Fault Attacks on RSA with CRT: Concrete Results and Practical Countermeasures

  • C. Aumüller
  • P. Bier
  • W. Fischer
  • P. Hofreiter
  • J.-P. Seifert
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2523)


This article describes concrete results and practically validated countermeasures concerning differential fault attacks on RSA using the CRT. We investigate smartcards with an RSA coprocessor where any hardware countermeasures to defeat fault attacks have been switched off. This scenario was chosen in order to analyze the reliability of software countermeasures. We start by describing our laboratory setting for the attacks. Hereafter, we describe the experiments and results of a straightforward implementation of a well-known countermeasure. This implementation turned out to be not sufficient. With the data obtained by these experiments we developed a practical error model. This enabled us to specify enhanced software countermeasures for which we were not able to produce any successful attacks on the investigated chips. Nevertheless, we are convinced that only sophisticated hardware countermeasures (sensors, filters, etc.) in combination with software countermeasures will be able to provide security.


Bellcore attack Chinese Remainder Theorem Fault attacks Hardware security RSA Spike attacks Software countermeasures Transient fault model 


  1. [A]
    R. Anderson, Security Engineering, John Wiley & Sons, New York, 2001.Google Scholar
  2. [AK1]
    R. Anderson, M. Kuhn, “Tamper Resistance-a cautionary note”, Proc. of 2nd USENIX Workshop on Electronic Commerce, pp. 1–11, 1996.Google Scholar
  3. [AK2]
    R. Anderson, M. Kuhn, “Low cost attacks attacks on tamper resistant devices”, Proc. of 1997 Security Protocols Workshop, Springer LNCS vol. 1361, pp. 125–136, 1997.Google Scholar
  4. [BDL]
    D. Boneh, R. A. DeMillo, R. Lipton, “On the Importance of Eliminating Errors in Cryptographic Computations” Journal of Cryptology 14(2):101–120, 2001.zbMATHCrossRefMathSciNetGoogle Scholar
  5. [BDHJ+]
    F. Bao, R. H. Deng, Y. Han, A. Jeng, A. D. Narasimbalu, T. Ngair, “Breaking public key cryptosystems on tamper resistant dives in the presence of transient faults”, Proc. of 1997 Security Protocols Workshop, Springer LNCS vol. 1361, pp. 115–124, 1997.Google Scholar
  6. [BR]
    M. Bellare, P. Rogaway, “The exact security of digital signatures-how to sign with RSA and Rabin”, Proc. of EUROCRYPTO’ 96, Springer LNCS vol. 1070, pp. 399–416, 1996.Google Scholar
  7. [BS]
    E. Biham, A. Shamir, “Differential fault analysis of secret key cryptosystems”, Proc. of CRYPTO’ 97, Springer LNCS vol. 1294, pp. 513–525, 1997.Google Scholar
  8. [BMM]
    I. Biehl, B. Meyer, V. Müller, “Differential fault attacks on elliptic curve cryptosystems”, Proc. of CRYPTO’ 00, Springer LNCS vol. 1880, pp. 131–146, 2000.Google Scholar
  9. [BMS]
    J. Blömer, A. May, J.-P. Seifert, personal communication, April 2002.Google Scholar
  10. [CQ]
    C. Couvreur, J.-J. Quisquater, “Fast decipherment algorithm for RSA public-key cryptosystem”, Electronics Letters 18(21):905–907, 1982.CrossRefGoogle Scholar
  11. [FS]
    W. Fischer, J.-P. Seifert, “Note on fast computation of secret RSA exponents”, Proc. of ACISP’ 02, Springer LNCS vol. 2384, pp. 136–143, 2002.Google Scholar
  12. [GMO]
    K. Gandol., C. Mourtel, F. Olivier, “Electromagnetic analysis: Concrete results”, Proc. of CHES’ 01, Springer LNCS vol. 2162, pp. 255–265, 2001.Google Scholar
  13. [Gu1]
    P. Gutmann, “Secure deletion of data from magnetic and solid-state memory”, Proc. of 6th USENIX Security Symposium, pp. 77–89, 1997.Google Scholar
  14. [Gu2]
    P. Gutmann, “Data Remanence in Semiconductor Devices”, Proc. of 7th USENIX Security Symposium, 1998.Google Scholar
  15. [HP1]
    H. Handschuh, P. Pailler, “Smart Card Crypto-Coprocessors for Public-Key Cryptography”, CryptoBytes 4(1):6–11, 1998.Google Scholar
  16. [HP2]
    H. Handschuh, P. Pailler, “Smart Card Crypto-Coprocessors for Public-Key Cryptography”, Proc. of CARDIS’ 98, Springer LNCS vol. 1820, pp. 372–379, 1998.Google Scholar
  17. [ISO]
    International Organization for Standardization, “eISO/IEC 7816-3: Electronic signals and transmission protocols”,, 2002.
