[Cryptography] Vulnerability of RSA vs. DLP to single-bit faults

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Oct 31 06:47:59 EDT 2014

Most, if not all, publications on the topic of fault attacks on RSA and DLP-
based algorithms (DSA, ECDSA) use a very abstract model of the fault, assuming
merely "a fault" or, for example, that an attacker can:

  modify any intermediate value by setting it to either a random value
  (randomizing fault) or zero (zeroing fault), such a fault can be either
  permanent or transient

  skip any number of consecutive instructions (skipping fault)

or at the individual-bit level:

  If an adversary has full control over the injected fault, it is possible to
  manipulate bits at will

with the optional ability to inject a fault with accurate timing control,
typically in the middle of a signature computation.  While I haven't been able
to track down every publication on the topic, there doesn't seem to be much
that specifically addresses the case of random single-bit faults, e.g. due to
alpha particles, and of a non-malicious nature, so your in-memory private-key
component x becomes x' at some point with the difference being a single bit.

Has any work been done on this?  Is RSA more robust against random single-bit
faults than the DLP-based algorithms?


More information about the cryptography mailing list