2011
DOI: 10.1007/s13389-011-0015-x

Modulus fault attacks against RSA–CRT signatures

Abstract: RSA-CRT fault attacks have been an active research area since their discovery by Boneh, DeMillo and Lipton in 1997. We present alternative key-recovery attacks on RSA-CRT signatures: instead of targeting one of the sub-exponentiations in RSA-CRT, we inject faults into the public modulus before CRT interpolation, which makes a number of countermeasures against Boneh et al.'s attack ineffective. Our attacks are based on orthogonal lattice techniques and are very efficient in practice: depending on the f…

Cited by 12 publications (10 citation statements)
References: 26 publications
“…Since the pioneering exploit of a CRT-RSA implementation [4], fault attacks targeting cryptographic applications have been under the spotlight of security research and new studies are published every year [28]. Such fault attacks are either described at an algorithmic level [1,8] or target a specific implementation [5,9]. They rely on the attacker's ability to inject and exploit fault effects on a sensitive application: e.g., a skipped instruction or corrupted variable.…”
Section: Related Work (mentioning)
confidence: 99%
“…Garner's formula (2) does not require a reduction modulo N, which is interesting for efficiency reasons and also because it prevents certain fault attacks [4]. On the other hand, it does require an inverse Montgomery transformation S_q = CIOS(S_q, 1), whereas that step is not necessary for formula (1), as it can be mixed with the multiplication with q^{-1} mod p. This is an important point, as some of our attacks specifically target the inverse Montgomery transformation.…”
Section: RSA-CRT Signature Generation (mentioning)
confidence: 99%