TY - GEN
T1 - Combined attack on CRT-RSA
T2 - 16th International Conference on Practice and Theory in Public-Key Cryptography, PKC 2013
AU - Barbu, Guillaume
AU - Battistello, Alberto
AU - Dabosville, Guillaume
AU - Giraud, Christophe
AU - Renault, Guénaël
AU - Renner, Soline
AU - Zeitoun, Rina
PY - 2013/1/1
Y1 - 2013/1/1
N2 - This article introduces a new Combined Attack on a CRT-RSA implementation resistant against Side-Channel Analysis and Fault Injection attacks. Such implementations prevent the attacker from obtaining the signature when a fault has been induced during the computation. Indeed, such a value would allow the attacker to recover the RSA private key by computing the gcd of the public modulus and the faulty signature. The principle of our attack is to inject a fault during the signature computation and to perform a Side-Channel Analysis targeting a sensitive value processed during the Fault Injection countermeasure execution. The resulting information is then used to factorize the public modulus, leading to the disclosure of the whole RSA private key. After presenting a detailed account of our attack, we explain how its complexity can be significantly reduced by using lattice reduction techniques. We also provide simulations that confirm the efficiency of our attack as well as two different countermeasures having a very small impact on the performance of the algorithm. As it performs a Side-Channel Analysis during a Fault Injection countermeasure to retrieve the secret value, this article recalls the need for Fault Injection and Side-Channel Analysis countermeasures as monolithic implementations.
AB - This article introduces a new Combined Attack on a CRT-RSA implementation resistant against Side-Channel Analysis and Fault Injection attacks. Such implementations prevent the attacker from obtaining the signature when a fault has been induced during the computation. Indeed, such a value would allow the attacker to recover the RSA private key by computing the gcd of the public modulus and the faulty signature. The principle of our attack is to inject a fault during the signature computation and to perform a Side-Channel Analysis targeting a sensitive value processed during the Fault Injection countermeasure execution. The resulting information is then used to factorize the public modulus, leading to the disclosure of the whole RSA private key. After presenting a detailed account of our attack, we explain how its complexity can be significantly reduced by using lattice reduction techniques. We also provide simulations that confirm the efficiency of our attack as well as two different countermeasures having a very small impact on the performance of the algorithm. As it performs a Side-Channel Analysis during a Fault Injection countermeasure to retrieve the secret value, this article recalls the need for Fault Injection and Side-Channel Analysis countermeasures as monolithic implementations.
KW - CRT-RSA
KW - Combined Attacks
KW - Coppersmith's methods
KW - Fault Injection
KW - Side-Channel Analysis
U2 - 10.1007/978-3-642-36362-7_13
DO - 10.1007/978-3-642-36362-7_13
M3 - Conference contribution
AN - SCOPUS:84873949965
SN - 9783642363610
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 198
EP - 215
BT - Public-Key Cryptography, PKC 2013 - 16th International Conference on Practice and Theory in Public-Key Cryptography, Proceedings
PB - Springer Verlag
Y2 - 26 February 2013 through 1 March 2013
ER -