23 citations found.
A.K. Lenstra, "Memo on RSA signature generation in the presence of faults," Sept. 1996.


This paper is cited in the following contexts:
Cautionary note for protocol designers: Security proof is not .. - Gillet, Joye, al. (1997)   (Correct)

....performed but not computation of $m_q$. So, Bob gets $m' = \mathrm{CRT}(m_p, m'_q)$ instead of $m$. If Bob discards $m'$ and if Carol can get access to $m'$, then she finds the secret factor $p$ by computing $\gcd((m')^{e_B} - c \bmod n_B, n_B)$. Hence, $q = n_B/p$ and Carol can compute the secret decryption key $d_B$ [10, 7]. This second attack is more dangerous because it completely breaks the system. This shows clearly the importance of checking cryptographic protocols for faults [3]. Note also that if Bob protects his bin, the attack does not remain applicable. The two previous attacks show that it is extremely ....

A. K. Lenstra. Memo on RSA signature generation in the presence of faults, September 1996.


Cryptanalysis of RSA-Type Cryptosystems: A Visit - Joye, Quisquater (1998)   (1 citation)  (Correct)

....trapdoor function on elliptic curves to produce an analogue of RSA. There are numerous mathematical attacks on RSA. They can basically be classified into three categories independently of the protocol in use for encryption or signature: 1. attacks exploiting the polynomial structure of RSA [11, 14, 25, 29, 47, 57]; 2. attacks based on its homomorphic nature [2, 7, 15, 17, 19, 22, 21, 16, 26] 3. attacks resulting of a bad choice of parameters [74] Most of known attacks on RSA can more or less successfully be extended to their Lucas and elliptic curves based analogues. Rather than reviewing in details ....

A. K. Lenstra, Memo on RSA signature generation in the presence of faults, September 1996.


DFA on AES - Giraud (2003)   (Correct)

....may be induced on smartcards during the computation of a cryptographic algorithm to find the key [8, 9] many papers have been published on this subject. Boneh et al. succeeded in breaking an RSA CRT with both a correct and a faulty signature of the same message. Lenstra then improved their attack [14] by finding one of the factors of the public modulus using only one faulty signature of a known message. In October 1996, Biham and Shamir published an attack on secret key cryptosystems [6] entitled Differential Fault Analysis (DFA) and in 2000, Biehl, Meyer and Muller presented a paper describing ....

A. K. Lenstra, Memo on RSA Signature Generation in the Presence of Faults, Manuscript, Available from the author at arjen.lenstra@citicorp.com, 1996.


SureID - A Fingerprint-Based Authentication System for Insecure .. - Candea, Moy   (Correct)

....attack on RSA, in which complete key information is recovered given only the running time of an operation. Since this attack is aimed especially at interactive operations (as opposed to off line encryptions) we refer the reader to [Koch 95] The Bellcore Fault Analysis Attack In [Bon 96] and [Len 96] the authors used one faulty and one correct signature to efficiently factor the modulus used in the RSA system. This attack works under a very general fault model and it makes no difference what type of fault or how many faults occur in the computation. All they rely on is the fact that faults ....

Len96 A.K. Lenstra. "Memo on RSA signature generation in the presence of faults." manuscript, 1996, available from the author


On the Importance of Checking Computations - Boneh, DeMillo, Lipton   (13 citations)  (Correct)

....the modulus N . Once the modulus is factored the system is considered to be broken. Our attack is based on obtaining two signatures of the same message. One signature is the correct one; the other is a faulty signature. At the end of the section we describe an improvement due to Arjen Lenstra [7] that factors the modulus using just a single faulty signature of a known message M . Let M be a message and let E = M s mod N be the correct signature of the message. Let E be a faulty signature. Recall that E and E are computed as E = aE 1 bE 2 (mod N ) and E = a E 1 b E 2 ....

....be efficiently factored. We note that the above attack works under a very general fault model. It makes no difference what type of fault or how many faults occur in the computation of E 1 . All we rely on is the fact that faults occur in the computation modulo only one of the primes. Arjen Lenstra [7] observed that, in fact, one faulty signature of a known message M is sufficient. Let E = M s mod N . Let E be a faulty signature obtained under the same fault as above, that is E j E mod q but E 6j E mod p. It now follows that gcd(M Gamma E e ; N ) q where e is the public ....

A.K. Lenstra, Memo on RSA signature generation in the presence of faults, manuscript, Sept. 28, 1996. Available from the author.


