Improved PACD-Based Attacks on RSA-CRT
摘要
In this work, we use some recent developments in lattice-based cryptanalytic tools to revisit a fault attack on RSA-CRT signatures based on the Partial Approximate Common Divisor (PACD) problem. By reducing the PACD to a Hidden Number Problem (HNP) instance, we decrease the number of required faulted bits from 32 to 7 in the case of a 1024-bit RSA. With this improvement, we show that fault countermeasures based on the verification of the signature before returning it are no longer efficient. We successfully apply the attack to RSA instances up to 8192-bit. Finally, we evaluate the impact of side-channel countermeasures against this attack. The reduction from PACD to HNP might be of independent interest.