Fault Attacks on RSA Signatures with Partially Unknown Messages

Fault attacks exploit hardware malfunctions to recover secrets from embedded electronic devices. In the late 1990s, Boneh, DeMillo and Lipton [6] introduced fault-based attacks on CRT-RSA. These attacks factor the signer's modulus when the message padding function is deterministic. However, the attack does not apply when the message is partially unknown, for example when it contains some randomness which is recovered only when verifying a correct signature. In this paper we successfully extend RSA fault attacks to a large class of partially known message configurations. The new attacks rely on Coppersmith's algorithm for finding small roots of multivariate polynomial equations. We illustrate the approach by successfully attacking several randomized versions of the ISO/IEC 9796-2 encoding standard. Practical experiments show that a 2048-bit modulus can be factored in less than a minute given one faulty signature containing 160 random bits and an unknown 160-bit message digest.
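The following added example (not code from the paper or its authors) illustrates the two facts the abstract builds on: a single faulty CRT-RSA signature on a deterministically encoded message factors the modulus by a gcd, and the same gcd yields nothing once the encoding contains randomness the attacker cannot reconstruct. It also shows the standard countermeasure of verifying a signature before releasing it. The key uses two Mersenne primes chosen only so the example runs instantly, the "encodings" are simplified SHA-256 stand-ins rather than ISO/IEC 9796-2, and the fault is simulated by corrupting the half-exponentiation modulo q; all of these are constructed assumptions.

```python
import hashlib
import math
import secrets

# Constructed toy key: two Mersenne primes (far too small for real use, and of a
# special form a real key would never have), chosen so the example runs instantly.
P = 2**521 - 1
Q = 2**127 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # Python 3.8+ modular inverse


def deterministic_encoding(message: bytes) -> int:
    """Simplified deterministic padding: mu = H(m).  The attacker can recompute it."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def randomized_encoding(message: bytes, r: bytes) -> int:
    """Simplified randomized padding: mu = H(r || m).  r is known to the signer only;
    a verifier normally recovers it from a *correct* signature, which a faulty one is not."""
    return int.from_bytes(hashlib.sha256(r + message).digest(), "big")


def crt_sign(mu: int, fault: bool = False) -> int:
    """CRT-RSA signing with Garner recombination.  With fault=True the exponentiation
    modulo q is corrupted, modelling a hardware fault in one CRT branch."""
    dp, dq = D % (P - 1), D % (Q - 1)
    sp = pow(mu, dp, P)
    sq = pow(mu, dq, Q)
    if fault:
        sq = (sq + 1) % Q          # simulated fault: result wrong mod q, still right mod p
    qinv = pow(Q, -1, P)
    h = (qinv * (sp - sq)) % P
    return sq + h * Q              # s == sp (mod p) and s == sq (mod q)


def verify(mu: int, s: int) -> bool:
    return pow(s, E, N) == mu % N


def bdl_factor(n: int, e: int, mu: int, s_faulty: int) -> int:
    """Boneh-DeMillo-Lipton: s' is correct mod p but wrong mod q, so s'^e - mu is
    divisible by p and not by q.  Requires the attacker to know mu exactly."""
    return math.gcd((pow(s_faulty, e, n) - mu) % n, n)


def crt_sign_checked(mu: int, fault: bool = False):
    """Countermeasure: verify before release.  Returns None instead of a faulty signature,
    so no value usable in the gcd above ever leaves the device."""
    s = crt_sign(mu, fault)
    return s if verify(mu, s) else None


if __name__ == "__main__":
    msg = b"constructed sample message"
    mu = deterministic_encoding(msg)
    s_bad = crt_sign(mu, fault=True)
    print("deterministic padding, faulty signature factors N:", bdl_factor(N, E, mu, s_bad) == P)

    r = secrets.token_bytes(20)                     # 160 unknown random bits
    s_bad_r = crt_sign(randomized_encoding(msg, r), fault=True)
    print("randomized padding, gcd with a guessed mu:", bdl_factor(N, E, mu, s_bad_r))

    print("checked signer releases faulty signature:", crt_sign_checked(mu, fault=True) is not None)
```

With the deterministic encoding the gcd returns p immediately; with the randomized encoding the attacker does not know mu, the gcd returns 1, and recovering the factor requires the Coppersmith-based lattice techniques the paper develops rather than a single gcd. The checked signer shows why signature verification before output is the usual hardware countermeasure against this whole attack class.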

[1] Adi Shamir, et al. A method for obtaining digital signatures and public-key cryptosystems, 1978, CACM.

[2] László Lovász, et al. Factoring polynomials with rational coefficients, 1982.

[3] Mihir Bellare, et al. The Exact Security of Digital Signatures - How to Sign with RSA and Rabin, 1996, EUROCRYPT.

[4] Nick Howgrave-Graham, et al. Finding Small Roots of Univariate Modular Equations Revisited, 1997, IMACC.

[5] Richard J. Lipton, et al. On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract), 1997, EUROCRYPT.

[6] Don Coppersmith, et al. Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities, 1997, Journal of Cryptology.

[7] Marc Joye, et al. Chinese Remaindering Based Cryptosystems in the Presence of Faults, 1999, Journal of Cryptology.

[8] Jean-Sébastien Coron, et al. On the Security of RSA Padding, 1999, CRYPTO.

[9] Nick Howgrave-Graham, et al. Approximate Integer Common Divisors, 2001, CaLC.

[10] Jean-Sébastien Coron, et al. Optimal Security Proofs for PSS and Other Signature Schemes, 2002, EUROCRYPT.

[11] Jean-Jacques Quisquater, et al. Fault Attacks for CRT Based RSA: New Attacks, New Results, and New Countermeasures, 2007, WISTP.

[12] Jean-Sébastien Coron, et al. Cryptanalysis of ISO/IEC 9796-1, 2008, Journal of Cryptology.

[13] Alexander May, et al. Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits, 2008, ASIACRYPT.

[14] Jörn-Marc Schmidt, et al. A Practical Fault Attack on Square and Multiply, 2008, 5th Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC).

[15] Antoine Joux, et al. Fault Attacks on Randomized RSA Signatures, 2009.

[16] Jean-Sébastien Coron, et al. Practical Cryptanalysis of ISO/IEC 9796-2 and EMV Signatures, 2009, CRYPTO.