On the Importance of Eliminating Errors in Cryptographic Computations
read more
Citations
Introduction to Embedded Systems - A Cyber-Physical Systems Approach
The Sorcerer's Apprentice Guide to Fault Attacks
BiTR: built-in tamper resilience
A Differential Fault Attack Technique against SPN Structures, with Application to the AES and KHAZAD
Non-control-data attacks are realistic threats
References
Handbook of Applied Cryptography
Differential Power Analysis
Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems
Efficient signature generation by smart cards
Related Papers (5)
Frequently Asked Questions (16)
Q2. How many times does it take to convert a message into an integer?
Usually one uses a hash and a formatting function to convert the message into an integer in that range [19], [4].time multiplication is used, multiplying two numbers in Zp takes a quarter of the time as multiplying elements in ZN .
Q3. How can an attacker extract the embedded key?
To extract the embedded key, an attacker could randomly add a single instruction to the decryption code, thus causing the decryption process to malfunction.
Q4. What is the use of register faults in RSA?
Register faults can be used to attack other implementations of the RSA system though many more erroneous signatures are required.
Q5. What is the reason why Bob was able to compute the random value r?
Recall that Bob was able to compute the random value r chosen by the device since he was given r2 and (r + E)2 where E is the fault value.
Q6. What is the probability that a wrong candidate u′ will pass the test of step 4?
By assumption, with probability at least 1/nc, at some point during the algorithm a signature Ŝv will incorrectly cause the wrong candidate u′ to be accepted in step 4.
Q7. what is the probability of a r event being satisfied?
Since the r ’s are independent of each other, the probability that the condition is satisfied for all i = 1, . . . , n is (1− 1/8n)n > 34 .To summarize, the authors see that for the algorithm to run correctly two events must simultaneously occur.
Q8. How many multiplications does it take to compute S?
To see this observe that S1 = xd mod p = xd mod(p−1) mod p. Usually d is of order N while d mod (p−1) is of order p. Consequently, computing S1 requires half as many multiplications as computing S directly.
Q9. What is the protocol Alice uses to authenticate herself to Bob?
To authenticate herself to Bob, Alice engages in the following protocol:1. Commitment: Alice picks a random integer r ∈ Zq and sends z = gr mod p to Bob.
Q10. what is the protocol Alice uses to authenticate herself to Bob?
To authenticate herself to Bob they engage in the following protocol:1. Commitment: Alice picks a random r ∈ Z∗N and sends z = r2 mod N to Bob.
Q11. What is the attack algorithm for a block of bits?
The attack algorithm works as follows:1. For all lengths r = 1, 2, 3 . . . ,m do: 2. For all candidate r -bit vectors u = ua−1ua−2 · · · ua−r do: 3. Set w =∑n−1j=a dj 2 j +∑a−1j=a−r u j 2 j .
Q12. how many secret signatures can be extracted from a black-box?
For any 1 ≤ m ≤ n, given (n/m) log(2n) pairs 〈Mi , Ŝi 〉, the secret exponent d can be extracted from a black-box implementing the above exponentiation algorithm with probability at least 12 .
Q13. How can Bob verify that a candidate value is correct?
Using the value of r and E Bob can compute∏i∈S si = ŷ r + E = 2E · ŷ [ŷ2/ ∏ i∈S vi ]− z + E2 (mod N ). (2)The authors now show that Bob can verify that a candidate value E is correct.
Q14. How many bits of r are known to Bob?
In other words, with probability at least 34 , for every 0 ≤ i < n there exists an r (i) among r (1), . . . , r (k) such that the i th bit of r (i) is known to Bob (we regard the first bit as the LSB).
Q15. What is the simplest way to expose the block of bits?
To expose the block of bits da−1da−2 · · · dc+1dc ∈ {0, 1}a−c the authors intend to try all possible bit vectors until the correct one is found.
Q16. What is the value of k in the exponentiation algorithm?
For each faulty signature, Ŝi , let ki denote the value of k at the time at which the fault occurred (recall k is the counter used in the exponentiation algorithm).