[Cryptography] Vulnerability of RSA vs. DLP to single-bit faults

Michael Kjörling michael at kjorling.se
Fri Nov 7 16:23:09 EST 2014

On 7 Nov 2014 16:01 -0500, from leichter at lrw.com (Jerry Leichter):
> So if the original checksum function was C(x), you've replaced it by
> C(ASCII(x)), where ASCII(x) converts x into a series of decimal
> digits. Why is that a better checksum than C() was? If the answer is
> that C(0) = 0 so it's vulnerable to "stuck at 0" faults, then you're
> simply saying that C was a bad checksum (for this purpose) to begin
> with. Why not choose a better one in some disciplined way, rather
> than using the arbitrary technique?

I can see three main possibilities here:

1. I misunderstood Peter's pseudocode and exactly what it does at each
step as well as all the steps when taken together. This seems the most

2. I failed to express myself properly.

3. You misunderstood what I meant with my comment.

Or possibly a combination of points 2 and 3 above.

What I meant was that if you load the key material into a memory
location which suffers from a stuck bit, then how does Peter's
proposed scheme detect that failure of RAM to hold what was intended
when each intermediate checksum gives a valid result (which basically
means that there are no bit _flips_ during operation)?

By adding an end-to-end checksum, with some defined format for what is
checksummed, all the way from storage to (in this case) the bignum
representation, we add the possibility of capturing that failure as

Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)
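The distinction the thread is circling, between per-step checksums computed after the key has already been loaded and one end-to-end checksum that travels with the key from storage, can be shown concretely. The following is an added example, not code from this thread or from Peter's proposal: it models a RAM region with stuck cells, a plain byte-sum checksum with C(0) = 0 of the kind the quoted reply objects to, and an end-to-end checksum (SHA-256 over a tag, a length prefix and the key bytes, an assumed format) that is computed once at storage time. The key material and the fault positions are constructed values.

```python
import hashlib

# Constructed 32-byte "key material"; stands in for the RSA/DL key bytes read from storage.
KEY = bytes(range(1, 33))


def sum_checksum(data: bytes) -> bytes:
    """A checksum with C(0) == 0: the kind the quoted reply calls a bad checksum."""
    return bytes([sum(data) % 256])


def e2e_checksum(data: bytes) -> bytes:
    """End-to-end checksum over a defined format (assumed here): tag, length, bytes.
    Computed once when the key is written to storage and carried alongside it."""
    return hashlib.sha256(b"keymat\x00" + len(data).to_bytes(4, "big") + data).digest()


def load_into_faulty_ram(buf: bytes, stuck: dict) -> bytes:
    """Model a RAM region with stuck cells. `stuck` maps (byte_index, bit) -> 0 or 1."""
    out = bytearray(buf)
    for (i, bit), value in stuck.items():
        if value:
            out[i] |= 1 << bit
        else:
            out[i] &= 0xFF ^ (1 << bit)
    return bytes(out)


def to_bignum(buf: bytes) -> int:
    """The 'bignum representation' step: bytes -> integer."""
    return int.from_bytes(buf, "big")


def per_step_check(loaded: bytes) -> bool:
    """Intermediate checksumming: each step checksums what it received and the next
    step verifies before continuing. Because the checksum is computed *after* the
    faulty load, it vouches for data that is already corrupt, so it always passes."""
    stage1 = e2e_checksum(loaded)
    n = to_bignum(loaded)
    return e2e_checksum(n.to_bytes(len(loaded), "big")) == stage1


def end_to_end_check(stored_checksum: bytes, n: int, length: int) -> bool:
    """Verify the final bignum against the checksum that travelled with the key."""
    return e2e_checksum(n.to_bytes(length, "big")) == stored_checksum


def run_scenarios() -> dict:
    stored_checksum = e2e_checksum(KEY)  # written next to the key in storage
    # Scenario 1: one cell (byte 7, bit 3) stuck at 0. Byte 7 of KEY is 0x08, so the bit is lost.
    loaded = load_into_faulty_ram(KEY, {(7, 3): 0})
    n = to_bignum(loaded)
    results = {
        "corrupted": loaded != KEY,
        "per_step_passes": per_step_check(loaded),
        "end_to_end_detects": not end_to_end_check(stored_checksum, n, len(KEY)),
    }
    # Scenario 2: the whole region, stored checksum included, reads back as zeros.
    zero_data, zero_sum, zero_digest = bytes(len(KEY)), bytes(1), bytes(32)
    results["sum_checksum_fooled"] = sum_checksum(zero_data) == zero_sum
    results["e2e_checksum_detects"] = e2e_checksum(zero_data) != zero_digest
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Scenario 1 is the situation described in the message: every intermediate check succeeds because nothing flips after the load, yet the bignum differs from what was stored, and only the checksum carried from storage notices. Scenario 2 is the quoted objection: when the checksum itself lives in the same stuck-at-0 region, a function with C(0) = 0 agrees with a zeroed checksum, while a hash-based one does not.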
