Why One Should Also Secure RSA Public Key Elements

  • Eric Brier
  • Benoît Chevallier-Mames
  • Mathieu Ciet
  • Christophe Clavier
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4249)


It is well known that a malicious adversary can try to retrieve secret information by inducing a fault during cryptographic operations. Following the work of Seifert on fault inductions during RSA signature verification, we consider in this paper the signature counterpart.

Our article introduces the first fault attack applied on RSA in standard mode. By only corrupting one public key element, one can recover the private exponent. Indeed, similarly to Seifert’s attack, our attack is done by modifying the modulus.

One of the strong points of our attack is that the assumptions on the induced faults’ effects are relaxed. In one mode, absolutely no knowledge of the fault’s behavior is needed to achieve the full recovery of the private exponent. In another mode, based on a fault model defining what is called dictionary, the attack’s efficiency is improved and the number of faults is dramatically reduced. All our attacks are very practical.

Note that those attacks do work even against implementations with deterministic (e.g., RSA-FDH) or random (e.g., RSA-PFDH) paddings, except for cases where we have signatures with randomness recovery (such as RSA-PSS).

The results finally presented on this paper lead us to conclude that it is also mandatory to protect RSA’s public parameters against fault attacks.


RSA Standard Mode Fault Cryptanalysis Seifert’s Attack 


  1. 1.
    Aumüller, C., Bier, P., Fischer, W., Hofreiter, P., Seifert, J.-P.: Fault attacks on RSA with CRT: Concrete results and practical countermeasures. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 260–275. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  2. 2.
    Bar-El, H., Choukri, H., Naccache, D., Tunstall, M., Whelan, C.: The sorcerer’s apprentice guide to fault attacks. In: Workshop on Fault Detection and Tolerance in Cryptography (2004)Google Scholar
  3. 3.
    Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: 1st ACM Conference on Computer and Communications Security, pp. 62–73. ACM Press, New York (1993)CrossRefGoogle Scholar
  4. 4.
    Bellare, M., Rogaway, P.: The exact security of digital signatures - How to sign with RSA and Rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)Google Scholar
  5. 5.
    Biehl, I., Meyer, B., Müller, V.: Differential fault analysis on elliptic curve cryptosystems. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  6. 6.
    Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997)Google Scholar
  7. 7.
    Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of eliminating errors in cryptographic computations. Journal of Cryptology 14(2), 101–119 (2001) (An earlier version appears in [6])zbMATHCrossRefMathSciNetGoogle Scholar
  8. 8.
    Ciet, M., Joye, M.: Elliptic curve cryptosystem in presence of permanent and transient faults. Designs Codes and Cryptography 36(1) (2005)Google Scholar
  9. 9.
    Coron, J.-S.: Optimal security proofs for PSS and other signature schemes. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 272–287. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  10. 10.
    Joye, M., Lenstra, A.K., Quisquater, J.-J.: Chinese remaindering based cryptosystems in the presence of faults. Journal of Cryptology 12(4), 241–245 (1999)zbMATHCrossRefGoogle Scholar
  11. 11.
    Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)Google Scholar
  12. 12.
    Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of applied cryptography. CRC Press, Boca Raton (1997)zbMATHGoogle Scholar
  13. 13.
    Muir, J.A.: Seiferts RSA fault attack: Simplified analysis and generalizations. IACR Eprint archive (2005)Google Scholar
  14. 14.
    PKCS #1 v 1.5: RSA Cryptography StandardGoogle Scholar
  15. 15.
    Quisquater, J.-J., Couvreur, C.: Fast decipherment algorithm for RSA public-key cryptosystem. Electronics Letters 18(21), 905–907 (1982)CrossRefGoogle Scholar
  16. 16.
    Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2), 120–126 (1978)zbMATHCrossRefMathSciNetGoogle Scholar
  17. 17.
    Seifert, J.-P.: On authenticated computing and RSA-based authentication. In: ACM Conference on Computer and Communications Security 2005, pp. 122–127 (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Eric Brier
    • 1
  • Benoît Chevallier-Mames
    • 1
    • 2
  • Mathieu Ciet
    • 1
  • Christophe Clavier
    • 1
  1. 1.Gemalto, Security LabsLa CiotatFrance
  2. 2.Département d’InformatiqueÉcole Normale SupérieureParis 05France

Personalised recommendations