[Cryptography] Vulnerability of RSA vs. DLP to single-bit faults

Phillip Hallam-Baker phill at hallambaker.com
Thu Sep 3 11:26:03 EDT 2015

On Thu, Sep 3, 2015 at 10:20 AM, Henry Baker <hbaker1 at pipeline.com> wrote:

> FYI -- HW attack + GCD kills RSA:
> http://mirror.us.oneandone.net/projects/media.ccc.de/events/camp2015/webm-hd/cccamp15-6711-en-de-Hardware_attacks_hacking_chips_on_the_very_cheap_webm-hd.webm
> https://media.ccc.de/browse/conferences/camp2015/camp2015-6711-hardware_attacks_hacking_chips_on_the_very_cheap.html
> Hardware attacks: hacking chips on the (very) cheap
> How to retrieve secret keys without going bankrupt
> Ramiro Pareja & Rafa Boix

This is another reason to move to Diffie-Hellman. It is somewhat ironic
that all this time later we suddenly relearn that the very first public key
scheme was actually a lot better than those that 'improved' on it.

DH does not allow you to encrypt data directly. But it does allow you to
exchange a session key and that is all that is needed. Indeed the fact that
neither party has direct control on the choice of key provides something of
an extra check.

So what happens if you have a chip with a DH private key on it and you
modify the private key by one bit?

I can't prove it right now. But I am pretty sure by a handwavy argument
that you are still secure since there are no weak keys in DH (except for
keys like 0, 1 which are only weak because they are close to the default
starting point for brute force).

The mental map I have on RSA is islands of security in a sea of insecurity.
If you have a product of two primes you are on an island and safe. But
otherwise you are in the sea and the sharks can bite yer. DH is only solid
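
An added example, not part of the original post: the standard RSA-CRT fault result, assumed here to be the kind of "HW attack + GCD" the quoted line refers to, shown next to the verify-before-release check that stops a faulty signature from leaving the device. The toy key, the function names and the simulated bit flip are all constructed for illustration.

```python
from math import gcd

# Constructed toy key built from two Mersenne primes (far too small for real use).
P, Q, E = 2**61 - 1, 2**31 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)

def sign_crt(m, fault_bit=None):
    """Textbook RSA-CRT signature of integer m (no padding).

    fault_bit, if given, simulates a single-bit hardware fault in the
    mod-P half of the computation (hypothetical fault model).
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_bit is not None:
        sp ^= 1 << fault_bit              # one flipped bit in an intermediate value
    h = (QINV * (sp - sq)) % P
    return sq + h * Q                     # Garner recombination

def leaked_factor(m, s):
    """What anyone holding (m, s) and the public key can compute: gcd(s^e - m, N).

    A correct signature gives N (nothing learned); a signature that is right
    modulo one prime and wrong modulo the other gives a prime factor of N.
    """
    return gcd((pow(s, E, N) - m) % N, N)

def sign_crt_checked(m, fault_bit=None):
    """Countermeasure: verify with the public key and withhold a bad result."""
    s = sign_crt(m, fault_bit)
    if pow(s, E, N) != m % N:
        raise RuntimeError("signature self-check failed; output withheld")
    return s

if __name__ == "__main__":
    m = 123456789                         # constructed message representative
    print("good signature leaks factor:", leaked_factor(m, sign_crt(m)) in (P, Q))
    print("faulty signature leaks factor:", leaked_factor(m, sign_crt(m, 5)) in (P, Q))
    try:
        sign_crt_checked(m, fault_bit=5)
    except RuntimeError as exc:
        print("checked signer:", exc)
```

The self-check costs one public-exponent exponentiation per signature, which is cheap next to the private-key operation it protects.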