At CHES 2008, Vigilant proposed an efficient way of implementing CRT-RSA that resists fault analysis. In this paper, we investigate the fault resistance of this scheme and show that it is not immune to fault injection. Indeed, we highlight two weaknesses that can allow an attacker to recover the whole private key using only one faulty signature. We also suggest some modifications with negligible cost to improve the fault resistance of Vigilant's scheme. The scheme including these modifications therefore remains suited to embedded device constraints.