[Cryptography] Vulnerability of RSA vs. DLP to single-bit faults

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Nov 1 12:47:33 EDT 2014


Florian Weimer <fw at deneb.enyo.de> writes:

>What about Dan Boneh, Richard A. DeMillo, Richard J. Lipton, “On the
>Importance of Checking Cryptographic Protocols for Faults” (1997)?
>It shows how to break RSA implementations common at that time with a random
>fault occurring during signature computation.

It's... not entirely useful; it uses a rather abstract model of faults that
includes things like register faults in which a value in a CPU register is
corrupted, but many modern CPUs (Intel, ARM, etc) have ECC on internal storage
and memory buses, and have had them for years, so that type of fault seems
unlikely.  That means that you're left with faults on external memory; from an
off-list discussion with someone who's experimented with this, it's a fairly
remote possibility for affecting the crypto (alpha particles aren't
predictable and guidable, and even if they were you'd have to hit exactly the
right memory location at the right time to have an effect).

Peter.
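As an added illustration of the result the quoted paper describes (this is constructed example code, not part of the thread), the following Python uses toy primes to show why an RSA-CRT signer should verify a signature against the public key before releasing it: a single flipped bit in one half of the CRT computation lets the released value expose a factor of N, whereas the checked variant refuses to emit it. The parameters, message and fault position are all constructed.

```python
import math
from typing import Optional

# Constructed toy parameters (far too small for real use) so the arithmetic
# is easy to follow; the same structure applies at real key sizes.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)              # private exponent (Python 3.8+ modular inverse)


def sign_crt(m: int, fault_bit: Optional[int] = None) -> int:
    """RSA-CRT signature of m.  If fault_bit is given, one bit of the mod-P
    half-result is flipped to model a single random fault during the
    computation (constructed fault injection for the demonstration)."""
    sp = pow(m, D % (P - 1), P)
    sq = pow(m, D % (Q - 1), Q)
    if fault_bit is not None:
        sp = (sp ^ (1 << fault_bit)) % P   # corrupted half-computation
    # Garner recombination of the two halves into s mod N
    q_inv = pow(Q, -1, P)
    h = (q_inv * (sp - sq)) % P
    return (sq + h * Q) % N


def sign_checked(m: int, fault_bit: Optional[int] = None) -> Optional[int]:
    """Hardened signer: re-verify with the public key and refuse to release
    anything that does not check out.  This is the mitigation the quoted
    paper's title refers to."""
    s = sign_crt(m, fault_bit)
    if pow(s, E, N) != m % N:
        return None                  # faulty signature is never emitted
    return s


def factor_from_faulty(m: int, s_faulty: int) -> int:
    """What a released faulty CRT signature reveals: s'^e agrees with m modulo
    one prime but not the other, so gcd(s'^e - m, N) is a factor of N.
    Shown here only to make clear why the check above matters."""
    return math.gcd(pow(s_faulty, E, N) - m, N)
```

Run with a fault and without one to compare: the unchecked signer's faulty output factors N, while `sign_checked` returns `None` for the same fault.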

