[Cryptography] Vulnerability of RSA vs. DLP to single-bit faults

Ralf Senderek crypto at senderek.ie
Thu Sep 3 12:26:47 EDT 2015

On Thu, 3 Sep 2015 Philip Hallam-Baker writes:

> So what happens if you have a chip with a DH private key on it and you 
> modify the private key by one bit?

> I can't prove it right now. But I am pretty sure by a handwavy argument 
> that you are still secure since there are no weak keys in DH (except for 
> keys like 0, 1 which are only weak because they are close to the default 
> starting point for brute force). 

> The mental map I have on RSA is islands of security in a sea of 
> insecurity. If you have a product of two primes you are on an island and 
> safe. But otherwise you are in the sea and the sharks can bite yer.
> DH is only solid ground.

But you're comparing apples and oranges here. DH is only solid ground 
because the DH secret key is never used to sign messages. In fact DH
lacks all authenticity that RSA provides (if you have the correct
public key of course).

The worrying part of the talk at CCC is that it's possible to "exfiltrate"
a RSA secret key from a chip with only pouring some chemicals and poking
around with a flash light (and one single computation).
That would never happen with DH secret keys inside a chip as they're not
used for signing.


More information about the cryptography mailing list