Weaknesses in Current RSA Signature Schemes

  • Juliane Krämer
  • Dmitry Nedospasov
  • Jean-Pierre Seifert
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7259)

Abstract

This work presents several classes of messages that lead to data leakage during modular exponentiation. Such messages allow for the recovery of the entire secret exponent with a single power measurement. We show that padding schemes as defined by industry standards such as PKCS#1 and ANSI X9.31 are vulnerable to side-channel attacks, since the padded messages they produce meet the characteristics defined by our classes. Though PKCS#1 states that there are no known attacks against RSASSA-PKCS1-v1_5, the EMSA-PKCS1-v1_5 encoding in fact makes the scheme vulnerable to side-channel analysis. These attacks were validated against a real-world smartcard system, the Infineon SLE78, which ran our proof-of-concept implementation. Additionally, we introduce methods for the elegant recovery of the full RSA private key from blinded RSA CRT exponents.

Keywords

RSA, PKCS#1, ANSI X9.31, Side-Channel Attacks, Simple Power Analysis, CRT Exponent Blinding

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Juliane Krämer (1)
  • Dmitry Nedospasov (1)
  • Jean-Pierre Seifert (1)

  1. Security in Telecommunications, Technische Universität Berlin and Deutsche Telekom Innovation Laboratories, Germany