fyi: Adi Shamir's microprocessor bug attack

James Muir jamuir at
Tue Nov 27 10:35:46 EST 2007

James A. Donald wrote:
> James Muir wrote:
>  > Can anyone think of a deployed implementation of RSA
>  > signatures that would be vulnerable to the attack
>  > Shamir mentions?  Hashing and message blinding would
>  > seem to thwart it.
> As I said, public key encryption has long been known to
> be weak against chosen plaintext and chosen cryptotext -
> so protocols have long been designed to prevent this
> sort of attack.  If they are not so designed, they were
> known to be weak before this attack was discovered.

I completely agree with you.  Good public key cryptography should be
designed to resist chosen message attacks.  This has been a standard
part of cryptographic theory since the 80s.  But this is an
implementation attack, and real world implementations don't necessarily
follow all the rules of cryptographic theory.

If you or anyone else happened to know of a single real-world
implementation of RSA signatures that is vulnerable to this fault
attack, then that might give some justification for the incredible media
coverage it has received.  I can't think of any, and my feeling is that
this announcement has been over-hyped (and presented without proper


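An added illustration, not part of the thread: a toy RSA signer that hashes and blinds the message (the two defences Muir names above) and adds a verify-before-release self-check, which the thread does not mention, so that a signature computed by a simulated faulty multiplier is withheld rather than handed out. The key, the sample message and the fault model are constructed for the example.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key: far too small for real use, illustration only.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def hash_to_int(message: bytes) -> int:
    # Hash first: the signer never exponentiates a raw, caller-chosen number.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def blinded_sign(message: bytes, modexp=pow):
    """Sign with message blinding and a verify-before-release check.

    `modexp` is injectable so a buggy arithmetic unit can be simulated.
    Returns the signature, or None if the self-check fails."""
    h = hash_to_int(message)
    # Pick a random blinding factor coprime to N.
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    # Blinding: the value actually raised to d is h * r^e, which the party
    # who chose `message` cannot predict or steer.
    blinded = (h * pow(r, E, N)) % N
    s_blinded = modexp(blinded, D, N)
    s = (s_blinded * pow(r, -1, N)) % N
    # Self-check: a faulty exponentiation yields an s that does not verify,
    # so the faulty value is never released.
    if pow(s, E, N) != h:
        return None
    return s

def verify(message: bytes, s: int) -> bool:
    return pow(s, E, N) == hash_to_int(message)

def faulty_modexp(base: int, exp: int, mod: int) -> int:
    # Simulated buggy multiplier: the correct result with one bit flipped.
    return pow(base, exp, mod) ^ 1

if __name__ == "__main__":
    msg = b"constructed sample message"
    sig = blinded_sign(msg)
    print("correct hardware: verifies =", verify(msg, sig))
    print("faulty hardware: signature released =",
          blinded_sign(msg, faulty_modexp) is not None)
```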
The Cryptography Mailing List