Securing RSA hardware accelerators through residue checking

Abstract

Circuits for the hardware acceleration of cryptographic algorithms are ubiquitously deployed in consumer and industrial products. Although being secure from a mathematical point of view, such accelerators may expose several vulnerabilities strictly related to the hardware implementation. Differential fault analysis (DFA) and hardware Trojan horses (HWTs) may be exploited to steal secret information from the circuit or to interfere with its nominal functioning. It is therefore important to protect cryptographic hardware accelerators against such attacks in an efficient way. In this paper, we propose a lightweight technique for protecting circuits implementing the RSA algorithm against DFA and HWTs at runtime. The proposed solution relies on residue checking which is a well-known technique belonging to traditional fault tolerance. Residue checking is here applied to RSA circuits in order to detect any modification of the output of the circuit possibly induced by the occurrence of a fault or the activation of a HWT. When this happens, the protection technique reacts to the attack by obfuscating the circuit's output (i.e. generating a random output). An experimental campaign (99% confidence and 1% error) demonstrated that, when dealing with DFA, the proposed solution detected 100% of the fault attacks that leaked information to the attacker. Moreover, we applied the proposed technique to all the HWT infected implementations of the RSA algorithm available in the Trust-Hub benchmark suite achieving a 100% HWT detection. The overhead introduced by the proposed solution is a maximum area increase below 3%, about 18% dynamic power consumption increase while it has no impact on the operating frequency.