[Cryptography] Vulnerability of RSA vs. DLP to single-bit faults

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Nov 7 14:43:15 EST 2014

Michael Kjörling <michael at kjorling.se> writes:

>However, I think the above sequence potentially misses one failure case,
>namely the stuck bits case which I mentioned in my previous email in this

I saw that, but I'm not sure how much of a problem it'd really be: The MAC
check would catch stuck bits when the encrypted data is read into memory, and
the checksum3 check would catch stuck bits when the marshalled data is loaded
into bignums.  The only part with missing coverage would be when the data is
decrypted, but for that a pairwise consistency check (not shown in the
pseudocode, since it was for illustrating catching faults) should catch

Another way of checking for purely stuck bits (rather than more complex
pattern-based failures, which are arbitrarily hard to detect) would be to
write 0xAA and 0x55 patterns into memory before storing data into it.

OTOH I don't have any data for this failure mode in current systems; for the
bit-flip failures we have plenty of real-world measurements, but what's the
likelihood, and typical failure patterns, for stuck-bit failures?
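The 0xAA/0x55 write-and-read-back check described above, as an added example that is not part of the post or of any project's code. The `mem_t` model with its stuck-at-1 and stuck-at-0 masks is constructed here so a stuck bit can be injected and the detection exercised offline; on real hardware the check runs directly on the (volatile) target buffer and no masks exist.

```c
#include <stdint.h>
#include <stddef.h>

/* Simulated memory (constructed for this example): each byte carries a
 * stuck-at-1 mask and a stuck-at-0 mask that the cell applies on every write.
 * Real code would check the actual buffer; the masks exist only so the fault
 * can be injected and the detection verified. `cells` is volatile so the
 * compiler cannot fold the write and the read-back together. */
typedef struct {
    volatile uint8_t *cells;
    const uint8_t *stuck1;   /* bits forced to 1 on write, or NULL */
    const uint8_t *stuck0;   /* bits forced to 0 on write, or NULL */
    size_t len;
} mem_t;

static void mem_write(mem_t *m, size_t i, uint8_t v) {
    if (m->stuck1) v |= m->stuck1[i];
    if (m->stuck0) v &= (uint8_t)~m->stuck0[i];
    m->cells[i] = v;
}

/* Write 0xAA then 0x55 to every byte and read each back. Between them the
 * two patterns drive every bit position both to 1 and to 0, so a bit stuck
 * at either value disagrees with one of the two read-backs. Returns the
 * number of faulty bytes; *badbits receives the OR of the failing positions. */
size_t stuck_bit_check(mem_t *m, uint8_t *badbits) {
    static const uint8_t pattern[2] = { 0xAA, 0x55 };
    size_t bad = 0;
    uint8_t seen = 0;
    for (size_t i = 0; i < m->len; i++) {
        uint8_t diff = 0;
        for (int p = 0; p < 2; p++) {
            mem_write(m, i, pattern[p]);
            diff |= (uint8_t)(m->cells[i] ^ pattern[p]);
        }
        if (diff) bad++;
        seen |= diff;
    }
    if (badbits) *badbits = seen;
    return bad;
}

/* Hypothetical helper: 8-byte buffer with one injected fault at index `at`. */
size_t check_with_fault(uint8_t stuck1, uint8_t stuck0, size_t at, uint8_t *badbits) {
    uint8_t cells[8], s1[8] = {0}, s0[8] = {0};
    if (at >= sizeof cells) return (size_t)-1;
    s1[at] = stuck1; s0[at] = stuck0;
    mem_t m = { cells, s1, s0, sizeof cells };
    return stuck_bit_check(&m, badbits);
}
```

Run the check on a buffer immediately before copying secret material into it; a non-zero return means the buffer must not be used.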

