Keywords

1 Introduction

In a fault attack, an adversary is able to induce errors into the computation of a cryptographic algorithm and thereby to gain information about the secret key or other secret information used in the algorithm. The first fault attack [4] targets an RSA implementation using the Chinese remainder theorem, RSA-CRT, and is known as the Bellcore attack. The Bellcore attack aroused great interest and led to many publications about fault attacks on RSA-CRT, e.g., [1, 6, 9, 11, 22]. Countermeasures to prevent the Bellcore attack can be categorized into two families: the first one relies on a modification of the RSA modulus and the second one uses self-secure exponentiation. The countermeasures in the first family were recently analyzed [21], and a formal proof of their (in)security was provided.

We complement the work of [21] by comprehensively analyzing the countermeasures in the second family, i.e., those based on self-secure exponentiation. These countermeasures use specific algorithms that include redundancy within the exponentiations. The first such method is based on the Montgomery ladder [9]. This was adapted to the right-to-left version of the square-and-multiply-always algorithm [5, 6] and to double exponentiation [18, 22]. We test the security of these methods using an automated testing framework. We use the same fault model as in [21], but extend it to meet the particularities of self-secure exponentiation algorithms. We reveal that the countermeasures have certain vulnerabilities in this extended fault model. Based on these findings, we improve the countermeasures and present three self-secure exponentiation methods that are secure against fault injections, safe-error attacks, and power analyses. We note that non-algorithmic level countermeasures are not in the scope of this paper.

Our Contribution: In this paper, we test the security of the self-secure exponentiation countermeasures against the Bellcore attack by simulating random, zeroing, and skipping faults at all possible fault locations (Sect. 4). Thereafter, we propose secure countermeasures, step-by-step achieving protection against all fault injections and resistance to power analysis and safe-error attacks. We present one countermeasure for each of the exponentiation algorithms used as self-secure exponentiation: the Montgomery ladder, the square-and-multiply-always algorithm, and the double exponentiation method. Despite the natural overhead caused by the included measures against all the considered attack types, our algorithms remain highly efficient (Sect. 5).

2 Background

In this section, we give the necessary background information for our work.

2.1 The Bellcore Attack on RSA-CRT

We use the standard notation for RSA [23]: M denotes the message, \(N = pq\) the public modulus with secret primes p and q, \(\varphi (N) = (p-1)(q-1).\) The public exponent e with \(\mathrm {gcd}(e, \varphi (N)) = 1\) is chosen along with the secret exponent d, where \(e \cdot d \equiv 1 \bmod {\varphi (N)}\). The signature is calculated \(S = M^d \bmod N\), and \(S^e \equiv (M^d)^e \equiv M \bmod N.\) The calculation can be speeded up by a factor of four using the RSA-CRT implementation [20]. Two smaller exponentiations \(S_p = M^{d_p} \bmod p\) and \(S_q = M^{d_q} \bmod q\) are performed with exponents \(d_p = d \bmod (p-1)\), \(d_q = d \bmod (q-1)\), and recombined with the method \(S = \mathrm {CRT}(S_p, S_q) = ((S_p - S_q) i_q \bmod p) q + S_q,\) where \(i_q = q^{-1} \bmod p\). The public key of RSA-CRT is (eN) and the private key includes \(p, q, d_p, d_q\) and \(i_q\).

A fault attack is a physical attack where the attacker is able to induce faults into the execution of the algorithm. The first attack on RSA-CRT was proposed by Bellcore researchers [4]. The fault is induced into the calculation of strictly one of the intermediate signatures, resulting in \(\widehat{S_p}\) (or \(\widehat{S_q}\)). If \(\widehat{S_p}\) (or \(\widehat{S_q}\)) is used during recombination, a faulty signature \(\widehat{S}\) is returned. With high probability q (or p) can be deduced as \(\mathrm {gcd}(S - \widehat{S}, N)\) [4] or as \(\mathrm {gcd}(\widehat{S}^e-M \bmod N, N)\) [11].

During the discussion of fault attacks, the precise description of the fault model is essential: it includes the assumptions on the adversary’s abilities. The Bellcore attack targeting an unprotected implementation uses one fault injection and loose assumptions in the fault model, i.e., a very weak attacker. The attacker is only assumed to alter an intermediate signature, which can be achieved by an arbitrary modification of any variable throughout the exponentiation, i.e., affecting any bit or any byte results in a successful attack.

