ABSTRACT
At CHES 2008, Vigilant proposed an efficient way of implementing a CRT-RSA resistant against Fault Analysis. In this paper, we investigate the fault-resistance of this scheme and we show that it is not immune to fault injection. Indeed, we highlight two weaknesses which can lead an attacker to recover the whole private key by using only one faulty signature. We also suggest some modifications with a negligible cost to improve the fault-resistance of Vigilant's scheme. Therefore the scheme including modifications remains suited to embedded device constraints.
Recommendations
On Second-Order Fault Analysis Resistance for CRT-RSA Implementations
WISTP '09: Proceedings of the 3rd IFIP WG 11.2 International Workshop on Information Security Theory and Practice. Smart Devices, Pervasive Systems, and Ubiquitous Networks
Since their publication in 1996, Fault Attacks have been widely studied from both theoretical and practical points of view and most of cryptographic systems have been shown vulnerable to this kind of attacks. Until recently, most of the theoretical ...
In(security) Against Fault Injection Attacks for CRT-RSA Implementations
FDTC '08: Proceedings of the 2008 5th Workshop on Fault Diagnosis and Tolerance in Cryptography
Since its invention in 1977, the celebrated RSA primitive has remained unbroken from a mathematical point of view, and has been widely used to build provably secure encryption or signature protocols. However, the introduction in 1996 of a new model of ...
Modulus fault attacks against RSA-CRT signatures
CHES'11: Proceedings of the 13th international conference on Cryptographic hardware and embedded systems
RSA-CRT fault attacks have been an active research area since their discovery by Boneh, DeMillo and Lipton in 1997. We present alternative key-recovery attacks on RSA-CRT signatures: instead of targeting one of the sub-exponentiations in RSA-CRT, we ...