WO2008027089A2

WO2008027089A2 - Security attack countermeasures

Info

Publication number: WO2008027089A2
Application number: PCT/US2007/011264
Authority: WO
Inventors: Brian S. King; Wei Wang; Sining Liu
Original assignee: Indiana University Research & Technology Corporation
Priority date: 2006-06-09
Filing date: 2007-05-11
Publication date: 2008-03-06
Also published as: WO2008027089A3

Abstract

One embodiment is a method including selecting a first integer which is substantially random over the set {0, 1, 2,..., 2s- 1} where s is a positive security integer, selecting a second integer which is substantially random over the set {0, 1, 2,..., 2s-1}, combining the first integer, the second integer and a key, and determining a scalar multiple of the combination of the first integer, the second integer, and the key. Other embodiments include unique apparatuses, systems and methods relating to hardware fault attack countermeasures. Another embodiment includes a computer readable medium storing a program executable to randomize a CRT calculation, calculate a value which is a function of the CRT calculation, the value being a pseudo-random number if a fault has been induced in the program, the value being a predetermined value if a fault has not been induced in the program, and generate a signature which is a function of the value. Other embodiments include unique apparatuses, systems, computer accessible media, and methods relating to hardware fault attack countermeasures.

Description

SECURITY ATTACK COUNTERMEASURES

PRIORITY

The benefits and rights of priority of U.S. Patent Application No. 60/804,379 which was filed June 9, 2006 and U.S. Patent Application No. 60/906,411 which was filed March 12, 2007, and those applications are incorporated by reference.

BACKGROUND

Smart cards are playing an increasingly important role in people's everyday lives. Smart Cards may provide tamper-resistant storage of a cardholder's identity and account information, and ensure secure exchange of data during transactions. Smart cards may also provide security through authentication, data secrecy and integrity, and non-repudiation. Public and private employers may utilize smart cards to regulate access to and within buildings and information and computer systems. E-banking and e-commerce businesses are using smart cards to authenticate users and secure online transactions. Mobile communication devices such as cellular phones utilize smart cards also known as SIMM cards. Satellite television systems utilize smart cards in connection with conditional access systems. Smart cards may be equipped with JAVA capabilities and dynamically programmed. Since smart cards often carry valuable and sensitive information they may be subject to a variety of security attacks from a variety of adversaries. This is especially true since secret information on a smart card be issued to parties who may have financial incentives to tap this secret information. Smart cards and other security devices are vulnerable to a variety of attacks including side channel attacks such as fault attacks. In these attacks, an adversary accesses a security device, such as a smart card, and is able to purposefully induce a fault into the device using any of a variety of techniques and devices. For example, fault attacks can be perpetrated using etching tools, optical microscopes, probe stations, laser cutters, scanning electron microscopes, focused ion bean systems and combinations of these and other techniques and devices. Fault attacks can induce faults in ROM, RAM, EEPROM, Flash or other memory locations. Fault attacks can be induced by probing IC locations, changing input voltage, changing clock frequency, irradiating IC target locations, targeting IC locations with Ion beams, or through other techniques. The faults can be permanent, short term, long term, transient, reparable and of other natures. By observing a set of faulty output from the device, the adversary can extract secret or private information (for example a secret key) stored in a security device. Fault attacks have been used to break the security a variety of smart card algorithms, and a wide variety of fault-inducing methods have emerged. Thus, there is a need for countermeasures against fault attacks and for development of fault attacks so that countermeasures against expected attacks can be developed.

SUMMARY

One embodiment is a method including selecting a first integer which is substantially random over the set {0, 1, 2, ... , 2^s- 1} where s is a positive security integer, selecting a second integer which is substantially random over the set {0, 1, 2, ... , 2^S-1}, combining the first integer, the second integer and a key, and determining a scalar multiple of the combination of the first integer, the second integer, and the key. Other embodiments include unique apparatuses, systems and methods relating to hardware fault attack countermeasures.

Another embodiment includes a computer readable medium storing a program executable to randomize a CRT calculation, calculate a value which is a function of the CRT calculation, the value being a pseudo-random number if a fault has been induced in the program, the value being a predetermined value if a fault has not been induced in the program, and generate a signature which is a function of the value. Other embodiments include unique apparatuses, systems, computer accessible media, and methods relating to hardware fault attack countermeasures.

BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1 is a schematic representation of an exemplary smart card interfacing with a system.

Fig. 2 is a flow diagram of an exemplary scalar multiple calculation.

Fig. 3 is a flow diagram of an exemplary key exchange procedure.

Fig. 4 is a flow diagram of an exemplary countermeasure.

Fig. 5 is a flow diagram of an exemplary authentication procedure.

Fig. 6 is a flow diagram of an exemplary CRT calculation.

Fig. 7 is a flow diagram of an exemplary signature procedure.

Fig. 8 is a flow diagram of an exemplary signature procedure.