2.2 Safe-Error Attacks

Classical fault attacks exploit the corrupted result or the difference between a correct and faulty results. However, it was noted in [26] that secret information may leak depending on if a fault has effect on the result of the computation or not. The techniques that exploit such behavior are called safe-error (SE) attacks.

Computational safe-error attacks (C-SE) [27] target dummy operations. If the result remains error-free although a fault was induced, it affects a dummy operation and thus, information about the secret key can be revealed.

Memory safe-error attacks (M-SE) [26] assume a more powerful attacker. Knowing how the internal variables are processed in the memory throughout a certain step of the algorithm, one may be able to derive the secret key [26]. Memory safe-error attacks are prevented by randomizing the targeted variables.

2.3 Power Analysis Methods

Simple power analysis (SPA) studies the power consumption of a single execution of the algorithm. If the execution depends on the value of the secret key, the adversary is able to obtain information by analyzing the power trace.

Differential power analysis (DPA) is a natural extension of SPA [16]. When performing a DPA, an attacker collects several power trace measurements of the executions of the same algorithm and uses statistical methods to reveal the secret key. Prevention generally requires randomization of variables.

2.4 Algorithms for Regular Exponentiation

Classical modular exponentiation algorithms are vulnerable to SPA, since the power consumption of the different operations can be differentiated [17]. To prevent SPA, regularity of the modular exponentiation algorithms is required. It means that the same operations are performed independently from the value of the exponent. Below, we recapitulate the two most widely used binary methods.

figure a

Square-and-Multiply-Always: The right-to-left exponentiation algorithm was modified in [7] to the square-and-multiply-always method, shown in Algorithm 1a. By introducing dummy operations in register \(R_1\) (line 3), one squaring and one multiplication is performed at each iteration.

Montgomery Ladder: The powering ladder, shown in Algorithm 1b, was proposed in [19] and its correctness discussed in [13]. The algorithm is regular without including dummy operations and is resistant to safe-error attacks [13].

3 Countermeasures Against the Bellcore Attack

To counter the Bellcore attack, straightforward countermeasures aim to verify the integrity of the computation before returning the result, e.g., by repeating the computation and comparing the results. Due to the inefficiency of such measures, several improved countermeasures appeared starting from 1999.

3.1 Two Families of Countermeasures

The advanced countermeasures were divided into two families according to the difference in their nature [21]: Shamir’s family and Giraud’s family. We refer to the latter as self-secure exponentiation countermeasures.

Shamir’s family consists of the countermeasures that prevent the Bellcore attack by multiplicatively extending the modulus x with a random number s. They rely on the fact that an invariant, inherited from the calculations modulo the extended modulus, i.e., modulo \(x \cdot s\), must hold modulo s. Shamir’s algorithm from [24] motivated researchers to develop such countermeasures, e.g., [1, 12, 21].

The idea of self-secure exponentiation countermeasures was proposed in [9]. If the exponentiation algorithm returns more than one power of a given input and keeps a coherence between its registers throughout the exponentiation, an invariant can be formulated that must hold at the end of the algorithm. However, it is claimed to be lost if a fault injection takes place.

3.2 Self-secure Exponentiation Countermeasures

In this section, we recapitulate the existing self-secure exponentiation countermeasures. The algorithms are provided in Appendix A in Algorithms 5–10.

