3

I know that blinding can be used as a countermeasure against side-channel timing attacks on RSA-CRT: "RSA Timing Attack and Prevention through blinding".

My question is: can blinding also be used as a countermeasure against differential fault injection attacks on RSA with CRT as described by BellCoRe (see https://hal.archives-ouvertes.fr/hal-00939473/document and https://www.limited-entropy.com/crypto-series-dfa/)?

nature8

1 Answer

3

In the original Bellcore attack, the attacker needs to obtain a valid signature and a signature where the computation of one of the coefficients is faulty. The exact nature of the fault does not matter, as long as it affects one of the exponentiations. Therefore it doesn't matter how the coefficients are calculated: blinding has no impact on this attack.

In any case, a cheap defense against single-fault Bellcore-style attacks against RSA is to perform the public-key operation after the private-key operation and compare against the input to the private-key operation.

Blinding may help with more advanced variants involving multiple faults. If the attack requires the faults to happen in a specific way, blinding might cause the result to be unusable for the attacker. I'm not familiar with the literature on those variants.
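The two points in the answer above, as an added example that is not part of the original answer: a toy RSA-CRT signer in which a corrupted half still yields a dangerous output when base blinding is on, and in which the verify-after-sign check withholds that output. The key (two Mersenne primes), the fault model (`sp ^= 1`) and all function names are assumptions made for illustration.

```python
import math
import secrets

# Constructed toy key for illustration: two Mersenne primes, far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)


class FaultDetected(Exception):
    """Raised instead of releasing a signature that fails re-verification."""


def sign_crt(m, blind=False, fault=False, check=True):
    """RSA-CRT private-key operation on an already encoded message 0 < m < N.

    blind: base blinding (multiply by r^e before, by r^-1 after).
    fault: simulate a glitch in the mod-p exponentiation (hypothetical fault model).
    check: apply the public-key operation to the result and compare with m.
    """
    r = 1
    while blind and (r == 1 or math.gcd(r, N) != 1):
        r = secrets.randbelow(N - 2) + 2
    x = (m * pow(r, E, N)) % N
    sp, sq = pow(x, DP, P), pow(x, DQ, Q)
    if fault:
        sp ^= 1  # any corruption of one half has the same effect
    s = (sq + Q * ((QINV * (sp - sq)) % P)) % N  # Garner recombination
    s = (s * pow(r, -1, N)) % N                  # unblind (no-op when r == 1)
    if check and pow(s, E, N) != m:
        raise FaultDetected("result does not verify under the public key")
    return s


def shared_factor(s_valid, s_faulty):
    """gcd of the difference with N: > 1 means the faulty value exposes a prime."""
    return math.gcd(s_valid - s_faulty, N)


if __name__ == "__main__":
    m = 0x1234567890ABCDEF  # constructed sample input
    good = sign_crt(m, blind=True)
    bad = sign_crt(m, blind=True, fault=True, check=False)
    print("blinded faulty output exposes a factor:", shared_factor(good, bad) == Q)
    try:
        sign_crt(m, blind=True, fault=True)
    except FaultDetected as exc:
        print("with the check:", exc)
```

The check costs one public-key exponentiation per signature, which is cheap for a small `e` such as 65537.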