Perturbation models; 2.3.2 Modelling the effects of perturbations

Application to asymmetric encryption: example of; 2.4.2.1 Perturbation of the signature

But it was only at the end of the 1990s that the first concrete exploitations of deliberately induced perturbations on chips were revealed.

Moreover, designers of secure components do not hesitate to include specific countermeasures, in software and/or hardware, to protect their products. The resistance of chips to this type of physical attack is even one of the points verified by the CESTIs. In the rest of this chapter, we begin by presenting the various practical methods devised to perturb the correct operation of chips. We then develop the various perturbation models considered in the literature. Finally, we detail the reference attacks published against each of the types of algorithm that we studied more particularly during the thesis.

Attacks on the supply voltage can be carried out by causing either a power spike (higher than the voltage Vcc) or a brief power cut (voltage between 0 V and Vcc). In general, perturbing the supply voltage can cause the microprocessor to misinterpret, or even skip, an instruction. Variations in the clock frequency, for their part, can cause part of the logic to be clocked before its input has stabilised or been defined. These attacks are commonly called Glitch Attacks in the literature [AK96, ABF+02

Differential analysis of the perturbation; 4.2.2.1 Extraction of a piece of private exponent; Performance

Differential analysis of the perturbations; 4.3.3.1 Extraction of a piece of exponent

Example of a perturbed execution; 5.2.2.1 Setting of the attack

Exponent masking algorithm. The exponent masking method was introduced by P. Kocher [Koc96] to counter side-channel attacks, such as Differential Power Analysis (DPA), which exploit the signals leaking from the execution of an exponentiation. The principle of this countermeasure is based on Fermat's theorem. Indeed, $\forall m \in (\mathbb{Z}/N\mathbb{Z})^*$ and $\forall \lambda \in \mathbb{Z}$, $m^{\lambda \cdot \varphi(N)} \equiv 1 \bmod N$. The exponent masking method directly inspired by this result is detailed in Algorithm 7. As we wrote earlier, the complexity of the modular exponentiation algorithm is polynomial (linear) in the size of the exponent. Thus, to preserve a reasonable execution time

Description of the attack; 9.2.1 Transient perturbation of an operation

Differential analysis of the perturbations; 9.2.2.1 Preliminary analysis of the carry vectors; 9.2.2.2 Extraction of the complete internal state of Rabbit

DFA countermeasures: the case of; Bellcore; 11.2.2 Countermeasures by random extension of the modulus; 11.2.3 Perturbation of the recombination

1.1 General description

The CRT implementation of RSA [QC82] uses the Chinese remainder theorem to speed up a decryption or a signature, and also to reduce the size of the data stored in memory. In terms of binary operations, this implementation is theoretically four times faster than the standard version. This is why this implementation of RSA is, in practice, very widely deployed on embedded systems. In this section, we recall the details of signature in CRT mode

$\forall i$, $b_{i+1}$) is obtained from $(a_i, b_i)$ by subtracting 1, by dividing by two and

In this way, no error is detected, $c_1 = c_2 = 1$. Otherwise, the condition on ? automatically causes the error to be masked through a multiplication by a random value and a modular reduction. The other proposed countermeasure consists in systematically replacing the final modular exponentiation to the power ? by the variant proposed by M

In the same article, C. Aumüller, P. Bier, W. Fischer, P. Hofreiter et al., ? 1) · r) mod N (11.44)

11.4 Conclusion

This chapter highlights how difficult it is to devise effective countermeasures to protect implementations of cryptographic algorithms. With this in mind, we have detailed the parallel evolution of the attacks and countermeasures devised to protect RSA-CRT, which is widely deployed on embedded systems. More specifically, we have proposed a method for attacking a protected implementation of the RSA signature algorithm in CRT mode. Under a realistic fault model, we have shown that it is possible to recover a 1024-bit RSA private exponent from 83 perturbed signatures. We therefore strongly suggest using the variant proposed in [JC05] to replace the masking operation

Bibliography

Fault Attack on RSA with CRT: Concrete Results and Practical Countermeasures, Cryptographic Hardware and Embedded Systems, volume 2523 of Lecture Notes in Computer Science, pp.260-275, 2002.

]. O. Springeracks07, ¸. C. Aciiçmez, J. Koç, and . Seifert, On the Power of Simple Branch Prediction Analysis Adleman. A subexponential algorithm for the discrete logarithm problem with applications to cryptography, ACM Symposium on Information and Computer Communications Security Found. Comp. Sci. Symp. (FOCS 1979), pp.312-320, 1979.

