクトロニクス株式会社 データ処理装置及び復号処理方法
JP6724829B2 (ja) * 2017-03-16 2020-07-15 株式会社デンソー 制御装置

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5365591A (en) * 1993-10-29 1994-11-15 Motorola, Inc. Secure cryptographic logic arrangement

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO9835467A1 *

Also Published As

Publication number Publication date
WO1998035467A1 (fr) 1998-08-13
JP2000509521A (ja) 2000-07-25
CA2278754A1 (fr) 1998-08-13
AU6319098A (en) 1998-08-26

Similar Documents

Publication Publication Date Title
US6965673B1 (en) Method of using transient faults to verify the security of a cryptosystem
US20220083665A1 (en) Security chip with resistance to external monitoring attacks
Boneh et al. On the importance of eliminating errors in cryptographic computations
Boneh et al. On the importance of checking cryptographic protocols for faults
US7506165B2 (en) Leak-resistant cryptographic payment smartcard
JP3659178B2 (ja) 分散ディジタル署名作成方法及び装置及び分散ディジタル署名付ディジタル文書作成方法及び装置及び分散ディジタル署名作成プログラム及び分散ディジタル署名作成プログラムを格納した記憶媒体
Moore Protocol failures in cryptosystems
US20160352525A1 (en) Signature protocol
CN109818752B (zh) 信用评分生成方法、装置、计算机设备和存储介质
US11838431B2 (en) Cryptographic operation
US20150006900A1 (en) Signature protocol
Dorey et al. Indiscreet Logs: Diffie-Hellman Backdoors in TLS.
WO1998035467A1 (fr) Procede d'utilisation de defauts transitoires afin de verifier la securite d'un systeme cryptographique
US6976169B1 (en) Undeniable digital signature scheme based on quadratic field
WO2016187689A1 (fr) Protocole de signature
TWI381696B (zh) 基於利用個人化秘密的rsa非對稱式密碼學之使用者認證
EP1691501B1 (fr) Procède et appareil cryptographiques résistant aux fuites
Duc et al. DiAE: Re-rolling the DiSE
Dorey et al. Indiscreet Logs: Persistent Diffie-Hellman Backdoors in TLS
Nikodem DSA signature scheme immune to the fault cryptanalysis
Voyiatzis et al. Active hardware attacks and proactive countermeasures
JP2004222330A (ja) ソフトウェアベンディングサービスの提供方法
CA2892318C (fr) Protocole de signature
Richard et al. On the Importance of Checking Cryptographic
Osborn Security aspects of the QCARD project.

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 19990803

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): DE FR GB IT SE

RIN1 Information on inventor provided before grant (corrected)

Inventor name: LIPTON, RICHARD, J.

Inventor name: DE MILLO, RICHARD, A.

Inventor name: BONEH, DAN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20020829

RIN1 Information on inventor provided before grant (corrected)

Inventor name: LIPTON, RICHARD, J.

Inventor name: DE MILLO, RICHARD, A.

Inventor name: BONEH, DAN