advantage of a fault that occurs during the computation of an RSA signature. However, the previous results show that "right-to-left"-based exponentiations seem to be easier to attack than "left-to-right" ones. Moreover, this attack methodology was later reused to successfully defeat the randomized exponent countermeasure [41]. Although this countermeasure seems to be efficient against modifications of public elements that occur before the computation of signatures [70], Berzati et al. showed that signatures partially infected by a faulty public modulus are still exploitable when the private exponent is blinded [41]. However, the authors suggest the use of the Probabilistic Signature Scheme with RSA (RSA-PSS) [31] to defeat their attacks. Finally, this work completes the state of the art and highlights the need to protect RSA public elements against perturbations, even during the computation of signatures.
7.5 Conclusion
The study of the injection of faults into RSA implementations shows that a wide range of different attacks exists. Of course the popularity of RSA is largely responsible for this, but the variety of the proposed implementations, even secured ones, leads to different fault exploitations. The first instance of fault attacks has led to very powerful applications, especially for RSA computed using the Chinese Remainder Theorem, where one fault may suffice; standard RSA implementations seem to be more difficult to attack. Indeed, for such implementations, the goal of the attacker is not to factor the modulus but to gradually recover the private exponent. In both cases, conditional checks must be avoided or secured, and public elements must be protected in the same way as private ones. One can conclude that implementations that split the secret elements into separate parts for the computation are by construction vulnerable to fault attacks. Countermeasures such as masking techniques obscure the isolated parts, but they may not be enough, as proven by the number of attacks that exploit the residual vulnerabilities.
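The conclusion's two central claims, that one fault suffices against CRT-RSA and that the output check must therefore be secured, can be seen concretely in a toy signer. The following is an added example, not code from the chapter or from any cited paper: the primes, public exponent, message and single-bit fault model are all constructed for illustration and are far too small for real use. It shows a CRT signature that is still correct modulo p after a fault in the mod-q half, why that is enough to split the modulus, and the verify-before-release check that keeps such a signature from ever leaving the device.

```python
# Added example (not from the chapter): a toy CRT-RSA signer, the single-fault
# failure the conclusion describes, and the verify-before-release check that
# stops a faulty signature from being released.
from math import gcd

# Constructed toy parameters: both values are known primes, chosen small so the
# arithmetic is easy to follow; a real key would be 2048 bits or more.
P = 65537
Q = 1000003
N = P * Q
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))

# CRT private-key material: the secret "split into parts" that the
# conclusion identifies as the structural weakness.
DP = D % (P - 1)
DQ = D % (Q - 1)
QINV = pow(Q, -1, P)


def crt_sign(m: int, fault_in_q_half: bool = False) -> int:
    """Textbook CRT-RSA signing with no output check.

    fault_in_q_half simulates a single transient fault hitting the mod-q half
    of the computation (constructed fault model: flip bit 5 of s_q). The mod-p
    half is untouched, so the recombined value is still correct modulo p.
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_q_half:
        sq = (sq ^ (1 << 5)) % Q  # wrong modulo q, still correct modulo p
    h = (QINV * (sp - sq)) % P     # Garner recombination
    return sq + h * Q


def verify(m: int, s: int) -> bool:
    """Public-key check: s is a valid signature on m iff s^e == m (mod N)."""
    return pow(s, E, N) == m % N


def factor_from_faulty_signature(m: int, s_faulty: int) -> int:
    """Why one fault suffices: a signature that is correct modulo p but wrong
    modulo q satisfies s^e == m (mod p) only, so gcd(s^e - m, N) yields p.
    Included to show what the released value leaks, not as a tool."""
    return gcd((pow(s_faulty, E, N) - m) % N, N)


def crt_sign_checked(m: int, fault_in_q_half: bool = False):
    """Countermeasure: never release a signature that fails verification.

    Returns None when the computed signature does not verify; a real device
    would also count or log the event and may lock after repeated failures.
    """
    s = crt_sign(m, fault_in_q_half)
    if not verify(m, s):
        return None
    return s


if __name__ == "__main__":
    m = 123456789  # constructed message representative, m < N
    assert verify(m, crt_sign(m))
    s_bad = crt_sign(m, fault_in_q_half=True)
    print("faulty signature verifies:", verify(m, s_bad))
    print("gcd(s'^e - m, N) == p:", factor_from_faulty_signature(m, s_bad) == P)
    print("checked signer releases faulty value:", crt_sign_checked(m, True) is not None)
```

Note that `crt_sign_checked` is exactly the kind of conditional check the conclusion warns about: an attacker who can inject one fault into the exponentiation may also be able to inject a second one into the comparison, so in a hardened implementation the check itself must be made fault-resistant (for example by making the verification result part of the value that is returned rather than a branch), and the public exponent and modulus it uses must be protected against perturbation just as the private elements are.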