The first countermeasure was proposed by Giraud [9]. It exploits the fact that while using the Montgomery ladder, the temporary registers \(R_0\) and \(R_1\) are of the form (\(M^{k-1} \bmod x\), \(M^k\bmod x\)) for some integer k after each iteration of Algorithm 1b. After two exponentiations that result in the pairs \((S_p' = M^{d_p-1} \bmod p,\) \(S_p = M^{d_p} \bmod p)\) and \((S_q' = M^{d_q - 1} \bmod q,\) \(S_q = M^{d_q} \bmod q)\), and two recombinations \(S' = \mathrm {CRT}(S_p', S_q')=M^{d-1} \bmod pq\) and \(S=\mathrm {CRT}(S_p, S_q) = S^d \bmod pq\), the invariant \(M\cdot S' \equiv S \bmod pq\) holds. Giraud claims that in case of a fault attack within the exponentiation, the coherence is lost for \(S_p, S_p'\) (or \(S_q, S_q'\)) and thus for S and \(S'\). Despite its advantages, the Montgomery ladder exponentiation remains vulnerable to DPA [16] (DPAexp). Fumaroli and Vigilant blinded the base element with a small random number r [8], using one more register \(R_2\) in the exponentiation. Besides being more memory-costly, this method was proven to be insecure against fault attacks [14], due to the lack of coherence between \(R_2\) and the other registers. Moreover, it remains vulnerable to the DPA attack on the CRT recombination from [25] (DPACRT).

The square-and-multiply-always algorithm (Algorithm 1a), uses dummy operations to prevent SPA. Boscher et al. in 2007 proposed a self-secure exponentiation countermeasure based on this algorithm [6]. In the end of the execution, \(R_0\) holds the value \(M^d \mod x\), \(R_1\) holds \(M^{2^n-d-1} \bmod x\), while \(R_2\) only depends on the binary length n of the exponent, and equals to \(M^{2^n} \bmod x\). Thus, the coherence \(M\cdot R_0\cdot R_1 \equiv R_2 \bmod x\) is kept throughout the algorithm. Boscher et al. in 2009 [5], modified the method in order to achieve resistance against DPA on the exponentiation without significant overhead. \(2^w\)-ary versions of the algorithm were proposed [2, 10].

Table 1. Self-secure exponentiation countermeasures. CRT, check, inv., reg., mult., and sq. denote the number of CRT recombinations, checking procedures, inversions, additional large registers, multiplications, and squaring operations respectively, in terms of the bit-length n of the exponent. PA and SE denote the resistance against power analysis and safe-error attacks. \(\checkmark \) means that there are included countermeasures, \(\times \) refers to the lack of them.
Full size table

Rivain proposed a solution that uses double exponentiation [22]. Such a method receives the base M, two exponents \(d_1\), \(d_2\), the modulus x, and outputs both \(M^{d_1}\bmod x\) and \(M^{d_2} \bmod x\). It makes use of a double addition chain for the pair \((d_1, d_2)\), by means of which the two modular exponentiations are performed at once, using altogether 1.65n operations on average We assume this chain to be precomputed. Le et al. presented a double exponentiation algorithm, that does not rely on precomputation [18]. The binary exponentiation works as two parallel executions of the right-to-left exponentiation and uses register \(R_0\) for calculations with \(d_1\) and register \(R_1\) for calculations with \(d_2\). \(M^{2^n} \bmod x\) is computed only once and is stored in \(R_2\).

Table 1 summarizes the different properties of the self-secure exponentiation countermeasures. We consider the security and efficiency of the methods, since measures against physical attacks imply overhead. When discussing efficiency, we describe the following relevant properties to achieve low time and memory consumption: number of registers containing large values that are used additionally to the input registers (Mdx) during the exponentiation, number of multiplications, squaring operations and inversions using large registers. We summarize if they include protection against physical attacks such as power analysis on the exponentiation and the CRT recombination and safe-error attacks.

4 Security of Self-secure Exponentiation Methods

The security of self-secure exponentiation countermeasures relies mainly on the exponentiation algorithms. Each method has an invariant that holds throughout its execution, which is claimed to be lost in case a fault is injected. Accordingly, the modular exponentiation methods have to be tested against fault attacks. In this section, we recapitulate the fault model that we adopt, briefly describe our methodology and discuss our results.

4.1 Simulating Fault Injections Against Self-secure Exponentiation Countermeasures

The designers of the countermeasures provide either formal and informal explanations for their security assumptions and their fault models differ from each other. To the best of our knowledge, we are the first to simulate all possible fault injections in a common fault model.

