An RSA Implementation Resistant to Fault Attacks ... - Semantic Scholar

IEEE TRANSACTIONS ON COMPUTERS,

VOL. 55, NO. 9,

SEPTEMBER 2006

An RSA Implementation Resistant to Fault Attacks and to Simple Power Analysis Christophe Giraud Abstract—Nowadays, Side Channel Attacks allow an attacker to recover secrets stored in embedded devices more efficiently than any other kind of attack. Among the former, Fault Attacks (FA) and Single Power Analysis (SPA) are probably the most effective: When applied to straightforward implementations of the RSA cryptosystem, only one execution of the algorithm is required to recover the secret key. Over recent years, many countermeasures have been proposed to prevent Side Channel Attacks on RSA. Regarding Fault Attacks, only one countermeasure offers effective protection and it can be very costly. In this paper, we focus on a means to counteract Fault Attacks by presenting a new way of implementing exponentiation algorithms. This method can be used to obtain fast FA-resistant RSA signature generations in both the Straightforward Method and Chinese Remainder Theorem modes. Moreover, as it has been shown that Fault Attacks can benefit from the weaknesses introduced by some SPA countermeasures, we ensure that our method resists SPA and, thus, does not require supplementary SPA countermeasures. Index Terms—Smart cards, side channel, fault injection, simple power analysis, public-key cryptosystems, RSA, exponentiation.

Ç 1

INTRODUCTION

IN 1996, Kocher introduced the concept of Side Channel Analysis [1] to attack cryptographic algorithms running in embedded devices such as smart cards. By using side channel leakages such as power consumption or electromagnetic radiations, any straightforwardly implemented cryptographic algorithm can be broken within a few hundred executions. Out of all of these attacks, Fault Attacks (FA) [2] and Single Power Analysis (SPA) [3] are the most effective. RSA was the first cryptosystem to be attacked by using fault analysis [2]. With only one faulty signature, an attacker can easily recover RSA secret parameters. An obvious countermeasure to prevent this attack consists of verifying the signature by using the corresponding public exponent [2]. However, this approach is very costly and sometimes extremely difficult to perform. Indeed, the public exponent is not always available and, so, it must be computed from the private parameters. To circumvent this drawback, many other countermeasures have been proposed, but all of them have been broken. In parallel with fault attacks, SPA can break unprotected RSA implementations in only one shot. Indeed, straightforward methods to implement RSA do not perform the same operations, depending on the value of the secret bit which is processed. Such behavior is easily distinguishable by monitoring the power consumption of the device. To counteract SPA on RSA, Coron introduced in [4] a SPA countermeasure which performs the same operations whatever the value of the secret bit. However, Joye and Yen showed in [5] that this kind of countermeasure can benefit fault analysis. Thus, the analysis of the FAresistance of RSA must also take into account the possible weaknesses induced by SPA countermeasures. In this paper, we present a way of implementing a fast RSA signature which resists Fault Attacks. We also ensure that our method resists Simple Power Analysis, thus avoiding introducing

. The author is with Oberthur Card Systems, 4, Alle´e du doyen Georges Brus, 33 600 Pessac, France. E-mail: [email protected]. Manuscript received 15 Apr. 2005; revised 31 Dec. 2005; accepted 11 Jan. 2006; published online 20 July 2006. For information on obtaining reprints of this article, please send e-mail to: [email protected], and reference IEEECS Log Number TCSI-0113-0405. 0018-9340/06/$20.00 ß 2006 IEEE

Published by the IEEE Computer Society

1

threats by the addition of SPA countermeasures. In Section 2, we present RSA with its two different modes of execution, Straightforward Method (SFM) and Chinese Remainder Theorem (CRT). In Section 3, we review the history of Fault Attacks on the RSA cryptosystem. In Section 4, we describe a new FA-SPA-resistant exponentiation algorithm and, in Section 5, we explain how to use the latter to obtain an FA-SPA-resistant RSA signature scheme in both SFM and CRT modes. Finally, Section 6 concludes the paper.

