Modulus Fault Attacks against RSA-CRT Signatures

  • Éric Brier
  • David Naccache
  • Phong Q. Nguyen
  • Mehdi Tibouchi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6917)

Abstract

RSA-CRT fault attacks have been an active research area since their discovery by Boneh, DeMillo and Lipton in 1997. We present alternative key-recovery attacks on RSA-CRT signatures: instead of targeting one of the sub-exponentiations in RSA-CRT, we inject faults into the public modulus before CRT interpolation, which makes a number of countermeasures against Boneh et al.’s attack ineffective.

Our attacks are based on orthogonal lattice techniques and are very efficient in practice: depending on the fault model, between 5 and 45 faults suffice to recover the RSA factorization within a few seconds. Our simplest attack requires that the adversary knows the faulty moduli, but more sophisticated variants work even if the moduli are unknown, under reasonable fault models. All our attacks have been fully validated experimentally with fault-injection laser techniques.
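As an added illustration of the fault location the abstract describes (this is not the paper's code): a toy RSA-CRT signer whose CRT interpolation step reduces modulo the public modulus, a simulated single-bit fault on that modulus at exactly that step, and a release-time check of the output against the genuine public key. The toy key, the interpolation formula and the bit-flip fault model are assumptions; the paper's lattice key-recovery step is not implemented.

```python
# Added illustration, not code from the paper: RSA-CRT signing whose CRT
# interpolation reduces modulo the public modulus N, a simulated single-bit
# fault on N at that step, and a check of the output against the genuine
# public key. Toy key and fault model are constructed assumptions; the
# paper's lattice key-recovery step is not implemented here.

# Constructed toy key (far too small for real use).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# Precomputed RSA-CRT parameters, as an implementation would store them.
DP, DQ = D % (P - 1), D % (Q - 1)
ALPHA = Q * pow(Q, -1, P)   # ALPHA = 1 mod p, 0 mod q
BETA = P * pow(P, -1, Q)    # BETA = 0 mod p, 1 mod q


def crt_sign(m, n=N):
    """RSA-CRT signature of m. The public modulus only enters at the final
    interpolation step; `n` is the value the modulus register holds there."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    return (ALPHA * sp + BETA * sq) % n


def flip_bit(x, i):
    """Single-bit fault model (assumption): bit i of x is inverted."""
    return x ^ (1 << i)


def verify(sig, m, n=N):
    """Standard RSA verification under the modulus n."""
    return pow(sig, E, n) == m % n


def sign_with_modulus_fault(m, bit):
    """Sign m while the modulus register holds N with one bit flipped."""
    return crt_sign(m, flip_bit(N, bit))


def sign_checked(m, fault_bit=None):
    """Release a signature only if it verifies under the genuine N; returns
    None otherwise. Simulates a fault on the modulus when fault_bit is set."""
    sig = crt_sign(m) if fault_bit is None else sign_with_modulus_fault(m, fault_bit)
    return sig if verify(sig, m) else None


if __name__ == "__main__":
    m = 12345
    print("correct signature valid:", verify(crt_sign(m), m))
    print("faulty signature valid: ", verify(sign_with_modulus_fault(m, 5), m))
    print("checked signer under fault:", sign_checked(m, fault_bit=5))
```

Because the two half-exponentiations never touch N, a fault there leaves the signature consistent modulo the faulty modulus but invalid under the genuine one, which is what a check against the real public key observes.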

Keywords

Fault attacks, digital signatures, RSA, CRT, lattices


Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Éric Brier (1)
  • David Naccache (2)
  • Phong Q. Nguyen (2)
  • Mehdi Tibouchi (2)
  1. Ingenico, Guilherand-Granges, France
  2. Département d’informatique, Groupe de Cryptographie, École normale supérieure, Paris Cedex 05, France