Fault Model: We adopt the generic fault model of [21]. Therefore, we simulate three types of fault injections: random and zeroing faults in case of which the affected variable is changed to a random value and null, respectively, and skipping faults which cause instruction skips, i.e., jumps over some lines of the pseudocode. We take the following fault types into consideration: faults on local variables, on input parameters, and on conditional tests. An adversary is able to target any variable, but cannot specify the bits his fault affects. When inducing a random fault, he does not know its concrete value. Since refined methods appear for performing instruction skips in practice (e.g. [3]), we consider it as a possible threat when discussing physical attacks. The injection of skipping faults was observed as practical in [21], but was covered by means of random and zeroing faults. This does not hold for self-secure exponentiation. When considering skipping faults, we count the number of lines that have to be skipped in the pseudocode. In the Montgomery ladder shown in Algorithm 1b, the pair \((R_0, R_1)\) is of the form \((M^{k-1} \bmod x, M^{k}\bmod x)\) at each iteration, which coherence is assumed to be lost in case of a fault injection. However, an adversary might skip two consecutive lines (3 and 4) at any iteration of the loop. The invariant holds for the corrupted \(\widehat{R_0}\) and \(\widehat{R_1}\) and thus, the fault is not detected.

Table 2. Results of our fault injection tests on the exponentiation algorithms, assuming that the checking procedures are protected We note that we rely on the original fault models of the countermeasures from column Ref., recapitulated in Appendix A. \(\checkmark \) denotes that our tests did not reveal any vulnerability against the fault type, M and \(d_1\), \(d_2\) denote the vulnerability of the message and the exponents in the exponentiation algorithm, respectively. When considering skipping faults, we indicate which lines are skipped together to achieve a successful attack. The register numbering \(R_i\)\(i \in \{0, 1, 2\}\) and the lines are according to the algorithms in column Alg.
Full size table

Our Framework: In case of self-secure exponentiation countermeasures, the underlying exponentiation algorithm has to be tested and checked that the invariant is lost if a fault is injected. When simulating the attacks, we needed features that the tool used for the analysis of Shamir’s family lacked [21]: redefinition of variables and support for loops. Therefore, we created our own framework in Java. A manual step of our method was identifying the possible fault injection locations within the exponentiation algorithms. After this manual step, the simulation of multiple fault injections in all possible combination of fault locations was fully automated, for all the three fault types. A simulation results in a successful Bellcore attack if a corrupted signature is returned. For more details on our simulation framework, the reader is referred to the full version [15].

4.2 Simulation Results

The results of our fault injection simulations are shown in Table 2. While performing the tests with multiple faults, we considered protected checking procedures, since skipping or zeroing any of the checks would enable a successful Bellcore attack. When considering faults on the checking procedures, a method can be protected against n fault injections by repeating each check n times.

Random Faults: If a countermeasure is protected against one random fault injection, it cannot be broken with more than one random faults either. This is due to the fact that a random fault cannot induce a verification skip [21]. Our results confirm that in case of the algorithms that use the Montgomery ladder or the square-and-multiply-always algorithm, the intermediate secret exponent and the loop counter have to be protected against random faults. [6, 8, 9] use the checksum of the exponent to verify its integrity and thwart the attack. It was revealed in [14], that the introduction of register \(\mathbf {R_2}\) in Fumaroli and Vigilant’s countermeasure [8] made it vulnerable to any random fault on \(R_2\) at any iteration of the algorithm. This is due to the fact that \(R_2\) is calculated independently of the other two registers, which are multiplied with its final value. In case of the countermeasures using double exponentiation, a possible random fault is the corruption of the intermediate message \(\mathbf {M}\), resulting in \(\widehat{M}\). Rivain identified this vulnerability and suggested to compute a cyclic redundancy code [22].

Zeroing Faults: Without a specific checking procedure against zeroing faults, the exponentiation algorithms (Sect. 2.4) are vulnerable. According to [9], it is unlikely to be able to zero a large buffer in practice. However, as [6, 21], we take zeroing faults into consideration but note that their injection is very difficult to achieve in practice. In case of the methods that use the Montgomery ladder and the square-and-multiply-always exponentiation, if the message \(\mathbf {M}\) in the beginning of the algorithms is zeroed, zeroes are returned. The same holds for any of the registers \(\mathbf {R_0, R_1}\) in the method using the Montgomery ladder and for \(\mathbf {R_2}\) in Fumaroli and Vigilant’s and Boscher et al.’s methods. Then, the checking procedure holds even though the recombination is computed with only one of the intermediate signatures. Giraud considered this vulnerability impossible, while Boscher et al. included checks against it. The two countermeasures that use double exponentiation are not vulnerable to a single zeroing fault. In the case of Rivain’s method [22], the exponent is given by the addition chain, which we assume to be protected. For the algorithm by Le et al. [18], two zeroing faults on the exponents \(\mathbf {d_1, d_2}\) are necessary to conduct a Bellcore attack. If any other values are zeroed, the coherence check does not hold and the fault is detected.

