Practical Fault Countermeasures for Chinese Remaindering Based RSA

Most implementations of the widely-used RSA cryptosystem rely on Chinese remaindering (CRT) as this greatly improves the performances in both running times and memory requirements. Unfortunately, CRT-based implementations are also known to be more sensitive to fault attacks: a single fault in an RSA exponentiation may reveal the secret prime factors trough a GCD computation, that is, a total breaking. This paper reviews known countermeasures against fault attacks and explain why there are not fully satisfactory or secure. It also presents practical countermeasures which feature the following advantages: 1. only CRT input elements are needed (in particular, the value of exponents e and/or d is not required), 2. the resulting performances (running times and memory requirements) are not too much affected, 3. no pre-computations or modifications in the personalisation process are needed, 4. the fault detection does not rely on decisional tests as this can be bypassed, 5. all previously known fault attacks are covered. As a result, our countermeasures enjoy at the same time all best known properties to protect against fault attacks in CRT-based implementations of RSA.