DETAILED DESCRIPTION

For the purposes of promoting an understanding of the principles of the invention, reference will now be made to the embodiments illustrated in the drawings and specific language will be used to describe the same. It will nevertheless be understood that no limitation of the scope of the invention is thereby intended, and that all alterations and further modifications of the following embodiments and such further applications of the principles of the invention as would occur to one skilled in the art to which the invention relates are contemplated. With reference to Fig. 1 there is illustrated an exemplary smart card 100 which includes

CPU 110, ROM 120, serial I/O interface 130, RAM 140, and EEPROM 150 which are interconnected by bus 180. These components are typically found in one or more encapsulated integrated circuit(s) which is/are embedded in a card and connected to an array of contacts (not illustrated) which are accessible from the exterior of the card to provide Vcc, Reset, Clock, Ground, Vpp, and I/O signal capabilities to the encapsulated IC. A variety of smart card embodiments are contemplated. One inexpensive smart card contains an 8-bit CPU, 256B-IkB RAM, lkB-lόkB EEPROM, and 6kB-24kB ROM. One high-end smart card contains a 32-bit CPU, 16kB RAM, 256kB EEPROM and 368kB ROM. In other smart cards flash memory can be utilized in place of or in addition to one or more memory elements. Smart cards may also include additional features, for example, test logic, security logic, pseudo-random number generation capabilities, and a variety of other capabilities implemented in hardware, software (including firmware), or combinations thereof. Smart card 100 can interface with a system 111 which can communicate with smart card 100 via communications link 190, for example, to request authentication. System 111 could be any type of system including computing capability and could include local components, remote components, or both. Communications link 190 could be any type of communications link operable to facilitate the transfer of information between smart card 100 and system 111.

With reference to Fig. 2 there is illustrated a flow diagram 200 of an exemplary procedure for determining a scalar multiple, kP, in connection with an elliptic curve cryptosystem. For the purpose of elliptic curve cryptography, one defines an elliptic curve over some finite field F. The set of all ordered pairs (x, y) € F x F that satisfies Equation 1: y² + aixy + a₃y = x² + a₂x² + a4X + a₆ together with a special point O (called the point of infinity) defines the elliptic curve E (here ai e F and the a; must satisfy a set of criteria, dependent on the field F). There is a natural arithmetic that can be defined on the curve E, such that E can be interpreted as an additive abelian group. Two common fields to utilize to define the elliptic curve are: Zp, where p is prime, and the Galois field GF(2ⁿ). In cryptographic applications, the curve E is preferably chosen so that it has a subgroup of large prime order. The order of the subgroup of E of large prime order will be denoted by q. A preferred calculation to compute the scalar multiple of a point kP where P G E and P belongs to the subgroup of large prime order and k is the secret key is given by Equation 2: n-1 . kP = 2(' --2(2k_n_₁P + k_n_₂P) + -^{■ ■} + Ic₁P) + k₀P = J 2¹Jk₁-P i=0 The secret key k belongs to some field Zq where q is prime. Assume that q can be represented using n bits, consequently k is a n-bit value k = k^^11'1 + k_n-22^n'2 + ^{• • •} + ki2 + Ic₀.

Flow diagram 200 illustrates a preferred procedure for implementing the scalar multiple determination of equation 2 by parsing the key k in a left to right fashion. The operations of flow diagram 200 can receive k and P G E as input and output kP. Flow diagram 200 generally proceeds from operation 210 to operation 260 although various embodiments contemplate greater on fewer operations, suboperations, and/or other operation orders. At operation 210 Q_n is assigned the value O . At operation 220 the operation 230 is performed repeatedly for j assigned the initial value n-1 down to the value 0. At operation 230 Q •^• is

defined the value 2<2 ,_+j . At operation 240 a conditional evaluation of whether k_j = 1 is

performed. At operation 250 Q j is assigned the value of Q ,^• + P . At operation 260 the value

of Qo is returned.

With reference to Fig. 3 there is illustrated a flow diagram 300 of an exemplary key exchange procedure. At operation 310 a first party A, determines a scalar multiple kiP, for example, using a private key k₁ and the scalar multiple technique described above in connection with Fig. 2. At operation 320 a second party B , determines a scalar multiple k₂P, for example, using a private key k₂ and the scalar multiple technique described above in connection with Fig. 2. At operation 330 party A shares a public key given by kiP with party B. At operation 340 party B shares a public key given by k₂P with party A. At operation 350 party A determines k_tføP). At operation 360 party B determines k₂(kiP). At operation 370 parties A and B use the keys kiføP) and k₂(kiP) to communicate with one another. Since k₁(k₂P) = k₂(k₁P), secure communication between parties A and B is accomplished without party A or party B having to reveal their respective private keys, ki and k₂. The attack and countermeasure described herein can be utilized in connection with the foregoing key exchange protocol as well as in any other situation where the secret key k is used as a scalar in an elliptic curve cryptosystem where an attack is used to get kP. The attack and countermeasure described herein can also be applied to discrete-log cryptosystems which works in integers modulo a prime p, where for a base integer g and secret key k the cryptographic computation is exponentiation g^k mod p. Examples of such systems include discrete log Diffie-Hellman, El Gamal, and others. The attack can be applied to any discrete- log cryptosystem or system using discrete log primitives in order to determine the key whenever the key is the exponent. The attack can determine k when for any apparatus, computer accessible medium, system, or method utilizing the cryptographic computation is g^k. The countermeasure can protect any apparatus, system, or method utilizing this cryptographic operation from an adversary who is trying to determine the key in a low-to-high manner or high-to-low manner and can be applied to any apparatus, system, or process including such a cryptographic computation. According to the countermeasure, rather than computing g^k mod p one computes g^k mod p.

