It is well known that a malicious adversary can try to retrieve secret information by inducing a fault during cryptographic operations. Following the work of Seifert on fault induction during RSA signature verification, we consider in this paper the signature counterpart. Our article introduces the first fault attack applied to RSA in standard mode: by corrupting only one public key element, one can recover the private exponent. Indeed, similarly to Seifert's attack, ours is carried out by modifying the modulus. One of the strong points of our attack is that the assumptions on the induced faults' effects are relaxed. In one mode, absolutely no knowledge of the fault's behavior is needed to achieve full recovery of the private exponent. In another mode, based on a fault model that defines what is called a dictionary, the attack's efficiency is improved and the number of faults is dramatically reduced. All our attacks are very practical. Note that these attacks work even against implementations with deterministic (e.g., RSA-FDH) or randomized (e.g., RSA-PFDH) paddings, except for signature schemes with randomness recovery (such as RSA-PSS). The results presented in this paper lead us to conclude that it is also mandatory to protect RSA's public parameters against fault attacks.
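The abstract's conclusion that RSA's public parameters need protection is illustrated by this added example, which is not code from the paper: a toy signer checks an integrity tag over (N, e) before use and verifies its own output with the checked parameters before releasing it, so a modulus corrupted either in storage or during the exponentiation produces no signature rather than a faulty one. The key, the hash-based encoding and the single-bit fault model are constructed for illustration only.

```python
"""Defensive RSA signing with public-parameter integrity checks (constructed example)."""
import hashlib
from typing import Callable, Optional

# Constructed toy key pair: small primes for readability, never use in practice.
P, Q = 1000003, 1000033
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def params_digest(n: int, e: int) -> bytes:
    """Integrity tag over the public parameters, computed once at key provisioning."""
    return hashlib.sha256(n.to_bytes(64, "big") + e.to_bytes(8, "big")).digest()


REFERENCE_DIGEST = params_digest(N, E)  # trusted copy kept beside the key


def encode(msg: bytes, n: int) -> int:
    """Toy deterministic encoding in the spirit of RSA-FDH (hash reduced mod n); not a real FDH."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def inject_modulus_fault(n: int, bit: int = 20) -> int:
    """Constructed fault model: a single bit flip on the modulus value."""
    return n ^ (1 << bit)


def sign_unprotected(msg: bytes, n_in_use: int) -> int:
    """Naive signer: exponentiates with whatever modulus value it is handed."""
    return pow(encode(msg, N), D, n_in_use)


def sign_protected(msg: bytes, n_stored: int,
                   transient_fault: Callable[[int], int] = lambda n: n) -> Optional[int]:
    """Signer with two checks: the stored (n, e) must match the reference digest, and the
    signature must verify under the checked parameters before it is released.
    Returns None instead of a signature when either check fails."""
    if params_digest(n_stored, E) != REFERENCE_DIGEST:
        return None  # persistent corruption of the stored public key element
    m = encode(msg, n_stored)
    n_exp = transient_fault(n_stored)  # models a fault hitting the modulus during exponentiation
    s = pow(m, D, n_exp)
    if pow(s, E, n_stored) != m:
        return None  # verify-after-sign catches the transient fault
    return s


def verify(msg: bytes, s: int) -> bool:
    """Ordinary verification with the trusted public key."""
    return pow(s, E, N) == encode(msg, N)
```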