A Survey of Differential Fault Analysis Against Classical RSA Implementations

Since the advent of side channel attacks, classical cryptanalysis is no longer sufficient to ensure the security of cryptographic algorithms. In practice, the implementation of algorithms on electronic devices is a potential source of leakage that an attacker can use to completely break a system [29, 15, 21]. The injection of faults during the execution of cryptographic algorithms is considered as an intrusive side channel method because secret information may leak from malicious modifications of a device’s behavior [13, 11]. In this context, the security of public key cryptosystems [13] and symmetric ciphers in both block [11] and stream modes [23] has been challenged. Recently, some interesting results have been obtained by attacking public key cryptosystems. More precisely, several papers demonstrated that the perturbation of public elements may induce critical flaws in implementations of public key cryptosystems [10, 14, 25]. We propose here a survey of the applications of fault attacks against different RSA implementations, classical or sophisticated. After a presentation of the RSA cryptosystem and its classical implementation, we review chronologically the attacks and some of the proposed countermeasures. Although first attackers focused their efforts to exploit perturbations of secret elements or related operations (see Sect. 3), recent works adressed the security of public elements (see Sect. 4). This new trend is all the more interesting since public elements are usually handled in a less secure way than private ones. Furthermore it may lead to powerful attacks regardless to the kind of induced perturbations.