2

THE RSA CRYPTOSYSTEM

Let N ¼ p  q be the RSA public modulus which is the product of two large secret primes p and q. In the sequel, we denote by e (respectivley, by d) the public (respectively, private) exponent, the pair ðe; dÞ satisfying e  d  1 mod ðp  1Þ  ðq  1Þ. We also denote by n the bit-length of N, by dp (respectively, dq ) the value d mod p  1 (respectively, d mod q  1) and by a the inverse of p modulo q. The so-called Straight Forward Method (SFM) is the traditional way to compute the signature S ¼ md mod N of a message m: Algorithm 1 SFM-RSA signature algorithm. Input: m; d ¼ ðdn1 ; . . . ; d0 Þ; N Output: md mod N a0 m for i from n  2 to 0 do a20 mod N a0 if di ¼ 1 then a0 m  a0 mod N return a0 . For better efficiency, embedded devices usually compute S by using Garner’s CRT reconstruction method (cf. [6]). As pointed out in [7], this mode is four times faster than SFM-RSA. Algorithm 2 CRT-RSA signature algorithm. Input: m; p; q; dp ; dq ; a Output: md mod N Sp Algorithm 1 with m; dp ; p as inputs Sq Algorithm 1 with m; dq ; q as inputs S CRTðSp ; Sq Þ return S. where CRTðSp ; Sq Þ ¼ ðððSq  Sp Þ mod qÞ  a mod qÞ  p þ Sp mod ðp  qÞ:

3 3.1

FAULT ATTACKS ON RSA Attacks and Countermeasures

The principle of fault attacks is to disturb an embedded device during the execution of a sensitive operation. By analyzing the behavior of the device after the disturbance, secret information such as cryptographic keys can be revealed (cf. [8]). The researchers from Bellcore were the first to describe a fault attack on RSA in both the SFM and CRT modes [2]. As SFM-RSA is rarely used in embedded devices due to its slow execution, we will only describe fault attacks on CRT-RSA in this section.1 In the case of CRT-RSA, if a fault is induced during the computation of Sp , then a faulty Sep is used during the CRT e As recombination and the device outputs a faulty signature S. S  Sp mod p and S  Sq mod q, one can notice that Se  S mod q, e then the secret but Se 6 S mod p. Thus, if p does not divide S  S, 1. The reader can refer to [2] for a detailed description of a fault attack on SFM-RSA.

2

IEEE TRANSACTIONS ON COMPUTERS,

prime q can easily be recovered by computing the GCD of S  Se and N. A straightforward countermeasure against this fault attack is to verify the signature by using the public key ðe; NÞ. This method, which implies a second modular exponentiation, is very costly if the public exponent e is large. To bypass this inconvenience, another approach was proposed by Shamir in [9]. He suggested choosing a small integer t and computing Spt ¼ md mod p  t and Sqt ¼ md mod q  t. Then, he checked whether Spt  Sqt mod t before combining them with the CRT. However, Shamir’s method leaves the CRT recombination unprotected; this has been exploited by Aumu¨ller et al. to break Shamir’s countermeasure [10]. Over the last few years, many other countermeasures have been proposed (cf. [11], [10], [12]), but all of them have been broken (cf. [13], [14], [15]). Thus, despite many attempts to efficiently protect the RSA against fault attacks, all the countermeasures have been shown to be insecure in the presence of faults except the straightforward verification using the public exponent.

3.2

Fault Attacks Exploiting SPA Countermeasures

In parallel with Fault Attacks, Simple Power Analysis [3] is also a very powerful side-channel attack. Applied to unprotected exponentiation algorithms such as Algorithm 1, SPA allows an attacker to recover the whole value of the exponent with only one execution of the algorithm. Indeed, a straightforward implementation of an exponentiation performs an extra multiplication each time a bit of the secret exponent is equal to 1. To counteract SPA on exponentiation algorithms, Coron introduced in [4] the Square & Multiply Always algorithm which consists of performing a multiplication whatever the value of the secret bit. However, Yen et al. presented in [16] a SPA attack on the Square & Multiply Always algorithm which uses special chosen input messages. To prevent this attack, one can, for example, blind the modulus with a random value. In the case of CRT-RSA, one can perform the CRT recombination with blinded moduli to counteract other specific SPA attacks (cf. [17]). In [5], Yen and Joye published a very ingenious fault attack called safe-error (SE) on SPA-resistant exponentiation algorithms such as the Square & Multiply Always algorithm. They noticed that the result of the multiplication operation is not used if the bit of the exponent is 0. From this finding, they extracted the general idea of safe-error attacks: By inducing an error during a multiplication and by testing whether the result is correct or not, the attacker deduces the value of the corresponding bit of the secret exponent. To prevent this kind of attack, a safe-error resistant exponentiation based on the Montgomery Ladder was published by Joye and Yen in [18]:

