DOI: 10.1007/s001450010016
J. Cryptology (2001) 14: 101–119
© 2001 International Association for Cryptologic Research

On the Importance of Eliminating Errors in Cryptographic Computations

Dan Boneh
Department of Computer Science, Stanford University, Stanford, CA 94305-9045, U.S.A.
dabo@cs.stanford.edu

Richard A. DeMillo
Telcordia, 445 South Street, Morristown, NJ 07960, U.S.A.
rad@telcordia.com

Richard J. Lipton
Princeton University, 35 Olden Street, Princeton, NJ 08544, U.S.A.
rjl@cs.princeton.edu

Communicated by Bart Preneel
Received July 1997 and revised August 2000
Online publication 27 November 2000
Abstract. We present a model for attacking various cryptographic schemes by taking advantage of random hardware faults. The model consists of a black-box containing some cryptographic secret. The box interacts with the outside world by following a cryptographic protocol. The model supposes that from time to time the box is affected by a random hardware fault causing it to output incorrect values. For example, the hardware fault flips an internal register bit at some point during the computation. We show that for many digital signature and identification schemes these incorrect outputs completely expose the secrets stored in the box. We present the following results: (1) The secret signing key used in an implementation of RSA based on the Chinese Remainder Theorem (CRT) is completely exposed from a single erroneous RSA signature, (2) for non-CRT implementations of RSA the secret key is exposed given a large number (e.g. 1000) of erroneous signatures, (3) the secret key used in Fiat–Shamir identification is exposed after a small number (e.g. 10) of faulty executions of the protocol, and (4) the secret key used in Schnorr's identification protocol is exposed after a much larger number (e.g. 10,000) of faulty executions. Our estimates for the number of necessary faults are based on standard security parameters such as a 1024-bit modulus, and a $2^{-40}$ identification error probability. Our results demonstrate the importance of preventing errors in cryptographic computations. We conclude the paper with various methods for preventing these attacks.

This is an expanded version of an earlier paper that appeared in Proc. of Eurocrypt '97.

Key words. Hardware faults, Cryptanalysis, RSA, CRT, Fiat–Shamir identification, Schnorr identification, Public key systems, Identification protocols.
1. Introduction
Direct attacks on the famous RSA cryptosystem seem to require that one factors the modulus. Therefore, it is interesting to ask whether there are attacks that avoid this. The answer is yes: the first was an attack due to Kocher [14] based on timing. Kocher observed that the secret key can be obtained by precisely measuring the time that operations took. This allows one to attack the system without directly factoring the modulus. More powerful attacks, due to Kocher et al. [15], show how to obtain the secret key by measuring a device's power consumption during decryption.
We present another type of attack that also avoids directly factoring the modulus. We
essentially use the fact that from time to time the hardware or software performing the
computations may introduce errors. We show that erroneous cryptographic values (e.g.
erroneous RSA signatures) jeopardize security by enabling an attacker to expose secret
information. We describe a number of environments where the attack may apply:
Certificate Authority. A certificate authority (CA) issues certificates to various entities. During certificate generation, the CA uses its private key to sign the data contained in the certificate [18]. The CA's private key is highly guarded since anyone possessing the private key can issue fake certificates. Suppose that during certificate generation a rare computer error on the CA's machine (hardware or software) results in a certificate containing an erroneous CA signature. We show that such invalid certificates can completely expose the CA's private key. At the extreme, a single erroneous certificate is sufficient to recover the CA's private key. Note that typically the user is alerted whenever an invalid certificate is received, at which point the user could try to exploit this certificate to attack the CA's key.
Web Server. A web server uses a secret key to authenticate itself to a web browser
and to establish a secure session with the browser. Suppose that during key exchange, a
rare computer error on the web server causes it to miscalculate. The resulting value sent
to the browser can completely expose the server’s private key.
Smartcard. Smartcards are typically used to authenticate their owners and sign certain contracts on behalf of their owners. As before, a glitch in the smartcard's processor may cause it to send an erroneous value to the outside world. These values expose the secret keys stored on the card.
Obfuscated Keys. Several software products contain an embedded secret key. The secret key is "hidden" in the software so that it is supposedly hard to extract from the executable. For example, several software audio players running on desktop computers contain a secret key used to defend against music piracy. The embedded key is used to decrypt encrypted music sent to the user. To extract the embedded key, an attacker could randomly add a single instruction to the decryption code, thus causing the decryption process to malfunction. The invalid decryptions produced expose the secret key embedded in the player. This attack extracts the secret key without reverse engineering the software.
One may wonder whether hardware or software errors are a concern. After all, most hardware and software used in everyday life appears to be reliable. Nevertheless, several scenarios may enable an adversary to collect and possibly cause faults. We group these into three categories.
Latent Faults. Latent errors are hardware or software bugs that are difficult to catch.
As an example, consider Intel’s floating point division bug [12]. A crypto library using a
faulty floating point unit for multi-precision arithmetic may, on rare occasions, generate
incorrect values. Similarly, latent software bugs in the multi-precision package could
also lead to incorrect results.
Transient Faults. Transient faults are random hardware glitches that cause the processor to miscalculate. These may be caused by power glitches, high temperature, static electricity, etc. A transient error that takes place during signature generation will result in an invalid signature.
Induced Faults. When an adversary has physical access to a device she may try to induce hardware faults purposely. For instance, one may attempt to attack a tamper-resistant device by deliberately causing it to malfunction. See the discussion by Anderson and Kuhn [1] for examples of tampering with tamper-resistant devices. Fortunately, most smartcards have built-in sensors to detect various forms of tampering. Hence, it is likely that the cost of inducing useful faults is higher than the potential gains.
1.1. The Attack Model
Throughout the paper our model consists of a black-box interacting with the outside world according to a predefined protocol. The black-box contains secret keys that are inaccessible to the outside world. For example, a CA may be viewed as a black-box that issues certificates on demand. The CA's private key is stored inside the box. The adversary's goal is to interact with the black-box and extract the secret keys stored in it using only the values output by the box. The assumption is that, on rare occasions, errors within the box machinery (either hardware or software) cause it to output incorrect values. The attacks described in the paper show how these values enable an adversary to deduce the secret keys stored inside the box.
The attack described in Section 2.2 is the most powerful and is capable of dealing with arbitrary errors. Other attacks in the paper assume more "hardware-like" errors. We refer to these more specialized errors as register faults. The idea is as follows: suppose that at some point during a computation (such as signature generation) a temporary value stored in a register is corrupted. More precisely, one bit in the register flips between the time the value is loaded into the register and the time it is read out of the register. The bit flip causes one of the register bits to flip from a "1" to a "0" or vice versa. Typically, the bit flip results from a premature power drain on one of the register cells. We will show that the secret keys used in several cryptographic schemes are completely exposed in the presence of register faults.
1.2. Summary of Results
Our attack is effective against several cryptographic schemes such as the RSA system and Rabin signatures [21] as well as several identification protocols. As expected, the effectiveness of the attack depends on the exact implementation of each of these schemes. We briefly review the results:
For public key systems we present the following results:
RSA + CRT. For an implementation of RSA based on the Chinese Remainder Theorem (CRT) we show that given one erroneous RSA signature one can efficiently factor the RSA modulus with high probability. The same approach can also be used to attack Rabin's signature scheme. Our attack shows that one invalid signature along with a valid signature on the same message is sufficient for factoring the modulus. A later improvement due to Lenstra [16] shows that an invalid signature along with the original message to be signed is sufficient.
RSA. Register faults can be used to attack other implementations of the RSA system though many more erroneous signatures are required. When an n-bit RSA modulus is used the number of required faults is O(n).
For identification schemes we show the following:
Fiat–Shamir. A few erroneous executions of the Fiat–Shamir identification protocol [8] enable an adversary to recover the private key of the party trying to authenticate itself. When a single execution of the protocol has security $2^{-t}$ we require O(t) erroneous executions. Furthermore, in case the prover is a smartcard the adversary mounts the attack by inducing a register fault while the card is waiting for a challenge. Thus, precise timing of the induced register fault is not necessary.
Schnorr. Similar results hold for Schnorr's identification protocol [22] though a larger number of erroneous executions is necessary. When an n-bit modulus is used the number of executions is O(n log n). The attack uses faults that corrupt the prover while it is waiting for a challenge from the verifier.
Since the initial publication of our results several authors devised attacks based on
faults for other cryptographic systems. Biham and Shamir [5] presented elegant and
novel attacks on DES. Some of their techniques can be used to recover the secret key of
a totally unknown cipher. Anderson and Kuhn [2] used a different fault model to obtain
attacks against symmetric ciphers. Bao et al. [3] devised fault attacks against DSS and
several other signature schemes. Joye et al. [13] noted that CRT attacks (described in the
next section) can also be mounted against several elliptic curve systems. Finally, Zheng
and Matsumoto [24] showed how faults in the random number generator can be used to
attack systems.
It is important to emphasize that the attacks described in this paper are currently theoretical. We are not aware of any published results physically experimenting with this type of attack. The purpose of these results is to demonstrate the danger that hardware or software bugs pose to various cryptographic systems. In conjunction with Kocher's work our results show that a pure mathematical analysis of a cryptographic algorithm is insufficient. One must also analyze the actual implementation to ensure it does not leak timing or power information and never outputs faulty values.
There are many ways to prevent attacks based on hardware faults. The simplest solution is to ensure the black-box verifies the values it computes before sending them out to the outside world. In protocols where the black-box has to keep some state (such as in identification protocols) our results show the importance of protecting the registers storing the state information using error detection bits. Preventing errors is crucial in many areas unrelated to cryptography. For instance, special precautions are taken to ensure error-free computations in core memories of large computers [17], in computers onboard satellites crossing the Van Allen belt, and many other embedded control systems. Scientists working in these areas may not be aware that their techniques are also critical for securing cryptographic implementations. We discuss methods for preventing errors in cryptographic computations in Section 4.
We note that FIPS publication 140-1 [9] suggests that hardware faults may compromise the security of a module. Our results explicitly demonstrate the extent of damage caused by such faults. We give algorithms that show how certain faults can expose sensitive security information. FIPS 140-1 also specifies a list of self-tests a module should apply to itself. Our results suggest that these tests are insufficient and a full verification of computed values is necessary.
2. RSA’s Vulnerability to Hardware Faults
We are now ready to describe the various attacks. We begin by describing RSA's vulnerability to hardware faults.
2.1. The RSA System
Let $N = pq$ be a product of two large primes each $n/2$ bits long. To sign a message $x \in \mathbb{Z}_N$ using RSA one computes $S = x^d \bmod N$ where $d$ is a secret signing exponent.¹ The computationally expensive part of signing using RSA is the modular exponentiation of $x$. For efficiency most implementations exponentiate as follows: using repeated squaring they first compute $S_1 = x^d \bmod p$ and $S_2 = x^d \bmod q$. They then use CRT to construct the signature $S = x^d \bmod N$. This last CRT step takes negligible time compared with the two exponentiations. It is done by computing $S = aS_1 + bS_2 \bmod N$ for some predefined constants $a, b \in \mathbb{Z}_N$.

Exponentiation using CRT is much faster than repeated squaring modulo $N$. To see this observe that $S_1 = x^d \bmod p = x^{d \bmod (p-1)} \bmod p$. Usually $d$ is of order $N$ while $d \bmod (p-1)$ is of order $p$. Consequently, computing $S_1$ requires half as many multiplications as computing $S$ directly. In addition, intermediate values during the computation of $S_1$ are only half as big—they are in the range $[1, p]$ rather than $[1, N]$. When quadratic time multiplication is used, multiplying two numbers in $\mathbb{Z}_p$ takes a quarter of the time as multiplying elements in $\mathbb{Z}_N$.

¹ Note that for simplicity we assume the message $x$ is an integer in the range 1 to $N$. Usually one uses a hash and a formatting function to convert the message into an integer in that range [19], [4].
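The CRT signing procedure described above, the single-fault factoring attack summarized under "RSA + CRT" in Section 1.2 (both the paper's two-signature variant and Lenstra's one-signature variant), and the "verify before output" countermeasure from Section 1, worked through as an added Python example. This code is not part of the paper; the key size, random seed, message value, faulted bit position and all function names are assumptions chosen for the demonstration, and the register fault is simulated by flipping one bit of the intermediate $S_1$ before the CRT recombination.

```python
"""RSA-CRT signing, the single-fault factoring attack and the verify-before-release
countermeasure.  Added example: key size, seed, message and faulted bit are assumptions."""
import random
from math import gcd

def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin test; 'rng' supplies the witness bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits, rng):
    """Random 'bits'-bit prime with the top bit set."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand

def keygen(bits, seed, e=65537):
    """Toy RSA key with p, q each bits/2 long, as in Section 2.1."""
    rng = random.Random(seed)
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            return p, q, e, pow(e, -1, (p - 1) * (q - 1))

def crt_sign(x, p, q, d, fault_bit=None):
    """S = x^d mod N via CRT; fault_bit flips one bit of the intermediate S_1
    before recombination (a simulated register fault in the mod-p half)."""
    s1 = pow(x, d % (p - 1), p)          # S_1 = x^d mod p, exponent reduced mod p-1
    s2 = pow(x, d % (q - 1), q)          # S_2 = x^d mod q
    if fault_bit is not None:
        s1 ^= 1 << fault_bit             # the register fault
    a = q * pow(q, -1, p)                # a = 1 (mod p), a = 0 (mod q)
    b = p * pow(p, -1, q)                # b = 0 (mod p), b = 1 (mod q)
    return (a * s1 + b * s2) % (p * q)   # S = a*S_1 + b*S_2 mod N

def crt_sign_checked(x, p, q, d, e, fault_bit=None):
    """Section 1 countermeasure: release S only if S^e mod N == x."""
    s = crt_sign(x, p, q, d, fault_bit)
    return s if pow(s, e, p * q) == x else None

def factor_from_pair(s_good, s_bad, N):
    """Paper's attack: S and the faulty S' agree modulo one prime only, so
    gcd(S - S', N) is the other prime."""
    f = gcd(s_good - s_bad, N)
    return f if 1 < f < N else None

def factor_from_message(s_bad, x, e, N):
    """Lenstra's improvement: S'^e == x modulo one prime only, so
    gcd(S'^e - x, N) factors N without a correct signature."""
    f = gcd(pow(s_bad, e, N) - x, N)
    return f if 1 < f < N else None

def demo(bits=512, seed=7, message=0xC0FFEE, fault_bit=17):
    """Sign once correctly and once with a fault, then run both attacks."""
    p, q, e, d = keygen(bits, seed)
    N = p * q
    s_good = crt_sign(message, p, q, d)
    s_bad = crt_sign(message, p, q, d, fault_bit)
    return {"p": p, "q": q, "N": N,
            "good_verifies": pow(s_good, e, N) == message,
            "bad_verifies": pow(s_bad, e, N) == message,
            "pair_factor": factor_from_pair(s_good, s_bad, N),
            "lenstra_factor": factor_from_message(s_bad, message, e, N),
            "checked_release": crt_sign_checked(message, p, q, d, e, fault_bit)}

if __name__ == "__main__":
    r = demo()
    print("faulty signature verifies:", r["bad_verifies"])
    print("q recovered from (S, S'):", r["pair_factor"] == r["q"])
    print("q recovered from (S', x):", r["lenstra_factor"] == r["q"])
    print("checked signer released faulty S:", r["checked_release"] is not None)
```

Running the module factors $N$ twice: from the pair $(S, \hat S)$ as in the paper, and from $(\hat S, x)$ alone as in Lenstra's improvement. Both recover $q$ here because the fault was injected into the mod-$p$ half of the computation; a fault in $S_2$ would yield $p$ instead. `crt_sign_checked` is the cheapest form of the Section 1 countermeasure, one exponentiation with the public exponent $e$ before the value leaves the box, which is inexpensive for small $e$. The check runs on the same hardware as the signing, so a second fault during the verification could still let a faulty signature out; it reduces the exposure rather than eliminating it.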
