2006 | OriginalPaper | Buchkapitel
Why One Should Also Secure RSA Public Key Elements
verfasst von : Eric Brier, Benoît Chevallier-Mames, Mathieu Ciet, Christophe Clavier
Erschienen in: Cryptographic Hardware and Embedded Systems - CHES 2006
Verlag: Springer Berlin Heidelberg
Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.
Wählen Sie Textabschnitte aus um mit Künstlicher Intelligenz passenden Patente zu finden. powered by
Markieren Sie Textabschnitte, um KI-gestützt weitere passende Inhalte zu finden. powered by
It is well known that a malicious adversary can try to retrieve secret information by inducing a fault during cryptographic operations. Following the work of Seifert on fault inductions during
RSA
signature verification, we consider in this paper the signature counterpart.
Our article introduces the first fault attack applied on
RSA
in standard mode. By only corrupting one public key element, one can recover the private exponent. Indeed, similarly to Seifert’s attack, our attack is done by modifying the modulus.
One of the strong points of our attack is that the assumptions on the induced faults’ effects are relaxed. In one mode,
absolutely no knowledge
of the fault’s behavior is needed to achieve the full recovery of the private exponent. In another mode, based on a fault model defining what is called
dictionary
, the attack’s efficiency is improved and the number of faults is dramatically reduced. All our attacks are very practical.
Note that those attacks do work even against implementations with deterministic (
e.g.,
RSA-FDH
) or random (
e.g.,
RSA-PFDH
) paddings, except for cases where we have signatures with randomness recovery (such as
RSA-PSS
).
The results finally presented on this paper lead us to conclude that it is also mandatory to protect
RSA
’s public parameters against fault attacks.