Fault Attacks on RSA Public Keys: Left-To-Right Implementations Are Also Vulnerable

  • Alexandre Berzati
  • Cécile Canovas
  • Jean-Guillaume Dumas
  • Louis Goubin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5473)


After fault-injection attacks on RSA and the corresponding countermeasures, work has now appeared on the need to protect RSA public elements against fault attacks. We provide here an extension of a recent attack [BCG08] based on the corruption of the public modulus. The difficulty of decomposing the “Left-To-Right” exponentiation into partial multiplications is overcome by modifying the public modulus into a number with known factorization. This fault model is justified here by a complete study of faulty prime numbers of a fixed size. The good success rate of this attack, combined with its practicability, raises the question of using faults to change the algebraic properties of finite-field-based cryptosystems.
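To make the fault model concrete from the defender's side, the following added example (not code from the paper) implements a Left-To-Right square-and-multiply RSA signature, lets a simulated fault swap the modulus part-way through the loop, and shows the verify-before-output check that withholds such a faulty signature. Key values, the fault position and the corrupted modulus are toy constants constructed here.

```python
# Added example, not from the paper. Toy RSA parameters (constructed):
# p = 5, q = 11, N = 55, e = 3, d = 27 (3 * 27 = 81 = 1 mod phi(N) = 40).
N, E, D = 55, 3, 27

def ltr_modexp(base, exp, modulus, fault_at=None, faulty_modulus=None):
    """Left-To-Right binary exponentiation (square, then multiply on a 1 bit).

    If fault_at is an iteration index, the modulus is replaced by
    faulty_modulus from that iteration on. This simulates the public-modulus
    corruption the paper studies: every multiplication after the fault is
    reduced modulo a value the signer never intended to use.
    """
    acc = 1
    for i, bit in enumerate(bin(exp)[2:]):   # most significant bit first
        if fault_at is not None and i == fault_at:
            modulus = faulty_modulus
        acc = (acc * acc) % modulus
        if bit == "1":
            acc = (acc * base) % modulus
    return acc

def sign_checked(m, d, e, n, fault_at=None, faulty_n=None):
    """Sign m, then verify the result with the public exponent against a
    trusted copy of the modulus before releasing it.

    Returns the signature, or None when the check fails. A signature
    computed with a corrupted modulus does not satisfy s^e = m (mod n),
    so it is never output and gives an attacker nothing to analyse.
    """
    s = ltr_modexp(m, d, n, fault_at, faulty_n)
    if pow(s, e, n) != m:          # n here is the stored, unfaulted modulus
        return None
    return s

if __name__ == "__main__":
    m = 2
    print("clean signature:", sign_checked(m, D, E, N))               # 18
    # Constructed fault: bit 3 of N flipped (55 -> 47) from iteration 3 on.
    print("faulty run:     ", sign_checked(m, D, E, N, 3, N ^ 8))    # None
```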


Keywords: RSA, fault attacks, “Left-To-Right” exponentiation, number theory




  1. [BCG08] Berzati, A., Canovas, C., Goubin, L.: Perturbating RSA Public Keys: An Improved Attack. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 380–395. Springer, Heidelberg (2008)
  2. [BCMCC06] Brier, É., Chevallier-Mames, B., Ciet, M., Clavier, C.: Why One Should Also Secure RSA Public Key Elements. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 324–338. Springer, Heidelberg (2006)
  3. [BDJ+98] Bao, F., Deng, R.H., Jeng, A., Narasimhalu, A.D., Ngair, T.: Breaking Public Key Cryptosystems on Tamper Resistant Devices in the Presence of Transient Faults. In: Christianson, B., Lomas, M. (eds.) Security Protocols 1997. LNCS, vol. 1361, pp. 115–124. Springer, Heidelberg (1998)
  4. [BDL97] Boneh, D., DeMillo, R.A., Lipton, R.J.: On the Importance of Checking Cryptographic Protocols for Faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997)
  5. [BDL01] Boneh, D., DeMillo, R.A., Lipton, R.J.: On the Importance of Eliminating Errors in Cryptographic Computations. Journal of Cryptology 14(2), 101–119 (2001)
  6. [BECN+04] Bar-El, H., Choukri, H., Naccache, D., Tunstall, M., Whelan, C.: The Sorcerer’s Apprentice Guide to Fault Attacks. Cryptology ePrint Archive, Report 2004/100 (2004)
  7. [BO06] Blömer, J., Otto, M.: Wagner’s Attack on a Secure CRT-RSA Algorithm Reconsidered. In: Breveglieri, L., Koren, I., Naccache, D., Seifert, J.-P. (eds.) FDTC 2006. LNCS, vol. 4236, pp. 13–23. Springer, Heidelberg (2006)
  8. [BOS03] Blömer, J., Otto, M., Seifert, J.-P.: A New CRT-RSA Algorithm Secure Against Bellcore Attack. In: ACM Conference on Computer and Communication Security (CCS 2003), pp. 311–320. ACM Press, New York (2003)
  9. [BS97] Biham, E., Shamir, A.: Differential Fault Analysis of Secret Key Cryptosystems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997)
  10. [Cla07] Clavier, C.: De la sécurité physique des crypto-systèmes embarqués. PhD thesis, Université de Versailles Saint-Quentin (2007)
  11. [Coh93] Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, New York (1993)
  12. [Dus98] Dusart, P.: Autour de la fonction qui compte le nombre de nombres premiers. PhD thesis, Université de Limoges (1998)
  13. [Gir05a] Giraud, C.: DFA on AES. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2005. LNCS, vol. 3373, pp. 27–41. Springer, Heidelberg (2005)
  14. [Gir05b] Giraud, C.: Fault-Resistant RSA Implementation. In: Breveglieri, L., Koren, I. (eds.) Fault Diagnosis and Tolerance in Cryptography, pp. 142–151 (2005)
  15. [Mui06] Muir, J.A.: Seifert’s RSA Fault Attack: Simplified Analysis and Generalizations. Cryptology ePrint Archive, Report 2005/458 (2006)
  16. [Rab80] Rabin, M.O.: Probabilistic Algorithm for Testing Primality. Journal of Number Theory 12(1), 128–138 (1980)
  17. [Sei05] Seifert, J.-P.: On Authenticated Computing and RSA-Based Authentication. In: ACM Conference on Computer and Communications Security (CCS 2005), pp. 122–127. ACM Press, New York (2005)
  18. [Sho05] Shoup, V.: A Computational Introduction to Number Theory and Algebra. Cambridge University Press, Cambridge (2005)
  19. [Wag04] Wagner, D.: Cryptanalysis of a Provably Secure CRT-RSA Algorithm. In: Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS 2004), pp. 92–97. ACM Press, New York (2004)

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Alexandre Berzati (1, 3)
  • Cécile Canovas (1)
  • Jean-Guillaume Dumas (2)
  • Louis Goubin (3)
  1. CEA-LETI/MINATEC, Grenoble Cedex 9, France
  2. Laboratoire Jean Kuntzmann, UMR CNRS 5224, Université de Grenoble, Grenoble, France
  3. Versailles Saint-Quentin University, Versailles Cedex, France
