Double Counting in $2^t$-ary RSA Precomputation Reveals the Secret Exponent

TL;DR

This paper introduces a novel fault attack called double counting attack (DCA) targeting the precomputation phase of $2^t$-ary RSA, revealing the secret exponent efficiently by inducing instruction skip faults.

Contribution

It presents the first fault attack on classical RSA precomputation, demonstrating how to reconstruct the secret exponent using induced faults and a position checker tool.

Findings

DCA effectively reconstructs the secret exponent with 63 faulted signatures for 1536-bit RSA.

The attack is faster with smaller public exponents like 65537.

DCA is applicable to widely used $2^t$-ary RSA implementations.

Abstract

A new fault attack, double counting attack (DCA), on the precomputation of $2^t$-ary modular exponentiation for a classical RSA digital signature (i.e., RSA without the Chinese remainder theorem) is proposed. The $2^t$-ary method is the most popular and widely used algorithm to speed up the RSA signature process. Developers can realize the fastest signature process by choosing optimum $t$. For example, $t=6$ is optimum for a 1536-bit classical RSA implementation. The $2^t$-ary method requires precomputation to generate small exponentials of message. Conventional fault attack research has paid little attention to precomputation, even though precomputation could be a target of a fault attack. The proposed DCA induces faults in precomputation by using instruction skip technique, which is equivalent to replacing an instruction with a no operation in assembly language. This paper also presents a useful "position checker" tool to determine the position of the $2^t$-ary coefficients of the secret exponent from signatures based on faulted precomputations. The DCA is demonstrated to be an effective attack method for some widely used parameters. DCA can reconstruct an entire secret exponent using the position checker with $63(=2^6-1)$ faulted signatures in a short time for a 1536-bit RSA implementation using the $2^6$-ary method. The DCA process can be accelerated for a small public exponent (e.g., 65537). The the best of our knowledge, the proposed DCA is the first fault attack against classical RSA precomputation.