Fault Attacks on RSA Signatures with Partially Unknown Messages

  • Jean-Sébastien Coron
  • Antoine Joux
  • Ilya Kizhvatov
  • David Naccache
  • Pascal Paillier
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5747)


Fault attacks exploit hardware malfunctions to recover secrets from embedded electronic devices. In the late 90's, Boneh, DeMillo and Lipton [6] introduced fault-based attacks on CRT-RSA. These attacks factor the signer's modulus when the message padding function is deterministic. However, the attack does not apply when the message is partially unknown, for example when it contains some randomness which is recovered only when verifying a correct signature.

In this paper we successfully extend RSA fault attacks to a large class of partially known message configurations. The new attacks rely on Coppersmith's algorithm for finding small roots of multivariate polynomial equations. We illustrate the approach by successfully attacking several randomized versions of the ISO/IEC 9796-2 encoding standard. Practical experiments show that a 2048-bit modulus can be factored in less than a minute given one faulty signature containing 160 random bits and an unknown 160-bit message digest.
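The deterministic-padding fault attack of [6] that the abstract refers to, and the reason it stops working once the padded value contains randomness the attacker never sees, as an added toy example (not code from the paper or its authors). The 40-bit primes, both padding functions and the single-bit fault in the mod-q half are constructed for illustration; the final function is the standard countermeasure of verifying with the public key before releasing a signature.

```python
from hashlib import sha256
from math import gcd
import os

# Constructed toy CRT-RSA key (40-bit modulus, illustration only; not secure).
P, Q = 1000003, 1000033
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
Q_INV = pow(Q, -1, P)

def mu_det(m: bytes) -> int:
    """Deterministic toy padding: anyone who knows m can recompute mu(m)."""
    return int.from_bytes(sha256(b"det|" + m).digest(), "big") % N

def mu_rand(m: bytes, r: bytes) -> int:
    """Randomized toy padding: mu depends on r, which only leaves the signer inside a correct signature."""
    return int.from_bytes(sha256(r + m).digest(), "big") % N

def sign_crt(mu: int, fault_q: bool = False) -> int:
    """CRT-RSA signing with Garner recombination; fault_q simulates a glitch in the mod-q half."""
    sp = pow(mu, D % (P - 1), P)
    sq = pow(mu, D % (Q - 1), Q)
    if fault_q:
        sq ^= 1                      # constructed fault: one bit of s_q flipped
    return sq + Q * (((sp - sq) * Q_INV) % P)

def sign_randomized(m: bytes, fault_q: bool = False, r=None):
    """Sign m under the randomized padding; r is fresh per signature and is never output."""
    r = os.urandom(20) if r is None else r
    return sign_crt(mu_rand(m, r), fault_q), r

def bellcore(sig: int, mu_guess: int):
    """Boneh-DeMillo-Lipton check: a faulty CRT signature plus the exact padded value gives a factor of N."""
    g = gcd((pow(sig, E, N) - mu_guess) % N, N)
    return g if 1 < g < N else None

def sign_checked(mu: int, fault_q: bool = False):
    """Standard countermeasure: verify with the public key before releasing the signature."""
    sig = sign_crt(mu, fault_q)
    return sig if pow(sig, E, N) == mu else None

if __name__ == "__main__":
    m = b"constructed message"
    print(bellcore(sign_crt(mu_det(m), fault_q=True), mu_det(m)) == P)  # deterministic padding: p recovered
    sig, _ = sign_randomized(m, fault_q=True)
    print(bellcore(sig, mu_rand(m, bytes(20))))                         # r unknown, wrong guess: None
    print(sign_checked(mu_det(m), fault_q=True))                         # checked signer never releases it: None
```

With the randomized padding the only thing missing is r; the paper's contribution is recovering p anyway via Coppersmith's method when the unknown part is small enough, which is beyond this toy.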


Keywords: Fault attacks, digital signatures, RSA, Coppersmith's theorem, ISO/IEC 9796-2


References

  1. Schmidt, J.-M., Herbst, C.: A practical fault attack on square and multiply. In: Proceedings of FDTC 2008, pp. 53–58. IEEE Computer Society Press, Los Alamitos (2008)
  2. Kim, C.H., Quisquater, J.-J.: Fault attacks for CRT based RSA: New attacks, new results, and new countermeasures. In: Sauveron, D., Markantonakis, K., Bilas, A., Quisquater, J.-J. (eds.) WISTP 2007. LNCS, vol. 4462, pp. 215–228. Springer, Heidelberg (2007)
  3.
  4. BigDigits multiple-precision arithmetic source code, Version 2.2.
  5. Bellare, M., Rogaway, P.: The exact security of digital signatures - how to sign with RSA and Rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)
  6. Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults. Journal of Cryptology 14(2), 101–119 (2001)
  7. Coppersmith, D.: Small solutions to polynomial equations, and low exponent vulnerabilities. Journal of Cryptology 10(4), 233–260 (1997)
  8. Coron, J.S., Joux, A., Kizhvatov, I., Naccache, D., Paillier, P.: Fault Attacks on Randomized RSA Signatures. Full version of this paper.
  9. Coron, J.-S., Naccache, D., Stern, J.P.: On the security of RSA padding. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 1–18. Springer, Heidelberg (1999)
  10. Coron, J.-S., Naccache, D., Tibouchi, M., Weinmann, R.P.: Practical cryptanalysis of ISO/IEC 9796-2 and EMV signatures. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 428–444. Springer, Heidelberg (2009)
  11. Coron, J.-S.: Optimal security proofs for PSS and other signature schemes. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 272–287. Springer, Heidelberg (2002)
  12. Herrmann, M., May, A.: Solving linear equations modulo divisors: On factoring given any bits. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 406–424. Springer, Heidelberg (2008)
  13. EMV, Integrated circuit card specifications for payment systems, Book 2. Security and Key Management. Version 4.2 (June 2008)
  14. Howgrave-Graham, N.A.: Finding small roots of univariate modular equations revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)
  15. Howgrave-Graham, N.A.: Approximate integer common divisors. In: CALC, pp. 51–66 (2001)
  16. ISO/IEC 9796-2, Information technology - Security techniques - Digital signature scheme giving message recovery, Part 2: Mechanisms using a hash-function (1997)
  17. ISO/IEC 9796-2:2002 Information technology – Security techniques – Digital signature schemes giving message recovery – Part 2: Integer factorization based mechanisms (2002)
  18. Joye, M., Lenstra, A., Quisquater, J.-J.: Chinese remaindering cryptosystems in the presence of faults. Journal of Cryptology 21(1), 27–51 (1999)
  19. Lenstra, A., Lenstra Jr., H., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261, 513–534 (1982)
  20. SAGE, Mathematical Library.
  21. Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public key cryptosystems. Communications of the ACM 21, 120–126 (1978)

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Jean-Sébastien Coron (1)
  • Antoine Joux (2)
  • Ilya Kizhvatov (1)
  • David Naccache (3)
  • Pascal Paillier (4)
  1. Université du Luxembourg, Luxembourg, Luxembourg
  2. DGA and Université de Versailles, Versailles CEDEX, France
  3. Département d'informatique, Groupe de Cryptographie, École normale supérieure, Paris CEDEX 05, France
  4. Gemalto, Cryptography & Innovation, Meudon sur Seine, France