With reference to Fig. 4 there is illustrated a flow diagram 400 of a process for an exemplary fault attack countermeasure. At operation 410 an integer T₁ is selected so that T₁ is uniformly random over the set {0, 1, 2, . . . 2^s - 1} where s is a security parameter which is a positive integer sufficiently large so that 2^s fault attacks are infeasible to perform by an adversary against a smart card and its application. The security parameter s can be selected based on the desired level of security for a particular smart card and its application. At operation 420 an integer r₂ is selected so that r₂ is uniformly random over the set {0, 1, 2, . . . 2^s - 1}. At operation 430 h and r₂ are combined with a key k. The key k belongs to the prime field Zq, thus both rf¹ and T₂ ^"1 exist in Zq and 2^s « q. Further, 2^"1 exists in Zq, hence 2 ^s exists. X is computed in the field Zq as an n-bit value (prepended with zeros if it requires less than n bits) according to Equation 3: X = k - 2^~s - r₂2ⁿ - r{l^~s

At operation 440 value of k' can be determined according to Equation 4:

*'= dWh where the operator || represents concatenation, T₁ is an s-bit value (if it requires less than s-bits we prepend with a sufficient number of zeros). .There is no modular reduction performed on k'. At operation 450 a scalar multiple operation is preformed and Q is assigned the value of k'P which is calculated according to Equation 2 or process 200 described above in connection with Fig. 2. At operation 460 process 200 returns the value of Q. It should be appreciated that an apparatus, system, or method which performs a scalar multiple calculation can use a countermeasure protected key k' according to the process described above since k'P = kP. This can be demonstrated as follows. Recall that P belongs to the prime subgroup and has order q. Let

where ri is expressed as s-bit value and X is a n-bit value such that X

= k ^• 2^"s -r₂2ⁿ -ri2^"s mod q. Thus k' = r₂2^n+s + X2^S + T₁. Here all scalar arithmetic are performed in the field Zq. Hence: k'P = (r₂2^n+s + X2^S + T₁)P = r₂2^n+sP + X2^SP + T₁P

= r₂2^n+sP + (k ^• X^s - r₂2ⁿ - r^^P + T₁P = r₂2^n+sP + kP - r₂2ⁿ2^sP - T₁P + T₁P = kP Thus, it has been shown that process 200 and Equation 2 correctly computes the scalar multiple

kP. The performance of countermeasure is such that one is working in the same base field F of

the elliptic curve, but have lengthened the key to n + 2s bits. On average, the number of

elliptic curve operations (adds or doubles) that are required to perform the scalar multiple is

3n/2. For the countermeasure, on average 3(n+2s)/2 = 3n/2 +3s would be required.

The foregoing countermeasure can be used to guard against exemplary attacks, which

will be referred to as counter fault attacks. An exemplary counter fault attack can be described

as follows. Suppose k = k^"^"1 + k_n-22^n'2 + ^{• • •} + k{2 + ko is a n-bit element and let m < n.

Suppose that n/m log(2n) faults are generated uniformly random on variable i during the

execution of the scalar multiple calculation described in Equation 2. Then the probability that every interval of i with length m contains a fault is 1/2. The following notation is used to i describe a counter fault attack. For each i,0 ≤ i ≤ n-l define L₁ (k) = \ 2^Jk_j and

;=0

«-1

Hι(k) = Y 2* k_j ; . Thus Li(k) represents the low i + 1 bits of key k and Hj(k) represents the j-i

high n - i bits of the key k. Consequently k = L_n-^k) = Ho(k).

