Wagner’s Attack on a Secure CRT-RSA Algorithm Reconsidered

  • Johannes Blömer
  • Martin Otto
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4236)


At CCS 2003, a new CRT-RSA algorithm was presented in [BOS03], which was claimed to be secure against fault attacks for various fault models. At CCS 2004, David Wagner presented an attack on the proposed scheme, claiming that the so-called BOS scheme was insecure for all presented fault models [Wag04]. However, the attack itself contains a flaw which shows that although the BOS scheme is broken in some fault models, it is not broken in the most realistic ”random fault model”. This paper points out the flaw in the attack on the BOS scheme, aiming to clarify this issue.


CRT-RSA fault attacks smartcards BOS-Scheme Wagner’s attack 


  1. [ABF+02]
    Aumüller, C., Bier, P., Fischer, W., Hofreiter, P., Seifert, J.-P.: Fault attacks on RSA with CRT: Concrete results and practical countermeasures. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 260–275. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  2. [BDL01]
    Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of eliminating errors in cryptographic computations. J. Cryptology 14(2), 101–119 (2001)zbMATHCrossRefMathSciNetGoogle Scholar
  3. [BOS03]
    Blömer, J., Otto, M., Seifert, J.-P.: A new CRT-RSA algorithm secure against Bellcore attacks. In: Atluri, V., Liu, P. (eds.) Conference on Computer and Communications Security — CCS. ACM SIGSAC, pp. 311–320. ACM Press, New York (2003)Google Scholar
  4. [CCD00]
    Clavier, C., Coron, J.-S., Dabbous, N.: Differential power analysis in the presence of hardware countermeasures. In: Paar, C., Koç, Ç.K. (eds.) CHES 2000. LNCS, vol. 1965, pp. 252–263. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  5. [CJ05]
    Ciet, M., Joye, M.: Practical fault countermeasures for chinese remaindering based RSA. In: 2nd Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC 2005), Edinburgh, Scotland, September 2 (2005)Google Scholar
  6. [Gir05]
    Giraud, C.: Fault resistant RSA implementation. In: Breveglieri, L., Koren, I. (eds.) Fault Diagnosis and Tolerance in Cryptography — FDTC 2005, September 2 (2005)Google Scholar
  7. [Ott05]
    Otto, M.: Fault attacks and countermeasures, Ph.D. thesis, University of Paderborn (2005),
  8. [QS02]
    Quisquater, J.-J., Samyde, D.: Eddy current for magnetic analysis with active sensor. In: Proceedings of Esmart 2002 (2002)Google Scholar
  9. [RE00]
    Rankl, W., Effing, W.: Smart card handbook, 2nd edn. John Wiley & Sons, Chichester (2000)Google Scholar
  10. [SA02]
    Skorobogatov, S., Anderson, R.: Optical fault induction attacks. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  11. [Sha99]
    Shamir, A.: Method and apparatus for protecting public key schemes from timing and fault attacks. US Patent No. 5, 991, 415 (November 23, 1999)Google Scholar
  12. [Wag04]
    Wagner, D.: Cryptanalysis of a provably secure CRT-RSA algorithm. In: Atluri, V., Pfitzmann, B., McDaniel, P.D. (eds.) Conference on Computer and Communications Security — CCS 2004. ACM SIGSAC, pp. 92–97. ACM Press, New York (2004)CrossRefGoogle Scholar
  13. [YKLM01]
    Yen, S.-M., Kim, S., Lim, S., Moon, S.: RSA speedup with residue number system immune against hardware fault cryptanalysis. In: Kim, K.-c. (ed.) ICISC 2001. LNCS, vol. 2288, p. 397. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  14. [YKLM03]
    Yen, S.-M., Kim, S., Lim, S., Moon, S.-J.: RSA Speedup with Chinese Remainder Theorem Immune against Hardware Fault Cryptanalysis. IEEE Transactions on Computers 52(4), 461–472 (2003)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Johannes Blömer
    • 1
  • Martin Otto
    • 2
  1. 1.Institute for Computer SciencePaderborn UniversityPaderbornGermany
  2. 2.Corporate Technology CT IC3Siemens AGMunichGermany

Personalised recommendations