[Cryptography] Vulnerability of RSA vs. DLP to single-bit faults

[Ralf Senderek]

On Thu, Sep 3, 2015 Phillip Hallam-Baker writes:

> But if you are using ElGamal you get a signature scheme that is based
> on a secret DH key. OK so you have that secret in there that mustn't
> leak or it will divulge your key.
> But I think the robustness argument should still hold.

And what makes you think that using ElGamal would not leak the secret
key under the same circumstances, i.e when the chip is made to dysfunction
due to a light injection? Why should an unsuccesful ElGamal signature
be immune to revealing secrets stored in the chip like RSA does?


      --ralf