Cryptanalysis of Two Protocols for RSA with CRT Based on Fault Infection

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4236)


Speeding up RSA private-key computation with the Chinese Remainder Theorem (CRT) is a well-known technique that has been adopted in almost all RSA implementations. A recent CRT-based factorization attack that exploits hardware faults has received growing attention because most existing implementations are potentially vulnerable to it: in this attack, any single erroneous computation makes the RSA system vulnerable to factorization of the public modulus. Recently, two hardware-fault-immune protocols for CRT speedup of RSA private computation were proposed, based on the concept of fault infective computation. A special property of these two protocols is that, in order to improve reliability, they do not assume the existence of a totally fault-free and tamper-free comparison operation inside the device. This paper shows, however, that both protocols remain vulnerable to a potential computational fault attack on an auxiliary process that the usual CRT-based factorization attack does not consider.
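The abstract's premise, that a single faulty CRT half-computation leaks a prime factor of the modulus, is the classic CRT-RSA fault attack. The following example is added here to illustrate that premise and the "check before output" countermeasure it motivates; it is not code from the paper or from the two protocols it analyses. The parameters (the toy primes `P` and `Q`, the message `M`) are constructed for illustration and are far too small to be secure; `crt_sign`, `verify`, `recover_factor` and `sign_with_check` are names chosen for this example.

```python
import math

# Constructed toy RSA parameters (illustration only; not secure sizes).
P = 1000003          # prime
Q = 1000033          # prime
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # private exponent (Python 3.8+ modular inverse)

# CRT precomputation, as stored by a typical CRT-RSA implementation.
DP = D % (P - 1)
DQ = D % (Q - 1)
QINV = pow(Q, -1, P)

M = 123456789        # constructed sample message, already reduced mod N


def crt_sign(m, fault_in_q=False):
    """Standard CRT signature with Garner recombination.

    fault_in_q simulates a single transient computational fault in the
    mod-Q half-exponentiation, the situation the abstract refers to.
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_q:
        sq = (sq + 1) % Q  # one wrong intermediate value is enough
    h = (QINV * (sp - sq)) % P
    return sq + h * Q


def verify(m, s):
    """Public-key check of a signature: s^e must equal m modulo N."""
    return pow(s, E, N) == m % N


def recover_factor(m, s_faulty):
    """Why a single fault is fatal: the faulty signature is still correct
    modulo P, so s_faulty^e - m is divisible by P but not by Q, and the
    gcd with N reveals P. This needs only the public key and one faulty
    output (the Lenstra variant of the attack)."""
    return math.gcd((pow(s_faulty, E, N) - m) % N, N)


def sign_with_check(m, fault_in_q=False):
    """Check-before-output countermeasure: never release a signature that
    fails public-key verification. Returns None instead of a faulty value.
    Note that this relies on the comparison itself being fault-free, which
    is exactly the assumption the fault-infective protocols try to drop."""
    s = crt_sign(m, fault_in_q)
    return s if verify(m, s) else None


if __name__ == "__main__":
    good = crt_sign(M)
    bad = crt_sign(M, fault_in_q=True)
    print("correct signature verifies:", verify(M, good))
    print("faulty signature verifies:", verify(M, bad))
    print("factor recovered from faulty signature:", recover_factor(M, bad) == P)
    print("checked signer releases faulty value:", sign_with_check(M, fault_in_q=True) is not None)
```

The fault is injected in the mod-Q half, so the recovered factor is `P`; a fault in the mod-P half would yield `Q` by the same argument. The example stops at the comparison-based check because the paper's point is precisely that a protocol cannot assume that comparison is trustworthy, which is what fault-infective designs address.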


Keywords: Chinese remainder theorem (CRT); Cryptography; Factorization attack; Fault infective CRT; Hardware fault cryptanalysis; Residue number system





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  1. Laboratory of Cryptography and Information Security (LCIS), Department of Computer Science and Information Engineering, National Central University, Chung-Li, Taiwan, R.O.C.
  2. Strategy Development Team, Information Security Policy Division, Korea Information Security Agency, Seoul, Korea
  3. School of Electronic and Electrical Engineering, Kyungpook National University, Taegu, Korea
