A method for obtaining digital signatures and public-key cryptosystems
Communications of the ACM
On the Security of RSA Padding
CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
Optimal Security Proofs for PSS and Other Signature Schemes
EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
Finding Small Roots of Univariate Modular Equations Revisited
Proceedings of the 6th IMA International Conference on Cryptography and Coding
Approximate Integer Common Divisors
CaLC '01 Revised Papers from the International Conference on Cryptography and Lattices
A Practical Fault Attack on Square and Multiply
FDTC '08 Proceedings of the 2008 5th Workshop on Fault Diagnosis and Tolerance in Cryptography
Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits
ASIACRYPT '08 Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Practical Cryptanalysis of iso/iec 9796-2 and emv Signatures
CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
The exact security of digital signatures-how to sign with RSA and Rabin
EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Fault attacks for CRT based RSA: new attacks, new results and new countermeasures
WISTP'07 Proceedings of the 1st IFIP TC6 /WG8.8 /WG11.2 international conference on Information security theory and practices: smart cards, mobile and ubiquitous computing systems
PSS Is Secure against Random Fault Attacks
ASIACRYPT '09 Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
An efficient CRT-RSA algorithm secure against power and fault attacks
Journal of Systems and Software
Modulus fault attacks against RSA-CRT signatures
CHES'11 Proceedings of the 13th international conference on Cryptographic hardware and embedded systems
Fault attacks against EMV signatures
CT-RSA'10 Proceedings of the 2010 international conference on Topics in Cryptology
Partial key exposure: generalized framework to attack RSA
INDOCRYPT'11 Proceedings of the 12th international conference on Cryptology in India
On the optimality of lattices for the coppersmith technique
ACISP'12 Proceedings of the 17th Australasian conference on Information Security and Privacy
Attacking RSA---CRT signatures with faults on montgomery multiplication
CHES'12 Proceedings of the 14th international conference on Cryptographic Hardware and Embedded Systems
Side channel attack to actual cryptanalysis: breaking CRT-RSA with low weight decryption exponents
CHES'12 Proceedings of the 14th international conference on Cryptographic Hardware and Embedded Systems
| Hi-index | 0.00 |
Fault attacks exploit hardware malfunctions to recover secrets from embedded electronic devices. In the late 90's, Boneh, DeMillo and Lipton [6] introduced fault-based attacks on crt-rsa . These attacks factor the signer's modulus when the message padding function is deterministic. However, the attack does not apply when the message is partially unknown, for example when it contains some randomness which is recovered only when verifying a correct signature. In this paper we successfully extends rsa fault attacks to a large class of partially known message configurations. The new attacks rely on Coppersmith's algorithm for finding small roots of multivariate polynomial equations. We illustrate the approach by successfully attacking several randomized versions of the iso/iec 9796-2 encoding standard. Practical experiments show that a 2048-bit modulus can be factored in less than a minute given one faulty signature containing 160 random bits and an unknown 160-bit message digest.