Sciweavers

CHES
2009
Springer

Fault Attacks on RSA Signatures with Partially Unknown Messages

15 years 1 months ago
Fault Attacks on RSA Signatures with Partially Unknown Messages
Fault attacks exploit hardware malfunctions to recover secrets from embedded electronic devices. In the late 90's, Boneh, DeMillo and Lipton [6] introduced fault-based attacks on crt-rsa. These attacks factor the signer's modulus when the message padding function is deterministic. However, the attack does not apply when the message is partially unknown, for example when messages contain some randomness which is recovered only when verifying a correct signature. In this paper we successfully extends rsa fault attacks to a large class of partially known message configurations. The new attacks rely on Coppersmith's algorithm for finding small roots of multivariate polynomial equations. We illustrate the approach by successfully attacking several randomized versions of the iso/iec 9796-2 encoding standard. Practical experiments show that a 2048-bit modulus can be factored in less than a minute given one faulty signature containing 160 random bits and an unknown 160-bit messa...
Jean-Sébastien Coron, Antoine Joux, Ilya Ki
Added 25 Nov 2009
Updated 25 Nov 2009
Type Conference
Year 2009
Where CHES
Authors Jean-Sébastien Coron, Antoine Joux, Ilya Kizhvatov, David Naccache, Pascal Paillier
Comments (0)