VOL. 55,

NO. 9,

SEPTEMBER 2006

Compute S by using Algorithm 3 with m; d; k  N as inputs. S S mod N if CRT-RSA then Compute Sp by using Algorithm 3 with m; dp ; k  p as inputs. Compute Sq by using Algorithm 3 with m; dq ; k  q as inputs. S CRTblinded ðSp ; Sq Þ Compute mcheck ¼ S e mod N by using Algorithm 1 with S; e; N as inputs. if mcheck ¼ m then return S. else return (“A fault attack has been detected.”) where CRTblinded ðSp ; Sq Þ ¼ ðððSq  Sp Þ mod ðk  qÞÞ  a mod ðk  qÞÞ  p þ Sp mod ðp  qÞ: It is important to note that this method has two main disadvantages. First, it requires the public exponent e, which is not always available.2 Second, if the public exponent is large, then the verification step is very costly (up to four times slower than the signature step in the case of CRT-RSA).

4

FA AND SPA-RESISTANT EXPONENTIATION

In this section, we present a new FA-SPA-resistant modular exponentiation based on Algorithm 3 which ensures the integrity of the whole signature’s computation. Our method is more efficient than previous techniques and does not require knowledge of the public exponent.

4.1

Principle

We use the fact that the temporary couple ða0 ; a1 Þ is of the form ðm ; mþ1 Þ at each step of Algorithm 3. So, if an error occurs on a temporary result a0 or a1 or if a multiplication or a square is disturbed at any moment in the computation, then the coherence between a0 and a1 is lost. Since both of these values are used to compute the next temporary couple, the last couple ða0 ; a1 Þ is not of the form ðS; m  SÞ. The error will thus be detected by checking the coherence between the last two temporary results a0 and a1 , i.e., by testing if m  a0  a1 mod N. If this test fails, no signature is returned. This principle is described in the following algorithm; furthermore, we include integrity checks on the loop counter and on the exponent to prevent disturbance of these values.3

To sum up the different countermeasures proposed in the literature, one of the most efficient ways of protecting RSA against both Fault Attacks and SPA is to use the following algorithm:

Algorithm 5 FA-SPA-resistant modular exponentiation. Input: m; d ¼ ðdn1 ; :::; d1 ; d0 Þ odd, N Output: md mod n Pick a 32-bit random number k a0 m a1 a0 2 mod k  N for i from n  2 to 1 do ad i adi  adi mod k  N ad i a2di mod k  N a1 a1  a0 mod N a0 a20 mod N a0 a0  m mod N if (Loop Counter i not disturbed) & (Exponent d not disturbed) then

Algorithm 4 FA-SPA-resistant RSA. Input: m, e and ðp; q; dp ; dq ; aÞ for CRT-RSA or ðd; NÞ for SFM-RSA Output: md mod N Pick a 32-bit random number k. if SFM-RSA then

2. Generally, when using a Java Card in a public key infrastructure, only the secret key and the corresponding X.509 certificate are stored in the card. As there is no standard Java Card API to parse the contents of a certificate, the card cannot recover the value of the public key. 3. We only consider odd exponents as it is always the case for RSA. Extension to even exponents is straightforward.

Algorithm 3 Joye et al.’s SPA-SE-resistant modular exponentiation. Input: m; d ¼ ðdn1 ; :::; d0 Þ, N Output: md mod N a0 1, a1 m for i from n  1 to 0 do adi adi  adi mod N adi a2di mod N return a0

3.3

FA-SPA-Resistant RSA

IEEE TRANSACTIONS ON COMPUTERS,

VOL. 55, NO. 9,

SEPTEMBER 2006

if a0 ¼ a1 then return a0 . return (“A fault attack has been detected.”)