S. [. Aciiçmez, J. Gueron, and . Seifert, New Branch Prediction Vulnerabilities in OpenSSL and Necessary Software Countermeasures, Lecture Notes in Computer Science, vol.4887, pp.185-203
DOI : 10.1007/978-3-540-77272-9_12

[Ajt98] M. Ajtai, The Shortest Vector Problem in L2 is NP-Hard for Randomized Reductions, STOC, pp.10-19, 1998.

M. [. Anderson and . Kuhn, Tamper Resistance - A cautionary Note, USENIX Workshop on Electronic Commerce, pp.1-11, 1996.

W. [. Armknecht and . Meier, Fault Attacks on Combiners with Memory, Selected Areas in Cryptography, 2005.
DOI : 10.1007/11693383_3

W. [. Atani, S. Meier, S. E. Mirzakuchaki, and . Atani, Design and Implementation of DPA Resistive Grain-128 Stream Cipher Based on SABL Logic, International Journal of Computers Communications & Control, vol.III, pp.293-298, 2008.

A. Cryptico, Algebraic analysis of Rabbit, 2003.

A. Cryptico, Analysis of the key setup function in Rabbit, 2003.

A. Cryptico, Hamming weights of the g-function. White paper, 2003.

A. Cryptico, Periodic properties of Rabbit, 2003.

A. Cryptico, Second degree approximations of the g-function, 2003.

A. Cryptico, Security analysis of the IV-setup for Rabbit, 2003.

[Aum07] Aumasson, On a Bias of Rabbit, State of the Art of Stream Ciphers, 2007.

[Bab86] L. Babai, On Lovász lattice reduction and the nearest point problem, Combinatorica, vol.6, pp.1-13, 1986.

[Bau08] A. Bauer, Vers une généralisation rigoureuse des méthodes de Coppersmith pour la recherche de petites racines de polynômes, 2008.

[BCC+09] A. Berzati, C. Canovas, G. Castagnos, B. Debraize et al., Fault Analysis of Grain-128, IEEE International Workshop on Hardware-Oriented Security and Trust, 2009.

C. [. Berzati, J. Canovas, L. Dumas, and . Goubin, Fault Attacks on RSA Public Keys: Left-To-Right Implementations Are Also Vulnerable, RSA Cryptographer's Track, pp.414-428, 2009.
DOI : 10.1017/CBO9781139165464

URL : https://hal.archives-ouvertes.fr/hal-00348416

[BCDGar] A. Berzati, C. Canovas-Dumas, and L. Goubin, Fault Analysis in Cryptography, chapter A Survey of Differential Fault Analysis against Classical RSA Implementations, p.2011

[BCG08a] A. Berzati, C. Canovas, and L. Goubin, (In)security Against Fault Injection Attacks on CRT-RSA Implementations, Fault Diagnosis and Tolerance in Cryptography, pp.101-107, 2008.

[BCG08b] A. Berzati, C. Canovas, and L. Goubin, Perturbating RSA Public Keys: an Improved Attack, Cryptographic Hardware and Embedded Systems, 2008.

C. [. Berzati, L. Canovas, and . Goubin, Differential Fault Analysis of Rabbit : Toward a Secret Key Leakage, 10th International Conference on Cryptology in India, 2009.

B. [. Brier, M. Chevallier-mames, C. Ciet, and . Clavier, Why One Should Also Secure RSA Public Key Elements, Cryptographic Hardware and Embedded Systems, pp.324-338, 2006.
DOI : 10.1007/11894063_26

C. [. Berzati, L. Dumas, and . Goubin, Public Key Perturbation of Randomized RSA Implementations, Cryptographic Hardware and Embedded Systems, 2010.
DOI : 10.1007/978-3-642-15031-9_21

[BDJ+96] F. Bao, R. H. Deng, A. Jeng, A. D. Narasimhalu et al., Another New Attack to RSA on Tamperproof Devices, 1996.

[BDJ+98] F. Bao, R. H. Deng, A. Jeng, A. D. Narasimhalu et al., Breaking Public Key Cryptosystems on Tamper Resistant Devices in the Presence of Transient Faults, Security Protocols, pp.115-124, 1998.