On the Importance of Eliminating Errors in Cryptographic.. - Boneh, DeMillo, Lipton (2001)   (22 citations)  (Correct)

....can efficiently factor the RSA modulus with high probability. The same approach can also be used to attack Rabin's signature scheme. Our attack shows that one invalid signature along with a valid signature on the same message are sufficient for factoring the modulus. A later improvement due to Lenstra [15] shows that an invalid signature along with the original message to be signed are sufficient. RSA. Register faults can be used to attack other implementations of the RSA system though many more erroneous signatures are required. When an n bit RSA modulus is used the number of required faults is ....

....and a faulty signature of the same message an attacker can query the black box on the same message multiple times. Since standard signature formats (e.g. pkcs1) do not involve any randomness, the same x will be fed through the signing engine every time. Based on our results Arjen Lenstra [15] observed that one faulty signature of a known message x is sufficient. There is no need to obtain a valid signature as well. For completeness we describe Lenstra's improvement here. Let S = x d mod N . Let S be a faulty signature obtained under the same model as above, that is S = S mod q ....

A.K. Lenstra, Memo on RSA signature generation in the presence of faults, manuscript, Sept. 28, 1996. Available from the author, arjen.lenstra@citicorp.com


Cautionary note for protocol designers: Security proof is not .. - Gillet, Joye, al. (1997)   (Correct)

....of $m_q$. So, Bob gets $m' = \mathrm{CRT}(m_p, m'_q)$ instead of $m$. If Bob discards $m'$ and if Carol can get access to $m'$, then she finds the secret factor $p$ by computing $\gcd((m')^{e_B} - c \bmod n_B, n_B)$. Hence, $q = n_B/p$ and Carol can compute the secret decryption key $d_B$ [10, 7]. [Figure 2: Lenstra's attack.] This second attack is more dangerous because it completely breaks the system. This shows clearly the importance of checking cryptographic protocols for faults [3]. Note also that if Bob ....

A. K. Lenstra. Memo on RSA signature generation in the presence of faults, September 1996.


SVP: a Flexible Micropayment Scheme - Stern, Vaudenay (1997)   (6 citations)  (Correct)

....Similarly, the cheater can still benefit of V's services with the payment of C, but then the real customer can complain to V . 7 Secret key strengthening Tamper resistant devices are never totally tamper proof, as publicly discussed in relation with the recent work on transient fault analysis [2, 4, 5, 10]. Whatever the real threat is, it might be better not to have a single key kB in mass manufactured devices. Rather we propose to use several keys k 1 B ; k n B . Each vendor has an identifier which is secretly hashed onto a set of n=2 indices I D , which means that a vendor identified ....

A. K. Lenstra. Memo on RSA signature generation in the presence of faults. Sep. 1996. Unpublished.


Attacks on systems using Chinese remaindering - Joye, Quisquater (1996)   (10 citations)  (Correct)

....[2] identified a new attack against RSA [6] when performed with Chinese remaindering. In case of computation error, they showed how to recover the secret factors p and q of the public modulus n from two signatures of the same message: the correct one and the faulty one. Independently, Lenstra [5] showed that only one message and the corresponding faulty signature were required to recover p and q. This paper shows that this attack applies to any RSA type cryptosystem. Particularly, we show how to extend it to LUC [8] and Demytko [3] cryptosystems. 1 Review of Bellcore Lenstra's attack ....

Lenstra, A. K. Memo on RSA signature generation in the presence of faults, Sept. 1996.


Cryptanalysis of RSA-Type Cryptosystems: A Visit - Joye, Quisquater (1998)   (1 citation)  (Correct)

....one way trapdoor function on elliptic curves to produce an analogue of RSA. There are numerous mathematical attacks on RSA. They can basically be classified into three categories independently of the protocol in use for encryption or signature: 1. attacks exploiting the polynomial structure of RSA [11, 14, 25, 29, 47, 57]; 2. attacks based on its homomorphic nature [2, 7, 15, 17, 19, 22, 21, 16, 26] 3. attacks resulting of a bad choice of parameters [74] Most of known attacks on RSA can more or less successfully be extended to their Lucas and elliptic curves based analogues. Rather than reviewing in details all ....

A. K. Lenstra, Memo on RSA signature generation in the presence of faults, September 1996.


Breaking Public Key Cryptosystems on Tamper.. - Bao, Deng, Han..   (43 citations)  (Correct)

....in their announcement. Our work here was motivated first by the Bellcore announcement and then by the DFA announcement. Our first report on attacking RSA and some countermeasures were posted in the Internet on the 23rd and 24th October 1996 [2] Right after that, A. K. Lenstra sent us his memo [9] on attacking RSA in Chinese remainder in a private communication. Subsequently, we released a more complete research note on attacking RSA and the ElGamal signature scheme on the 29th October 1996 [3] Recently, Joye and Quisquater extended the Chinese remaindering attack to LUC and Demytko ....