A counter fault attack may be used to attack the process of flow diagram 200 during the

execution of the decrement of the counter variable j (or at an increment in the case of an

incrementing counter, though, for simplicity, a decrement operation is referred to elsewhere

herein). A fault is generated during the execution of j 4- j - 1, which is implicitly stated in

operation 220 of flow diagram 200. A counter fault attack is such that a fault prevents j from

being decremented, the result is that for some value operations 230 - 250 are executed two

consecutive times with the same key bit ki. This result is equivalent to having a key k of the form k = &„_!...A₇₊ifc_jfc,fci_i...A:₁fco . An exemplary process for carrying out the counter fault

attack can be described as follows:

1: Let B <- (n/m) log(2n)

2: Create B faulty output of the process of flow diagram 200 by inducing a fault on counter i by preventing a decrementation

3: Let B = {Q_§ : fj is the jth counter fault of the process of flow diagram 200 with inputs k and P, j = 1, ... , B}

4: Set r <- -l(r + 1 = 0 many bits of the key k are known)

5: while r <= n - m do

{here keybits {kj : j < r} of the secret key k are known by the adversary}

7: for all valid patterns x = x_r+v, . . . , x_r+1 (where a valid pattern is x = x_v, . . . , xl is a binary sequence of length v where v <= m such that x_v = 1 or x_v = 0 and x_v-i = 1) do

8: Let G_x <- L + (-2^r+v x_r+v + \ ^{r + v~}\ x ; 2 ^j )P

9: for Q e B do

10: {The following is the verification step and tests if valid pattern is correct

}

11: if (G_x + 0 = 2β then

12: if x_r+v = 0 then

13: Conclude k_r+1 = x_r+1, . . . , k_r+v = x_r+v 14: Set r <- r + v and continue go to line 5.

15: else

16: Set k_r+1 = x_r+1 and let r <- r + 1 and continue go to line 5.

17: if no valid pattern satisfies the verification step then 18: Set k_r+1 = 0 and let r ^- r + 1

19: if r < n then

20: At this point the adversary knows key bits k_r . . . , kiko where r > n - m. By exhaustive search determine k_n-i, . . . , k_r+1 so that Q = kP.

21: if exhaustive search fails to produce Q = kP then

22: return failure

23: else

24: Verify Q = kP, if this fails return "failure"

25: output k

Similar to a sign change attack, there exist several special yet common settings, where counter

faults can be realized. Examples are provided for attacks on ECC on the algorithmic level as

well as examples for attacks on certain properties of a crypto co-processor. The goal of the

counter fault attack is to tamper the variable j that controls the loop of ECC scalar multiple

calculations. The loop operations has to incorporate a conditional branch, where j = j - 1 is

executed and a "return" operation follows. Currently, there are a number of physical attacks

available that targets such conditional decisions, e.g., power spikes or clock glitches. These

attacks aim at forcing the conditional statement to miss some instructions. In the counter fault

attack, it means to miss one j = j - 1 instruction. This results in a counter fault induced into k.

It is noted that some other instructions might be missed during the ECC calculation, which

might leak even more information to the attackers. Besides attacking the ECC algorithm on a

high level, counter faults can also be realized by attacking the circuitry in the ECC hardware

processor. One practical scenario for this attack relies on the internal functionality of many

real-world embedded crypto co-processors. The processor will use a register to store the j value. In normal operation, the control signal "ENABLE" will remain low most of the time. When j = j-1 is executed, the "ENABLE" signal will become high for a clock cycle. Thus, the attacker can purposely inject jitters to this control signal "ENABLE" of the register. Since the attacker just needs to short the "ENABLE" signal for a long period of time larger than one loop operation time, one high "ENABLE" will be missed. This tampering is not difficult to implement. Various mechanism can cause such jitters or faults. For example, lasers, multichromatic light, X-rays and ion beams can be used to induce such faults.

An exemplary sign change attack is such that during an execution of the process of flow diagram 200 a fault at bit i is injected so that βi = -Qi- The counter fault attack is such that during an internal execution of the process of flow diagram 200, a counter is prevented from decrementing at bit i, in this case Q₁ = 2Qi + kjP. This attack can be generalized to a family of attacks. Suppose that a fault is generated such that at bit i we have Qi = tQi + g(i, k)P where t is some constant and g(i, k) is some known function dependent on i and the lower i + 1 bits of the keystream k. In the Sign Change Attack, t = -1 and g(i, k) = 0. In the counter fault attack t = 2 and g(i, k) = ki. Now if a fault f is generated such that Qi = tQi + g(i, k)P, then the output of the process of flow diagram 200 is Q = Q + (1 - i ) Li(k)P + 2^(1, k)P. Thus the counter fault attack process described above can be modified to construct an attack where the fault at bit i generates Q_\ = tQi + g(i, k)P. For example, it can be recognized that in attempting to induce the counter fault attack, perhaps in software, the adversary created a fault to skip the decrement instruction but due to the adversary's lack of precision, timing and location more than one instructions was discarded. The resulting key stream becomes

k = k_n_ι ... k- JcιQkι_ι..Jc_Q , here the 0 appears in the (i + l)^st position (as described from the right). The reasoning for this appearance concerns the possibility of the discarding of the instructions concerning the execution of instruction 240 if ki = 1 then and the corresponding sum of Qi <- Qi + P when true (see operations 240 and 250). The corresponding faulty output Q fits the equation Q = Q + (1 - i ) Li(k)P + 2^Jg(i, k)P, here Q = Q - Li(k)P where t = 2 and g(i, k) = 0. Another possibility includes rather than disabling the decrementing of j in the process of flow diagram 200, decrementing j twice. In this case the key stream

k = k_n_ι ... k- JcιOkι_ι...kQ . The resulting fault is equivalent to a fault output of the form

Q = 2^"1Q - 2¹^k;. All of these forms can be collapsed to a counter-fault-like attack described above.

