RSA with CRT: A New Cost-Effective Solution to Thwart Fault Attacks

  • David Vigilant
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5154)


Fault attacks as introduced by Bellcore in 1996 are still a major threat toward cryptographic products supporting RSA signatures. Most often on embedded devices, the public exponent is unknown, turning resistance to fault attacks into an intricate problem. Over the past few years, several techniques for secure implementations have been published, all of which suffering from inadequacy with the constraints faced by embedded platforms. In this paper, we introduce a novel countermeasure mechanism against fault attacks in RSA signature generation. In the restricted context of security devices where execution time, memory consumption, personalization management and code size are strong constraints, our countermeasure is simply applicable with a low computational complexity. Our method extends to all cryptosystems based on modular exponentiation.


Bellcore attack Chinese Remainder Theorem Fault attacks RSA Software countermeasure Modular exponentiation 


  1. 1.
    Sun Microsystems Inc.: Javacard 2.2.2 - application programming interface. Technical report (2006)Google Scholar
  2. 2.
    Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997)Google Scholar
  3. 3.
    Shamir, A.: Method and apparatus for protecting public key schemes from timing and fault attacks, U.S. Patent Number 5,991,415 (also presented at the rump session of EUROCRYPT 1997) (November 1999)Google Scholar
  4. 4.
    Aumüller, C., Bier, P., Fischer, W., Hofreiter, P., Seifert, J.P.: Fault attacks on rsa with crt: Concrete results and practical countermeasures. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 260–275. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  5. 5.
    Blömer, J., Otto, M., Seifert, J.P.: A new crt-rsa algorithm secure against bellcore attacks. In: CCS 2003: Proceedings of the 10th ACM conference on Computer and communications security, pp. 311–320. ACM, New York (2003)CrossRefGoogle Scholar
  6. 6.
    Joye, M., Ciet, M.: Practical fault countermeasures for chinese remaindering based rsa. In: Breveglieri, L., Koren, I. (eds.) 2nd Workshop on Fault Diagnosis and Tolerance in Cryptography - FDTC 2005 (2005)Google Scholar
  7. 7.
    Giraud, C.: Fault resistant rsa implementation. In: Breveglieri, L., Koren, I. (eds.) 2nd Workshop on Fault Diagnosis and Tolerance in Cryptography — FDTC 2005, pp. 142–151 (2005)Google Scholar
  8. 8.
    Kim, C.H., Quisquater, J.J.: How can we overcome both side channel analysis and fault attacks on rsa-crt? In: Breveglieri, L., Gueron, S., Koren, I., Naccache, D., Seifert, J.P. (eds.) FDTC, pp. 21–29 (2007)Google Scholar
  9. 9.
    Rivest, R.L., Shamir, A., Adelman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Technical Report MIT/LCS/TM-82 (1977)Google Scholar
  10. 10.
    Joye, M., Lenstra, A.K., Quisquater, J.J.: Chinese remaindering based cryptosystems in the presence of faults. Journal of Cryptology: the journal of the International Association for Cryptologic Research 12(4), 241–245 (1999)MATHGoogle Scholar
  11. 11.
    Joye, M., Paillier, P.: Gcd-free algorithms for computing modular inverses. In: D.Walter, C., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 243–253. Springer, Heidelberg (2003)Google Scholar
  12. 12.
    Yen, S.M., Kim, S., Lim, S., Moon, S.: Rsa speedup with residue number system immune against hardware fault cryptanalysis. In: Kim, K.-c. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 397–413. Springer, Heidelberg (2002)Google Scholar
  13. 13.
    Joye, M., Yen, S.: The montgomery powering ladder. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 291–302. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  14. 14.
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Transactions on Information Theory IT-22(6), 644–654 (1976)CrossRefMathSciNetGoogle Scholar
  15. 15.
    ElGamal, T.: A public-key cryptosystem and a signature scheme based on discrete logarithms. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985)CrossRefGoogle Scholar
  16. 16.
    Schnorr, C.P.: Efficient signature generation by smart cards. Journal of Cryptology 4(3), 161–174 (1991)MATHCrossRefMathSciNetGoogle Scholar
  17. 17.
    National Institute of Standards and Technology: Digital Standard Signature. Federal Information Processing Standards Publications 186 (1994)Google Scholar
  18. 18.
    Lim, C.H., Lee, P.J.: A study on the proposed korean digital signature algorithm. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 175–186. Springer, Heidelberg (1998)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • David Vigilant
    • 1
  1. 1.Cryptography Engineering, Gemalto Security Labs 

Personalised recommendations