[Cryptography] Vulnerability of RSA vs. DLP to single-bit faults
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Fri Oct 31 06:47:59 EDT 2014
Most, if not all, publications on the topic of fault attacks on RSA and
DLP-based algorithms (DSA, ECDSA) use a very abstract model of the fault,
assuming merely "a fault" or, for example, that an attacker can:

  modify any intermediate value by setting it to either a random value
  (randomizing fault) or zero (zeroing fault), such a fault can be either
  permanent or transient

  skip any number of consecutive instructions (skipping fault)

or at the individual-bit level:

  If an adversary has full control over the injected fault, it is possible to
  manipulate bits at will

with the optional ability to inject a fault with accurate timing control,
typically in the middle of a signature computation. While I haven't been able
to track down every publication on the topic, there doesn't seem to be much
that specifically addresses the case of random single-bit faults, e.g. due to
alpha particles, and of a non-malicious nature, so your in-memory private-key
component x becomes x' at some point with the difference being a single bit.

Has any work been done on this? Is RSA more robust against random single-bit
faults than the DLP-based algorithms?

Peter.