The foregoing fault attacks and countermeasures can be applied in connection with multiple cryptosystems and algorithms. In certain exemplary embodiments cryptosystems use the scalar multiple kP where the scalar k is the private key (or for discrete-log cryptosystems using g^k). Such cryptosystems include Elliptic Curve Diffie-Hellman or, for discrete log cryptosystems, Diffie-Hellman. Another exemplary embodiment is ECIES or the discrete-log equivalent DLIES or IES. These cryptosystems and algorithms can be used in a variety of applications, for example, to purchase digital content, for example, text, music or video content, from a vendor. The vendor can provide a secret key k for the customer to use to purchase content. The key can be placed on some type of secure device such as a smart card. The key is on the secure device, but not easily accessible to the customer. The vendor also provides the customer a public key Y which equals kP. When the customer selects some music to purchase they could use ECIES which is: they select a random scalar r and compute G which equals rP. The customer also computes rY which equals rkP this is a point on the elliptic curve so it is an ordered pair, they use the x-coordinate of rY apply a public function to it, and use this as a key for a symmetric-encryption system (like Triple DES or AES or...) they encrypt all the content with this KEY call this E_{KEY}(content). The vendor then sends the customer G Il E_{KEY}(content) (here || is concatenation, i.e., appending). The customer submits G=rP to the smart card, it can compute the symmetric key by using k, that is kG=krP = rkP= rY, it then has the elliptic curve point and can then retrieve the x-coordinate and so it then can compute the symmetric key "KEY", DLIES or IES could also be employed in a similar manner. There are also other primitives that use the secret key k as the scalar in the scalar multiple calculation, for example elliptic curve El Gamal.

With reference to Fig. 5 there is illustrated a flow diagram 500 of an authentication procedure. Flow diagram 500 begins at operation 510 where a challenge message is issued, for example, by system 111 described above. The challenge message is received at operation 520, for example, by smart card 100. At operation 530 a signature of the challenge message is generated. According to RSA signature schemes the signature may be calculated as

Sig = m mod N where Sig is the signature, m is the challenge message, d is the private exponent, and N is the modulus (which is public). Let it be understood that the challenge message m could be the hash value of the challenge message, and that the term message includes this possibility. In resource limited environments, such as smart cards, CRT-RSA schemes can be used to improve calculation time over pure RSA schemes. CRT-RSA schemes are further described below in connection with Fig. 7.

At operation 540 the signature is output from the smart card, and is received by the system at operation 550. At operation 560 the signature is unsigned according to one RSA signature scheme where Sig = m^d mod N, m is the hash of the message M, m=h(M), h is a publicly known cryptographic hash function, and Sig^e mod N = h(M) is the hash of the message.

At step 570, authentication can be determined based upon whether or not UnSig = m. If the challenge message was correctly signed using the proper private exponent authentication will be true, otherwise authentication will be false. In other words authentication can be based upon the ability to restore the signature the original challenge message since this will require the challenged device to have possession of the private exponent. Finally at operation 580 a consequence of authentication or of failure of authentication can occur. For example, access can be granted or denied to a facility or to an account, a withdrawal can be authorized or denied, and/or a fee can be incurred or not.

With reference to Fig. 6 there is illustrated a flow diagram 600 of a CRT calculation. As stated above, CRT-RSA schemes reduce the calculation time required for calculations such as those used to compute RSA signatures. At operation 610 m_k = m mod p_k is calculated

for at least two values m_k where m is the challenge message and p_k are prime factors of the

modulus N such that N = TTj^₁ jP_jt • ^A* operation 620 d_k = d mod p_k is calculated. At

operation 630 s_k = m ^k mod p_k is calculated. At operation 640

CRT(S₁, ... , Sj) =

- M,- mod N is calculated where

M₁ - signature Sig is equal to the value calculated

at operation 640.

With reference to Fig. 7 there is illustrated a flow diagram 700 of a signature operation. At operation 710 a randomized CRT computation is performed. At operation 720 a fault detection computation is performed which can be used to determine whether a fault was induced in operation 710. At operation 730 a valid de-randomized signature computation is performed using the computations from operations 710 and 720. The operations of flow diagram can themselves include multiple operations. The signature operation of flow diagram 700 provides countermeasures against hardware fault attacks. Randomness is introduced in operation 710 and not removed until a de-randomized signature is computed at operation 730. Furthermore, operation 720 provides a fault detection mechanism. Such countermeasures can reduce susceptibility to all hardware fault attacks and can eliminate any susceptibility to a single fault attack where an adversary induces only one fault during operations of flow diagram 700, but can repeat the operation multiple times and introduce different faults each time.

