Security-aware embedded devices that are likely to operate in hostile environments need protection against physical attacks. For the RSA public-key algorithm, protected versions of the Montgomery powering ladder have gained popularity as countermeasures against such attacks. In this paper, we present a general fault attack against RSA implementations that use the Montgomery powering ladder. In a first step, we discuss under which realistic fault assumptions our observation can be used to attack basic implementations. In a second step, we extend our attack to a scenario where the message is blinded at the beginning of the exponentiation algorithm. To the best of our knowledge, this is the first fault attack on a blinded Montgomery powering ladder.