....that one bit fault at certain location and time can cause fatal leakage of the private key. The example above assumes that only one c i contains a single bit error and that there is no error propagation from c i to c j , j i. The effects of such error propagation were considered in [6] and [9]. As a result, the error models in [6] and [9] are more complicated and probably more realistic than ours. From practical viewpoint, our model can be explained as the model for read error. That is, c i is mistaken as c 0 i when it is multiplied to the value for computing c d but remains ....

[Article contains additional citation context not shown here]

A. K. Lenstra, "Memo on RSA Signature Generation in the Presence of Faults", Manuscript, Sept. 28, 1996. Available from Author at arjen.lenstra@citicorp.com.


On the Importance of Checking Cryptographic Protocols for.. - Boneh, DeMillo, Lipton (1997)   (127 citations)  (Correct)

....be efficiently factored. We note that the above attack works under a very general fault model. It makes no difference what type of fault or how many faults occur in the computation of E 1 . All we rely on is the fact that faults occur in the computation modulo only one of the primes. Arjen Lenstra [14] observed that one faulty signature of a known message M is sufficient. For completeness we describe Lenstra's improvement here. Let E = M s mod N . Let E be a faulty signature obtained under the same fault as above, that is E j E mod q but E 6j E mod p. It now follows that gcd(M ....

A.K. Lenstra, Memo on RSA signature generation in the presence of faults, manuscript, Sept. 28, 1996. Available from the author, arjen.lenstra@citicorp.com


Chinese Remaindering Based Cryptosystems in the Presence of.. - Joye, Lenstra, al.   (5 citations)  Self-citation (Lenstra)   (Correct)

....this generalization are straightforward. The analysis of cryptosystems in the presence of faults was launched by newspaper publications that cited a Bellcore press release New Threat Model Breaks Crypto Codes. Thereafter, several researchers reported some possible implications in both public key [12, 3, 8, 20] and private key [4] cryptography. The method presented in this paper improves the Bellcore's result, later published in [5] in the following way. Their method requires two Chinese remaindering signatures on the same message, one correct and one faulty, whereas our version requires the message ....

A. K. Lenstra. Memo on RSA signature generation in the presence of faults, September 1996.


Cryptanalysis of a Provably Secure CRT-RSA Algorithm - David Wagner University   (Correct)

No context found.

A.K. Lenstra, "Memo on RSA signature generation in the presence of faults," Sept. 1996.


Evaluating Differential Fault Analysis of Unknown Cryptosystems - Paillier (1999)   (Correct)

No context found.

A. Lenstra, Memo on RSA Signature Generation in the Presence of Faults, Sept. 28, 1996.


Evaluating Differential Fault Analysis of Unknown Cryptosystems - Paillier (1999)   (Correct)

No context found.

A. Lenstra, Memo on RSA Signature Generation in the Presence of Faults, Sept. 28, 1996.


Side Channel Attacks on Implementations of Curve-Based.. - Avanzi (2005)   (1 citation)  (Correct)

No context found.

A.K. Lenstra. Memo on RSA signature generation in the presence of faults. Manuscript, September 1996.


Upper Bounds for the Selection of the Cryptographic Key.. - De Gregorio (2004)   (Correct)

No context found.

A.K. Lenstra. Memo on RSA signature generation in the presence of faults. Available from the author: arjen.lenstra@citicorp.com.


Evaluating Differential Fault Analysis of Unknown Cryptosystems - Paillier (1999)   (Correct)

No context found.

A. Lenstra, Memo on RSA Signature Generation in the Presence of Faults, Sept. 28, 1996.


Evaluating Differential Fault Analysis of Unknown Cryptosystems - Paillier (1999)   (Correct)

No context found.

A. Lenstra, Memo on RSA Signature Generation in the Presence of Faults, Sept. 28, 1996.


Evaluating Differential Fault Analysis of Unknown Cryptosystems - Paillier (1999)   (Correct)

No context found.

A. Lenstra, Memo on RSA Signature Generation in the Presence of Faults, Sept. 28, 1996.


Attack on Private Signature Keys of the OpenPGP format, PGP .. - Klíma, Rosa (2002)   (Correct)

No context found.

Lenstra, A. K.: Memo on RSA signature generation in the presence of faults, manuscript, Sept. 28, 1996. Available from the author.


Attack on Private Signature Keys of the OpenPGP format, PGP .. - Klíma, Rosa   (Correct)

No context found.

Lenstra, A. K.: Memo on RSA signature generation in the presence of faults, manuscript, Sept. 28, 1996. Available from the author.


CiteSeer.IST - Copyright Penn State and NEC