With reference to Fig. 8, there is illustrated a flow diagram 800 of an embodiment of the signature operation of flow diagram 700. N is an RSA public modulus, and p_k (1 ≤ k <j) are) prime factors of N. In a two prime embodiment, pi and p₂ are two prime factors of N. In a three prime embodiment, pi , p₂ and p$ are three prime factors of N. Thus, p_k describes all multiprime embodiments where the modulus N has two or more prime factors p_k (1 < k <j).

The public exponent is e and the corresponding private exponent is d. The RSA signature Sig for a message m is given by Sig = m^d mod N, which can be verified by m = Sig^e mod N. There is set of secret parameters t_k (1 < k < j). t_h ^{• • •} , tj which are sufficiently large to resist exhaustive search, are coprime and square free, gcd(d, φ(t_k)) = 1 and t_k ≡ 3 mod 4.

Furthermore, t_k f M^, where M^₁ is defined below. Furthermore p^_t = p_k ' t_k ,

N_t

d mod pfr _t . For calculating CRT within N_t one can use

M _{k t} = ^; Pi_j J- In embodiments where the technique

of flow diagram 800 is implemented in a smart card, the values e, N, t_k, p^_t, N_h d^_t and M^₁ (1 ≤ k <j) can be stored in the smart card ROM or in another memory. It is also possible to store fewer values and calculate the remaining values from the more limited set, though this represents a sacrifice in execution speed.

When there is no hardware fault, the signature technique of flow diagram will correctly calculate a value equal to the RSA signature Sig - m^d mod N for a given message m but will do so in a manner that retains the speed advantages of CRT-RSA while at the same time implementing countermeasures to hardware fault induction attacks that an adversary might use.

At operation 810, the CRT value is calculated as s^ = m ^k>t mod p^ _t . As stated above, use of multiprime ^-notation describes all multiprime embodiments. Thus, in a two

prime embodiment, operation 510 calculates S₁ = m * mod p^ ^• t^ and

S₂ = nt ² mod p₂ ' t₂. These calculations can be performed by operations executed by a microprocessor which calculate the value of s_k and store it in memory. Let it be understood that while the remaining description will employ multiprime notation, two prime, three prime, and all other multiprime embodiments are also contemplated and are described by the multiprime notation. At operation 820 a large random or pseudo-random number R is generated. In a smart card embodiment R is a pseudo-random number which can be generated by a pseudo-random number generator provided in the smart card.

At operation 830 the CRT value is randomized using R by calculating Afc = R - S_jc mod pfc _t . Operation 840 then performs a CRT calculation on A_k by

calculating A = CRT [A₁, ... ,A_jjmod N_t . Operation 840 is a randomized CRT operation

where A mod p_{k t} = A_k , thus A mod t_k = Λ^mod t_k = R ^• s_Λmod t_k . At operation 850 a first fault detection is performed by calculating h_k = \R^{e •} m - A^e Jmod t_k . If no fault has been induced in any of the preceding operations,

h_k = 0 since h_k = (R^e ' m) - (R - s_k f = R^e(m - s_k ) = 0 since m = s_k ^e in the absence of a fault. If a fault has been induced in any of the preceding operations, h_k ≠ 0 but e . will instead be a large random number since m ≠ s_k in the presence of a fault. Thus, the only information that a fault attack adversary can extract is a large random number which is not useful to the adversary. Furthermore, since R can be generated anew for each execution of flow diagram 500, successive fault attacks will yield only different large random numbers. Thus, an adversary cannot utilize successive fault attacks to extract useful information. Operation 860 calculates c_k = R • h_k + 1. In the absence of a fault induced in any of the preceding operations, c_k = 1 since h_k = 0. In the presence of a fault induced in any of the preceding operations, c_k will be a large random number since h_k will itself be a large random number which is then multiplied by a random number in calculating c_k . Again the only information that a fault attack adversary can extract from even successive attacks on operation 860 is a large random number which is not useful to the adversary.

Operation 870 calculates S = A

mod JV . In the absence of a fault induced in any of the preceding operations, S = A mod N since the product of Cγ -C , = 1 since c_k = 1. In the presence of a fault induced in any of the preceding operations, S will be a large random number since the product of C₁-C_j will be a large random number since c_k will be a large random number. Again the only information that a fault attack adversary can extract from even successive attacks on operation 870 is a large random number which is not useful to the adversary.

Operation 880 calculates/? = R^'1 mod N . Operation 890 then calculates

Sig = R ' S mod N . In the absence of a fault induced in any of the preceding operations a valid signature is output since

SIg = R S mOdN = R R CRT(S₁, ^{■ ■ ■} ₎s_j ) = CRT(s₁,---,s_j ) mod N = m^d mod N . In the presence of a fault induced in any of the preceding operations, the output is again a large random number.

