[Cryptography] Vulnerability of RSA vs. DLP to single-bit faults

Jerry Leichter leichter at lrw.com
Sat Nov 8 23:24:54 EST 2014


On Nov 8, 2014, at 4:49 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> Another option is to perform a pairwise consistency test each time the private 
> key is used.  In other words every time you generate a signature you then use 
> the public-key components to verify it (which my code does anyway just as a 
> general precaution).  Question: Will this catch all possible problems?
"All possible problems?"  I highly doubt it!

If we were talking ordinary code, "closing the loop" like this would certainly seem like an excellent idea whose only possible downside was cost.  But for crypto code ... one worries.  For example, are you opening up some possible side-channel attack by running two closely correlated exponentiations one after the other?  If we were talking about a *mathematical* attack, there would be no problem, as the attacker could have done the computations himself.  But he can't run this code *on your hardware*, with, for example, the caches warmed by the inverse calculation (that he can't perform).  It's not that I have any idea of a potential attack ... but the history of side-channel attacks should keep us cautious.

Another potential area of trouble is error recovery.  Does the fact that the verification failed reveal something?  Does recomputing using a very slightly different key reveal something?
                                                        -- Jerry
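The sign-then-verify check that the quoted message describes, as an added example that is not part of the original post: a toy RSA-CRT signer (key constructed here from two Mersenne primes, far too small for real use) that simulates a single-bit fault in one CRT half and refuses to release the result when the public-key check fails.

```python
# Added example: RSA-CRT signing with the pairwise consistency test from the
# quoted message (verify every fresh signature with the public key before it
# leaves the signer). Key is constructed from the Mersenne primes 2^61-1 and
# 2^89-1 so the block runs offline; it is a toy size, not a usable key.
P = (1 << 61) - 1
Q = (1 << 89) - 1
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent
DP, DQ = D % (P - 1), D % (Q - 1)      # CRT exponents
QINV = pow(Q, -1, P)                   # q^-1 mod p for Garner recombination


class FaultDetected(Exception):
    """Fresh signature failed the public-key check; it must not be released."""


def sign_crt(m, fault_bit=None):
    """Sign m with RSA-CRT. fault_bit (constructed, optional) flips one bit of
    the mod-q half to simulate the single-bit upset the check is meant to catch."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_bit is not None:
        sq ^= 1 << fault_bit               # simulated fault, not a real glitch
    h = (QINV * (sp - sq)) % P              # Garner: h = q^-1 * (sp - sq) mod p
    return sq + h * Q                       # result is in [0, N)


def verify(m, s):
    """Public-key check; cheap next to the private exponentiation."""
    return pow(s, E, N) == m % N


def sign_checked(m, fault_bit=None):
    """Pairwise consistency test: only return a signature the public key
    accepts. A faulted value still agrees with the good one mod p, which is
    why releasing it is dangerous rather than merely useless."""
    s = sign_crt(m, fault_bit)
    if not verify(m, s):
        raise FaultDetected("signature failed self-check")
    return s


def rejected_by_check(m, fault_bit=None):
    """True if sign_checked refuses to output a signature for (m, fault_bit)."""
    try:
        sign_checked(m, fault_bit)
    except FaultDetected:
        return True
    return False
```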