Skipping Faults: Our simulations show that only the method by Fumaroli and Vigilant [8] is vulnerable to the instruction skip of one line, the calculation of register \({R_2}\), which has a similar effect as the random fault on \(R_2\). When two lines are skipped together, both regular, SPA-resistant algorithms, i.e., the Montgomery ladder and the square-and-multiply-always methods are vulnerable. By skipping two consecutive lines within the loop, they preserve the coherence between the variables even though the results are corrupted. Even if the loop counter i is protected, skipping faults result in successful Bellcore attacks.

5 PA-SE-FA-Resistant Self-secure Exponentiation Countermeasures

We propose a secure countermeasure for each of the exponentiation algorithms that are used for constructing self-secure exponentiation methods We claim that our proposed countermeasures are secure against power analysis (PA), safe-error (SE) attacks, and fault attacks (FA) and remain highly efficient. For the verification of the resistance against fault injection attacks, we applied our framework from Sect. 4.1 on the proposed algorithms. We discuss the implied overhead by the introduced protection against physical attacks. FA\(_i^j\) denotes fault attacks of type j (rzs denote random, zeroing and skipping faults, resp.), against variable(s) i.

figure b

5.1 Countermeasure Using the Montgomery Ladder

Fumaroli and Vigilant’s countermeasure [8] (Algorithm 6) which aimed to improve Giraud’s method [9] (Algorithm 5) was proven to be vulnerable to random fault attacks [14]. Algorithm 2 presents our secure method with the Montgomery ladder.

To prevent fault attacks on register \(\mathbf {R_2}\) (FA \(^\mathbf r _{\mathbf {R_2}}\), FA \(^\mathbf s _\mathbf{(8) }\)), we return the blinded registers \(R_0\) and \(R_1\) and perform the multiplication with the inverse contained in \(R_2\). This multiplication happens modulo pq, after the blinded CRT recombinations of all the three registers in lines 9–11 in Algorithm 2b.

To achieve prevention against skipping faults (FA \(^\mathbf s _\mathbf{({6}-{7}) }\)), we include a check for verifying the integrity of the exponentiations. Since the coherence in the regular exponentiation algorithms is not lost when skipping faults are injected, we create a hybrid countermeasure with a technique used in Shamir’s family by Aumüller et al. [1]. We conclude the necessity of the modulus extension to prevent skipping faults and multiply the modulus with a k-bit random prime s. \(S_p\) and \(S_q\) are calculated modulo \(p\cdot s\) and \(q\cdot s\), respectively, and the signature is recombined to \(S=M^d \bmod pq\) using the blinded recombination from [9]:

$$\begin{aligned} S = \text {CRT}_\text {blinded} (S_p, S_q) =(((S_p-S_q) \bmod sp)\cdot i_q \bmod sp)\cdot q + S_q \bmod pq. \end{aligned}$$
(1)

To verify that no instruction was skipped, two small exponentiations modulo the k-bit number s with the k-bit exponents are performed as in lines 16 and 17. If a skipping fault occurs and the value of \(S_p\) or \(S_q\) is corrupted, the check in line 18 does not hold with probability \(2^{-k}\). Besides protecting against skipping faults, this measure detects faults on the exponent and loop counter \(\mathbf {i}\) (FA \(^\mathbf {r, z}_\mathbf {d, i}\)) of the exponentiation algorithm, without an additional large register. If the small exponentiations are calculated using the Montgomery ladder (Algorithm 1b), then besides the k-bit message, exponent, and modulus, two k-bit registers, k multiplications and squarings are used. However, a checksum as an input has to be included to detect the corruption of \(p, q, i_q, d_p\) or \(d_q\) in Algorithm 2b in line 21.

