[Cryptography] Vulnerability of RSA vs. DLP to single-bit faults

Bill Frantz frantz at pwpconsult.com
Sat Nov 1 12:37:27 EDT 2014

On 10/31/14 at 3:47 AM, pgut001 at cs.auckland.ac.nz (Peter Gutmann) wrote:

>While I haven't been able
>to track down every publication on the topic, there doesn't seem to be much
>that specifically addresses the case of random single-bit faults, e.g. due to
>alpha particles, and of a non-malicious nature, so your in-memory private-key
>component x becomes x' at some point with the difference being a single bit.
>Has any work been done on this?  Is RSA more robust against random single-bit
>faults than the DLP-based algorithms?

Isn't this possibility best handled by ECC and other hardware 
error detection/correction? When you get really paranoid about 
such failures you end up with parity predicting adders, 
redundant hardware with voting etc.

In practical cases, the most likely result is failure to verify 
a signature, disagreement about what key was agreed etc. It 
seems to me that all of these failures end up secure. If the key 
with the error is a long-term key, then there is a recovery 
problem. If it is a PFS key agreement, then a retry will correct 
the problem.

There may be some head scratching over "how did this happen" 
when examining the logs.

Cheers - Bill

Bill Frantz        | The first thing you need when  | Periwinkle
(408)356-8506      | using a perimeter defense is a | 16345 Englewood Ave
www.pwpconsult.com | perimeter.                     | Los Gatos, CA 95032
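
The "failure to verify" and "disagreement about what key was agreed" outcomes discussed in this message can be observed by flipping each bit of a private exponent in turn. The following is an added example, not code from the thread: it assumes textbook RSA (no padding, no CRT) and plain Diffie-Hellman over constructed toy parameters, and all function and constant names are hypothetical.

```python
import hashlib

# Constructed toy parameters (Mersenne primes); far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1              # RSA primes
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # RSA private exponent
DH_P, DH_G = 2**61 - 1, 3                # DH modulus and base (assumed values)


def digest(msg, mod):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % mod


def rsa_sign(msg, d):
    """Textbook RSA signature (no padding, no CRT)."""
    return pow(digest(msg, N), d, N)


def rsa_verify(msg, sig):
    return pow(sig, E, N) == digest(msg, N)


def single_bit_faults(x):
    """Yield every x' that differs from x in exactly one bit."""
    for i in range(x.bit_length()):
        yield x ^ (1 << i)


def rsa_faults_detected(msg):
    """Return (faulty exponents tried, signatures that fail verification)."""
    faulty = list(single_bit_faults(D))
    bad = sum(not rsa_verify(msg, rsa_sign(msg, d)) for d in faulty)
    return len(faulty), bad


def dh_faults_detected(x, peer_priv):
    """Return (faulty exponents tried, runs where the two sides disagree)."""
    our_pub = pow(DH_G, x, DH_P)         # sent before the fault occurs
    peer_pub = pow(DH_G, peer_priv, DH_P)
    peer_key = pow(our_pub, peer_priv, DH_P)
    faulty = list(single_bit_faults(x))
    bad = sum(pow(peer_pub, xf, DH_P) != peer_key for xf in faulty)
    return len(faulty), bad


if __name__ == "__main__":
    print("RSA:", rsa_faults_detected(b"constructed test message"))
    print("DH: ", dh_faults_detected(0x1234567890ABCDE, 2**31 - 1))
```

Verifying a signature with the public key before releasing it is the check that turns such a fault into a logged error.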
