PSS Is Secure against Random Fault Attacks

  • Jean-Sébastien Coron
  • Avradip Mandal
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5912)


A fault attack consists in inducing hardware malfunctions in order to recover secrets from electronic devices. One of the most famous fault attacks is Bellcore's attack against RSA with CRT; it consists in inducing a fault modulo p but not modulo q at the signature generation step; then, by taking a gcd, the attacker can recover the factorization of N = pq. The Bellcore attack applies to any encoding function that is deterministic, for example FDH. Recently, the attack was extended to randomized encodings based on the ISO/IEC 9796-2 signature standard. Extending the attack to other randomized encodings remains an open problem.

In this paper, we show that the Bellcore attack cannot be applied to the PSS encoding; namely we show that PSS is provably secure against random fault attacks in the random oracle model, assuming that inverting RSA is hard.
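The RSA-CRT fault scenario described above, simulated in Python as an added example (not from the paper): a deterministic FDH-style encoding is signed with CRT, one half is corrupted, and the gcd step recovers the unfaulted prime; the same code shows the standard verify-before-release check that stops a faulty signature from ever leaving the device. The primes, the message and the simulated fault are constructed toy values.

```python
import hashlib
from math import gcd

# Constructed toy RSA-CRT key (small primes, illustration only).
p, q = 104729, 104723
N = p * q
e = 65537
phi = (p - 1) * (q - 1)
d = pow(e, -1, phi)
dp, dq = d % (p - 1), d % (q - 1)
q_inv = pow(q, -1, p)          # q^-1 mod p, for Garner recombination


def fdh_encode(msg: bytes) -> int:
    """Deterministic FDH-style encoding (toy): a hash reduced modulo N.
    Because it is deterministic, anyone who knows msg also knows mu."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign_crt(mu: int, fault_mod_p: bool = False) -> int:
    """RSA-CRT signature of the encoded value mu.
    fault_mod_p simulates a random fault in the mod-p exponentiation only."""
    sp = pow(mu, dp, p)
    sq = pow(mu, dq, q)
    if fault_mod_p:
        sp = (sp + 1) % p      # corrupted half; the mod-q half stays correct
    h = (q_inv * (sp - sq)) % p
    return sq + q * h          # Garner: s = sp (mod p), s = sq (mod q)


def bellcore_factor(mu: int, faulty_sig: int) -> int:
    """Bellcore step: sigma'^e = mu holds mod q but not mod p, so
    gcd(sigma'^e - mu, N) is the unfaulted prime q.  Needs mu, which a
    deterministic encoding gives away; a randomized encoding like PSS
    hides the salt inside mu when the signature is faulty."""
    return gcd((pow(faulty_sig, e, N) - mu) % N, N)


def sign_checked(mu: int, fault_mod_p: bool = False):
    """Countermeasure: verify the signature with the public key before
    releasing it; return None instead of a faulty signature."""
    s = sign_crt(mu, fault_mod_p)
    return s if pow(s, e, N) == mu else None


if __name__ == "__main__":
    mu = fdh_encode(b"constructed test message")
    print("recovered q:", bellcore_factor(mu, sign_crt(mu, fault_mod_p=True)) == q)
    print("faulty signature released:", sign_checked(mu, fault_mod_p=True) is not None)
```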


Keywords: Probabilistic Signature Scheme, Provable Security, Fault Attacks, Bellcore Attack


Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Jean-Sébastien Coron, University of Luxembourg
  • Avradip Mandal, University of Luxembourg