[Cryptography] Vulnerability of RSA vs. DLP to single-bit faults

Florian Weimer fw at deneb.enyo.de
Sat Nov 1 05:05:15 EDT 2014

* Peter Gutmann:

> While I haven't been able to track down every publication on the
> topic, there doesn't seem to be much that specifically addresses the
> case of random single-bit faults, e.g. due to alpha particles, and
> of a non-malicious nature, so your in private-key component x
> becomes x' at some point with the difference being a single bit.

What about Dan Boneh, Richard A. DeMillo, Richard J. Lipton, “On the
Importance of Checking Cryptographic Protocols for Faults” (1997)?  It
shows how to break RSA implementations common at that time with a
random fault occurring during signature computation.

More information about the cryptography mailing list