Fault-based attacks, which recover secret keys by deliberately introducing fault(s) into cipher implementations and analyzing the faulty outputs, have proven to be extremely powerful. In this paper, we propose a novel Concurrent Error Detection (CED) scheme to counter fault-based attacks against RSA by exploiting its multiplicative homomorphic property. Specifically, the proposed CED scheme verifies whether $\prod_{i=1}^{k} E(m_i) \equiv E\left(\prod_{i=1}^{k} m_i \bmod n\right) \pmod{n}$, where E could be either the RSA encryption, decryption, signature, or verification process. Upon a mismatch, all the ciphertexts are suppressed. The time overhead is 1/k, and k can be used to trade off the time overhead against memory overhead and output latency. Recognizing that an RSA device could be subject to a combination of several side-channel attacks, the proposed scheme enables an easy divide-and-conquer solution: any fine-tuned architecture, for example a power-attack-resistant architecture, can be equipped with fault-attack resistance easily without disturbing its original resistance. This advantage distinguishes the proposed scheme from the existing countermeasures.
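The homomorphic CED check described in the abstract, as an added example that is not part of the paper: a textbook-RSA model processes a batch of k messages, then compares the product of the k outputs against one extra exponentiation of the product of the inputs, suppressing all k outputs on a mismatch. The key, the messages, and the single-bit fault knob (`fault_mask`) are constructed for illustration.

```python
from math import prod

# Constructed textbook RSA key: p=61, q=53 -> n=3233, phi=3120, e=17, d=2753
N, E, D = 3233, 17, 2753


def rsa_op(m: int, exponent: int, fault_mask: int = 0) -> int:
    """Square-and-multiply modular exponentiation m^exponent mod N.
    fault_mask is a constructed knob that XORs the final result to simulate
    an injected computational fault (0 = fault-free operation)."""
    result, base, exp = 1, m % N, exponent
    while exp:
        if exp & 1:
            result = (result * base) % N
        base = (base * base) % N
        exp >>= 1
    return (result ^ fault_mask) % N


def ced_batch(messages, exponent, faulty_index=None):
    """Run E on k messages, then verify
        prod(E(m_i)) mod n == E(prod(m_i) mod n) mod n.
    Returns (outputs, ok). On a mismatch every output is suppressed (None),
    so a faulty ciphertext/signature never leaves the device."""
    outputs = []
    for i, m in enumerate(messages):
        mask = 1 if i == faulty_index else 0  # inject a single-bit fault into one op
        outputs.append(rsa_op(m, exponent, mask))
    lhs = prod(outputs) % N
    rhs = rsa_op(prod(messages) % N, exponent)  # one extra exponentiation per k ops
    if lhs != rhs:
        return [None] * len(messages), False
    return outputs, True


if __name__ == "__main__":
    msgs = [65, 123, 456]  # constructed plaintexts, all coprime to n
    print(ced_batch(msgs, E))                  # fault-free: outputs released
    print(ced_batch(msgs, E, faulty_index=2))  # faulted: all outputs suppressed
```

Because the messages are coprime to n, the product of the correct outputs is a unit mod n, so any change to a single output necessarily breaks the congruence and is caught; the same check works with exponent D for signing.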