Fault Attacks on RSA Signatures with Partially Unknown Messages
Fault attacks exploit hardware malfunctions to recover secrets from embedded electronic devices. In the late 90’s, Boneh, DeMillo and Lipton  introduced fault-based attacks on crt-rsa. These attacks factor the signer’s modulus when the message padding function is deterministic. However, the attack does not apply when the message is partially unknown, for example when it contains some randomness which is recovered only when verifying a correct signature.
In this paper we successfully extends rsa fault attacks to a large class of partially known message configurations. The new attacks rely on Coppersmith’s algorithm for finding small roots of multivariate polynomial equations. We illustrate the approach by successfully attacking several randomized versions of the iso/iec 9796-2 encoding standard. Practical experiments show that a 2048-bit modulus can be factored in less than a minute given one faulty signature containing 160 random bits and an unknown 160-bit message digest.
KeywordsFault attacks digital signatures rsa Coppersmith’s theorem iso/iec 9796-2
- 1.Schmidt, J.-M., Herbst, C.: A practical fault attack on square and multiply. In: Proceedings of FDTC 2008, pp. 53–58. IEEE Computer Society Press, Los Alamitos (2008)Google Scholar
- 3.ATmega128 datasheet, http://www.atmel.com/dyn/resources/prod_documents/doc2467.pdf
- 4.BigDigits multiple-precision arithmetic source code, Version 2.2., http://www.di-mgt.com.au/bigdigits.html
- 8.Coron, J.S., Joux, A., Kizhvatov, I., Naccache, D., Paillier, P.: Fault Attacks on Randomized RSA Signatures. Full version of this paper, http://eprint.iacr.org
- 13.EMV, Integrated circuit card specifications for payment systems, Book 2. Security and Key Management. Version 4.2 (June 2008), http://www.emvco.com
- 14.Howgrave-Graham, N.A.: Finding small roots of univariate modular equations revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)Google Scholar
- 15.Howgrave-Graham, N.A.: Approximate integer common divisors. In: CALC, pp. 51–66 (2001)Google Scholar
- 16.ISO/IEC 9796-2, Information technology - Security techniques - Digital signature scheme giving message recovery, Part 2: Mechanisms using a hash-function (1997)Google Scholar
- 17.ISO/IEC 9796-2:2002 Information technology – Security techniques – Digital signature schemes giving message recovery – Part 2: Integer factorization based mechanisms (2002)Google Scholar
- 20.SAGE, Mathematical Library, http://www.sagemath.org