We note that the blinded CRT recombination recapitulated in Eq. 1 also prevents the DPA attack on the CRT recombination (\(\mathbf {DPA}_\mathbf{{CRT}}\)) from [25].

To avoid zeroing faults (FA \(^\mathbf z _\mathbf {M, R_0, R_1, R_2}\)), we check that none of the values returned by the exponentiation is zero. We perform this before the CRT recombinations in Algorithm 2b, by verifying \(S_p\cdot S_q \ne 0\) in line 6. In order to make sure that this check does not violate the correctness of the algorithm when the message is a multiple of ps or qs, we choose s such that \(ps \not \mid M\) and \(qs \not \mid M\).

Algorithm 2 presents the algorithm that is based on the Montgomery ladder and is protected against power analysis (PA), safe-error (SE), and fault attacks (FA). For eliminating the revealed vulnerabilities against fault injection attacks, we included an additional CRT recombination, transformed two small inversions to one of doubled size, included one large input register D, two times k multiplications and k squaring operations on k-bit registers, where k is the security parameter that defines the probability of undetected skipping faults as \(2^{-k}\). We note that since modular inversion and prime generation imply significant costs, lines (1–3) can be precomputed (without the assumption \(ps\not \mid M, qs\not \mid M\)) and sr and \(r_{\text {inv}}\) can be provided as inputs to Algorithm 2b.

5.2 Countermeasure Using the Square-and-Multiply-Always Exp.

Boscher et al. described a square-and-multiply always algorithm that is resistant to SPA, DPA, and SE [5] (Algorithm 7). The algorithm includes a technique against the exponent modification, and the check \(R_2\ne 0\) in the end of the exponentiation to detect zeroing faults (FA \(^\mathbf z _\mathbf {M, R_2}\)) [6]. Instead of this check in both exponentiations, we suggest to verify \(S_p\cdot S_q \ne 0\) in Algorithm 3b as in Algorithm 2b.

figure c

Against skipping faults (FA \(^\mathbf s _{{6}-{7})}\)) we suggest the same measure as in Algorithm 2: blinding the modulus and performing two small exponentiations in the RSA-CRT algorithm. For retrieving the signature, the CRT recombination in Eq. 1 is used. Though not mentioned in [5], the random value r in Algorithm 3b should not be too small to avoid the following SPA during the computation of Algorithm 3a: if an adversary is allowed to input the message \(M = 1\), the value of register \(R_2\) remains 1 for the whole computation. Therefore, the multiplication in line 6 would only depend on the bits of the secret exponent d, multiplied either with a small number (r) or with a large number (\(r_\text {inv}\)). This could result in differences in the power consumption trace and therefore we chose r to be an at least \((n+k)\)-bit integer, where n is the bitlength of p and of q, since it is used for operations of that size in Algorithm 3a.

figure d

Our PA-SE-FA-resistant algorithm with the square-and-multiply-always exponentiation is depicted in Algorithm 3. To eliminate the identified vulnerabilities, we included one large input register D along with two times k multiplications and k squaring operations on k-bit registers, in a similar manner as in Algorithm 2.

5.3 Countermeasure Using Double Exponentiation

Rivain proposed the first countermeasure that uses double exponentiation [22] (Algorithm 8). He included modifications by means of which it becomes SPA-DPA-SE-resistant, still requiring the precomputation of the addition chain (Algorithm 9). Our aim is to consider measures in the insecure but more efficient algorithm by Le et al. [18] (Algorithm 10), which does not include precomputation but ignores protection against PA and SE.

Firstly, we transform the algorithm to become resistant to SPA. We use two additional registers with dummy operations in order to achieve regularity. Thus, the algorithm requires the use of altogether 5 registers: \(R_{(0, 1)}\) and \(R_{(1, 1)}\) belonging to exponent \(d_1\), \(R_{(0, 2)}\) and \(R_{(1, 2)}\) belonging to exponent \(d_2\), and \(R_2\) used as before. Since for every bit of the exponents the same operations have to performed, this results in altogether 2n multiplications and n squaring operations.

