Perturbating RSA Public Keys: An Improved Attack

  • Alexandre Berzati
  • Cécile Canovas
  • Louis Goubin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5154)


Since its first introduction by Bellcore researchers [BDL97], fault injection has been considered a powerful and practical way to attack cryptosystems, especially when they are implemented on embedded devices. Among published attacks, Brier et al. followed the work initiated by Seifert in raising the problem of protecting the public elements of RSA.

We describe here a new fault attack on RSA public elements. Under a very natural fault model, we show that our attack is more efficient than previously published ones. Moreover, the general strategy described here can be applied using multiple transient fault models, increasing the practicability of the attack.

Both the theoretical analysis of the success probability and the experimental results (obtained with the GMP library on a PC) provide evidence that this is a real threat for all RSA implementations, and confirm the need to protect the public key.
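The abstract's conclusion is that RSA public elements need protection, not only the private ones. The following Python example is added here to illustrate that defensive point; it is not code from the paper or its authors, and it does not reproduce the paper's attack. It assumes textbook RSA with constructed toy primes (far too small for real use) and two checks that are commonly discussed in the fault-attack literature: an integrity tag over (N, e) that is verified before the public elements are used, and a verify-after-sign step with e before any signature is released. The `flip_bit` helper is a constructed stand-in for a transient fault, used only to show that the checks catch a perturbed modulus.

```python
import hashlib

# Constructed toy parameters: two ~30-bit primes, far too small for real use.
P = 1000000007
Q = 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse, Python 3.8+


class FaultDetected(Exception):
    """Raised when a check on the public elements or on the result fails."""


def public_key_tag(n: int, e: int) -> bytes:
    """Integrity tag over the public elements, computed once at key load
    and kept alongside the key (assumed storage; any MAC or hash works)."""
    return hashlib.sha256(f"{n}:{e}".encode()).digest()


REFERENCE_TAG = public_key_tag(N, E)


def sign_unprotected(m: int, n: int = N) -> int:
    """Textbook RSA signature that trusts whatever modulus it is handed."""
    return pow(m, D, n)


def sign_protected(m: int, n: int = N, e: int = E) -> int:
    """RSA signature that (1) checks the public elements against the stored
    tag before using them and (2) verifies the result with e before
    releasing it. Either check failing raises FaultDetected instead of
    returning a value computed under perturbed public elements."""
    if public_key_tag(n, e) != REFERENCE_TAG:
        raise FaultDetected("public elements do not match reference tag")
    s = pow(m, D, n)
    if pow(s, e, n) != m % n:
        raise FaultDetected("signature does not verify under (n, e)")
    return s


def flip_bit(x: int, i: int) -> int:
    """Constructed stand-in for a transient fault: flip bit i of x."""
    return x ^ (1 << i)


def demo():
    """Returns (valid signature, output of the unprotected signer under a
    perturbed modulus, whether the protected signer refused to sign)."""
    m = 0xC0FFEE
    good = sign_protected(m)
    faulty_n = flip_bit(N, 17)
    # Unprotected: a value computed under the perturbed modulus is released.
    leaked = sign_unprotected(m, faulty_n)
    try:
        sign_protected(m, faulty_n)
        caught = False
    except FaultDetected:
        caught = True
    return good, leaked, caught


if __name__ == "__main__":
    good, leaked, caught = demo()
    print("signature verifies:", pow(good, E, N) == 0xC0FFEE)
    print("unprotected signer released a value under perturbed N:", leaked != good)
    print("protected signer refused:", caught)
```

The two checks are independent: the tag check guards the stored copy of (N, e) against modification before use, while the verify-after-sign step also catches a fault that hits the modulus only during the exponentiation itself. A real implementation would additionally protect the tag comparison and the verification branch against being skipped, since a single fault on the check is as damaging as one on the key.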


Keywords: RSA, fault attacks, DFA, public key


References

  1. [BCMCC06] Brier, E., Chevallier-Mames, B., Ciet, M., Clavier, C.: Why One Should Also Secure RSA Public Key Elements. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 324–338. Springer, Heidelberg (2006)
  2. [BDJ+96] Bao, F., Deng, R.H., Jeng, A., Narasimhalu, A.D., Ngair, T.: Another New Attack to RSA on Tamperproof Devices (1996)
  3. [BDJ+98] Bao, F., Deng, R.H., Jeng, A., Narasimhalu, A.D., Ngair, T.: Breaking Public Key Cryptosystems on Tamper Resistant Devices in the Presence of Transient Faults. In: Lomas, M., Christianson, B. (eds.) Security Protocols 1997. LNCS, vol. 1361, pp. 115–124. Springer, Heidelberg (1998)
  4. [BDL97] Boneh, D., DeMillo, R.A., Lipton, R.J.: On the Importance of Checking Cryptographic Protocols for Faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997)
  5. [BDL01] Boneh, D., DeMillo, R.A., Lipton, R.J.: On the Importance of Eliminating Errors in Cryptographic Computations. Journal of Cryptology 14(2), 101–119 (2001)
  6. [BECN+04] Bar-El, H., Choukri, H., Naccache, D., Tunstall, M., Whelan, C.: The Sorcerer's Apprentice Guide to Fault Attacks. Cryptology ePrint Archive, Report 2004/100 (2004)
  7. [BO06] Blömer, J., Otto, M.: Wagner's Attack on a Secure CRT-RSA Algorithm Reconsidered. In: Breveglieri, L., Koren, I., Naccache, D., Seifert, J.-P. (eds.) FDTC 2006. LNCS, vol. 4236, pp. 13–23. Springer, Heidelberg (2006)
  8. [BS97] Biham, E., Shamir, A.: Differential Fault Analysis of Secret Key Cryptosystems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294. Springer, Heidelberg (1997)
  9. [CJRR99] Chari, S., Jutla, C., Rao, J.R., Rohatgi, P.: A Cautionary Note Regarding Evaluation of AES Candidates on Smart-Cards. In: Second Advanced Encryption Standard (AES) Candidate Conference (1999)
  10. [Cla07] Clavier, C.: De la sécurité physique des crypto-systèmes embarqués. PhD thesis, Université de Versailles Saint-Quentin (2007)
  11. [Gir05a] Giraud, C.: DFA on AES. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2005. LNCS, vol. 3373, pp. 27–41. Springer, Heidelberg (2005)
  12. [Gir05b] Giraud, C.: Fault-Resistant RSA Implementation. In: Breveglieri, L., Koren, I. (eds.) Fault Diagnosis and Tolerance in Cryptography, pp. 142–151 (2005)
  13. [JQBD97] Joye, M., Quisquater, J.J., Bao, F., Deng, R.H.: RSA-type Signatures in the Presence of Transient Faults. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 155–160. Springer, Heidelberg (1997)
  14. [Mui06] Muir, J.A.: Seifert's RSA Fault Attack: Simplified Analysis and Generalizations. Cryptology ePrint Archive, Report 2005/458 (2006)
  15. [Ott04] Otto, M.: Fault Attacks and Countermeasures. PhD thesis, University of Paderborn (December 2004)
  16. [Sei05] Seifert, J.-P.: On Authenticated Computing and RSA-Based Authentication. In: ACM Conference on Computer and Communications Security (CCS 2005), pp. 122–127. ACM Press, New York (2005)
  17. [Wag04] Wagner, D.: Cryptanalysis of a Provably Secure CRT-RSA Algorithm. In: Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS 2004), pp. 92–97. ACM Press, New York (2004)
  18. [YKLM02] Yen, S.-M., Kim, D., Lim, S., Moon, S.: A Countermeasure Against One Physical Cryptanalysis May Benefit Another Attack. In: Kim, K.-c. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 414–427. Springer, Heidelberg (2002)

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Alexandre Berzati (1, 2)
  • Cécile Canovas (1)
  • Louis Goubin (2)

  1. CEA-LETI/MINATEC, Grenoble Cedex 9, France
  2. Versailles Saint-Quentin-en-Yvelines University, Versailles Cedex, France