Fault Attacks Against emv Signatures

  • Jean-Sébastien Coron
  • David Naccache
  • Mehdi Tibouchi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5985)


At ches 2009, Coron, Joux, Kizhvatov, Naccache and Paillier (cjknp) exhibited a fault attack against rsa signatures with partially known messages. This fault attack allows factoring the public modulus N. While the size of the unknown message part (ump) increases with the number of faulty signatures available, the complexity of cjknp’s attack increases exponentially with the number of faulty signatures.

This paper describes a simpler attack, whose complexity remains polynomial in the number of faults; consequently, the new attack can handle much larger umps. The new technique can factor N in a fraction of a second using ten faulty emv signatures – a target beyond cjknp’s reach. We also show how to apply the attack even when N is unknown, a frequent situation in real-life attacks.


Fault Attacks Digital Signatures rsa iso/iec 9796-2 emv 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bellare, M., Rogaway, P.: The Exact security of digital signatures: How to sign with rsa and Rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)Google Scholar
  2. 2.
    Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults. Journal of Cryptology 14(2), 101–119 (2001)zbMATHCrossRefMathSciNetGoogle Scholar
  3. 3.
    Coppersmith, D.: Small solutions to polynomial equations, and low exponent vulnerabilities. Journal of Cryptology 10(4), 233–260 (1997)zbMATHCrossRefMathSciNetGoogle Scholar
  4. 4.
    Coron, J.-S., Joux, A., Kizhvatov, I., Naccache, D., Paillier, P.: Fault attacks on rsa signatures with partially unknown messages. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 444–456. Springer, Heidelberg (2009), CrossRefGoogle Scholar
  5. 5.
    Coron, J.-S., Naccache, D., Stern, J.P.: On the security of RSA padding. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 1–18. Springer, Heidelberg (1999)Google Scholar
  6. 6.
    Coron, J.-S., Naccache, D., Tibouchi, M., Weinmann, R.P.: Practical cryptanalysis of iso/iec 9796-2 and emv signatures. In: Halevi, S. (ed.) Advances in Cryptology - CRYPTO 2009. LNCS, vol. 5677, pp. 428–444. Springer, Heidelberg (2009), CrossRefGoogle Scholar
  7. 7.
    Coron, J.-S.: Optimal security proofs for pss and other signature schemes. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 272–287. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  8. 8.
    Coron, J.-S., Joye, M., Naccache, D., Paillier, P.: Universal padding schemes for RSA. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 226–241. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  9. 9.
    Herrmann, M., May, A.: Solving linear equations modulo divisors: On factoring given any bits. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 406–424. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  10. 10.
    emv, Integrated circuit card specifications for payment systems, Book 2. Security and Key Management. Version 4.2 (June 2008),
  11. 11.
    emv, EMVCo type approval terminal level 2 test cases. Version 4.2a (April 2009),
  12. 12.
    iso/iec 8825-1:2002, Information technology – ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER) (2002)Google Scholar
  13. 13.
    iso/iec 9796-2, Information technology – Security techniques – Digital signature schemes giving message recovery – Part 2: Mechanisms using a hash-funcion (1997)Google Scholar
  14. 14.
    iso/iec 9796-2:2002 Information technology – Security techniques – Digital signature schemes giving message recovery– Part 2: Integer factorization based mechanisms (2002)Google Scholar
  15. 15.
    Joye, M., Lenstra, A., Quisquater, J.-J.: Chinese remaindering cryptosystems in the presence of faults. Journal of Cryptology 21(1), 27–51 (1999)Google Scholar
  16. 16.
    Nguyen, P., Stern, J.: Cryptanalysis of a fast public key cryptosystem presented at sac 1997. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 213–218. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  17. 17.
    Nguyen, P., Stern, J.: Merkle-Hellman revisited: a cryptanalysis of the Qu-Vanstone cryptosystem based on group factorization. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 198–212. Springer, Heidelberg (1997)Google Scholar
  18. 18.
    Lenstra, A., Lenstra Jr., H., Lovász, L.: Factoring polynomials with rational coefficients. In: Mathematische Annalen, vol. 261, pp. 513–534. Springer, Heidelberg (1982)Google Scholar
  19. 19.
    Fujisaki, E., Okamoto, T., Pointcheval, D., Stern, J.: rsa-oaep is secure under the rsa assumption. Journal of Cryptology 17(2), 81–104 (2004)zbMATHCrossRefMathSciNetGoogle Scholar
  20. 20.
    Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public key cryptosystems. Communications of the acm, 120–126 (1978)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Jean-Sébastien Coron
    • 1
  • David Naccache
    • 2
  • Mehdi Tibouchi
    • 2
  1. 1.Université du LuxembourgLuxembourg
  2. 2.Département d’informatique, Groupe de CryptographieÉcole normale supérieureParis Cedex 05France

Personalised recommendations