R. [. Boneh, R. J. Demillo, and . Lipton, On the Importance of Checking Cryptographic Protocols for Faults, Lecture Notes in Computer Science, vol.1233, issue.97, pp.37-51, 1997.
DOI : 10.1007/3-540-69053-0_4

D. Boneh, R. A. Demillo, and R. J. Lipton, On the Importance of Eliminating Errors in Cryptographic Computations, Journal of Cryptology, vol.14, issue.2, pp.101-119, 2001.
DOI : 10.1007/s001450010016

H. El, D. Choukri, M. Naccache, C. Tunstall, and . Whelan, The Sorcerer's Apprentice Guide to Fault Attacks, Cryptology ePrint Archive Report, vol.100, 2004.

L. [. Biham, P. Granboulan, and . Nguyen, Impossible Fault Analysis of RC4 and Differential Fault Analysis of RC4, Fast Software Encryption (FSE 2005), pp.359-367, 2005.
DOI : 10.1007/11502760_24

I. [. Bonneau and . Mironov, Cache-Collision Timing Attacks Against AES, Cryptographic Hardware and Embedded Systems, pp.201-215, 2006.
DOI : 10.1007/11894063_16

B. [. Biehl, V. Meyer, and . Müller, Differential Fault Attacks on Elliptic Curve Cryptosystems, Advances in Cryptology, pp.131-146, 2000.
DOI : 10.1007/3-540-44598-6_8

R. [. Boscher, E. Naciri, and . Prouff, CRT RSA Algorithm Protected Against Fault Attacks, Information Security Theory and Practices, pp.229-243, 2007.
DOI : 10.1007/11554868_13

M. [. Blömer and . Otto, Wagner's Attack on a Secure CRT-RSA Algorithm Reconsidered, Fault Diagnosis and Tolerance in Cryptography, pp.13-23, 2006.
DOI : 10.1007/11889700_2

M. [. Blömer, J. Otto, and . Seifert, A New CRT-RSA Algorithm Secure Against Bellcore Attack, ACM Conference on Computer and Communication Security (CCS 2003), pp.311-320, 2003.

P. [. Bellare and . Rogaway, Optimal asymmetric encryption, Advances in Cryptology - EUROCRYPT 1994, International Conference on the Theory and Application of Cryptographic Techniques, pp.92-111, 1994.
DOI : 10.1007/BFb0053428

P. [. Bellare and . Rogaway, The Exact Security of Digital Signatures - How to Sign with RSA and Rabin, Advances in Cryptology - EUROCRYPT 1996, International Conference on the Theory and Application of Cryptographic Techniques, pp.399-416, 1996.
DOI : 10.1007/3-540-68339-9_34

A. [. Biham and . Shamir, The next stage of differential fault analysis : How to break completely unknown cryptosystems, 1996.

A. [. Biham and . Shamir, Differential fault analysis of secret key cryptosystems, Advances in Cryptology, 1997.
DOI : 10.1007/BFb0052259

A. [. Biryukov and . Shamir, Cryptanalytic Time/memory/data Tradeoffs For Stream Cipher, Advances in Cryptology - ASIACRYPT 2000, pp.1-13, 1976.

R. [. Boneh and . Venkatesan, Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes, Advances in Cryptology, pp.129-142, 1996.
DOI : 10.1007/3-540-68697-5_11

T. Vesterager, J. Pedersen, O. Christiansen, and . Scavenius, Rabbit : A High-Performance Stream Cipher, Fast Software Encryption, pp.307-329, 2003.

[Can09] G. Canivet, Analyse des effets d'attaques par fautes et conception sécurisée sur plate-forme reconfigurable, 2009.

M. [. Ciet and . Joye, Elliptic Curve Cryptosystems in the presence of permanent and transient faults. Designs, Codes and Cryptography, pp.33-43, 2005.

A. [. Courtois, J. Klimov, A. Patarin, and . Shamir, Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations, Advances in Cryptology - Eurocrypt 2000, International Conference on the Theory and Application of Cryptographic Techniques, pp.392-407, 2000.
DOI : 10.1007/3-540-45539-6_27

[Cla07] C. Clavier, De la sécurité physique des crypto-systèmes embarqués, 2007.

G. Canivet, P. Maistri, F. Valette, J. Clédière, M. Renaudin et al., Glitch and Laser Fault Attacks onto a Secure AES Implementation on a SRAM-Based FPGA, Journal of Cryptology, vol.57, issue.11, 2009.
DOI : 10.1007/s00145-010-9083-9

URL : https://hal.archives-ouvertes.fr/hal-00550051

[Coh93] H. Cohen, A Course in Computational Algebraic Number Theory, 1993.

