[Cryptography] Vulnerability of RSA vs. DLP to single-bit faults
Florian Weimer
fw at deneb.enyo.de
Thu Sep 3 13:46:52 EDT 2015
* Phillip Hallam-Baker:
> So what happens if you have a chip with a DH private key on it and you
> modify the private key by one bit?
>
> I can't prove it right now. But I am pretty sure by a handwavy argument
> that you are still secure since there are no weak keys in DH (except for
> keys like 0, 1 which are only weak because they are close to the default
> starting point for brute force).
You also need to protect p and g for finite-field DH. When you change
those, it seems less obvious what might happen. Klima and Rosa
described a key recovery algorithm for DSA based on deliberate choices
of p and g, but maybe there are results for random changes as well.
More information about the cryptography
mailing list