4.2

Security Discussion

The countermeasure described above resists Boneh et al.’s attack [2, Section 6] and safe-error attacks [5], [19]. However, two other threats have to be considered: zero value attack on a0 or a1 and disturbance of the security comparison after a perturbation during the exponentiation. The first attack supposes that the attacker sets to zero one of the buffers containing a0 or a1 during the execution of the exponentiation. In this case, the last couple ða0 ; a1 Þ is equal to ð0; 0Þ. Thus, the coherence test does not detect the attack. According to us, it is impossible in practice to set a large buffer to zero. Indeed, due to memory and bus scrambling, it is impossible for an attacker to choose the value of the induced fault. Thus, the probability of setting an n-bit buffer to zero is 2n . We thus assume in the rest of this paper that it is impossible to set to zero an n-bit buffer, n  80. This implies, in particular, that the first fault attack is impossible to perform in practice. The second attack supposes that the attacker disturbs the device twice during one execution of the algorithm: First, a temporary value or an operation is disturbed during the exponentiation and, second, the coherence test m  a0  a1 mod N is disrupted. In our opinion, this kind of attack is impossible to perform in practice. The attacker must disturb two precise parts of the computation instead of one. Such a fault model is much more difficult to apply in practice than the one-shot fault model. Moreover, even if the attacker is able to disturb the component twice, the coherence test is very difficult to bypass. Indeed, to do so he will have to modify the zero flag of the status register (cf. [11]). However, in smart cards, these sensitive registers are protected by very efficient redundancy mechanisms such as hardwired checksums or error correcting codes. 1. 2.

5

FA AND SPA-RESISTANT RSA ALGORITHMS

From Section 4, Algorithm 5 can be straightforwardly applied to obtain an FA-SPA-resistant SFM-RSA. Thus, in this section, we only describe how to use Algorithm 5 in order to obtain an RSA signature generation resistant to FA and SPA in CRT mode.

5.1 5.1.1

FA-SPA-Resistant CRT-RSA Presentation

Before describing a new FA-SPA-resistant CRT-RSA, we introduce a slightly modified version of Algorithm 5 to compute Sp and Sq . This algorithm does not check the coherence between the last two temporary results, which are used throughout the algorithm, and it outputs them both. Moreover, we keep the outputs blinded to counteract SPA attacks during the CRT recombination [17]. In this section, k denotes a 32-bit random number. Algorithm 6 Modified SPA-SE-resistant modular exponentiation. Input: m; d odd, N, k Output: ðmd1 mod k  N; md mod k  NÞ a0 m a1 a0 2 mod k  N for i from n  2 to 1 do adi adi  adi mod k  N adi a2di mod k  N a1 a1  a0 mod k  N a0 a20 mod k  N

3

if (Loop Counter i not disturbed) & (Exponent d not disturbed) then return ða0 ; a1 Þ. else return (“A fault attack has been detected.”) By applying this algorithm to ðm; dp ; p; kÞ (respectively, to ðm; dq ; q; kÞ) we obtain ðSp0 ; Sp Þ (respectively, ðSq0 ; Sq Þ), where Sp ¼ mdp mod k  p and Sp0 ¼ mdp 1 mod k  p (respectively, Sq ¼ mdq mod k  q and Sq0 ¼ mdq 1 mod k  q). Then, the CRT recombination is performed twice, once with ðSp ; Sq Þ and once with ðSp0 ; Sq0 Þ. We thus obtain S ¼ md mod N and S 0 ¼ md1 mod N. Finally, we check to see if no faults have occurred during the whole computation by comparing S and m  S 0 mod N. If they are equal, then we return S. To enhance the security of this scheme, the integrity of the secret parameters p, q, and a must be checked before returning the signature S. Indeed, if one of these parameters is allowed to be disturbed, the fault attack described by Boneh et al. in [2] applies (cf. Section 3.1). Algorithm 7 SPA and FA-resistant CRT-RSA. Input: m; p; q; dp ; dq ; a Output: md mod N Pick a 32-bit random number k. ðSp0 ; Sp Þ Algorithm 6 with m; dp ; p; k as inputs. Algorithm 6 with m; dq ; q; k as inputs. ðSq0 ; Sq Þ S0 CRTblinded ðSp0 ; Sq0 Þ S CRTblinded ðSp ; Sq Þ S0 m  S 0 mod ðp  qÞ 0 if ðS ¼ SÞ & (Parameters p, q, a not modified) then return S. else return (“A fault attack has been detected.”) Remark 1. The memory consumption and the timing of Algorithm 7 can be slightly improved by noticing that the comparison S ¼ m  S 0 mod ðp  qÞ can be replaced by S  m  Sp0 mod p and S  m  Sq0 mod q. In this case, the two multiplications m  Sp0 and m  Sq0 must be performed after computing the two couples ðSp0 ; Sp Þ and ðSq0 ; Sq Þ; otherwise, a fault attack on the message m is possible. A further advantage is that it is no longer necessary to check the integrity of a (indeed, if a fault is induced on a, then the faulty signature is not congruent to m  Sq0 mod q).

