[Cryptography] Vulnerability of RSA vs. DLP to single-bit faults

Florian Weimer fw at deneb.enyo.de
Thu Sep 3 16:08:07 EDT 2015

* Ralf Senderek:

> And what makes you think that using ElGamal would not leak the secret
> key under the same circumstances, i.e when the chip is made to dysfunction
> due to a light injection? Why should an unsuccesful ElGamal signature
> be immune to revealing secrets stored in the chip like RSA does?

Lenstra's side-channel attack on RSA-CRT is extremely powerful because
it does not need any assumption about the nature of the fault.  It
just does not matter, as long as it only affects one of the
components.  As far as I understand it, other side-channel attacks do
not have this property, you have to apply considerable knowledge of
implementation details (which can often be reverse-engineered,

More information about the cryptography mailing list