Paper 2002/073

Fault attacks on RSA with CRT: Concrete Results and Practical Countermeasures

C. Aumüller, P. Bier, P. Hofreiter, W. Fischer, and J. -P. Seifert


This article describes concrete results and practically approved countermeasures concerning differential fault attacks on RSA using the CRT. It especially investigates smartcards with a RSA coprocessor where any hardware countermeasure to defeat such fault attacks have been switched off. This scenario has been chosen in order to completely analyze the resulting effects and errors occurring inside the hardware. Using the results of this kind of physical stress attack enables the development of completely reliable software countermeasures. Although {\em successful\/} RSA attacks on the investigated hardware have been only possible with an expensive enhanced laboratory equipment, the effects on the unprotected hardware have been tremendously. This caused lots of analysis efforts to investigate what really happened during the attack. Indeed, this will be addressed in this paper. We first report on the nature of the resulting errors within the hardware due to the physical stress applied to the smartcard. Hereafter, we describe the experiments and results with a very efficient and prominent software RSA-CRT DFA countermeasure. This method could be shown to be insufficient, i.e., detected nearly no error, when we introduced stress at the right position during the computation. Naturally, a detailed error analysis model followed, specifying every failure point during the RSA-CRT operation. This model finally allowed to develop and present here new very practically oriented software countermeasures hedging the observed and characterized fault attacks. Eventually, we present the security analysis of our new developed software RSA-CRT DFA countermeasures. Thanks to their careful specification according to the observed and analyzed errors they resisted all kinds of physical stress attacks and were able to detect any subtle computation error, thus avoiding to break the smartcard by fault attacks. Nevertheless, we stress, that although our software countermeasures have been fully approved by practical experiments, we are convinced that only sophisticated hardware countermeasures like sensors and filters in combination with software countermeasures will be able to provide a secure and comfortable base to defeat in general any conceivable fault attacks scenario on smartcards properly.

Available format(s)
Publication info
Published elsewhere. Unknown where it was published
Fault attacksBellcore attackHardware securityHardware robustnessRSAChinese Remainder TheoremSpike attacksTransient fault modelSoftware countermeasures
Contact author(s)
Jean-Pierre Seifert @ infineon com
2002-06-07: received
Short URL
Creative Commons Attribution


      author = {C.  Aumüller and P.  Bier and P.  Hofreiter and W.  Fischer and J. -P.  Seifert},
      title = {Fault attacks on RSA with CRT: Concrete Results and Practical Countermeasures},
      howpublished = {Cryptology ePrint Archive, Paper 2002/073},
      year = {2002},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.