Cryptographic Hardware and Embedded Systems – CHES 2008

Volume 5154 of the series Lecture Notes in Computer Science pp 380-395

Perturbating RSA Public Keys: An Improved Attack

  • Alexandre BerzatiAffiliated withCEA-LETI/MINATECVersailles Saint-Quentin-en-Yvelines University
  • , Cécile CanovasAffiliated withCEA-LETI/MINATEC
  • , Louis GoubinAffiliated withVersailles Saint-Quentin-en-Yvelines University


Since its first introduction by Bellcore researchers [BDL97], fault injections have been considered as a powerful and practical way to attack cryptosystems, especially when they are implemented on embedded devices. Among published attacks, Brier et al. followed the work initiated by Seifert to raise the problem of protecting RSA public elements.

We describe here a new fault attack on RSA public elements. Under a very natural fault model, we show that our attack is more efficient than previously published ones. Moreover, the general strategy described here can be applied using multiple transient fault models, increasing the practicability of the attack.

Both the theoretical analysis of the success probability, and the experimental results – obtained with the GMP Library on a PC –, provide evidence that this is a real threat for all RSA implementations, and confirm the need for protection of the public key.


RSA fault attacks DFA public key