The operations of flow diagram 800 implement countermeasures against hardware fault attacks while retaining the speed advantages of CRT-RSA calculations in the context of computing a RSA signature. The countermeasures reduce susceptibility to all hardware fault attacks and eliminate any susceptibility to a single fault attack. In addition to digital signature schemes, the foregoing techniques can also be applied to encryption schemes, for example, a hybrid cryptosystem including both a public key/private key cryptosystem and a symmetric key cryptosystem. Such a system could be used to encrypt a message or file F by generating symmetric key K_s and encrypting F using the symmetric-key cryptosystem E_S. The result is D=E-S(F, K_s). The system can then uses an RSA public-key for intended recipient R to encrypt the symmetric key. The result is C=(K_S)^e mod N. The system then transmits (C, D) where D may be large depending on the size of F. The recipient then uses the recipient's private-key d (which can be stored on a smart card) to decrypt C. The result is the smartcard returns K_s, at that point the receiver then decrypts D using the symmetric-key decryption algorithm and K_s. Since the smart card is asked to calculate K_S=(C)^d mod N, CRT techniques can be used to speed this calculation. This makes the operation of the smart card susceptible to hardware fault attacks. Consequently, techniques the same or similar to those described above may be used to provide countermeasures against the hardware fault attacks.

While the invention has been illustrated and described in detail in the drawings and foregoing description, the same is to be considered as illustrative and not restrictive in character, it being understood that only the preferred embodiments have been shown and described and that all changes and modifications that come within the spirit of the inventions are desired to be protected. It should be understood that while the use of words such as preferable, preferably, preferred or more preferred utilized in the description above indicate that the feature so described may be more desirable, it nonetheless may not be necessary and embodiments lacking the same may be contemplated as within the scope of the invention, the scope being defined by the claims that follow. In reading the claims, it is intended that when words such as "a," "an," "at least one," or "at least one portion" are used there is no intention to limit the claim to only one item unless specifically stated to the contrary in the claim. When the language "at least a portion" and/or "a portion" is used the item can include a portion and/or the entire item unless specifically stated to the contrary.

Claims

CLAIMSWhat is claimed is:

1. A method comprising: selecting a first integer which is substantially random over the set {0, 1, 2, ... , 2^S-1} where s is a positive security integer; selecting a second integer which is substantially random over the set {0, 1, 2, ... , 2^S-1}; combining the first integer, the second integer and a key; and determining a scalar multiple of the combination of the first integer, the second integer, and the key.

2. A method according to claim 1 wherein s is selected such that 2^s meets a predetermined security criteria.

3. A method according to claim 2 wherein the predetermined security criteria is that 2^s fault attacks are substantially infeasible.

4. A method according to claim 3 wherein 2^s fault attacks are substantially infeasible due to the time required to perform 2^s fault attacks.

5. A method according to claim 3 wherein 2^s fault attacks are substantially infeasible due to the computational power required to perform 2^s fault attacks.

6. A method according to any of the preceding claims wherein the determining a

scalar multiple includes performing a double and add operation.

7. A method according to any of the preceding claims wherein the determining a

scalar multiple includes receiving an input including a key and outputting a scalar multiple of

the key.

8. A method according to any of the preceding claims wherein the determining a n-l scalar multiple kP includes calculating kP = V 2^l £,-_P

9. A method according to any of the preceding claims wherein the combining

includes calculating X <— k ^• 2^~s - ^2" - f\2^~s moάq .

10. A method according to claim 9 wherein the combining includes calculating

11. A method according to any of the preceding claims wherein the scalar multiple

is utilized in a Diffie-Hellman key exchange.

12. A method according to any of the preceding claims wherein the scalar multiple

is utilized in a key exchange.

13. A method comprising performing a fault attack according to the following

operations a: Let B (n/m) log(2n)

b: Create B faulty output of the process of flow diagram 200 by inducing a fault on counter i by preventing a decrementation c: Let B = {Qς : fj is the jth counter fault of the process of flow diagram 200 with inputs k and P, j = 1, ... , B} d: Set r <- -l(r + 1 = 0 many bits of the key k are known)

e: while r <= n - m do

f: Let L = y. Λ .- VP {here keybits {kj : j < r} of the secret key k are known by the adversary}

g: for all valid patterns x = x_r+v, . . . , x_r+i (where a valid pattern is x = x_v, . . . , xl is a binary sequence of length v where v <= m such that x_v = 1 or x_v = 0 and x_v-i = l) do

h: Let G_x 4- L + (-2^r+vx_r+v + Y_jZ^'^ J²' ^

i: for Q e B do j: {The following is the verification step and tests if valid pattern is correct} k: if (G_x + 0 = 2(2 then , 1: if x_r+v = 0 then m: Conclude k_r+i = x_r+1, . . . , k_r+v = x_r+v n: Set r ^- r + v and continue go to line 5. o: else p: Set k_r+1 = x_r+1 and let r <r r + 1 and continue go to line e. q: if no valid pattern satisfies the verification step then r: Set k_r+i = 0 and let r <- r + 1 s: if r < n then

t: At this point the adversary knows key bits kr . . . , kiko where r > n - m. By exhaustive search determine k_n-i, . . . , k_r+1 so that Q = kP.

u: if exhaustive search fails to produce Q = kP then

v: return failure

w: else

x: Verify Q = kP, if this fails return "failure"

y: output k

14. A method comprising:

performing a cryptographic computation g^k mod p where g is a base integer, k' is a

private key which has been protected with a countermeasure according to the process of flow

diagram 400, and p is a prime.

