Observability Analysis - Detecting When Improved Cryptosystems Fail

  • Marc Joye
  • Jean-Jacques Quisquater 
  • Sung-Ming Yen 
  • Moti Yung
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2271)


In this paper we show that, paradoxically, what looks like a “universal improvement” or a “straightforward improvement”, one that enables better security and better reliability on a theoretical level, may in fact, within certain operational contexts, introduce new exposures and attacks, resulting in a weaker operational cryptosystem. We demonstrate a number of such dangerous “improvements”. This implies that careful consideration should be given to the fact that an implemented cryptosystem exists within a certain operational environment (which may enable certain types of tampering and other observable information channels via faults, side-channel attacks or the behavior of system operators). We use our case studies to draw conclusions about the investigations required when studying implementations and suggested improvements of cryptosystems, looking at them in the context of their operating environments (combined with their potential adversarial settings). We call these investigations observability analysis.


Keywords: security analysis, observability, cryptanalysis, implementations, side-channel attacks, fault analysis, robustness, cryptosystems





Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Marc Joye, Gemplus Card International, Card Security Group, Gémenos, France
  • Jean-Jacques Quisquater, UCL Crypto Group, Louvain-la-Neuve, Belgium
  • Sung-Ming Yen, Dept of Computer Science, National Central University, Taiwan, R.O.C.
  • Moti Yung, CertCo, New York, USA
