[Cryptography] Vulnerability of RSA vs. DLP to single-bit faults

Phillip Hallam-Baker phill at hallambaker.com
Thu Sep 3 12:54:11 EDT 2015


On Thu, Sep 3, 2015 at 12:26 PM, Ralf Senderek <crypto at senderek.ie> wrote:

> On Thu, 3 Sep 2015 Phillip Hallam-Baker writes:
>
>> So what happens if you have a chip with a DH private key on it and you
>> modify the private key by one bit?
>>
>> I can't prove it right now. But I am pretty sure by a handwavy argument
>> that you are still secure since there are no weak keys in DH (except for
>> keys like 0, 1 which are only weak because they are close to the default
>> starting point for brute force).
>>
>> The mental map I have on RSA is islands of security in a sea of
>> insecurity. If you have a product of two primes you are on an island and
>> safe. But otherwise you are in the sea and the sharks can bite yer.
>> DH is only solid ground.
>
> But you're comparing apples and oranges here. DH is only solid ground
> because the DH secret key is never used to sign messages. In fact DH
> lacks all authenticity that RSA provides (if you have the correct
> public key of course).
>
> The worrying part of the talk at CCC is that it's possible to "exfiltrate"
> an RSA secret key from a chip with only pouring some chemicals and poking
> around with a flashlight (and one single computation).
> That would never happen with DH secret keys inside a chip as they're not
> used for signing.


But if you are using ElGamal you get a signature scheme that is based on a
secret DH key. OK so you have that secret in there that mustn't leak or it
will divulge your key. But I think the robustness argument should still
hold.
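
A toy illustration of the "islands in a sea" picture discussed above, added here and not part of the original message: it flips each bit of a small RSA modulus and of a DH private exponent and classifies the result. The primes, the safe-prime group, the exponent 700 and the assumption that the fault lands in the RSA modulus are all constructed for this example; it checks structural validity only, not what a computation with the faulted key reveals.

```python
# Added illustration. All numbers are small constructed values, not real keys.
P_RSA, Q_RSA = 65521, 65537        # constructed toy RSA primes
N = P_RSA * Q_RSA                  # 32-bit toy modulus
DH_P, DH_Q, DH_G = 2039, 1019, 4   # toy group: DH_P = 2*DH_Q + 1, DH_G has order DH_Q

def smallest_factor(n):
    """Smallest prime factor of n >= 2, by trial division (toy sizes only)."""
    if n % 2 == 0:
        return 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f
        f += 2
    return n

def is_prime(n):
    return n >= 2 and smallest_factor(n) == n

def is_island(n, min_bits):
    """True if n is a product of two primes, each at least min_bits bits long."""
    f = smallest_factor(n)
    return f != n and f.bit_length() >= min_bits and is_prime(n // f)

def rsa_fault_report(n, min_bits=16):
    """Flip each bit of n: (bit, faulted n, smallest factor, still an island?)."""
    out = []
    for i in range(n.bit_length()):
        m = n ^ (1 << i)
        out.append((i, m, smallest_factor(m), is_island(m, min_bits)))
    return out

def dh_fault_report(x):
    """Flip each bit of exponent x: (bit, faulted x, g^x' still has order DH_Q?)."""
    out = []
    for i in range(DH_Q.bit_length()):
        x2 = x ^ (1 << i)
        y2 = pow(DH_G, x2, DH_P)
        out.append((i, x2, y2 != 1 and pow(y2, DH_Q, DH_P) == 1))
    return out

if __name__ == "__main__":
    rsa = rsa_fault_report(N)
    print("RSA flips still on an island:", sum(r[3] for r in rsa), "of", len(rsa))
    for bit, m, f, ok in rsa:
        print(f"  bit {bit:2d}: N'={m}  smallest factor={f}  island={ok}")
    dh = dh_fault_report(700)
    print("DH flips still valid keys:", sum(r[2] for r in dh), "of", len(dh))
```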