5.1.2

Security Analysis

In this section, we apply the different possible fault attacks and we observe how our CRT-RSA algorithm reacts. First kind of attack. With regard to fault attacks on an input parameter, it is easy to see that this kind of fault is detected by the integrity checks of Algorithm 6 or of Algorithm 7. Second kind of attack. Let us apply Wagner’s attack [15] which supposes that the message m is disturbed when computing Sq but is correct when computing Sp . The CRT recombination is applied twice, once with ðSp0 ; Seq0 Þ to obtain Se0 and once with ðSp ; Seq Þ to e where Se0 ¼ m e dq 1 mod k  q and Seq ¼ m e dq mod k  q, m e obtain S, q denoting the faulty message. By definition, we have Sp0 ¼ mdp 1 mod k  p, so there exists a unique  2 IN such that Sp0 ¼ mdp 1    p. Consequently, Sp can be written as mdp  m    p. In the same manner, there exists a unique  2 IN such that Sq0 (respectively, Sq ) can be written as mdq 1    q (respectively, as mdq  m    q). When we use these relations together with Garner’s CRT formula, we obtain: Se  m  Se0  ððSeq  Sp Þ  a mod qÞ  p þ Sp  m  ðððSe0  S 0 Þ  a mod qÞ  p þ S 0 Þ mod N; q

p

p

4

IEEE TRANSACTIONS ON COMPUTERS,

VOL. 55,

NO. 9,

SEPTEMBER 2006

TABLE 1 Comparative Table of the Different FA-Countermeasures on CRT-RSA

4. These results suppose that the CRT recombination is performed by using the formula presented at the end of Section 2. 5. This attack works if p is wrong when computing Sp but is correct when computing the CRT recombination (i.e., if p is reloaded between the computation of Sp and the CRT recombination). 6. This attack works with a permanent fault model. 7. After the CRT recombination, Yen et al. [11] and Blo¨mer et al. [12] perform some extra manipulations to spread out the error. 8. This timing does not take into account the precomputations.

then we have m  Sep0 6 Sep mod p (otherwise, the computations of Se0 and Se are correct). By definition, there exists a unique  2 IN such that Sq0 ¼ mdq 1    q and Sq ¼ mdq  m    q. So, using these relations to compute Se  m  Se0 , we obtain:

which is equivalent to: e dq  m    q  mdp þ m    pÞ  a þ 0  qÞ  p Se  m  Se0  ððm þ mdp  m    p e dq 1  m    q  mdp þ m    pÞ  a  ððm  m þ m  1  qÞ  p  mdp þ m    p mod ðp  qÞ ;

Se  m  Se0  ððSq  Sep Þ  a mod qÞ  p þ Sep  m  ðððSq0  Sep0 Þ

0 ; 1 2 ZZ;

 a mod qÞ  p þ Sep0 Þ mod N

that is, with:

 ððmdq  m    q  Sep Þ  a þ 0  qÞ  p þ Sep  ðððmdq  m    q  m  Se0 Þ  a þ m  1  qÞ  p

e dq 1  ðm e  mÞ mod N: Se  m  Se0  a  p  m

p

 m  Sep0 mod ðp  qÞ ;

As argued in Section 4.2, setting a large buffer to zero is assumed

 ðm  Sep0  Sep Þ  ða  p  1Þ mod N:

e 6¼ 0. As m 6 m e mod q to be impossible in practice; this implies m 0 e e e  m is not (otherwise, the computation of ðS ; SÞ is correct), then m

As a ¼ p1 mod q, the value a  p is congruent to 1 mod q. Thus, there exists a unique  2 IN such that a  p ¼ 1 þ   q. So, we have:

divisible by q and differs from 0. Thus, one deduces Se  m  Se0 6 0 mod N and our coherence test detects this attack.4 The same reasoning holds if the message is disturbed when computing Sp

Se  m  Se0  ðm  Sep0  Sep Þ    q mod N:

but is correct when computing Sq . Third kind of attack. Now, let us analyze the impact of an error induced during the different steps of the computation of S: .

