[Cryptography] Vulnerability of RSA vs. DLP to single-bit faults

Tom Mitchell mitch at niftyegg.com
Sat Nov 1 18:40:38 EDT 2014

On Fri, Oct 31, 2014 at 3:47 AM, Peter Gutmann <pgut001 at cs.auckland.ac.nz>

> Most, if not all, publications on the topic of fault attacks on RSA and
> DLP-
> based algorithms (DSA, ECDSA) use a very abstract model of the fault,
> assuming
> merely "a fault" or, for example, that an attacker can:
>   modify any intermediate value by setting it to either a random value

> typically in the middle of a signature computation.  While I haven't been
> able
> to track down every publication on the topic, there doesn't seem to be much
> that specifically addresses the case of random single-bit faults, e.g. due
> to
> alpha particles,

Systems that keep keys in memory for long periods of time could find
that the key degrades once in a while and causes problems.  Understanding
is interesting because it is invisible....  systems not designed for long
uptime use do
find their way into a machine room (i.e. machines without strong ECC on
many if not all
data paths).

The magnitude of these commonly undetected errors is easy to underestimate
and it does make sense for code that uses the key to keep the bits in a
data structure with multiple bit error detection both in memory and on disk.

FWIW:   The alpha particle cause mostly does not apply.  There was a case
at IBM where contamination of packages did cause Alpha particle bit flips
today the big issue is high energy cosmic ray interactions.    One silicon
company had cause to understand  single bit memory errors and many customers
participated in a detection and reporting program.   The errors absolutely
with altitude and the study resulted in strong ECC on future designs.

That company is gone and other company designers would do well to hire those
now grey hair engineers and take the hint for processor, memory, network,
and all other system data paths.

ECC is astoundingly important for encrypted data on disk where a flipped
bit or two impact the entire file system or data set in a database system.
Extending the statistics published by the RAID folk to modern systems is
an eye opener.  Recovery from errors is hard... better to not have to

  T o m    M i t c h e l l
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20141101/dc9d827a/attachment.html>

More information about the cryptography mailing list