An RSA Implementation Resistant to Fault Attacks and to Simple Power Analysis

Nowadays, side channel attacks allow an attacker to recover secrets stored in embedded devices more efficiently than any other kind of attack. Among the former, fault attacks (FA) and single power analysis (SPA) are probably the most effective: when applied to straightforward implementations of the RSA cryptosystem, only one execution of the algorithm is required to recover the secret key. Over recent years, many countermeasures have been proposed to prevent side channel attacks on RSA. Regarding fault attacks, only one countermeasure offers effective protection and it can be very costly. In this paper, we focus on a means to counteract fault attacks by presenting a new way of implementing exponentiation algorithms. This method can be used to obtain fast FA-resistant RSA signature generations in both the straightforward method and Chinese remainder theorem modes. Moreover, as it has been shown that fault attacks can benefit from the weaknesses introduced by some SPA countermeasures, we ensure that our method resists SPA and, thus, does not require supplementary SPA countermeasures