[Cop96] D. Coppersmith, Finding Small Roots of a Bivariate Integer Equation, Advances in Cryptology - EUROCRYPT 1996, International Conference on the Theory and Application of Cryptographic Techniques, pp.178-189, 1996.

[Cop97] D. Coppersmith, Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities, Journal of Cryptology, vol.10, issue.4, pp.233-260, 1997.

[Cor99] Coron, Resistance Against Differential Power Analysis for Elliptic Curve Cryptosystems, Cryptographic Hardware and Embedded Systems, pp.292-302, 1999.

B. [. De Cannière and . Preneel, Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles. eSTREAM, ECRYPT Stream Cipher, 2005.

E. Dottax, C. Giraud, M. Rivain, and Y. Sierra, On Second-Order Fault Analysis Resistance for CRT-RSA Implementations, Information Security Theory and Practices [DH76b] W. Diffie and M.E. Hellman. Multiuser Cryptographic Techniques. In AFIPS National Computer Conference AFIPS Conference Proceedings [DLV03] P. Dusart, G. Letourneux, and O. Vivolo. Differential Fault Analysis on AES Applied Cryptography and Network Security volume 2846 of Lecture Notes in Computer Science, pp.68-83644, 1976.
DOI : 10.1007/978-3-642-03944-7_6

J. Dumas, J. Roch, E. Tannier, and S. Varrette, Théorie des codes -Compression , cryptage, correction [Dus98] P. Dusart Autour de la fonction qui compte le nombre de nombres premiers A public key cryptosystem and a signature scheme based on discrete logarithms, Proceedings of CRYPTO 84 on Advances in cryptology. [Fin94] H. Finney. An RC4 cycle that can't happen, pp.10-18, 1985.

S. Fouque, G. Kunz-jacques, F. Martinet, F. Muller, . [. Valette et al., Power Attack on Small RSA Public Exponent Statistical Analysis of the Alleged RC4 Keystream Generator Weaknesses in the Key Scheduling Algorithm of RC4 Fouque and F. Valette. The Doubling Attack - why Upwards Is Better than Downwards A survey on fault attacks, Cryptographic Hardware and Embedded Systems Workshop on Fast Software Encryption (FSE 2000), volume 1978 of Lecture Notes in Computer Science Cryptographic Hardware and Embedded Systems CARDIS 2004, Smart Card Research and Advanced Applications IV [Gir05a] C. Giraud. DFA on AES. In V. Rijmen, H. Dobbertin, and A. Sowa Fourth Conference on the Advanced Encryption Standard (AES4) Fault Diagnosis and Tolerance in Cryptography [Gir05c] C. Giraud. Procédé de traitement de données impliquant une exponentiation modulaire et un dispositif associé, pp.339-353, 2001.

[Gir07] C. Giraud, Attaques de Cryptosystèmes Embarqués et Contre-Mesures Associées, 2007.

[. Giraud and E. W. Knudsen, Fault Attacks on Signature Schemes, Proceedings of Information Security and Privacy, pp.478-491, 2004.
DOI : 10.1007/978-3-540-27800-9_41

M. [. Gomulkiewicz, P. Kutilwoski, and . Wlaz, Synchronization Fault Cryptanalysis for Breaking A5/1, Experimental and Efficient Algorithms, pp.415-427, 2005.
DOI : 10.1007/11427186_36

[Hab92] D. Habing, The Use of Lasers to Simulate Radiation-Induced Transients in Semiconductors Devices and Circuits, IEEE Transactions on Nuclear Science, vol.39, pp.1647-1653, 1992.

M. Hell, T. Johansson, A. Maximov, and W. Meier, A Stream Cipher Proposal: Grain-128, 2006 IEEE International Symposium on Information Theory, pp.1614-1618, 2006.
DOI : 10.1109/ISIT.2006.261549

B. [. Hojsik and . Rudolf, Differential Fault Analysis of Trivium, Fast Software Encryption, pp.158-172, 2008.
DOI : 10.1007/978-3-540-71039-4_10

A. [. Hoch and . Shamir, Fault Analysis of Stream Ciphers
DOI : 10.1007/978-3-540-28632-5_18

H. [. Heninger and . Shacham, Reconstructing RSA Private Keys from Random Key Bits, Advances in Cryptology - CRYPTO 2009, pp.1-17, 2009.
DOI : 10.1007/978-3-642-03356-8_1

[. Joye and M. Ciet, Practical Fault Countermeasures for Chinese Remaindering Based RSA, Fault Diagnosis and Tolerance in Cryptography (FDTC 2005), pp.124-132, 2005.