Introducing regularity includes dummy operations. Registers \(R_{(1, 1)}\) and \(R_{(1, 2)}\) are unused and thus all the multiplications that assign values to them are dummy operations. To avoid computational safe-error attacks (C-SE) on these operations, in the end of the exponentiation we include the check whether \(R_{(0, 1)}\cdot R_{(1, 1)} \equiv R_{(0, 2)}\cdot R_{(1, 2)} \bmod x\). Since both the products corresponding to the two exponents are \(M^{2^n-1} \bmod x\), this holds if the values are not corrupted. With this, we verify the correctness of the dummy values.

To achieve resistance against differential power analysis on the exponentiation (DPA \(_\mathbf exp \)) and memory safe-error attacks (M-SE), we include the exponent blinding method of Rivain in the RSA-CRT algorithm [22]. Against DPA on the CRT recombination (DPA \(_\mathbf{CRT }\)), we apply the blinded CRT recombination method with extended modulus from [9]. For the description of \(r_1\) and \(r_2\) and the correctness of the blinding method, the reader is referred to [9, 22].

To detect any randomizing fault on the message \(\mathbf {M}\) (FA \(^\mathbf r _\mathbf {M}\)), we include its value in the coherence checks as it was seen in case of the countermeasures from [5, 6, 8, 9]. We decrease the value of the exponents used for the calculation of \(c_p\) and \(c_q\) by one, and multiply the results with M, during the verification in lines 7 and 10 of Algorithm 4b. For instance, if \(S_p\) and \(c_p\) are calculated by means of a corrupted \(\widehat{M}\), the verification \(M\cdot \widehat{M}^{d_p+r_1\varphi (p)}\cdot \widehat{M}^{r_2\varphi (p)-d_p-1}\equiv 1 \bmod p\) does not hold with high probability. With this, the zeroing faults on exponents \(\mathbf {d_1}\) and \(\mathbf {d_2}\) (FA \(^\mathbf z _\mathbf {(d_1, d_2)}\)) are also thwarted, the algorithm returns (1, 1) in case of two null exponents, and the modified check does not hold anymore.

Our PA-SE-FA-resistant countermeasure using double exponentiation is depicted in Algorithm 4. Though the modified countermeasure is less memory-efficient than Le et al.’s algorithm, we note its advantage against physical attacks.

Table 3. Comparison of our PA-SE-FA self-secure exponentiation countermeasures with previous methods. The notation is consistent with that of Tables 1 and 2, k denoting the included k operations (squaring and multiplication). We highlight with bold checkmarks (\(\checkmark \)) those vulnerabilities that we eliminated in our secure countermeasures and we bold the additional resources needed to be used in order to achieve security against all the considered attacks.
Full size table

6 Conclusion

In this paper, we analyzed the existing self-secure exponentiation countermeasures against the Bellcore attack on RSA-CRT. Using our framework, we simulated all possible fault injections considering random and zeroing faults as well as instruction skips on the lines of pseudocode. We found that all the countermeasures using regular exponentiation algorithms lacked protection against some kind of faults or power analyses.

We presented three countermeasures, one for each exponentiation algorithm used for designing self-secure exponentiation countermeasures (cf. Table 3). All the three methods are based on regular algorithms to prevent simple power analysis (SPA), include randomization to be resistant to differential power analysis (DPA) and memory safe-error (M-SE) attacks, and eliminate dummy operations which could be exploited by computational safe-error (C-SE) attacks. Measures are included against all considered fault injection attacks (FA) as well. We verified that we eliminated the previous vulnerabilities of the methods without introducing new ones by applying our simulation framework on the pseudocode of the improved algorithms. To prevent skipping faults, we included additional checks into two of our methods, inspired by a countermeasure in Shamir’s family, resulting in hybrid methods. We included prevention against fault attacks on the previously vulnerable register in the countermeasure that uses the Montgomery ladder. Our proposed solution that uses double exponentiation includes protection against power analyses and safe-error attacks in the algorithm where it was not considered.

We note that the vulnerability of the message corruption and of the DPA on the CRT recombination in Rivain’s SPA-resistant method can be eliminated in a similar algorithmic manner as in Sect. 5.3, gaining another, the most efficient secure software countermeasure when precomputation is allowed. When precomputation is not allowed, our proposed solution using the square-and-multiply-always algorithm is the most efficient algorithmic countermeasure.