# Fault attack on RSA-CRT

When signing an (unknown) message using the RSASSA-PKCS1-v1_5 scheme (see PKCS#1), an error was introduced during the computation of the RSASP1 signing transformation (see PKCS#1). Chinese Remainder Theorem was used, the error affected only the partial signature value modulo p, ie. value called in PKCS#1 signature as s_1. The signer later discovered that the computed signature is invalid, and signed the same message again. This time all went without errors. Find the signer’s private key, given the public modulus N, public exponent e, faulty signature value f, and correct signature value s.

In [1]:
from math import gcd

In [2]:
n = 143439281935793709829883511119512297318347597781777879206016778171534720301126138047071671599318397710025065932294231888139238578615677641709345935975961129727859596609343289124965796285308717120051606006794321837387662808710892762405359764253183416603706120250336984377143647112873468386573559510267301025317
e = 2**16 + 1
f = 71251176378222026591825270924710333598755025600583408398417673044948036838605203199365453395684541835766338661162672639861182656220165947252131425810938132667168370928457399579218032946166229495635857434396515864365919188222925205058641667971268925279334818704393729730175259569121845705737661313402980864137
s = 15223702582445980286808606927407147872606816408515094671195941573747873776542763859988851309420835589410131772963096153108282509175871696342163196550032899522429025717395838274305099296786258069032517578628430962210476221001719559330646207213315978859400699157086660962631721005185511377251893703145230857109

In [3]:
def rsasp1(m: int, p: int, q: int, d: int) -> int:
    """
    RSA signing using the Chinese Remainder Theorem (see PKCS#1)

    Parameters
    ----------
    m : int
        The message to sign
    p : int
        The first prime factor (n = p * q)
    q : int
        The second prime factor (n = p * q)
    d : int
        The private exponent
    
    Returns
    -------
    int
        The signature of the message
    """
    
    dP = d % (p - 1)
    dQ = d % (q - 1)
    qInv = pow(q, -1, p)

    s_1 = pow(m, dP, p)
    s_2 = pow(m, dQ, q)
    h = ((s_1 - s_2) * qInv) % p
    return s_2 + q * h

In [4]:
p = gcd(n, s - f)
q = n // p
d = pow(e, -1, (p - 1) * (q - 1))

print(f"private key: {d}")

private key: 43569980095149997430207227304517010279938746494985309693061568321112374338686818592597399431277466823526694653618280882511982885766853759151440400803720916908347693122671225187324856037273449451632811895965052551011373909834429691044958285626568638665136584983658707110625106517651242447076816811982645324929
