PSS Is Secure against Random Fault Attacks
A fault attack consists in inducing hardware malfunctions in order to recover secrets from electronic devices. One of the most famous fault attack is Bellcore’s attack against RSA with CRT; it consists in inducing a fault modulo p but not modulo q at signature generation step; then by taking a gcd the attacker can recover the factorization of N = pq. The Bellcore attack applies to any encoding function that is deterministic, for example FDH. Recently, the attack was extended to randomized encodings based on the iso/iec 9796-2 signature standard. Extending the attack to other randomized encodings remains an open problem.
In this paper, we show that the Bellcore attack cannot be applied to the PSS encoding; namely we show that PSS is provably secure against random fault attacks in the random oracle model, assuming that inverting RSA is hard.
KeywordsProbabilistic Signature Scheme Provable Security Fault Attacks Bellcore Attack
- 1.Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the First Annual Conference on Computer and Communications Security. ACM, New York (1993)Google Scholar
- 2.Bellare, M., Rogaway, P.: The Exact security of digital signatures: How to sign with RSA and Rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)Google Scholar
- 4.Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. In: STOC 1998. ACM, New York (1998)Google Scholar
- 7.Coron, J.-S., Joux, A., Kizhvatov, I., Naccache, D., Paillier, P.: Fault Attacks on Randomized RSA Signatures with Partially Unknown Messages. In: CHES 2009, pp. 444–456 (2009), http://www.jscoron.fr/publications.html
- 8.emvIntegrated circuit card specifications for payment systems, Book 2. Security and Key Management. Version 4.2 (June 2008), http://www.emvco.com
- 10.IEEE P1363a, Standard Specifications For Public Key Cryptography: Additional Techniques, http://www.manta.ieee.org/groups/1363
- 11.ISO/IEC 9796-2:2002 Information technology – Security techniques – Digital signature schemes giving message recovery – Part 2: Integer factorization based mechanisms (2002)Google Scholar
- 14.Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public key cryptosystems. CACM 21 (1978)Google Scholar