[. Joye, A. Lenstra, and J. Quisquater, Chinese Remaindering Based Cryptosystems in the Presence of Faults, Journal of Cryptology, vol.12, issue.4, pp.241-245, 1999.
DOI : 10.1007/s001459900055

A. [. Jochemsz and . May, A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants, Advances in Cryptology - ASIACRYPT 2006, pp.267-282, 2006.
DOI : 10.1007/11935230_18

[Joy09] M. Joye, Protecting RSA Against Fault Attacks: The Embedding Method, Fault Diagnosis and Tolerance in Cryptography, pp.41-45, 2009.

[. Joye, P. Paillier, and S. Yen, Secure Evaluation of Modular Functions, International Workshop on Cryptology and Network Security, pp.227-229, 2001.

M. Joye, J. Quisquater, F. Bao, and R. H. Deng, RSA-type signatures in the presence of transient faults, Cryptography and Coding, 6th IMA International Conference, pp.155-160, 1997.
DOI : 10.1007/BFb0024460

[KAF+10] T. Kleinjung, K. Aoki, J. Franke, A. Lenstra et al., Factorization of a 768-bit RSA modulus, p.6, 2010.

P. [. Kim, C. Bulens, J. Petit, and . Quisquater, Fault Attacks on Public Key Elements: Application to DLP-Based Schemes, European PKI workshop Public Key Infrastructure, pp.182-195, 2008.
DOI : 10.1007/978-3-540-69485-4_13

J. [. Kocher, B. Jaffe, and . Jun, Differential Power Analysis, Advances in Cryptology, pp.388-397, 1999.
DOI : 10.1007/3-540-48405-1_25

[Koc96] P. Kocher, Timing attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems, Advances in Cryptology, pp.104-113, 1996.

J. [. Kim and . Quisquater, Fault Attacks for CRT Based RSA: New Attacks, New Results, and New Countermeasures, Information Security Theory and Practices, Smart Cards, Mobile and Ubiquitus Computing Systems, pp.215-228, 2007.
DOI : 10.1109/TC.2003.1190587

A. [. Kirkanski and . Youssef, Differential Fault Analysis of Rabbit, Selected Areas in Cryptography Lecture Notes in Computer Science, pp.200-217, 2009.
DOI : 10.1007/978-3-642-05445-7_13

[Len96] A. Lenstra, Memo on RSA Signature Generation in the presence of Faults, 1996.

J. [. Lenstra and . Lenstra, The development of the number field sieve, Lecture Notes in Mathematics, vol.1554, 1993.
DOI : 10.1007/BFb0091534

H. [. Lenstra, L. Lenstra, and . Lovász, Factoring polynomials with rational coefficients, Mathematische Annalen, vol.32, issue.4, pp.515-534, 1986.
DOI : 10.1007/BF01457454

[May03] A. May, New RSA Vulnerabilities Using Lattice Reduction Methods, 2003.

S. [. Murdoch, R. Drimer, M. Andersson, and . Bond, Chip and PIN is Broken, 2010 IEEE Symposium on Security and Privacy, 2010.
DOI : 10.1109/SP.2010.33

[Mon85] P. Montgomery, Modular Multiplication without trial division, Mathematics of Computation, vol.44, pp.519-521

[Mon87] P. Montgomery, Speeding the Pollard and Elliptic Curve Methods of Factorization, Mathematics of Computation, vol.48, pp.243-264, 1987.

[Mui06] J. Muir, Seifert's RSA Fault Attack: Simplified Analysis and Generalizations, Cryptology ePrint Archive Report, vol.458, 2005.

M. [. May and . Woods, A New Physical Mechanism for Soft Errors in Dynamic Memories, 16th International Reliability Physics Symposium, 1978.
DOI : 10.1109/IRPS.1978.362815

D. Naccache, P. Q. Nguyen, M. Tunstall, and C. Whelan, Experimenting with Faults, Lattices and the DSA, Lecture Notes in Computer Science, vol.3386, pp.16-28, 2005.
DOI : 10.1007/978-3-540-30580-4_3

I. [. Nguyen and . Shparlinski, The Insecurity of the Digital Signature Algorithm with Partially Known Nonces [oSN77] National Institute of Standards and Technology (NIST). FIPS PUB 46: The Data Encryption Standard, pp.151-176, 1977.
DOI : 10.1007/s00145-002-0021-3

B. [. Paul and . Preneel, A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher, Workshop on Fast Software Encryption, pp.245-259, 2004.
DOI : 10.1007/978-3-540-25937-4_16

[. Quisquater and C. Couvreur, Fast decipherment algorithm for RSA public-key cryptosystem, Electronics Letters, vol.18, issue.21, pp.905-907, 1982.
DOI : 10.1049/el:19820617

[. Quisquater and D. Samyde, Eddy Current for Magnetic Analysis with Active Sensor, 2002.

