Paper 2013/506

A Formal Proof of Countermeasures Against Fault Injection Attacks on CRT-RSA

Pablo Rauzy and Sylvain Guilley


In this article, we describe a methodology that aims at either breaking or proving the security of CRT-RSA implementations against fault injection attacks. In the specific case-study of the BellCoRe attack, our work bridges a gap between formal proofs and implementation-level attacks. We apply our results to three implementations of CRT-RSA, namely the unprotected one, that of Shamir, and that of Aumüller et al. Our findings are that many attacks are possible on both the unprotected and the Shamir implementations, while the implementation of Aumüller et al. is resistant to all single-fault attacks. It is also resistant to double-fault attacks if we consider the less powerful threat-model of its authors.

Note: This is the final version of the paper, which was first published in PROOFS 2013 and then in extended version in the Journal of Cryptographic Engineering (DOI is 10.1007/s13389-013-0065-3), submitted here for self-archiving (green Open Access) under Creative Commons Attribution 4.0 International License.

Available format(s)
Publication info
Published elsewhere. Journal of Cryptographic Engineering
RSACRTfault injectionBellCoRe attackformal proofOCaml
Contact author(s)
rauzy @ enst fr
2014-01-30: last of 4 revisions
2013-08-17: received
See all versions
Short URL
Creative Commons Attribution


      author = {Pablo Rauzy and Sylvain Guilley},
      title = {A Formal Proof of Countermeasures Against Fault Injection Attacks on CRT-RSA},
      howpublished = {Cryptology ePrint Archive, Paper 2013/506},
      year = {2013},
      doi = {10.1007/s13389-013-0065-3},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.