[Cryptography] Vulnerability of RSA vs. DLP to single-bit faults
Bill Frantz
frantz at pwpconsult.com
Sat Nov 1 12:37:27 EDT 2014
On 10/31/14 at 3:47 AM, pgut001 at cs.auckland.ac.nz (Peter Gutmann) wrote:
>While I haven't been able
>to track down every publication on the topic, there doesn't seem to be much
>that specifically addresses the case of random single-bit faults, e.g. due to
>alpha particles, and of a non-malicious nature, so your in-memory private-key
>component x becomes x' at some point with the difference being a single bit.
>
>Has any work been done on this? Is RSA more robust against random single-bit
>faults than the DLP-based algorithms?

Isn't this possibility best handled by ECC and other hardware
error detection/correction? When you get really paranoid about
such failures you end up with parity predicting adders,
redundant hardware with voting etc.

In practical cases, the most likely result is failure to verify
a signature, disagreement about what key was agreed etc. It
seems to me that all of these failures end up secure. If the key
with the error is a long-term key, then there is a recovery
problem. If it is a PFS key agreement, then a retry will correct
the problem.

There may be some head scratching over "how did this happen"
when examining the logs.

Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz        | The first thing you need when  | Periwinkle
(408)356-8506      | using a perimeter defense is a | 16345 Englewood Ave
www.pwpconsult.com | perimeter.                     | Los Gatos, CA 95032
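
The two outcomes named in the message above (a signature that fails to verify, and disagreement about the agreed key) can be reproduced on a toy key; this is an added example, not part of the original post. The safe primes, message value, generator and all function names are constructed for illustration, and the result that every single-bit flip is caught is a property of these toy parameters.

```python
# Constructed toy parameters (safe primes, far too small for real use).
P, Q = 1019, 1187                     # P-1 = 2*509, Q-1 = 2*593
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # RSA private exponent

def flip_bit(x, i):
    """Model a single-bit memory fault: x becomes x' differing in bit i."""
    return x ^ (1 << i)

def rsa_sign(m, d):
    return pow(m, d, N)

def rsa_verify(m, s):
    return pow(s, E, N) == m

def sign_checked(m, d):
    """Sign, then verify with the public key before releasing the result."""
    s = rsa_sign(m, d)
    if not rsa_verify(m, s):
        raise RuntimeError("signature self-check failed: key or computation faulted")
    return s

def rsa_faults_caught(m):
    """Count single-bit faults in D whose signature fails verification."""
    bits = D.bit_length()
    caught = sum(not rsa_verify(m, rsa_sign(m, flip_bit(D, i))) for i in range(bits))
    return caught, bits

# Diffie-Hellman in the order-509 subgroup mod 1019, generator 4 (constructed).
DH_P, DH_G = 1019, 4

def dh_mismatches(x, y):
    """A publishes g^x, then x takes a one-bit fault before A derives the key."""
    pub_a, pub_b = pow(DH_G, x, DH_P), pow(DH_G, y, DH_P)
    key_b = pow(pub_a, y, DH_P)       # B's view of the shared key
    bits = x.bit_length()
    bad = sum(pow(pub_b, flip_bit(x, i), DH_P) != key_b for i in range(bits))
    return bad, bits

if __name__ == "__main__":
    print("RSA faults caught (caught, bits):", rsa_faults_caught(42))
    print("DH key mismatches (bad, bits):", dh_mismatches(321, 123))
```
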