15. A method according to any of the preceding claims implemented in connection

with at least one of an elliptic curve, a discrete-log, a Diffie-Hellman, an elliptic curve Diffie-

Hellman, a discrete log Diffie-Hellman, an El Gamal, an ECIES, a DLIES, or an IES

cryptosystems or algorithms.

16. A system including a processor operable to execute instructions according to

any of the preceding methods.

17. A system according to claim 16 wherein the processor is provided in a smart

card.

18. A system according to claim 16 wherein the instructions are operable to implement a process according to the process of flow diagram 200.

19. An apparatus including a computer readable medium configured to store instructions according to any of the preceding methods.

20. An apparatus according to claim 19 wherein the computer readable medium in a memory of a smart card.

21. An apparatus according to claim 19 wherein the instructions are operable to implement a process according to the process of flow diagram 200.

22. A method comprising: receiving a message; performing a CRT calculation on the message; performing a fault detection calculation which will produce a random number if a fault was introduced in the performing a CRT calculation on the message; generating a signature value based upon the fault detection calculation; and outputting the signature value to offer authentication of identity.

23. The method of claim 22 wherein the message is m and the performing a CRT

calculation on the message includes calculating s_k = m ^>l mod p_{k t} , generating a pseudo- random number R, calculating A_k =R s_k mod p_{k t} , and calculating

A = CRT(A₁, ...,A_j)moάN_t.

24. The method of claim 22 wherein the performing a fault detection calculation includes calculating h_k = \R^{e •} m - A^e Jmod t_k .

25. The method of claim 22 wherein the performing a fault detection calculation includes calculating h_k = \R^e -m- A^ejvaoάt_k , calculating c_k = R -h_k +1, and calculating

26. The method of claim 25 wherein the generating a signature value includes calculating R = R^~ mod N , and calculating Sig =R'S mod N .

27. The method of claim 22 wherein the message is m; the performing a CRT calculation on the message includes calculating

s_k =m ^k>t mod p_kt , generating a pseudo-random number R, calculating

A_k =R s_k mod p_{k t} , and calculating A = CRT [A₁,..., A_j) mod N_t ;

the performing a fault detection calculation includes calculating h_k = \R^e - m - A^e Jmod t_k , calculating c_k = R • h_k + 1, and calculating

,S=A^Cl"C^modiV;and the generating a signature value includes calculating R = R mod N , and calculating Sig = R S modN .

28. The method of claim 22 further comprising transmitting the signature value to an authentication verification system which receives the signature value, and verifying the

signature including calculating m = (signature value) mod N .

29. The method of claim 22 wherein the CRT calculation is randomized.

30. An apparatus comprising: a computer readable medium storing a program, the program being executable to randomize a CRT calculation, calculate a value which is a function of the CRT calculation, the value being a pseudorandom number if a fault has been induced in the program, the value being a predetermined value if a fault has not been induced in the program, and generate a signature which is a function of the value.

31. The apparatus of claim 30 wherein the program being executable to randomize a

CRT calculation includes the program being executable to calculate a CRT value, generate a pseudo-random number, multiply the CRT value and the pseudo-random number to give a randomized CRT value, and perform a CRT calculation based upon the randomized CRT value.

32. The apparatus of claim 30 wherein the predetermined value is zero.

33. The apparatus of claim 30 wherein the program being executable to generate a signature which is a function of the value includes the program being executable to perform a derandomization.

34. The apparatus of claim 30 wherein the computer readable medium is encapsulated in a smart card.

35. The apparatus of claim 30 wherein the apparatus includes an output interface and the program is further executable to output the signature to the interface.

36. A system comprising: a first variable storing a CRT computation result based at least in part upon a pseudo- random number; a second variable storing a fault check computation result based at least in part upon the pseudo-random number; a third variable storing a digital signature computation result depending upon the CRT computation result and the fault check computation result; and the digital signature computation result being unsignable to provide indication of access to an RSA private exponent.

37. The system of claim 37 further comprising a processor which outputs the CRT computation result, the fault check computation result, and the digital signature computation result.

38. The system of claim 36 wherein the fault check computation result is further based at least in part upon the CRT computation result.

39. The system of claim 36 wherein the first variable, the second variable, and the third variable are stored in a smart card memory.

40. The system of claim 36 wherein the CRT computation result is the result of a two prime CRT computation.

41. The system of claim 36 wherein the CRT computation result is the result of a three prime CRT computation.