Securing RSA against Fault Analysis by Double Addition Chain Exponentiation
CT-RSA '09 Proceedings of the The Cryptographers' Track at the RSA Conference 2009 on Topics in Cryptology
PUF ROKs: a hardware approach to read-once keys
Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
An efficient CRT-RSA algorithm secure against power and fault attacks
Journal of Systems and Software
| Hi-index | 0.00 |
Since its invention in 1977, the celebrated RSA primitive has remained unbroken from a mathematical point of view, and has been widely used to build provably secure encryption or signature protocols. However, the introduction in 1996 of a new model of attacks – based on fault injections – by Boneh, deMillo and Lipton suggests the use of specific countermeasures to obtain a secure RSA implementation. In the special case of CRT implementations, many protections have been proposed and most of them have been proven insufficient to ensure resistance against DFA. In the present paper, we show that the Ciet-Joye method proposed in FDTC'2005 [10] does not completely prevent fault injection attacks: for a CRT-RSA with a 1024-bit modulus, we show that 13 faulty signatures are enough to recover the secret exponent with a probability greater than 50%, which can be improved to 99% with 83 faulty signatures.