Attack during the computation of ðSp0 ; Sp Þ or of ðSq0 ; Sq Þ: If an error occurs during the computation of the couple ðSp0 ; Sp Þ, then the coherence between Sp0 and Sp is lost (cf. Section 4). So, if we denote the faulty couple by ðSep0 ; Sep Þ,

e  Se0 mod N. So, the attack is also detected if 4. One may note that Se 6¼ m e is used for the coherence test instead of m. the faulty message m

0 ; 1 2 ZZ

.

As m  Sep0 6 Sep mod p, then m  Sep0  Sep is not divisible by p and differs from 0. Thus, the relation Se  m  Se0 6 0 mod N is satisfied and our coherence test detects the attack. The same reasoning holds if an error occurs during the computation of the couple ðSq0 ; Sq Þ. Attack during the computation of S 0 or S: Any disturbance induced during the CRT recombination will break the relationship S ¼ m  S 0 mod N. Thus, such an attack is detected by our coherence test.

IEEE TRANSACTIONS ON COMPUTERS,

VOL. 55, NO. 9,

SEPTEMBER 2006

5

Therefore, Algorithm 7 always detects a fault induced either on the message or on one of its parameters or during the execution of the algorithm. In particular, we can notice that Algorithm 7 is resistant to both Aumu¨ller et al.’s [10] and Blo¨mer et al.’s [12] attacks, which require the knowledge of several faulty outputs.

REFERENCES

5.1.3

[3]

Comparative Table

[1] [2]

Table 1 summarizes the number of faulty signatures required to recover the secret key according to whether the fault is induced on the message, on an input parameter or during a computation. We also present the timing performances of the different FA countermeasures. We implemented the different methods on a smart card containing a cryptoprocessor that performs fast additions and modular multiplications over IFp . The timings were obtained for a 1,024-bit RSA with the CPU and the crypto processor running at 30 MHz. Finally, we indicate the inconveniences of each method from a practical point of view.

[4]

5.2

[9]

Characteristics of Our Algorithms

As the exponentiation with the public exponent required by the classical verification step is not performed, our FA-SPA-resistant RSAs (Algorithms 5 and 7) are much faster than the traditional methods (Algorithm 4). Our SFM-RSA (respectively, CRT-RSA) needs 1 (respectively, 2) multiplication(s) to test if a fault has been induced, whereas the timing overhead of the classical countermeasure depends on the bit-length of the public exponent. For example, if e is very short, such as e ¼ 216 þ 1, Algorithm 4 requires 16 squarings and one multiplication for the verification of a signature. This difference is much more significant if e is as long as the modulus: Algorithm 4 requires 2,048 squarings and 1,024 multiplications on average for the verification of a 2,048-bit RSA signature.

6

CONCLUSION

In this paper, we describe a new exponentiation algorithm which is resistant to Fault Attacks and to Simple Power Analysis. This algorithm is a very effective way to implement an FA-SPAresistant RSA. Our countermeasure only adds two modular multiplications and four checksum computations. This overhead is negligible compared to the cost of the whole exponentiation. Moreover, unlike most existing countermeasures, our proposal only requires the private key which is used in concrete applications. Above all, it does not require the public exponent. This last point is an invaluable advantage when working with architectures which do not supply this parameter.

[5]

[6] [7]

