[Cryptography] Vulnerability of RSA vs. DLP to single-bit faults

Florian Weimer fw at deneb.enyo.de
Wed Sep 2 16:25:26 EDT 2015

* Peter Gutmann:

> Florian Weimer <fw at deneb.enyo.de> writes:
>>What about Dan Boneh, Richard A. DeMillo, Richard J. Lipton, =E2=80=9COn the
>>Importance of Checking Cryptographic Protocols for Faults=E2=80=9D (1997)?
>>It shows how to break RSA implementations common at that time with a random
>>fault occurring during signature computation.
> It's... not entirely useful, it uses a rather abstract model of
> faults that include things like register faults in which a value in
> a CPU register is corrupted, but many modern CPUs (Intel, ARM, etc)
> have ECC on internal storage and memory buses, and have had them for
> years, so that type of fault seems unlikely.  That means that you're
> left with faults on external memory, from an off-list discussion
> with someone who's experimented with this it's a fairly remote
> possibility for affecting the crypto (alpha particles aren't
> predictable and guidable, and even if they were you'd have to hit
> exactly the right memory location at the right time to have an
> effect).

A while back, it occurred to me that deployment of forward secrecy in
TLS gives us a wide range of test cases, and implemented a crawler.
Today, we finally published the results:


The number of leaked private keys may seem fairly low (272), but so
was the crawler bandwidth.  I'm sure you'd find additional affected
vendors if you conducated a lot more TLS handshakes.  (Two of the
affected devices had really low leak rates.)

More information about the cryptography mailing list