[Cryptography] Vulnerability of RSA vs. DLP to single-bit faults

Florian Weimer fw at deneb.enyo.de
Thu Sep 3 13:46:52 EDT 2015

* Phillip Hallam-Baker:

> So what happens if you have a chip with a DH private key on it and you
> modify the private key by one bit?
> I can't prove it right now. But I am pretty sure by a handwavy argument
> that you are still secure since there are no weak keys in DH (except for
> keys like 0, 1 which are only weak because they are close to the default
> starting point for brute force).

You also need to protect p and g for finite-field DH.  When you change
those, it seems less obvious what might happen.  Klima and Rosa
described a key recovery algorithm for DSA based on deliberate choices
of p and g, but maybe there are results for random changes as well.

More information about the cryptography mailing list