[8]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

P. Kocher, “Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems,” Advances in Cryptology, Proc. CRYPTO ’96, N. Koblitz, ed., pp. 104-113, 1996. D. Boneh, R. DeMillo, and R. Lipton, “On the Importance of Checking Cryptographic Protocols for Faults,” Advances in Cryptology, Proc. EUROCRYPT ’97, W. Fumy, ed., pp. 37-51, 1997. P. Kocher, J. Jaffe, and B. Jun, “Differential Power Analysis,” Advances in Cryptology, Proc. CRYPTO ’99, M. Wiener, ed., pp. 388-397, 1999. J.-S. Coron, “Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems,” Proc. Cryptographic Hardware and Embedded Systems (CHES ’99), C ¸ . Koc¸ and C. Paar, eds., pp. 292-302, 1999. S.-M. Yen and M. Joye, “Checking before Output May Not Be Enough against Fault-Based Cryptanalysis,” IEEE Trans. Computers, vol. 49, no. 9, pp. 967-970, June 2000. H. Garner, “The Residue Number System,” IRE Trans. Electronic Computers, vol. 8, no. 6, pp. 140-147, 1959. C. Couvreur and J.-J. Quisquater, “Fast Decipherment Algorithm for RSA Public-Key Cryptosystem,” Electronics Letters, vol. 18, no. 21, pp. 905-907, 1982. C. Giraud and H. Thiebeauld, “A Survey on Fault Attacks,” Proc. Smart Card Research and Advanced Applications VI (CARDIS 2004), J.-J. Quisquater, P. Paradinas, Y. Deswarte, and A.E. Kalam, eds., pp. 159-176, 2004. A. Shamir, “Improved Method and Apparatus for Protecting Public Key Schemes from Timing and Fault Attacks,” Int’l Patent Number: WO 98/ 52319, Nov. 1998. C. Aumu¨ller, P. Bier, W. Fischer, P. Hofreiter, and J.-P. Seifert, “Fault Attacks on RSA with CRT: Concrete Results and Practical Countermeasures,” Proc. Cryptographic Hardware and Embedded Systems (CHES 2002), B. Kaliski Jr., C ¸ . Koc¸, and C. Paar, eds., pp. 260-275, 2002. S.-M. Yen, S.-J. Kim, S.-G. Lim, and S.-J. Moon, “RSA Speedup with Residue Number System Immune against Hardware Fault Cryptanalysis,” Proc. Information Security and Cryptology (ICISC 2001), K. Kim, ed., pp. 397-413, 2001. J. Blo¨mer, M. Otto, and J.-P. Seifert, “A New RSA-CRT Algorithm Secure against Bellcore Attacks,” Proc. ACM Conf. Computer and Comm. Security (CCS ’03), S. Jajodia, V. Atluri, and T. Jaeger, eds., pp. 311-320, 2003. S.-M. Yen and D. Kim, “Cryptanalysis of Two Protocols for RSA with CRT Based on Fault Infection,” Proc. Workshop Fault Diagnosis and Tolerance in Cryptography (FDTC ’04), L. Breveglieri and I. Koren, eds., pp. 381-385, 2004. S.-M. Yen, S. Moon, and J.-C. Ha, “Hardware Fault Attack on RSA with CRT Revisited,” Proc. Information Security and Cryptology (ICISC 2002), P. Lee and C. Lim, eds., pp. 374-388, 2002. D. Wagner, “Cryptanalysis of a Provable Secure CRT-RSA Algorithm,” Proc. ACM Conf. Computer and Comm. Security (CCS ’04), B. Pfitzmann and P. Liu, eds., pp. 82-91, 2004. S.-M. Yen, W.-C. Lien, S.-J. Moon, and J.-C. Ha, “Power Analysis by Exploiting Chosen Message and Internal Collisions—Vulnerability of Checking Mechanism for RSA-Decryption,” Progress in Cryptology, Proc. Mycrypt 2005, E. Dawson and S. Vaudenay, eds., pp. 183-195, 2005. R. Novak, “SPA-Based Adaptive Chosen-Ciphertext Attack on RSA Implementation,” Proc. Public Key Cryptography (PKC 2002), D. Naccache and P. Paillier, eds., pp. 252-262, 2002. M. Joye and S.-M. Yen, “The Montgomery Powering Ladder,” Proc. Cryptographic Hardware and Embedded Systems (CHES 2002), B. Kaliski Jr., C ¸ . Koc¸, and C. Paar, eds., pp. 291-302, 2002. S.-M. Yen, S.-J. Kim, S.-G. Lim, and S.-J. Moon, “A Countermeasure against One Physical Cryptanalysis May Benefit Another Attack,” Proc. Information Security and Cryptology (ICISC 2001), K. Kim, ed., pp. 414-427, 2001.

ACKNOWLEDGMENTS The author would like to thank Emmanuel Prouff, Re´gis Bevan, Benoıˆt Feix, Jean-Bernard Fischer, and the anonymous referees for their fruitful comments on the preliminary versions of this paper.

. For more information on this or any other computing topic, please visit our Digital Library at www.computer.org/publications/dlib.