Paper 2009/024

On Second-Order Fault Analysis Resistance for CRT-RSA Implementations

Emmanuelle Dottax, Christophe Giraud, Matthieu Rivain, and Yannick Sierra


Since their publication in 1996, Fault Attacks have been widely studied from both theoretical and practical points of view and most of cryptographic systems have been shown vulnerable to this kind of attacks. Until recently, most of the theoretical fault attacks and countermeasures used a fault model which assumes that the attacker is able to disturb the execution of a cryptographic algorithm only once. However, this approach seems too restrictive since the publication in 2007 of the successful experiment of an attack based on the injection of two faults, namely a second-order fault attack. Amongst the few papers dealing with second-order fault analysis, three countermeasures were published at WISTP'07 and FDTC'07 to protect the RSA cryptosystem using the CRT mode. In this paper, we analyse the security of these countermeasures with respect to the second-order fault model considered by their authors. We show that these countermeasures are not intrinsically resistant and we propose a new method allowing us to implement a CRT-RSA that resists to this kind of second-order fault attack.

Available format(s)
Publication info
Published elsewhere. The final version of this paper will be published in the proceedings of WISTP 2009
Smart CardsRSAFault Attacks
Contact author(s)
c giraud @ oberthur com
2009-06-10: revised
2009-01-14: received
See all versions
Short URL
Creative Commons Attribution


      author = {Emmanuelle Dottax and Christophe Giraud and Matthieu Rivain and Yannick Sierra},
      title = {On Second-Order Fault Analysis Resistance for CRT-RSA Implementations},
      howpublished = {Cryptology ePrint Archive, Paper 2009/024},
      year = {2009},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.