Fault Attacks on RSA Signatures with Partially Unknown Messages

  • Jean-Sébastien Coron
  • Antoine Joux
  • Ilya Kizhvatov
  • David Naccache
  • Pascal Paillier
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5747)

Abstract

Fault attacks exploit hardware malfunctions to recover secrets from embedded electronic devices. In the late 1990s, Boneh, DeMillo and Lipton [6] introduced fault-based attacks on CRT-RSA. These attacks factor the signer’s modulus when the message padding function is deterministic. However, the attack does not apply when the message is partially unknown, for example when it contains some randomness which is recovered only when verifying a correct signature.

In this paper we successfully extend RSA fault attacks to a large class of partially known message configurations. The new attacks rely on Coppersmith’s algorithm for finding small roots of multivariate polynomial equations. We illustrate the approach by successfully attacking several randomized versions of the ISO/IEC 9796-2 encoding standard. Practical experiments show that a 2048-bit modulus can be factored in less than a minute given one faulty signature containing 160 random bits and an unknown 160-bit message digest.
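As an added illustration (not from the paper), the following toy Python model shows the CRT-RSA scenario the abstract describes: with deterministic padding a single faulty signature factors N via the Boneh-DeMillo-Lipton gcd; with a random padding field the same gcd fails because the attacker cannot reconstruct the padded message; and a verify-before-release check suppresses the faulty output. The key size, padding layout, nonce width and fault model are constructed toy values.

```python
import hashlib
import math

# Toy CRT-RSA key (constructed for illustration; Mersenne primes, far too small for real use)
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def crt_sign(m, fault_in_p=False):
    """s = m^D mod N via CRT. fault_in_p=True corrupts the mod-P half, simulating
    a glitch in one exponentiation (a software stand-in for a hardware fault)."""
    sp, sq = pow(m, D % (P - 1), P), pow(m, D % (Q - 1), Q)
    if fault_in_p:
        sp = (sp + 1) % P
    h = (pow(Q, -1, P) * (sp - sq)) % P      # Garner recombination
    return sq + h * Q


def bellcore_factor(s_faulty, m):
    """Boneh-DeMillo-Lipton: a faulty mod-P half leaves s^E == m (mod Q) but not
    (mod P), so gcd(s^E - m, N) yields the prime of the correct half."""
    return math.gcd((pow(s_faulty, E, N) - m) % N, N)


def pad_deterministic(msg):
    # 64-bit truncated digest: the attacker can recompute it from msg alone
    return int.from_bytes(hashlib.sha256(msg).digest()[:8], "big")


def pad_randomized(msg, r):
    # digest || 16-bit nonce r; r is recovered only by verifying a *correct* signature
    return (pad_deterministic(msg) << 16) | r


def sign_with_check(m, fault_in_p=False):
    """Countermeasure: verify before release, so a faulty signature is never output."""
    s = crt_sign(m, fault_in_p)
    return s if pow(s, E, N) == m else None


def demo():
    msg = b"transfer 100"
    # 1. deterministic padding: one faulty signature factors N
    m = pad_deterministic(msg)
    q_found = bellcore_factor(crt_sign(m, fault_in_p=True), m)
    # 2. randomized padding: the attacker's guess of r is wrong, so the gcd yields nothing
    r = 0x2A5C                               # constructed nonce, unknown to the attacker
    s_bad = crt_sign(pad_randomized(msg, r), fault_in_p=True)
    wrong = bellcore_factor(s_bad, pad_randomized(msg, (r + 1) % 2**16))
    # 3. verify-before-release blocks the faulty output entirely
    blocked = sign_with_check(m, fault_in_p=True)
    return q_found, wrong, blocked
```

The paper's contribution is the gap between cases 1 and 2: when the unknown part is too large to guess, Coppersmith's method replaces the guess, which the toy above does not implement.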

Keywords

Fault attacks; digital signatures; RSA; Coppersmith’s theorem; ISO/IEC 9796-2

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Jean-Sébastien Coron (1)
  • Antoine Joux (2)
  • Ilya Kizhvatov (1)
  • David Naccache (3)
  • Pascal Paillier (4)
  1. Université du Luxembourg, Luxembourg, Luxembourg
  2. DGA and Université de Versailles, Versailles CEDEX, France
  3. Département d’informatique, Groupe de Cryptographie, École normale supérieure, Paris CEDEX 05, France
  4. Gemalto, Cryptography & Innovation, Meudon sur Seine, France