O. Michael and . Rabin, Probabilistic algorithm for testing primality, Journal of Number Theory, vol.12, issue.1, pp.128-138, 1980.

[Riv09] M. Rivain, Securing RSA Against Fault Analysis by Double Addition Chain Exponentiation, RSA Cryptographer's Track (CT-RSA 2009), pp.459-480, 2009.

A. [. Rivest, L. M. Shamir, and . Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, vol.21, issue.2, pp.120-126, 1978.
DOI : 10.1145/359340.359342

S. P. Skorobogatov and R. J. Anderson, Optical Fault Induction Attacks, Cryptographic Hardware and Embedded Systems Applied Cryptography, pp.2-12, 1996.
DOI : 10.1007/3-540-36400-5_2

M. [. Schnorr and . Euchner, Lattice Basis Reduction : Improved practical algorithms and solving subset sum problems, Math. Programming, pp.181-199, 1994.

[Sei05] Seifert, On Authenticated Computing and RSA-Based Authentication, ACM Conference on Computer and Communications Security (CCS 2005), pp.122-127, 2005.

[Sha97] A. Shamir, Improved Method and Apparatus for Protecting Public Key Schemes from Timing and Fault Attacks, Presented at the Rump Session of Eurocrypt'97, 1997.

[Sha04] A. Shamir, Stream Ciphers: Dead or Alive?, Advances in Cryptology - ASIACRYPT 2004, p.78, 2004.

[Sho] V. Shoup, Number Theory C++ Library (NTL)

[Sho05] V. Shoup, A Computational Introduction to Number Theory and Algebra, 2005.

[Sko06] S. Skorobogatov, Optically Enhanced Position-Locked Power Analysis, Cryptographic Hardware and Embedded Systems, pp.61-75, 2006.

[Ste97] J. Stern, La science du secret, 1997.

[Sti95] D. Stinson, Cryptography: Theory and Practice, 1995.

D. [. Schirokauer, T. Weber, and . Denny, Discrete logarithms: The effectiveness of the index calculus method, Algorithmic Number Theory (ANTS-II 1996), pp.337-362, 1996.
DOI : 10.1007/3-540-61581-4_66

[Vig08] D. Vigilant, RSA with CRT: A new Cost Effective Solution to Thwart Fault Attacks, Cryptographic Hardware and Embedded Systems, pp.130-145, 2008.

[Wag04] D. Wagner, Cryptanalysis of a provably secure CRT-RSA algorithm, Proceedings of the 11th ACM Conference on Computer Security, pp.92-97, 2004.

W. [. Yi, S. Huaxiong, and . Ling, Cryptanalysis of Rabbit, 11th International Conference on Information Security, pp.204-214, 2008.

[. Yen and M. Joye, Checking Before Output May not be Enough Against Fault-Based Cryptanalysis, IEEE Transactions on Computers, pp.367-370, 2000.

[. Yen and D. Kim, Cryptanalysis of Two Protocols for RSA with CRT Based on Fault Infection, Fault Diagnosis and Tolerance in Cryptography, pp.381-385, 2004.
DOI : 10.1007/11889700_5

[. Yen, D. Kim, S. Lim, and S. Moon, RSA Speedup with Residue Number System Immune Against Hardware Fault Cryptanalysis, Lecture Notes in Computer Science, vol.2288, pp.397-413, 2001.

[. Yen, D. Kim, and S. Moon, Cryptanalysis of Two Protocols for RSA with CRT Based on Fault Infection, Fault Diagnosis and Tolerance in Cryptography, pp.53-61, 2006.
DOI : 10.1007/11889700_5

[. Yen, S. Moon, and J. Ha, Hardware Fault Attack on RSA with CRT Revisited, Information Security and Cryptology, pp.374-388, 2002.
DOI : 10.1007/3-540-36552-4_26

[Zie79] J. Ziegler, Effect of Cosmic Rays on Computer Memories, Science, vol.206, pp.776-788, 1979.