## Cryptology ePrint Archive: Report 2009/309

Fault Attacks on RSA Signatures with Partially Unknown Messages

Jean-Sebastien Coron and Antoine Joux and Ilya Kizhvatov and David Naccache and Pascal Paillier

Abstract: Fault attacks exploit hardware malfunctions to recover secrets from embedded electronic devices. In the late 90's, Boneh, DeMillo and Lipton introduced fault-based attacks on {\sc crt-rsa}. These attacks factor the signer's modulus when the message padding function is deterministic. However, the attack does not apply when the message is partially unknown, for example when messages contain some randomness which is recovered only when verifying a {\sl correct} signature.

In this paper we successfully extends RSA fault attacks to a large class of partially known message configurations. The new attacks rely on Coppersmith's algorithm for finding small roots of multivariate polynomial equations. We illustrate the approach by successfully attacking several randomized versions of the ISO 9796-2 encoding standard. Practical experiments show that a $2048$-bit modulus can be factored in less than a minute given one faulty signature containing $160$ random bits and an unknown $160$-bit message digest.

Category / Keywords: implementation / Fault attacks, digital signatures, RSA, Coppersmith's theorem, ISO 9796-2

Publication Info: An extended abstract of this paper will appear at CHES 2009. This is the full version.