Wagner's Attack on a Secure CRT-RSA Algorithm Reconsidered

Authors

  • Johannes Blömer
  • Martin Otto
Abstract

At CCS 2003, a new CRT-RSA algorithm was presented in [BOS03], which was claimed to be secure against fault attacks for various fault models. At CCS 2004, David Wagner presented an attack on the proposed scheme, claiming that the so-called BOS scheme was insecure for all presented fault models [Wag04]. However, the attack itself contains a flaw which shows that although the BOS scheme is broken in some fault models, it is not broken in the most realistic "random fault model". This paper points out the flaw in the attack on the BOS scheme, aiming to


Similar resources

CRT RSA Algorithm Protected Against Fault Attacks

Embedded devices performing RSA signatures are subject to Fault Attacks, particularly when the Chinese Remainder Theorem is used. In most cases, the modular exponentiation and the Garner recombination algorithms are targeted. To thwart Fault Attacks, we propose a new generic method of computing modular exponentiation and we prove its security in a realistic fault model. By construction, our pro...


A New Exponentiation Algorithm Resistant to Combined Side Channel Attack

Since two different types of side channel attacks based on passive information leakage and active fault injection are independently considered as implementation threats on cryptographic modules, most countermeasures have been separately developed according to each attack type. But then, Amiel et al. proposed a combined side channel attack in which an attacker combines these two methods to recov...


Improving timing attack on RSA-CRT via error detection and correction strategy

In timing attack, a class of side channel attack, the attacker attempts to break a cryptographic algorithm by timing the operations of a specific system. Several studies on different types of timing attacks have been published, but they are either theoretical or hard to put into practice. To improve the feasibility of timing attack, the current study proposes an improved timing attack scheme on...


Exclusive Exponent Blinding May Not Suffice to Prevent Timing Attacks on RSA

The references [9, 3, 1] treat timing attacks on RSA with CRT and Montgomery’s multiplication algorithm in unprotected implementations. It has been widely believed that exponent blinding would prevent any timing attack on RSA. At cost of significantly more timing measurements this paper extends the before-mentioned attacks to RSA with CRT when Montgomery’s multiplication algorithm and exponent ...


Exponent Blinding May Not Prevent Timing Attacks on RSA

The references [9, 3, 1] treat timing attacks on RSA with CRT and Montgomery’s multiplication algorithm in unprotected implementations. It has been widely believed that exponent blinding would prevent any timing attack on RSA. At cost of significantly more timing measurements this paper extends the before-mentioned attacks to RSA with CRT, Montgomery’s multiplication algorithm and exponent blin...



Publication date: 2006