Formal Analysis of CRT-RSA Vigilant's Countermeasure Against the BellCoRe Attack: A Pledge for Formal Methods in the Field of Implementation Security

Authors:
Pablo Rauzy;Sylvain Guilley
Affiliations:
Institut Mines-Té/lé/com/ Té/lé/com ParisTech/ CNRS LTCI;Institut Mines-Té/lé/com/ Té/lé/com ParisTech/ CNRS LTCI
Venue:
Proceedings of ACM SIGPLAN on Program Protection and Reverse Engineering Workshop 2014
Year:
2014

Citing 9
Cited 0

A method for obtaining digital signatures and public-key cryptosystems

Communications of the ACM
Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems

CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
Fault Attacks on RSA with CRT: Concrete Results and Practical Countermeasures

CHES '02 Revised Papers from the 4th International Workshop on Cryptographic Hardware and Embedded Systems
RSA with CRT: A New Cost-Effective Solution to Thwart Fault Attacks

CHES '08 Proceeding sof the 10th international workshop on Cryptographic Hardware and Embedded Systems
Formal certification of code-based cryptographic proofs

Proceedings of the 36th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
On the importance of checking cryptographic protocols for faults

EUROCRYPT'97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques
Public-key cryptosystems based on composite degree residuosity classes

EUROCRYPT'99 Proceedings of the 17th international conference on Theory and application of cryptographic techniques
Fault Attacks and Countermeasures on Vigilant's RSA-CRT Algorithm

FDTC '10 Proceedings of the 2010 Workshop on Fault Diagnosis and Tolerance in Cryptography
Practical Optical Fault Injection on Secure Microcontrollers

FDTC '11 Proceedings of the 2011 Workshop on Fault Diagnosis and Tolerance in Cryptography

Quantified Score

Hi-index	0.00

Visualization

Abstract

In our paper at PROOFS 2013, we formally studied a few known countermeasures to protect CRT-RSA against the BellCoRe fault injection attack. However, we left Vigilant's countermeasure and its alleged repaired version by Coron et al. as future work, because the arithmetical framework of our tool was not sufficiently powerful. In this paper we bridge this gap and then use the same methodology to formally study both versions of the countermeasure. We obtain surprising results, which we believe demonstrate the importance of formal analysis in the field of implementation security. Indeed, the original version of Vigilant's countermeasure is actually broken, but not as much as Coron et al. thought it was. As a consequence, the repaired version they proposed can be simplified. It can actually be simplified even further as two of the nine modular verifications happen to be unnecessary. Fortunately, we could formally prove the simplified repaired version to be resistant to the BellCoRe attack, which was considered a ``challenging issue" by the authors of the countermeasure themselves.