  18. [JLQ]
    M. Joye, A. K. Lenstra, J.-J. Quisquater, “Chinese remaindering based cryptosystem in the presence of faults”, Journal of Cryptology 12(4):241–245, 1999.zbMATHCrossRefGoogle Scholar
  19. [JPY]
    M. Joye, P. Pailler, S.-M. Yen, “Secure Evaluation of Modular Functions”, Proc. of 2001 International Workshop on Cryptology and Network Security, pp. 227–229, 2001.Google Scholar
  20. [JQBD]
    M. Joye, J.-J. Quisquater, F. Bao, R. H. Deng, “RSA-type signatures in the presence of transient faults”, Cryptography and Coding, Springer LNCS vol. 1335, pp. 155–160, 1997.CrossRefGoogle Scholar
  21. [JQYY]
    M. Joye, J.-J. Quisquater, S. M. Yen, M. Yung, “Observability analysis-detecting when improved cryptosystems fail”, Proc. of CT-RSA Conference 2002, Springer LNCS vol. 2271, pp. 17–29, 2002.Google Scholar
  22. [KR]
    B. Kaliski, M. J. B. Robshaw, “Comments on some new attacks on cryptographic devices”, RSA Laboratories Bulletin 5, July 1997.Google Scholar
  23. [Kn]
    D. E. Knuth, The Art of Computer Programming, Vol.2: Seminumerical Algorithms, 3rd ed., Addison-Wesley, Reading MA, 1999.Google Scholar
  24. [Koca]
    O. Kocar, “Hardwaresicherheit von Mikrochips in Chipkarten”, Datenschutz und Datensicherheit 20(7):421–424, 1996.Google Scholar
  25. [Koch]
    P. Kocher, “Timing attacks on implementations of Diffie-Hellmann, RSA, DSS and other systems”, Proc. of CYRPTO’ 97, Springer LNCS vol. 1109, pp. 104–113, 1997.Google Scholar
  26. [KJJ]
    P. Kocher, J. Jaffe, J. Jun, “Differential Power Analysis”, Proc. of CYRPTO’ 99, Springer LNCS vol. 1666, pp. 388–397, 1999.Google Scholar
  27. [Ma]
    D. P. Maher, “Fault induction attacks, tamper resistance, and hostile reverse engineering in perspective”, Proc. of Financial Cryptography, Springer LNCS vol. 1318, pp. 109–121, 1997.Google Scholar
  28. [MvOV]
    A. J. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, 1997.zbMATHGoogle Scholar
  29. [NR]
    D. Naccache, D. M'Raihi, “Cryptographic smart cards”, IEEE Micro, pp. 14–24, 1996.Google Scholar
  30. [Pe]
    I. Petersen, “Chinks in digital armor-Exploiting faults to break smartcard cryptosystems”, Science News 151(5):78–79, 1997.CrossRefGoogle Scholar
  31. [Ro]
    T. Rosa, “Future Cryptography: Standards are not enough”, Proc. of Security and Protection of Information 2001, pp. 237–245, 2001.Google Scholar
  32. [RSA]
    R. Rivest, A. Shamir, L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems”, Comm. of the ACM 21:120–126, 1978.zbMATHCrossRefMathSciNetGoogle Scholar
  33. [SQ]
    D. Samyde, J.-J. Quisquater, “ElectroMagnetic Analysis (EMA): Measures and Countermeasures for Smart Cards”, Proc. of Int. Conf. on Research in Smart Cards, E-Smart 2001, Springer LNCS vol. 2140, pp. 200–210, 2001.Google Scholar
  34. [Sh]
    A. Shamir, “Method and Apparatus for protecting public key schemes from timing and fault attacks”, U.S. Patent Number 5,991,415, November 1999; also presented at the rump session of EUROCRYPT’97.Google Scholar
  35. [YJ]
    S.-M. Yen, M. Joye, “Checking before output may not be enough against fault-based cryptanalysis”, IEEE Trans. on Computers 49:967–970, 2000.CrossRefGoogle Scholar
  36. [YKLM1]
    S.-M. Yen, S.-J. Kim, S.-G. Lim, S.-J. Moon, “RSA Speedup with Residue Number System immune from Hardware fault cryptanalysis”, Proc. of the ICISC 2001, Springer LNCS vol. 2288, pp. 397–413, 2001.Google Scholar
  37. [YKLM2]
    S.-M. Yen, S.-J. Kim, S.-G. Lim, S.-J. Moon, “A countermeasure against one physical cryptanalysis may benefit another attack”, Proc. of the ICISC 2001, Springer LNCS vol. 2288, pp. 414–427, 2001.Google Scholar
  38. [ZM]
    Y. Zheng, T. Matsumoto, “Breaking real-world implementations of cryptosystems by manipulating their random number generation”, Proc. of the 1997 Symposium on Cryptography and Information Security, 1997.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • C. Aumüller
    • 1
  • P. Bier
    • 1
  • W. Fischer
    • 1
  • P. Hofreiter
    • 1
  • J.-P. Seifert
    • 1
  1. 1.Infineon Technologies Security & ChipCard ICsMunichGermany

Personalised recommendations